From 46dc3eed6a67cc3934c06e5981231cf60deddcb8 Mon Sep 17 00:00:00 2001 From: Diogo Souza Date: Mon, 14 Aug 2023 17:19:20 -0300 Subject: [PATCH 01/24] copy rancher-backup version 102.x.x to 103.x.x --- packages/rancher-backup/rancher-backup-crd/package.yaml | 3 ++- .../rancher-backup/generated-changes/patch/Chart.yaml.patch | 2 +- packages/rancher-backup/rancher-backup/package.yaml | 3 ++- 3 files changed, 5 insertions(+), 3 deletions(-) diff --git a/packages/rancher-backup/rancher-backup-crd/package.yaml b/packages/rancher-backup/rancher-backup-crd/package.yaml index acbd3bd5b..9ac8ddad9 100644 --- a/packages/rancher-backup/rancher-backup-crd/package.yaml +++ b/packages/rancher-backup/rancher-backup-crd/package.yaml @@ -1,2 +1,3 @@ url: https://github.com/rancher/backup-restore-operator/releases/download/v3.1.1/rancher-backup-crd-3.1.1.tgz -version: 102.0.1 +version: 103.0.0 +doNotRelease: true diff --git a/packages/rancher-backup/rancher-backup/generated-changes/patch/Chart.yaml.patch b/packages/rancher-backup/rancher-backup/generated-changes/patch/Chart.yaml.patch index 1bc4ef78a..4e4dca207 100644 --- a/packages/rancher-backup/rancher-backup/generated-changes/patch/Chart.yaml.patch +++ b/packages/rancher-backup/rancher-backup/generated-changes/patch/Chart.yaml.patch @@ -5,7 +5,7 @@ catalog.cattle.io/permits-os: linux,windows catalog.cattle.io/provides-gvr: resources.cattle.io.resourceset/v1 - catalog.cattle.io/rancher-version: '>= 2.6.0-0 < 2.7.0-0' -+ catalog.cattle.io/rancher-version: '>= 2.7.0-0 < 2.8.0-0' ++ catalog.cattle.io/rancher-version: '>= 2.8.0-0 < 2.9.0-0' catalog.cattle.io/release-name: rancher-backup catalog.cattle.io/scope: management catalog.cattle.io/type: cluster-tool diff --git a/packages/rancher-backup/rancher-backup/package.yaml b/packages/rancher-backup/rancher-backup/package.yaml index 117b5fb58..fc3e7ec50 100644 --- a/packages/rancher-backup/rancher-backup/package.yaml +++ b/packages/rancher-backup/rancher-backup/package.yaml 
@@ -1,2 +1,3 @@
 url: https://github.com/rancher/backup-restore-operator/releases/download/v3.1.1/rancher-backup-3.1.1.tgz
-version: 102.0.1
+version: 103.0.0
+doNotRelease: true

From 01979917fb391eba0c764c32a300820f229aa3cd Mon Sep 17 00:00:00 2001
From: Lucas Lopes
Date: Wed, 1 Nov 2023 15:30:37 -0300
Subject: [PATCH 02/24] Emptying release.yaml after 6th batch release of 2.8

---
 release.yaml | 10 ----------
 1 file changed, 10 deletions(-)

diff --git a/release.yaml b/release.yaml
index 2f7a82876..e69de29bb 100644
--- a/release.yaml
+++ b/release.yaml
@@ -1,10 +0,0 @@
-harvester-csi-driver:
- - 103.0.0+up0.1.16
-harvester-cloud-provider:
- - 103.0.0+up0.1.14
-rancher-csp-adapter:
- - 103.0.0+up3.0.0
-rancher-logging:
- - 103.0.0+up3.17.10
-rancher-logging-crd:
- - 103.0.0+up3.17.10

From e02b272e4572652ae3ec42683d0a516433f958ac Mon Sep 17 00:00:00 2001
From: Eliyam Levy
Date: Tue, 19 Sep 2023 13:35:44 -0400
Subject: [PATCH 03/24] update package and release yamls

---
 packages/rancher-backup/rancher-backup-crd/package.yaml | 3 +--
 packages/rancher-backup/rancher-backup/package.yaml | 3 +--
 release.yaml | 4 ++++
 3 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/packages/rancher-backup/rancher-backup-crd/package.yaml b/packages/rancher-backup/rancher-backup-crd/package.yaml
index 9ac8ddad9..b760251ad 100644
--- a/packages/rancher-backup/rancher-backup-crd/package.yaml
+++ b/packages/rancher-backup/rancher-backup-crd/package.yaml
@@ -1,3 +1,2 @@
-url: https://github.com/rancher/backup-restore-operator/releases/download/v3.1.1/rancher-backup-crd-3.1.1.tgz
+url: https://github.com/rancher/backup-restore-operator/releases/download/v4.0.0-rc1/rancher-backup-crd-4.0.0-rc1.tgz
 version: 103.0.0
-doNotRelease: true
diff --git a/packages/rancher-backup/rancher-backup/package.yaml b/packages/rancher-backup/rancher-backup/package.yaml
index fc3e7ec50..262317d01 100644
--- a/packages/rancher-backup/rancher-backup/package.yaml
+++ b/packages/rancher-backup/rancher-backup/package.yaml @@ -1,3 +1,2 @@ -url: https://github.com/rancher/backup-restore-operator/releases/download/v3.1.1/rancher-backup-3.1.1.tgz +url: https://github.com/rancher/backup-restore-operator/releases/download/v4.0.0-rc1/rancher-backup-4.0.0-rc1.tgz version: 103.0.0 -doNotRelease: true diff --git a/release.yaml b/release.yaml index e69de29bb..61a31d562 100644 --- a/release.yaml +++ b/release.yaml @@ -0,0 +1,4 @@ +rancher-backup: + - 103.0.0+up4.0.0-rc1 +rancher-backup-crd: + - 103.0.0+up4.0.0-rc1 From 3cd68afca8c9dda724db5337c116c6a84c5335f3 Mon Sep 17 00:00:00 2001 From: Eliyam Levy Date: Tue, 19 Sep 2023 13:51:22 -0400 Subject: [PATCH 04/24] fix patch file to match upstream changes --- .../rancher-backup/generated-changes/patch/Chart.yaml.patch | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/rancher-backup/rancher-backup/generated-changes/patch/Chart.yaml.patch b/packages/rancher-backup/rancher-backup/generated-changes/patch/Chart.yaml.patch index 4e4dca207..a7361c5db 100644 --- a/packages/rancher-backup/rancher-backup/generated-changes/patch/Chart.yaml.patch +++ b/packages/rancher-backup/rancher-backup/generated-changes/patch/Chart.yaml.patch @@ -4,7 +4,7 @@ catalog.cattle.io/os: linux catalog.cattle.io/permits-os: linux,windows catalog.cattle.io/provides-gvr: resources.cattle.io.resourceset/v1 -- catalog.cattle.io/rancher-version: '>= 2.6.0-0 < 2.7.0-0' +- catalog.cattle.io/rancher-version: '>= 2.7.0-0 < 2.8.0-0' + catalog.cattle.io/rancher-version: '>= 2.8.0-0 < 2.9.0-0' catalog.cattle.io/release-name: rancher-backup catalog.cattle.io/scope: management From f3f3dfbea6e265c9c3c849685467968ee01e2dbf Mon Sep 17 00:00:00 2001 
From: Eliyam Levy Date: Tue, 19 Sep 2023 13:51:54 -0400 Subject: [PATCH 05/24] make charts --- ...rancher-backup-crd-103.0.0+up4.0.0-rc1.tgz | Bin 0 -> 1778 bytes .../rancher-backup-103.0.0+up4.0.0-rc1.tgz | Bin 0 -> 11559 bytes .../103.0.0+up4.0.0-rc1/Chart.yaml | 11 + .../103.0.0+up4.0.0-rc1/README.md | 3 + .../103.0.0+up4.0.0-rc1/templates/backup.yaml | 141 ++++++++++++ .../templates/resourceset.yaml | 118 ++++++++++ .../templates/restore.yaml | 122 ++++++++++ .../103.0.0+up4.0.0-rc1/Chart.yaml | 26 +++ .../103.0.0+up4.0.0-rc1/README.md | 79 +++++++ .../103.0.0+up4.0.0-rc1/app-readme.md | 33 +++ .../default-resourceset-contents/aks.yaml | 25 ++ .../default-resourceset-contents/eks.yaml | 17 ++ .../elemental.yaml | 49 ++++ .../default-resourceset-contents/fleet.yaml | 53 +++++ .../default-resourceset-contents/gke.yaml | 17 ++ .../provisioningv2.yaml | 23 ++ .../rancher-operator.yaml | 28 +++ .../default-resourceset-contents/rancher.yaml | 65 ++++++ .../templates/_helpers.tpl | 87 +++++++ .../templates/clusterrolebinding.yaml | 14 ++ .../templates/deployment.yaml | 79 +++++++ .../templates/hardened.yaml | 124 ++++++++++ .../103.0.0+up4.0.0-rc1/templates/psp.yaml | 31 +++ .../103.0.0+up4.0.0-rc1/templates/pvc.yaml | 27 +++ .../templates/rancher-resourceset.yaml | 13 ++ .../templates/s3-secret.yaml | 31 +++ .../templates/serviceaccount.yaml | 11 + .../templates/validate-install-crd.yaml | 16 ++ .../templates/validate-psp-install.yaml | 7 + .../tests/deployment_test.yaml | 216 ++++++++++++++++++ .../103.0.0+up4.0.0-rc1/tests/pvc_test.yaml | 102 +++++++++ .../tests/s3-secret_test.yaml | 141 ++++++++++++ .../103.0.0+up4.0.0-rc1/values.yaml | 81 +++++++ index.yaml | 45 ++++ 34 files changed, 1835 insertions(+) create mode 100644 assets/rancher-backup-crd/rancher-backup-crd-103.0.0+up4.0.0-rc1.tgz create mode 100644 assets/rancher-backup/rancher-backup-103.0.0+up4.0.0-rc1.tgz create mode 100644 charts/rancher-backup-crd/103.0.0+up4.0.0-rc1/Chart.yaml create mode 100644 
charts/rancher-backup-crd/103.0.0+up4.0.0-rc1/README.md create mode 100644 charts/rancher-backup-crd/103.0.0+up4.0.0-rc1/templates/backup.yaml create mode 100644 charts/rancher-backup-crd/103.0.0+up4.0.0-rc1/templates/resourceset.yaml create mode 100644 charts/rancher-backup-crd/103.0.0+up4.0.0-rc1/templates/restore.yaml create mode 100644 charts/rancher-backup/103.0.0+up4.0.0-rc1/Chart.yaml create mode 100644 charts/rancher-backup/103.0.0+up4.0.0-rc1/README.md create mode 100644 charts/rancher-backup/103.0.0+up4.0.0-rc1/app-readme.md create mode 100644 charts/rancher-backup/103.0.0+up4.0.0-rc1/files/default-resourceset-contents/aks.yaml create mode 100644 charts/rancher-backup/103.0.0+up4.0.0-rc1/files/default-resourceset-contents/eks.yaml create mode 100644 charts/rancher-backup/103.0.0+up4.0.0-rc1/files/default-resourceset-contents/elemental.yaml create mode 100644 charts/rancher-backup/103.0.0+up4.0.0-rc1/files/default-resourceset-contents/fleet.yaml create mode 100644 charts/rancher-backup/103.0.0+up4.0.0-rc1/files/default-resourceset-contents/gke.yaml create mode 100644 charts/rancher-backup/103.0.0+up4.0.0-rc1/files/default-resourceset-contents/provisioningv2.yaml create mode 100644 charts/rancher-backup/103.0.0+up4.0.0-rc1/files/default-resourceset-contents/rancher-operator.yaml create mode 100644 charts/rancher-backup/103.0.0+up4.0.0-rc1/files/default-resourceset-contents/rancher.yaml create mode 100644 charts/rancher-backup/103.0.0+up4.0.0-rc1/templates/_helpers.tpl create mode 100644 charts/rancher-backup/103.0.0+up4.0.0-rc1/templates/clusterrolebinding.yaml create mode 100644 charts/rancher-backup/103.0.0+up4.0.0-rc1/templates/deployment.yaml create mode 100644 charts/rancher-backup/103.0.0+up4.0.0-rc1/templates/hardened.yaml create mode 100644 charts/rancher-backup/103.0.0+up4.0.0-rc1/templates/psp.yaml create mode 100644 charts/rancher-backup/103.0.0+up4.0.0-rc1/templates/pvc.yaml create mode 100644 
charts/rancher-backup/103.0.0+up4.0.0-rc1/templates/rancher-resourceset.yaml create mode 100644 charts/rancher-backup/103.0.0+up4.0.0-rc1/templates/s3-secret.yaml create mode 100644 charts/rancher-backup/103.0.0+up4.0.0-rc1/templates/serviceaccount.yaml create mode 100644 charts/rancher-backup/103.0.0+up4.0.0-rc1/templates/validate-install-crd.yaml create mode 100644 charts/rancher-backup/103.0.0+up4.0.0-rc1/templates/validate-psp-install.yaml create mode 100644 charts/rancher-backup/103.0.0+up4.0.0-rc1/tests/deployment_test.yaml create mode 100644 charts/rancher-backup/103.0.0+up4.0.0-rc1/tests/pvc_test.yaml create mode 100644 charts/rancher-backup/103.0.0+up4.0.0-rc1/tests/s3-secret_test.yaml create mode 100644 charts/rancher-backup/103.0.0+up4.0.0-rc1/values.yaml 
diff --git a/assets/rancher-backup-crd/rancher-backup-crd-103.0.0+up4.0.0-rc1.tgz b/assets/rancher-backup-crd/rancher-backup-crd-103.0.0+up4.0.0-rc1.tgz new file mode 100644 index 0000000000000000000000000000000000000000..ee991420a1352877688886be4465726b1859ff14 GIT binary patch literal 1778 zcmVDc zVQyr3R8em|NM&qo0PI`cZ`(K$&$IsuBKOeyfK@rp$H72x%{l3zxZa_#vwc}CP?{Rc zY$#GoQbCNx{_hKlvMtNhhaK6Q0Gd7&p{U;shclevXe==&3y}R8CXY$nCo*_HUSO%c zC63rxJLLPme|>qG{_p#K@qhp7a(Fhlyz(!GS2x#J!!v(yd41`hA-^U5m6Rxr<(dCt zUd6?|5yG4cjWrcqjd}S1$R2m}ZYZ4e>1%31ST85mx_HazUfmBrR5qi4l;W%FZdFlC{ z-@BV&hyQDcVum%S_n9VMdK6Uq|G*#m*9HH-@jL%N4dtB&#}uA5aPyb)9{;I~ z`#lYMkCX=^G)|Nj(Ij)(JD5{WQ{#_7;{a=H&JXJ|)^3!y_V0~5_f!nT%nYSS;t_I9 zu`ua*gpg(a?-Vf|h*=^rTQf<=6y;&Uuw0Gy5K=@KFCDW)>GaIXd^CmaBOC;&^q75> zlxvVL$gXQ_(e(@qu3WwWbPt!NcB(`&&2G)qk0wO%h z=872j?bpxWhSRNKgkmXT6BAbkYH4NG8*;~f=ks9+s?$eObqG@c+WP@*7> zxwE{5wj-nlZdIFby(?oxIgOHNga#$3<}e7;10zqyHiCrJEqW{kU(dBk1&~AjA+1VxX|w$Q>Pm90LuUoX)I!v8l)N_ANlC-=3k3CE}VqB zlGi|&dq#>rbdA=6)&m=wCFHTpeD`34sui>%A|Wu=h*_13pN6l^yidR!cn}Nf^1b8n z8sDCR+gz{!n+xr-+P{k%u*+r!qBIo&3cX~0b^n=7)(N#KC zwwsOivUVp8zn@~0kR6{_mbx96i3F_5U7#HvF6(QXhjvB$bFLO2Y+wZTt#P+JGvi`SLIlSn5Ku!Js`ueI+|GV%9 zSHrIUcM3X6{V!)XZ59EGC8$*;Fwf4O7VC0g?ooYBu)S&!5nM~b7|03CK>{bmq|TWI zR%L*>jdFzS+OS_4^4(#%4b;+G=gXiaq~Bhgc~({I+!V3emZ>ynssMH8N}DSW1Co}0 zUa#T6Ghs;p|D`-|?nUWcr%|F>lcqKl-Ia^3C0`vW=5jfK5T4`qmGt=bw3CW_EPXIM z16E?)4e{%)$`RINasM1kP|AG^w^XqMP1sm^go@HkqvdRPdvL7dm0If;;}xZP%YUw{x5@Sjk$bGKR8Q6AgjJGo ztkY)A;Ef%@@&u77&*M$0=a6ixti-&@k7|>%U5Nf}y7so}9Ci19EhN0O0jTEwf8!6Y ziv2$q*WLa9By_C%zpdQSWjaCfz0pFW|(*FZxq zB-~5syo^g)oka|F?y(C>*MMtld9QB{c{q5cV?!72zi$~q>KL-~##ovDp zZo1!porL~^Ce{M7f&&^)?s~o3^(a|jsgYh_ZBoa=uO<@(0h%q*_iZcs?sX?eM;&$4 U(QBta0ssL2|HzS|H~>Nb0A#Lc1^@s6 literal 0 HcmV?d00001 
diff --git a/assets/rancher-backup/rancher-backup-103.0.0+up4.0.0-rc1.tgz b/assets/rancher-backup/rancher-backup-103.0.0+up4.0.0-rc1.tgz new file mode 100644 index 0000000000000000000000000000000000000000..bf0817e14e183f4504f21e2e1decfc815d05e480 GIT binary patch literal 11559 zcmV+?E!ff@iwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0PMYKbKAI%9La~iJrb)k1R`$H`%5Z$Ik6e zAQF-oQ3OMPvgNp|=KK81`6W+b;ZAC?9VdOqsIHDh0tW{NI4i&d7uxz5xyk_Q6VKUf zjG;?Qb2zpB@pwg5Rdr`;i~p;tYVzNTT2}v2-r80x)$KPs+vR_#~p^}L=p+~V|+Jr*Os)6`&QFPb% z=M++XoY_=IE;WZHGJx4K^M>QZGDlQ_}b9F=%GA9&GGn-*j1D0ufH<@o8bN88VI@%Ym|a#h;GixnLzxBh*6-*nYHMgRnjewP~<8UV=J?oXDT|LI@m@wU8#4^A=E{1 z8jiJ6DwoOy=$L)~$*fX>@zNC|HNkaV%5k90FX=woQ9f007$n+H-K^4UlUiiikh%f~m8f#*{jwwz;V@ zc}hxhl$@UkL6mG-c!bHOWFy&ciOfcY37TJH*C4fm678E56kysz7ZU1vI`v#sU|i78 zVuD`^nKK)ZudG%Xeg4yPLOT6uIrLn9OiAef8MHh^9@zj`qW`zvRH{k+U#(W2_5V{8 za|%a@X?_7N>Aj1G7+k6kfalduRwfivm&w15ckI3WnGP ztf^^_0JJP1;DMoOF@fnKNRa^sb1rZ5`XW_^9kSuTVur*JS_BmUc=3V(Fpy16Xmyb8 zBHD&i1k52Ih;9Hf#-3$>fe_|Q9s)e%e~ZdM$2Nr~6X&3Q(TM;fB>}#RfkzNHsGk50 zTWA9q*#3nw=zxw*0){5C45qL$(5Qi8G3S*uKKOeVjkrMOKLpJpt%uk$kSl*6+i3DaTx@n+G!$y7w#n@$p|-gFg>|y&5#%Z(&omIT zW{62BvZ*q|mN!LYlL0swg5ZsgfJyvG*#Q1zfos#U6e1uq=2^_d!4Mc|XxgkRwmRSlH7rPopw(~DN52Ox_&i}yREk-Rip33Z zJvQ|*FigU_B*2*4aBAv+n`cZ>3QaGddA7s=ykcv}5KH|vU<+JyWP6si0c@P=3=jwD zz$5||5X(~^V@%lEi$Du|Ms5j!S0ksw?2P(Fhm8Q*26PR8Z6D75QFDVY-Txn)I>_!& zs83$YwX2~aaswkIW4d*0>&T&GQ(~Jn=`VCP1f|SD7C>xZHAdKQdgj;z*U;vKkOa-7 zCu4SkC}n>}!O58daDZoMLx5!lnGcgfcZ4W_z=19`bIO}f!X-dcVThx^G~2@gH8k!W*k};zGk+ddCTxT>y!Vpke~w#k2Wi6`R%6qX0u$`^jj)v znkpWfbR}%R$>?g{q8g~|n}xy)P&W)<;SsRV3|U}k!4dJT)KEGW3^edYK9f+FOBA2g zIhG&EAB;FRjNI-Fxxis#GeS^6w@hZpzYx^|(eN7+1dN=&|KHzO8)l3CUi-~+t>0_E zIoPGYvo3TzokBp616?k|Et612e*;gUX%og4rURg1xQLUKjv*Do!N!z}RW?(+=YoyT z1P0~G8>UZ6>gL;xvKs#Rrcx^J@E_&MM)@84^;Z1c*(i~jzEP64cgey!v#T4v)Il&jtFrZ8%QC@LOSyv zm;f)ZM;-nIyEX9bFW%{~oH_OqFm9lHy-{p2k&eJC7k%|i7m=v1!+njN*9BRN2M@r< zKMDmn9GbRC=K?%idZv!*y3XW3qe?W|z^gc}iCvSkM0_ 
zKIfF-&k8R9b|k2}bq(ia1GLc$xf|eM*v9nCMMSJ{Ip=&}qGllhwFZjfMUfNbl*5G< zfUXPYj66Yop~y+pd~jTI#z^JLH5IibR+%*l$%ISfp*iwgq&V16BzWX*I-X@Iyn97< zr1%|e7LsW3Sy;>dOW6MuO&tp|!Srd2EGEE8)On~Yu+0A7+D_X4J6k)?@xLc2-@Yl* zxB^8XAwNmM_Q_vnMWFokSAkVDhoICK9-@%3ev~Ftwg$}{*R<&n6#s*47ViZBF*)r2 zD2DhT+erOg`1Wn{*TRK}zxh!ap?jbak=jhuabdy(c3l3E4Nzcp28bB|;(0{GG4XMY z-HC;v!32QxFNi)yhGz-oO2?R>D9FOEn-W2v%KW9m<#PnM7?c7ghzX-;;F0Mk?v~eN zTWB9Rv56*VIzw&)PaWtYQ2ec2DsL%j z5tJIx5#civk(Zp}JKe_cw?wvelu4Dc}&8Ss$OC9&he9fdoACBu*XX-+%daA@9e%Q!-UBn5bk zQQ*vMW*O!KkT63l@UKNJZeA=!lh-X~@UQY8q!>e4{_W5E9kY5Ys3TDP&mt&(Dy}~! zJe^`&nnBC(6tx7RV`NQBWGo`CHSp~lFm2uPjJ&~>ME7~Me4aR#U6epX28uz~gMc%8 z2OTG|+JkuOw{ICu?!Z?MQ>Yh?3JNCKg`sOY;XDr&pA8 zKiX9LE+yCgmzI-@Ei^D~!?Z{D-W6D4|EoLIO5FahsBbFI@&6|&6VoVGMHCv4LgwGEsUv_?P$FQ$1w(c_E6~Dsz&35> zU4tzKfp~*2NT+3f@roN>;AN>Ru`KOEg7_|Aag$UP!cAW;T#B!Gk7Nuh+dIUYhCN2W zJ2QQC_|8mU2-%+?{&z|N+*4fyL=MAbskm`aF%`NE004?F;nd29aR=hd!0%TwQ6?g( zKzmp-BL>e{V|l|=pFz|*7>yEgXw;91%&$0rz=tj8aX}!G5juh!Z(9mCTEJg_)l#o1 z9Hsh;M*hEj3nEDVCP13>a`Pbq2f8CtOGZWczFf4H0*Z>lpB9sDMWh+u!AmvcPh-ve z*T|mLB6S6c8}I8{_fxxm((Iho8_nQ-5ItNV?_wfin579~$cYa3nyq^8xcjM7{j^(e z9QDpVb-JfoeZTqX__R^)9-Ou_ameGVm@iyPQL=yaRyM)Om%UEe)!?xpc6Mt~|3XfdcJ9PSe) z|44Kl2FE;VpqM=9QH*pV5OQXUJOWUNf+gvdovO)7xVhfv?HU#|r?p500Ce_fnLH0- z6S+$c$ft?@(+I@OSb9o_Cgv>)PR1e=fozjT?5(3c!aZ{OZ>k#Ta|Kh z|93|%Kl^`AQKBB#fcYn(%XNqc5Ad}Vhe1;aT-WJZ&_k}jmEoEc{SBcp#*<17A36W1}G|aaU(}Agqx%rpvcG08c3#*dwT4N94Uw9u>XJiR}p#?bBi<{ z5$@s%vj0_-r~CdY{!vgACH^guF8~vv;{#;98``2F&TzLNG*Yo=0>o45eT4lp((FWN1t49LoB50i2)|?HjWm-rWf+0y_ zAvOj4BKBZ@Ss*`cL3h(0rR1iZl7}y2X}u}@!yESh70skz%`l#deAfT~8o7uB!{m>| za_r8XaQFu{uO@#r#g8BDkUw$BjsGyY_DG)rFNyz@D_c8>_|NuE^?CpQNy@6aO&$t; zQtd{Zhbgv2I)%%cGyg@C=+J^9NyM|(`QBP5bL-}p9G%1$-jC*zf8UZX|K$maN9bdz z{8zVA^1u8X|9_IQ#V4wDc7Swe_$O$$=`J^FeT(~Ahr?$=| zdJy9f;xDz;8cmBJLC(tkIVgQF(hK%qU84M&7Rk^Lh97N0(gr@4txTBD=3XSa$w@dnY0P zD`mC3^(_CNqQqjQ8J}PUf?ks^J1A=>B)M7?f@nd$xTo&R{w|MfH_|HNmm$tTWfu4Ut89`1Y^Lr-L-Jayn#4;2V?O?$K_u}&Fs 
zqzVF#W<<%%Fve?SC;ei>$Y}!>rvv-;4ah_*1}I*Pku6gj@yux%Da$(5XqJ%;0Kp7e zW@y9bb_J#$pA>!?XMF z@RG0pV+RTzWCSd=|I^?9s$0+T|0gMreemglU(+VOTDy+pwkQ|}8-`6XOJKXUArPs3F|Cc}~R)xA=v}ZqR zko8LjGd^vAm*~bMlrVxzm@$lAp|3#|KC~Dnp?#|Pe>Jo{k^E|E5@On;5;zm-VWd0| zNu{vsBI00vYK}FLX{N*xAHS-|b88auvQ+d_xGfxBm1T>d-6@pZuWk^kzB zs;1=s_H+FANy_(-|0|y>{VLE6(5u||; z;hl})Or#4-fdTcigCGtah&?~8^;zeP0Mm{LG+){|F4hs^nUace8Mff>A3gsG{@0rI zy_05XYCL8iOZfjy^-VJWYjx{6{`)lLMdHGxLZKTjZ0B+A%gMhjr&K72%<3N*JN@y> z&yqYc>DU{TbUfW$au>zxNS}R zU0?+iajaTg@Wfr~McpmzYC$)tfi`5sQXJ@JvUi9r3tw~dkIPPro1emPly%u-2fA>I zC~}FPwlRT(m;<)r=op!95b_ka)zk`wJ8lK7RDI5t@lknIJ{${3@%Ho0*-Yl{?a~Dt>C8EPV zZIW@|5@>j?i)Qk`L2fSKDz9#F_@q^*#Mu# zL7yWu|I7#bS!{0d-+ai$;-c~TpCg8UuQzfX+F*dV6bzWMlI zrA2oLI@Jws$%qXF_Jq&i>m=CN7Dsf}B-BLpU}s~OnLYB?wMoa^=m}cA@~1J?Uu3(X z>Ho>FlVkB0rc^F2Z=P=5s7n-fwg9qqY%rg+&hPA42rY(J2sUq{L9D(`=a{jDIrKHx zU4#X)&cg{QAQ=!wPQd|j3@*7jljg<)%FmuTlmKK>t~p~Dk%-K!6vwX9*#OuDhUp@m zTJxYiw_^K}T?AXC5i*I$&w>m9Dfpbs&+-|_=?w&xgN59$)N6a>3ZcqX9SDH@J9LkFR zL?c8)7f)G5614OkBi@m8k34xr-P9cM%g21EyfwB_Mg)ng7hsq}e!!S!$Cz5!1yivh z6%+DfeC?ZsY!E{P+1NIuV5b;h&jlZuwGhg8$uQzt4!6W!2H_wk^c^@tL>XdNA>Lq& zpn=@vJl%Ss;L!$GXOmi?pn#7#y5(M>G=4O@8}$Lk z&^FitU@chhp2P2PjSx8yt$eyet?5slFmJ?LK{FC82JQ`6!8|dSXat!nMC4Klfe+^3 ztB2gV?>j^=sGl9kOAa@H1N8~-!r!0_Aw)eX3f%##F*Gf4-35U&M1V;H%gOicjJ#uY zr8KeRB964B;x^EbTTB~ts!AkUgL#q*QHucLF{6s`TRo#enGOD@X-AS?`X5!6z@9iG z7+Uum+#qAv=*cURlB3uF1CLoa$mI?qK>8fBFtrt^p`Ng88?|Ekd4yH{utqaX4sZ-9wIbk|J?fq`Belamq3yMHzf{=0V&*k zT`DM2CjbT1ee~HX;T!$0K8u&1Uken)%`Zf_zWmD8NwDsjW6zdYzz-36@M~TffCvSo zOb$aiC5cH8NMq1#01Yt4I=_TBdI?+b-emt#{B25bCbKIo zoaWHKmCZJpH|zh9=~*^k3kPt(_`*d~JVQn(pW{-t1OjC1jA$+*o<%pnufNJg?=2eX zufKv<*yT(MhAtxGU^~KOk5Yv3)xzry&TQf=3c7KSE(M8$T&B#KC^2nCT!`fRDcmXv zR4JEDpL6}_&;Aw8pSh#_8JI(+3dWEKvN$f9nb;%NJg7)r4}C5b{^!5`n^C0jJNWh2 zHm0cd>#v31!9i?uSl+6%!DGKZC>iM%*Wy9~AR$;cc^rTv%jz;OIg~5uSu$-fgfm9c zA%K8MRSU^rfdF4yH0Dw;mkH#>WzIe!=gb0%m|E#+l5@|o;@2fJpMPdT0Kw;|@Aw(K zLNmsbqJt^4JsuX+Ed*_5SOjBz&6boYm4}7=efsxeqs>2r1Rxl=m~lCwOvyze)IPpk 
zopKrvJ(q`AISe7}c_1dZlK2|C6Y%PD+^PJ$kr=`TKvXZiE-^|4v~tBn6EH$de|h>O zI3B<;+W?NhS;scvS5HO+2IJI-B^nTe!;Ott>{k%J=n6fD=_PrQ_M(;TUrxLciRAD> zi&d1d(1aa<42G3S84HY|H4J4!V6FK(Ix(|Aq9g(o!HKUzL}qYCZ`k?>j?}&^7Lq+o;wNr1LFa!V9IyIkvQz%IY%@6e^ZweQ|NXTndU8NENvQ@#Ia zM)+S^)|db2vE{$|X6sE#{%<|Uf1jizm>zvs>6|Tv&pl42&q=qk6j;Llm7O<9`>*<@QhnzCrzqcn&w}-_$O?P}i!SJBscje5d}7n?yLP;a z5Ln*-Bba%QIuT-%h~GOKQAE`YBt_VRQQ~0~SiMK+n36K79@ks`8I}CcT5?z|pnha2 z2r1TYyFXJ4jDK$(Nu>n*3r(9hj*ECCBcS>O&2t7RXdT=o7hdpR zJh1(T@>DnYSfs8et_ryK=yO4d}l%UtJwlYu^x{9j-Ha|G7%0G8J{;#S& z+y75fR^gXW^5=`adokd8f(-z4!&5d@=%o0;$iru`~T5;?77^ptZ)B~Cg=&`zm@H0`|l~r<4b$C zJ{Cy!*y|^XFpnna2kq^#o_|c}C*E`J{IAdd(GS^Xl~qK+vi<+9?Zo{*m9011&+*?U zDUZ+p(e)8E`rHXprcfW7w$F??ZxfHBKmEf;H;O5VrBYxLARf%tS|rl7QS*>t^t#&`LCxbNfG3K z$@Ih)T5?h4Y&a#W1shI}xT%%f$9*GZ-_^`Z6Yfdu+NIq-f+3Mwiz@~p7lf-A3g{(kVwwq&O51*QI`XOkozFg=2AC6T2pz>lP$r;c$XpU6Yz@!F&%JDeLUg z%R5P>SmXp!XyJIsC7l61jpNFPqw@FR_>R21!Y#DC*reK+1}WFlyK}3b%Mv}Td3q-l z@oXjArOfVFM{5cHctD{DQd{_`xyhquGSHKpz{R|V985A?k<6s`8DJu5^jB6l3l((f z*LzP-7Sh68UH?4Ak2be{x{}KOPAIegeV_dkd+^X302kZ;T#4m>|D8Rohyr6(jV`MqVB_--u1u8Bkn!_a}^i;2wsMP}qj zM8XFc#iU(7X?D))jb;WCzAX`4&0GNNx#%JFvIdHbn*4Y1foKy4=_MaPiT}z%COVKv z->HH4pMUf8#b=&niA4I3kEHHrN+uuGKT7HDq6pV{GMfx+)6D{+CtfjaGHhdd<|2Y@ z`W>jg&Vb^mWK6=q8vzTCEHpz_bX5FJjbAIX&IlxKWX(Z9cSK|h88fPZqM~plGSC(| zOS91CZ+w> z3+kTZLiQ{%tiU=Fce%aqcF#VYX{R49<7U%BtiLZhou3Gw_Gu0>J`(EY+l{gs{`sa- zD(~x5Obwe*;{bG8`UsJ;V&B0+^6UFOGm_L3&p>c3q)0K^2_obN zBO3>gn>R@JsEO^c9f(~j&_(W)L|-boAwT~;5BwP>nb5g|V(+4%z5_e)%D)dN{!{^k z7y#UFtwac$u}-qd_7K7?A>DG~EhFDT0_Kr0Bx2fs3omqdd`^u3|ET_v!>c?<9EOH5 zDW+5c=icx!8V-?8c@$sH4ay89HyM%{hNfh?)rTJXv|*FPH^d_UzcN8{AC)K~{Nh&s zMGpFZTl(G)-||9yGw8X1qB$rp6!$@}MqB~4*6LqT?5DcOk7b2Oq=Q-Voxk9G6Wy~c z8O8k$fvsfcc{Y6%i60#c|KC_L_kWz3{wNzivMf9QRo+UR|1IyR<(=pKpQk9%{hzab zBfjzT;9Z>nK(+(yOOd1>{E)4mxVygc*3VO5y6*mvxU%qs`9e>DtFU*&K9d#!C~62A z7p_Ussht@VC+6*wP?cjE9t&{A4Q<4afF!W4?3>>aS5{;MrL3}^9vgiDHPaM{MVKC! 
z>bVw5q|e-az-T1u$<{-((~SMgd^7&BvE?fw9*dJd72V&weT)$$faVSFaTf_kAR3qy zKloL{D-SG&Qglc$VE@*U*5=YkYh;2RSD-BF{@#l*mj*xDzLP6uUSC}U#X0s|@gN9> z$@`)sTi&Evf>U^lZFo&eI-ahgmsUSbrjY8&Ud7*N%Rf2V4BP<^l@_6`k-9R_5%wXk=phCnCf;vn!EL&F)V( zD8M&GN8mT+yy{p4>wbj%3JC!yj<-<--dk-h=z4Hs>_)2Y6JH5l*E7dwW z?@{NXb>+01&h9`x-0t?8*P7by>OG^|xj4AhTCLXkq+RXzTJ7_RwWam6-L86Qcdg5# z^GU1S?H%0qrZ-O)jI9Bn&p0F{G~f7e?9*& zZfng+x!c!l)Z6a$y8RDu(&~2mhr7nL)4VEM&A!#rw5GOuwYLi|np@Z1mT?N3Y#fJ& zaMC(GpBk=yF?L~3-!^V{8|VF2OPjQIyJ~y4*B$S6d)DFkq-}TD?_Phm@uj|H*!}8x zQ+#2P!b=tE&oKLRj{oBj!i@mEG zWbcmKm4nJjwO2V-x2GrerE@wx#ZMEC#cdt66e6@F}o}W7xdT+dUZe5)Y zdfPWA)n*m;FV$|d3_E>C)2r>BBeit{d*zOyI;SW7{?U2&YNxN#o?f}U)vLSnbM>%d zT-+R9Os`1)L%-SW*XIpeYjhiQNB?lu)KzECxUk0UW^>l79JafaceFn}sa)7?+TEXA zpL{XALDksTETej2Yffi!vTdk0Ct9<-)wU0D|NZ$EtoCR9_m@ZK9}b<~m))(42{pCe z*7k9^cRNtaWz_2*4c=eP^~t--PUXt$?e(q)lecqyzYWjrtHz+}^tv5-d1Y&}^Rlts zv&Toh>A|+%YIn7|b9Da2n)aG4dVJfy(p%2S$-Z`USs^!Cd0g%EwB25>)fn8i+eW3` zJHOBxSL*gfr`1%o-j&_!_qN;bds`PDtP^9}tekWY?QYqbH>O)#=eE^4ue3eA-}+*d zTlPgyyXbw{{dzvpZVmO_)p<_a!IyCZ_4<34mF=6}MIUQ+OY8T_jn0SBQOFlpjq_f) zeg3808SJ0j_C9D=Clh1uyxiIwRIYC>KJ@o`J-T~Yadx{sUjLvsDYwooZC7iyv`*t) z`@FmR{=D42(XO2&5AL>`7F+90t$e6ml{ISI8vXVM?Oc0b-#)K64x<85TVtHSr%Ue9Vx&MWV%PTBZyHEEfH z`P*wl?RU_ZtK0TuJn6R%Z`;?-d;P-NZ(m%|i+yLOqgtnWclXQ5du@KD-cV?@kBsv8 zx?}g$E4#ga+SKP)z46wd;+!7c8i(iQme-k#w)K7OKolGp)Q?)~*+-hA`TeHq>>!`DDG= 1.23.0-0 < 1.28.0-0' + catalog.cattle.io/namespace: cattle-resources-system + catalog.cattle.io/os: linux + catalog.cattle.io/permits-os: linux,windows + catalog.cattle.io/provides-gvr: resources.cattle.io.resourceset/v1 + catalog.cattle.io/rancher-version: '>= 2.8.0-0 < 2.9.0-0' + catalog.cattle.io/release-name: rancher-backup + catalog.cattle.io/scope: management + catalog.cattle.io/type: cluster-tool + catalog.cattle.io/ui-component: rancher-backup + catalog.cattle.io/upstream-version: 2.1.1 +apiVersion: v2 +appVersion: 4.0.0-rc1 +description: Provides ability to back up and restore the Rancher application running + on any 
Kubernetes cluster +icon: https://charts.rancher.io/assets/logos/backup-restore.svg +keywords: +- applications +- infrastructure +kubeVersion: '>= 1.23.0-0' +name: rancher-backup +version: 103.0.0+up4.0.0-rc1 diff --git a/charts/rancher-backup/103.0.0+up4.0.0-rc1/README.md b/charts/rancher-backup/103.0.0+up4.0.0-rc1/README.md new file mode 100644 index 000000000..59bff4425 --- /dev/null +++ b/charts/rancher-backup/103.0.0+up4.0.0-rc1/README.md 
@@ -0,0 +1,79 @@ +# Rancher Backup + +This chart provides ability to back up and restore the Rancher application running on any Kubernetes cluster. + +Refer [this](https://github.com/rancher/backup-restore-operator) repository for implementation details. + +----- + +### Get Repo Info +```bash +helm repo add rancher-chart https://charts.rancher.io +helm repo update +``` + +----- + +### Install Chart +```bash +helm install rancher-backup-crd rancher-chart/rancher-backup-crd -n cattle-resources-system --create-namespace +helm install rancher-backup rancher-chart/rancher-backup -n cattle-resources-system +``` + +----- + +### Configuration +The following table lists the configurable parameters of the rancher-backup chart and their default values: + +| Parameter | Description | Default | +|----------|---------------|-------| +| image.repository | Container image repository | rancher/backup-restore-operator | +| image.tag | Container image tag | v0.1.0-rc1 | +| s3.enabled | Configure S3 compatible default storage location. Current version supports S3 and MinIO | false | +| s3.credentialSecretName | Name of the Secret containing S3 credentials. This is an optional field. Skip this field in order to use IAM Role authentication. The Secret must contain following two keys, `accessKey` and `secretKey` | "" | +| s3.credentialSecretNamespace | Namespace of the Secret containing S3 credentials. This can be any namespace. | "" | +| s3.region | Region of the S3 Bucket (Required for S3, not valid for MinIO) | "" | +| s3.bucketName | Name of the Bucket | "" | +| s3.folder | Base folder within the Bucket (optional) | "" | +| s3.endpoint | Endpoint for the S3 storage provider | "" | +| s3.endpointCA | Base64 encoded CA cert for the S3 storage provider (optional) | "" | +| s3.insecureTLSSkipVerify | Skip SSL verification | false | +| persistence.enabled | Configure a Persistent Volume as the default storage location. 
It accepts either a StorageClass name to create a PVC, or directly accepts the PV to use. The Persistent Volume is mounted at `/var/lib/backups` in the operator pod | false | +| persistence.storageClass | StorageClass to use for dynamically provisioning the Persistent Volume, which will be used for storing backups | "" | +| persistence.volumeName | Persistent Volume to use for storing backups | "" | +| persistence.size | Requested size of the Persistent Volume (Applicable when using dynamic provisioning) | "" | +| debug | Set debug flag for backup-restore deployment | false | +| trace | Set trace flag for backup-restore deployment | false | +| nodeSelector | https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector | {} | +| tolerations | https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration | [] | +| affinity | https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity | {} | +| serviceAccount.annotations | Annotations to apply to created service account | {} | +| global.cattle.psp.enabled | Enable or disable PSPs in the chart | false | + +----- + +### PSPs + +We have added a configuration to the chart `values.yaml` which allows you to enable or disable PSPs to align with the PSP deprecation in Kubernetes `v1.25` and above. + +----- + +### CRDs + +Refer [this](https://github.com/rancher/backup-restore-operator#crds) section for information on CRDs that this chart installs. Also refer [this](https://github.com/rancher/backup-restore-operator/tree/master/examples) folder containing sample manifests for the CRDs. + +----- +### Upgrading Chart +```bash +helm upgrade rancher-backup-crd -n cattle-resources-system +helm upgrade rancher-backup -n cattle-resources-system +``` + +----- +### Uninstall Chart + +```bash +helm uninstall rancher-backup -n cattle-resources-system +helm uninstall rancher-backup-crd -n cattle-resources-system +``` + 
diff --git a/charts/rancher-backup/103.0.0+up4.0.0-rc1/app-readme.md b/charts/rancher-backup/103.0.0+up4.0.0-rc1/app-readme.md
new file mode 100644
index 000000000..b1406d5ee
--- /dev/null
+++ b/charts/rancher-backup/103.0.0+up4.0.0-rc1/app-readme.md
@@ -0,0 +1,33 @@ +# Rancher Backup + +This chart enables ability to capture backups of the Rancher application and restore from these backups. This chart can be used to migrate Rancher from one Kubernetes cluster to a different Kubernetes cluster. + +For more information on how to use the feature, refer to our [docs](https://ranchermanager.docs.rancher.com/pages-for-subheaders/backup-restore-and-disaster-recovery). + +This chart installs the following components: + +- [backup-restore-operator](https://github.com/rancher/backup-restore-operator) + - The operator handles backing up all Kubernetes resources and CRDs that Rancher creates and manages from the local cluster. It gathers these resources by querying the Kubernetes API server, packages all the resources to create a tarball file and saves it in the configured backup storage location. + - The operator can be configured to store backups in S3-compatible object stores such as AWS S3 and MinIO, and in persistent volumes. During deployment, you can create a default storage location, but there is always the option to override the default storage location with each backup, but will be limited to using an S3-compatible object store. + - It preserves the ownerReferences on all resources, hence maintaining dependencies between objects. + - This operator provides encryption support, to encrypt user specified resources before saving them in the backup file. It uses the same encryption configuration that is used to enable [Kubernetes Encryption at Rest](https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/). +- Backup - A backup is a CRD (`Backup`) that defines when to take backups, where to store the backup and what encryption to use (optional). Backups can be taken ad hoc or scheduled to be taken in intervals. +- Restore - A restore is a CRD (`Restore`) that defines which backup to use to restore the Rancher application to. 
+ +## Upgrading to Kubernetes v1.25+ + ​ +Starting in Kubernetes v1.25, [Pod Security Policies](https://kubernetes.io/docs/concepts/security/pod-security-policy/) have been removed from the Kubernetes API. + ​ +As a result, **before upgrading to Kubernetes v1.25** (or on a fresh install in a Kubernetes v1.25+ cluster), users are expected to perform an in-place upgrade of this chart with `global.cattle.psp.enabled` set to `false` if it has been previously set to `true`. +​ +> **Note:** +> In this chart release, any previous field that was associated with any PSP resources have been removed in favor of a single global field: `global.cattle.psp.enabled`. + ​ +> **Note:** +> If you upgrade your cluster to Kubernetes v1.25+ before removing PSPs via a `helm upgrade` (even if you manually clean up resources), **it will leave the Helm release in a broken state within the cluster such that further Helm operations will not work (`helm uninstall`, `helm upgrade`, etc.).** +> +> If your charts get stuck in this state, please consult the Rancher docs on how to clean up your Helm release secrets. +​ +Upon setting `global.cattle.psp.enabled` to false, the chart will remove any PSP resources deployed on its behalf from the cluster. This is the default setting for this chart. +​ +As a replacement for PSPs, [Pod Security Admission](https://kubernetes.io/docs/concepts/security/pod-security-admission/) should be used. Please consult the Rancher docs for more details on how to configure your chart release namespaces to work with the new Pod Security Admission and apply Pod Security Standards. diff --git a/charts/rancher-backup/103.0.0+up4.0.0-rc1/files/default-resourceset-contents/aks.yaml b/charts/rancher-backup/103.0.0+up4.0.0-rc1/files/default-resourceset-contents/aks.yaml new file mode 100644 index 000000000..779742058 --- /dev/null +++ b/charts/rancher-backup/103.0.0+up4.0.0-rc1/files/default-resourceset-contents/aks.yaml 
@@ -0,0 +1,25 @@
+- apiVersion: "apiextensions.k8s.io/v1"
+ kindsRegexp: "."
+ resourceNameRegexp: "aks.cattle.io$"
+- apiVersion: "aks.cattle.io/v1"
+ kindsRegexp: "."
+- apiVersion: "apps/v1"
+ kindsRegexp: "^deployments$"
+ namespaces:
+ - "cattle-system"
+ resourceNames:
+ - "aks-config-operator"
+- apiVersion: "rbac.authorization.k8s.io/v1"
+ kindsRegexp: "^clusterroles$"
+ resourceNames:
+ - "aks-operator"
+- apiVersion: "rbac.authorization.k8s.io/v1"
+ kindsRegexp: "^clusterrolebindings$"
+ resourceNames:
+ - "aks-operator"
+- apiVersion: "v1"
+ kindsRegexp: "^serviceaccounts$"
+ namespaces:
+ - "cattle-system"
+ resourceNames:
+ - "aks-operator"
diff --git a/charts/rancher-backup/103.0.0+up4.0.0-rc1/files/default-resourceset-contents/eks.yaml b/charts/rancher-backup/103.0.0+up4.0.0-rc1/files/default-resourceset-contents/eks.yaml
new file mode 100644
index 000000000..ae57baddf
--- /dev/null
+++ b/charts/rancher-backup/103.0.0+up4.0.0-rc1/files/default-resourceset-contents/eks.yaml
@@ -0,0 +1,17 @@
+- apiVersion: "eks.cattle.io/v1"
+ kindsRegexp: "."
+- apiVersion: "apps/v1"
+ kindsRegexp: "^deployments$"
+ resourceNames:
+ - "eks-config-operator"
+- apiVersion: "apiextensions.k8s.io/v1"
+ kindsRegexp: "."
+ resourceNameRegexp: "eks.cattle.io$"
+- apiVersion: "rbac.authorization.k8s.io/v1"
+ kindsRegexp: "^clusterroles$"
+ resourceNames:
+ - "eks-operator"
+- apiVersion: "rbac.authorization.k8s.io/v1"
+ kindsRegexp: "^clusterrolebindings$"
+ resourceNames:
+ - "eks-operator"
diff --git a/charts/rancher-backup/103.0.0+up4.0.0-rc1/files/default-resourceset-contents/elemental.yaml b/charts/rancher-backup/103.0.0+up4.0.0-rc1/files/default-resourceset-contents/elemental.yaml
new file mode 100644
index 000000000..1d38b1229
--- /dev/null
+++ b/charts/rancher-backup/103.0.0+up4.0.0-rc1/files/default-resourceset-contents/elemental.yaml
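Review bot: The `apps/v1` deployments selector for `eks-config-operator` in eks.yaml carries no `namespaces:` restriction, whereas the equivalent `aks-config-operator` entry in aks.yaml is pinned to `cattle-system`, and eks.yaml has no `serviceaccounts` entry at all while aks.yaml backs up the operator's service account. If an absent `namespaces` field means "all namespaces" in the operator's selector semantics, any Deployment of that name in any namespace would be swept into the backup, which is presumably not intended. Both files are generated by `make charts` from the upstream chart, so if this asymmetry is unintended the change belongs upstream or in a patch under `packages/rancher-backup/rancher-backup/generated-changes/patch/`, not in `charts/`; for the eks deployment entry that would be adding `namespaces:` with `- "cattle-system"` beneath it, mirroring aks.yaml.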
@@ -0,0 +1,49 @@ +- apiVersion: "apiextensions.k8s.io/v1" + kindsRegexp: "." + resourceNameRegexp: "elemental.cattle.io$" +- apiVersion: "apps/v1" + kindsRegexp: "^deployments$" + namespaces: + - "cattle-elemental-system" + resourceNames: + - "elemental-operator" +- apiVersion: "rbac.authorization.k8s.io/v1" + kindsRegexp: "^clusterroles$" + resourceNames: + - "elemental-operator" +- apiVersion: "rbac.authorization.k8s.io/v1" + kindsRegexp: "^clusterrolebindings$" + resourceNames: + - "elemental-operator" +- apiVersion: "v1" + kindsRegexp: "^serviceaccounts$" + namespaces: + - "cattle-elemental-system" + resourceNames: + - "elemental-operator" +- apiVersion: "management.cattle.io/v3" + kindsRegexp: "^globalrole$" + resourceNames: + - "elemental-operator" +- apiVersion: "management.cattle.io/v3" + kindsRegexp: "^apiservice$" + resourceNameRegexp: "elemental.cattle.io$" +- apiVersion: "elemental.cattle.io/v1beta1" + kindsRegexp: "." + namespaceRegexp: "^cattle-fleet-|^fleet-" +- apiVersion: "rbac.authorization.k8s.io/v1" + kindsRegexp: "^roles$|^rolebindings$" + labelSelectors: + matchExpressions: + - key: "elemental.cattle.io/managed" + operator: "In" + values: ["true"] + namespaceRegexp: "^cattle-fleet-|^fleet-" +- apiVersion: "v1" + kindsRegexp: "^secrets$|^serviceaccounts$" + labelSelectors: + matchExpressions: + - key: "elemental.cattle.io/managed" + operator: "In" + values: ["true"] + namespaceRegexp: "^cattle-fleet-|^fleet-" diff --git a/charts/rancher-backup/103.0.0+up4.0.0-rc1/files/default-resourceset-contents/fleet.yaml b/charts/rancher-backup/103.0.0+up4.0.0-rc1/files/default-resourceset-contents/fleet.yaml new file mode 100644 index 000000000..a14125fec --- /dev/null +++ b/charts/rancher-backup/103.0.0+up4.0.0-rc1/files/default-resourceset-contents/fleet.yaml 
@@ -0,0 +1,53 @@
+- apiVersion: "v1"
+ kindsRegexp: "^namespaces$"
+ resourceNameRegexp: "^fleet-"
+- apiVersion: "v1"
+ kindsRegexp: "^secrets$"
+ namespaceRegexp: "^cattle-fleet-|^fleet-"
+ excludeResourceNameRegexp: "^import-token"
+ labelSelectors:
+ matchExpressions:
+ - key: "owner"
+ operator: "NotIn"
+ values: ["helm"]
+ - key: "fleet.cattle.io/managed"
+ operator: "In"
+ values: ["true"]
+- apiVersion: "v1"
+ kindsRegexp: "^serviceaccounts$"
+ namespaceRegexp: "^cattle-fleet-|^fleet-"
+ excludeResourceNameRegexp: "^default$"
+- apiVersion: "v1"
+ kindsRegexp: "^configmaps$"
+ namespaceRegexp: "^cattle-fleet-|^fleet-"
+- apiVersion: "rbac.authorization.k8s.io/v1"
+ kindsRegexp: "^roles$|^rolebindings$"
+ namespaceRegexp: "^cattle-fleet-|^fleet-"
+- apiVersion: "rbac.authorization.k8s.io/v1"
+ kindsRegexp: "^clusterrolebindings$"
+ resourceNameRegexp: "^fleet-|^gitjob-"
+- apiVersion: "rbac.authorization.k8s.io/v1"
+ kindsRegexp: "^clusterroles$"
+ resourceNameRegexp: "^fleet-"
+ resourceNames:
+ - "gitjob"
+- apiVersion: "apiextensions.k8s.io/v1"
+ kindsRegexp: "."
+ resourceNameRegexp: "fleet.cattle.io$|gitjob.cattle.io$"
+- apiVersion: "fleet.cattle.io/v1alpha1"
+ kindsRegexp: "."
+ excludeKinds:
+ - "bundledeployments"
+- apiVersion: "gitjob.cattle.io/v1"
+ kindsRegexp: "."
+- apiVersion: "apps/v1"
+ kindsRegexp: "^deployments$"
+ namespaceRegexp: "^cattle-fleet-|^fleet-"
+ resourceNameRegexp: "^fleet-"
+ resourceNames:
+ - "gitjob"
+- apiVersion: "apps/v1"
+ kindsRegexp: "^services$"
+ namespaceRegexp: "^cattle-fleet-|^fleet-"
+ resourceNames:
+ - "gitjob"
diff --git a/charts/rancher-backup/103.0.0+up4.0.0-rc1/files/default-resourceset-contents/gke.yaml b/charts/rancher-backup/103.0.0+up4.0.0-rc1/files/default-resourceset-contents/gke.yaml
new file mode 100644
index 000000000..a87eef364
--- /dev/null
+++ b/charts/rancher-backup/103.0.0+up4.0.0-rc1/files/default-resourceset-contents/gke.yaml
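Review bot: The last selector asks for `kindsRegexp: "^services$"` under `apiVersion: "apps/v1"`, but Services are a core-group kind (`v1`), so unless the operator resolves kinds across API groups — nothing in this chart suggests it does — this entry matches nothing and the `gitjob` Service is silently left out of every backup. Change it to `- apiVersion: "v1"` and keep the rest of the entry; the `secrets`, `serviceaccounts` and `configmaps` entries above already use `"v1"` for core kinds. A quick way to confirm is to take a backup and check the archive for a `services` entry for `gitjob`.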
@@ -0,0 +1,17 @@
+- apiVersion: "apiextensions.k8s.io/v1"
+ kindsRegexp: "."
+ resourceNameRegexp: "gke.cattle.io$"
+- apiVersion: "gke.cattle.io/v1"
+ kindsRegexp: "."
+- apiVersion: "apps/v1"
+ kindsRegexp: "^deployments$"
+ resourceNames:
+ - "gke-config-operator"
+- apiVersion: "rbac.authorization.k8s.io/v1"
+ kindsRegexp: "^clusterroles$"
+ resourceNames:
+ - "gke-operator"
+- apiVersion: "rbac.authorization.k8s.io/v1"
+ kindsRegexp: "^clusterrolebindings$"
+ resourceNames:
+ - "gke-operator"
diff --git a/charts/rancher-backup/103.0.0+up4.0.0-rc1/files/default-resourceset-contents/provisioningv2.yaml b/charts/rancher-backup/103.0.0+up4.0.0-rc1/files/default-resourceset-contents/provisioningv2.yaml
new file mode 100644
index 000000000..50a7f906b
--- /dev/null
+++ b/charts/rancher-backup/103.0.0+up4.0.0-rc1/files/default-resourceset-contents/provisioningv2.yaml
@@ -0,0 +1,23 @@
+- apiVersion: "apiextensions.k8s.io/v1"
+ kindsRegexp: "."
+ resourceNameRegexp: "provisioning.cattle.io$|rke-machine-config.cattle.io$|rke-machine.cattle.io$|rke.cattle.io$|cluster.x-k8s.io$"
+- apiVersion: "provisioning.cattle.io/v1"
+ kindsRegexp: "."
+- apiVersion: "rke-machine-config.cattle.io/v1"
+ kindsRegexp: "."
+- apiVersion: "rke-machine.cattle.io/v1"
+ kindsRegexp: "."
+- apiVersion: "rke.cattle.io/v1"
+ kindsRegexp: "."
+- apiVersion: "cluster.x-k8s.io/v1beta1"
+ kindsRegexp: "."
+- apiVersion: "v1"
+ kindsRegexp: "^secrets$"
+ resourceNameRegexp: "machine-plan$|rke-state$|machine-state$|machine-driver-secret$|machine-provision$|^harvesterconfig"
+ namespaces:
+ - "fleet-default"
+- apiVersion: "v1"
+ kindsRegexp: "^configmaps$"
+ resourceNames:
+ - "provisioning-log"
+ namespaceRegexp: "^c-m-"
diff --git a/charts/rancher-backup/103.0.0+up4.0.0-rc1/files/default-resourceset-contents/rancher-operator.yaml b/charts/rancher-backup/103.0.0+up4.0.0-rc1/files/default-resourceset-contents/rancher-operator.yaml
new file mode 100644
index 000000000..f30c2fd96
--- /dev/null
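Review bot: In provisioningv2.yaml the `^secrets$` selector that captures the `machine-plan`, `rke-state`, `machine-state`, `machine-driver-secret`, `machine-provision` and `harvesterconfig` secrets is limited to `namespaces:` / `- "fleet-default"`, while every provisioning CR above it is selected cluster-wide. A provisioned cluster living in any other fleet workspace namespace would have its CRs backed up but not the secrets those CRs depend on, and the fleet.yaml selector only picks up secrets labelled `fleet.cattle.io/managed`, so I would not count on it catching these. Unless the operator only supports `fleet-default` here, `namespaceRegexp: "^fleet-"` in place of the fixed `namespaces` list looks like the safer choice. These secrets carry node and infrastructure credentials, so whatever holds the archive (PVC or S3 bucket) has to be protected like the cluster itself; a one-line `# contains node/cloud credentials — backup target must be access-controlled` comment above the selector would make that visible to whoever edits this file next.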
+++ b/charts/rancher-backup/103.0.0+up4.0.0-rc1/files/default-resourceset-contents/rancher-operator.yaml
@@ -0,0 +1,28 @@
+- apiVersion: "rancher.cattle.io/v1"
+ kindsRegexp: "."
+- apiVersion: "apps/v1"
+ kindsRegexp: "^deployments$"
+ resourceNames:
+ - "rancher-operator"
+ namespaces:
+ - "rancher-operator-system"
+- apiVersion: "v1"
+ kindsRegexp: "^serviceaccounts$"
+ namespaces:
+ - "rancher-operator-system"
+ excludeResourceNameRegexp: "^default$"
+- apiVersion: "rbac.authorization.k8s.io/v1"
+ kindsRegexp: "^clusterrolebindings$"
+ resourceNames:
+ - "rancher-operator"
+- apiVersion: "rbac.authorization.k8s.io/v1"
+ kindsRegexp: "^clusterroles$"
+ resourceNames:
+ - "rancher-operator"
+- apiVersion: "apiextensions.k8s.io/v1"
+ kindsRegexp: "."
+ resourceNameRegexp: "rancher.cattle.io$"
+- apiVersion: "v1"
+ kindsRegexp: "^namespaces$"
+ resourceNames:
+ - "rancher-operator-system"
diff --git a/charts/rancher-backup/103.0.0+up4.0.0-rc1/files/default-resourceset-contents/rancher.yaml b/charts/rancher-backup/103.0.0+up4.0.0-rc1/files/default-resourceset-contents/rancher.yaml
new file mode 100644
index 000000000..47fa2e02f
--- /dev/null
+++ b/charts/rancher-backup/103.0.0+up4.0.0-rc1/files/default-resourceset-contents/rancher.yaml
@@ -0,0 +1,65 @@ +- apiVersion: "v1" + kindsRegexp: "^namespaces$" + resourceNameRegexp: "^cattle-|^p-|^c-|^user-|^u-" + resourceNames: + - "local" +- apiVersion: "v1" + kindsRegexp: "^secrets$" + namespaceRegexp: "^cattle-|^p-|^c-|^local$|^user-|^u-" + labelSelectors: + matchExpressions: + - key: "owner" + operator: "NotIn" + values: ["helm"] + excludeResourceNameRegexp: "^bootstrap-secret$|^rancher-csp-adapter|^csp-adapter-cache$" +- apiVersion: "v1" + kindsRegexp: "^serviceaccounts$" + namespaceRegexp: "^cattle-|^p-|^c-|^local$|^user-|^u-" + excludeResourceNameRegexp: "^default$|^rancher-csp-adapter$" +- apiVersion: "v1" + kindsRegexp: "^configmaps$" + namespaces: + - "cattle-system" +- apiVersion: "rbac.authorization.k8s.io/v1" + kindsRegexp: "^roles$|^rolebindings$" + namespaceRegexp: "^cattle-|^p-|^c-|^local$|^user-|^u-" + excludeResourceNameRegexp: "^rancher-csp-adapter" +- apiVersion: "rbac.authorization.k8s.io/v1" + kindsRegexp: "^clusterrolebindings$" + resourceNameRegexp: "^cattle-|^clusterrolebinding-|^globaladmin-user-|^grb-u-|^crb-" +- apiVersion: "rbac.authorization.k8s.io/v1" + kindsRegexp: "^clusterroles$" + resourceNameRegexp: "^cattle-|^p-|^c-|^local-|^user-|^u-|^project-|^create-ns$" + excludeResourceNameRegexp: "^rancher-csp-adapter-" +- apiVersion: "scheduling.k8s.io/v1" + kindsRegexp: "^priorityclasses$" + resourceNameRegexp: "^rancher-critical$" +- apiVersion: "apiextensions.k8s.io/v1" + kindsRegexp: "." + resourceNameRegexp: "management.cattle.io$|project.cattle.io$|catalog.cattle.io$|resources.cattle.io$" +- apiVersion: "management.cattle.io/v3" + kindsRegexp: "." + excludeKinds: + - "tokens" + - "rancherusernotifications" +- apiVersion: "management.cattle.io/v3" + kindsRegexp: "^tokens$" + labelSelectors: + matchExpressions: + - key: "authn.management.cattle.io/kind" + operator: "NotIn" + values: [ "provisioning" ] +- apiVersion: "project.cattle.io/v3" + kindsRegexp: "." 
+- apiVersion: "catalog.cattle.io/v1" + kindsRegexp: "^clusterrepos$" +- apiVersion: "resources.cattle.io/v1" + kindsRegexp: "^ResourceSet$" +- apiVersion: "v1" + kindsRegexp: "^secrets$" + namespaceRegexp: "^.*$" + labelSelectors: + matchExpressions: + - key: "resources.cattle.io/backup" + operator: "In" + values: ["true"] diff --git a/charts/rancher-backup/103.0.0+up4.0.0-rc1/templates/_helpers.tpl b/charts/rancher-backup/103.0.0+up4.0.0-rc1/templates/_helpers.tpl new file mode 100644 index 000000000..a5e485243 --- /dev/null +++ b/charts/rancher-backup/103.0.0+up4.0.0-rc1/templates/_helpers.tpl 
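Review bot: This resource set sweeps every Secret in the `cattle-*`, `p-*`, `c-*`, `local`, `user-*` and `u-*` namespaces (minus the `bootstrap-secret` and csp-adapter exclusions), every `management.cattle.io` Token except the `provisioning` kind, and, through the final selector with `namespaceRegexp: "^.*$"`, any Secret in any namespace that carries `resources.cattle.io/backup=true`. Two consequences deserve a comment at the top of this file: the resulting archive is credential-equivalent to admin on the management cluster and must be stored and transported accordingly, and the label opt-in means anyone who can label a Secret in their own namespace can have it copied into the backup target, which a namespace owner may not expect from a Rancher-level feature. YAML comments are safe here because `rancher-resourceset.yaml` splices the file in verbatim, so something like `# NOTE: backups built from this set contain live credentials (Secrets, API tokens); any Secret labelled resources.cattle.io/backup=true in ANY namespace is included — protect the backup target like the cluster itself.` would do.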
@@ -0,0 +1,87 @@ +{{- define "system_default_registry" -}} +{{- if .Values.global.cattle.systemDefaultRegistry -}} +{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}} +{{- else -}} +{{- "" -}} +{{- end -}} +{{- end -}} + +{{/* +Windows cluster will add default taint for linux nodes, +add below linux tolerations to workloads could be scheduled to those linux nodes +*/}} +{{- define "linux-node-tolerations" -}} +- key: "cattle.io/os" + value: "linux" + effect: "NoSchedule" + operator: "Equal" +{{- end -}} + +{{- define "linux-node-selector" -}} +{{- if semverCompare "<1.14-0" .Capabilities.KubeVersion.GitVersion -}} +beta.kubernetes.io/os: linux +{{- else -}} +kubernetes.io/os: linux +{{- end -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "backupRestore.fullname" -}} +{{- .Chart.Name | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "backupRestore.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "backupRestore.labels" -}} +helm.sh/chart: {{ include "backupRestore.chart" . }} +{{ include "backupRestore.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "backupRestore.selectorLabels" -}} +app.kubernetes.io/name: {{ include "backupRestore.fullname" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +resources.cattle.io/operator: backup-restore +{{- end }} + + +{{/* +Create the name of the service account to use +*/}} +{{- define "backupRestore.serviceAccountName" -}} +{{ include "backupRestore.fullname" . 
}}
+{{- end }}
+
+
+{{- define "backupRestore.s3SecretName" -}}
+{{- printf "%s-%s" .Chart.Name "s3" | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create PVC name using release and revision number, unless a volumeName is given.
+*/}}
+{{- define "backupRestore.pvcName" -}}
+{{- if and .Values.persistence.volumeName }}
+{{- printf "%s" .Values.persistence.volumeName }}
+{{- else -}}
+{{- printf "%s-%d" .Release.Name .Release.Revision }}
+{{- end }}
+{{- end }}
+
diff --git a/charts/rancher-backup/103.0.0+up4.0.0-rc1/templates/clusterrolebinding.yaml b/charts/rancher-backup/103.0.0+up4.0.0-rc1/templates/clusterrolebinding.yaml
new file mode 100644
index 000000000..cf4abf670
--- /dev/null
+++ b/charts/rancher-backup/103.0.0+up4.0.0-rc1/templates/clusterrolebinding.yaml
@@ -0,0 +1,14 @@
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: {{ include "backupRestore.fullname" . }}
+ labels:
+ {{- include "backupRestore.labels" . | nindent 4 }}
+subjects:
+- kind: ServiceAccount
+ name: {{ include "backupRestore.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+roleRef:
+ kind: ClusterRole
+ name: cluster-admin
+ apiGroup: rbac.authorization.k8s.io
diff --git a/charts/rancher-backup/103.0.0+up4.0.0-rc1/templates/deployment.yaml b/charts/rancher-backup/103.0.0+up4.0.0-rc1/templates/deployment.yaml
new file mode 100644
index 000000000..631fa458b
--- /dev/null
+++ b/charts/rancher-backup/103.0.0+up4.0.0-rc1/templates/deployment.yaml
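Review bot: `backupRestore.pvcName` builds the claim name from `.Release.Revision`, so every `helm upgrade` renders a differently named PVC; as far as I know Helm deletes resources that drop out of the release manifest, and with a dynamically provisioned StorageClass whose reclaim policy is `Delete` that removes the previous revision's backups unless the user pinned `persistence.volumeName` to a pre-created PV (the `claimName: RELEASE-NAME-0` assertion in deployment_test.yaml confirms the revision is part of the name). If that is the intended contract it should be stated next to the helper rather than only implied by `Create PVC name using release and revision number`; I would extend the comment with `Every upgrade therefore claims a fresh PVC and Helm removes the old one — set persistence.volumeName to a pre-created PV to keep backups across upgrades.` If it is not intended, `helm.sh/resource-policy: keep` on the PVC in pvc.yaml is the usual way to stop Helm deleting it, which is outside this hunk. Minor: `{{- if and .Values.persistence.volumeName }}` applies `and` to a single operand; `{{- if .Values.persistence.volumeName }}` says the same thing.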
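Review bot: The operator's ServiceAccount is bound to the built-in `cluster-admin` ClusterRole and nothing in the template records why. A backup/restore controller that has to read every Secret named in the resource set and recreate CRDs, cluster-scoped RBAC and namespaces on restore does need near-total access, so I do not think a narrower role is realistic, but it makes the `rancher-backup` ServiceAccount token equivalent to root on the management cluster. I would put that above `roleRef`: `# cluster-admin is required: restore recreates CRDs, cluster-scoped RBAC and Secrets across namespaces. This SA token is therefore cluster-root; restrict who can read secrets or exec into pods in this namespace.` The hardened.yaml hook below only turns off token automount for the namespace's `default` ServiceAccount, not for this one — correct, since the operator needs its token, but worth saying in the same place.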
@@ -0,0 +1,79 @@ +{{- if and .Values.s3.enabled .Values.persistence.enabled }} +{{- fail "\n\nCannot configure both s3 and PV for storing backups" }} +{{- end }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "backupRestore.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "backupRestore.labels" . | nindent 4 }} +spec: + selector: + matchLabels: + {{- include "backupRestore.selectorLabels" . | nindent 6 }} + template: + metadata: + labels: + {{- include "backupRestore.selectorLabels" . | nindent 8 }} + annotations: + checksum/s3: {{ include (print $.Template.BasePath "/s3-secret.yaml") . | sha256sum }} + checksum/pvc: {{ include (print $.Template.BasePath "/pvc.yaml") . | sha256sum }} + spec: + serviceAccountName: {{ include "backupRestore.serviceAccountName" . }} + {{- if .Values.imagePullSecrets }} + imagePullSecrets: + {{ toYaml .Values.imagePullSecrets | indent 6 }} + {{- end }} + {{- if .Values.priorityClassName }} + priorityClassName: {{ .Values.priorityClassName }} + {{- end }} + containers: + - name: {{ .Chart.Name }} + image: {{ template "system_default_registry" . }}{{ .Values.image.repository }}:{{ .Values.image.tag }} + imagePullPolicy: {{ default "Always" .Values.imagePullPolicy }} + args: +{{- if .Values.debug }} + - "--debug" +{{- end }} +{{- if .Values.trace }} + - "--trace" +{{- end }} + env: + - name: CHART_NAMESPACE + value: {{ .Release.Namespace }} + {{- if .Values.s3.enabled }} + - name: DEFAULT_S3_BACKUP_STORAGE_LOCATION + value: {{ include "backupRestore.s3SecretName" . 
}} + {{- end }} + {{- if .Values.proxy }} + - name: HTTP_PROXY + value: {{ .Values.proxy }} + - name: HTTPS_PROXY + value: {{ .Values.proxy }} + - name: NO_PROXY + value: {{ .Values.noProxy }} + {{- end }} + {{- if .Values.persistence.enabled }} + - name: DEFAULT_PERSISTENCE_ENABLED + value: "persistence-enabled" + volumeMounts: + - mountPath: "/var/lib/backups" + name: pv-storage + volumes: + - name: pv-storage + persistentVolumeClaim: + claimName: {{ include "backupRestore.pvcName" . }} + {{- end }} + nodeSelector: {{ include "linux-node-selector" . | nindent 8 }} +{{- if .Values.nodeSelector }} +{{ toYaml .Values.nodeSelector | indent 8 }} +{{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + tolerations: {{ include "linux-node-tolerations" . | nindent 8 }} +{{- if .Values.tolerations }} +{{ toYaml .Values.tolerations | indent 8 }} +{{- end }} diff --git a/charts/rancher-backup/103.0.0+up4.0.0-rc1/templates/hardened.yaml b/charts/rancher-backup/103.0.0+up4.0.0-rc1/templates/hardened.yaml new file mode 100644 index 000000000..bf8492ce0 --- /dev/null +++ b/charts/rancher-backup/103.0.0+up4.0.0-rc1/templates/hardened.yaml 
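Review bot: The operator pod and its container are rendered without any `securityContext`, so now that PSPs are gone (this chart's own README tells users to move to Pod Security Admission) nothing in the manifest asserts non-root, drops capabilities or forbids privilege escalation, and a namespace enforcing the `restricted` standard will reject the pod; the `-patch-sa` Job in hardened.yaml does set `runAsNonRoot: true`, so the Deployment is the odd one out. The PSP this chart used to ship requires `MustRunAsNonRoot`, which suggests the image already runs as an unprivileged user, but I have not verified the image. I would add the block below; `readOnlyRootFilesystem` is deliberately left off because the old PSP also allowed a writable root and nothing here establishes how the operator behaves without one. deployment_test.yaml should get a matching assertion so the fields cannot be dropped silently.

```yaml
    spec:
      serviceAccountName: {{ include "backupRestore.serviceAccountName" . }}
      securityContext:
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
      # … unchanged: imagePullSecrets, priorityClassName …
      containers:
      - name: {{ .Chart.Name }}
        image: {{ template "system_default_registry" . }}{{ .Values.image.repository }}:{{ .Values.image.tag }}
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
        # … unchanged: imagePullPolicy, args, env, volumeMounts …
```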
@@ -0,0 +1,124 @@ +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ include "backupRestore.fullname" . }}-patch-sa + namespace: {{ .Release.Namespace }} + labels: {{ include "backupRestore.labels" . | nindent 4 }} + annotations: + "helm.sh/hook": post-install, post-upgrade + "helm.sh/hook-delete-policy": hook-succeeded, before-hook-creation +spec: + backoffLimit: 1 + template: + spec: + serviceAccountName: {{ include "backupRestore.fullname" . }}-patch-sa + securityContext: + runAsNonRoot: true + runAsUser: 1000 + restartPolicy: Never + nodeSelector: {{ include "linux-node-selector" . | nindent 8 }} +{{- if .Values.nodeSelector }} +{{ toYaml .Values.nodeSelector | indent 8 }} +{{- end }} + tolerations: {{ include "linux-node-tolerations" . | nindent 8 }} +{{- if .Values.tolerations }} +{{ toYaml .Values.tolerations | indent 8 }} +{{- end }} + containers: + - name: {{ include "backupRestore.fullname" . }}-patch-sa + image: {{ include "system_default_registry" . }}{{ .Values.global.kubectl.repository }}:{{ .Values.global.kubectl.tag }} + imagePullPolicy: IfNotPresent + command: ["kubectl", "-n", {{ .Release.Namespace | quote }}, "patch", "serviceaccount", "default", "-p", "{\"automountServiceAccountToken\": false}"] +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "backupRestore.fullname" . }}-patch-sa + namespace: {{ .Release.Namespace }} + labels: {{ include "backupRestore.labels" . | nindent 4 }} + annotations: + "helm.sh/hook": post-install, post-upgrade + "helm.sh/hook-delete-policy": hook-succeeded, before-hook-creation +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "backupRestore.fullname" . }}-patch-sa + labels: {{ include "backupRestore.labels" . 
| nindent 4 }} + annotations: + "helm.sh/hook": post-install, post-upgrade + "helm.sh/hook-delete-policy": hook-succeeded, before-hook-creation +rules: + - apiGroups: [""] + resources: ["serviceaccounts"] + verbs: ["get", "patch"] +{{- if .Values.global.cattle.psp.enabled}} + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + verbs: ["use"] + resourceNames: + - {{ include "backupRestore.fullname" . }}-patch-sa +{{- end}} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "backupRestore.fullname" . }}-patch-sa + labels: {{ include "backupRestore.labels" . | nindent 4 }} + annotations: + "helm.sh/hook": post-install, post-upgrade + "helm.sh/hook-delete-policy": hook-succeeded, before-hook-creation +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "backupRestore.fullname" . }}-patch-sa +subjects: + - kind: ServiceAccount + name: {{ include "backupRestore.fullname" . }}-patch-sa + namespace: {{ .Release.Namespace }} +--- +{{- if .Values.global.cattle.psp.enabled}} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ include "backupRestore.fullname" . }}-patch-sa + labels: {{ include "backupRestore.labels" . | nindent 4 }} + annotations: + "helm.sh/hook": post-install, post-upgrade + "helm.sh/hook-delete-policy": hook-succeeded, before-hook-creation +spec: + privileged: false + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'MustRunAsNonRoot' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'MustRunAs' + ranges: + - min: 1 + max: 65535 + fsGroup: + rule: 'MustRunAs' + ranges: + - min: 1 + max: 65535 + readOnlyRootFilesystem: false + volumes: + - 'secret' +{{- end}} +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ include "backupRestore.fullname" . 
}}-default-allow-all + namespace: {{ .Release.Namespace }} +spec: + podSelector: {} + egress: + - {} + policyTypes: + - Ingress + - Egress diff --git a/charts/rancher-backup/103.0.0+up4.0.0-rc1/templates/psp.yaml b/charts/rancher-backup/103.0.0+up4.0.0-rc1/templates/psp.yaml new file mode 100644 index 000000000..34bc96ee7 --- /dev/null +++ b/charts/rancher-backup/103.0.0+up4.0.0-rc1/templates/psp.yaml @@ -0,0 +1,31 @@ +{{- if .Values.global.cattle.psp.enabled -}} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ include "backupRestore.fullname" . }}-psp + labels: {{ include "backupRestore.labels" . | nindent 4 }} +spec: + privileged: false + allowPrivilegeEscalation: false + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'MustRunAsNonRoot' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'MustRunAs' + ranges: + - min: 1 + max: 65535 + fsGroup: + rule: 'MustRunAs' + ranges: + - min: 1 + max: 65535 + readOnlyRootFilesystem: false + volumes: + - 'persistentVolumeClaim' + - 'secret' +{{- end -}} diff --git a/charts/rancher-backup/103.0.0+up4.0.0-rc1/templates/pvc.yaml b/charts/rancher-backup/103.0.0+up4.0.0-rc1/templates/pvc.yaml new file mode 100644 index 000000000..ff57e4dab --- /dev/null +++ b/charts/rancher-backup/103.0.0+up4.0.0-rc1/templates/pvc.yaml @@ -0,0 +1,27 @@ +{{- if and .Values.persistence.enabled -}} +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: {{ include "backupRestore.pvcName" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "backupRestore.labels" . | nindent 4 }} +spec: + accessModes: + - ReadWriteOnce + resources: + {{- with .Values.persistence }} + requests: + storage: {{ .size | quote }} +{{- if .storageClass }} +{{- if (eq "-" .storageClass) }} + storageClassName: "" +{{- else }} + storageClassName: {{ .storageClass | quote }} +{{- end }} +{{- end }} +{{- if .volumeName }} + volumeName: {{ .volumeName | quote }} +{{- end }} +{{- end }} +{{- end }} 
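Review bot: The `-patch-sa` ClusterRole grants `get` and `patch` on every ServiceAccount in the cluster, while the Job only ever touches `default` in `{{ .Release.Namespace }}` (see the `kubectl -n … patch serviceaccount default` command), so the hook identity is over-privileged for as long as the hook resources exist. Adding `resourceNames: ["default"]` to that rule — or turning the pair into a namespaced Role/RoleBinding and keeping only the PSP `use` rule cluster-scoped — brings it down to what the command needs. The PSP in this file also lacks the `allowPrivilegeEscalation: false` that psp.yaml sets, which looks like an oversight rather than a difference in intent. Finally, the NetworkPolicy is named `-default-allow-all`, but with `policyTypes` listing `Ingress` and no `ingress` rules it denies all ingress to every pod in the namespace (`podSelector: {}`) while allowing all egress; if that is intended, a name like `-deny-ingress-allow-egress` or a comment saying so stops it being read as a no-op, and if it is not, the name is hiding a behaviour change for any other workload sharing the namespace.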
diff --git a/charts/rancher-backup/103.0.0+up4.0.0-rc1/templates/rancher-resourceset.yaml b/charts/rancher-backup/103.0.0+up4.0.0-rc1/templates/rancher-resourceset.yaml
new file mode 100644
index 000000000..05add8824
--- /dev/null
+++ b/charts/rancher-backup/103.0.0+up4.0.0-rc1/templates/rancher-resourceset.yaml
@@ -0,0 +1,13 @@
+apiVersion: resources.cattle.io/v1
+kind: ResourceSet
+metadata:
+ name: rancher-resource-set
+controllerReferences:
+ - apiVersion: "apps/v1"
+ resource: "deployments"
+ name: "rancher"
+ namespace: "cattle-system"
+resourceSelectors:
+{{- range $path, $_ := .Files.Glob "files/default-resourceset-contents/*.yaml" -}}
+ {{- $.Files.Get $path | nindent 2 -}}
+{{- end -}}
diff --git a/charts/rancher-backup/103.0.0+up4.0.0-rc1/templates/s3-secret.yaml b/charts/rancher-backup/103.0.0+up4.0.0-rc1/templates/s3-secret.yaml
new file mode 100644
index 000000000..726509730
--- /dev/null
+++ b/charts/rancher-backup/103.0.0+up4.0.0-rc1/templates/s3-secret.yaml
@@ -0,0 +1,31 @@ +{{- if .Values.s3.enabled -}} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "backupRestore.s3SecretName" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "backupRestore.labels" . | nindent 4 }} +type: Opaque +stringData: + {{- with .Values.s3 }} + {{- if .credentialSecretName }} + credentialSecretName: {{ .credentialSecretName }} + credentialSecretNamespace: {{ required "When providing a Secret containing S3 credentials, a valid .Values.credentialSecretNamespace must be provided" .credentialSecretNamespace }} + {{- end }} + {{- if .region }} + region: {{ .region | quote }} + {{- end }} + bucketName: {{ required "A valid .Values.bucketName is required for configuring S3 compatible storage as the default backup storage location" .bucketName | quote }} + {{- if .folder }} + folder: {{ .folder | quote }} + {{- end }} + endpoint: {{ required "A valid .Values.endpoint is required for configuring S3 compatible storage as the default backup storage location" .endpoint | quote }} + {{- if .endpointCA }} + endpointCA: {{ .endpointCA }} + {{- end }} + {{- if .insecureTLSSkipVerify }} + insecureTLSSkipVerify: {{ .insecureTLSSkipVerify | quote }} + {{- end }} + {{- end }} +{{ end }} diff --git a/charts/rancher-backup/103.0.0+up4.0.0-rc1/templates/serviceaccount.yaml b/charts/rancher-backup/103.0.0+up4.0.0-rc1/templates/serviceaccount.yaml new file mode 100644 index 000000000..754e1fe89 --- /dev/null +++ b/charts/rancher-backup/103.0.0+up4.0.0-rc1/templates/serviceaccount.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "backupRestore.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "backupRestore.labels" . | nindent 4 }} +{{- if .Values.serviceAccount.annotations }} + annotations: + {{- toYaml .Values.serviceAccount.annotations | nindent 4 }} +{{- end }} 
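Review bot: The three `required` messages in s3-secret.yaml point users at `.Values.credentialSecretNamespace`, `.Values.bucketName` and `.Values.endpoint`, but the template runs inside `with .Values.s3`, so the keys that actually need setting are `.Values.s3.credentialSecretNamespace`, `.Values.s3.bucketName` and `.Values.s3.endpoint`; someone who follows the message verbatim keeps hitting the same failure. Fix the three strings, e.g. `bucketName: {{ required "A valid .Values.s3.bucketName is required for configuring S3 compatible storage as the default backup storage location" .bucketName | quote }}`. Separately, `insecureTLSSkipVerify` is passed through without comment although this is the channel that carries every Secret in the management cluster; a `# disables TLS verification of the S3 endpoint — prefer endpointCA for private CAs` line beside it (here or in values.yaml) would make the trade-off explicit.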
diff --git a/charts/rancher-backup/103.0.0+up4.0.0-rc1/templates/validate-install-crd.yaml b/charts/rancher-backup/103.0.0+up4.0.0-rc1/templates/validate-install-crd.yaml new file mode 100644 index 000000000..f63fd2e2e --- /dev/null +++ b/charts/rancher-backup/103.0.0+up4.0.0-rc1/templates/validate-install-crd.yaml @@ -0,0 +1,16 @@ +#{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}} +# {{- $found := dict -}} +# {{- set $found "resources.cattle.io/v1/Backup" false -}} +# {{- set $found "resources.cattle.io/v1/ResourceSet" false -}} +# {{- set $found "resources.cattle.io/v1/Restore" false -}} +# {{- range .Capabilities.APIVersions -}} +# {{- if hasKey $found (toString .) -}} +# {{- set $found (toString .) true -}} +# {{- end -}} +# {{- end -}} +# {{- range $_, $exists := $found -}} +# {{- if (eq $exists false) -}} +# {{- required "Required CRDs are missing. Please install the corresponding CRD chart before installing this chart." "" -}} +# {{- end -}} +# {{- end -}} +#{{- end -}} \ No newline at end of file diff --git a/charts/rancher-backup/103.0.0+up4.0.0-rc1/templates/validate-psp-install.yaml b/charts/rancher-backup/103.0.0+up4.0.0-rc1/templates/validate-psp-install.yaml new file mode 100644 index 000000000..a30c59d3b --- /dev/null +++ b/charts/rancher-backup/103.0.0+up4.0.0-rc1/templates/validate-psp-install.yaml @@ -0,0 +1,7 @@ +#{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}} +#{{- if .Values.global.cattle.psp.enabled }} +#{{- if not (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }} +#{{- fail "The target cluster does not have the PodSecurityPolicy API resource. Please disable PSPs in this chart before proceeding." -}} +#{{- end }} +#{{- end }} +#{{- end }} diff --git a/charts/rancher-backup/103.0.0+up4.0.0-rc1/tests/deployment_test.yaml b/charts/rancher-backup/103.0.0+up4.0.0-rc1/tests/deployment_test.yaml new file mode 100644 index 000000000..671d415db --- /dev/null 
+++ b/charts/rancher-backup/103.0.0+up4.0.0-rc1/tests/deployment_test.yaml 
@@ -0,0 +1,216 @@ +suite: Test Deployment +templates: +- deployment.yaml +- s3-secret.yaml +- pvc.yaml +- _helpers.tpl +tests: +- it: should set name + template: deployment.yaml + asserts: + - equal: + path: metadata.name + value: "rancher-backup" +- it: should set namespace + template: deployment.yaml + asserts: + - equal: + path: metadata.namespace + value: "NAMESPACE" +- it: should set priorityClassName + set: + priorityClassName: "testClass" + template: deployment.yaml + asserts: + - equal: + path: spec.template.spec.priorityClassName + value: "testClass" +- it: should set default imagePullPolicy + template: deployment.yaml + asserts: + - equal: + path: spec.template.spec.containers[0].imagePullPolicy + value: "Always" +- it: should set imagePullPolicy + set: + imagePullPolicy: "IfNotPresent" + template: deployment.yaml + asserts: + - equal: + path: spec.template.spec.containers[0].imagePullPolicy + value: "IfNotPresent" +- it: should set debug loglevel + set: + debug: true + template: deployment.yaml + asserts: + - contains: + path: spec.template.spec.containers[0].args + content: "--debug" +- it: should set trace loglevel + set: + trace: true + template: deployment.yaml + asserts: + - contains: + path: spec.template.spec.containers[0].args + content: "--trace" +- it: should set proxy environment variables + set: + proxy: "https://127.0.0.1:3128" + template: deployment.yaml + asserts: + - contains: + path: spec.template.spec.containers[0].env + content: + name: HTTP_PROXY + value: "https://127.0.0.1:3128" + - contains: + path: spec.template.spec.containers[0].env + content: + name: HTTPS_PROXY + value: "https://127.0.0.1:3128" + - contains: + path: spec.template.spec.containers[0].env + content: + name: NO_PROXY + value: "127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,.svc,.cluster.local" +- it: should set proxy environment variables with modified noproxy + set: + proxy: "https://127.0.0.1:3128" + noProxy: "192.168.0.0/24" + template: deployment.yaml + 
asserts: + - contains: + path: spec.template.spec.containers[0].env + content: + name: NO_PROXY + value: "192.168.0.0/24" +- it: should set persistence variables + set: + persistence.enabled: true + template: deployment.yaml + asserts: + - contains: + path: spec.template.spec.containers[0].env + content: + name: DEFAULT_PERSISTENCE_ENABLED + value: "persistence-enabled" + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + mountPath: "/var/lib/backups" + name: "pv-storage" + - equal: + path: spec.template.spec.volumes[0].name + value: "pv-storage" + - equal: + path: spec.template.spec.volumes[0].persistentVolumeClaim + value: + claimName: RELEASE-NAME-0 +- it: should set claim from custom static volumeName + set: + persistence.enabled: true + persistence.volumeName: "PREDEFINED-VOLUME" + persistence.storageClass: "PREDEFINED-STORAGECLASS" + persistence.size: "PREDIFINED-SAMEAS-PVSIZE" + template: deployment.yaml + asserts: + - contains: + path: spec.template.spec.containers[0].env + content: + name: DEFAULT_PERSISTENCE_ENABLED + value: "persistence-enabled" + - equal: + path: spec.template.spec.volumes[0].persistentVolumeClaim + value: + claimName: PREDEFINED-VOLUME +- it: should set private registry + template: deployment.yaml + set: + global.cattle.systemDefaultRegistry: "my.registry.local:3000" + asserts: + - matchRegex: + path: spec.template.spec.containers[0].image + pattern: ^my.registry.local:3000/rancher/backup-restore-operator:.*$ +- it: should set nodeselector + template: deployment.yaml + asserts: + - equal: + path: spec.template.spec.nodeSelector + value: + kubernetes.io/os: linux +- it: should not set default affinity + template: deployment.yaml + asserts: + - isNull: + path: spec.template.spec.affinity +- it: should set custom affinity + template: deployment.yaml + set: + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: disktype + operator: In + 
values: + - ssd + asserts: + - equal: + path: spec.template.spec.affinity + value: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: disktype + operator: In + values: + - ssd +- it: should set tolerations + template: deployment.yaml + asserts: + - equal: + path: spec.template.spec.tolerations[0] + value: + key: "cattle.io/os" + value: "linux" + effect: "NoSchedule" + operator: "Equal" +- it: should set custom tolerations + template: deployment.yaml + set: + tolerations: + - key: "example-key" + operator: "Exists" + effect: "NoSchedule" + asserts: + - equal: + path: spec.template.spec.tolerations[0] + value: + key: "cattle.io/os" + value: "linux" + effect: "NoSchedule" + operator: "Equal" + - equal: + path: spec.template.spec.tolerations[1] + value: + key: "example-key" + operator: "Exists" + effect: "NoSchedule" +- it: should not set default imagePullSecrets + template: deployment.yaml + asserts: + - isNull: + path: spec.template.spec.imagePullSecrets +- it: should set imagePullSecrets + set: + imagePullSecrets: + - name: "pull-secret" + template: deployment.yaml + asserts: + - equal: + path: spec.template.spec.imagePullSecrets[0].name + value: "pull-secret" diff --git a/charts/rancher-backup/103.0.0+up4.0.0-rc1/tests/pvc_test.yaml b/charts/rancher-backup/103.0.0+up4.0.0-rc1/tests/pvc_test.yaml new file mode 100644 index 000000000..3a1c40698 --- /dev/null +++ b/charts/rancher-backup/103.0.0+up4.0.0-rc1/tests/pvc_test.yaml 
@@ -0,0 +1,102 @@
+suite: Test PVC
+templates:
+- pvc.yaml
+- _helpers.tpl
+tests:
+- it: should set name
+ template: pvc.yaml
+ set:
+ persistence:
+ enabled: true
+ asserts:
+ - equal:
+ path: metadata.name
+ value: "RELEASE-NAME-0"
+- it: should set namespace
+ template: pvc.yaml
+ set:
+ persistence:
+ enabled: true
+ asserts:
+ - equal:
+ path: metadata.namespace
+ value: "NAMESPACE"
+- it: should set accessModes
+ template: pvc.yaml
+ set:
+ persistence:
+ enabled: true
+ asserts:
+ - equal:
+ path: spec.accessModes[0]
+ value: "ReadWriteOnce"
+- it: should set size
+ template: pvc.yaml
+ set:
+ persistence:
+ enabled: true
+ asserts:
+ - equal:
+ path: spec.resources.requests.storage
+ value: "2Gi"
+- it: should set size
+ template: pvc.yaml
+ set:
+ persistence:
+ enabled: true
+ size: "10Gi"
+ asserts:
+ - equal:
+ path: spec.resources.requests.storage
+ value: "10Gi"
+- it: should not set volumeName
+ template: pvc.yaml
+ set:
+ persistence:
+ enabled: true
+ asserts:
+ - isNull:
+ path: spec.volumeName
+- it: should set default storageClass
+ template: pvc.yaml
+ set:
+ persistence:
+ enabled: true
+ asserts:
+ - equal:
+ path: spec.storageClassName
+ value: ""
+- it: should set custom storageClass
+ template: pvc.yaml
+ set:
+ persistence:
+ enabled: true
+ storageClass: "storage-class"
+ asserts:
+ - equal:
+ path: spec.storageClassName
+ value: "storage-class"
+- it: should set custom volumeName
+ template: pvc.yaml
+ set:
+ persistence:
+ enabled: true
+ volumeName: "volume-name"
+ asserts:
+ - equal:
+ path: spec.volumeName
+ value: "volume-name"
+- it: should set claim from custom static volumeName
+ set:
+ persistence.enabled: true
+ persistence.volumeName: "PREDEFINED-VOLUME"
+ persistence.storageClass: "PREDEFINED-STORAGECLASS"
+ persistence.size: "PREDEFINED-SAMEAS-PVSIZE"
+ template: pvc.yaml
+ asserts:
+ - equal:
+ path: spec.resources.requests.storage
+ value: "PREDEFINED-SAMEAS-PVSIZE"
+ - equal:
+ path: spec.storageClassName
+ value: "PREDEFINED-STORAGECLASS"
diff --git a/charts/rancher-backup/103.0.0+up4.0.0-rc1/tests/s3-secret_test.yaml b/charts/rancher-backup/103.0.0+up4.0.0-rc1/tests/s3-secret_test.yaml
new file mode 100644
index 000000000..af130dd29
--- /dev/null
+++ b/charts/rancher-backup/103.0.0+up4.0.0-rc1/tests/s3-secret_test.yaml
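Review bot: Two tests in this suite carry the identical name `should set size` (the `2Gi` default case and the `10Gi` override), so a failure in either is reported under the same label and cannot be told apart; rename the second to `- it: should set custom size`. The `should set default storageClass` case asserts `spec.storageClassName` is the empty string `""` when only `persistence.enabled` is set, which per the values.yaml comment is the `"-"` sentinel that disables dynamic provisioning and is not the same as omitting the field (which selects the cluster's default provisioner); a name such as `should disable dynamic provisioning by default` would make that intent explicit. There is also no case covering `persistence.enabled: false`, so a regression that renders the PVC unconditionally would pass this suite; if the template is guarded, a `hasDocuments: count: 0` assertion pins it.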
@@ -0,0 +1,141 @@
+suite: Test S3 Secret
+templates:
+- s3-secret.yaml
+- _helpers.tpl
+tests:
+- it: should set name
+ template: s3-secret.yaml
+ set:
+ s3:
+ enabled: true
+ bucketName: "yourbucket"
+ endpoint: "https://s3.amazonaws.com"
+ asserts:
+ - equal:
+ path: metadata.name
+ value: "rancher-backup-s3"
+- it: should set namespace
+ template: s3-secret.yaml
+ set:
+ s3:
+ enabled: true
+ bucketName: "yourbucket"
+ endpoint: "https://s3.amazonaws.com"
+ asserts:
+ - equal:
+ path: metadata.namespace
+ value: "NAMESPACE"
+- it: should not set credentialSecretName
+ template: s3-secret.yaml
+ set:
+ s3:
+ enabled: true
+ bucketName: "yourbucket"
+ endpoint: "https://s3.amazonaws.com"
+ asserts:
+ - isNull:
+ path: stringData.credentialSecretName
+- it: should set credentialSecretName
+ template: s3-secret.yaml
+ set:
+ s3:
+ enabled: true
+ bucketName: "yourbucket"
+ endpoint: "https://s3.amazonaws.com"
+ credentialSecretName: "credential-secret-name"
+ credentialSecretNamespace: "credential-secret-namespace"
+ asserts:
+ - equal:
+ path: stringData.credentialSecretName
+ value: "credential-secret-name"
+ - equal:
+ path: stringData.credentialSecretNamespace
+ value: "credential-secret-namespace"
+- it: should not set folder
+ template: s3-secret.yaml
+ set:
+ s3:
+ enabled: true
+ bucketName: "yourbucket"
+ endpoint: "https://s3.amazonaws.com"
+ asserts:
+ - isNull:
+ path: stringData.folder
+- it: should set folder
+ template: s3-secret.yaml
+ set:
+ s3:
+ enabled: true
+ bucketName: "yourbucket"
+ endpoint: "https://s3.amazonaws.com"
+ folder: "myfolder"
+ asserts:
+ - equal:
+ path: stringData.folder
+ value: "myfolder"
+- it: should not set region
+ template: s3-secret.yaml
+ set:
+ s3:
+ enabled: true
+ bucketName: "yourbucket"
+ endpoint: "https://s3.amazonaws.com"
+ asserts:
+ - isNull:
+ path: stringData.region
+- it: should set region
+ template: s3-secret.yaml
+ set:
+ s3:
+ enabled: true
+ bucketName: "yourbucket"
+ endpoint: "https://s3.amazonaws.com"
+ region: "us-west-1"
+ asserts:
+ - equal:
+ path: stringData.region
+ value: "us-west-1"
+- it: should not set endpointCA
+ template: s3-secret.yaml
+ set:
+ s3:
+ enabled: true
+ bucketName: "yourbucket"
+ endpoint: "https://s3.amazonaws.com"
+ asserts:
+ - isNull:
+ path: stringData.endpointCA
+- it: should set endpointCA
+ template: s3-secret.yaml
+ set:
+ s3:
+ enabled: true
+ bucketName: "yourbucket"
+ endpoint: "https://s3.amazonaws.com"
+ endpointCA: "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"
+ asserts:
+ - equal:
+ path: stringData.endpointCA
+ value: "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"
+- it: should not set insecureTLSSkipVerify
+ template: s3-secret.yaml
+ set:
+ s3:
+ enabled: true
+ bucketName: "yourbucket"
+ endpoint: "https://s3.amazonaws.com"
+ asserts:
+ - isNull:
+ path: stringData.insecureTLSSkipVerify
+- it: should set insecureTLSSkipVerify
+ template: s3-secret.yaml
+ set:
+ s3:
+ enabled: true
+ bucketName: "yourbucket"
+ endpoint: "https://s3.amazonaws.com"
+ insecureTLSSkipVerify: "true"
+ asserts:
+ - equal:
+ path: stringData.insecureTLSSkipVerify
+ value: "true"
diff --git a/charts/rancher-backup/103.0.0+up4.0.0-rc1/values.yaml b/charts/rancher-backup/103.0.0+up4.0.0-rc1/values.yaml
new file mode 100644
index 000000000..b62252ec4
--- /dev/null
+++ b/charts/rancher-backup/103.0.0+up4.0.0-rc1/values.yaml
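Review bot: The `should set insecureTLSSkipVerify` case only feeds the template the string `"true"`, while values.yaml in this same commit declares the key as the boolean `false`; a Secret's `stringData` values must be strings, so if s3-secret.yaml renders the value unquoted, a user who sets `s3.insecureTLSSkipVerify: true` gets a manifest the API server rejects rather than the behaviour the test documents. Add a case that sets the boolean `true` and asserts `stringData.insecureTLSSkipVerify` equals `"true"`, which pins whether the template applies `quote`. Because this flag turns off certificate verification of the backup endpoint, it is also worth a case that sets `endpointCA` alone and asserts `stringData.insecureTLSSkipVerify` is null, so the supported private-CA path stays the one exercised by the suite. Whether the template quotes the value, or requires `bucketName`/`endpoint`, is not visible in this hunk.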
@@ -0,0 +1,81 @@
+image:
+ repository: rancher/backup-restore-operator
+ tag: v4.0.0-rc1
+
+## Default s3 bucket for storing all backup files created by the backup-restore-operator
+s3:
+ enabled: false
+ ## credentialSecretName if set, should be the name of the Secret containing AWS credentials.
+ ## To use IAM Role, don't set this field
+ credentialSecretName: ""
+ credentialSecretNamespace: ""
+ region: ""
+ bucketName: ""
+ folder: ""
+ endpoint: ""
+ endpointCA: ""
+ insecureTLSSkipVerify: false
+
+## ref: http://kubernetes.io/docs/user-guide/persistent-volumes/
+## If persistence is enabled, operator will create a PVC with mountPath /var/lib/backups
+persistence:
+ enabled: false
+
+ ## If defined, storageClassName:
+ ## If set to "-", storageClassName: "", which disables dynamic provisioning
+ ## If undefined (the default) or set to null, no storageClassName spec is
+ ## set, choosing the default provisioner. (gp2 on AWS, standard on
+ ## GKE, AWS & OpenStack).
+ ## Refer https://kubernetes.io/docs/concepts/storage/persistent-volumes/#class-1
+ ##
+ storageClass: "-"
+
+ ## If you want to disable dynamic provisioning by setting storageClass to "-" above,
+ ## and want to target a particular PV, provide name of the target volume
+ volumeName: ""
+
+ ## Only certain StorageClasses allow resizing PVs; Refer https://kubernetes.io/blog/2018/07/12/resizing-persistent-volumes-using-kubernetes/
+ size: 2Gi
+
+# Add log level flags to backup-restore
+debug: false
+trace: false
+
+# http[s] proxy server passed to backup client
+# proxy: http://@::
+
+# comma separated list of domains or ip addresses that will not use the proxy
+noProxy: 127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,.svc,.cluster.local
+
+global:
+ cattle:
+ systemDefaultRegistry: ""
+ psp:
+ enabled: false # PSP enablement should default to false
+ kubectl:
+ repository: rancher/kubectl
+ tag: v1.21.9
+
+## Node labels for pod assignment
+## Ref: https://kubernetes.io/docs/user-guide/node-selection/
+##
+nodeSelector: {}
+
+## List of node taints to tolerate (requires Kubernetes >= 1.6)
+tolerations: []
+
+affinity: {}
+
+serviceAccount:
+ annotations: {}
+
+priorityClassName: ""
+
+# Override imagePullPolicy for image
+# options: Always, Never, IfNotPresent
+# Defaults to Always
+imagePullPolicy: "Always"
+
+## Optional array of imagePullSecrets containing private registry credentials
+## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+imagePullSecrets: []
diff --git a/index.yaml b/index.yaml
index 90d28035b..4fdaaf8ac 100755
--- a/index.yaml
+++ b/index.yaml
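Review bot: The two TLS-relevant keys in the `s3` block, `endpointCA` and `insecureTLSSkipVerify`, are the only ones with no comment, so an operator reading values.yaml is not told that one is the supported private-CA path and the other disables certificate verification of the endpoint that receives every Rancher backup. Add above `endpointCA`: `## endpointCA: CA bundle used to verify the S3 endpoint's TLS certificate (the chart README describes it as base64-encoded); use this for private or self-signed CAs`, and above `insecureTLSSkipVerify`: `## insecureTLSSkipVerify disables TLS certificate verification of the S3 endpoint entirely; keep false and set endpointCA instead`. The example line `# proxy: http://@::` reads as a garbled placeholder and should show the intended shape, e.g. `# proxy: http://user:password@host:port`, together with a warning that since the deployment tests show `NO_PROXY` passed as a container env var the proxy URL presumably is too, so any credentials in it are readable by anyone who can `get` the Deployment.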
@@ -6261,6 +6261,36 @@ entries: - assets/rancher-alerting-drivers/rancher-alerting-drivers-1.0.100.tgz version: 1.0.100 rancher-backup: + - annotations: + catalog.cattle.io/auto-install: rancher-backup-crd=match + catalog.cattle.io/certified: rancher + catalog.cattle.io/display-name: Rancher Backups + catalog.cattle.io/kube-version: '>= 1.23.0-0 < 1.28.0-0' + catalog.cattle.io/namespace: cattle-resources-system + catalog.cattle.io/os: linux + catalog.cattle.io/permits-os: linux,windows + catalog.cattle.io/provides-gvr: resources.cattle.io.resourceset/v1 + catalog.cattle.io/rancher-version: '>= 2.8.0-0 < 2.9.0-0' + catalog.cattle.io/release-name: rancher-backup + catalog.cattle.io/scope: management + catalog.cattle.io/type: cluster-tool + catalog.cattle.io/ui-component: rancher-backup + catalog.cattle.io/upstream-version: 2.1.1 + apiVersion: v2 + appVersion: 4.0.0-rc1 + created: "2023-09-19T13:51:37.700427-04:00" + description: Provides ability to back up and restore the Rancher application running + on any Kubernetes cluster + digest: 742c60b2bc4ef099830de8747217cea1b3d741338837e3c2ceb8fdd2400e25d1 + icon: https://charts.rancher.io/assets/logos/backup-restore.svg + keywords: + - applications + - infrastructure + kubeVersion: '>= 1.23.0-0' + name: rancher-backup + urls: + - assets/rancher-backup/rancher-backup-103.0.0+up4.0.0-rc1.tgz + version: 103.0.0+up4.0.0-rc1 - annotations: catalog.cattle.io/auto-install: rancher-backup-crd=match catalog.cattle.io/certified: rancher 
@@ -6759,6 +6789,21 @@ entries: - assets/rancher-backup/rancher-backup-1.0.200.tgz version: 1.0.200 rancher-backup-crd: + - annotations: + catalog.cattle.io/certified: rancher + catalog.cattle.io/hidden: "true" + catalog.cattle.io/namespace: cattle-resources-system + catalog.cattle.io/release-name: rancher-backup-crd + apiVersion: v2 + appVersion: 4.0.0-rc1 + created: "2023-09-19T13:51:38.879376-04:00" + description: Installs the CRDs for rancher-backup. + digest: f8ea4ab638cee126c1452e415175e652ac711c8020a4b4dda3eeeffa31ae4abc + name: rancher-backup-crd + type: application + urls: + - assets/rancher-backup-crd/rancher-backup-crd-103.0.0+up4.0.0-rc1.tgz + version: 103.0.0+up4.0.0-rc1 - annotations: catalog.cattle.io/certified: rancher catalog.cattle.io/hidden: "true" From 13ca56887a198a823c9bb0f12015eef7715567f5 Mon Sep 17 00:00:00 2001 
From: Venkata Krishna Rohit Sakala Date: Thu, 21 Sep 2023 15:13:07 -0700 Subject: [PATCH 06/24] make forward-port rancher-backup 102.0.2+up3.1.2 --- .../rancher-backup-crd-102.0.2+up3.1.2.tgz | Bin 0 -> 1778 bytes .../rancher-backup-102.0.2+up3.1.2.tgz | Bin 0 -> 11554 bytes .../102.0.2+up3.1.2/Chart.yaml | 11 + .../102.0.2+up3.1.2/README.md | 3 + .../102.0.2+up3.1.2/templates/backup.yaml | 141 ++++++++++++ .../templates/resourceset.yaml | 118 ++++++++++ .../102.0.2+up3.1.2/templates/restore.yaml | 122 ++++++++++ .../rancher-backup/102.0.2+up3.1.2/Chart.yaml | 26 +++ .../rancher-backup/102.0.2+up3.1.2/README.md | 79 +++++++ .../102.0.2+up3.1.2/app-readme.md | 33 +++ .../default-resourceset-contents/aks.yaml | 25 ++ .../default-resourceset-contents/eks.yaml | 17 ++ .../elemental.yaml | 49 ++++ .../default-resourceset-contents/fleet.yaml | 53 +++++ .../default-resourceset-contents/gke.yaml | 17 ++ .../provisioningv2.yaml | 23 ++ .../rancher-operator.yaml | 28 +++ .../default-resourceset-contents/rancher.yaml | 65 ++++++ .../102.0.2+up3.1.2/templates/_helpers.tpl | 87 +++++++ .../templates/clusterrolebinding.yaml | 14 ++ .../102.0.2+up3.1.2/templates/deployment.yaml | 79 +++++++ .../102.0.2+up3.1.2/templates/hardened.yaml | 124 ++++++++++ .../102.0.2+up3.1.2/templates/psp.yaml | 31 +++ .../102.0.2+up3.1.2/templates/pvc.yaml | 27 +++ .../templates/rancher-resourceset.yaml | 13 ++ .../102.0.2+up3.1.2/templates/s3-secret.yaml | 31 +++ .../templates/serviceaccount.yaml | 11 + .../templates/validate-install-crd.yaml | 16 ++ .../templates/validate-psp-install.yaml | 7 + .../tests/deployment_test.yaml | 216 ++++++++++++++++++ .../102.0.2+up3.1.2/tests/pvc_test.yaml | 102 +++++++++ .../102.0.2+up3.1.2/tests/s3-secret_test.yaml | 141 ++++++++++++ .../102.0.2+up3.1.2/values.yaml | 81 +++++++ index.yaml | 45 ++++ release.yaml | 2 + 35 files changed, 1837 insertions(+) create mode 100644 assets/rancher-backup-crd/rancher-backup-crd-102.0.2+up3.1.2.tgz create mode 100644 
assets/rancher-backup/rancher-backup-102.0.2+up3.1.2.tgz create mode 100644 charts/rancher-backup-crd/102.0.2+up3.1.2/Chart.yaml create mode 100644 charts/rancher-backup-crd/102.0.2+up3.1.2/README.md create mode 100644 charts/rancher-backup-crd/102.0.2+up3.1.2/templates/backup.yaml create mode 100644 charts/rancher-backup-crd/102.0.2+up3.1.2/templates/resourceset.yaml create mode 100644 charts/rancher-backup-crd/102.0.2+up3.1.2/templates/restore.yaml create mode 100644 charts/rancher-backup/102.0.2+up3.1.2/Chart.yaml create mode 100644 charts/rancher-backup/102.0.2+up3.1.2/README.md create mode 100644 charts/rancher-backup/102.0.2+up3.1.2/app-readme.md create mode 100644 charts/rancher-backup/102.0.2+up3.1.2/files/default-resourceset-contents/aks.yaml create mode 100644 charts/rancher-backup/102.0.2+up3.1.2/files/default-resourceset-contents/eks.yaml create mode 100644 charts/rancher-backup/102.0.2+up3.1.2/files/default-resourceset-contents/elemental.yaml create mode 100644 charts/rancher-backup/102.0.2+up3.1.2/files/default-resourceset-contents/fleet.yaml create mode 100644 charts/rancher-backup/102.0.2+up3.1.2/files/default-resourceset-contents/gke.yaml create mode 100644 charts/rancher-backup/102.0.2+up3.1.2/files/default-resourceset-contents/provisioningv2.yaml create mode 100644 charts/rancher-backup/102.0.2+up3.1.2/files/default-resourceset-contents/rancher-operator.yaml create mode 100644 charts/rancher-backup/102.0.2+up3.1.2/files/default-resourceset-contents/rancher.yaml create mode 100644 charts/rancher-backup/102.0.2+up3.1.2/templates/_helpers.tpl create mode 100644 charts/rancher-backup/102.0.2+up3.1.2/templates/clusterrolebinding.yaml create mode 100644 charts/rancher-backup/102.0.2+up3.1.2/templates/deployment.yaml create mode 100644 charts/rancher-backup/102.0.2+up3.1.2/templates/hardened.yaml create mode 100644 charts/rancher-backup/102.0.2+up3.1.2/templates/psp.yaml create mode 100644 charts/rancher-backup/102.0.2+up3.1.2/templates/pvc.yaml create 
mode 100644 charts/rancher-backup/102.0.2+up3.1.2/templates/rancher-resourceset.yaml create mode 100644 charts/rancher-backup/102.0.2+up3.1.2/templates/s3-secret.yaml create mode 100644 charts/rancher-backup/102.0.2+up3.1.2/templates/serviceaccount.yaml create mode 100644 charts/rancher-backup/102.0.2+up3.1.2/templates/validate-install-crd.yaml create mode 100644 charts/rancher-backup/102.0.2+up3.1.2/templates/validate-psp-install.yaml create mode 100644 charts/rancher-backup/102.0.2+up3.1.2/tests/deployment_test.yaml create mode 100644 charts/rancher-backup/102.0.2+up3.1.2/tests/pvc_test.yaml create mode 100644 charts/rancher-backup/102.0.2+up3.1.2/tests/s3-secret_test.yaml create mode 100644 charts/rancher-backup/102.0.2+up3.1.2/values.yaml 
diff --git a/assets/rancher-backup-crd/rancher-backup-crd-102.0.2+up3.1.2.tgz b/assets/rancher-backup-crd/rancher-backup-crd-102.0.2+up3.1.2.tgz new file mode 100644 index 0000000000000000000000000000000000000000..e4543828ba87301e1b49ef86e6831ea697badace GIT binary patch literal 1778 zcmVDc zVQyr3R8em|NM&qo0PI_DZ`(E#&uf1QBF~FH&ofw+?fe-G6l>AZ9|FVBEIP-fKSN*{m@*Cn`O0m*dp83z_ zm0#Q|Aa?wrDL z2r9w^hR6>RFf+=)ytyrpabMldXsr@00T7WC7@Q8#&H}^CIrEwT-!QRZb zR~ujrg=-~(+g($?|M1`Uo_XWlyYn&NV0r$(KfDl>!t-shC&`;d65BbCJ!?c{0U;iy zb43LF=JUrdgUQw~LXi}aiHR!%wX`zp4Y}tT0#4*I2}dKrXLLRRBCW>rGZET~U1kar zvm|ucmk<$LW6CL?C!-r^^JGTnJAgc93{M#hk%`nhk9SnGp`3N>A#28V&}fXbK(T@( z?oP87+KiAIxK(Y;^{$K|jJvGLe8)u?sZA!)1L<^UzLfZH_~!3)gZAEG1s%o~#L^LH z4uy1D($1jOM+Q4xVs<2+t}6vA@lsbqfBpSBN^LKaO6z}XmBX{X2UOJmudXh0^}oK~ z8(g>bzf;gr>VFx#X|f2IFF~y;fmwF;v{;t|Gmolkg3VQfh~QcZ#z2l?1`;^QCw0y& zuq*@2Y?LEpSBCx4knax5O`sOuI-dtEA^HB|%(Kd3=cb6&v`mFLQwgX$SK3^87?7m& z^KuObo(PKr_?hy+xfg|Zomz=%MVeYubXP9AmV9-jn9JoD=I|6XucU|9r=3LPW9ft8 zDX;?Tu8CiDRSvNxi@T>tf>Q2VxTTUEsKdt61C*3zYAt6&HEKi1h9il!D5*sqhwme1 zak(-ob-K4`wS_xi!EWo{o>OoS-h*Qmuf$qE8LueRTlRBhwM{lxh}>g+g?cJ4C#;f$ zW1Ti@2CwW0mM4fzSst%SJ%?mlMJ47Ya!ve4L}w5|7(A6 zneYGUU$poClhCp5|Hf__zWW=<{JlS6vwP=Hr#9XLWW8jP2%LJSU9s)7>25u#(Qsq& zKDb(VQbhBt7GB$LQ}K=O!x6qe1i-+49uu*ifYFyDT!#25?K$xaz}?k~efoqBUjvmF+=Vh$y({dzZeyAvJ#I~~pwVfqxXUP#cwVfpib&)glmSP>!STZRnHn*)MZEMNC zJlfWhqH@4 zUADjfItl#;jjaWw1qU=5-*!4T>rt}6QX{><+N6%TUrxpf0yJHsuiIAi)oV|VmRf45 UrI$|s1ONd4|9G=c+yFuV08a8^OaK4? literal 0 HcmV?d00001 
diff --git a/assets/rancher-backup/rancher-backup-102.0.2+up3.1.2.tgz b/assets/rancher-backup/rancher-backup-102.0.2+up3.1.2.tgz new file mode 100644 index 0000000000000000000000000000000000000000..020ddb0b22b5497052c23c37cf4379065264a526 GIT binary patch literal 11554 zcmV+-E#1-|iwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0PMYMciT9UFg#yh{R$i<`*xBwX;QMCw4RV3TTO%V3+qma$Ai3K2oO0BNlcl;FsV333OH8 zQ8h&azX4q>y=8y?lG~JZLR@H|3J?z!4-xEp1|kZX5sD_c%`m9|+j9Jy+_x_BCKe@1 zSZm|ja!h=kkG<>RsbwOf45wZNgxyCq)bJUin^Qd(NH7rzDwNc>k_aXB-FzB&$VQML zN$}*9<~AS(c2NaPpaX|!f*hJ#i_Taj!}bY9oILXpz2M2TRDiA<{w%AyS}K@`7@p-){^(3n9l*Y2TXY5}2CP%yy8t>Sn+J+L z1n3BbJP2LawhS&E!1Eo)a)t!}umhko14n)zc@Cn81Y<5(2J2}=sY@!Gn+DURM3p1t zvP1}?WYfk&Og5zm$$nKb9TvuDc8xugR0>MGZ&FZzTlEfzg#Lk>;I=H)&vd_)BGNCF|jE2 zW+C&WSX99-@*u@bi&HqPfT>`i!iyJR4-KGiQ$Wg~?;B%8!2o-JHM5){fVK?;EHJQa zCNLg?6q%quj3t?vR0PukSEh+;8I}}<>oI&-X9Ro&G0ltHQPY^h$o`4p%(FQQF^9yCr0UcQc z3@l`uOj+fiQ31u`oL6$;;qN^(0*m%%f!!GRX(sBf(+k7 zo#S?UY%wip4Q2tk*z9;{AkbLl#-@_Jso-imX#k@wv;s&@LS;h#M7GYfyV9p#k zu?)bMW~L~GrWeqBM`8e8F&;7ntG@<}!9_=oZ`&Kd!I{ngaghNmB47c*p2i4c!gwzR zE$SJ0DgdvBZi%fk)r&S80d!30nE*Qhoc*Kv24~&>ADp_#X;Wy7UrXL?p#k#3MJQ*w z4eS`mrDRiLn>Xn%3^oKs=O7CpF|Z0FY&1PH?1O9Qa6(9e=F*c1J3*APKjYx!Oaa)( zQ?wz#vIRMSNuf7H6hPoYk6MOrLl2zwHh?sv67ntUicu7R{3Dbr0sPdlXMowJ&~iXK zh6ytcY#U!QTfn+yc%Jph|5-@TzKw^QB~5>~slDCQOPfJUB}-GqXOpf(?Kc@+ty@$9 zrG2YVcmb-W32ZzBHku+E3~V?gft3{>T!({h&speBl&|7=Z2Bnn<5Xm zY;0x(3K+J4x7`JVlIUfhQ9P2y&sv zb+~O2%II(63A7x-#KLj`G))h2lF|{RLOD2?a<$54iuYV_@R`6sXErz(+yv!Rlyv7t)aOSQ29?LuK_<36;dD?@FrSO5@~y{0dR>cs-<-hcmdAZXYwJldxNDVkXnkvMTyO;L2UsjZ!wh>_S{?>f8`pw ziA@A-*heiJ!~xAekBK%nPR@MWKEt+U%s6HEv%(92T?wjcU&9&M z08KPS-Uc`rG%-E%5D^?M=bR5r)GVZ+RzOj_C~~5la=6e2(DUGokteJ#7IG3dA6(Cx zGE#Yxr{cE6Dzio*8FP(1u!g>e6c?L{1dqH;*SBqjcdy8fl%S){LK-bT3v1hdDf^$I ziEBfqoIZ_^&6Jo*-G{mY%k2NH?Q+Wg-`U#Udba#qW!pfZ1{a2*{3E(WE5F=7fS9(ZDF6nD!jvMu)k1_NX;hoFhuvVZnC zFvcsOSpVunyO<_TE*eBG42g**Xfj1!4NqL?AyE8HSM@DLD+09!T@gaD5K)h!IE1=y 
zQTZo_(?=AlNtG8x(Gs(|u+rQqt_7|}Fr@?Ewr7A1n+F{MbX{&7s)Y*#sOLKduTQ~F z85kqz5zt2lWCjVr6BJ+LxJk)o`V&GzEB^N#M-vW*O=MkT7E_^sz-P zZelD&lh-Zg$glDrq?kZi{vFKw9kYCFXdqDh&mt&(Dy}~!JegoennKI)6tx7RBV8(h{^jMW#L_}P1KE)#5R`W-~HxZbxpBM*c zqrd(t#SE3#NwVQklO+>8ZP{H;P{h1Gpl{aMuY$ubE$zvz|fi^XQ@7Mr$%y! z)`0gC*aERYkQ#%Zp+|AW772SHPENC!V!ZHID;RK+UUAa>XjARGl)3i5w46L_qrT;s zmNUHfuD}xeU)w2{lJ7Pir@nC!&vn%9Sh3Vk}lo^{LZ zRdxJMtZ{l_f+#d0h0MoabBzFUff7Lzt{C#$+2JaD2OP^`9yZuw5QyLZf(*)c%*0UI z3EjN{PI<~+Vi(&iPA^&fF<-Z^jhL5T03bulu=ik76q*yuDF6UnYv04ZyMVM$q;BTQ zzlmHM&nC!u_;HXW^1ofy())jJ^|#y4^8XYiXEi2eRfa)xm)qc-Tpb6{vO)1*&cB=* zkMMyom<9TnjsPih;Ag$Wj-cEEN}DHfr2}1;F#RH=YAiF%BIcc;ec@ZG7g5OOd<{O`;H zaL?r;Bytoc%fybuika|j2mnxg2`Bb^7Y9{vCJEsP)q8v$9; z%MFMa9Ow;6B^?#zdvozx3MeWHe_Bkt6|rV~7cbL{KTR|XUL$8(iPaS(uD!3eI-i== zlY0BCTC0ce!|34xeV0%XgS?d>ft=`YuimJ3k2{~*8y47;WD2ltF&)F1VHn2h1PN_^d95R zUz_L6)>*yPK4^F9&076ay;D#m~+5@<23CLHb)rvFHs55uD#6;Mnc_9(_W z5eT_cMIHkv#KDp*XJ=}%5^b>ec)OYntw|+T0RV$NTBgs#*u-3x1M+EV4>blcH2Pb2ZDaD_t5i0$6DVr%mm!G!@8VB34vDG`+piNi=L7(|6ex{$qw(lGoB(^n{ zks-dpl1qhng}Frd(Ps4Dw#@baM$j{ngUm-b3%bPrd%IQA)BC^MJ3G(*-&2&h$JJ;4 zN#t@J;{F4CEyZQf6av?Ex)$^>*Wb!xF7Xz(4whWO>XLl2rLTU{}c zjVMxFZuJ!_fIlR@VIX88a|86z0DDN`kNJ^D3p=6H$8g4j!Lc>5Xa(pQKkfd$$9xJ4 zSccCnb?i`dLnAfs`A(HIvD3nsRsi*Ulzi1C$g2Qd(=_?qLrf@WU?KC9HGhXi@F!iI zq&1RpjuP(Cy`~%_9H;Hj!%_1gcUQ$@MHp+YWY}{u!%!G_VVb53cM!61^T#3e-<^n_Zwq%w2{#M~lbzxp@{pC45F+%);=^1naRWz^QzF&7977HcE;fTTh*z>u3J+F37JY(JtvT~Y zA*1!@S}NPW{(2ze1)E>b{Kxq(+S*!W!)nn6*!tv)cJ>%c%-P#}$n319iWxtxAuVy% z6U5$}>U~6Ez-(vOY)csti{&$~C5&g+v!<4fhVk#cMwrkhqSx3PCm$Z1)shd+4)&r4 zk!>rKjc=n0_~pbWv=uXmf8pCS$IL)X)Z=xk&WykJT~~Yn0BxxVb3y(ho0 zXoviX%iQ=6(`%3P8Ss+$k6zl^NyUG*cl77||0gM{u5I#A=##E)#C_PpwrEY^y5=l+ zQ6~npp-2?)yy|@KRVR1r=9f8Z5@)<0EhYcHWxoEGCnz4FkEQxw+fM8M?YGbI|0gL+ zPGis0{-F_gmM6<=Y5nvD?9-mmf`)+zIl*S6pIQi-7oJ7Ysbg@B9>zF?`pay!##1B6 zxTuG|`iMl^<8uF642f8`DE<8hTZ0o{#YfLyp|AWTf8zaX(NkV_gXjqSoGKiLcwhP7 zqU4-cNglONeqYa^#@??4^Lh97N0+(!KX?(#MRnixVA=Wq?VXhVFX@`5KkNUeD2Z5U 
z&L>!*qHoEUZIrhYlI9kLAX+f6Lp^NU$m1zAn0}1H*fApls%3S$Rp3r?zA4}xFRMxiA=RbDz z=kI@>q|86@IoIS9=QP){@p2D$K8>L#vJ#%U@T-psgnE`U+>=;m3^`H;p+qyHDWA_DXOy&U;V6S@ z-*b#%AGsrp(#c6SjpvtRL(NpkWr*A)bfU_f{B#UHucroeHQ$*MUy~Cjcs+$+53(kieC;Rr}Mv+R+=mS ze3^n21>63L;obKv`11X~t&IP#Kj;5?lJY`|%aDRsHgdo#8)Ifh6c-(wDuQC{kWUd5 z+5ca^1{!x7UI>qPfPKeg-nD5NH1>ip7g@Y4=0_YhMeg^aOv1QU(^#0|zU`TM$+i_? zgJkxr>e+!*o+MV&8h{ZbM`#xG^@`#)cRYalTGspjQs^YAP|uI|97GNBe#v0Qrw#BD z-B^SYMsNu;fzd1UHLSvimcS&kPg}uXwbq_Uel@WOv7Dg_&O~|`sSiX_DeQTOxR{@s zV@+h5DRIOns48;ZT1325i$Myvg~N;e_|Y=*?_8Gaf0wwy8t{GezqXUU|D&X9ThH;| zCn?`U|F3+eBv#qM6ug?NUDfxHfMW8<$!6xTN%3_EQDmj)L@A+zM35#%gm*TAQ;{w# z0|r#j4#GHesP=-?)@SWA0xTz{&;o7ede}gSXG$t2b=ZQxfAsvPzxSgviEA38WR#ZfR3g_cd!LP24rPFZM3F~=w2dhw z#2he=qa$Q_VaQY5R#Pby?!Z|90|0O*&Rpz8*Z+tIcObl{HI98ft=n@QMuThONP|xu_WSBY}q8qdtjh#&ysh+&^#Q2 zYk7FG_C6Bnt8=o(MH4$G4eTArAwUeRmEg%!dY~na@*$I7))L507XGWMuzZ*jz8)b* zX4TER3Ma;zB4gAYXd^2B9@ucmu}rQYAUY0{m==*cN&paluL&Uaf&EGs2Z@yPmNQh) z)DpLhh}%l|1r`kA<_n(wK7#x0FM)32gZcY*#_>FxtCpJP`8ewKpDKcXP~1}KW+igk#vuIc}?BK8uAOs0;s$-c2G_Pi7zj}vb;zsog75f*-VCsZH+V6-nt)Y=FMcEF9!<2NCl0x6%y^Oh6pm#<$3y6~-Nc#z>A;Kn^^)*ab?$D}sv% zA!vI*f$JeYvl69iC;lY?k1Dg3KbYbTFyfzJO_*~aO(zq%$T5*)Sd57fy++89eUV@a zEfRBjgNQeB3~wfAAmd~k!p7x~nac2ZA~$i>RE$x@UJ!v($*Plpr(zc%b5{3>92a3O zYplPN5zeH^BB5@SR`$o31k|IpO!5$+k@(NObC6#}U~vs31#na1pqP-t&DUx{k!u1_ zKs7+0aS7k(fAv|s{QO#=C~kfs!u93XwvI!-XO2B%u}~gj^x#*$G5|3ONSz#oa#V>) z7)WE#9RN)*!Un&HH+~6Q_}*gwr^uV~o1GOP4|nkK1S?Z)K=O5VL{`Yw;c|hOZhla# z@(U#+o1Egf-r{b~fAS+||MOq}U1(G2@w;)8-Vm>~0Y08#69n6o;7n#$S~$&-e=D19 zGH*8cA=9&Lz7`H(pUH)XCU}a>NIxgFtO`P8tBhzKBEC&Gz?(Oc>HS3`ee(vq!X6h| zFz^r=h1(Gpdz2weuq?dZ;KC-(qM#cW8B&qB$YYB+Qze$8hzpSdKZRQ*;Zn+V)91N< z^ylCj=g-_x{tT=ETM9;y2(q{ynp)T=_AIPOJs*8m3;*+9|IH{;_#M1?)5H{2-n=RN z4h|BV!}3<84IcXqK*>nAxEdD{013f{#p3`RSyq>M$&p^k&XVPT0h}_D4gds9tJ+8g z3k3MeqA{!CT&9p07di)ooG}Y1W@=@pNzOgTieH(`eEz8g0R*4pzT;=`3Qd_ziVh~w z@p)L#un}~aVG)k?HDf7DE*>@t_UYe?jke$r5`duZVJ78-vPCWyp$_on%PFVv!1s8F zmBSFqo(E#WYl*M1HwLdhC!NaA8>t~|07MP-waO?J(#jJPO~4Sb^~*QL;qd^D*#>Y0 
z&IWb}zj`vJFqovqEYXk{9ByL7V!wiLrYm$^wl2xbv=?!9a6$1#ERw?qEx0I$(S#j= zOoo+3nFx%aJ&1HdXsrc1ItjBtq9g(o;fb$8OlNRGyH!noTNlNBhTnpV$f-- z5Z$;HP*jVBWd6qR4dajSNbSpFA>G3`dEzz~^!zV`lU4tWeIxv`82`o~%;u2(DmXXm zq{8u1gmi}vaR!ftXX3KR#jem3*v;?xJ9H^;?Yno+x$skIM(WI z6CpN<_`S2Sg{Yi^qzHR3N<54LtM>?9OHwA&<9h6$Qz`hYWsazY)Q_=(p#H!{h$?q~ zihm!(5K|K2*5N(lrPn$~Yz5AjGwNcAzA%^9Sib$FLtbise|zzH78Q{CWW zk$S$kD&XFupTpfel=kv2m(Twu1AQd@zyA8q5m?IuShD_?bv^z4Us-#$|DUF;A}^8V zpRe}rC4lQGHUQ8KPX*D+MZlW4*rN)?W8|zS$B`uSE#~N|%9zwPF^vQ_F1jORPvmtb z5gZ{SbG5-7eUPIO9=upTl&Vq{WS6jf>x8>;6X>ps#dlh?o(h3gtg^JI-2FMU=oj37 z%+6O4(0P`Uz~*~+-YIE#c_+GBWFVylXsSco9nH0lBnuz0H{pQ#zGK=bkwr4qOB#>w z7mi**3?F&c=AkIH#l!H+_Wz^TvFCEXvcCN{9HS?Q|LUb@`|l~r<7<1y9}6^l;`I|n zn1^HZgZB1V&p#&glk9o!{I4(n@ekRirBzhHvi<+9?bQ80rLDJH&+*?UDUUDzasG%K zecl);6KISqClJOtZ&Q!sKZC0lhh7s5G&2#5B zAdqWAN6Z^P=JxU~c#-;Pde#(qGMRYvIGm`LcYltcH$`k1g6P?3vm!l$;HtQLd87Gy zGR`oHjfeBhVrBApLARf%tgrur7Qy1Od<9sl|I_#Xm$pmK=f9q&q*YMxCDRjIXlbUJ zv*DDk7H&8_;-=QzKJFVS`>tkQmT*sE*Dme$5e$h8FRmDbToA5aVU~ZiKt6G~xBg!v z2Czi`Z5Bc|>kGW+O_0B=R zOkwfVTS5!hi$2DbP!GDHY5ZrHiH*1lG@(n8clT%PhhjiugjQ68>un1yq1;Ldwf4Uz2 zf(*(L6DbY_#C55k9aEGAXyI5~&%&NXXNC<4SvZ`qSI?prW0>z@Bjuf4dU+?Ql!%-_ z3T>PWxnwh-XK`HlaMb*LIKCq6S!E`kc&xW$wOM0 ztLvYq_|fLpPggSe-w9>*f8eu!VhLj^vH~nx3BJQ6h;j{4 z03hh5lIa5gw!V5)hJVplAKHOpa3LL4KyWLODq)549)%8+KuzTKFES%PA`$_>I3~^N zNxgkmt<`go2yBV)YUTo9&qWWJmlaTC)a1X54@8@|$WQ|SD*u&-One}*zB2;}KL6(F zi_d)97K!v9A4wy~luSNqf2i5+;s{rHGMgN1v&}-Hr(UtuWYEO)%tHh@^gB>}odG3L z$(e+{KLj=&+GvXG_^9}s3cprnoe@af$eM$I-jK)^GG-tga(mzDoP9cLoqo7XnoSF_{=Vq6e%y^&Zo0_t9{V!)SI>Xr+TxxdtBekkRmn^MGoXaQXrDa zo$x^6JS=(k@G}mtn9d$vOpT@JP8FFVuDHf(D0A8|jB<>+2g8iA=ZTcvH5*!!L?_`e z4E9P`U9I|Yz1prT%#u^IEZ6a>B0rAd6N)E1?T=-EC?WZ(JP76_G_Qc-S*yNRZyYr1 zdrI&0xO-ABX6nb2vL{=#JEyJce!X^FZMSpUS+_wC2eN+kq+V?+XTA2pRsE+>3XdWj zPsA{psmitdr;s9kb2g#gGD|sRo@Ayc5ek=AnzSUS3MfuyY5-WQF_p5WX~pzh@wf|* z(A>vNjhay8ITi3{ey_`tj#kt+FLT_pSnl}8H@f2)@AGFfnQsb{3a~B5zeytMV4CoL zf`stvAZ(GQZ!gC<1fA7BLglR3cgRRV{h((?l4|N12(N_{DMs62g#2LW;P7$%1{prJ 
zuoJZdiAx1K$eWP(OJ#1zFL=)bf2KvobmpSOyLhPYz)8Id?gL6bRRAF-0QcjS7-4hx zB%f>#A>0zuEhpYG@+~CbJQ7Ak%=&N9g$|D|sWIRmwLj*_Di0Dzpacl5m4*Gvv`rZ#; zeIdR%^jtvEIVdkw_hGO`TmiKf_phk-GhNJ&WkpD2gIV%jz;JuYrEIa?DZ>7%v>N}cNe%}9iiW1-dIqTJu8$S=;)d>OQ zJHUY!N&CSM+4@Pk>nm^lJO!rf?hlD83s0CY^c1)XdpGJcZ4rQC3qkY3vnV=sa)aW; zx_uI=a!jLR0iL*_jRX;p6xOAE>pSAgij1J>8tdt?(HBs2O_4-|>2aw(*FuT)Id>m0 z9*KG~eu#IPvwu0?jDKuwIY%U8aq_2P1e>>yF`^XEdBb~LCgBLg1C!zhziN2pfhACi z4=Dlc-#XG-Um9tRP0-^iltta&n;GZQ;71!c&t+lBwg1E8J&)rBEII$RRVu$tpa0Uz z&-ovoq{Qw2c3EC$o%8}ShrRCS3#7or6g4R?T5Y21t1F;5!@egTguyU*UvzBCo0L^J zfw$O!*F-h&WR-Pk_0wbuDX;8R{Ef!Ej&l;&pLsW>|E%NBHE5}4Im10hg505GEs&pk zz^vqww}i$?j+>9>eSqij^upofa=EyW_a~a>b@*B$ zpW)=6ZcwZUr1%cD_;XDL3kMaS@Ca7!?0RTuVdp0z#5%JpkUvqlHQN^b>1}t}e0|aZ;pNJgm%yDc0nR)&x2N$net5!hqxUJFSwq9#>&BKnh zyVvR+cH7;n!*i|CZSi*+t&R1=cDMB&j+=Yu7v}Mm)+o2Thr3sreRSTX?nUFuZPwl0 zzIM3X>DI4XTC-zx%})E`;I`FhG|tD(aR>$=l0Php*ni^%V!L^|uW6l9%Wap9+x9-WHT9-_+O^^}=p^G53G{axrPt zV6RDzwVSGW2;x^SAbvp>E*`C|J0vbo=~ z&GL!Ua@*sRZBx5BY1Q?urgMmU@6Wejxi{^-zdSnsaOifw>~39*snzOkZ6E91+rFmj zsM|a0zrUIp<6ke^r7OR?*S+qK-_4BuCOmhpYW=d??X>CTmD8G@>*jXX869;e2ir!Y z*=beXqw_EJq+4&$r_FG4nC34f!N9A_6wcG7BYW>@0(=0W+=NGNom9~A+ zZq&6__sZ$^y4%h7-K~oc_K7*Emrgo|PDgiVwaM1jxnnoZOHJSCHNKd7!@20TF1lZK zzn+g%)%l#Z{V$^$>h|_7OWQZyiym${jaIL#*V-S3N0D4y)y}(m^ZZM*-QPdC z?S5!oos7-BbG@)^4lbXtisRAGa=k?U^O_^5Wv8)U~VE z=0x9bzjyuqhr_bj?H$*?G`!BZci6mTa&oPo)Lp+_`n7hc*o8w|m~Dr^hANtvLr%G|{$N_7yet@zm_> zI%fUKK^MLAOa1Di|6%uQYoe7ewX4(i*x0%(U0s^m`K?iJT=%|=dZ+tMY;>;nQDgUg zXWW}!G_D-OJ~_J7d##hP4ZB+F(9|1^%W`AdzHJ<}_sv@O;=0uOunW6A_u}M2-)oI+ z&ur{ox6d)x)5qQ3X{(m6!`EES6N^`TNq=51p4W@#_2PNGcwR65-Pem;kIi!UExxF8 z+-{F8w}(7yF#C!8n{}MG{IO(@@%`jOW+fNL3J{qU)?4}K4L5EC2(UkTd*r!1m*?_a U{%y= 1.16.0-0 < 1.27.0-0' + catalog.cattle.io/namespace: cattle-resources-system + catalog.cattle.io/os: linux + catalog.cattle.io/permits-os: linux,windows + catalog.cattle.io/provides-gvr: resources.cattle.io.resourceset/v1 + catalog.cattle.io/rancher-version: '>= 2.7.0-0 < 2.8.0-0' + 
catalog.cattle.io/release-name: rancher-backup
+ catalog.cattle.io/scope: management
+ catalog.cattle.io/type: cluster-tool
+ catalog.cattle.io/ui-component: rancher-backup
+ catalog.cattle.io/upstream-version: 2.1.1
+apiVersion: v2
+appVersion: 3.1.2
+description: Provides ability to back up and restore the Rancher application running
+ on any Kubernetes cluster
+icon: https://charts.rancher.io/assets/logos/backup-restore.svg
+keywords:
+- applications
+- infrastructure
+kubeVersion: '>= 1.16.0-0'
+name: rancher-backup
+version: 102.0.2+up3.1.2
diff --git a/charts/rancher-backup/102.0.2+up3.1.2/README.md b/charts/rancher-backup/102.0.2+up3.1.2/README.md
new file mode 100644
index 000000000..59bff4425
--- /dev/null
+++ b/charts/rancher-backup/102.0.2+up3.1.2/README.md
@@ -0,0 +1,79 @@
+# Rancher Backup
+
+This chart provides ability to back up and restore the Rancher application running on any Kubernetes cluster.
+
+Refer [this](https://github.com/rancher/backup-restore-operator) repository for implementation details.
+
+-----
+
+### Get Repo Info
+```bash
+helm repo add rancher-chart https://charts.rancher.io
+helm repo update
+```
+
+-----
+
+### Install Chart
+```bash
+helm install rancher-backup-crd rancher-chart/rancher-backup-crd -n cattle-resources-system --create-namespace
+helm install rancher-backup rancher-chart/rancher-backup -n cattle-resources-system
+```
+
+-----
+
+### Configuration
+The following table lists the configurable parameters of the rancher-backup chart and their default values:
+
+| Parameter | Description | Default |
+|----------|---------------|-------|
+| image.repository | Container image repository | rancher/backup-restore-operator |
+| image.tag | Container image tag | v0.1.0-rc1 |
+| s3.enabled | Configure S3 compatible default storage location. Current version supports S3 and MinIO | false |
+| s3.credentialSecretName | Name of the Secret containing S3 credentials. This is an optional field. Skip this field in order to use IAM Role authentication. The Secret must contain following two keys, `accessKey` and `secretKey` | "" |
+| s3.credentialSecretNamespace | Namespace of the Secret containing S3 credentials. This can be any namespace. | "" |
+| s3.region | Region of the S3 Bucket (Required for S3, not valid for MinIO) | "" |
+| s3.bucketName | Name of the Bucket | "" |
+| s3.folder | Base folder within the Bucket (optional) | "" |
+| s3.endpoint | Endpoint for the S3 storage provider | "" |
+| s3.endpointCA | Base64 encoded CA cert for the S3 storage provider (optional) | "" |
+| s3.insecureTLSSkipVerify | Skip SSL verification | false |
+| persistence.enabled | Configure a Persistent Volume as the default storage location. It accepts either a StorageClass name to create a PVC, or directly accepts the PV to use. The Persistent Volume is mounted at `/var/lib/backups` in the operator pod | false |
+| persistence.storageClass | StorageClass to use for dynamically provisioning the Persistent Volume, which will be used for storing backups | "" |
+| persistence.volumeName | Persistent Volume to use for storing backups | "" |
+| persistence.size | Requested size of the Persistent Volume (Applicable when using dynamic provisioning) | "" |
+| debug | Set debug flag for backup-restore deployment | false |
+| trace | Set trace flag for backup-restore deployment | false |
+| nodeSelector | https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector | {} |
+| tolerations | https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration | [] |
+| affinity | https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity | {} |
+| serviceAccount.annotations | Annotations to apply to created service account | {} |
+| global.cattle.psp.enabled | Enable or disable PSPs in the chart | false |
+
+-----
+
+### PSPs
+
+We have added a configuration to the chart `values.yaml` which allows you to enable or disable PSPs to align with the PSP deprecation in Kubernetes `v1.25` and above.
+
+-----
+
+### CRDs
+
+Refer [this](https://github.com/rancher/backup-restore-operator#crds) section for information on CRDs that this chart installs. Also refer [this](https://github.com/rancher/backup-restore-operator/tree/master/examples) folder containing sample manifests for the CRDs.
+
+-----
+### Upgrading Chart
+```bash
+helm upgrade rancher-backup-crd -n cattle-resources-system
+helm upgrade rancher-backup -n cattle-resources-system
+```
+
+-----
+### Uninstall Chart
+
+```bash
+helm uninstall rancher-backup -n cattle-resources-system
+helm uninstall rancher-backup-crd -n cattle-resources-system
+```
+
diff --git a/charts/rancher-backup/102.0.2+up3.1.2/app-readme.md b/charts/rancher-backup/102.0.2+up3.1.2/app-readme.md new file mode 100644 index 000000000..b1406d5ee --- /dev/null +++ b/charts/rancher-backup/102.0.2+up3.1.2/app-readme.md 
@@ -0,0 +1,33 @@ +# Rancher Backup + +This chart enables ability to capture backups of the Rancher application and restore from these backups. This chart can be used to migrate Rancher from one Kubernetes cluster to a different Kubernetes cluster. + +For more information on how to use the feature, refer to our [docs](https://ranchermanager.docs.rancher.com/pages-for-subheaders/backup-restore-and-disaster-recovery). + +This chart installs the following components: + +- [backup-restore-operator](https://github.com/rancher/backup-restore-operator) + - The operator handles backing up all Kubernetes resources and CRDs that Rancher creates and manages from the local cluster. It gathers these resources by querying the Kubernetes API server, packages all the resources to create a tarball file and saves it in the configured backup storage location. + - The operator can be configured to store backups in S3-compatible object stores such as AWS S3 and MinIO, and in persistent volumes. During deployment, you can create a default storage location, but there is always the option to override the default storage location with each backup, but will be limited to using an S3-compatible object store. + - It preserves the ownerReferences on all resources, hence maintaining dependencies between objects. + - This operator provides encryption support, to encrypt user specified resources before saving them in the backup file. It uses the same encryption configuration that is used to enable [Kubernetes Encryption at Rest](https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/). +- Backup - A backup is a CRD (`Backup`) that defines when to take backups, where to store the backup and what encryption to use (optional). Backups can be taken ad hoc or scheduled to be taken in intervals. +- Restore - A restore is a CRD (`Restore`) that defines which backup to use to restore the Rancher application to. 
+ +## Upgrading to Kubernetes v1.25+ + ​ +Starting in Kubernetes v1.25, [Pod Security Policies](https://kubernetes.io/docs/concepts/security/pod-security-policy/) have been removed from the Kubernetes API. + ​ +As a result, **before upgrading to Kubernetes v1.25** (or on a fresh install in a Kubernetes v1.25+ cluster), users are expected to perform an in-place upgrade of this chart with `global.cattle.psp.enabled` set to `false` if it has been previously set to `true`. +​ +> **Note:** +> In this chart release, any previous field that was associated with any PSP resources have been removed in favor of a single global field: `global.cattle.psp.enabled`. + ​ +> **Note:** +> If you upgrade your cluster to Kubernetes v1.25+ before removing PSPs via a `helm upgrade` (even if you manually clean up resources), **it will leave the Helm release in a broken state within the cluster such that further Helm operations will not work (`helm uninstall`, `helm upgrade`, etc.).** +> +> If your charts get stuck in this state, please consult the Rancher docs on how to clean up your Helm release secrets. +​ +Upon setting `global.cattle.psp.enabled` to false, the chart will remove any PSP resources deployed on its behalf from the cluster. This is the default setting for this chart. +​ +As a replacement for PSPs, [Pod Security Admission](https://kubernetes.io/docs/concepts/security/pod-security-admission/) should be used. Please consult the Rancher docs for more details on how to configure your chart release namespaces to work with the new Pod Security Admission and apply Pod Security Standards. diff --git a/charts/rancher-backup/102.0.2+up3.1.2/files/default-resourceset-contents/aks.yaml b/charts/rancher-backup/102.0.2+up3.1.2/files/default-resourceset-contents/aks.yaml new file mode 100644 index 000000000..779742058 --- /dev/null +++ b/charts/rancher-backup/102.0.2+up3.1.2/files/default-resourceset-contents/aks.yaml 
@@ -0,0 +1,25 @@
+- apiVersion: "apiextensions.k8s.io/v1"
+ kindsRegexp: "."
+ resourceNameRegexp: "aks.cattle.io$"
+- apiVersion: "aks.cattle.io/v1"
+ kindsRegexp: "."
+- apiVersion: "apps/v1"
+ kindsRegexp: "^deployments$"
+ namespaces:
+ - "cattle-system"
+ resourceNames:
+ - "aks-config-operator"
+- apiVersion: "rbac.authorization.k8s.io/v1"
+ kindsRegexp: "^clusterroles$"
+ resourceNames:
+ - "aks-operator"
+- apiVersion: "rbac.authorization.k8s.io/v1"
+ kindsRegexp: "^clusterrolebindings$"
+ resourceNames:
+ - "aks-operator"
+- apiVersion: "v1"
+ kindsRegexp: "^serviceaccounts$"
+ namespaces:
+ - "cattle-system"
+ resourceNames:
+ - "aks-operator"
diff --git a/charts/rancher-backup/102.0.2+up3.1.2/files/default-resourceset-contents/eks.yaml b/charts/rancher-backup/102.0.2+up3.1.2/files/default-resourceset-contents/eks.yaml
new file mode 100644
index 000000000..ae57baddf
--- /dev/null
+++ b/charts/rancher-backup/102.0.2+up3.1.2/files/default-resourceset-contents/eks.yaml
@@ -0,0 +1,17 @@
+- apiVersion: "eks.cattle.io/v1"
+ kindsRegexp: "."
+- apiVersion: "apps/v1"
+ kindsRegexp: "^deployments$"
+ resourceNames:
+ - "eks-config-operator"
+- apiVersion: "apiextensions.k8s.io/v1"
+ kindsRegexp: "."
+ resourceNameRegexp: "eks.cattle.io$"
+- apiVersion: "rbac.authorization.k8s.io/v1"
+ kindsRegexp: "^clusterroles$"
+ resourceNames:
+ - "eks-operator"
+- apiVersion: "rbac.authorization.k8s.io/v1"
+ kindsRegexp: "^clusterrolebindings$"
+ resourceNames:
+ - "eks-operator"
diff --git a/charts/rancher-backup/102.0.2+up3.1.2/files/default-resourceset-contents/elemental.yaml b/charts/rancher-backup/102.0.2+up3.1.2/files/default-resourceset-contents/elemental.yaml
new file mode 100644
index 000000000..1d38b1229
--- /dev/null
+++ b/charts/rancher-backup/102.0.2+up3.1.2/files/default-resourceset-contents/elemental.yaml
@@ -0,0 +1,49 @@ +- apiVersion: "apiextensions.k8s.io/v1" + kindsRegexp: "." + resourceNameRegexp: "elemental.cattle.io$" +- apiVersion: "apps/v1" + kindsRegexp: "^deployments$" + namespaces: + - "cattle-elemental-system" + resourceNames: + - "elemental-operator" +- apiVersion: "rbac.authorization.k8s.io/v1" + kindsRegexp: "^clusterroles$" + resourceNames: + - "elemental-operator" +- apiVersion: "rbac.authorization.k8s.io/v1" + kindsRegexp: "^clusterrolebindings$" + resourceNames: + - "elemental-operator" +- apiVersion: "v1" + kindsRegexp: "^serviceaccounts$" + namespaces: + - "cattle-elemental-system" + resourceNames: + - "elemental-operator" +- apiVersion: "management.cattle.io/v3" + kindsRegexp: "^globalrole$" + resourceNames: + - "elemental-operator" +- apiVersion: "management.cattle.io/v3" + kindsRegexp: "^apiservice$" + resourceNameRegexp: "elemental.cattle.io$" +- apiVersion: "elemental.cattle.io/v1beta1" + kindsRegexp: "." + namespaceRegexp: "^cattle-fleet-|^fleet-" +- apiVersion: "rbac.authorization.k8s.io/v1" + kindsRegexp: "^roles$|^rolebindings$" + labelSelectors: + matchExpressions: + - key: "elemental.cattle.io/managed" + operator: "In" + values: ["true"] + namespaceRegexp: "^cattle-fleet-|^fleet-" +- apiVersion: "v1" + kindsRegexp: "^secrets$|^serviceaccounts$" + labelSelectors: + matchExpressions: + - key: "elemental.cattle.io/managed" + operator: "In" + values: ["true"] + namespaceRegexp: "^cattle-fleet-|^fleet-" diff --git a/charts/rancher-backup/102.0.2+up3.1.2/files/default-resourceset-contents/fleet.yaml b/charts/rancher-backup/102.0.2+up3.1.2/files/default-resourceset-contents/fleet.yaml new file mode 100644 index 000000000..a14125fec --- /dev/null +++ b/charts/rancher-backup/102.0.2+up3.1.2/files/default-resourceset-contents/fleet.yaml 
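Review bot: The `management.cattle.io/v3` selectors use singular patterns, `kindsRegexp: "^globalrole$"` and `kindsRegexp: "^apiservice$"`, while every other entry in these resourceset files matches the plural resource name (`^clusterroles$`, `^serviceaccounts$`, `^deployments$`). I cannot see the operator's matcher from here, but if `kindsRegexp` is compared against the plural resource name these two selectors never match and the elemental-operator GlobalRole and APIService are silently left out of the backup. The same question applies to `kindsRegexp: "^ResourceSet$"` in rancher.yaml, which is both singular and capitalised unlike the neighbouring `^clusterrepos$`. Either align them with the plural form (`"^globalroles$"`, `"^apiservices$"`, `"^resourcesets$"`) or add a one-line comment stating that the matcher accepts Kind names so the inconsistency is documented.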
@@ -0,0 +1,53 @@ +- apiVersion: "v1" + kindsRegexp: "^namespaces$" + resourceNameRegexp: "^fleet-" +- apiVersion: "v1" + kindsRegexp: "^secrets$" + namespaceRegexp: "^cattle-fleet-|^fleet-" + excludeResourceNameRegexp: "^import-token" + labelSelectors: + matchExpressions: + - key: "owner" + operator: "NotIn" + values: ["helm"] + - key: "fleet.cattle.io/managed" + operator: "In" + values: ["true"] +- apiVersion: "v1" + kindsRegexp: "^serviceaccounts$" + namespaceRegexp: "^cattle-fleet-|^fleet-" + excludeResourceNameRegexp: "^default$" +- apiVersion: "v1" + kindsRegexp: "^configmaps$" + namespaceRegexp: "^cattle-fleet-|^fleet-" +- apiVersion: "rbac.authorization.k8s.io/v1" + kindsRegexp: "^roles$|^rolebindings$" + namespaceRegexp: "^cattle-fleet-|^fleet-" +- apiVersion: "rbac.authorization.k8s.io/v1" + kindsRegexp: "^clusterrolebindings$" + resourceNameRegexp: "^fleet-|^gitjob-" +- apiVersion: "rbac.authorization.k8s.io/v1" + kindsRegexp: "^clusterroles$" + resourceNameRegexp: "^fleet-" + resourceNames: + - "gitjob" +- apiVersion: "apiextensions.k8s.io/v1" + kindsRegexp: "." + resourceNameRegexp: "fleet.cattle.io$|gitjob.cattle.io$" +- apiVersion: "fleet.cattle.io/v1alpha1" + kindsRegexp: "." + excludeKinds: + - "bundledeployments" +- apiVersion: "gitjob.cattle.io/v1" + kindsRegexp: "." +- apiVersion: "apps/v1" + kindsRegexp: "^deployments$" + namespaceRegexp: "^cattle-fleet-|^fleet-" + resourceNameRegexp: "^fleet-" + resourceNames: + - "gitjob" +- apiVersion: "apps/v1" + kindsRegexp: "^services$" + namespaceRegexp: "^cattle-fleet-|^fleet-" + resourceNames: + - "gitjob" diff --git a/charts/rancher-backup/102.0.2+up3.1.2/files/default-resourceset-contents/gke.yaml b/charts/rancher-backup/102.0.2+up3.1.2/files/default-resourceset-contents/gke.yaml new file mode 100644 index 000000000..a87eef364 --- /dev/null +++ b/charts/rancher-backup/102.0.2+up3.1.2/files/default-resourceset-contents/gke.yaml 
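Review bot: The last selector pairs `apiVersion: "apps/v1"` with `kindsRegexp: "^services$"`, but Services live in the core group, so this entry can never match and the `gitjob` Service is not captured by the backup. The fix is the first line of that entry, `- apiVersion: "v1"`, keeping `kindsRegexp`, `namespaceRegexp` and `resourceNames` as they are. Worth adding a regression check in the chart tests once the resourceset rendering is covered, since a non-matching selector fails silently rather than erroring.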
@@ -0,0 +1,17 @@
+- apiVersion: "apiextensions.k8s.io/v1"
+ kindsRegexp: "."
+ resourceNameRegexp: "gke.cattle.io$"
+- apiVersion: "gke.cattle.io/v1"
+ kindsRegexp: "."
+- apiVersion: "apps/v1"
+ kindsRegexp: "^deployments$"
+ resourceNames:
+ - "gke-config-operator"
+- apiVersion: "rbac.authorization.k8s.io/v1"
+ kindsRegexp: "^clusterroles$"
+ resourceNames:
+ - "gke-operator"
+- apiVersion: "rbac.authorization.k8s.io/v1"
+ kindsRegexp: "^clusterrolebindings$"
+ resourceNames:
+ - "gke-operator"
diff --git a/charts/rancher-backup/102.0.2+up3.1.2/files/default-resourceset-contents/provisioningv2.yaml b/charts/rancher-backup/102.0.2+up3.1.2/files/default-resourceset-contents/provisioningv2.yaml
new file mode 100644
index 000000000..50a7f906b
--- /dev/null
+++ b/charts/rancher-backup/102.0.2+up3.1.2/files/default-resourceset-contents/provisioningv2.yaml
@@ -0,0 +1,23 @@
+- apiVersion: "apiextensions.k8s.io/v1"
+ kindsRegexp: "."
+ resourceNameRegexp: "provisioning.cattle.io$|rke-machine-config.cattle.io$|rke-machine.cattle.io$|rke.cattle.io$|cluster.x-k8s.io$"
+- apiVersion: "provisioning.cattle.io/v1"
+ kindsRegexp: "."
+- apiVersion: "rke-machine-config.cattle.io/v1"
+ kindsRegexp: "."
+- apiVersion: "rke-machine.cattle.io/v1"
+ kindsRegexp: "."
+- apiVersion: "rke.cattle.io/v1"
+ kindsRegexp: "."
+- apiVersion: "cluster.x-k8s.io/v1beta1"
+ kindsRegexp: "."
+- apiVersion: "v1"
+ kindsRegexp: "^secrets$"
+ resourceNameRegexp: "machine-plan$|rke-state$|machine-state$|machine-driver-secret$|machine-provision$|^harvesterconfig"
+ namespaces:
+ - "fleet-default"
+- apiVersion: "v1"
+ kindsRegexp: "^configmaps$"
+ resourceNames:
+ - "provisioning-log"
+ namespaceRegexp: "^c-m-"
diff --git a/charts/rancher-backup/102.0.2+up3.1.2/files/default-resourceset-contents/rancher-operator.yaml b/charts/rancher-backup/102.0.2+up3.1.2/files/default-resourceset-contents/rancher-operator.yaml
new file mode 100644
index 000000000..f30c2fd96
--- /dev/null
+++ b/charts/rancher-backup/102.0.2+up3.1.2/files/default-resourceset-contents/rancher-operator.yaml
@@ -0,0 +1,28 @@
+- apiVersion: "rancher.cattle.io/v1"
+ kindsRegexp: "."
+- apiVersion: "apps/v1"
+ kindsRegexp: "^deployments$"
+ resourceNames:
+ - "rancher-operator"
+ namespaces:
+ - "rancher-operator-system"
+- apiVersion: "v1"
+ kindsRegexp: "^serviceaccounts$"
+ namespaces:
+ - "rancher-operator-system"
+ excludeResourceNameRegexp: "^default$"
+- apiVersion: "rbac.authorization.k8s.io/v1"
+ kindsRegexp: "^clusterrolebindings$"
+ resourceNames:
+ - "rancher-operator"
+- apiVersion: "rbac.authorization.k8s.io/v1"
+ kindsRegexp: "^clusterroles$"
+ resourceNames:
+ - "rancher-operator"
+- apiVersion: "apiextensions.k8s.io/v1"
+ kindsRegexp: "."
+ resourceNameRegexp: "rancher.cattle.io$"
+- apiVersion: "v1"
+ kindsRegexp: "^namespaces$"
+ resourceNames:
+ - "rancher-operator-system"
diff --git a/charts/rancher-backup/102.0.2+up3.1.2/files/default-resourceset-contents/rancher.yaml b/charts/rancher-backup/102.0.2+up3.1.2/files/default-resourceset-contents/rancher.yaml
new file mode 100644
index 000000000..47fa2e02f
--- /dev/null
+++ b/charts/rancher-backup/102.0.2+up3.1.2/files/default-resourceset-contents/rancher.yaml
@@ -0,0 +1,65 @@ +- apiVersion: "v1" + kindsRegexp: "^namespaces$" + resourceNameRegexp: "^cattle-|^p-|^c-|^user-|^u-" + resourceNames: + - "local" +- apiVersion: "v1" + kindsRegexp: "^secrets$" + namespaceRegexp: "^cattle-|^p-|^c-|^local$|^user-|^u-" + labelSelectors: + matchExpressions: + - key: "owner" + operator: "NotIn" + values: ["helm"] + excludeResourceNameRegexp: "^bootstrap-secret$|^rancher-csp-adapter|^csp-adapter-cache$" +- apiVersion: "v1" + kindsRegexp: "^serviceaccounts$" + namespaceRegexp: "^cattle-|^p-|^c-|^local$|^user-|^u-" + excludeResourceNameRegexp: "^default$|^rancher-csp-adapter$" +- apiVersion: "v1" + kindsRegexp: "^configmaps$" + namespaces: + - "cattle-system" +- apiVersion: "rbac.authorization.k8s.io/v1" + kindsRegexp: "^roles$|^rolebindings$" + namespaceRegexp: "^cattle-|^p-|^c-|^local$|^user-|^u-" + excludeResourceNameRegexp: "^rancher-csp-adapter" +- apiVersion: "rbac.authorization.k8s.io/v1" + kindsRegexp: "^clusterrolebindings$" + resourceNameRegexp: "^cattle-|^clusterrolebinding-|^globaladmin-user-|^grb-u-|^crb-" +- apiVersion: "rbac.authorization.k8s.io/v1" + kindsRegexp: "^clusterroles$" + resourceNameRegexp: "^cattle-|^p-|^c-|^local-|^user-|^u-|^project-|^create-ns$" + excludeResourceNameRegexp: "^rancher-csp-adapter-" +- apiVersion: "scheduling.k8s.io/v1" + kindsRegexp: "^priorityclasses$" + resourceNameRegexp: "^rancher-critical$" +- apiVersion: "apiextensions.k8s.io/v1" + kindsRegexp: "." + resourceNameRegexp: "management.cattle.io$|project.cattle.io$|catalog.cattle.io$|resources.cattle.io$" +- apiVersion: "management.cattle.io/v3" + kindsRegexp: "." + excludeKinds: + - "tokens" + - "rancherusernotifications" +- apiVersion: "management.cattle.io/v3" + kindsRegexp: "^tokens$" + labelSelectors: + matchExpressions: + - key: "authn.management.cattle.io/kind" + operator: "NotIn" + values: [ "provisioning" ] +- apiVersion: "project.cattle.io/v3" + kindsRegexp: "." 
+- apiVersion: "catalog.cattle.io/v1" + kindsRegexp: "^clusterrepos$" +- apiVersion: "resources.cattle.io/v1" + kindsRegexp: "^ResourceSet$" +- apiVersion: "v1" + kindsRegexp: "^secrets$" + namespaceRegexp: "^.*$" + labelSelectors: + matchExpressions: + - key: "resources.cattle.io/backup" + operator: "In" + values: ["true"] diff --git a/charts/rancher-backup/102.0.2+up3.1.2/templates/_helpers.tpl b/charts/rancher-backup/102.0.2+up3.1.2/templates/_helpers.tpl new file mode 100644 index 000000000..a5e485243 --- /dev/null +++ b/charts/rancher-backup/102.0.2+up3.1.2/templates/_helpers.tpl 
@@ -0,0 +1,87 @@ +{{- define "system_default_registry" -}} +{{- if .Values.global.cattle.systemDefaultRegistry -}} +{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}} +{{- else -}} +{{- "" -}} +{{- end -}} +{{- end -}} + +{{/* +Windows cluster will add default taint for linux nodes, +add below linux tolerations to workloads could be scheduled to those linux nodes +*/}} +{{- define "linux-node-tolerations" -}} +- key: "cattle.io/os" + value: "linux" + effect: "NoSchedule" + operator: "Equal" +{{- end -}} + +{{- define "linux-node-selector" -}} +{{- if semverCompare "<1.14-0" .Capabilities.KubeVersion.GitVersion -}} +beta.kubernetes.io/os: linux +{{- else -}} +kubernetes.io/os: linux +{{- end -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "backupRestore.fullname" -}} +{{- .Chart.Name | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "backupRestore.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "backupRestore.labels" -}} +helm.sh/chart: {{ include "backupRestore.chart" . }} +{{ include "backupRestore.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "backupRestore.selectorLabels" -}} +app.kubernetes.io/name: {{ include "backupRestore.fullname" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +resources.cattle.io/operator: backup-restore +{{- end }} + + +{{/* +Create the name of the service account to use +*/}} +{{- define "backupRestore.serviceAccountName" -}} +{{ include "backupRestore.fullname" . 
}} +{{- end }} + + +{{- define "backupRestore.s3SecretName" -}} +{{- printf "%s-%s" .Chart.Name "s3" | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create PVC name using release and revision number, unless a volumeName is given. +*/}} +{{- define "backupRestore.pvcName" -}} +{{- if and .Values.persistence.volumeName }} +{{- printf "%s" .Values.persistence.volumeName }} +{{- else -}} +{{- printf "%s-%d" .Release.Name .Release.Revision }} +{{- end }} +{{- end }} + diff --git a/charts/rancher-backup/102.0.2+up3.1.2/templates/clusterrolebinding.yaml b/charts/rancher-backup/102.0.2+up3.1.2/templates/clusterrolebinding.yaml new file mode 100644 index 000000000..cf4abf670 --- /dev/null +++ b/charts/rancher-backup/102.0.2+up3.1.2/templates/clusterrolebinding.yaml @@ -0,0 +1,14 @@ +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ include "backupRestore.fullname" . }} + labels: + {{- include "backupRestore.labels" . | nindent 4 }} +subjects: +- kind: ServiceAccount + name: {{ include "backupRestore.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: cluster-admin + apiGroup: rbac.authorization.k8s.io diff --git a/charts/rancher-backup/102.0.2+up3.1.2/templates/deployment.yaml b/charts/rancher-backup/102.0.2+up3.1.2/templates/deployment.yaml new file mode 100644 index 000000000..631fa458b --- /dev/null +++ b/charts/rancher-backup/102.0.2+up3.1.2/templates/deployment.yaml 
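Review bot: `linux-node-selector` reads `.Capabilities.KubeVersion.GitVersion`, which Helm 3 marks as deprecated in favour of `.Capabilities.KubeVersion.Version`; the comparison line should become `{{- if semverCompare "<1.14-0" .Capabilities.KubeVersion.Version -}}`. In `backupRestore.pvcName`, `{{- if and .Values.persistence.volumeName }}` applies `and` to a single operand, which is a no-op, and `{{- printf "%s" .Values.persistence.volumeName }}` is a roundabout way of emitting the value; `{{- if .Values.persistence.volumeName }}` and `{{- .Values.persistence.volumeName }}` read more directly. Neither changes rendered output, so these are style points only.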
@@ -0,0 +1,79 @@ +{{- if and .Values.s3.enabled .Values.persistence.enabled }} +{{- fail "\n\nCannot configure both s3 and PV for storing backups" }} +{{- end }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "backupRestore.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "backupRestore.labels" . | nindent 4 }} +spec: + selector: + matchLabels: + {{- include "backupRestore.selectorLabels" . | nindent 6 }} + template: + metadata: + labels: + {{- include "backupRestore.selectorLabels" . | nindent 8 }} + annotations: + checksum/s3: {{ include (print $.Template.BasePath "/s3-secret.yaml") . | sha256sum }} + checksum/pvc: {{ include (print $.Template.BasePath "/pvc.yaml") . | sha256sum }} + spec: + serviceAccountName: {{ include "backupRestore.serviceAccountName" . }} + {{- if .Values.imagePullSecrets }} + imagePullSecrets: + {{ toYaml .Values.imagePullSecrets | indent 6 }} + {{- end }} + {{- if .Values.priorityClassName }} + priorityClassName: {{ .Values.priorityClassName }} + {{- end }} + containers: + - name: {{ .Chart.Name }} + image: {{ template "system_default_registry" . }}{{ .Values.image.repository }}:{{ .Values.image.tag }} + imagePullPolicy: {{ default "Always" .Values.imagePullPolicy }} + args: +{{- if .Values.debug }} + - "--debug" +{{- end }} +{{- if .Values.trace }} + - "--trace" +{{- end }} + env: + - name: CHART_NAMESPACE + value: {{ .Release.Namespace }} + {{- if .Values.s3.enabled }} + - name: DEFAULT_S3_BACKUP_STORAGE_LOCATION + value: {{ include "backupRestore.s3SecretName" . 
}} + {{- end }} + {{- if .Values.proxy }} + - name: HTTP_PROXY + value: {{ .Values.proxy }} + - name: HTTPS_PROXY + value: {{ .Values.proxy }} + - name: NO_PROXY + value: {{ .Values.noProxy }} + {{- end }} + {{- if .Values.persistence.enabled }} + - name: DEFAULT_PERSISTENCE_ENABLED + value: "persistence-enabled" + volumeMounts: + - mountPath: "/var/lib/backups" + name: pv-storage + volumes: + - name: pv-storage + persistentVolumeClaim: + claimName: {{ include "backupRestore.pvcName" . }} + {{- end }} + nodeSelector: {{ include "linux-node-selector" . | nindent 8 }} +{{- if .Values.nodeSelector }} +{{ toYaml .Values.nodeSelector | indent 8 }} +{{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + tolerations: {{ include "linux-node-tolerations" . | nindent 8 }} +{{- if .Values.tolerations }} +{{ toYaml .Values.tolerations | indent 8 }} +{{- end }} diff --git a/charts/rancher-backup/102.0.2+up3.1.2/templates/hardened.yaml b/charts/rancher-backup/102.0.2+up3.1.2/templates/hardened.yaml new file mode 100644 index 000000000..bf8492ce0 --- /dev/null +++ b/charts/rancher-backup/102.0.2+up3.1.2/templates/hardened.yaml 
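Review bot: The operator pod has no `securityContext` at either pod or container level, yet its service account is bound to `cluster-admin` in clusterrolebinding.yaml, so a compromise of this container is a compromise of the cluster; with `global.cattle.psp.enabled` defaulting to false (README table) the PSP's `MustRunAsNonRoot` / `allowPrivilegeEscalation: false` no longer applies either. Adding the same constraints directly to the Deployment keeps the hardening independent of PSPs and matches what the chart's own PSP already expected of the image, though `runAsNonRoot` presumes the upstream image runs as a non-root user, which I cannot confirm from here. `readOnlyRootFilesystem` is deliberately left out since the PSP sets it to false and the operator writes backups under `/var/lib/backups`.

```yaml
    spec:
      serviceAccountName: {{ include "backupRestore.serviceAccountName" . }}
      securityContext:
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
      # … unchanged: imagePullSecrets, priorityClassName …
      containers:
        - name: {{ .Chart.Name }}
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
          # … unchanged: image, imagePullPolicy, args, env, volumeMounts …
```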
@@ -0,0 +1,124 @@ +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ include "backupRestore.fullname" . }}-patch-sa + namespace: {{ .Release.Namespace }} + labels: {{ include "backupRestore.labels" . | nindent 4 }} + annotations: + "helm.sh/hook": post-install, post-upgrade + "helm.sh/hook-delete-policy": hook-succeeded, before-hook-creation +spec: + backoffLimit: 1 + template: + spec: + serviceAccountName: {{ include "backupRestore.fullname" . }}-patch-sa + securityContext: + runAsNonRoot: true + runAsUser: 1000 + restartPolicy: Never + nodeSelector: {{ include "linux-node-selector" . | nindent 8 }} +{{- if .Values.nodeSelector }} +{{ toYaml .Values.nodeSelector | indent 8 }} +{{- end }} + tolerations: {{ include "linux-node-tolerations" . | nindent 8 }} +{{- if .Values.tolerations }} +{{ toYaml .Values.tolerations | indent 8 }} +{{- end }} + containers: + - name: {{ include "backupRestore.fullname" . }}-patch-sa + image: {{ include "system_default_registry" . }}{{ .Values.global.kubectl.repository }}:{{ .Values.global.kubectl.tag }} + imagePullPolicy: IfNotPresent + command: ["kubectl", "-n", {{ .Release.Namespace | quote }}, "patch", "serviceaccount", "default", "-p", "{\"automountServiceAccountToken\": false}"] +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "backupRestore.fullname" . }}-patch-sa + namespace: {{ .Release.Namespace }} + labels: {{ include "backupRestore.labels" . | nindent 4 }} + annotations: + "helm.sh/hook": post-install, post-upgrade + "helm.sh/hook-delete-policy": hook-succeeded, before-hook-creation +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "backupRestore.fullname" . }}-patch-sa + labels: {{ include "backupRestore.labels" . 
| nindent 4 }} + annotations: + "helm.sh/hook": post-install, post-upgrade + "helm.sh/hook-delete-policy": hook-succeeded, before-hook-creation +rules: + - apiGroups: [""] + resources: ["serviceaccounts"] + verbs: ["get", "patch"] +{{- if .Values.global.cattle.psp.enabled}} + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + verbs: ["use"] + resourceNames: + - {{ include "backupRestore.fullname" . }}-patch-sa +{{- end}} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "backupRestore.fullname" . }}-patch-sa + labels: {{ include "backupRestore.labels" . | nindent 4 }} + annotations: + "helm.sh/hook": post-install, post-upgrade + "helm.sh/hook-delete-policy": hook-succeeded, before-hook-creation +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "backupRestore.fullname" . }}-patch-sa +subjects: + - kind: ServiceAccount + name: {{ include "backupRestore.fullname" . }}-patch-sa + namespace: {{ .Release.Namespace }} +--- +{{- if .Values.global.cattle.psp.enabled}} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ include "backupRestore.fullname" . }}-patch-sa + labels: {{ include "backupRestore.labels" . | nindent 4 }} + annotations: + "helm.sh/hook": post-install, post-upgrade + "helm.sh/hook-delete-policy": hook-succeeded, before-hook-creation +spec: + privileged: false + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'MustRunAsNonRoot' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'MustRunAs' + ranges: + - min: 1 + max: 65535 + fsGroup: + rule: 'MustRunAs' + ranges: + - min: 1 + max: 65535 + readOnlyRootFilesystem: false + volumes: + - 'secret' +{{- end}} +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ include "backupRestore.fullname" . 
}}-default-allow-all + namespace: {{ .Release.Namespace }} +spec: + podSelector: {} + egress: + - {} + policyTypes: + - Ingress + - Egress diff --git a/charts/rancher-backup/102.0.2+up3.1.2/templates/psp.yaml b/charts/rancher-backup/102.0.2+up3.1.2/templates/psp.yaml new file mode 100644 index 000000000..34bc96ee7 --- /dev/null +++ b/charts/rancher-backup/102.0.2+up3.1.2/templates/psp.yaml @@ -0,0 +1,31 @@ +{{- if .Values.global.cattle.psp.enabled -}} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ include "backupRestore.fullname" . }}-psp + labels: {{ include "backupRestore.labels" . | nindent 4 }} +spec: + privileged: false + allowPrivilegeEscalation: false + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'MustRunAsNonRoot' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'MustRunAs' + ranges: + - min: 1 + max: 65535 + fsGroup: + rule: 'MustRunAs' + ranges: + - min: 1 + max: 65535 + readOnlyRootFilesystem: false + volumes: + - 'persistentVolumeClaim' + - 'secret' +{{- end -}} diff --git a/charts/rancher-backup/102.0.2+up3.1.2/templates/pvc.yaml b/charts/rancher-backup/102.0.2+up3.1.2/templates/pvc.yaml new file mode 100644 index 000000000..ff57e4dab --- /dev/null +++ b/charts/rancher-backup/102.0.2+up3.1.2/templates/pvc.yaml @@ -0,0 +1,27 @@ +{{- if and .Values.persistence.enabled -}} +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: {{ include "backupRestore.pvcName" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "backupRestore.labels" . | nindent 4 }} +spec: + accessModes: + - ReadWriteOnce + resources: + {{- with .Values.persistence }} + requests: + storage: {{ .size | quote }} +{{- if .storageClass }} +{{- if (eq "-" .storageClass) }} + storageClassName: "" +{{- else }} + storageClassName: {{ .storageClass | quote }} +{{- end }} +{{- end }} +{{- if .volumeName }} + volumeName: {{ .volumeName | quote }} +{{- end }} +{{- end }} +{{- end }} 
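Review bot: The `-patch-sa` ClusterRole grants `get`/`patch` on `serviceaccounts` in every namespace, but the Job's only command patches the `default` ServiceAccount in `{{ .Release.Namespace }}`; a namespaced `Role` plus `RoleBinding` in the release namespace covers that (the `podsecuritypolicies` `use` rule can also live in a Role), so the change is `kind: Role` / `kind: RoleBinding` with `namespace: {{ .Release.Namespace }}` added to both `metadata` blocks and the `roleRef` kind updated. Separately, the NetworkPolicy is named `-default-allow-all` and lists `Ingress` in `policyTypes` while defining only an egress rule, so it actually denies all ingress to every pod in the namespace; that is a reasonable posture for an operator that serves nothing, but the name says otherwise. If the deny is intended, a comment such as `# no ingress rule on purpose: nothing in this namespace accepts connections` makes that explicit; if not, add `ingress: - {}` to match the name.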
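Review bot: `storage: {{ .size | quote }}` renders `storage: ""` when `persistence.size` is left at the README's default of `""`, and the API server rejects a PersistentVolumeClaim without a storage request, so a user who sets `persistence.enabled: true` with only `volumeName` gets an install failure from the API rather than from Helm. Failing early with `storage: {{ required "persistence.size must be set when persistence.enabled is true" .size | quote }}` gives a clear message instead. The guard `{{- if and .Values.persistence.enabled -}}` uses `and` on a single operand; `{{- if .Values.persistence.enabled -}}` is equivalent and clearer.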
diff --git a/charts/rancher-backup/102.0.2+up3.1.2/templates/rancher-resourceset.yaml b/charts/rancher-backup/102.0.2+up3.1.2/templates/rancher-resourceset.yaml
new file mode 100644
index 000000000..05add8824
--- /dev/null
+++ b/charts/rancher-backup/102.0.2+up3.1.2/templates/rancher-resourceset.yaml
@@ -0,0 +1,13 @@
+apiVersion: resources.cattle.io/v1
+kind: ResourceSet
+metadata:
+ name: rancher-resource-set
+controllerReferences:
+ - apiVersion: "apps/v1"
+ resource: "deployments"
+ name: "rancher"
+ namespace: "cattle-system"
+resourceSelectors:
+{{- range $path, $_ := .Files.Glob "files/default-resourceset-contents/*.yaml" -}}
+ {{- $.Files.Get $path | nindent 2 -}}
+{{- end -}}
diff --git a/charts/rancher-backup/102.0.2+up3.1.2/templates/s3-secret.yaml b/charts/rancher-backup/102.0.2+up3.1.2/templates/s3-secret.yaml
new file mode 100644
index 000000000..726509730
--- /dev/null
+++ b/charts/rancher-backup/102.0.2+up3.1.2/templates/s3-secret.yaml
@@ -0,0 +1,31 @@ +{{- if .Values.s3.enabled -}} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "backupRestore.s3SecretName" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "backupRestore.labels" . | nindent 4 }} +type: Opaque +stringData: + {{- with .Values.s3 }} + {{- if .credentialSecretName }} + credentialSecretName: {{ .credentialSecretName }} + credentialSecretNamespace: {{ required "When providing a Secret containing S3 credentials, a valid .Values.credentialSecretNamespace must be provided" .credentialSecretNamespace }} + {{- end }} + {{- if .region }} + region: {{ .region | quote }} + {{- end }} + bucketName: {{ required "A valid .Values.bucketName is required for configuring S3 compatible storage as the default backup storage location" .bucketName | quote }} + {{- if .folder }} + folder: {{ .folder | quote }} + {{- end }} + endpoint: {{ required "A valid .Values.endpoint is required for configuring S3 compatible storage as the default backup storage location" .endpoint | quote }} + {{- if .endpointCA }} + endpointCA: {{ .endpointCA }} + {{- end }} + {{- if .insecureTLSSkipVerify }} + insecureTLSSkipVerify: {{ .insecureTLSSkipVerify | quote }} + {{- end }} + {{- end }} +{{ end }} diff --git a/charts/rancher-backup/102.0.2+up3.1.2/templates/serviceaccount.yaml b/charts/rancher-backup/102.0.2+up3.1.2/templates/serviceaccount.yaml new file mode 100644 index 000000000..754e1fe89 --- /dev/null +++ b/charts/rancher-backup/102.0.2+up3.1.2/templates/serviceaccount.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "backupRestore.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "backupRestore.labels" . | nindent 4 }} +{{- if .Values.serviceAccount.annotations }} + annotations: + {{- toYaml .Values.serviceAccount.annotations | nindent 4 }} +{{- end }} 
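Review bot: The three `required` messages name `.Values.bucketName`, `.Values.endpoint` and `.Values.credentialSecretNamespace`, but the template reads these inside `{{- with .Values.s3 }}`, so the keys users must actually set are `s3.bucketName`, `s3.endpoint` and `s3.credentialSecretNamespace`; the error text sends them to the wrong place. Changing the messages to `"A valid .Values.s3.bucketName is required …"`, `"A valid .Values.s3.endpoint is required …"` and `"… a valid .Values.s3.credentialSecretNamespace must be provided"` fixes that without touching behaviour. Also `credentialSecretName: {{ .credentialSecretName }}` and `endpointCA: {{ .endpointCA }}` are the only values emitted unquoted while their siblings go through `| quote`; piping them through `quote` as well keeps a base64 or otherwise special-character CA value from being reparsed by YAML.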
diff --git a/charts/rancher-backup/102.0.2+up3.1.2/templates/validate-install-crd.yaml b/charts/rancher-backup/102.0.2+up3.1.2/templates/validate-install-crd.yaml new file mode 100644 index 000000000..f63fd2e2e --- /dev/null +++ b/charts/rancher-backup/102.0.2+up3.1.2/templates/validate-install-crd.yaml @@ -0,0 +1,16 @@ +#{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}} +# {{- $found := dict -}} +# {{- set $found "resources.cattle.io/v1/Backup" false -}} +# {{- set $found "resources.cattle.io/v1/ResourceSet" false -}} +# {{- set $found "resources.cattle.io/v1/Restore" false -}} +# {{- range .Capabilities.APIVersions -}} +# {{- if hasKey $found (toString .) -}} +# {{- set $found (toString .) true -}} +# {{- end -}} +# {{- end -}} +# {{- range $_, $exists := $found -}} +# {{- if (eq $exists false) -}} +# {{- required "Required CRDs are missing. Please install the corresponding CRD chart before installing this chart." "" -}} +# {{- end -}} +# {{- end -}} +#{{- end -}} \ No newline at end of file diff --git a/charts/rancher-backup/102.0.2+up3.1.2/templates/validate-psp-install.yaml b/charts/rancher-backup/102.0.2+up3.1.2/templates/validate-psp-install.yaml new file mode 100644 index 000000000..a30c59d3b --- /dev/null +++ b/charts/rancher-backup/102.0.2+up3.1.2/templates/validate-psp-install.yaml @@ -0,0 +1,7 @@ +#{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}} +#{{- if .Values.global.cattle.psp.enabled }} +#{{- if not (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }} +#{{- fail "The target cluster does not have the PodSecurityPolicy API resource. Please disable PSPs in this chart before proceeding." -}} +#{{- end }} +#{{- end }} +#{{- end }} diff --git a/charts/rancher-backup/102.0.2+up3.1.2/tests/deployment_test.yaml b/charts/rancher-backup/102.0.2+up3.1.2/tests/deployment_test.yaml new file mode 100644 index 000000000..671d415db --- /dev/null 
+++ b/charts/rancher-backup/102.0.2+up3.1.2/tests/deployment_test.yaml 
@@ -0,0 +1,216 @@
+suite: Test Deployment
+templates:
+- deployment.yaml
+- s3-secret.yaml
+- pvc.yaml
+- _helpers.tpl
+tests:
+- it: should set name
+ template: deployment.yaml
+ asserts:
+ - equal:
+ path: metadata.name
+ value: "rancher-backup"
+- it: should set namespace
+ template: deployment.yaml
+ asserts:
+ - equal:
+ path: metadata.namespace
+ value: "NAMESPACE"
+- it: should set priorityClassName
+ set:
+ priorityClassName: "testClass"
+ template: deployment.yaml
+ asserts:
+ - equal:
+ path: spec.template.spec.priorityClassName
+ value: "testClass"
+- it: should set default imagePullPolicy
+ template: deployment.yaml
+ asserts:
+ - equal:
+ path: spec.template.spec.containers[0].imagePullPolicy
+ value: "Always"
+- it: should set imagePullPolicy
+ set:
+ imagePullPolicy: "IfNotPresent"
+ template: deployment.yaml
+ asserts:
+ - equal:
+ path: spec.template.spec.containers[0].imagePullPolicy
+ value: "IfNotPresent"
+- it: should set debug loglevel
+ set:
+ debug: true
+ template: deployment.yaml
+ asserts:
+ - contains:
+ path: spec.template.spec.containers[0].args
+ content: "--debug"
+- it: should set trace loglevel
+ set:
+ trace: true
+ template: deployment.yaml
+ asserts:
+ - contains:
+ path: spec.template.spec.containers[0].args
+ content: "--trace"
+- it: should set proxy environment variables
+ set:
+ proxy: "https://127.0.0.1:3128"
+ template: deployment.yaml
+ asserts:
+ - contains:
+ path: spec.template.spec.containers[0].env
+ content:
+ name: HTTP_PROXY
+ value: "https://127.0.0.1:3128"
+ - contains:
+ path: spec.template.spec.containers[0].env
+ content:
+ name: HTTPS_PROXY
+ value: "https://127.0.0.1:3128"
+ - contains:
+ path: spec.template.spec.containers[0].env
+ content:
+ name: NO_PROXY
+ value: "127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,.svc,.cluster.local"
+- it: should set proxy environment variables with modified noproxy
+ set:
+ proxy: "https://127.0.0.1:3128"
+ noProxy: "192.168.0.0/24"
+ template: deployment.yaml
+ asserts:
+ - contains:
+ path: spec.template.spec.containers[0].env
+ content:
+ name: NO_PROXY
+ value: "192.168.0.0/24"
+- it: should set persistence variables
+ set:
+ persistence.enabled: true
+ template: deployment.yaml
+ asserts:
+ - contains:
+ path: spec.template.spec.containers[0].env
+ content:
+ name: DEFAULT_PERSISTENCE_ENABLED
+ value: "persistence-enabled"
+ - contains:
+ path: spec.template.spec.containers[0].volumeMounts
+ content:
+ mountPath: "/var/lib/backups"
+ name: "pv-storage"
+ - equal:
+ path: spec.template.spec.volumes[0].name
+ value: "pv-storage"
+ - equal:
+ path: spec.template.spec.volumes[0].persistentVolumeClaim
+ value:
+ claimName: RELEASE-NAME-0
+- it: should set claim from custom static volumeName
+ set:
+ persistence.enabled: true
+ persistence.volumeName: "PREDEFINED-VOLUME"
+ persistence.storageClass: "PREDEFINED-STORAGECLASS"
+ persistence.size: "PREDIFINED-SAMEAS-PVSIZE"
+ template: deployment.yaml
+ asserts:
+ - contains:
+ path: spec.template.spec.containers[0].env
+ content:
+ name: DEFAULT_PERSISTENCE_ENABLED
+ value: "persistence-enabled"
+ - equal:
+ path: spec.template.spec.volumes[0].persistentVolumeClaim
+ value:
+ claimName: PREDEFINED-VOLUME
+- it: should set private registry
+ template: deployment.yaml
+ set:
+ global.cattle.systemDefaultRegistry: "my.registry.local:3000"
+ asserts:
+ - matchRegex:
+ path: spec.template.spec.containers[0].image
+ pattern: ^my.registry.local:3000/rancher/backup-restore-operator:.*$
+- it: should set nodeselector
+ template: deployment.yaml
+ asserts:
+ - equal:
+ path: spec.template.spec.nodeSelector
+ value:
+ kubernetes.io/os: linux
+- it: should not set default affinity
+ template: deployment.yaml
+ asserts:
+ - isNull:
+ path: spec.template.spec.affinity
+- it: should set custom affinity
+ template: deployment.yaml
+ set:
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: disktype
+ operator: In
+ values:
+ - ssd
+ asserts:
+ - equal:
+ path: spec.template.spec.affinity
+ value:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: disktype
+ operator: In
+ values:
+ - ssd
+- it: should set tolerations
+ template: deployment.yaml
+ asserts:
+ - equal:
+ path: spec.template.spec.tolerations[0]
+ value:
+ key: "cattle.io/os"
+ value: "linux"
+ effect: "NoSchedule"
+ operator: "Equal"
+- it: should set custom tolerations
+ template: deployment.yaml
+ set:
+ tolerations:
+ - key: "example-key"
+ operator: "Exists"
+ effect: "NoSchedule"
+ asserts:
+ - equal:
+ path: spec.template.spec.tolerations[0]
+ value:
+ key: "cattle.io/os"
+ value: "linux"
+ effect: "NoSchedule"
+ operator: "Equal"
+ - equal:
+ path: spec.template.spec.tolerations[1]
+ value:
+ key: "example-key"
+ operator: "Exists"
+ effect: "NoSchedule"
+- it: should not set default imagePullSecrets
+ template: deployment.yaml
+ asserts:
+ - isNull:
+ path: spec.template.spec.imagePullSecrets
+- it: should set imagePullSecrets
+ set:
+ imagePullSecrets:
+ - name: "pull-secret"
+ template: deployment.yaml
+ asserts:
+ - equal:
+ path: spec.template.spec.imagePullSecrets[0].name
+ value: "pull-secret"
diff --git a/charts/rancher-backup/102.0.2+up3.1.2/tests/pvc_test.yaml b/charts/rancher-backup/102.0.2+up3.1.2/tests/pvc_test.yaml
new file mode 100644
index 000000000..3a1c40698
--- /dev/null
+++ b/charts/rancher-backup/102.0.2+up3.1.2/tests/pvc_test.yaml
@@ -0,0 +1,102 @@
+suite: Test PVC
+templates:
+- pvc.yaml
+- _helpers.tpl
+tests:
+- it: should set name
+ template: pvc.yaml
+ set:
+ persistence:
+ enabled: true
+ asserts:
+ - equal:
+ path: metadata.name
+ value: "RELEASE-NAME-0"
+- it: should set namespace
+ template: pvc.yaml
+ set:
+ persistence:
+ enabled: true
+ asserts:
+ - equal:
+ path: metadata.namespace
+ value: "NAMESPACE"
+- it: should set accessModes
+ template: pvc.yaml
+ set:
+ persistence:
+ enabled: true
+ asserts:
+ - equal:
+ path: spec.accessModes[0]
+ value: "ReadWriteOnce"
+- it: should set size
+ template: pvc.yaml
+ set:
+ persistence:
+ enabled: true
+ asserts:
+ - equal:
+ path: spec.resources.requests.storage
+ value: "2Gi"
+- it: should set size
+ template: pvc.yaml
+ set:
+ persistence:
+ enabled: true
+ size: "10Gi"
+ asserts:
+ - equal:
+ path: spec.resources.requests.storage
+ value: "10Gi"
+- it: should not set volumeName
+ template: pvc.yaml
+ set:
+ persistence:
+ enabled: true
+ asserts:
+ - isNull:
+ path: spec.volumeName
+- it: should set default storageClass
+ template: pvc.yaml
+ set:
+ persistence:
+ enabled: true
+ asserts:
+ - equal:
+ path: spec.storageClassName
+ value: ""
+- it: should set custom storageClass
+ template: pvc.yaml
+ set:
+ persistence:
+ enabled: true
+ storageClass: "storage-class"
+ asserts:
+ - equal:
+ path: spec.storageClassName
+ value: "storage-class"
+- it: should set custom volumeName
+ template: pvc.yaml
+ set:
+ persistence:
+ enabled: true
+ volumeName: "volume-name"
+ asserts:
+ - equal:
+ path: spec.volumeName
+ value: "volume-name"
+- it: should set claim from custom static volumeName
+ set:
+ persistence.enabled: true
+ persistence.volumeName: "PREDEFINED-VOLUME"
+ persistence.storageClass: "PREDEFINED-STORAGECLASS"
+ persistence.size: "PREDEFINED-SAMEAS-PVSIZE"
+ template: pvc.yaml
+ asserts:
+ - equal:
+ path: spec.resources.requests.storage
+ value: "PREDEFINED-SAMEAS-PVSIZE"
+ - equal:
+ path: spec.storageClassName
+ value: "PREDEFINED-STORAGECLASS"
diff --git a/charts/rancher-backup/102.0.2+up3.1.2/tests/s3-secret_test.yaml b/charts/rancher-backup/102.0.2+up3.1.2/tests/s3-secret_test.yaml
new file mode 100644
index 000000000..af130dd29
--- /dev/null
+++ b/charts/rancher-backup/102.0.2+up3.1.2/tests/s3-secret_test.yaml
@@ -0,0 +1,141 @@
+suite: Test S3 Secret
+templates:
+- s3-secret.yaml
+- _helpers.tpl
+tests:
+- it: should set name
+ template: s3-secret.yaml
+ set:
+ s3:
+ enabled: true
+ bucketName: "yourbucket"
+ endpoint: "https://s3.amazonaws.com"
+ asserts:
+ - equal:
+ path: metadata.name
+ value: "rancher-backup-s3"
+- it: should set namespace
+ template: s3-secret.yaml
+ set:
+ s3:
+ enabled: true
+ bucketName: "yourbucket"
+ endpoint: "https://s3.amazonaws.com"
+ asserts:
+ - equal:
+ path: metadata.namespace
+ value: "NAMESPACE"
+- it: should not set credentialSecretName
+ template: s3-secret.yaml
+ set:
+ s3:
+ enabled: true
+ bucketName: "yourbucket"
+ endpoint: "https://s3.amazonaws.com"
+ asserts:
+ - isNull:
+ path: stringData.credentialSecretName
+- it: should set credentialSecretName
+ template: s3-secret.yaml
+ set:
+ s3:
+ enabled: true
+ bucketName: "yourbucket"
+ endpoint: "https://s3.amazonaws.com"
+ credentialSecretName: "credential-secret-name"
+ credentialSecretNamespace: "credential-secret-namespace"
+ asserts:
+ - equal:
+ path: stringData.credentialSecretName
+ value: "credential-secret-name"
+ - equal:
+ path: stringData.credentialSecretNamespace
+ value: "credential-secret-namespace"
+- it: should not set folder
+ template: s3-secret.yaml
+ set:
+ s3:
+ enabled: true
+ bucketName: "yourbucket"
+ endpoint: "https://s3.amazonaws.com"
+ asserts:
+ - isNull:
+ path: stringData.folder
+- it: should set folder
+ template: s3-secret.yaml
+ set:
+ s3:
+ enabled: true
+ bucketName: "yourbucket"
+ endpoint: "https://s3.amazonaws.com"
+ folder: "myfolder"
+ asserts:
+ - equal:
+ path: stringData.folder
+ value: "myfolder"
+- it: should not set region
+ template: s3-secret.yaml
+ set:
+ s3:
+ enabled: true
+ bucketName: "yourbucket"
+ endpoint: "https://s3.amazonaws.com"
+ asserts:
+ - isNull:
+ path: stringData.region
+- it: should set region
+ template: s3-secret.yaml
+ set:
+ s3:
+ enabled: true
+ bucketName: "yourbucket"
+ endpoint: "https://s3.amazonaws.com"
+ region: "us-west-1"
+ asserts:
+ - equal:
+ path: stringData.region
+ value: "us-west-1"
+- it: should not set endpointCA
+ template: s3-secret.yaml
+ set:
+ s3:
+ enabled: true
+ bucketName: "yourbucket"
+ endpoint: "https://s3.amazonaws.com"
+ asserts:
+ - isNull:
+ path: stringData.endpointCA
+- it: should set endpointCA
+ template: s3-secret.yaml
+ set:
+ s3:
+ enabled: true
+ bucketName: "yourbucket"
+ endpoint: "https://s3.amazonaws.com"
+ endpointCA: "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"
+ asserts:
+ - equal:
+ path: stringData.endpointCA
+ value: "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"
+- it: should not set insecureTLSSkipVerify
+ template: s3-secret.yaml
+ set:
+ s3:
+ enabled: true
+ bucketName: "yourbucket"
+ endpoint: "https://s3.amazonaws.com"
+ asserts:
+ - isNull:
+ path: stringData.insecureTLSSkipVerify
+- it: should set insecureTLSSkipVerify
+ template: s3-secret.yaml
+ set:
+ s3:
+ enabled: true
+ bucketName: "yourbucket"
+ endpoint: "https://s3.amazonaws.com"
+ insecureTLSSkipVerify: "true"
+ asserts:
+ - equal:
+ path: stringData.insecureTLSSkipVerify
+ value: "true"
diff --git a/charts/rancher-backup/102.0.2+up3.1.2/values.yaml b/charts/rancher-backup/102.0.2+up3.1.2/values.yaml
new file mode 100644
index 000000000..bca6ec692
--- /dev/null
+++ b/charts/rancher-backup/102.0.2+up3.1.2/values.yaml
@@ -0,0 +1,81 @@
+image:
+ repository: rancher/backup-restore-operator
+ tag: v3.1.2
+
+## Default s3 bucket for storing all backup files created by the backup-restore-operator
+s3:
+ enabled: false
+ ## credentialSecretName if set, should be the name of the Secret containing AWS credentials.
+ ## To use IAM Role, don't set this field
+ credentialSecretName: ""
+ credentialSecretNamespace: ""
+ region: ""
+ bucketName: ""
+ folder: ""
+ endpoint: ""
+ endpointCA: ""
+ insecureTLSSkipVerify: false
+
+## ref: http://kubernetes.io/docs/user-guide/persistent-volumes/
+## If persistence is enabled, operator will create a PVC with mountPath /var/lib/backups
+persistence:
+ enabled: false
+
+ ## If defined, storageClassName:
+ ## If set to "-", storageClassName: "", which disables dynamic provisioning
+ ## If undefined (the default) or set to null, no storageClassName spec is
+ ## set, choosing the default provisioner. (gp2 on AWS, standard on
+ ## GKE, AWS & OpenStack).
+ ## Refer https://kubernetes.io/docs/concepts/storage/persistent-volumes/#class-1
+ ##
+ storageClass: "-"
+
+ ## If you want to disable dynamic provisioning by setting storageClass to "-" above,
+ ## and want to target a particular PV, provide name of the target volume
+ volumeName: ""
+
+ ## Only certain StorageClasses allow resizing PVs; Refer https://kubernetes.io/blog/2018/07/12/resizing-persistent-volumes-using-kubernetes/
+ size: 2Gi
+
+# Add log level flags to backup-restore
+debug: false
+trace: false
+
+# http[s] proxy server passed to backup client
+# proxy: http://@::
+
+# comma separated list of domains or ip addresses that will not use the proxy
+noProxy: 127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,.svc,.cluster.local
+
+global:
+ cattle:
+ systemDefaultRegistry: ""
+ psp:
+ enabled: false # PSP enablement should default to false
+ kubectl:
+ repository: rancher/kubectl
+ tag: v1.21.9
+
+## Node labels for pod assignment
+## Ref: https://kubernetes.io/docs/user-guide/node-selection/
+##
+nodeSelector: {}
+
+## List of node taints to tolerate (requires Kubernetes >= 1.6)
+tolerations: []
+
+affinity: {}
+
+serviceAccount:
+ annotations: {}
+
+priorityClassName: ""
+
+# Override imagePullPolicy for image
+# options: Always, Never, IfNotPresent
+# Defaults to Always
+imagePullPolicy: "Always"
+
+## Optional array of imagePullSecrets containing private registry credentials
+## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+imagePullSecrets: []
diff --git a/index.yaml b/index.yaml
index 4fdaaf8ac..ab2cc2e01 100755
--- a/index.yaml
+++ b/index.yaml
@@ -6291,6 +6291,36 @@ entries:
 urls:
 - assets/rancher-backup/rancher-backup-103.0.0+up4.0.0-rc1.tgz
 version: 103.0.0+up4.0.0-rc1
+ - annotations:
+ catalog.cattle.io/auto-install: rancher-backup-crd=match
+ catalog.cattle.io/certified: rancher
+ catalog.cattle.io/display-name: Rancher Backups
+ catalog.cattle.io/kube-version: '>= 1.16.0-0 < 1.27.0-0'
+ catalog.cattle.io/namespace: cattle-resources-system
+ catalog.cattle.io/os: linux
+ catalog.cattle.io/permits-os: linux,windows
+ catalog.cattle.io/provides-gvr: resources.cattle.io.resourceset/v1
+ catalog.cattle.io/rancher-version: '>= 2.7.0-0 < 2.8.0-0'
+ catalog.cattle.io/release-name: rancher-backup
+ catalog.cattle.io/scope: management
+ catalog.cattle.io/type: cluster-tool
+ catalog.cattle.io/ui-component: rancher-backup
+ catalog.cattle.io/upstream-version: 2.1.1
+ apiVersion: v2
+ appVersion: 3.1.2
+ created: "2023-09-21T15:12:49.186695-07:00"
+ description: Provides ability to back up and restore the Rancher application running
+ on any Kubernetes cluster
+ digest: dd5677099487da68a54a48dbb52f8e9601cfeee244b54ce4e508572f4c7ee063
+ icon: https://charts.rancher.io/assets/logos/backup-restore.svg
+ keywords:
+ - applications
+ - infrastructure
+ kubeVersion: '>= 1.16.0-0'
+ name: rancher-backup
+ urls:
+ - assets/rancher-backup/rancher-backup-102.0.2+up3.1.2.tgz
+ version: 102.0.2+up3.1.2
 - annotations:
 catalog.cattle.io/auto-install: rancher-backup-crd=match
 catalog.cattle.io/certified: rancher
@@ -6804,6 +6834,21 @@ entries:
 urls:
 - assets/rancher-backup-crd/rancher-backup-crd-103.0.0+up4.0.0-rc1.tgz
 version: 103.0.0+up4.0.0-rc1
+ - annotations:
+ catalog.cattle.io/certified: rancher
+ catalog.cattle.io/hidden: "true"
+ catalog.cattle.io/namespace: cattle-resources-system
+ catalog.cattle.io/release-name: rancher-backup-crd
+ apiVersion: v2
+ appVersion: 3.1.2
+ created: "2023-09-21T15:13:15.47785-07:00"
+ description: Installs the CRDs for rancher-backup.
+ digest: 1a039ce1712965f3ac1e81e61d14fd4a437ccfe08ae1867f5acdff0572b56549
+ name: rancher-backup-crd
+ type: application
+ urls:
+ - assets/rancher-backup-crd/rancher-backup-crd-102.0.2+up3.1.2.tgz
+ version: 102.0.2+up3.1.2
 - annotations:
 catalog.cattle.io/certified: rancher
 catalog.cattle.io/hidden: "true"
diff --git a/release.yaml b/release.yaml
index 61a31d562..baeda678f 100644
--- a/release.yaml
+++ b/release.yaml
@@ -1,4 +1,6 @@
 rancher-backup:
 - 103.0.0+up4.0.0-rc1
+ - 102.0.2+up3.1.2
 rancher-backup-crd:
 - 103.0.0+up4.0.0-rc1
+ - 102.0.2+up3.1.2
From e122641c16debfa293f88c5a99adecbea4932c06 Mon Sep 17 00:00:00 2001
From: Steven Crespo
Date: Fri, 27 Oct 2023 14:29:02 -0700
Subject: [PATCH 07/24] Update rancher-backup to v4.0.0-rc2

---
 packages/rancher-backup/rancher-backup-crd/package.yaml | 2 +-
 packages/rancher-backup/rancher-backup/package.yaml | 2 +-
 release.yaml | 4 ++--
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/packages/rancher-backup/rancher-backup-crd/package.yaml b/packages/rancher-backup/rancher-backup-crd/package.yaml
index b760251ad..18d0ea383 100644
--- a/packages/rancher-backup/rancher-backup-crd/package.yaml
+++ b/packages/rancher-backup/rancher-backup-crd/package.yaml
@@ -1,2 +1,2 @@
-url: https://github.com/rancher/backup-restore-operator/releases/download/v4.0.0-rc1/rancher-backup-crd-4.0.0-rc1.tgz
+url: https://github.com/rancher/backup-restore-operator/releases/download/v4.0.0-rc2/rancher-backup-crd-4.0.0-rc2.tgz
 version: 103.0.0
diff --git a/packages/rancher-backup/rancher-backup/package.yaml b/packages/rancher-backup/rancher-backup/package.yaml
index 262317d01..af5a26e8b 100644
--- a/packages/rancher-backup/rancher-backup/package.yaml
+++ b/packages/rancher-backup/rancher-backup/package.yaml
@@ -1,2 +1,2 @@
-url: https://github.com/rancher/backup-restore-operator/releases/download/v4.0.0-rc1/rancher-backup-4.0.0-rc1.tgz
+url: https://github.com/rancher/backup-restore-operator/releases/download/v4.0.0-rc2/rancher-backup-4.0.0-rc2.tgz
 version: 103.0.0
diff --git a/release.yaml b/release.yaml
index baeda678f..3c42426f9 100644
--- a/release.yaml
+++ b/release.yaml
@@ -1,6 +1,6 @@
 rancher-backup:
- - 103.0.0+up4.0.0-rc1
 - 102.0.2+up3.1.2
+ - 103.0.0+up4.0.0-rc2
 rancher-backup-crd:
- - 103.0.0+up4.0.0-rc1
 - 102.0.2+up3.1.2
+ - 103.0.0+up4.0.0-rc2
From b4355054f34b4fb991c4e4639b13b652fd926abe Mon Sep 17 00:00:00 2001
From: Steven Crespo Date: Fri, 27 Oct 2023 14:46:31 -0700 Subject: [PATCH 08/24] Make charts --- ...rancher-backup-crd-103.0.0+up4.0.0-rc2.tgz | Bin 0 -> 1778 bytes .../rancher-backup-103.0.0+up4.0.0-rc2.tgz | Bin 0 -> 11560 bytes .../103.0.0+up4.0.0-rc2/Chart.yaml | 11 + .../103.0.0+up4.0.0-rc2/README.md | 3 + .../103.0.0+up4.0.0-rc2/templates/backup.yaml | 141 ++++++++++++ .../templates/resourceset.yaml | 118 ++++++++++ .../templates/restore.yaml | 122 ++++++++++ .../103.0.0+up4.0.0-rc2/Chart.yaml | 26 +++ .../103.0.0+up4.0.0-rc2/README.md | 79 +++++++ .../103.0.0+up4.0.0-rc2/app-readme.md | 33 +++ .../default-resourceset-contents/aks.yaml | 25 ++ .../default-resourceset-contents/eks.yaml | 17 ++ .../elemental.yaml | 49 ++++ .../default-resourceset-contents/fleet.yaml | 53 +++++ .../default-resourceset-contents/gke.yaml | 17 ++ .../provisioningv2.yaml | 23 ++ .../rancher-operator.yaml | 28 +++ .../default-resourceset-contents/rancher.yaml | 65 ++++++ .../templates/_helpers.tpl | 87 +++++++ .../templates/clusterrolebinding.yaml | 14 ++ .../templates/deployment.yaml | 79 +++++++ .../templates/hardened.yaml | 124 ++++++++++ .../103.0.0+up4.0.0-rc2/templates/psp.yaml | 31 +++ .../103.0.0+up4.0.0-rc2/templates/pvc.yaml | 27 +++ .../templates/rancher-resourceset.yaml | 13 ++ .../templates/s3-secret.yaml | 31 +++ .../templates/serviceaccount.yaml | 11 + .../templates/validate-install-crd.yaml | 16 ++ .../templates/validate-psp-install.yaml | 7 + .../tests/deployment_test.yaml | 216 ++++++++++++++++++ .../103.0.0+up4.0.0-rc2/tests/pvc_test.yaml | 102 +++++++++ .../tests/s3-secret_test.yaml | 141 ++++++++++++ .../103.0.0+up4.0.0-rc2/values.yaml | 81 +++++++ 33 files changed, 1790 insertions(+) create mode 100644 assets/rancher-backup-crd/rancher-backup-crd-103.0.0+up4.0.0-rc2.tgz create mode 100644 assets/rancher-backup/rancher-backup-103.0.0+up4.0.0-rc2.tgz create mode 100644 charts/rancher-backup-crd/103.0.0+up4.0.0-rc2/Chart.yaml create mode 100644 
charts/rancher-backup-crd/103.0.0+up4.0.0-rc2/README.md create mode 100644 charts/rancher-backup-crd/103.0.0+up4.0.0-rc2/templates/backup.yaml create mode 100644 charts/rancher-backup-crd/103.0.0+up4.0.0-rc2/templates/resourceset.yaml create mode 100644 charts/rancher-backup-crd/103.0.0+up4.0.0-rc2/templates/restore.yaml create mode 100644 charts/rancher-backup/103.0.0+up4.0.0-rc2/Chart.yaml create mode 100644 charts/rancher-backup/103.0.0+up4.0.0-rc2/README.md create mode 100644 charts/rancher-backup/103.0.0+up4.0.0-rc2/app-readme.md create mode 100644 charts/rancher-backup/103.0.0+up4.0.0-rc2/files/default-resourceset-contents/aks.yaml create mode 100644 charts/rancher-backup/103.0.0+up4.0.0-rc2/files/default-resourceset-contents/eks.yaml create mode 100644 charts/rancher-backup/103.0.0+up4.0.0-rc2/files/default-resourceset-contents/elemental.yaml create mode 100644 charts/rancher-backup/103.0.0+up4.0.0-rc2/files/default-resourceset-contents/fleet.yaml create mode 100644 charts/rancher-backup/103.0.0+up4.0.0-rc2/files/default-resourceset-contents/gke.yaml create mode 100644 charts/rancher-backup/103.0.0+up4.0.0-rc2/files/default-resourceset-contents/provisioningv2.yaml create mode 100644 charts/rancher-backup/103.0.0+up4.0.0-rc2/files/default-resourceset-contents/rancher-operator.yaml create mode 100644 charts/rancher-backup/103.0.0+up4.0.0-rc2/files/default-resourceset-contents/rancher.yaml create mode 100644 charts/rancher-backup/103.0.0+up4.0.0-rc2/templates/_helpers.tpl create mode 100644 charts/rancher-backup/103.0.0+up4.0.0-rc2/templates/clusterrolebinding.yaml create mode 100644 charts/rancher-backup/103.0.0+up4.0.0-rc2/templates/deployment.yaml create mode 100644 charts/rancher-backup/103.0.0+up4.0.0-rc2/templates/hardened.yaml create mode 100644 charts/rancher-backup/103.0.0+up4.0.0-rc2/templates/psp.yaml create mode 100644 charts/rancher-backup/103.0.0+up4.0.0-rc2/templates/pvc.yaml create mode 100644 
charts/rancher-backup/103.0.0+up4.0.0-rc2/templates/rancher-resourceset.yaml create mode 100644 charts/rancher-backup/103.0.0+up4.0.0-rc2/templates/s3-secret.yaml create mode 100644 charts/rancher-backup/103.0.0+up4.0.0-rc2/templates/serviceaccount.yaml create mode 100644 charts/rancher-backup/103.0.0+up4.0.0-rc2/templates/validate-install-crd.yaml create mode 100644 charts/rancher-backup/103.0.0+up4.0.0-rc2/templates/validate-psp-install.yaml create mode 100644 charts/rancher-backup/103.0.0+up4.0.0-rc2/tests/deployment_test.yaml create mode 100644 charts/rancher-backup/103.0.0+up4.0.0-rc2/tests/pvc_test.yaml create mode 100644 charts/rancher-backup/103.0.0+up4.0.0-rc2/tests/s3-secret_test.yaml create mode 100644 charts/rancher-backup/103.0.0+up4.0.0-rc2/values.yaml 
diff --git a/assets/rancher-backup-crd/rancher-backup-crd-103.0.0+up4.0.0-rc2.tgz b/assets/rancher-backup-crd/rancher-backup-crd-103.0.0+up4.0.0-rc2.tgz new file mode 100644 index 0000000000000000000000000000000000000000..9cab6f689cfabaa9fb1deaee3a402736fae8b3db GIT binary patch literal 1778 zcmVDc zVQyr3R8em|NM&qo0PI`cZ`(K$&$IsuBKOeyfK@rp$H72x%{l3zxZa_#vwc}CP?{Rc zY$#GoQbCNx{_hKlvMtNhhaK6Q0Gd7&p{U;shclevXe==&3y}R8CXY$nCo*_HUSO%c zC63rxJLLPme|>qG{_p#K@qhp7a(Fhlyc*p27dOM<@XQ}vUJr+7$Zv^%B_&E@dFH>E zS8;J~gfQnqV@(BDqaH#8Ys^IG5v(->kBavMq^5HU!3brx;+(diK>&P&&b3V7+&P8g z2vm#-jF27dOHd+_1XN!wm4?Xqngj+|LEpT-mLX@aJsi_-AQcsSgq|*XIF8qUUV6Ug z_a(XL1)zweu}+6SbEPq33h4!)@#IdSxsU~DuUE=YFJl-X9LJ23RCT?l6~lo)G%Wv- z#2eOs_7+!?!~ZozF~b_v`%DurJqoJ*f8Y=O>w^E^_?`cshVssXV+zk2xcN(YkN;H0 z{hkKBN6Lc{8YfDNXp*_?9n2}Gsqsgkaey^8=ZEzfYd6YU`}fA3dnyKEW`dd$8` z$~DNbU`fO?rhW873H}x9#Rz#yW1T2ZX(4e4Uqt5fC?&h#!k|4Ml$Ml-rFd4-hh+>~ zP`QCdFmuYlytyrpabMlfX{{D52D09-Dd_(fAt#$>jR03x;SmX`ZXRd^O5-Trg1rs5 zR~ujrrE4XE+g(#X|LdF5U9JekvQ2aqR>;TeMwGLd@c@s5f%RIrXcWX;(Q8c&cGC{d8c z+*#g2+YwR&x2jFJ-jy+;oJL7BLW2@ia~Oo_fsrR;8$rVA7Cn}NujksN0!Si_oLlEr zp5Pfru?rcYy9`@MHA3$`Ml|3wTsZ))4fMtM)G!`*S4N{Gek9_oZ^RGo67f!-m z$!nm?JtIXQx<+e3>wyi;67pDPzI!l2)e2e>kq{Vb#H`B2Ps7({-X~xVJctE#`QGt( zjc-rEZ7x^<@)VpXSLWP+hcDCVBQ^IKI$xGEwumz!7+_v9OG4=M)wYGV6U6KX5M6Sp zI37y)HK7uMZTb4enA2+jW^;w6v3Qe(?R|_@sA7|-?4nW)k@I}2JG~fI`axo@=qjBm z+s#IMS-X>l-%qhg$d1n|OWlskL;_ajF3=7Sm-V&HLp!atJr0#F+{h`glz3Tqwz{aa z>1W17ryR#>A@qYo>xUzAcwQslI%3)3$YQ2IK0)vw;2=v9sLE9Ih1pkCVwXe_mX1Jk zD5TSpb_T6Ja@g4t^CQV@T`5?Jm$@4H?f2JRVtdt8S^rzB9A5N2pr-zReSKA^|6TZl z%j>TGcM3X6{V!)XZ59EGC8$*;Fwf4O7VC0g?ooYBu)S&!5nM~b7|03CK>{bmq|TWI zR%L*>jdFzS+OS_4^4(#%4b;+G=gXiaq~Bhgc~({I+!V3emZ>ynssMH8N}DSW1Co}0 zUa#T6Ghs;p|D`-|?nUWcr%|F>lcqKl-Ia^3C0`vW=5jfK5T4`qmGt=bw3CW_EPXIM z16E?)4e{%)$`RINasM1kP|AG^w^XqMP1sm^go@HkqvdRPdvL7dm0If;;}xZP%YUw{x5@Sjk$bGKR8Q6AgjJGo ztkY)A;Ef%@@&u77&*M$0=a6ixti-&@k7|>%U5Nf}y7so}9Ci19EhN0O0jTEwf8!6Y ziv2$qSKa;pBy_C%zpdQSWjaCfz0pFW|(*FZxq 
zB-~5syo^g)oka|F?y(C>*MMtld9QB{c{q5cV?!72zi$~q>KL-~##ovDp zuDjoVorL~^Ce{M7f&&^)?s~o3^(a|jsgYh_ZBoa=uO<@(0h%q*_iZcs?sX?eM;&$4 U(QBta0ssL2|Dt)=)Br*N00`V@8UO$Q literal 0 HcmV?d00001 
diff --git a/assets/rancher-backup/rancher-backup-103.0.0+up4.0.0-rc2.tgz b/assets/rancher-backup/rancher-backup-103.0.0+up4.0.0-rc2.tgz new file mode 100644 index 0000000000000000000000000000000000000000..4306edab2b8a193454fbcd02a5d3d7aaad389125 GIT binary patch literal 11560 zcmV+@E!WZ?iwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0PMYKbKAIklWlE|o!dzu z5|S8E1Vezb<+!Wn`~1uKB~M}DPHM3oC4I-Ju8u_l2L}f@E5HK>TG|LXN*`)t*WRp+ zphF8YI5Ge6bVXHFb!Tgf|EsEM{NIvVRR2-j+Ai*@rQLG5_z$(XrEZu00n{hNA+xxI zLgydqqx*^v?r&0{Wnl`bfh|(W0iZz&O*|}UkWv#B47>?liWS2m6q;rQM3;-AIr={* zkZPmUrW$gnF))zsw@a<28^ku@OtIhuRX|JB1be&(lG-Lqs7nLeV6(8738A8kT#T`qoCy#Gpj+ zYi-;ZmX2@Iv9}#OHFQLj;nb-Bzx$v@!GDJ6=Cqg!#G8l+6-tG-k_e^3yKEXb$V8AJ zN$}{DrZylNwowI4paq9$f-IU^i_Taj&2$MxjzTduQ>(d#qTz{+Eo9N9dUtI?9Rw%A zSWAUsp_qfV(es{6OF3xU{?Dy~T2K{7E9G=VG{>+he|#<}4`AOg4LSo91J*HcZ2&Eu z%>~5{0(6A@bqHoU?5Xx3M&PT3drX(UPji`!pVBbzQkjxux&9WiT$ z7=$8=DpPE_6GS!{fWras-)IOJ#G8~2;7t~|F-%iVEP&v=R|7W&9f1jUEqV^=2y9NF zvuPTAxwJ?w1Ttlw#Y`LyfQ|-+#kyjv0}fHmgoFrM{T_bwhu?zF69#!DpVla!-vBow zLmL6zAgoIQ^qB=Gh6cEK#uTN{^a7e|NesX%wuW@E)L#R(z(q%vYnmIt!imlRv5^K0 zB47crJhc(Vgsr_0w4i6?6aaWNv`fs+s9v_&2%x1yM+eyQ;2a#+H~7;1|G}A!tTu(( z__bWSEi^!mZ-k^ww}veZ*_3QbY||$Fg~o=U6gkKohzzX42pde#47=b4TAUD)psDm^ z%uW!c?9VVbIa2`k@f2+cu*@LyU{dG|5d{#~(4mIrn$Q8~y$v8u=?H(zx?&VLAph|B zN&r8z%o$+*2{bIw4q?KKL({}J%oa567@p@n@_*(Mv~S|!W=So+-Bfosi=|DkrIMtn z;<8Csg7%w?uErgzfYO1H%e??qT?Zx}0uxP<2?iz{63 z`H}p|h;z%x?M#saY&JGM00lJDV21n)QOy?(zcWF=$oa?r{hhU8w&)*~-(AQ2qw>3r z9r_3BLc@~@1O(a8;WFGb2xauw@dO$cVQgX80P4DfI7#UUQXw2HOu1NPGsSz(S@>LF zP%P~-eNs?2-)EgI3pXNiKfWe0EdGnrsobKVui~&=K~Wpb1|qDkQXoVoG51;E;Ipj z95`d-@#_mkPQvDc?HE%=Do3uVur0C7tWikDTp|yQq3a;U#=0WGBWKfgO;h3BE3zZS z>u56sO{-)V_kto_W#y)-2UI$+If!ut)+bbu1Mnw z+35qj2Dn=_l@%S7cjm z{|^R8W6nSmw`KqAv1f=^K)(LXg=RiZnp8B1R0@%aCTKE6P7P0N=pc~)y;vx2DQX@R zYS0$pGXs&raS($l92ivo$>H=7g@vfN3!)R z8-|74B?8oOEsfWwV5bbU5p)RXBMmZRgy0DZ>o;yra{rD1HhR;T7}T3!gMe4kXWehM zSzT_;+DLm{NY1v9t1TJeV<V 
z!Im_G7U3ys2}DQ8oD|4NL|iN2`*&bin(69UgDZ&cvub%faU#1YfRGFngRc4kXZ8-- zc5Jo#@z(F(Q<~g^Z!V@NMua335p>s;{!9RBiQs*qEsU#FB6?Qdl4OjJRY^re#FVos z7Od?;`bhXD67%yTb@JH{d9}!le7z zrrHlFnfAZ5oE&VTzG3NxHGJ@{zykYU-6@x%_J2v;Ek4Kp*HXrYrB^^rOm+*KXirRb zWOvo+L#+T^I>L@|$L-a^_^r@!#oPo@s6z^wf4`!R08&ATfC(22>FrEk3*Q6Fu$XrZ zwipEB_P-*H^4(G~ly*dRFM(5$w)%z>ZxBD;Zd`zLOmgoO^YZNlV>;HrIpIX+I{ zEW^@IAeL;TvDThtEgCW!x?Pyi297e0}LFj*pQ>{m>LZhZiN;wv~YvtitW=rZv7l}wb1NFvZ4 z)J%!NGuBw#Fwv(Uwf0A&1RNUnV?y&Q4j}Mh%Xyp=h-8Eg;l|q*f{hmN*I$*yYYK;n z{=$*}@8A6hlD7$vB)!~x2*H8QkW}JPQNAx1uBCvyqVT8rxLXlw#&_@%&G^$uGw(IB zrj<}#LE_r`YOC|PSv{?{&#Se%|K5)t&XIQ!5iv;91QFy!hx_$LwR_U}+%A9KtJaRY z=bzi1vsU$>{`usrR_z>~HB)iO;;V=+Tu9;-qe03F$G5XIJl}UZ=bz78XCJQ8X|hcF z_G17v&z5K{w?Q8;?sVOpHCyNPR{OBssW)r&&-G??@1(w;#48^Hsz{)DznXBkPnrB9 z;dSUA^QeG){GdlZ)QLdIo+|PPKrRfHBv*E#CM&__dXKlOnb4S2LKOhe*rP@A+>cFU zE;%5d#`aG`5L0962^|`nw=g&vi;M~WNDW`;zm3^U0lNIGjn~-QiVbORZ*w+c5qN#3 zYy3n%kuBd08br1=7Lg&m!IDaaaD_}F{A@G&Z(B0`zY%nFWFh?t&VnxR|8}=Z#rXd3 z_U_iR|F@13_PF}YKM7o}Biw(4ucg=wnnK{JPS>0sGX1R-*Cg+42#qiv=PSU*gnHkx zY=~d3J#?UslGPO*nTR6A=2l<60{BDXY8pa1(l;io;^_sFKOfTg+IQpXlWw=@v*j%!s(6I(5eX$4TnMbTGXf}9E{s;VlVJBTp_ z^(=!pd)eykg}yGUP(ANxA{@eC(`&WE#1r$DYWMa%eXD|M!38p-VBhNTU(q z4jv=xUwL`D@2~uyIYm*T-x7HOFcwOFmW9j9!Z=Om?jR)N=1)WFzdI2f*A(uM;%^ub z#yj~xmlOIAz0|o`G>h|VtbAxr$nrGIffJ*Y^-}ah*vUD z3=dX5=3Rnft@+{)LPo34wG_60{q@L&=WTvHuRp&2f~~D(Hmv4tfUQoxU}ujliHyCy z$IQ-hqL{6x6}Tn5^aQatr^P;^&|7ThSZ_-n5z6v;twoGy+cBnwiH6~Cy+)YOCZadk z8Al%;p4Xxe&JXv42Z3!XgpF&W3i$2RCA1YXh=1eTG$+hJjMU?Gs@9CZcWql7{)eU% zgsC8Z6HlQv42!dgVF@=tlnK18fSv8_@^%h@0TFEVMBp3*^)t(yv4J%V6A42wAW0;| zrhwnX9?WlZ}%D_+>1uH-&$A!~VadndGk-##5p18UR2;2N8dm{E=9W zotYgB|Ip&qdR6N)4e&syh4Yn{}so8K~Y5?^>fn@j$EOSb%%Cn%nvkA?DI z-A>4V^*R2(ma^b9c9!(_jllCXUS3J+$2VZtdqN9p8Y1Kr>w$b~A*f$E21RF<#wEHR z;}GI6vDF$*iy-5o4*KRI5^Rsl{cABKV%(wl_a96LN4|&;p1(rh_(}fA``4nUw9E#< z5%`QM9EWgU>EEKHoL7k+wU2&V&!C3hF9q{?_x5L(O!@D<2<0Mss6JS9{(pNXCjU!C zRo#7-|LZ7`SZT^9SiYcd$(L=Ewi6OxEeb(2r(uga*ff#D(`PXG7=*L^Ui0#xZ$1(d 
zu7G@S0$rXS5?$qGU-@_pPkuEk)A;56FUq{wfIP0pEnD!?hIF(6UVa9Ze}V$HS_=mz z?t?tfPPFO8Btpxdf0WO#*?c3;mU68q^ubFH1fl|TNZ*taAF%%HNe`7w{*Ru}eN-O{ z_`g(Ex8mnNcAoQpt*2z4_{=o<#5v8CY`oONo$E35L{`c(8-8<9j!?(2hWirhgds=D zz~^X2l++AkyheJ`FE)&fHeh}_un{c%oaQVt>S}BVK}BGY zpxyvG{wF3LCGfI;LOG;lCX(qUP3lDPWe20 zoI%32xuf)|{m3!;eWZ>sNF^tiX*jnW8)~9L>Vim3KqsnXHG8~bYQAqqck(L@j`gtodf_P)c1;uph6 z>HKdcl`{FCt0_p4x9zWJ&O^_FFW&##O8Eb!=lox5DK8|u3@LbJA`84SF=l2&e%`^U zJjjO*`Q$;K{rCDcP`T6aLU_aj>{>eWu60ABp%;X?$l_%_J>sw_a{uRL0>+h^hQbsN zZO_C@vaJXkM6+L2&kv>WB%zwd0E{3xMl-LkR}{Co;{gh2nwGUBbrRW6dpuI$pI!1(d zHiA=;E-V2CRL>9nIJ7VJytLNm?Q;SQDdS&)^q%KJ>^C0!lhiU6D(}|Y3|F(zAdMa%ZbeD9~nFS`O3?Z zJT&OY?H4pW*<5fJ#p_U>ZJ8U|J2b^n&=G}(Nea1~!b&dp;>8PafGB7o8-qh@fOB8I zeCb0n;u$14G@dBdV+=uw%=>&otz4VwO9n2|*`c(Tc>0TIXPzmQyj3gO{bou9#mc(C z3Mk@OwYcDkyVmo%o7>f#ZW05n$%v&m(9LA;0GlSh;pQKgohCOwh2bdcvd1=b-~>_R z5HD?G3<)s@Y{k(LG8{kTDQ>H&sk_PrL<@w+q%Q2!K*J6sX4Gu^0T!R4o+w1uI3~EVMau?^7GaqQf3- z;&I>tsJV`VEb1qSC9Z8_hY|*W(e~7^4$lNe!ugSXrtWCmgXY{jRiYad1;C|>K>)O5 z)^=!$47&x;9vgP(N)@JDv7;kLChPQXU;)e;VF0}Wb%LJxu7>PByzFi;7^4~40AIvG zpJO!p!Uy|BY;N-3e8~CyyzzRUBL;u3HgXMGppUo|^qH~{@7UivX^B6)F3Mm}+^6%Z z72Y9emp8a2BQ_M+6F!5l<6t9O9N}4$P-E5oosB(a_Q+p11|4yu$8Yt@o5nTJ;Qn@(1d9rn_DpABstU`8 z3E`U&vSe1>v}F)!$-~STmMn0H-XlFcozXB~i^f^Dc2Ot0BefX(w zo^UiCOx`K9sG)>?O;8Q}qL`b>vw*$zM5byVYPS2#os87%n#();Ye|C1Z;@^L4Z9jkiv7RzF{v#xMB>ba6oATVg(sYvMP+IgS z93dJwc)}_Yzoq9G@s6Z>#!Q8_z6cgBT#l#zhFdFD0*(~&$UxPvr2Mb7MXAwqjk*9gpfkJi6Bn^bZ+1$@lVEe{H%@uS(Dun#bT zmd+LcYr%SVZGMkyh{(QZ<gRic_ZEmnh}37aBs-;=ZU#QL&#hqB9}@4ygviq zT;$9=-ywuS_54s?a<~C(sEv6S-Uej=A?!&}==52Qfnkd4E(n|=0u1U~PM&Y4XC136 zB#9*#ai}d7w}A%SVpyPERzlGl%#&P*S_BZ68C8Ve>KP8oZ16t~E0pxo`>3)2_Qe^& zz`Eby1{uRfi(ioxAH@dfyUfBt4tEeCPk$@jK+gok-c5Y-{8?e#A*hYySOsLylM7v- zB)lRxj}U^khZNWj;xj8zy0OAv67Z-p)BN5PZ-5d11Z%>a18F+x$VQfqEX`nx2+{+NjjhbM9qS51W$s@Mx6a4MJT#9LFL%a8d| zcZnPqVJ>T^znBruxXB>CY?M~^#}Eh9gSL$G5TOD4XWlo+uOcwG1d*R@>DbfS^9F?*K;3HdQL~{^vO}YWzypfCEoj1}q zZ@??;aHa(V2a%D#9bvFX3Bq`4;q?Y*HgOgO-P%Z#g2YA+Q|3&R7?vU~MDqL;Zk70| 
zl*^_snSS&a?+WKH+)@4li~&;xBS-{UYzIvZ>=JY4SEP=Mz7%r*^I!kXD3bdFym`~a z6jk25$^8KiBb&qWR;3Ld`}IJ{NVm8a7ZLyo!J5J2032CXmwCy7TuIK7VSxdhGLjAe z1Wc-$NCpc8_{zL77yP-5Auld-_6Rv+7Es94N=}oUdyW;qE}8lKQv(7BzJz_pFW?oL zGM*G2OrYiRu%KolXfeaWAM0zjqztJ%Oyup;zZV;A-XSCaLEpiQ%L!#lE)=2m@a5{1 z(|F)IJjBXj2w~3yG5(drH`p12S6`w|<(G}v5Hg78I`>)K2&$&0k-t!(dd;*C%whYwn; zqLhUu>} zu=N=620b8~ue}SKrGw$0=*XOpf#)vB&ExO{`9c3+=KU%1cXs@%LW7u>g>FFlC`F)) zhXW%O+VaYGQuvXPikSbu#K(_tOjbMxw($IKF_!sgkR>v-x&DW z9O7REr)Hg0I9`h2Zr>qJ;4$}1ToSp^6?y`@?4Ex>m-5!W2lt!`KbB_n;WSV5{<9h3 ze`#4={-dXs|LX46ZbJT-pX0x4DKVx;KU6xWOChv`ohC$Q-JjuzT>LCrOrc0aV^WrV=u z{-40id(w#zn?(HH*^nYCrywc99*h!?qrmb#Lfep(N%Xkd@=vMceb$n}YCiQtOF>Y7 zU?N17`%mKE$F482qVGQ?78w8DI+RKYco&-1Z*2$hNQO`KF`8uzQqbDJOD?$JKYwU> z59O(D@G(yvS6mhF;L&HSZXQZ|d7rw@|0V-{BKg0%{^tm+_bjwpgv{Df;CN_4cLh%?`tMPHb$$X1BxT-S5wM|R|#tpOX z2$>Ukok;*k@JOaK$dCsq65-Lx`mt1%q9Ccl(ybHj#!aBTDi%LTX{`%^WvsF|tK5GY z8uTmfKV|33Fld&gB(V7ro_CBJUfzqY<{3zF2AUS3X^%3kBe{f+*&BaAeb>@W6v-kP z>m`oIj|)dH!G=#fYgs5tY4JGxlKuZ|J@#B4R#vzFhGVpb_-{#lw*S^qo?hCs^)W}X zM_#Wf!aN+KpR~8fdj2_~pJ>mS^S?U(hd*SSmX;9(i}wGwwqy7Il(u%ap5wo3DNoP; z;q?(V`kXORCQut0mdA`4Z)1a=0h7niw z%~R*sBam%EOUxTT=JxX5dlCDoJH`|_GMRYr*q^AE_n$`4nIbj}LG)y_S&<%rcU9bj zywP+y8D21oiHBKcu`+qOpxZB0R+s-?3s1Q$)&L9TfBgRc(st?j{MUL)Tm*SvGOgJ{ zi!Z8-4X1cDf5YhsH?=bRcxa^Thnjgw!mY)wUD)jt7!rxKxMUD=PPlrBS^n7!x#sd< z`M*L8V1fMKDsRXA|8jZvIse;Q%9HK?$hhJCCtJDyq$&5GT!I|-&z#^P|NiqSw~T_` zIp~)$EY`gxG*@5rF{Xq%(DqH^PktsgVk=OGHbu_;r_c{YgW3o!DF#>D7Fs~Lr8Hma z03Nw>lzFCj?K?(~p->84*1P58k0IGixtAwt_!psy9MsV1D=w?=tZjoToz7uNa{tM8 z@K>Z!j+jVsC?Kv%{p6T}EI@O|Vmk(Q3_8BMa_7iCq9Amc@5c^q_`rfN$*p@gwp6Qt#0Nj=)#)^Pfr@s z!dzYbJjKs8w|=>j$p20#v;RGx{WE*;*c$-n+yBLKsTjZiZ+A<5zW-w_g}4Sq70^M1 zf_;D5bN)R5m7EevEy7nqP65%&A#)1wZVS&T;PVKXHgZUT+GdW5OOO>{(2DmRE0mZpXjkyOq&dvn4UX`AdCJ0s;@Gj zC@LwF(07Nx#6uHJkr^Hpe^cSt%B(U1i5ppQ5YQPC*+RyQDj=^Y9ElXPMb6SRwE3H# zjW$Ojm3Q&&3?OT2IN0Lp45rXAc)GMG7vo#DjJ!k!#nNs;EvSWJrCcn%U1>o*a9qfm z#)jovN8&EG_npr9=kwOthpVXBG#Be1i%$C&!l!wbfsBWQy7_jas0M%TmI}ok{-aph 
zD86IA-in_)8wE1eHVWRJtsnkcer<__5)-V8yi*qDbyr()09g23)(YcS+WIBdV>ZEK zxF+cqWN*&k#$+b%waJ%-$=kt22ec0~Qo3;Aqdb7HBQr}OIA~X<14&+f> zAd<UdR=A4hWu#S@x^}|Woqb=HUOTC_+bQjgJFkaBS-*N(ueO!*Ui=jFF2>jgos>R8 z-g%ZyA4cM5$HM2*1R&o+P``8xiq5Rm zpg1w^)csS5jV6EF9H(7x^!UtKwMdo5tO3JdU|T~1=LhiBobkITB>JSD4{+x z_W{F^sI{$!aHlEzm)U0gQ)A0lL^KvBe=3@{dHWP2iUG|U-qS7;jzBmtDSq&)hL;{# z1f}qhBEbHwBdzs?k=D=zJ*_~Q*ZqSRVM%$EG^QU>1w8b?=LHkuCsp0=jv4kvY$iwk*wp=n-a zT}$K>EBTij6e|KLzJo3PTycTL=G~qulNu?Om(p@kN)~myK(? zS-1E4>d|(mTfb?k&5qX9JMGKEyH=yoxEMFfy>6pow}dUTO5TGcJC+_%Ld=>f>Uk z*RoJ|yW8#bKEQFK)9D@U={I)$x@gvWW~0@rxAw00_uyrH>!#Dt&tRR6+T81QMthyEd2}&uT5a~b+uN&st#0X7uY6IuQrqUna=UqUpsJlx%WjvoyY>OO(~C{>tZRO_7~jl#cURk&``5R~+8Z@X zho#eUw{)UzPfo4zaof7SZ0`5Ip%1p%YV7Uw8%Hzkt7-S^_9g6H7n_adw@b6}RX=$5 z^>Wgv!CsS`sJHw5dShQ7H(=MinjYUZ)lQ?=xo(r<_5PK5abaI--O>Jqd41OJZr`4k z>t)!xQakk`Z1?PzR&MSbtBqUOEw**lK0EF8jxRdbJ3WW%N4@Y+Q>)zJom>R9_*7ixU zd)HTsMbzyb_upU7wDG&EcIn#f?ssqcsr5TcROu*b#1k#7e#%$YmJV( zlf!MT(d@LU_VLA6bJDFh=*eC4T5H&+rw6U$s}i|w6-VWEx3$;pHfsI5W>YUUyBC+O z+O@iU*>2R;R`=TK_PX26_uZ|_59X;psh3VWM^>k3&uWvctqaR+T$Gxw)@yv#iw*0t z+q&$2-TQViZr$nXyX%XLw*9Z88tV4;uS(mu-OCWx;r_O5x+ z*?WIcY~HqR>^KkZHR~o@>-ARgsC8XzQTWw}r9<<-vZvVqkS?~5vYF`^pXWTn#-Z4J8DW2ACw_SQyyHd@sz5Qk#9bA+< z2l`>Z)2y}X+ml{zRDxF3XSKJL{|Z<}|$ zS+ho4XN~b4GPPpMYnF$R+v!!=KI$Bdwvq9!4Bxl*yJlm2QF>>#i~5J_al`1( z-rneHuZ_N5-!;dhaj$W7*SxXcYnSFh^YWTr9@sl=)jZQWdtXoAw`SMsErn+DSTBxl z+E!P+wwecLb!~Rt9c}eX_Sx~Besoc6xb5+9TRUhSwt9B=qD#+CO153I4yS0MZney7 zsu#yoy|ZWO^=k`V_Aai9*O&bdd*50UwS1*spS8!@)>Y~HN>?xLw0h&F_jS}eJ7{99 zbA5msd+$5r-t@9@ZE5D|@l~}$kbkp^^OioA= 1.23.0-0 < 1.28.0-0' + catalog.cattle.io/namespace: cattle-resources-system + catalog.cattle.io/os: linux + catalog.cattle.io/permits-os: linux,windows + catalog.cattle.io/provides-gvr: resources.cattle.io.resourceset/v1 + catalog.cattle.io/rancher-version: '>= 2.8.0-0 < 2.9.0-0' + catalog.cattle.io/release-name: rancher-backup + catalog.cattle.io/scope: management + catalog.cattle.io/type: cluster-tool + catalog.cattle.io/ui-component: 
rancher-backup
+ catalog.cattle.io/upstream-version: 2.1.1
+apiVersion: v2
+appVersion: 4.0.0-rc2
+description: Provides ability to back up and restore the Rancher application running
+ on any Kubernetes cluster
+icon: https://charts.rancher.io/assets/logos/backup-restore.svg
+keywords:
+- applications
+- infrastructure
+kubeVersion: '>= 1.23.0-0'
+name: rancher-backup
+version: 103.0.0+up4.0.0-rc2
diff --git a/charts/rancher-backup/103.0.0+up4.0.0-rc2/README.md b/charts/rancher-backup/103.0.0+up4.0.0-rc2/README.md
new file mode 100644
index 000000000..59bff4425
--- /dev/null
+++ b/charts/rancher-backup/103.0.0+up4.0.0-rc2/README.md
@@ -0,0 +1,79 @@ +# Rancher Backup + +This chart provides ability to back up and restore the Rancher application running on any Kubernetes cluster. + +Refer [this](https://github.com/rancher/backup-restore-operator) repository for implementation details. + +----- + +### Get Repo Info +```bash +helm repo add rancher-chart https://charts.rancher.io +helm repo update +``` + +----- + +### Install Chart +```bash +helm install rancher-backup-crd rancher-chart/rancher-backup-crd -n cattle-resources-system --create-namespace +helm install rancher-backup rancher-chart/rancher-backup -n cattle-resources-system +``` + +----- + +### Configuration +The following table lists the configurable parameters of the rancher-backup chart and their default values: + +| Parameter | Description | Default | +|----------|---------------|-------| +| image.repository | Container image repository | rancher/backup-restore-operator | +| image.tag | Container image tag | v0.1.0-rc1 | +| s3.enabled | Configure S3 compatible default storage location. Current version supports S3 and MinIO | false | +| s3.credentialSecretName | Name of the Secret containing S3 credentials. This is an optional field. Skip this field in order to use IAM Role authentication. The Secret must contain following two keys, `accessKey` and `secretKey` | "" | +| s3.credentialSecretNamespace | Namespace of the Secret containing S3 credentials. This can be any namespace. | "" | +| s3.region | Region of the S3 Bucket (Required for S3, not valid for MinIO) | "" | +| s3.bucketName | Name of the Bucket | "" | +| s3.folder | Base folder within the Bucket (optional) | "" | +| s3.endpoint | Endpoint for the S3 storage provider | "" | +| s3.endpointCA | Base64 encoded CA cert for the S3 storage provider (optional) | "" | +| s3.insecureTLSSkipVerify | Skip SSL verification | false | +| persistence.enabled | Configure a Persistent Volume as the default storage location. 
It accepts either a StorageClass name to create a PVC, or directly accepts the PV to use. The Persistent Volume is mounted at `/var/lib/backups` in the operator pod | false | +| persistence.storageClass | StorageClass to use for dynamically provisioning the Persistent Volume, which will be used for storing backups | "" | +| persistence.volumeName | Persistent Volume to use for storing backups | "" | +| persistence.size | Requested size of the Persistent Volume (Applicable when using dynamic provisioning) | "" | +| debug | Set debug flag for backup-restore deployment | false | +| trace | Set trace flag for backup-restore deployment | false | +| nodeSelector | https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector | {} | +| tolerations | https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration | [] | +| affinity | https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity | {} | +| serviceAccount.annotations | Annotations to apply to created service account | {} | +| global.cattle.psp.enabled | Enable or disable PSPs in the chart | false | + +----- + +### PSPs + +We have added a configuration to the chart `values.yaml` which allows you to enable or disable PSPs to align with the PSP deprecation in Kubernetes `v1.25` and above. + +----- + +### CRDs + +Refer [this](https://github.com/rancher/backup-restore-operator#crds) section for information on CRDs that this chart installs. Also refer [this](https://github.com/rancher/backup-restore-operator/tree/master/examples) folder containing sample manifests for the CRDs. + +----- +### Upgrading Chart +```bash +helm upgrade rancher-backup-crd -n cattle-resources-system +helm upgrade rancher-backup -n cattle-resources-system +``` + +----- +### Uninstall Chart + +```bash +helm uninstall rancher-backup -n cattle-resources-system +helm uninstall rancher-backup-crd -n cattle-resources-system +``` + 
diff --git a/charts/rancher-backup/103.0.0+up4.0.0-rc2/app-readme.md b/charts/rancher-backup/103.0.0+up4.0.0-rc2/app-readme.md new file mode 100644 index 000000000..b1406d5ee --- /dev/null +++ b/charts/rancher-backup/103.0.0+up4.0.0-rc2/app-readme.md 
@@ -0,0 +1,33 @@ +# Rancher Backup + +This chart enables ability to capture backups of the Rancher application and restore from these backups. This chart can be used to migrate Rancher from one Kubernetes cluster to a different Kubernetes cluster. + +For more information on how to use the feature, refer to our [docs](https://ranchermanager.docs.rancher.com/pages-for-subheaders/backup-restore-and-disaster-recovery). + +This chart installs the following components: + +- [backup-restore-operator](https://github.com/rancher/backup-restore-operator) + - The operator handles backing up all Kubernetes resources and CRDs that Rancher creates and manages from the local cluster. It gathers these resources by querying the Kubernetes API server, packages all the resources to create a tarball file and saves it in the configured backup storage location. + - The operator can be configured to store backups in S3-compatible object stores such as AWS S3 and MinIO, and in persistent volumes. During deployment, you can create a default storage location, but there is always the option to override the default storage location with each backup, but will be limited to using an S3-compatible object store. + - It preserves the ownerReferences on all resources, hence maintaining dependencies between objects. + - This operator provides encryption support, to encrypt user specified resources before saving them in the backup file. It uses the same encryption configuration that is used to enable [Kubernetes Encryption at Rest](https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/). +- Backup - A backup is a CRD (`Backup`) that defines when to take backups, where to store the backup and what encryption to use (optional). Backups can be taken ad hoc or scheduled to be taken in intervals. +- Restore - A restore is a CRD (`Restore`) that defines which backup to use to restore the Rancher application to. 
+ +## Upgrading to Kubernetes v1.25+ + ​ +Starting in Kubernetes v1.25, [Pod Security Policies](https://kubernetes.io/docs/concepts/security/pod-security-policy/) have been removed from the Kubernetes API. + ​ +As a result, **before upgrading to Kubernetes v1.25** (or on a fresh install in a Kubernetes v1.25+ cluster), users are expected to perform an in-place upgrade of this chart with `global.cattle.psp.enabled` set to `false` if it has been previously set to `true`. +​ +> **Note:** +> In this chart release, any previous field that was associated with any PSP resources have been removed in favor of a single global field: `global.cattle.psp.enabled`. + ​ +> **Note:** +> If you upgrade your cluster to Kubernetes v1.25+ before removing PSPs via a `helm upgrade` (even if you manually clean up resources), **it will leave the Helm release in a broken state within the cluster such that further Helm operations will not work (`helm uninstall`, `helm upgrade`, etc.).** +> +> If your charts get stuck in this state, please consult the Rancher docs on how to clean up your Helm release secrets. +​ +Upon setting `global.cattle.psp.enabled` to false, the chart will remove any PSP resources deployed on its behalf from the cluster. This is the default setting for this chart. +​ +As a replacement for PSPs, [Pod Security Admission](https://kubernetes.io/docs/concepts/security/pod-security-admission/) should be used. Please consult the Rancher docs for more details on how to configure your chart release namespaces to work with the new Pod Security Admission and apply Pod Security Standards. diff --git a/charts/rancher-backup/103.0.0+up4.0.0-rc2/files/default-resourceset-contents/aks.yaml b/charts/rancher-backup/103.0.0+up4.0.0-rc2/files/default-resourceset-contents/aks.yaml new file mode 100644 index 000000000..779742058 --- /dev/null +++ b/charts/rancher-backup/103.0.0+up4.0.0-rc2/files/default-resourceset-contents/aks.yaml 
@@ -0,0 +1,25 @@ +- apiVersion: "apiextensions.k8s.io/v1" + kindsRegexp: "." + resourceNameRegexp: "aks.cattle.io$" +- apiVersion: "aks.cattle.io/v1" + kindsRegexp: "." +- apiVersion: "apps/v1" + kindsRegexp: "^deployments$" + namespaces: + - "cattle-system" + resourceNames: + - "aks-config-operator" +- apiVersion: "rbac.authorization.k8s.io/v1" + kindsRegexp: "^clusterroles$" + resourceNames: + - "aks-operator" +- apiVersion: "rbac.authorization.k8s.io/v1" + kindsRegexp: "^clusterrolebindings$" + resourceNames: + - "aks-operator" +- apiVersion: "v1" + kindsRegexp: "^serviceaccounts$" + namespaces: + - "cattle-system" + resourceNames: + - "aks-operator" diff --git a/charts/rancher-backup/103.0.0+up4.0.0-rc2/files/default-resourceset-contents/eks.yaml b/charts/rancher-backup/103.0.0+up4.0.0-rc2/files/default-resourceset-contents/eks.yaml new file mode 100644 index 000000000..ae57baddf --- /dev/null +++ b/charts/rancher-backup/103.0.0+up4.0.0-rc2/files/default-resourceset-contents/eks.yaml @@ -0,0 +1,17 @@ +- apiVersion: "eks.cattle.io/v1" + kindsRegexp: "." +- apiVersion: "apps/v1" + kindsRegexp: "^deployments$" + resourceNames: + - "eks-config-operator" +- apiVersion: "apiextensions.k8s.io/v1" + kindsRegexp: "." + resourceNameRegexp: "eks.cattle.io$" +- apiVersion: "rbac.authorization.k8s.io/v1" + kindsRegexp: "^clusterroles$" + resourceNames: + - "eks-operator" +- apiVersion: "rbac.authorization.k8s.io/v1" + kindsRegexp: "^clusterrolebindings$" + resourceNames: + - "eks-operator" diff --git a/charts/rancher-backup/103.0.0+up4.0.0-rc2/files/default-resourceset-contents/elemental.yaml b/charts/rancher-backup/103.0.0+up4.0.0-rc2/files/default-resourceset-contents/elemental.yaml new file mode 100644 index 000000000..1d38b1229 --- /dev/null +++ b/charts/rancher-backup/103.0.0+up4.0.0-rc2/files/default-resourceset-contents/elemental.yaml 
@@ -0,0 +1,49 @@ +- apiVersion: "apiextensions.k8s.io/v1" + kindsRegexp: "." + resourceNameRegexp: "elemental.cattle.io$" +- apiVersion: "apps/v1" + kindsRegexp: "^deployments$" + namespaces: + - "cattle-elemental-system" + resourceNames: + - "elemental-operator" +- apiVersion: "rbac.authorization.k8s.io/v1" + kindsRegexp: "^clusterroles$" + resourceNames: + - "elemental-operator" +- apiVersion: "rbac.authorization.k8s.io/v1" + kindsRegexp: "^clusterrolebindings$" + resourceNames: + - "elemental-operator" +- apiVersion: "v1" + kindsRegexp: "^serviceaccounts$" + namespaces: + - "cattle-elemental-system" + resourceNames: + - "elemental-operator" +- apiVersion: "management.cattle.io/v3" + kindsRegexp: "^globalrole$" + resourceNames: + - "elemental-operator" +- apiVersion: "management.cattle.io/v3" + kindsRegexp: "^apiservice$" + resourceNameRegexp: "elemental.cattle.io$" +- apiVersion: "elemental.cattle.io/v1beta1" + kindsRegexp: "." + namespaceRegexp: "^cattle-fleet-|^fleet-" +- apiVersion: "rbac.authorization.k8s.io/v1" + kindsRegexp: "^roles$|^rolebindings$" + labelSelectors: + matchExpressions: + - key: "elemental.cattle.io/managed" + operator: "In" + values: ["true"] + namespaceRegexp: "^cattle-fleet-|^fleet-" +- apiVersion: "v1" + kindsRegexp: "^secrets$|^serviceaccounts$" + labelSelectors: + matchExpressions: + - key: "elemental.cattle.io/managed" + operator: "In" + values: ["true"] + namespaceRegexp: "^cattle-fleet-|^fleet-" diff --git a/charts/rancher-backup/103.0.0+up4.0.0-rc2/files/default-resourceset-contents/fleet.yaml b/charts/rancher-backup/103.0.0+up4.0.0-rc2/files/default-resourceset-contents/fleet.yaml new file mode 100644 index 000000000..a14125fec --- /dev/null +++ b/charts/rancher-backup/103.0.0+up4.0.0-rc2/files/default-resourceset-contents/fleet.yaml 
@@ -0,0 +1,53 @@ +- apiVersion: "v1" + kindsRegexp: "^namespaces$" + resourceNameRegexp: "^fleet-" +- apiVersion: "v1" + kindsRegexp: "^secrets$" + namespaceRegexp: "^cattle-fleet-|^fleet-" + excludeResourceNameRegexp: "^import-token" + labelSelectors: + matchExpressions: + - key: "owner" + operator: "NotIn" + values: ["helm"] + - key: "fleet.cattle.io/managed" + operator: "In" + values: ["true"] +- apiVersion: "v1" + kindsRegexp: "^serviceaccounts$" + namespaceRegexp: "^cattle-fleet-|^fleet-" + excludeResourceNameRegexp: "^default$" +- apiVersion: "v1" + kindsRegexp: "^configmaps$" + namespaceRegexp: "^cattle-fleet-|^fleet-" +- apiVersion: "rbac.authorization.k8s.io/v1" + kindsRegexp: "^roles$|^rolebindings$" + namespaceRegexp: "^cattle-fleet-|^fleet-" +- apiVersion: "rbac.authorization.k8s.io/v1" + kindsRegexp: "^clusterrolebindings$" + resourceNameRegexp: "^fleet-|^gitjob-" +- apiVersion: "rbac.authorization.k8s.io/v1" + kindsRegexp: "^clusterroles$" + resourceNameRegexp: "^fleet-" + resourceNames: + - "gitjob" +- apiVersion: "apiextensions.k8s.io/v1" + kindsRegexp: "." + resourceNameRegexp: "fleet.cattle.io$|gitjob.cattle.io$" +- apiVersion: "fleet.cattle.io/v1alpha1" + kindsRegexp: "." + excludeKinds: + - "bundledeployments" +- apiVersion: "gitjob.cattle.io/v1" + kindsRegexp: "." +- apiVersion: "apps/v1" + kindsRegexp: "^deployments$" + namespaceRegexp: "^cattle-fleet-|^fleet-" + resourceNameRegexp: "^fleet-" + resourceNames: + - "gitjob" +- apiVersion: "apps/v1" + kindsRegexp: "^services$" + namespaceRegexp: "^cattle-fleet-|^fleet-" + resourceNames: + - "gitjob" diff --git a/charts/rancher-backup/103.0.0+up4.0.0-rc2/files/default-resourceset-contents/gke.yaml b/charts/rancher-backup/103.0.0+up4.0.0-rc2/files/default-resourceset-contents/gke.yaml new file mode 100644 index 000000000..a87eef364 --- /dev/null +++ b/charts/rancher-backup/103.0.0+up4.0.0-rc2/files/default-resourceset-contents/gke.yaml 
@@ -0,0 +1,17 @@ +- apiVersion: "apiextensions.k8s.io/v1" + kindsRegexp: "." + resourceNameRegexp: "gke.cattle.io$" +- apiVersion: "gke.cattle.io/v1" + kindsRegexp: "." +- apiVersion: "apps/v1" + kindsRegexp: "^deployments$" + resourceNames: + - "gke-config-operator" +- apiVersion: "rbac.authorization.k8s.io/v1" + kindsRegexp: "^clusterroles$" + resourceNames: + - "gke-operator" +- apiVersion: "rbac.authorization.k8s.io/v1" + kindsRegexp: "^clusterrolebindings$" + resourceNames: + - "gke-operator" diff --git a/charts/rancher-backup/103.0.0+up4.0.0-rc2/files/default-resourceset-contents/provisioningv2.yaml b/charts/rancher-backup/103.0.0+up4.0.0-rc2/files/default-resourceset-contents/provisioningv2.yaml new file mode 100644 index 000000000..50a7f906b --- /dev/null +++ b/charts/rancher-backup/103.0.0+up4.0.0-rc2/files/default-resourceset-contents/provisioningv2.yaml @@ -0,0 +1,23 @@ +- apiVersion: "apiextensions.k8s.io/v1" + kindsRegexp: "." + resourceNameRegexp: "provisioning.cattle.io$|rke-machine-config.cattle.io$|rke-machine.cattle.io$|rke.cattle.io$|cluster.x-k8s.io$" +- apiVersion: "provisioning.cattle.io/v1" + kindsRegexp: "." +- apiVersion: "rke-machine-config.cattle.io/v1" + kindsRegexp: "." +- apiVersion: "rke-machine.cattle.io/v1" + kindsRegexp: "." +- apiVersion: "rke.cattle.io/v1" + kindsRegexp: "." +- apiVersion: "cluster.x-k8s.io/v1beta1" + kindsRegexp: "." +- apiVersion: "v1" + kindsRegexp: "^secrets$" + resourceNameRegexp: "machine-plan$|rke-state$|machine-state$|machine-driver-secret$|machine-provision$|^harvesterconfig" + namespaces: + - "fleet-default" +- apiVersion: "v1" + kindsRegexp: "^configmaps$" + resourceNames: + - "provisioning-log" + namespaceRegexp: "^c-m-" diff --git a/charts/rancher-backup/103.0.0+up4.0.0-rc2/files/default-resourceset-contents/rancher-operator.yaml b/charts/rancher-backup/103.0.0+up4.0.0-rc2/files/default-resourceset-contents/rancher-operator.yaml new file mode 100644 index 000000000..f30c2fd96 --- /dev/null 
+++ b/charts/rancher-backup/103.0.0+up4.0.0-rc2/files/default-resourceset-contents/rancher-operator.yaml @@ -0,0 +1,28 @@ +- apiVersion: "rancher.cattle.io/v1" + kindsRegexp: "." +- apiVersion: "apps/v1" + kindsRegexp: "^deployments$" + resourceNames: + - "rancher-operator" + namespaces: + - "rancher-operator-system" +- apiVersion: "v1" + kindsRegexp: "^serviceaccounts$" + namespaces: + - "rancher-operator-system" + excludeResourceNameRegexp: "^default$" +- apiVersion: "rbac.authorization.k8s.io/v1" + kindsRegexp: "^clusterrolebindings$" + resourceNames: + - "rancher-operator" +- apiVersion: "rbac.authorization.k8s.io/v1" + kindsRegexp: "^clusterroles$" + resourceNames: + - "rancher-operator" +- apiVersion: "apiextensions.k8s.io/v1" + kindsRegexp: "." + resourceNameRegexp: "rancher.cattle.io$" +- apiVersion: "v1" + kindsRegexp: "^namespaces$" + resourceNames: + - "rancher-operator-system" diff --git a/charts/rancher-backup/103.0.0+up4.0.0-rc2/files/default-resourceset-contents/rancher.yaml b/charts/rancher-backup/103.0.0+up4.0.0-rc2/files/default-resourceset-contents/rancher.yaml new file mode 100644 index 000000000..47fa2e02f --- /dev/null +++ b/charts/rancher-backup/103.0.0+up4.0.0-rc2/files/default-resourceset-contents/rancher.yaml 
@@ -0,0 +1,65 @@ +- apiVersion: "v1" + kindsRegexp: "^namespaces$" + resourceNameRegexp: "^cattle-|^p-|^c-|^user-|^u-" + resourceNames: + - "local" +- apiVersion: "v1" + kindsRegexp: "^secrets$" + namespaceRegexp: "^cattle-|^p-|^c-|^local$|^user-|^u-" + labelSelectors: + matchExpressions: + - key: "owner" + operator: "NotIn" + values: ["helm"] + excludeResourceNameRegexp: "^bootstrap-secret$|^rancher-csp-adapter|^csp-adapter-cache$" +- apiVersion: "v1" + kindsRegexp: "^serviceaccounts$" + namespaceRegexp: "^cattle-|^p-|^c-|^local$|^user-|^u-" + excludeResourceNameRegexp: "^default$|^rancher-csp-adapter$" +- apiVersion: "v1" + kindsRegexp: "^configmaps$" + namespaces: + - "cattle-system" +- apiVersion: "rbac.authorization.k8s.io/v1" + kindsRegexp: "^roles$|^rolebindings$" + namespaceRegexp: "^cattle-|^p-|^c-|^local$|^user-|^u-" + excludeResourceNameRegexp: "^rancher-csp-adapter" +- apiVersion: "rbac.authorization.k8s.io/v1" + kindsRegexp: "^clusterrolebindings$" + resourceNameRegexp: "^cattle-|^clusterrolebinding-|^globaladmin-user-|^grb-u-|^crb-" +- apiVersion: "rbac.authorization.k8s.io/v1" + kindsRegexp: "^clusterroles$" + resourceNameRegexp: "^cattle-|^p-|^c-|^local-|^user-|^u-|^project-|^create-ns$" + excludeResourceNameRegexp: "^rancher-csp-adapter-" +- apiVersion: "scheduling.k8s.io/v1" + kindsRegexp: "^priorityclasses$" + resourceNameRegexp: "^rancher-critical$" +- apiVersion: "apiextensions.k8s.io/v1" + kindsRegexp: "." + resourceNameRegexp: "management.cattle.io$|project.cattle.io$|catalog.cattle.io$|resources.cattle.io$" +- apiVersion: "management.cattle.io/v3" + kindsRegexp: "." + excludeKinds: + - "tokens" + - "rancherusernotifications" +- apiVersion: "management.cattle.io/v3" + kindsRegexp: "^tokens$" + labelSelectors: + matchExpressions: + - key: "authn.management.cattle.io/kind" + operator: "NotIn" + values: [ "provisioning" ] +- apiVersion: "project.cattle.io/v3" + kindsRegexp: "." 
+- apiVersion: "catalog.cattle.io/v1" + kindsRegexp: "^clusterrepos$" +- apiVersion: "resources.cattle.io/v1" + kindsRegexp: "^ResourceSet$" +- apiVersion: "v1" + kindsRegexp: "^secrets$" + namespaceRegexp: "^.*$" + labelSelectors: + matchExpressions: + - key: "resources.cattle.io/backup" + operator: "In" + values: ["true"] diff --git a/charts/rancher-backup/103.0.0+up4.0.0-rc2/templates/_helpers.tpl b/charts/rancher-backup/103.0.0+up4.0.0-rc2/templates/_helpers.tpl new file mode 100644 index 000000000..a5e485243 --- /dev/null +++ b/charts/rancher-backup/103.0.0+up4.0.0-rc2/templates/_helpers.tpl 
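Review bot: The final selector in this file captures every Secret in every namespace (`namespaceRegexp: "^.*$"`) that carries the `resources.cattle.io/backup=true` label, on top of the Secrets of the Rancher namespaces selected by the second entry of the hunk, but nothing in the file tells a reader that these end up in the backup archive. The chart's app-readme in the same commit describes encryption as an opt-in on the Backup resource, so presumably the archive holds these Secrets unencrypted unless that is configured — confirm against the operator. A one-line header comment would make the trade-off visible where the selection is made: `# Secrets selected below are written to the backup archive; configure encryption on the Backup resource to protect them at rest.` The `values: [ "provisioning" ]` entry also uses a different flow-sequence spacing from every other `values: ["..."]` in these files; `values: ["provisioning"]` keeps the style uniform.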
@@ -0,0 +1,87 @@ +{{- define "system_default_registry" -}} +{{- if .Values.global.cattle.systemDefaultRegistry -}} +{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}} +{{- else -}} +{{- "" -}} +{{- end -}} +{{- end -}} + +{{/* +Windows cluster will add default taint for linux nodes, +add below linux tolerations to workloads could be scheduled to those linux nodes +*/}} +{{- define "linux-node-tolerations" -}} +- key: "cattle.io/os" + value: "linux" + effect: "NoSchedule" + operator: "Equal" +{{- end -}} + +{{- define "linux-node-selector" -}} +{{- if semverCompare "<1.14-0" .Capabilities.KubeVersion.GitVersion -}} +beta.kubernetes.io/os: linux +{{- else -}} +kubernetes.io/os: linux +{{- end -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "backupRestore.fullname" -}} +{{- .Chart.Name | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "backupRestore.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "backupRestore.labels" -}} +helm.sh/chart: {{ include "backupRestore.chart" . }} +{{ include "backupRestore.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "backupRestore.selectorLabels" -}} +app.kubernetes.io/name: {{ include "backupRestore.fullname" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +resources.cattle.io/operator: backup-restore +{{- end }} + + +{{/* +Create the name of the service account to use +*/}} +{{- define "backupRestore.serviceAccountName" -}} +{{ include "backupRestore.fullname" . 
}} +{{- end }} + + +{{- define "backupRestore.s3SecretName" -}} +{{- printf "%s-%s" .Chart.Name "s3" | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create PVC name using release and revision number, unless a volumeName is given. +*/}} +{{- define "backupRestore.pvcName" -}} +{{- if and .Values.persistence.volumeName }} +{{- printf "%s" .Values.persistence.volumeName }} +{{- else -}} +{{- printf "%s-%d" .Release.Name .Release.Revision }} +{{- end }} +{{- end }} + diff --git a/charts/rancher-backup/103.0.0+up4.0.0-rc2/templates/clusterrolebinding.yaml b/charts/rancher-backup/103.0.0+up4.0.0-rc2/templates/clusterrolebinding.yaml new file mode 100644 index 000000000..cf4abf670 --- /dev/null +++ b/charts/rancher-backup/103.0.0+up4.0.0-rc2/templates/clusterrolebinding.yaml @@ -0,0 +1,14 @@ +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ include "backupRestore.fullname" . }} + labels: + {{- include "backupRestore.labels" . | nindent 4 }} +subjects: +- kind: ServiceAccount + name: {{ include "backupRestore.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: cluster-admin + apiGroup: rbac.authorization.k8s.io diff --git a/charts/rancher-backup/103.0.0+up4.0.0-rc2/templates/deployment.yaml b/charts/rancher-backup/103.0.0+up4.0.0-rc2/templates/deployment.yaml new file mode 100644 index 000000000..631fa458b --- /dev/null +++ b/charts/rancher-backup/103.0.0+up4.0.0-rc2/templates/deployment.yaml 
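Review bot: `backupRestore.pvcName` folds `.Release.Revision` into the claim name, so with dynamic provisioning every `helm upgrade` renders a PVC with a new name; Helm 3 then deletes the previous claim because it is no longer in the release manifest, and unless the StorageClass reclaim policy is `Retain` the PV holding earlier backups goes with it. If this behaviour is intentional (the helper's comment suggests upstream relies on it), the comment should state the consequence and the way out, e.g. `{{/* The claim is renamed on every release revision; set persistence.volumeName to keep a stable claim across upgrades. */}}`. Separately, `{{- if and .Values.persistence.volumeName }}` applies `and` to a single operand, which is a no-op; `{{- if .Values.persistence.volumeName }}` reads as intended.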
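Review bot: The operator ServiceAccount is bound to the built-in `cluster-admin` ClusterRole with no comment explaining why a chart-specific role was not written. The ResourceSet in this commit selects CRDs, ClusterRoles, ClusterRoleBindings and Secrets across namespaces, and a Restore re-creates whatever was captured, so a narrower role may indeed be impractical — but that reasoning belongs in the template: `# cluster-admin: a Restore must be able to re-create any resource the ResourceSet selects (CRDs, RBAC, Secrets); there is no narrower role that covers this.` It is also worth noting in the same comment that this SA's token is therefore a cluster-admin credential in the `cattle-resources-system` namespace; the post-install Job in hardened.yaml only disables token automount for the `default` SA, not for this one.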
@@ -0,0 +1,79 @@ +{{- if and .Values.s3.enabled .Values.persistence.enabled }} +{{- fail "\n\nCannot configure both s3 and PV for storing backups" }} +{{- end }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "backupRestore.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "backupRestore.labels" . | nindent 4 }} +spec: + selector: + matchLabels: + {{- include "backupRestore.selectorLabels" . | nindent 6 }} + template: + metadata: + labels: + {{- include "backupRestore.selectorLabels" . | nindent 8 }} + annotations: + checksum/s3: {{ include (print $.Template.BasePath "/s3-secret.yaml") . | sha256sum }} + checksum/pvc: {{ include (print $.Template.BasePath "/pvc.yaml") . | sha256sum }} + spec: + serviceAccountName: {{ include "backupRestore.serviceAccountName" . }} + {{- if .Values.imagePullSecrets }} + imagePullSecrets: + {{ toYaml .Values.imagePullSecrets | indent 6 }} + {{- end }} + {{- if .Values.priorityClassName }} + priorityClassName: {{ .Values.priorityClassName }} + {{- end }} + containers: + - name: {{ .Chart.Name }} + image: {{ template "system_default_registry" . }}{{ .Values.image.repository }}:{{ .Values.image.tag }} + imagePullPolicy: {{ default "Always" .Values.imagePullPolicy }} + args: +{{- if .Values.debug }} + - "--debug" +{{- end }} +{{- if .Values.trace }} + - "--trace" +{{- end }} + env: + - name: CHART_NAMESPACE + value: {{ .Release.Namespace }} + {{- if .Values.s3.enabled }} + - name: DEFAULT_S3_BACKUP_STORAGE_LOCATION + value: {{ include "backupRestore.s3SecretName" . 
}} + {{- end }} + {{- if .Values.proxy }} + - name: HTTP_PROXY + value: {{ .Values.proxy }} + - name: HTTPS_PROXY + value: {{ .Values.proxy }} + - name: NO_PROXY + value: {{ .Values.noProxy }} + {{- end }} + {{- if .Values.persistence.enabled }} + - name: DEFAULT_PERSISTENCE_ENABLED + value: "persistence-enabled" + volumeMounts: + - mountPath: "/var/lib/backups" + name: pv-storage + volumes: + - name: pv-storage + persistentVolumeClaim: + claimName: {{ include "backupRestore.pvcName" . }} + {{- end }} + nodeSelector: {{ include "linux-node-selector" . | nindent 8 }} +{{- if .Values.nodeSelector }} +{{ toYaml .Values.nodeSelector | indent 8 }} +{{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + tolerations: {{ include "linux-node-tolerations" . | nindent 8 }} +{{- if .Values.tolerations }} +{{ toYaml .Values.tolerations | indent 8 }} +{{- end }} diff --git a/charts/rancher-backup/103.0.0+up4.0.0-rc2/templates/hardened.yaml b/charts/rancher-backup/103.0.0+up4.0.0-rc2/templates/hardened.yaml new file mode 100644 index 000000000..bf8492ce0 --- /dev/null +++ b/charts/rancher-backup/103.0.0+up4.0.0-rc2/templates/hardened.yaml 
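Review bot: Neither the pod nor the container in this Deployment sets a `securityContext`, so with `global.cattle.psp.enabled` at its documented default of `false` nothing constrains the operator to a non-root UID or blocks privilege escalation. The post-install Job in hardened.yaml already sets `runAsNonRoot: true`, and the PSP rendered by psp.yaml requires `MustRunAsNonRoot` and `allowPrivilegeEscalation: false`, so the same constraints can be stated unconditionally here; the fence below does that and leaves `readOnlyRootFilesystem` out because the PSP declares it `false`, which suggests the operator writes to its root filesystem (to be confirmed). Separately, `value: {{ .Values.proxy }}`, `value: {{ .Values.noProxy }}` and `value: {{ .Release.Namespace }}` are rendered unquoted while the S3 secret template in this commit uses `| quote`; quoting keeps env values strings whatever shape the configured value has.
```yaml
    spec:
      serviceAccountName: {{ include "backupRestore.serviceAccountName" . }}
      # … unchanged: imagePullSecrets / priorityClassName …
      securityContext:
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
      containers:
      - name: {{ .Chart.Name }}
        # … unchanged: image / imagePullPolicy / args …
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop: ["ALL"]
        env:
        # … unchanged: env entries, volumeMounts, volumes, scheduling …
```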
@@ -0,0 +1,124 @@ +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ include "backupRestore.fullname" . }}-patch-sa + namespace: {{ .Release.Namespace }} + labels: {{ include "backupRestore.labels" . | nindent 4 }} + annotations: + "helm.sh/hook": post-install, post-upgrade + "helm.sh/hook-delete-policy": hook-succeeded, before-hook-creation +spec: + backoffLimit: 1 + template: + spec: + serviceAccountName: {{ include "backupRestore.fullname" . }}-patch-sa + securityContext: + runAsNonRoot: true + runAsUser: 1000 + restartPolicy: Never + nodeSelector: {{ include "linux-node-selector" . | nindent 8 }} +{{- if .Values.nodeSelector }} +{{ toYaml .Values.nodeSelector | indent 8 }} +{{- end }} + tolerations: {{ include "linux-node-tolerations" . | nindent 8 }} +{{- if .Values.tolerations }} +{{ toYaml .Values.tolerations | indent 8 }} +{{- end }} + containers: + - name: {{ include "backupRestore.fullname" . }}-patch-sa + image: {{ include "system_default_registry" . }}{{ .Values.global.kubectl.repository }}:{{ .Values.global.kubectl.tag }} + imagePullPolicy: IfNotPresent + command: ["kubectl", "-n", {{ .Release.Namespace | quote }}, "patch", "serviceaccount", "default", "-p", "{\"automountServiceAccountToken\": false}"] +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "backupRestore.fullname" . }}-patch-sa + namespace: {{ .Release.Namespace }} + labels: {{ include "backupRestore.labels" . | nindent 4 }} + annotations: + "helm.sh/hook": post-install, post-upgrade + "helm.sh/hook-delete-policy": hook-succeeded, before-hook-creation +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "backupRestore.fullname" . }}-patch-sa + labels: {{ include "backupRestore.labels" . 
| nindent 4 }} + annotations: + "helm.sh/hook": post-install, post-upgrade + "helm.sh/hook-delete-policy": hook-succeeded, before-hook-creation +rules: + - apiGroups: [""] + resources: ["serviceaccounts"] + verbs: ["get", "patch"] +{{- if .Values.global.cattle.psp.enabled}} + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + verbs: ["use"] + resourceNames: + - {{ include "backupRestore.fullname" . }}-patch-sa +{{- end}} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "backupRestore.fullname" . }}-patch-sa + labels: {{ include "backupRestore.labels" . | nindent 4 }} + annotations: + "helm.sh/hook": post-install, post-upgrade + "helm.sh/hook-delete-policy": hook-succeeded, before-hook-creation +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "backupRestore.fullname" . }}-patch-sa +subjects: + - kind: ServiceAccount + name: {{ include "backupRestore.fullname" . }}-patch-sa + namespace: {{ .Release.Namespace }} +--- +{{- if .Values.global.cattle.psp.enabled}} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ include "backupRestore.fullname" . }}-patch-sa + labels: {{ include "backupRestore.labels" . | nindent 4 }} + annotations: + "helm.sh/hook": post-install, post-upgrade + "helm.sh/hook-delete-policy": hook-succeeded, before-hook-creation +spec: + privileged: false + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'MustRunAsNonRoot' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'MustRunAs' + ranges: + - min: 1 + max: 65535 + fsGroup: + rule: 'MustRunAs' + ranges: + - min: 1 + max: 65535 + readOnlyRootFilesystem: false + volumes: + - 'secret' +{{- end}} +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ include "backupRestore.fullname" . 
}}-default-allow-all + namespace: {{ .Release.Namespace }} +spec: + podSelector: {} + egress: + - {} + policyTypes: + - Ingress + - Egress diff --git a/charts/rancher-backup/103.0.0+up4.0.0-rc2/templates/psp.yaml b/charts/rancher-backup/103.0.0+up4.0.0-rc2/templates/psp.yaml new file mode 100644 index 000000000..34bc96ee7 --- /dev/null +++ b/charts/rancher-backup/103.0.0+up4.0.0-rc2/templates/psp.yaml @@ -0,0 +1,31 @@ +{{- if .Values.global.cattle.psp.enabled -}} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ include "backupRestore.fullname" . }}-psp + labels: {{ include "backupRestore.labels" . | nindent 4 }} +spec: + privileged: false + allowPrivilegeEscalation: false + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'MustRunAsNonRoot' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'MustRunAs' + ranges: + - min: 1 + max: 65535 + fsGroup: + rule: 'MustRunAs' + ranges: + - min: 1 + max: 65535 + readOnlyRootFilesystem: false + volumes: + - 'persistentVolumeClaim' + - 'secret' +{{- end -}} diff --git a/charts/rancher-backup/103.0.0+up4.0.0-rc2/templates/pvc.yaml b/charts/rancher-backup/103.0.0+up4.0.0-rc2/templates/pvc.yaml new file mode 100644 index 000000000..ff57e4dab --- /dev/null +++ b/charts/rancher-backup/103.0.0+up4.0.0-rc2/templates/pvc.yaml @@ -0,0 +1,27 @@ +{{- if and .Values.persistence.enabled -}} +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: {{ include "backupRestore.pvcName" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "backupRestore.labels" . | nindent 4 }} +spec: + accessModes: + - ReadWriteOnce + resources: + {{- with .Values.persistence }} + requests: + storage: {{ .size | quote }} +{{- if .storageClass }} +{{- if (eq "-" .storageClass) }} + storageClassName: "" +{{- else }} + storageClassName: {{ .storageClass | quote }} +{{- end }} +{{- end }} +{{- if .volumeName }} + volumeName: {{ .volumeName | quote }} +{{- end }} +{{- end }} +{{- end }} 
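Review bot: The NetworkPolicy named `-default-allow-all` does not allow all traffic: `policyTypes` lists `Ingress` but the spec has no `ingress` rules, so every pod in the release namespace is denied all inbound traffic while `egress: - {}` allows all outbound. That is probably acceptable for this chart, since no Service is templated in the commit, but the name says the opposite and the template should say what it does: `# Allows all egress. Lists Ingress with no rules, so all inbound traffic to pods in this namespace is denied.` On the `-patch-sa` Job, the ClusterRole/ClusterRoleBinding grant `get`/`patch` on ServiceAccounts in every namespace although the command only patches `default` in `{{ .Release.Namespace }}`; a namespaced `Role`/`RoleBinding` in the release namespace would cover it, and the Job container could carry the same `allowPrivilegeEscalation: false` the chart's PSP requires.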
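Review bot: `storage: {{ .size | quote }}` in the PVC template renders `storage: ""` when `persistence.size` is left at the empty default documented in the README table, which the API server rejects after `persistence.enabled` has already passed the guard, and the resulting error points at the PVC rather than at the missing value. The S3 secret template in this commit uses `required` for its mandatory fields; the same pattern fits here: `storage: {{ required "persistence.size must be set when persistence.enabled is true" .size | quote }}`. The enclosing `{{- if and .Values.persistence.enabled -}}` also applies `and` to one operand and can be `{{- if .Values.persistence.enabled -}}`.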
diff --git a/charts/rancher-backup/103.0.0+up4.0.0-rc2/templates/rancher-resourceset.yaml b/charts/rancher-backup/103.0.0+up4.0.0-rc2/templates/rancher-resourceset.yaml new file mode 100644 index 000000000..05add8824 --- /dev/null +++ b/charts/rancher-backup/103.0.0+up4.0.0-rc2/templates/rancher-resourceset.yaml @@ -0,0 +1,13 @@ +apiVersion: resources.cattle.io/v1 +kind: ResourceSet +metadata: + name: rancher-resource-set +controllerReferences: + - apiVersion: "apps/v1" + resource: "deployments" + name: "rancher" + namespace: "cattle-system" +resourceSelectors: +{{- range $path, $_ := .Files.Glob "files/default-resourceset-contents/*.yaml" -}} + {{- $.Files.Get $path | nindent 2 -}} +{{- end -}} diff --git a/charts/rancher-backup/103.0.0+up4.0.0-rc2/templates/s3-secret.yaml b/charts/rancher-backup/103.0.0+up4.0.0-rc2/templates/s3-secret.yaml new file mode 100644 index 000000000..726509730 --- /dev/null +++ b/charts/rancher-backup/103.0.0+up4.0.0-rc2/templates/s3-secret.yaml 
@@ -0,0 +1,31 @@
+{{- if .Values.s3.enabled -}}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ include "backupRestore.s3SecretName" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "backupRestore.labels" . | nindent 4 }}
+type: Opaque
+stringData:
+ {{- with .Values.s3 }}
+ {{- if .credentialSecretName }}
+ credentialSecretName: {{ .credentialSecretName }}
+ credentialSecretNamespace: {{ required "When providing a Secret containing S3 credentials, a valid .Values.credentialSecretNamespace must be provided" .credentialSecretNamespace }}
+ {{- end }}
+ {{- if .region }}
+ region: {{ .region | quote }}
+ {{- end }}
+ bucketName: {{ required "A valid .Values.bucketName is required for configuring S3 compatible storage as the default backup storage location" .bucketName | quote }}
+ {{- if .folder }}
+ folder: {{ .folder | quote }}
+ {{- end }}
+ endpoint: {{ required "A valid .Values.endpoint is required for configuring S3 compatible storage as the default backup storage location" .endpoint | quote }}
+ {{- if .endpointCA }}
+ endpointCA: {{ .endpointCA }}
+ {{- end }}
+ {{- if .insecureTLSSkipVerify }}
+ insecureTLSSkipVerify: {{ .insecureTLSSkipVerify | quote }}
+ {{- end }}
+ {{- end }}
+{{ end }}
diff --git a/charts/rancher-backup/103.0.0+up4.0.0-rc2/templates/serviceaccount.yaml b/charts/rancher-backup/103.0.0+up4.0.0-rc2/templates/serviceaccount.yaml
new file mode 100644
index 000000000..754e1fe89
--- /dev/null
+++ b/charts/rancher-backup/103.0.0+up4.0.0-rc2/templates/serviceaccount.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "backupRestore.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "backupRestore.labels" . | nindent 4 }}
+{{- if .Values.serviceAccount.annotations }}
+ annotations:
+ {{- toYaml .Values.serviceAccount.annotations | nindent 4 }}
+{{- end }}
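Review bot: The three `required` error messages in s3-secret.yaml point users at the wrong value paths: they say `.Values.credentialSecretNamespace`, `.Values.bucketName` and `.Values.endpoint`, but the block sits inside `{{- with .Values.s3 }}` and values.yaml defines these keys under `s3:`, so the messages should name `.Values.s3.credentialSecretNamespace`, `.Values.s3.bucketName` and `.Values.s3.endpoint`. Separately, `credentialSecretName: {{ .credentialSecretName }}` and `endpointCA: {{ .endpointCA }}` are emitted unquoted while every sibling key goes through `| quote`; piping both through `quote` keeps the rendering uniform and prevents a value that happens to start with a YAML indicator from breaking the Secret manifest.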
diff --git a/charts/rancher-backup/103.0.0+up4.0.0-rc2/templates/validate-install-crd.yaml b/charts/rancher-backup/103.0.0+up4.0.0-rc2/templates/validate-install-crd.yaml
new file mode 100644
index 000000000..f63fd2e2e
--- /dev/null
+++ b/charts/rancher-backup/103.0.0+up4.0.0-rc2/templates/validate-install-crd.yaml
@@ -0,0 +1,16 @@
+#{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}}
+# {{- $found := dict -}}
+# {{- set $found "resources.cattle.io/v1/Backup" false -}}
+# {{- set $found "resources.cattle.io/v1/ResourceSet" false -}}
+# {{- set $found "resources.cattle.io/v1/Restore" false -}}
+# {{- range .Capabilities.APIVersions -}}
+# {{- if hasKey $found (toString .) -}}
+# {{- set $found (toString .) true -}}
+# {{- end -}}
+# {{- end -}}
+# {{- range $_, $exists := $found -}}
+# {{- if (eq $exists false) -}}
+# {{- required "Required CRDs are missing. Please install the corresponding CRD chart before installing this chart." "" -}}
+# {{- end -}}
+# {{- end -}}
+#{{- end -}}
\ No newline at end of file
diff --git a/charts/rancher-backup/103.0.0+up4.0.0-rc2/templates/validate-psp-install.yaml b/charts/rancher-backup/103.0.0+up4.0.0-rc2/templates/validate-psp-install.yaml
new file mode 100644
index 000000000..a30c59d3b
--- /dev/null
+++ b/charts/rancher-backup/103.0.0+up4.0.0-rc2/templates/validate-psp-install.yaml
@@ -0,0 +1,7 @@
+#{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}}
+#{{- if .Values.global.cattle.psp.enabled }}
+#{{- if not (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }}
+#{{- fail "The target cluster does not have the PodSecurityPolicy API resource. Please disable PSPs in this chart before proceeding." -}}
+#{{- end }}
+#{{- end }}
+#{{- end }}
diff --git a/charts/rancher-backup/103.0.0+up4.0.0-rc2/tests/deployment_test.yaml b/charts/rancher-backup/103.0.0+up4.0.0-rc2/tests/deployment_test.yaml
new file mode 100644
index 000000000..671d415db
--- /dev/null
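Review bot: Both validate-install-crd.yaml and validate-psp-install.yaml wrap their checks in `{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}}`, and `lookup` returns an empty result whenever Helm has no live cluster connection, so neither the missing-CRD `required` nor the PSP `fail` fires under `helm template` or a client-only dry run. That is presumably deliberate, since it keeps offline rendering working, but nothing in either file says so. A leading comment such as `# lookup is empty without a cluster connection, so these checks only run on a real install/upgrade` would stop the next reader from assuming the unit-test suites exercise them. The `#` prefixes do not disable the template actions, which Go templates execute regardless of YAML comment syntax, so on a connected install the checks are live.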
+++ b/charts/rancher-backup/103.0.0+up4.0.0-rc2/tests/deployment_test.yaml 
@@ -0,0 +1,216 @@
+suite: Test Deployment
+templates:
+- deployment.yaml
+- s3-secret.yaml
+- pvc.yaml
+- _helpers.tpl
+tests:
+- it: should set name
+ template: deployment.yaml
+ asserts:
+ - equal:
+ path: metadata.name
+ value: "rancher-backup"
+- it: should set namespace
+ template: deployment.yaml
+ asserts:
+ - equal:
+ path: metadata.namespace
+ value: "NAMESPACE"
+- it: should set priorityClassName
+ set:
+ priorityClassName: "testClass"
+ template: deployment.yaml
+ asserts:
+ - equal:
+ path: spec.template.spec.priorityClassName
+ value: "testClass"
+- it: should set default imagePullPolicy
+ template: deployment.yaml
+ asserts:
+ - equal:
+ path: spec.template.spec.containers[0].imagePullPolicy
+ value: "Always"
+- it: should set imagePullPolicy
+ set:
+ imagePullPolicy: "IfNotPresent"
+ template: deployment.yaml
+ asserts:
+ - equal:
+ path: spec.template.spec.containers[0].imagePullPolicy
+ value: "IfNotPresent"
+- it: should set debug loglevel
+ set:
+ debug: true
+ template: deployment.yaml
+ asserts:
+ - contains:
+ path: spec.template.spec.containers[0].args
+ content: "--debug"
+- it: should set trace loglevel
+ set:
+ trace: true
+ template: deployment.yaml
+ asserts:
+ - contains:
+ path: spec.template.spec.containers[0].args
+ content: "--trace"
+- it: should set proxy environment variables
+ set:
+ proxy: "https://127.0.0.1:3128"
+ template: deployment.yaml
+ asserts:
+ - contains:
+ path: spec.template.spec.containers[0].env
+ content:
+ name: HTTP_PROXY
+ value: "https://127.0.0.1:3128"
+ - contains:
+ path: spec.template.spec.containers[0].env
+ content:
+ name: HTTPS_PROXY
+ value: "https://127.0.0.1:3128"
+ - contains:
+ path: spec.template.spec.containers[0].env
+ content:
+ name: NO_PROXY
+ value: "127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,.svc,.cluster.local"
+- it: should set proxy environment variables with modified noproxy
+ set:
+ proxy: "https://127.0.0.1:3128"
+ noProxy: "192.168.0.0/24"
+ template: deployment.yaml
+ asserts:
+ - contains:
+ path: spec.template.spec.containers[0].env
+ content:
+ name: NO_PROXY
+ value: "192.168.0.0/24"
+- it: should set persistence variables
+ set:
+ persistence.enabled: true
+ template: deployment.yaml
+ asserts:
+ - contains:
+ path: spec.template.spec.containers[0].env
+ content:
+ name: DEFAULT_PERSISTENCE_ENABLED
+ value: "persistence-enabled"
+ - contains:
+ path: spec.template.spec.containers[0].volumeMounts
+ content:
+ mountPath: "/var/lib/backups"
+ name: "pv-storage"
+ - equal:
+ path: spec.template.spec.volumes[0].name
+ value: "pv-storage"
+ - equal:
+ path: spec.template.spec.volumes[0].persistentVolumeClaim
+ value:
+ claimName: RELEASE-NAME-0
+- it: should set claim from custom static volumeName
+ set:
+ persistence.enabled: true
+ persistence.volumeName: "PREDEFINED-VOLUME"
+ persistence.storageClass: "PREDEFINED-STORAGECLASS"
+ persistence.size: "PREDIFINED-SAMEAS-PVSIZE"
+ template: deployment.yaml
+ asserts:
+ - contains:
+ path: spec.template.spec.containers[0].env
+ content:
+ name: DEFAULT_PERSISTENCE_ENABLED
+ value: "persistence-enabled"
+ - equal:
+ path: spec.template.spec.volumes[0].persistentVolumeClaim
+ value:
+ claimName: PREDEFINED-VOLUME
+- it: should set private registry
+ template: deployment.yaml
+ set:
+ global.cattle.systemDefaultRegistry: "my.registry.local:3000"
+ asserts:
+ - matchRegex:
+ path: spec.template.spec.containers[0].image
+ pattern: ^my.registry.local:3000/rancher/backup-restore-operator:.*$
+- it: should set nodeselector
+ template: deployment.yaml
+ asserts:
+ - equal:
+ path: spec.template.spec.nodeSelector
+ value:
+ kubernetes.io/os: linux
+- it: should not set default affinity
+ template: deployment.yaml
+ asserts:
+ - isNull:
+ path: spec.template.spec.affinity
+- it: should set custom affinity
+ template: deployment.yaml
+ set:
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: disktype
+ operator: In
+ values:
+ - ssd
+ asserts:
+ - equal:
+ path: spec.template.spec.affinity
+ value:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: disktype
+ operator: In
+ values:
+ - ssd
+- it: should set tolerations
+ template: deployment.yaml
+ asserts:
+ - equal:
+ path: spec.template.spec.tolerations[0]
+ value:
+ key: "cattle.io/os"
+ value: "linux"
+ effect: "NoSchedule"
+ operator: "Equal"
+- it: should set custom tolerations
+ template: deployment.yaml
+ set:
+ tolerations:
+ - key: "example-key"
+ operator: "Exists"
+ effect: "NoSchedule"
+ asserts:
+ - equal:
+ path: spec.template.spec.tolerations[0]
+ value:
+ key: "cattle.io/os"
+ value: "linux"
+ effect: "NoSchedule"
+ operator: "Equal"
+ - equal:
+ path: spec.template.spec.tolerations[1]
+ value:
+ key: "example-key"
+ operator: "Exists"
+ effect: "NoSchedule"
+- it: should not set default imagePullSecrets
+ template: deployment.yaml
+ asserts:
+ - isNull:
+ path: spec.template.spec.imagePullSecrets
+- it: should set imagePullSecrets
+ set:
+ imagePullSecrets:
+ - name: "pull-secret"
+ template: deployment.yaml
+ asserts:
+ - equal:
+ path: spec.template.spec.imagePullSecrets[0].name
+ value: "pull-secret"
diff --git a/charts/rancher-backup/103.0.0+up4.0.0-rc2/tests/pvc_test.yaml b/charts/rancher-backup/103.0.0+up4.0.0-rc2/tests/pvc_test.yaml
new file mode 100644
index 000000000..3a1c40698
--- /dev/null
+++ b/charts/rancher-backup/103.0.0+up4.0.0-rc2/tests/pvc_test.yaml
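Review bot: In the "should set private registry" case the `matchRegex` pattern `^my.registry.local:3000/rancher/backup-restore-operator:.*$` leaves the dots unescaped, so each of them also matches any single character; `pattern: ^my\.registry\.local:3000/rancher/backup-restore-operator:.*$` pins the registry literally. The "should set claim from custom static volumeName" case sets `persistence.size: "PREDIFINED-SAMEAS-PVSIZE"` while the same case in pvc_test.yaml spells it `PREDEFINED-SAMEAS-PVSIZE`; the value is never asserted here so the test still passes, but aligning the spelling keeps the two suites greppable together.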
@@ -0,0 +1,102 @@
+suite: Test PVC
+templates:
+- pvc.yaml
+- _helpers.tpl
+tests:
+- it: should set name
+ template: pvc.yaml
+ set:
+ persistence:
+ enabled: true
+ asserts:
+ - equal:
+ path: metadata.name
+ value: "RELEASE-NAME-0"
+- it: should set namespace
+ template: pvc.yaml
+ set:
+ persistence:
+ enabled: true
+ asserts:
+ - equal:
+ path: metadata.namespace
+ value: "NAMESPACE"
+- it: should set accessModes
+ template: pvc.yaml
+ set:
+ persistence:
+ enabled: true
+ asserts:
+ - equal:
+ path: spec.accessModes[0]
+ value: "ReadWriteOnce"
+- it: should set size
+ template: pvc.yaml
+ set:
+ persistence:
+ enabled: true
+ asserts:
+ - equal:
+ path: spec.resources.requests.storage
+ value: "2Gi"
+- it: should set size
+ template: pvc.yaml
+ set:
+ persistence:
+ enabled: true
+ size: "10Gi"
+ asserts:
+ - equal:
+ path: spec.resources.requests.storage
+ value: "10Gi"
+- it: should not set volumeName
+ template: pvc.yaml
+ set:
+ persistence:
+ enabled: true
+ asserts:
+ - isNull:
+ path: spec.volumeName
+- it: should set default storageClass
+ template: pvc.yaml
+ set:
+ persistence:
+ enabled: true
+ asserts:
+ - equal:
+ path: spec.storageClassName
+ value: ""
+- it: should set custom storageClass
+ template: pvc.yaml
+ set:
+ persistence:
+ enabled: true
+ storageClass: "storage-class"
+ asserts:
+ - equal:
+ path: spec.storageClassName
+ value: "storage-class"
+- it: should set custom volumeName
+ template: pvc.yaml
+ set:
+ persistence:
+ enabled: true
+ volumeName: "volume-name"
+ asserts:
+ - equal:
+ path: spec.volumeName
+ value: "volume-name"
+- it: should set claim from custom static volumeName
+ set:
+ persistence.enabled: true
+ persistence.volumeName: "PREDEFINED-VOLUME"
+ persistence.storageClass: "PREDEFINED-STORAGECLASS"
+ persistence.size: "PREDEFINED-SAMEAS-PVSIZE"
+ template: pvc.yaml
+ asserts:
+ - equal:
+ path: spec.resources.requests.storage
+ value: "PREDEFINED-SAMEAS-PVSIZE"
+ - equal:
+ path: spec.storageClassName
+ value: "PREDEFINED-STORAGECLASS"
diff --git a/charts/rancher-backup/103.0.0+up4.0.0-rc2/tests/s3-secret_test.yaml b/charts/rancher-backup/103.0.0+up4.0.0-rc2/tests/s3-secret_test.yaml
new file mode 100644
index 000000000..af130dd29
--- /dev/null
+++ b/charts/rancher-backup/103.0.0+up4.0.0-rc2/tests/s3-secret_test.yaml
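Review bot: Two cases in pvc_test.yaml carry the same name `it: should set size` (the one checking the default `"2Gi"` and the one that sets `size: "10Gi"`), so a failure report cannot tell them apart. Renaming the second to `- it: should set custom size` follows the `should set custom storageClass` / `should set custom volumeName` naming the suite already uses for its override cases.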
@@ -0,0 +1,141 @@
+suite: Test S3 Secret
+templates:
+- s3-secret.yaml
+- _helpers.tpl
+tests:
+- it: should set name
+ template: s3-secret.yaml
+ set:
+ s3:
+ enabled: true
+ bucketName: "yourbucket"
+ endpoint: "https://s3.amazonaws.com"
+ asserts:
+ - equal:
+ path: metadata.name
+ value: "rancher-backup-s3"
+- it: should set namespace
+ template: s3-secret.yaml
+ set:
+ s3:
+ enabled: true
+ bucketName: "yourbucket"
+ endpoint: "https://s3.amazonaws.com"
+ asserts:
+ - equal:
+ path: metadata.namespace
+ value: "NAMESPACE"
+- it: should not set credentialSecretName
+ template: s3-secret.yaml
+ set:
+ s3:
+ enabled: true
+ bucketName: "yourbucket"
+ endpoint: "https://s3.amazonaws.com"
+ asserts:
+ - isNull:
+ path: stringData.credentialSecretName
+- it: should set credentialSecretName
+ template: s3-secret.yaml
+ set:
+ s3:
+ enabled: true
+ bucketName: "yourbucket"
+ endpoint: "https://s3.amazonaws.com"
+ credentialSecretName: "credential-secret-name"
+ credentialSecretNamespace: "credential-secret-namespace"
+ asserts:
+ - equal:
+ path: stringData.credentialSecretName
+ value: "credential-secret-name"
+ - equal:
+ path: stringData.credentialSecretNamespace
+ value: "credential-secret-namespace"
+- it: should not set folder
+ template: s3-secret.yaml
+ set:
+ s3:
+ enabled: true
+ bucketName: "yourbucket"
+ endpoint: "https://s3.amazonaws.com"
+ asserts:
+ - isNull:
+ path: stringData.folder
+- it: should set folder
+ template: s3-secret.yaml
+ set:
+ s3:
+ enabled: true
+ bucketName: "yourbucket"
+ endpoint: "https://s3.amazonaws.com"
+ folder: "myfolder"
+ asserts:
+ - equal:
+ path: stringData.folder
+ value: "myfolder"
+- it: should not set region
+ template: s3-secret.yaml
+ set:
+ s3:
+ enabled: true
+ bucketName: "yourbucket"
+ endpoint: "https://s3.amazonaws.com"
+ asserts:
+ - isNull:
+ path: stringData.region
+- it: should set region
+ template: s3-secret.yaml
+ set:
+ s3:
+ enabled: true
+ bucketName: "yourbucket"
+ endpoint: "https://s3.amazonaws.com"
+ region: "us-west-1"
+ asserts:
+ - equal:
+ path: stringData.region
+ value: "us-west-1"
+- it: should not set endpointCA
+ template: s3-secret.yaml
+ set:
+ s3:
+ enabled: true
+ bucketName: "yourbucket"
+ endpoint: "https://s3.amazonaws.com"
+ asserts:
+ - isNull:
+ path: stringData.endpointCA
+- it: should set endpointCA
+ template: s3-secret.yaml
+ set:
+ s3:
+ enabled: true
+ bucketName: "yourbucket"
+ endpoint: "https://s3.amazonaws.com"
+ endpointCA: "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"
+ asserts:
+ - equal:
+ path: stringData.endpointCA
+ value: "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"
+- it: should not set insecureTLSSkipVerify
+ template: s3-secret.yaml
+ set:
+ s3:
+ enabled: true
+ bucketName: "yourbucket"
+ endpoint: "https://s3.amazonaws.com"
+ asserts:
+ - isNull:
+ path: stringData.insecureTLSSkipVerify
+- it: should set insecureTLSSkipVerify
+ template: s3-secret.yaml
+ set:
+ s3:
+ enabled: true
+ bucketName: "yourbucket"
+ endpoint: "https://s3.amazonaws.com"
+ insecureTLSSkipVerify: "true"
+ asserts:
+ - equal:
+ path: stringData.insecureTLSSkipVerify
+ value: "true"
diff --git a/charts/rancher-backup/103.0.0+up4.0.0-rc2/values.yaml b/charts/rancher-backup/103.0.0+up4.0.0-rc2/values.yaml
new file mode 100644
index 000000000..b5e3b610f
--- /dev/null
+++ b/charts/rancher-backup/103.0.0+up4.0.0-rc2/values.yaml
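Review bot: The suite covers every optional key that s3-secret.yaml can emit but none of its failure paths: there is no case for `s3.enabled: true` without `bucketName` or without `endpoint`, nor for `credentialSecretName` set while `credentialSecretNamespace` is empty, which are exactly the three `required` calls in the template. helm-unittest's `failedTemplate` assertion (with its `errorMessage` field) can pin those, for example a case that sets only `s3.enabled: true` and `s3.endpoint` and asserts `- failedTemplate:` whose `errorMessage` is the bucketName message from the template. The "should set insecureTLSSkipVerify" case also passes the string `"true"` where values.yaml declares a boolean `false`; the template's `| quote` renders both identically so the assertion holds, but the boolean form would match how users actually set it.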
@@ -0,0 +1,81 @@
+image:
+ repository: rancher/backup-restore-operator
+ tag: v4.0.0-rc2
+
+## Default s3 bucket for storing all backup files created by the backup-restore-operator
+s3:
+ enabled: false
+ ## credentialSecretName if set, should be the name of the Secret containing AWS credentials.
+ ## To use IAM Role, don't set this field
+ credentialSecretName: ""
+ credentialSecretNamespace: ""
+ region: ""
+ bucketName: ""
+ folder: ""
+ endpoint: ""
+ endpointCA: ""
+ insecureTLSSkipVerify: false
+
+## ref: http://kubernetes.io/docs/user-guide/persistent-volumes/
+## If persistence is enabled, operator will create a PVC with mountPath /var/lib/backups
+persistence:
+ enabled: false
+
+ ## If defined, storageClassName:
+ ## If set to "-", storageClassName: "", which disables dynamic provisioning
+ ## If undefined (the default) or set to null, no storageClassName spec is
+ ## set, choosing the default provisioner. (gp2 on AWS, standard on
+ ## GKE, AWS & OpenStack).
+ ## Refer https://kubernetes.io/docs/concepts/storage/persistent-volumes/#class-1
+ ##
+ storageClass: "-"
+
+ ## If you want to disable dynamic provisioning by setting storageClass to "-" above,
+ ## and want to target a particular PV, provide name of the target volume
+ volumeName: ""
+
+ ## Only certain StorageClasses allow resizing PVs; Refer https://kubernetes.io/blog/2018/07/12/resizing-persistent-volumes-using-kubernetes/
+ size: 2Gi
+
+# Add log level flags to backup-restore
+debug: false
+trace: false
+
+# http[s] proxy server passed to backup client
+# proxy: http://@::
+
+# comma separated list of domains or ip addresses that will not use the proxy
+noProxy: 127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,.svc,.cluster.local
+
+global:
+ cattle:
+ systemDefaultRegistry: ""
+ psp:
+ enabled: false # PSP enablement should default to false
+ kubectl:
+ repository: rancher/kubectl
+ tag: v1.21.9
+
+## Node labels for pod assignment
+## Ref: https://kubernetes.io/docs/user-guide/node-selection/
+##
+nodeSelector: {}
+
+## List of node taints to tolerate (requires Kubernetes >= 1.6)
+tolerations: []
+
+affinity: {}
+
+serviceAccount:
+ annotations: {}
+
+priorityClassName: ""
+
+# Override imagePullPolicy for image
+# options: Always, Never, IfNotPresent
+# Defaults to Always
+imagePullPolicy: "Always"
+
+## Optional array of imagePullSecrets containing private registry credentials
+## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+imagePullSecrets: []
From 9a8794ff1ac401511c1838c3d7b3039c85323055 Mon Sep 17 00:00:00 2001
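Review bot: `s3.insecureTLSSkipVerify` is the one value in values.yaml that relaxes a security control, and it is the only `s3` key with no guidance: `credentialSecretName` gets two comment lines while this one gets none. A comment such as `## insecureTLSSkipVerify disables TLS certificate verification for the S3 endpoint; prefer endpointCA for self-signed certificates` documents the trade-off where users will look for it, and the `false` default is the right one to keep. Separately, `global.kubectl.tag: v1.21.9` is several minor versions behind the `kubeVersion: '>= 1.23.0-0'` range this chart family declares (visible in the deleted rc1 Chart.yaml further down the page); the consumer of that image is outside this hunk, but wherever it runs it is likely outside kubectl's supported version skew, so it is worth confirming this is still the intended tag.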
From: Steven Crespo Date: Fri, 27 Oct 2023 15:09:59 -0700 Subject: [PATCH 09/24] Make remove rancher-backup v4.0.0-rc1 --- ...rancher-backup-crd-103.0.0+up4.0.0-rc1.tgz | Bin 1778 -> 0 bytes .../rancher-backup-103.0.0+up4.0.0-rc1.tgz | Bin 11559 -> 0 bytes .../103.0.0+up4.0.0-rc1/Chart.yaml | 11 - .../103.0.0+up4.0.0-rc1/README.md | 3 - .../103.0.0+up4.0.0-rc1/templates/backup.yaml | 141 ------------ .../templates/resourceset.yaml | 118 ---------- .../templates/restore.yaml | 122 ---------- .../103.0.0+up4.0.0-rc1/Chart.yaml | 26 --- .../103.0.0+up4.0.0-rc1/README.md | 79 ------- .../103.0.0+up4.0.0-rc1/app-readme.md | 33 --- .../default-resourceset-contents/aks.yaml | 25 -- .../default-resourceset-contents/eks.yaml | 17 -- .../elemental.yaml | 49 ---- .../default-resourceset-contents/fleet.yaml | 53 ----- .../default-resourceset-contents/gke.yaml | 17 -- .../provisioningv2.yaml | 23 -- .../rancher-operator.yaml | 28 --- .../default-resourceset-contents/rancher.yaml | 65 ------ .../templates/_helpers.tpl | 87 ------- .../templates/clusterrolebinding.yaml | 14 -- .../templates/deployment.yaml | 79 ------- .../templates/hardened.yaml | 124 ---------- .../103.0.0+up4.0.0-rc1/templates/psp.yaml | 31 --- .../103.0.0+up4.0.0-rc1/templates/pvc.yaml | 27 --- .../templates/rancher-resourceset.yaml | 13 -- .../templates/s3-secret.yaml | 31 --- .../templates/serviceaccount.yaml | 11 - .../templates/validate-install-crd.yaml | 16 -- .../templates/validate-psp-install.yaml | 7 - .../tests/deployment_test.yaml | 216 ------------------ .../103.0.0+up4.0.0-rc1/tests/pvc_test.yaml | 102 --------- .../tests/s3-secret_test.yaml | 141 ------------ .../103.0.0+up4.0.0-rc1/values.yaml | 81 ------- index.yaml | 20 +- 34 files changed, 10 insertions(+), 1800 deletions(-) delete mode 100644 assets/rancher-backup-crd/rancher-backup-crd-103.0.0+up4.0.0-rc1.tgz delete mode 100644 assets/rancher-backup/rancher-backup-103.0.0+up4.0.0-rc1.tgz delete mode 100644 
charts/rancher-backup-crd/103.0.0+up4.0.0-rc1/Chart.yaml delete mode 100644 charts/rancher-backup-crd/103.0.0+up4.0.0-rc1/README.md delete mode 100644 charts/rancher-backup-crd/103.0.0+up4.0.0-rc1/templates/backup.yaml delete mode 100644 charts/rancher-backup-crd/103.0.0+up4.0.0-rc1/templates/resourceset.yaml delete mode 100644 charts/rancher-backup-crd/103.0.0+up4.0.0-rc1/templates/restore.yaml delete mode 100644 charts/rancher-backup/103.0.0+up4.0.0-rc1/Chart.yaml delete mode 100644 charts/rancher-backup/103.0.0+up4.0.0-rc1/README.md delete mode 100644 charts/rancher-backup/103.0.0+up4.0.0-rc1/app-readme.md delete mode 100644 charts/rancher-backup/103.0.0+up4.0.0-rc1/files/default-resourceset-contents/aks.yaml delete mode 100644 charts/rancher-backup/103.0.0+up4.0.0-rc1/files/default-resourceset-contents/eks.yaml delete mode 100644 charts/rancher-backup/103.0.0+up4.0.0-rc1/files/default-resourceset-contents/elemental.yaml delete mode 100644 charts/rancher-backup/103.0.0+up4.0.0-rc1/files/default-resourceset-contents/fleet.yaml delete mode 100644 charts/rancher-backup/103.0.0+up4.0.0-rc1/files/default-resourceset-contents/gke.yaml delete mode 100644 charts/rancher-backup/103.0.0+up4.0.0-rc1/files/default-resourceset-contents/provisioningv2.yaml delete mode 100644 charts/rancher-backup/103.0.0+up4.0.0-rc1/files/default-resourceset-contents/rancher-operator.yaml delete mode 100644 charts/rancher-backup/103.0.0+up4.0.0-rc1/files/default-resourceset-contents/rancher.yaml delete mode 100644 charts/rancher-backup/103.0.0+up4.0.0-rc1/templates/_helpers.tpl delete mode 100644 charts/rancher-backup/103.0.0+up4.0.0-rc1/templates/clusterrolebinding.yaml delete mode 100644 charts/rancher-backup/103.0.0+up4.0.0-rc1/templates/deployment.yaml delete mode 100644 charts/rancher-backup/103.0.0+up4.0.0-rc1/templates/hardened.yaml delete mode 100644 charts/rancher-backup/103.0.0+up4.0.0-rc1/templates/psp.yaml delete mode 100644 
charts/rancher-backup/103.0.0+up4.0.0-rc1/templates/pvc.yaml delete mode 100644 charts/rancher-backup/103.0.0+up4.0.0-rc1/templates/rancher-resourceset.yaml delete mode 100644 charts/rancher-backup/103.0.0+up4.0.0-rc1/templates/s3-secret.yaml delete mode 100644 charts/rancher-backup/103.0.0+up4.0.0-rc1/templates/serviceaccount.yaml delete mode 100644 charts/rancher-backup/103.0.0+up4.0.0-rc1/templates/validate-install-crd.yaml delete mode 100644 charts/rancher-backup/103.0.0+up4.0.0-rc1/templates/validate-psp-install.yaml delete mode 100644 charts/rancher-backup/103.0.0+up4.0.0-rc1/tests/deployment_test.yaml delete mode 100644 charts/rancher-backup/103.0.0+up4.0.0-rc1/tests/pvc_test.yaml delete mode 100644 charts/rancher-backup/103.0.0+up4.0.0-rc1/tests/s3-secret_test.yaml delete mode 100644 charts/rancher-backup/103.0.0+up4.0.0-rc1/values.yaml 
diff --git a/assets/rancher-backup-crd/rancher-backup-crd-103.0.0+up4.0.0-rc1.tgz b/assets/rancher-backup-crd/rancher-backup-crd-103.0.0+up4.0.0-rc1.tgz deleted file mode 100644 index ee991420a1352877688886be4465726b1859ff14..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1778 zcmVDc zVQyr3R8em|NM&qo0PI`cZ`(K$&$IsuBKOeyfK@rp$H72x%{l3zxZa_#vwc}CP?{Rc zY$#GoQbCNx{_hKlvMtNhhaK6Q0Gd7&p{U;shclevXe==&3y}R8CXY$nCo*_HUSO%c zC63rxJLLPme|>qG{_p#K@qhp7a(Fhlyz(!GS2x#J!!v(yd41`hA-^U5m6Rxr<(dCt zUd6?|5yG4cjWrcqjd}S1$R2m}ZYZ4e>1%31ST85mx_HazUfmBrR5qi4l;W%FZdFlC{ z-@BV&hyQDcVum%S_n9VMdK6Uq|G*#m*9HH-@jL%N4dtB&#}uA5aPyb)9{;I~ z`#lYMkCX=^G)|Nj(Ij)(JD5{WQ{#_7;{a=H&JXJ|)^3!y_V0~5_f!nT%nYSS;t_I9 zu`ua*gpg(a?-Vf|h*=^rTQf<=6y;&Uuw0Gy5K=@KFCDW)>GaIXd^CmaBOC;&^q75> zlxvVL$gXQ_(e(@qu3WwWbPt!NcB(`&&2G)qk0wO%h z=872j?bpxWhSRNKgkmXT6BAbkYH4NG8*;~f=ks9+s?$eObqG@c+WP@*7> zxwE{5wj-nlZdIFby(?oxIgOHNga#$3<}e7;10zqyHiCrJEqW{kU(dBk1&~AjA+1VxX|w$Q>Pm90LuUoX)I!v8l)N_ANlC-=3k3CE}VqB zlGi|&dq#>rbdA=6)&m=wCFHTpeD`34sui>%A|Wu=h*_13pN6l^yidR!cn}Nf^1b8n z8sDCR+gz{!n+xr-+P{k%u*+r!qBIo&3cX~0b^n=7)(N#KC zwwsOivUVp8zn@~0kR6{_mbx96i3F_5U7#HvF6(QXhjvB$bFLO2Y+wZTt#P+JGvi`SLIlSn5Ku!Js`ueI+|GV%9 zSHrIUcM3X6{V!)XZ59EGC8$*;Fwf4O7VC0g?ooYBu)S&!5nM~b7|03CK>{bmq|TWI zR%L*>jdFzS+OS_4^4(#%4b;+G=gXiaq~Bhgc~({I+!V3emZ>ynssMH8N}DSW1Co}0 zUa#T6Ghs;p|D`-|?nUWcr%|F>lcqKl-Ia^3C0`vW=5jfK5T4`qmGt=bw3CW_EPXIM z16E?)4e{%)$`RINasM1kP|AG^w^XqMP1sm^go@HkqvdRPdvL7dm0If;;}xZP%YUw{x5@Sjk$bGKR8Q6AgjJGo ztkY)A;Ef%@@&u77&*M$0=a6ixti-&@k7|>%U5Nf}y7so}9Ci19EhN0O0jTEwf8!6Y ziv2$q*WLa9By_C%zpdQSWjaCfz0pFW|(*FZxq zB-~5syo^g)oka|F?y(C>*MMtld9QB{c{q5cV?!72zi$~q>KL-~##ovDp zZo1!porL~^Ce{M7f&&^)?s~o3^(a|jsgYh_ZBoa=uO<@(0h%q*_iZcs?sX?eM;&$4 U(QBta0ssL2|HzS|H~>Nb0A#Lc1^@s6 
diff --git a/assets/rancher-backup/rancher-backup-103.0.0+up4.0.0-rc1.tgz b/assets/rancher-backup/rancher-backup-103.0.0+up4.0.0-rc1.tgz deleted file mode 100644 index bf0817e14e183f4504f21e2e1decfc815d05e480..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 11559 zcmV+?E!ff@iwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0PMYKbKAI%9La~iJrb)k1R`$H`%5Z$Ik6e zAQF-oQ3OMPvgNp|=KK81`6W+b;ZAC?9VdOqsIHDh0tW{NI4i&d7uxz5xyk_Q6VKUf zjG;?Qb2zpB@pwg5Rdr`;i~p;tYVzNTT2}v2-r80x)$KPs+vR_#~p^}L=p+~V|+Jr*Os)6`&QFPb% z=M++XoY_=IE;WZHGJx4K^M>QZGDlQ_}b9F=%GA9&GGn-*j1D0ufH<@o8bN88VI@%Ym|a#h;GixnLzxBh*6-*nYHMgRnjewP~<8UV=J?oXDT|LI@m@wU8#4^A=E{1 z8jiJ6DwoOy=$L)~$*fX>@zNC|HNkaV%5k90FX=woQ9f007$n+H-K^4UlUiiikh%f~m8f#*{jwwz;V@ zc}hxhl$@UkL6mG-c!bHOWFy&ciOfcY37TJH*C4fm678E56kysz7ZU1vI`v#sU|i78 zVuD`^nKK)ZudG%Xeg4yPLOT6uIrLn9OiAef8MHh^9@zj`qW`zvRH{k+U#(W2_5V{8 za|%a@X?_7N>Aj1G7+k6kfalduRwfivm&w15ckI3WnGP ztf^^_0JJP1;DMoOF@fnKNRa^sb1rZ5`XW_^9kSuTVur*JS_BmUc=3V(Fpy16Xmyb8 zBHD&i1k52Ih;9Hf#-3$>fe_|Q9s)e%e~ZdM$2Nr~6X&3Q(TM;fB>}#RfkzNHsGk50 zTWA9q*#3nw=zxw*0){5C45qL$(5Qi8G3S*uKKOeVjkrMOKLpJpt%uk$kSl*6+i3DaTx@n+G!$y7w#n@$p|-gFg>|y&5#%Z(&omIT zW{62BvZ*q|mN!LYlL0swg5ZsgfJyvG*#Q1zfos#U6e1uq=2^_d!4Mc|XxgkRwmRSlH7rPopw(~DN52Ox_&i}yREk-Rip33Z zJvQ|*FigU_B*2*4aBAv+n`cZ>3QaGddA7s=ykcv}5KH|vU<+JyWP6si0c@P=3=jwD zz$5||5X(~^V@%lEi$Du|Ms5j!S0ksw?2P(Fhm8Q*26PR8Z6D75QFDVY-Txn)I>_!& zs83$YwX2~aaswkIW4d*0>&T&GQ(~Jn=`VCP1f|SD7C>xZHAdKQdgj;z*U;vKkOa-7 zCu4SkC}n>}!O58daDZoMLx5!lnGcgfcZ4W_z=19`bIO}f!X-dcVThx^G~2@gH8k!W*k};zGk+ddCTxT>y!Vpke~w#k2Wi6`R%6qX0u$`^jj)v znkpWfbR}%R$>?g{q8g~|n}xy)P&W)<;SsRV3|U}k!4dJT)KEGW3^edYK9f+FOBA2g zIhG&EAB;FRjNI-Fxxis#GeS^6w@hZpzYx^|(eN7+1dN=&|KHzO8)l3CUi-~+t>0_E zIoPGYvo3TzokBp616?k|Et612e*;gUX%og4rURg1xQLUKjv*Do!N!z}RW?(+=YoyT z1P0~G8>UZ6>gL;xvKs#Rrcx^J@E_&MM)@84^;Z1c*(i~jzEP64cgey!v#T4v)Il&jtFrZ8%QC@LOSyv zm;f)ZM;-nIyEX9bFW%{~oH_OqFm9lHy-{p2k&eJC7k%|i7m=v1!+njN*9BRN2M@r< zKMDmn9GbRC=K?%idZv!*y3XW3qe?W|z^gc}iCvSkM0_ 
zKIfF-&k8R9b|k2}bq(ia1GLc$xf|eM*v9nCMMSJ{Ip=&}qGllhwFZjfMUfNbl*5G< zfUXPYj66Yop~y+pd~jTI#z^JLH5IibR+%*l$%ISfp*iwgq&V16BzWX*I-X@Iyn97< zr1%|e7LsW3Sy;>dOW6MuO&tp|!Srd2EGEE8)On~Yu+0A7+D_X4J6k)?@xLc2-@Yl* zxB^8XAwNmM_Q_vnMWFokSAkVDhoICK9-@%3ev~Ftwg$}{*R<&n6#s*47ViZBF*)r2 zD2DhT+erOg`1Wn{*TRK}zxh!ap?jbak=jhuabdy(c3l3E4Nzcp28bB|;(0{GG4XMY z-HC;v!32QxFNi)yhGz-oO2?R>D9FOEn-W2v%KW9m<#PnM7?c7ghzX-;;F0Mk?v~eN zTWB9Rv56*VIzw&)PaWtYQ2ec2DsL%j z5tJIx5#civk(Zp}JKe_cw?wvelu4Dc}&8Ss$OC9&he9fdoACBu*XX-+%daA@9e%Q!-UBn5bk zQQ*vMW*O!KkT63l@UKNJZeA=!lh-X~@UQY8q!>e4{_W5E9kY5Ys3TDP&mt&(Dy}~! zJe^`&nnBC(6tx7RV`NQBWGo`CHSp~lFm2uPjJ&~>ME7~Me4aR#U6epX28uz~gMc%8 z2OTG|+JkuOw{ICu?!Z?MQ>Yh?3JNCKg`sOY;XDr&pA8 zKiX9LE+yCgmzI-@Ei^D~!?Z{D-W6D4|EoLIO5FahsBbFI@&6|&6VoVGMHCv4LgwGEsUv_?P$FQ$1w(c_E6~Dsz&35> zU4tzKfp~*2NT+3f@roN>;AN>Ru`KOEg7_|Aag$UP!cAW;T#B!Gk7Nuh+dIUYhCN2W zJ2QQC_|8mU2-%+?{&z|N+*4fyL=MAbskm`aF%`NE004?F;nd29aR=hd!0%TwQ6?g( zKzmp-BL>e{V|l|=pFz|*7>yEgXw;91%&$0rz=tj8aX}!G5juh!Z(9mCTEJg_)l#o1 z9Hsh;M*hEj3nEDVCP13>a`Pbq2f8CtOGZWczFf4H0*Z>lpB9sDMWh+u!AmvcPh-ve z*T|mLB6S6c8}I8{_fxxm((Iho8_nQ-5ItNV?_wfin579~$cYa3nyq^8xcjM7{j^(e z9QDpVb-JfoeZTqX__R^)9-Ou_ameGVm@iyPQL=yaRyM)Om%UEe)!?xpc6Mt~|3XfdcJ9PSe) z|44Kl2FE;VpqM=9QH*pV5OQXUJOWUNf+gvdovO)7xVhfv?HU#|r?p500Ce_fnLH0- z6S+$c$ft?@(+I@OSb9o_Cgv>)PR1e=fozjT?5(3c!aZ{OZ>k#Ta|Kh z|93|%Kl^`AQKBB#fcYn(%XNqc5Ad}Vhe1;aT-WJZ&_k}jmEoEc{SBcp#*<17A36W1}G|aaU(}Agqx%rpvcG08c3#*dwT4N94Uw9u>XJiR}p#?bBi<{ z5$@s%vj0_-r~CdY{!vgACH^guF8~vv;{#;98``2F&TzLNG*Yo=0>o45eT4lp((FWN1t49LoB50i2)|?HjWm-rWf+0y_ zAvOj4BKBZ@Ss*`cL3h(0rR1iZl7}y2X}u}@!yESh70skz%`l#deAfT~8o7uB!{m>| za_r8XaQFu{uO@#r#g8BDkUw$BjsGyY_DG)rFNyz@D_c8>_|NuE^?CpQNy@6aO&$t; zQtd{Zhbgv2I)%%cGyg@C=+J^9NyM|(`QBP5bL-}p9G%1$-jC*zf8UZX|K$maN9bdz z{8zVA^1u8X|9_IQ#V4wDc7Swe_$O$$=`J^FeT(~Ahr?$=| zdJy9f;xDz;8cmBJLC(tkIVgQF(hK%qU84M&7Rk^Lh97N0(gr@4txTBD=3XSa$w@dnY0P zD`mC3^(_CNqQqjQ8J}PUf?ks^J1A=>B)M7?f@nd$xTo&R{w|MfH_|HNmm$tTWfu4Ut89`1Y^Lr-L-Jayn#4;2V?O?$K_u}&Fs 
zqzVF#W<<%%Fve?SC;ei>$Y}!>rvv-;4ah_*1}I*Pku6gj@yux%Da$(5XqJ%;0Kp7e zW@y9bb_J#$pA>!?XMF z@RG0pV+RTzWCSd=|I^?9s$0+T|0gMreemglU(+VOTDy+pwkQ|}8-`6XOJKXUArPs3F|Cc}~R)xA=v}ZqR zko8LjGd^vAm*~bMlrVxzm@$lAp|3#|KC~Dnp?#|Pe>Jo{k^E|E5@On;5;zm-VWd0| zNu{vsBI00vYK}FLX{N*xAHS-|b88auvQ+d_xGfxBm1T>d-6@pZuWk^kzB zs;1=s_H+FANy_(-|0|y>{VLE6(5u||; z;hl})Or#4-fdTcigCGtah&?~8^;zeP0Mm{LG+){|F4hs^nUace8Mff>A3gsG{@0rI zy_05XYCL8iOZfjy^-VJWYjx{6{`)lLMdHGxLZKTjZ0B+A%gMhjr&K72%<3N*JN@y> z&yqYc>DU{TbUfW$au>zxNS}R zU0?+iajaTg@Wfr~McpmzYC$)tfi`5sQXJ@JvUi9r3tw~dkIPPro1emPly%u-2fA>I zC~}FPwlRT(m;<)r=op!95b_ka)zk`wJ8lK7RDI5t@lknIJ{${3@%Ho0*-Yl{?a~Dt>C8EPV zZIW@|5@>j?i)Qk`L2fSKDz9#F_@q^*#Mu# zL7yWu|I7#bS!{0d-+ai$;-c~TpCg8UuQzfX+F*dV6bzWMlI zrA2oLI@Jws$%qXF_Jq&i>m=CN7Dsf}B-BLpU}s~OnLYB?wMoa^=m}cA@~1J?Uu3(X z>Ho>FlVkB0rc^F2Z=P=5s7n-fwg9qqY%rg+&hPA42rY(J2sUq{L9D(`=a{jDIrKHx zU4#X)&cg{QAQ=!wPQd|j3@*7jljg<)%FmuTlmKK>t~p~Dk%-K!6vwX9*#OuDhUp@m zTJxYiw_^K}T?AXC5i*I$&w>m9Dfpbs&+-|_=?w&xgN59$)N6a>3ZcqX9SDH@J9LkFR zL?c8)7f)G5614OkBi@m8k34xr-P9cM%g21EyfwB_Mg)ng7hsq}e!!S!$Cz5!1yivh z6%+DfeC?ZsY!E{P+1NIuV5b;h&jlZuwGhg8$uQzt4!6W!2H_wk^c^@tL>XdNA>Lq& zpn=@vJl%Ss;L!$GXOmi?pn#7#y5(M>G=4O@8}$Lk z&^FitU@chhp2P2PjSx8yt$eyet?5slFmJ?LK{FC82JQ`6!8|dSXat!nMC4Klfe+^3 ztB2gV?>j^=sGl9kOAa@H1N8~-!r!0_Aw)eX3f%##F*Gf4-35U&M1V;H%gOicjJ#uY zr8KeRB964B;x^EbTTB~ts!AkUgL#q*QHucLF{6s`TRo#enGOD@X-AS?`X5!6z@9iG z7+Uum+#qAv=*cURlB3uF1CLoa$mI?qK>8fBFtrt^p`Ng88?|Ekd4yH{utqaX4sZ-9wIbk|J?fq`Belamq3yMHzf{=0V&*k zT`DM2CjbT1ee~HX;T!$0K8u&1Uken)%`Zf_zWmD8NwDsjW6zdYzz-36@M~TffCvSo zOb$aiC5cH8NMq1#01Yt4I=_TBdI?+b-emt#{B25bCbKIo zoaWHKmCZJpH|zh9=~*^k3kPt(_`*d~JVQn(pW{-t1OjC1jA$+*o<%pnufNJg?=2eX zufKv<*yT(MhAtxGU^~KOk5Yv3)xzry&TQf=3c7KSE(M8$T&B#KC^2nCT!`fRDcmXv zR4JEDpL6}_&;Aw8pSh#_8JI(+3dWEKvN$f9nb;%NJg7)r4}C5b{^!5`n^C0jJNWh2 zHm0cd>#v31!9i?uSl+6%!DGKZC>iM%*Wy9~AR$;cc^rTv%jz;OIg~5uSu$-fgfm9c zA%K8MRSU^rfdF4yH0Dw;mkH#>WzIe!=gb0%m|E#+l5@|o;@2fJpMPdT0Kw;|@Aw(K zLNmsbqJt^4JsuX+Ed*_5SOjBz&6boYm4}7=efsxeqs>2r1Rxl=m~lCwOvyze)IPpk 
zopKrvJ(q`AISe7}c_1dZlK2|C6Y%PD+^PJ$kr=`TKvXZiE-^|4v~tBn6EH$de|h>O zI3B<;+W?NhS;scvS5HO+2IJI-B^nTe!;Ott>{k%J=n6fD=_PrQ_M(;TUrxLciRAD> zi&d1d(1aa<42G3S84HY|H4J4!V6FK(Ix(|Aq9g(o!HKUzL}qYCZ`k?>j?}&^7Lq+o;wNr1LFa!V9IyIkvQz%IY%@6e^ZweQ|NXTndU8NENvQ@#Ia zM)+S^)|db2vE{$|X6sE#{%<|Uf1jizm>zvs>6|Tv&pl42&q=qk6j;Llm7O<9`>*<@QhnzCrzqcn&w}-_$O?P}i!SJBscje5d}7n?yLP;a z5Ln*-Bba%QIuT-%h~GOKQAE`YBt_VRQQ~0~SiMK+n36K79@ks`8I}CcT5?z|pnha2 z2r1TYyFXJ4jDK$(Nu>n*3r(9hj*ECCBcS>O&2t7RXdT=o7hdpR zJh1(T@>DnYSfs8et_ryK=yO4d}l%UtJwlYu^x{9j-Ha|G7%0G8J{;#S& z+y75fR^gXW^5=`adokd8f(-z4!&5d@=%o0;$iru`~T5;?77^ptZ)B~Cg=&`zm@H0`|l~r<4b$C zJ{Cy!*y|^XFpnna2kq^#o_|c}C*E`J{IAdd(GS^Xl~qK+vi<+9?Zo{*m9011&+*?U zDUZ+p(e)8E`rHXprcfW7w$F??ZxfHBKmEf;H;O5VrBYxLARf%tS|rl7QS*>t^t#&`LCxbNfG3K z$@Ih)T5?h4Y&a#W1shI}xT%%f$9*GZ-_^`Z6Yfdu+NIq-f+3Mwiz@~p7lf-A3g{(kVwwq&O51*QI`XOkozFg=2AC6T2pz>lP$r;c$XpU6Yz@!F&%JDeLUg z%R5P>SmXp!XyJIsC7l61jpNFPqw@FR_>R21!Y#DC*reK+1}WFlyK}3b%Mv}Td3q-l z@oXjArOfVFM{5cHctD{DQd{_`xyhquGSHKpz{R|V985A?k<6s`8DJu5^jB6l3l((f z*LzP-7Sh68UH?4Ak2be{x{}KOPAIegeV_dkd+^X302kZ;T#4m>|D8Rohyr6(jV`MqVB_--u1u8Bkn!_a}^i;2wsMP}qj zM8XFc#iU(7X?D))jb;WCzAX`4&0GNNx#%JFvIdHbn*4Y1foKy4=_MaPiT}z%COVKv z->HH4pMUf8#b=&niA4I3kEHHrN+uuGKT7HDq6pV{GMfx+)6D{+CtfjaGHhdd<|2Y@ z`W>jg&Vb^mWK6=q8vzTCEHpz_bX5FJjbAIX&IlxKWX(Z9cSK|h88fPZqM~plGSC(| zOS91CZ+w> z3+kTZLiQ{%tiU=Fce%aqcF#VYX{R49<7U%BtiLZhou3Gw_Gu0>J`(EY+l{gs{`sa- zD(~x5Obwe*;{bG8`UsJ;V&B0+^6UFOGm_L3&p>c3q)0K^2_obN zBO3>gn>R@JsEO^c9f(~j&_(W)L|-boAwT~;5BwP>nb5g|V(+4%z5_e)%D)dN{!{^k z7y#UFtwac$u}-qd_7K7?A>DG~EhFDT0_Kr0Bx2fs3omqdd`^u3|ET_v!>c?<9EOH5 zDW+5c=icx!8V-?8c@$sH4ay89HyM%{hNfh?)rTJXv|*FPH^d_UzcN8{AC)K~{Nh&s zMGpFZTl(G)-||9yGw8X1qB$rp6!$@}MqB~4*6LqT?5DcOk7b2Oq=Q-Voxk9G6Wy~c z8O8k$fvsfcc{Y6%i60#c|KC_L_kWz3{wNzivMf9QRo+UR|1IyR<(=pKpQk9%{hzab zBfjzT;9Z>nK(+(yOOd1>{E)4mxVygc*3VO5y6*mvxU%qs`9e>DtFU*&K9d#!C~62A z7p_Ussht@VC+6*wP?cjE9t&{A4Q<4afF!W4?3>>aS5{;MrL3}^9vgiDHPaM{MVKC! 
z>bVw5q|e-az-T1u$<{-((~SMgd^7&BvE?fw9*dJd72V&weT)$$faVSFaTf_kAR3qy zKloL{D-SG&Qglc$VE@*U*5=YkYh;2RSD-BF{@#l*mj*xDzLP6uUSC}U#X0s|@gN9> z$@`)sTi&Evf>U^lZFo&eI-ahgmsUSbrjY8&Ud7*N%Rf2V4BP<^l@_6`k-9R_5%wXk=phCnCf;vn!EL&F)V( zD8M&GN8mT+yy{p4>wbj%3JC!yj<-<--dk-h=z4Hs>_)2Y6JH5l*E7dwW z?@{NXb>+01&h9`x-0t?8*P7by>OG^|xj4AhTCLXkq+RXzTJ7_RwWam6-L86Qcdg5# z^GU1S?H%0qrZ-O)jI9Bn&p0F{G~f7e?9*& zZfng+x!c!l)Z6a$y8RDu(&~2mhr7nL)4VEM&A!#rw5GOuwYLi|np@Z1mT?N3Y#fJ& zaMC(GpBk=yF?L~3-!^V{8|VF2OPjQIyJ~y4*B$S6d)DFkq-}TD?_Phm@uj|H*!}8x zQ+#2P!b=tE&oKLRj{oBj!i@mEG zWbcmKm4nJjwO2V-x2GrerE@wx#ZMEC#cdt66e6@F}o}W7xdT+dUZe5)Y zdfPWA)n*m;FV$|d3_E>C)2r>BBeit{d*zOyI;SW7{?U2&YNxN#o?f}U)vLSnbM>%d zT-+R9Os`1)L%-SW*XIpeYjhiQNB?lu)KzECxUk0UW^>l79JafaceFn}sa)7?+TEXA zpL{XALDksTETej2Yffi!vTdk0Ct9<-)wU0D|NZ$EtoCR9_m@ZK9}b<~m))(42{pCe z*7k9^cRNtaWz_2*4c=eP^~t--PUXt$?e(q)lecqyzYWjrtHz+}^tv5-d1Y&}^Rlts zv&Toh>A|+%YIn7|b9Da2n)aG4dVJfy(p%2S$-Z`USs^!Cd0g%EwB25>)fn8i+eW3` zJHOBxSL*gfr`1%o-j&_!_qN;bds`PDtP^9}tekWY?QYqbH>O)#=eE^4ue3eA-}+*d zTlPgyyXbw{{dzvpZVmO_)p<_a!IyCZ_4<34mF=6}MIUQ+OY8T_jn0SBQOFlpjq_f) zeg3808SJ0j_C9D=Clh1uyxiIwRIYC>KJ@o`J-T~Yadx{sUjLvsDYwooZC7iyv`*t) z`@FmR{=D42(XO2&5AL>`7F+90t$e6ml{ISI8vXVM?Oc0b-#)K64x<85TVtHSr%Ue9Vx&MWV%PTBZyHEEfH z`P*wl?RU_ZtK0TuJn6R%Z`;?-d;P-NZ(m%|i+yLOqgtnWclXQ5du@KD-cV?@kBsv8 zx?}g$E4#ga+SKP)z46wd;+!7c8i(iQme-k#w)K7OKolGp)Q?)~*+-hA`TeHq>>!`DDG= 1.23.0-0 < 1.28.0-0' - catalog.cattle.io/namespace: cattle-resources-system - catalog.cattle.io/os: linux - catalog.cattle.io/permits-os: linux,windows - catalog.cattle.io/provides-gvr: resources.cattle.io.resourceset/v1 - catalog.cattle.io/rancher-version: '>= 2.8.0-0 < 2.9.0-0' - catalog.cattle.io/release-name: rancher-backup - catalog.cattle.io/scope: management - catalog.cattle.io/type: cluster-tool - catalog.cattle.io/ui-component: rancher-backup - catalog.cattle.io/upstream-version: 2.1.1 -apiVersion: v2 -appVersion: 4.0.0-rc1 -description: Provides ability to back up and restore the Rancher application running - on any 
Kubernetes cluster -icon: https://charts.rancher.io/assets/logos/backup-restore.svg -keywords: -- applications -- infrastructure -kubeVersion: '>= 1.23.0-0' -name: rancher-backup -version: 103.0.0+up4.0.0-rc1 diff --git a/charts/rancher-backup/103.0.0+up4.0.0-rc1/README.md b/charts/rancher-backup/103.0.0+up4.0.0-rc1/README.md deleted file mode 100644 index 59bff4425..000000000 --- a/charts/rancher-backup/103.0.0+up4.0.0-rc1/README.md +++ /dev/null 
@@ -1,79 +0,0 @@ -# Rancher Backup - -This chart provides ability to back up and restore the Rancher application running on any Kubernetes cluster. - -Refer [this](https://github.com/rancher/backup-restore-operator) repository for implementation details. - ------ - -### Get Repo Info -```bash -helm repo add rancher-chart https://charts.rancher.io -helm repo update -``` - ------ - -### Install Chart -```bash -helm install rancher-backup-crd rancher-chart/rancher-backup-crd -n cattle-resources-system --create-namespace -helm install rancher-backup rancher-chart/rancher-backup -n cattle-resources-system -``` - ------ - -### Configuration -The following table lists the configurable parameters of the rancher-backup chart and their default values: - -| Parameter | Description | Default | -|----------|---------------|-------| -| image.repository | Container image repository | rancher/backup-restore-operator | -| image.tag | Container image tag | v0.1.0-rc1 | -| s3.enabled | Configure S3 compatible default storage location. Current version supports S3 and MinIO | false | -| s3.credentialSecretName | Name of the Secret containing S3 credentials. This is an optional field. Skip this field in order to use IAM Role authentication. The Secret must contain following two keys, `accessKey` and `secretKey` | "" | -| s3.credentialSecretNamespace | Namespace of the Secret containing S3 credentials. This can be any namespace. | "" | -| s3.region | Region of the S3 Bucket (Required for S3, not valid for MinIO) | "" | -| s3.bucketName | Name of the Bucket | "" | -| s3.folder | Base folder within the Bucket (optional) | "" | -| s3.endpoint | Endpoint for the S3 storage provider | "" | -| s3.endpointCA | Base64 encoded CA cert for the S3 storage provider (optional) | "" | -| s3.insecureTLSSkipVerify | Skip SSL verification | false | -| persistence.enabled | Configure a Persistent Volume as the default storage location. 
It accepts either a StorageClass name to create a PVC, or directly accepts the PV to use. The Persistent Volume is mounted at `/var/lib/backups` in the operator pod | false | -| persistence.storageClass | StorageClass to use for dynamically provisioning the Persistent Volume, which will be used for storing backups | "" | -| persistence.volumeName | Persistent Volume to use for storing backups | "" | -| persistence.size | Requested size of the Persistent Volume (Applicable when using dynamic provisioning) | "" | -| debug | Set debug flag for backup-restore deployment | false | -| trace | Set trace flag for backup-restore deployment | false | -| nodeSelector | https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector | {} | -| tolerations | https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration | [] | -| affinity | https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity | {} | -| serviceAccount.annotations | Annotations to apply to created service account | {} | -| global.cattle.psp.enabled | Enable or disable PSPs in the chart | false | - ------ - -### PSPs - -We have added a configuration to the chart `values.yaml` which allows you to enable or disable PSPs to align with the PSP deprecation in Kubernetes `v1.25` and above. - ------ - -### CRDs - -Refer [this](https://github.com/rancher/backup-restore-operator#crds) section for information on CRDs that this chart installs. Also refer [this](https://github.com/rancher/backup-restore-operator/tree/master/examples) folder containing sample manifests for the CRDs. - ------ -### Upgrading Chart -```bash -helm upgrade rancher-backup-crd -n cattle-resources-system -helm upgrade rancher-backup -n cattle-resources-system -``` - ------ -### Uninstall Chart - -```bash -helm uninstall rancher-backup -n cattle-resources-system -helm uninstall rancher-backup-crd -n cattle-resources-system -``` - 
diff --git a/charts/rancher-backup/103.0.0+up4.0.0-rc1/app-readme.md b/charts/rancher-backup/103.0.0+up4.0.0-rc1/app-readme.md deleted file mode 100644 index b1406d5ee..000000000 --- a/charts/rancher-backup/103.0.0+up4.0.0-rc1/app-readme.md +++ /dev/null 
@@ -1,33 +0,0 @@ -# Rancher Backup - -This chart enables ability to capture backups of the Rancher application and restore from these backups. This chart can be used to migrate Rancher from one Kubernetes cluster to a different Kubernetes cluster. - -For more information on how to use the feature, refer to our [docs](https://ranchermanager.docs.rancher.com/pages-for-subheaders/backup-restore-and-disaster-recovery). - -This chart installs the following components: - -- [backup-restore-operator](https://github.com/rancher/backup-restore-operator) - - The operator handles backing up all Kubernetes resources and CRDs that Rancher creates and manages from the local cluster. It gathers these resources by querying the Kubernetes API server, packages all the resources to create a tarball file and saves it in the configured backup storage location. - - The operator can be configured to store backups in S3-compatible object stores such as AWS S3 and MinIO, and in persistent volumes. During deployment, you can create a default storage location, but there is always the option to override the default storage location with each backup, but will be limited to using an S3-compatible object store. - - It preserves the ownerReferences on all resources, hence maintaining dependencies between objects. - - This operator provides encryption support, to encrypt user specified resources before saving them in the backup file. It uses the same encryption configuration that is used to enable [Kubernetes Encryption at Rest](https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/). -- Backup - A backup is a CRD (`Backup`) that defines when to take backups, where to store the backup and what encryption to use (optional). Backups can be taken ad hoc or scheduled to be taken in intervals. -- Restore - A restore is a CRD (`Restore`) that defines which backup to use to restore the Rancher application to. 
- -## Upgrading to Kubernetes v1.25+ - ​ -Starting in Kubernetes v1.25, [Pod Security Policies](https://kubernetes.io/docs/concepts/security/pod-security-policy/) have been removed from the Kubernetes API. - ​ -As a result, **before upgrading to Kubernetes v1.25** (or on a fresh install in a Kubernetes v1.25+ cluster), users are expected to perform an in-place upgrade of this chart with `global.cattle.psp.enabled` set to `false` if it has been previously set to `true`. -​ -> **Note:** -> In this chart release, any previous field that was associated with any PSP resources have been removed in favor of a single global field: `global.cattle.psp.enabled`. - ​ -> **Note:** -> If you upgrade your cluster to Kubernetes v1.25+ before removing PSPs via a `helm upgrade` (even if you manually clean up resources), **it will leave the Helm release in a broken state within the cluster such that further Helm operations will not work (`helm uninstall`, `helm upgrade`, etc.).** -> -> If your charts get stuck in this state, please consult the Rancher docs on how to clean up your Helm release secrets. -​ -Upon setting `global.cattle.psp.enabled` to false, the chart will remove any PSP resources deployed on its behalf from the cluster. This is the default setting for this chart. -​ -As a replacement for PSPs, [Pod Security Admission](https://kubernetes.io/docs/concepts/security/pod-security-admission/) should be used. Please consult the Rancher docs for more details on how to configure your chart release namespaces to work with the new Pod Security Admission and apply Pod Security Standards. diff --git a/charts/rancher-backup/103.0.0+up4.0.0-rc1/files/default-resourceset-contents/aks.yaml b/charts/rancher-backup/103.0.0+up4.0.0-rc1/files/default-resourceset-contents/aks.yaml deleted file mode 100644 index 779742058..000000000 --- a/charts/rancher-backup/103.0.0+up4.0.0-rc1/files/default-resourceset-contents/aks.yaml +++ /dev/null 
@@ -1,25 +0,0 @@ -- apiVersion: "apiextensions.k8s.io/v1" - kindsRegexp: "." - resourceNameRegexp: "aks.cattle.io$" -- apiVersion: "aks.cattle.io/v1" - kindsRegexp: "." -- apiVersion: "apps/v1" - kindsRegexp: "^deployments$" - namespaces: - - "cattle-system" - resourceNames: - - "aks-config-operator" -- apiVersion: "rbac.authorization.k8s.io/v1" - kindsRegexp: "^clusterroles$" - resourceNames: - - "aks-operator" -- apiVersion: "rbac.authorization.k8s.io/v1" - kindsRegexp: "^clusterrolebindings$" - resourceNames: - - "aks-operator" -- apiVersion: "v1" - kindsRegexp: "^serviceaccounts$" - namespaces: - - "cattle-system" - resourceNames: - - "aks-operator" diff --git a/charts/rancher-backup/103.0.0+up4.0.0-rc1/files/default-resourceset-contents/eks.yaml b/charts/rancher-backup/103.0.0+up4.0.0-rc1/files/default-resourceset-contents/eks.yaml deleted file mode 100644 index ae57baddf..000000000 --- a/charts/rancher-backup/103.0.0+up4.0.0-rc1/files/default-resourceset-contents/eks.yaml +++ /dev/null @@ -1,17 +0,0 @@ -- apiVersion: "eks.cattle.io/v1" - kindsRegexp: "." -- apiVersion: "apps/v1" - kindsRegexp: "^deployments$" - resourceNames: - - "eks-config-operator" -- apiVersion: "apiextensions.k8s.io/v1" - kindsRegexp: "." - resourceNameRegexp: "eks.cattle.io$" -- apiVersion: "rbac.authorization.k8s.io/v1" - kindsRegexp: "^clusterroles$" - resourceNames: - - "eks-operator" -- apiVersion: "rbac.authorization.k8s.io/v1" - kindsRegexp: "^clusterrolebindings$" - resourceNames: - - "eks-operator" diff --git a/charts/rancher-backup/103.0.0+up4.0.0-rc1/files/default-resourceset-contents/elemental.yaml b/charts/rancher-backup/103.0.0+up4.0.0-rc1/files/default-resourceset-contents/elemental.yaml deleted file mode 100644 index 1d38b1229..000000000 --- a/charts/rancher-backup/103.0.0+up4.0.0-rc1/files/default-resourceset-contents/elemental.yaml +++ /dev/null 
@@ -1,49 +0,0 @@ -- apiVersion: "apiextensions.k8s.io/v1" - kindsRegexp: "." - resourceNameRegexp: "elemental.cattle.io$" -- apiVersion: "apps/v1" - kindsRegexp: "^deployments$" - namespaces: - - "cattle-elemental-system" - resourceNames: - - "elemental-operator" -- apiVersion: "rbac.authorization.k8s.io/v1" - kindsRegexp: "^clusterroles$" - resourceNames: - - "elemental-operator" -- apiVersion: "rbac.authorization.k8s.io/v1" - kindsRegexp: "^clusterrolebindings$" - resourceNames: - - "elemental-operator" -- apiVersion: "v1" - kindsRegexp: "^serviceaccounts$" - namespaces: - - "cattle-elemental-system" - resourceNames: - - "elemental-operator" -- apiVersion: "management.cattle.io/v3" - kindsRegexp: "^globalrole$" - resourceNames: - - "elemental-operator" -- apiVersion: "management.cattle.io/v3" - kindsRegexp: "^apiservice$" - resourceNameRegexp: "elemental.cattle.io$" -- apiVersion: "elemental.cattle.io/v1beta1" - kindsRegexp: "." - namespaceRegexp: "^cattle-fleet-|^fleet-" -- apiVersion: "rbac.authorization.k8s.io/v1" - kindsRegexp: "^roles$|^rolebindings$" - labelSelectors: - matchExpressions: - - key: "elemental.cattle.io/managed" - operator: "In" - values: ["true"] - namespaceRegexp: "^cattle-fleet-|^fleet-" -- apiVersion: "v1" - kindsRegexp: "^secrets$|^serviceaccounts$" - labelSelectors: - matchExpressions: - - key: "elemental.cattle.io/managed" - operator: "In" - values: ["true"] - namespaceRegexp: "^cattle-fleet-|^fleet-" diff --git a/charts/rancher-backup/103.0.0+up4.0.0-rc1/files/default-resourceset-contents/fleet.yaml b/charts/rancher-backup/103.0.0+up4.0.0-rc1/files/default-resourceset-contents/fleet.yaml deleted file mode 100644 index a14125fec..000000000 --- a/charts/rancher-backup/103.0.0+up4.0.0-rc1/files/default-resourceset-contents/fleet.yaml +++ /dev/null 
@@ -1,53 +0,0 @@ -- apiVersion: "v1" - kindsRegexp: "^namespaces$" - resourceNameRegexp: "^fleet-" -- apiVersion: "v1" - kindsRegexp: "^secrets$" - namespaceRegexp: "^cattle-fleet-|^fleet-" - excludeResourceNameRegexp: "^import-token" - labelSelectors: - matchExpressions: - - key: "owner" - operator: "NotIn" - values: ["helm"] - - key: "fleet.cattle.io/managed" - operator: "In" - values: ["true"] -- apiVersion: "v1" - kindsRegexp: "^serviceaccounts$" - namespaceRegexp: "^cattle-fleet-|^fleet-" - excludeResourceNameRegexp: "^default$" -- apiVersion: "v1" - kindsRegexp: "^configmaps$" - namespaceRegexp: "^cattle-fleet-|^fleet-" -- apiVersion: "rbac.authorization.k8s.io/v1" - kindsRegexp: "^roles$|^rolebindings$" - namespaceRegexp: "^cattle-fleet-|^fleet-" -- apiVersion: "rbac.authorization.k8s.io/v1" - kindsRegexp: "^clusterrolebindings$" - resourceNameRegexp: "^fleet-|^gitjob-" -- apiVersion: "rbac.authorization.k8s.io/v1" - kindsRegexp: "^clusterroles$" - resourceNameRegexp: "^fleet-" - resourceNames: - - "gitjob" -- apiVersion: "apiextensions.k8s.io/v1" - kindsRegexp: "." - resourceNameRegexp: "fleet.cattle.io$|gitjob.cattle.io$" -- apiVersion: "fleet.cattle.io/v1alpha1" - kindsRegexp: "." - excludeKinds: - - "bundledeployments" -- apiVersion: "gitjob.cattle.io/v1" - kindsRegexp: "." -- apiVersion: "apps/v1" - kindsRegexp: "^deployments$" - namespaceRegexp: "^cattle-fleet-|^fleet-" - resourceNameRegexp: "^fleet-" - resourceNames: - - "gitjob" -- apiVersion: "apps/v1" - kindsRegexp: "^services$" - namespaceRegexp: "^cattle-fleet-|^fleet-" - resourceNames: - - "gitjob" diff --git a/charts/rancher-backup/103.0.0+up4.0.0-rc1/files/default-resourceset-contents/gke.yaml b/charts/rancher-backup/103.0.0+up4.0.0-rc1/files/default-resourceset-contents/gke.yaml deleted file mode 100644 index a87eef364..000000000 --- a/charts/rancher-backup/103.0.0+up4.0.0-rc1/files/default-resourceset-contents/gke.yaml +++ /dev/null 
@@ -1,17 +0,0 @@ -- apiVersion: "apiextensions.k8s.io/v1" - kindsRegexp: "." - resourceNameRegexp: "gke.cattle.io$" -- apiVersion: "gke.cattle.io/v1" - kindsRegexp: "." -- apiVersion: "apps/v1" - kindsRegexp: "^deployments$" - resourceNames: - - "gke-config-operator" -- apiVersion: "rbac.authorization.k8s.io/v1" - kindsRegexp: "^clusterroles$" - resourceNames: - - "gke-operator" -- apiVersion: "rbac.authorization.k8s.io/v1" - kindsRegexp: "^clusterrolebindings$" - resourceNames: - - "gke-operator" diff --git a/charts/rancher-backup/103.0.0+up4.0.0-rc1/files/default-resourceset-contents/provisioningv2.yaml b/charts/rancher-backup/103.0.0+up4.0.0-rc1/files/default-resourceset-contents/provisioningv2.yaml deleted file mode 100644 index 50a7f906b..000000000 --- a/charts/rancher-backup/103.0.0+up4.0.0-rc1/files/default-resourceset-contents/provisioningv2.yaml +++ /dev/null @@ -1,23 +0,0 @@ -- apiVersion: "apiextensions.k8s.io/v1" - kindsRegexp: "." - resourceNameRegexp: "provisioning.cattle.io$|rke-machine-config.cattle.io$|rke-machine.cattle.io$|rke.cattle.io$|cluster.x-k8s.io$" -- apiVersion: "provisioning.cattle.io/v1" - kindsRegexp: "." -- apiVersion: "rke-machine-config.cattle.io/v1" - kindsRegexp: "." -- apiVersion: "rke-machine.cattle.io/v1" - kindsRegexp: "." -- apiVersion: "rke.cattle.io/v1" - kindsRegexp: "." -- apiVersion: "cluster.x-k8s.io/v1beta1" - kindsRegexp: "." -- apiVersion: "v1" - kindsRegexp: "^secrets$" - resourceNameRegexp: "machine-plan$|rke-state$|machine-state$|machine-driver-secret$|machine-provision$|^harvesterconfig" - namespaces: - - "fleet-default" -- apiVersion: "v1" - kindsRegexp: "^configmaps$" - resourceNames: - - "provisioning-log" - namespaceRegexp: "^c-m-" diff --git a/charts/rancher-backup/103.0.0+up4.0.0-rc1/files/default-resourceset-contents/rancher-operator.yaml b/charts/rancher-backup/103.0.0+up4.0.0-rc1/files/default-resourceset-contents/rancher-operator.yaml deleted file mode 100644 index f30c2fd96..000000000 
--- a/charts/rancher-backup/103.0.0+up4.0.0-rc1/files/default-resourceset-contents/rancher-operator.yaml +++ /dev/null @@ -1,28 +0,0 @@ -- apiVersion: "rancher.cattle.io/v1" - kindsRegexp: "." -- apiVersion: "apps/v1" - kindsRegexp: "^deployments$" - resourceNames: - - "rancher-operator" - namespaces: - - "rancher-operator-system" -- apiVersion: "v1" - kindsRegexp: "^serviceaccounts$" - namespaces: - - "rancher-operator-system" - excludeResourceNameRegexp: "^default$" -- apiVersion: "rbac.authorization.k8s.io/v1" - kindsRegexp: "^clusterrolebindings$" - resourceNames: - - "rancher-operator" -- apiVersion: "rbac.authorization.k8s.io/v1" - kindsRegexp: "^clusterroles$" - resourceNames: - - "rancher-operator" -- apiVersion: "apiextensions.k8s.io/v1" - kindsRegexp: "." - resourceNameRegexp: "rancher.cattle.io$" -- apiVersion: "v1" - kindsRegexp: "^namespaces$" - resourceNames: - - "rancher-operator-system" diff --git a/charts/rancher-backup/103.0.0+up4.0.0-rc1/files/default-resourceset-contents/rancher.yaml b/charts/rancher-backup/103.0.0+up4.0.0-rc1/files/default-resourceset-contents/rancher.yaml deleted file mode 100644 index 47fa2e02f..000000000 --- a/charts/rancher-backup/103.0.0+up4.0.0-rc1/files/default-resourceset-contents/rancher.yaml +++ /dev/null 
@@ -1,65 +0,0 @@ -- apiVersion: "v1" - kindsRegexp: "^namespaces$" - resourceNameRegexp: "^cattle-|^p-|^c-|^user-|^u-" - resourceNames: - - "local" -- apiVersion: "v1" - kindsRegexp: "^secrets$" - namespaceRegexp: "^cattle-|^p-|^c-|^local$|^user-|^u-" - labelSelectors: - matchExpressions: - - key: "owner" - operator: "NotIn" - values: ["helm"] - excludeResourceNameRegexp: "^bootstrap-secret$|^rancher-csp-adapter|^csp-adapter-cache$" -- apiVersion: "v1" - kindsRegexp: "^serviceaccounts$" - namespaceRegexp: "^cattle-|^p-|^c-|^local$|^user-|^u-" - excludeResourceNameRegexp: "^default$|^rancher-csp-adapter$" -- apiVersion: "v1" - kindsRegexp: "^configmaps$" - namespaces: - - "cattle-system" -- apiVersion: "rbac.authorization.k8s.io/v1" - kindsRegexp: "^roles$|^rolebindings$" - namespaceRegexp: "^cattle-|^p-|^c-|^local$|^user-|^u-" - excludeResourceNameRegexp: "^rancher-csp-adapter" -- apiVersion: "rbac.authorization.k8s.io/v1" - kindsRegexp: "^clusterrolebindings$" - resourceNameRegexp: "^cattle-|^clusterrolebinding-|^globaladmin-user-|^grb-u-|^crb-" -- apiVersion: "rbac.authorization.k8s.io/v1" - kindsRegexp: "^clusterroles$" - resourceNameRegexp: "^cattle-|^p-|^c-|^local-|^user-|^u-|^project-|^create-ns$" - excludeResourceNameRegexp: "^rancher-csp-adapter-" -- apiVersion: "scheduling.k8s.io/v1" - kindsRegexp: "^priorityclasses$" - resourceNameRegexp: "^rancher-critical$" -- apiVersion: "apiextensions.k8s.io/v1" - kindsRegexp: "." - resourceNameRegexp: "management.cattle.io$|project.cattle.io$|catalog.cattle.io$|resources.cattle.io$" -- apiVersion: "management.cattle.io/v3" - kindsRegexp: "." - excludeKinds: - - "tokens" - - "rancherusernotifications" -- apiVersion: "management.cattle.io/v3" - kindsRegexp: "^tokens$" - labelSelectors: - matchExpressions: - - key: "authn.management.cattle.io/kind" - operator: "NotIn" - values: [ "provisioning" ] -- apiVersion: "project.cattle.io/v3" - kindsRegexp: "." 
-- apiVersion: "catalog.cattle.io/v1" - kindsRegexp: "^clusterrepos$" -- apiVersion: "resources.cattle.io/v1" - kindsRegexp: "^ResourceSet$" -- apiVersion: "v1" - kindsRegexp: "^secrets$" - namespaceRegexp: "^.*$" - labelSelectors: - matchExpressions: - - key: "resources.cattle.io/backup" - operator: "In" - values: ["true"] diff --git a/charts/rancher-backup/103.0.0+up4.0.0-rc1/templates/_helpers.tpl b/charts/rancher-backup/103.0.0+up4.0.0-rc1/templates/_helpers.tpl deleted file mode 100644 index a5e485243..000000000 --- a/charts/rancher-backup/103.0.0+up4.0.0-rc1/templates/_helpers.tpl +++ /dev/null 
@@ -1,87 +0,0 @@ -{{- define "system_default_registry" -}} -{{- if .Values.global.cattle.systemDefaultRegistry -}} -{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}} -{{- else -}} -{{- "" -}} -{{- end -}} -{{- end -}} - -{{/* -Windows cluster will add default taint for linux nodes, -add below linux tolerations to workloads could be scheduled to those linux nodes -*/}} -{{- define "linux-node-tolerations" -}} -- key: "cattle.io/os" - value: "linux" - effect: "NoSchedule" - operator: "Equal" -{{- end -}} - -{{- define "linux-node-selector" -}} -{{- if semverCompare "<1.14-0" .Capabilities.KubeVersion.GitVersion -}} -beta.kubernetes.io/os: linux -{{- else -}} -kubernetes.io/os: linux -{{- end -}} -{{- end -}} - -{{/* -Create a default fully qualified app name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -*/}} -{{- define "backupRestore.fullname" -}} -{{- .Chart.Name | trunc 63 | trimSuffix "-" }} -{{- end }} - -{{/* -Create chart name and version as used by the chart label. -*/}} -{{- define "backupRestore.chart" -}} -{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} -{{- end }} - -{{/* -Common labels -*/}} -{{- define "backupRestore.labels" -}} -helm.sh/chart: {{ include "backupRestore.chart" . }} -{{ include "backupRestore.selectorLabels" . }} -{{- if .Chart.AppVersion }} -app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} -{{- end }} -app.kubernetes.io/managed-by: {{ .Release.Service }} -{{- end }} - -{{/* -Selector labels -*/}} -{{- define "backupRestore.selectorLabels" -}} -app.kubernetes.io/name: {{ include "backupRestore.fullname" . }} -app.kubernetes.io/instance: {{ .Release.Name }} -resources.cattle.io/operator: backup-restore -{{- end }} - - -{{/* -Create the name of the service account to use -*/}} -{{- define "backupRestore.serviceAccountName" -}} -{{ include "backupRestore.fullname" . 
}} -{{- end }} - - -{{- define "backupRestore.s3SecretName" -}} -{{- printf "%s-%s" .Chart.Name "s3" | replace "+" "_" | trunc 63 | trimSuffix "-" }} -{{- end }} - -{{/* -Create PVC name using release and revision number, unless a volumeName is given. -*/}} -{{- define "backupRestore.pvcName" -}} -{{- if and .Values.persistence.volumeName }} -{{- printf "%s" .Values.persistence.volumeName }} -{{- else -}} -{{- printf "%s-%d" .Release.Name .Release.Revision }} -{{- end }} -{{- end }} - diff --git a/charts/rancher-backup/103.0.0+up4.0.0-rc1/templates/clusterrolebinding.yaml b/charts/rancher-backup/103.0.0+up4.0.0-rc1/templates/clusterrolebinding.yaml deleted file mode 100644 index cf4abf670..000000000 --- a/charts/rancher-backup/103.0.0+up4.0.0-rc1/templates/clusterrolebinding.yaml +++ /dev/null @@ -1,14 +0,0 @@ -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: {{ include "backupRestore.fullname" . }} - labels: - {{- include "backupRestore.labels" . | nindent 4 }} -subjects: -- kind: ServiceAccount - name: {{ include "backupRestore.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} -roleRef: - kind: ClusterRole - name: cluster-admin - apiGroup: rbac.authorization.k8s.io diff --git a/charts/rancher-backup/103.0.0+up4.0.0-rc1/templates/deployment.yaml b/charts/rancher-backup/103.0.0+up4.0.0-rc1/templates/deployment.yaml deleted file mode 100644 index 631fa458b..000000000 --- a/charts/rancher-backup/103.0.0+up4.0.0-rc1/templates/deployment.yaml +++ /dev/null 
@@ -1,79 +0,0 @@ -{{- if and .Values.s3.enabled .Values.persistence.enabled }} -{{- fail "\n\nCannot configure both s3 and PV for storing backups" }} -{{- end }} -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "backupRestore.fullname" . }} - namespace: {{ .Release.Namespace }} - labels: - {{- include "backupRestore.labels" . | nindent 4 }} -spec: - selector: - matchLabels: - {{- include "backupRestore.selectorLabels" . | nindent 6 }} - template: - metadata: - labels: - {{- include "backupRestore.selectorLabels" . | nindent 8 }} - annotations: - checksum/s3: {{ include (print $.Template.BasePath "/s3-secret.yaml") . | sha256sum }} - checksum/pvc: {{ include (print $.Template.BasePath "/pvc.yaml") . | sha256sum }} - spec: - serviceAccountName: {{ include "backupRestore.serviceAccountName" . }} - {{- if .Values.imagePullSecrets }} - imagePullSecrets: - {{ toYaml .Values.imagePullSecrets | indent 6 }} - {{- end }} - {{- if .Values.priorityClassName }} - priorityClassName: {{ .Values.priorityClassName }} - {{- end }} - containers: - - name: {{ .Chart.Name }} - image: {{ template "system_default_registry" . }}{{ .Values.image.repository }}:{{ .Values.image.tag }} - imagePullPolicy: {{ default "Always" .Values.imagePullPolicy }} - args: -{{- if .Values.debug }} - - "--debug" -{{- end }} -{{- if .Values.trace }} - - "--trace" -{{- end }} - env: - - name: CHART_NAMESPACE - value: {{ .Release.Namespace }} - {{- if .Values.s3.enabled }} - - name: DEFAULT_S3_BACKUP_STORAGE_LOCATION - value: {{ include "backupRestore.s3SecretName" . 
}} - {{- end }} - {{- if .Values.proxy }} - - name: HTTP_PROXY - value: {{ .Values.proxy }} - - name: HTTPS_PROXY - value: {{ .Values.proxy }} - - name: NO_PROXY - value: {{ .Values.noProxy }} - {{- end }} - {{- if .Values.persistence.enabled }} - - name: DEFAULT_PERSISTENCE_ENABLED - value: "persistence-enabled" - volumeMounts: - - mountPath: "/var/lib/backups" - name: pv-storage - volumes: - - name: pv-storage - persistentVolumeClaim: - claimName: {{ include "backupRestore.pvcName" . }} - {{- end }} - nodeSelector: {{ include "linux-node-selector" . | nindent 8 }} -{{- if .Values.nodeSelector }} -{{ toYaml .Values.nodeSelector | indent 8 }} -{{- end }} - {{- with .Values.affinity }} - affinity: - {{- toYaml . | nindent 8 }} - {{- end }} - tolerations: {{ include "linux-node-tolerations" . | nindent 8 }} -{{- if .Values.tolerations }} -{{ toYaml .Values.tolerations | indent 8 }} -{{- end }} diff --git a/charts/rancher-backup/103.0.0+up4.0.0-rc1/templates/hardened.yaml b/charts/rancher-backup/103.0.0+up4.0.0-rc1/templates/hardened.yaml deleted file mode 100644 index bf8492ce0..000000000 --- a/charts/rancher-backup/103.0.0+up4.0.0-rc1/templates/hardened.yaml +++ /dev/null 
@@ -1,124 +0,0 @@ -apiVersion: batch/v1 -kind: Job -metadata: - name: {{ include "backupRestore.fullname" . }}-patch-sa - namespace: {{ .Release.Namespace }} - labels: {{ include "backupRestore.labels" . | nindent 4 }} - annotations: - "helm.sh/hook": post-install, post-upgrade - "helm.sh/hook-delete-policy": hook-succeeded, before-hook-creation -spec: - backoffLimit: 1 - template: - spec: - serviceAccountName: {{ include "backupRestore.fullname" . }}-patch-sa - securityContext: - runAsNonRoot: true - runAsUser: 1000 - restartPolicy: Never - nodeSelector: {{ include "linux-node-selector" . | nindent 8 }} -{{- if .Values.nodeSelector }} -{{ toYaml .Values.nodeSelector | indent 8 }} -{{- end }} - tolerations: {{ include "linux-node-tolerations" . | nindent 8 }} -{{- if .Values.tolerations }} -{{ toYaml .Values.tolerations | indent 8 }} -{{- end }} - containers: - - name: {{ include "backupRestore.fullname" . }}-patch-sa - image: {{ include "system_default_registry" . }}{{ .Values.global.kubectl.repository }}:{{ .Values.global.kubectl.tag }} - imagePullPolicy: IfNotPresent - command: ["kubectl", "-n", {{ .Release.Namespace | quote }}, "patch", "serviceaccount", "default", "-p", "{\"automountServiceAccountToken\": false}"] ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ include "backupRestore.fullname" . }}-patch-sa - namespace: {{ .Release.Namespace }} - labels: {{ include "backupRestore.labels" . | nindent 4 }} - annotations: - "helm.sh/hook": post-install, post-upgrade - "helm.sh/hook-delete-policy": hook-succeeded, before-hook-creation ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ include "backupRestore.fullname" . }}-patch-sa - labels: {{ include "backupRestore.labels" . 
| nindent 4 }} - annotations: - "helm.sh/hook": post-install, post-upgrade - "helm.sh/hook-delete-policy": hook-succeeded, before-hook-creation -rules: - - apiGroups: [""] - resources: ["serviceaccounts"] - verbs: ["get", "patch"] -{{- if .Values.global.cattle.psp.enabled}} - - apiGroups: ["policy"] - resources: ["podsecuritypolicies"] - verbs: ["use"] - resourceNames: - - {{ include "backupRestore.fullname" . }}-patch-sa -{{- end}} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: {{ include "backupRestore.fullname" . }}-patch-sa - labels: {{ include "backupRestore.labels" . | nindent 4 }} - annotations: - "helm.sh/hook": post-install, post-upgrade - "helm.sh/hook-delete-policy": hook-succeeded, before-hook-creation -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: {{ include "backupRestore.fullname" . }}-patch-sa -subjects: - - kind: ServiceAccount - name: {{ include "backupRestore.fullname" . }}-patch-sa - namespace: {{ .Release.Namespace }} ---- -{{- if .Values.global.cattle.psp.enabled}} -apiVersion: policy/v1beta1 -kind: PodSecurityPolicy -metadata: - name: {{ include "backupRestore.fullname" . }}-patch-sa - labels: {{ include "backupRestore.labels" . | nindent 4 }} - annotations: - "helm.sh/hook": post-install, post-upgrade - "helm.sh/hook-delete-policy": hook-succeeded, before-hook-creation -spec: - privileged: false - hostNetwork: false - hostIPC: false - hostPID: false - runAsUser: - rule: 'MustRunAsNonRoot' - seLinux: - rule: 'RunAsAny' - supplementalGroups: - rule: 'MustRunAs' - ranges: - - min: 1 - max: 65535 - fsGroup: - rule: 'MustRunAs' - ranges: - - min: 1 - max: 65535 - readOnlyRootFilesystem: false - volumes: - - 'secret' -{{- end}} ---- -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: {{ include "backupRestore.fullname" . 
}}-default-allow-all - namespace: {{ .Release.Namespace }} -spec: - podSelector: {} - egress: - - {} - policyTypes: - - Ingress - - Egress diff --git a/charts/rancher-backup/103.0.0+up4.0.0-rc1/templates/psp.yaml b/charts/rancher-backup/103.0.0+up4.0.0-rc1/templates/psp.yaml deleted file mode 100644 index 34bc96ee7..000000000 --- a/charts/rancher-backup/103.0.0+up4.0.0-rc1/templates/psp.yaml +++ /dev/null @@ -1,31 +0,0 @@ -{{- if .Values.global.cattle.psp.enabled -}} -apiVersion: policy/v1beta1 -kind: PodSecurityPolicy -metadata: - name: {{ include "backupRestore.fullname" . }}-psp - labels: {{ include "backupRestore.labels" . | nindent 4 }} -spec: - privileged: false - allowPrivilegeEscalation: false - hostNetwork: false - hostIPC: false - hostPID: false - runAsUser: - rule: 'MustRunAsNonRoot' - seLinux: - rule: 'RunAsAny' - supplementalGroups: - rule: 'MustRunAs' - ranges: - - min: 1 - max: 65535 - fsGroup: - rule: 'MustRunAs' - ranges: - - min: 1 - max: 65535 - readOnlyRootFilesystem: false - volumes: - - 'persistentVolumeClaim' - - 'secret' -{{- end -}} diff --git a/charts/rancher-backup/103.0.0+up4.0.0-rc1/templates/pvc.yaml b/charts/rancher-backup/103.0.0+up4.0.0-rc1/templates/pvc.yaml deleted file mode 100644 index ff57e4dab..000000000 --- a/charts/rancher-backup/103.0.0+up4.0.0-rc1/templates/pvc.yaml +++ /dev/null 
@@ -1,27 +0,0 @@ -{{- if and .Values.persistence.enabled -}} -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: {{ include "backupRestore.pvcName" . }} - namespace: {{ .Release.Namespace }} - labels: - {{- include "backupRestore.labels" . | nindent 4 }} -spec: - accessModes: - - ReadWriteOnce - resources: - {{- with .Values.persistence }} - requests: - storage: {{ .size | quote }} -{{- if .storageClass }} -{{- if (eq "-" .storageClass) }} - storageClassName: "" -{{- else }} - storageClassName: {{ .storageClass | quote }} -{{- end }} -{{- end }} -{{- if .volumeName }} - volumeName: {{ .volumeName | quote }} -{{- end }} -{{- end }} -{{- end }} diff --git a/charts/rancher-backup/103.0.0+up4.0.0-rc1/templates/rancher-resourceset.yaml b/charts/rancher-backup/103.0.0+up4.0.0-rc1/templates/rancher-resourceset.yaml deleted file mode 100644 index 05add8824..000000000 --- a/charts/rancher-backup/103.0.0+up4.0.0-rc1/templates/rancher-resourceset.yaml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: resources.cattle.io/v1 -kind: ResourceSet -metadata: - name: rancher-resource-set -controllerReferences: - - apiVersion: "apps/v1" - resource: "deployments" - name: "rancher" - namespace: "cattle-system" -resourceSelectors: -{{- range $path, $_ := .Files.Glob "files/default-resourceset-contents/*.yaml" -}} - {{- $.Files.Get $path | nindent 2 -}} -{{- end -}} diff --git a/charts/rancher-backup/103.0.0+up4.0.0-rc1/templates/s3-secret.yaml b/charts/rancher-backup/103.0.0+up4.0.0-rc1/templates/s3-secret.yaml deleted file mode 100644 index 726509730..000000000 --- a/charts/rancher-backup/103.0.0+up4.0.0-rc1/templates/s3-secret.yaml +++ /dev/null 
@@ -1,31 +0,0 @@ -{{- if .Values.s3.enabled -}} -apiVersion: v1 -kind: Secret -metadata: - name: {{ include "backupRestore.s3SecretName" . }} - namespace: {{ .Release.Namespace }} - labels: - {{- include "backupRestore.labels" . | nindent 4 }} -type: Opaque -stringData: - {{- with .Values.s3 }} - {{- if .credentialSecretName }} - credentialSecretName: {{ .credentialSecretName }} - credentialSecretNamespace: {{ required "When providing a Secret containing S3 credentials, a valid .Values.credentialSecretNamespace must be provided" .credentialSecretNamespace }} - {{- end }} - {{- if .region }} - region: {{ .region | quote }} - {{- end }} - bucketName: {{ required "A valid .Values.bucketName is required for configuring S3 compatible storage as the default backup storage location" .bucketName | quote }} - {{- if .folder }} - folder: {{ .folder | quote }} - {{- end }} - endpoint: {{ required "A valid .Values.endpoint is required for configuring S3 compatible storage as the default backup storage location" .endpoint | quote }} - {{- if .endpointCA }} - endpointCA: {{ .endpointCA }} - {{- end }} - {{- if .insecureTLSSkipVerify }} - insecureTLSSkipVerify: {{ .insecureTLSSkipVerify | quote }} - {{- end }} - {{- end }} -{{ end }} diff --git a/charts/rancher-backup/103.0.0+up4.0.0-rc1/templates/serviceaccount.yaml b/charts/rancher-backup/103.0.0+up4.0.0-rc1/templates/serviceaccount.yaml deleted file mode 100644 index 754e1fe89..000000000 --- a/charts/rancher-backup/103.0.0+up4.0.0-rc1/templates/serviceaccount.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ include "backupRestore.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} - labels: - {{- include "backupRestore.labels" . | nindent 4 }} -{{- if .Values.serviceAccount.annotations }} - annotations: - {{- toYaml .Values.serviceAccount.annotations | nindent 4 }} -{{- end }} 
diff --git a/charts/rancher-backup/103.0.0+up4.0.0-rc1/templates/validate-install-crd.yaml b/charts/rancher-backup/103.0.0+up4.0.0-rc1/templates/validate-install-crd.yaml deleted file mode 100644 index f63fd2e2e..000000000 --- a/charts/rancher-backup/103.0.0+up4.0.0-rc1/templates/validate-install-crd.yaml +++ /dev/null @@ -1,16 +0,0 @@ -#{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}} -# {{- $found := dict -}} -# {{- set $found "resources.cattle.io/v1/Backup" false -}} -# {{- set $found "resources.cattle.io/v1/ResourceSet" false -}} -# {{- set $found "resources.cattle.io/v1/Restore" false -}} -# {{- range .Capabilities.APIVersions -}} -# {{- if hasKey $found (toString .) -}} -# {{- set $found (toString .) true -}} -# {{- end -}} -# {{- end -}} -# {{- range $_, $exists := $found -}} -# {{- if (eq $exists false) -}} -# {{- required "Required CRDs are missing. Please install the corresponding CRD chart before installing this chart." "" -}} -# {{- end -}} -# {{- end -}} -#{{- end -}} \ No newline at end of file diff --git a/charts/rancher-backup/103.0.0+up4.0.0-rc1/templates/validate-psp-install.yaml b/charts/rancher-backup/103.0.0+up4.0.0-rc1/templates/validate-psp-install.yaml deleted file mode 100644 index a30c59d3b..000000000 --- a/charts/rancher-backup/103.0.0+up4.0.0-rc1/templates/validate-psp-install.yaml +++ /dev/null @@ -1,7 +0,0 @@ -#{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}} -#{{- if .Values.global.cattle.psp.enabled }} -#{{- if not (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }} -#{{- fail "The target cluster does not have the PodSecurityPolicy API resource. Please disable PSPs in this chart before proceeding." -}} -#{{- end }} -#{{- end }} -#{{- end }} diff --git a/charts/rancher-backup/103.0.0+up4.0.0-rc1/tests/deployment_test.yaml b/charts/rancher-backup/103.0.0+up4.0.0-rc1/tests/deployment_test.yaml deleted file mode 100644 index 671d415db..000000000 
--- a/charts/rancher-backup/103.0.0+up4.0.0-rc1/tests/deployment_test.yaml +++ /dev/null 
@@ -1,216 +0,0 @@ -suite: Test Deployment -templates: -- deployment.yaml -- s3-secret.yaml -- pvc.yaml -- _helpers.tpl -tests: -- it: should set name - template: deployment.yaml - asserts: - - equal: - path: metadata.name - value: "rancher-backup" -- it: should set namespace - template: deployment.yaml - asserts: - - equal: - path: metadata.namespace - value: "NAMESPACE" -- it: should set priorityClassName - set: - priorityClassName: "testClass" - template: deployment.yaml - asserts: - - equal: - path: spec.template.spec.priorityClassName - value: "testClass" -- it: should set default imagePullPolicy - template: deployment.yaml - asserts: - - equal: - path: spec.template.spec.containers[0].imagePullPolicy - value: "Always" -- it: should set imagePullPolicy - set: - imagePullPolicy: "IfNotPresent" - template: deployment.yaml - asserts: - - equal: - path: spec.template.spec.containers[0].imagePullPolicy - value: "IfNotPresent" -- it: should set debug loglevel - set: - debug: true - template: deployment.yaml - asserts: - - contains: - path: spec.template.spec.containers[0].args - content: "--debug" -- it: should set trace loglevel - set: - trace: true - template: deployment.yaml - asserts: - - contains: - path: spec.template.spec.containers[0].args - content: "--trace" -- it: should set proxy environment variables - set: - proxy: "https://127.0.0.1:3128" - template: deployment.yaml - asserts: - - contains: - path: spec.template.spec.containers[0].env - content: - name: HTTP_PROXY - value: "https://127.0.0.1:3128" - - contains: - path: spec.template.spec.containers[0].env - content: - name: HTTPS_PROXY - value: "https://127.0.0.1:3128" - - contains: - path: spec.template.spec.containers[0].env - content: - name: NO_PROXY - value: "127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,.svc,.cluster.local" -- it: should set proxy environment variables with modified noproxy - set: - proxy: "https://127.0.0.1:3128" - noProxy: "192.168.0.0/24" - template: deployment.yaml - 
asserts: - - contains: - path: spec.template.spec.containers[0].env - content: - name: NO_PROXY - value: "192.168.0.0/24" -- it: should set persistence variables - set: - persistence.enabled: true - template: deployment.yaml - asserts: - - contains: - path: spec.template.spec.containers[0].env - content: - name: DEFAULT_PERSISTENCE_ENABLED - value: "persistence-enabled" - - contains: - path: spec.template.spec.containers[0].volumeMounts - content: - mountPath: "/var/lib/backups" - name: "pv-storage" - - equal: - path: spec.template.spec.volumes[0].name - value: "pv-storage" - - equal: - path: spec.template.spec.volumes[0].persistentVolumeClaim - value: - claimName: RELEASE-NAME-0 -- it: should set claim from custom static volumeName - set: - persistence.enabled: true - persistence.volumeName: "PREDEFINED-VOLUME" - persistence.storageClass: "PREDEFINED-STORAGECLASS" - persistence.size: "PREDIFINED-SAMEAS-PVSIZE" - template: deployment.yaml - asserts: - - contains: - path: spec.template.spec.containers[0].env - content: - name: DEFAULT_PERSISTENCE_ENABLED - value: "persistence-enabled" - - equal: - path: spec.template.spec.volumes[0].persistentVolumeClaim - value: - claimName: PREDEFINED-VOLUME -- it: should set private registry - template: deployment.yaml - set: - global.cattle.systemDefaultRegistry: "my.registry.local:3000" - asserts: - - matchRegex: - path: spec.template.spec.containers[0].image - pattern: ^my.registry.local:3000/rancher/backup-restore-operator:.*$ -- it: should set nodeselector - template: deployment.yaml - asserts: - - equal: - path: spec.template.spec.nodeSelector - value: - kubernetes.io/os: linux -- it: should not set default affinity - template: deployment.yaml - asserts: - - isNull: - path: spec.template.spec.affinity -- it: should set custom affinity - template: deployment.yaml - set: - affinity: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: disktype - operator: In - 
values: - - ssd - asserts: - - equal: - path: spec.template.spec.affinity - value: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: disktype - operator: In - values: - - ssd -- it: should set tolerations - template: deployment.yaml - asserts: - - equal: - path: spec.template.spec.tolerations[0] - value: - key: "cattle.io/os" - value: "linux" - effect: "NoSchedule" - operator: "Equal" -- it: should set custom tolerations - template: deployment.yaml - set: - tolerations: - - key: "example-key" - operator: "Exists" - effect: "NoSchedule" - asserts: - - equal: - path: spec.template.spec.tolerations[0] - value: - key: "cattle.io/os" - value: "linux" - effect: "NoSchedule" - operator: "Equal" - - equal: - path: spec.template.spec.tolerations[1] - value: - key: "example-key" - operator: "Exists" - effect: "NoSchedule" -- it: should not set default imagePullSecrets - template: deployment.yaml - asserts: - - isNull: - path: spec.template.spec.imagePullSecrets -- it: should set imagePullSecrets - set: - imagePullSecrets: - - name: "pull-secret" - template: deployment.yaml - asserts: - - equal: - path: spec.template.spec.imagePullSecrets[0].name - value: "pull-secret" diff --git a/charts/rancher-backup/103.0.0+up4.0.0-rc1/tests/pvc_test.yaml b/charts/rancher-backup/103.0.0+up4.0.0-rc1/tests/pvc_test.yaml deleted file mode 100644 index 3a1c40698..000000000 --- a/charts/rancher-backup/103.0.0+up4.0.0-rc1/tests/pvc_test.yaml +++ /dev/null 
@@ -1,102 +0,0 @@ -suite: Test PVC -templates: -- pvc.yaml -- _helpers.tpl -tests: -- it: should set name - template: pvc.yaml - set: - persistence: - enabled: true - asserts: - - equal: - path: metadata.name - value: "RELEASE-NAME-0" -- it: should set namespace - template: pvc.yaml - set: - persistence: - enabled: true - asserts: - - equal: - path: metadata.namespace - value: "NAMESPACE" -- it: should set accessModes - template: pvc.yaml - set: - persistence: - enabled: true - asserts: - - equal: - path: spec.accessModes[0] - value: "ReadWriteOnce" -- it: should set size - template: pvc.yaml - set: - persistence: - enabled: true - asserts: - - equal: - path: spec.resources.requests.storage - value: "2Gi" -- it: should set size - template: pvc.yaml - set: - persistence: - enabled: true - size: "10Gi" - asserts: - - equal: - path: spec.resources.requests.storage - value: "10Gi" -- it: should not set volumeName - template: pvc.yaml - set: - persistence: - enabled: true - asserts: - - isNull: - path: spec.volumeName -- it: should set default storageClass - template: pvc.yaml - set: - persistence: - enabled: true - asserts: - - equal: - path: spec.storageClassName - value: "" -- it: should set custom storageClass - template: pvc.yaml - set: - persistence: - enabled: true - storageClass: "storage-class" - asserts: - - equal: - path: spec.storageClassName - value: "storage-class" -- it: should set custom volumeName - template: pvc.yaml - set: - persistence: - enabled: true - volumeName: "volume-name" - asserts: - - equal: - path: spec.volumeName - value: "volume-name" -- it: should set claim from custom static volumeName - set: - persistence.enabled: true - persistence.volumeName: "PREDEFINED-VOLUME" - persistence.storageClass: "PREDEFINED-STORAGECLASS" - persistence.size: "PREDEFINED-SAMEAS-PVSIZE" - template: pvc.yaml - asserts: - - equal: - path: spec.resources.requests.storage - value: "PREDEFINED-SAMEAS-PVSIZE" - - equal: - path: spec.storageClassName - value: 
"PREDEFINED-STORAGECLASS" diff --git a/charts/rancher-backup/103.0.0+up4.0.0-rc1/tests/s3-secret_test.yaml b/charts/rancher-backup/103.0.0+up4.0.0-rc1/tests/s3-secret_test.yaml deleted file mode 100644 index af130dd29..000000000 --- a/charts/rancher-backup/103.0.0+up4.0.0-rc1/tests/s3-secret_test.yaml +++ /dev/null 
@@ -1,141 +0,0 @@ -suite: Test S3 Secret -templates: -- s3-secret.yaml -- _helpers.tpl -tests: -- it: should set name - template: s3-secret.yaml - set: - s3: - enabled: true - bucketName: "yourbucket" - endpoint: "https://s3.amazonaws.com" - asserts: - - equal: - path: metadata.name - value: "rancher-backup-s3" -- it: should set namespace - template: s3-secret.yaml - set: - s3: - enabled: true - bucketName: "yourbucket" - endpoint: "https://s3.amazonaws.com" - asserts: - - equal: - path: metadata.namespace - value: "NAMESPACE" -- it: should not set credentialSecretName - template: s3-secret.yaml - set: - s3: - enabled: true - bucketName: "yourbucket" - endpoint: "https://s3.amazonaws.com" - asserts: - - isNull: - path: stringData.credentialSecretName -- it: should set credentialSecretName - template: s3-secret.yaml - set: - s3: - enabled: true - bucketName: "yourbucket" - endpoint: "https://s3.amazonaws.com" - credentialSecretName: "credential-secret-name" - credentialSecretNamespace: "credential-secret-namespace" - asserts: - - equal: - path: stringData.credentialSecretName - value: "credential-secret-name" - - equal: - path: stringData.credentialSecretNamespace - value: "credential-secret-namespace" -- it: should not set folder - template: s3-secret.yaml - set: - s3: - enabled: true - bucketName: "yourbucket" - endpoint: "https://s3.amazonaws.com" - asserts: - - isNull: - path: stringData.folder -- it: should set folder - template: s3-secret.yaml - set: - s3: - enabled: true - bucketName: "yourbucket" - endpoint: "https://s3.amazonaws.com" - folder: "myfolder" - asserts: - - equal: - path: stringData.folder - value: "myfolder" -- it: should not set region - template: s3-secret.yaml - set: - s3: - enabled: true - bucketName: "yourbucket" - endpoint: "https://s3.amazonaws.com" - asserts: - - isNull: - path: stringData.region -- it: should set region - template: s3-secret.yaml - set: - s3: - enabled: true - bucketName: "yourbucket" - endpoint: 
"https://s3.amazonaws.com" - region: "us-west-1" - asserts: - - equal: - path: stringData.region - value: "us-west-1" -- it: should not set endpointCA - template: s3-secret.yaml - set: - s3: - enabled: true - bucketName: "yourbucket" - endpoint: "https://s3.amazonaws.com" - asserts: - - isNull: - path: stringData.endpointCA -- it: should set endpointCA - template: s3-secret.yaml - set: - s3: - enabled: true - bucketName: "yourbucket" - endpoint: "https://s3.amazonaws.com" - endpointCA: "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" - asserts: - - equal: - path: stringData.endpointCA - value: "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" -- it: should not set insecureTLSSkipVerify - template: s3-secret.yaml - set: - s3: - enabled: true - bucketName: "yourbucket" - endpoint: "https://s3.amazonaws.com" - asserts: - - isNull: - path: stringData.insecureTLSSkipVerify -- it: should set insecureTLSSkipVerify - template: s3-secret.yaml - set: - s3: - enabled: true - bucketName: "yourbucket" - endpoint: "https://s3.amazonaws.com" - insecureTLSSkipVerify: "true" - asserts: - - equal: - path: stringData.insecureTLSSkipVerify - value: "true" diff --git a/charts/rancher-backup/103.0.0+up4.0.0-rc1/values.yaml b/charts/rancher-backup/103.0.0+up4.0.0-rc1/values.yaml deleted file mode 100644 index b62252ec4..000000000 --- a/charts/rancher-backup/103.0.0+up4.0.0-rc1/values.yaml +++ /dev/null 
@@ -1,81 +0,0 @@ -image: - repository: rancher/backup-restore-operator - tag: v4.0.0-rc1 - -## Default s3 bucket for storing all backup files created by the backup-restore-operator -s3: - enabled: false - ## credentialSecretName if set, should be the name of the Secret containing AWS credentials. - ## To use IAM Role, don't set this field - credentialSecretName: "" - credentialSecretNamespace: "" - region: "" - bucketName: "" - folder: "" - endpoint: "" - endpointCA: "" - insecureTLSSkipVerify: false - -## ref: http://kubernetes.io/docs/user-guide/persistent-volumes/ -## If persistence is enabled, operator will create a PVC with mountPath /var/lib/backups -persistence: - enabled: false - - ## If defined, storageClassName: - ## If set to "-", storageClassName: "", which disables dynamic provisioning - ## If undefined (the default) or set to null, no storageClassName spec is - ## set, choosing the default provisioner. (gp2 on AWS, standard on - ## GKE, AWS & OpenStack). - ## Refer https://kubernetes.io/docs/concepts/storage/persistent-volumes/#class-1 - ## - storageClass: "-" - - ## If you want to disable dynamic provisioning by setting storageClass to "-" above, - ## and want to target a particular PV, provide name of the target volume - volumeName: "" - - ## Only certain StorageClasses allow resizing PVs; Refer https://kubernetes.io/blog/2018/07/12/resizing-persistent-volumes-using-kubernetes/ - size: 2Gi - -# Add log level flags to backup-restore -debug: false -trace: false - -# http[s] proxy server passed to backup client -# proxy: http://@:: - -# comma separated list of domains or ip addresses that will not use the proxy -noProxy: 127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,.svc,.cluster.local - -global: - cattle: - systemDefaultRegistry: "" - psp: - enabled: false # PSP enablement should default to false - kubectl: - repository: rancher/kubectl - tag: v1.21.9 - -## Node labels for pod assignment -## Ref: 
https://kubernetes.io/docs/user-guide/node-selection/ -## -nodeSelector: {} - -## List of node taints to tolerate (requires Kubernetes >= 1.6) -tolerations: [] - -affinity: {} - -serviceAccount: - annotations: {} - -priorityClassName: "" - -# Override imagePullPolicy for image -# options: Always, Never, IfNotPresent -# Defaults to Always -imagePullPolicy: "Always" - -## Optional array of imagePullSecrets containing private registry credentials -## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ -imagePullSecrets: [] diff --git a/index.yaml b/index.yaml index ab2cc2e01..91db41656 100755 --- a/index.yaml +++ b/index.yaml @@ -6277,11 +6277,11 @@ entries: catalog.cattle.io/ui-component: rancher-backup catalog.cattle.io/upstream-version: 2.1.1 apiVersion: v2 - appVersion: 4.0.0-rc1 - created: "2023-09-19T13:51:37.700427-04:00" + appVersion: 4.0.0-rc2 + created: "2023-10-27T15:09:43.15051-07:00" description: Provides ability to back up and restore the Rancher application running on any Kubernetes cluster - digest: 742c60b2bc4ef099830de8747217cea1b3d741338837e3c2ceb8fdd2400e25d1 + digest: 1945636db982e2a7f119eef314050fd35207b512b677cd4641df8bef6d6c5772 icon: https://charts.rancher.io/assets/logos/backup-restore.svg keywords: - applications @@ -6289,8 +6289,8 @@ entries: kubeVersion: '>= 1.23.0-0' name: rancher-backup urls: - - assets/rancher-backup/rancher-backup-103.0.0+up4.0.0-rc1.tgz - version: 103.0.0+up4.0.0-rc1 + - assets/rancher-backup/rancher-backup-103.0.0+up4.0.0-rc2.tgz + version: 103.0.0+up4.0.0-rc2 - annotations: catalog.cattle.io/auto-install: rancher-backup-crd=match catalog.cattle.io/certified: rancher 
@@ -6825,15 +6825,15 @@ entries:
 catalog.cattle.io/namespace: cattle-resources-system
 catalog.cattle.io/release-name: rancher-backup-crd
 apiVersion: v2
- appVersion: 4.0.0-rc1
- created: "2023-09-19T13:51:38.879376-04:00"
+ appVersion: 4.0.0-rc2
+ created: "2023-10-27T15:09:49.772564-07:00"
 description: Installs the CRDs for rancher-backup.
- digest: f8ea4ab638cee126c1452e415175e652ac711c8020a4b4dda3eeeffa31ae4abc
+ digest: 65146112b6670fdd6a525ac96554586a06081b7dc22334311ed38c5f7d99563d
 name: rancher-backup-crd
 type: application
 urls:
- - assets/rancher-backup-crd/rancher-backup-crd-103.0.0+up4.0.0-rc1.tgz
- version: 103.0.0+up4.0.0-rc1
+ - assets/rancher-backup-crd/rancher-backup-crd-103.0.0+up4.0.0-rc2.tgz
+ version: 103.0.0+up4.0.0-rc2
 - annotations:
 catalog.cattle.io/certified: rancher
 catalog.cattle.io/hidden: "true"
From 1052fa939b8bf0b5f51044a72b687982cb7696d8 Mon Sep 17 00:00:00 2001
From: Steven Crespo Date: Mon, 30 Oct 2023 12:04:52 -0700 Subject: [PATCH 10/24] Make remove rancher-backup v4.0.0-rc2 --- ...rancher-backup-crd-103.0.0+up4.0.0-rc2.tgz | Bin 1778 -> 0 bytes .../rancher-backup-103.0.0+up4.0.0-rc2.tgz | Bin 11560 -> 0 bytes .../103.0.0+up4.0.0-rc2/Chart.yaml | 11 - .../103.0.0+up4.0.0-rc2/README.md | 3 - .../103.0.0+up4.0.0-rc2/templates/backup.yaml | 141 ------------ .../templates/resourceset.yaml | 118 ---------- .../templates/restore.yaml | 122 ---------- .../103.0.0+up4.0.0-rc2/Chart.yaml | 26 --- .../103.0.0+up4.0.0-rc2/README.md | 79 ------- .../103.0.0+up4.0.0-rc2/app-readme.md | 33 --- .../default-resourceset-contents/aks.yaml | 25 -- .../default-resourceset-contents/eks.yaml | 17 -- .../elemental.yaml | 49 ---- .../default-resourceset-contents/fleet.yaml | 53 ----- .../default-resourceset-contents/gke.yaml | 17 -- .../provisioningv2.yaml | 23 -- .../rancher-operator.yaml | 28 --- .../default-resourceset-contents/rancher.yaml | 65 ------ .../templates/_helpers.tpl | 87 ------- .../templates/clusterrolebinding.yaml | 14 -- .../templates/deployment.yaml | 79 ------- .../templates/hardened.yaml | 124 ---------- .../103.0.0+up4.0.0-rc2/templates/psp.yaml | 31 --- .../103.0.0+up4.0.0-rc2/templates/pvc.yaml | 27 --- .../templates/rancher-resourceset.yaml | 13 -- .../templates/s3-secret.yaml | 31 --- .../templates/serviceaccount.yaml | 11 - .../templates/validate-install-crd.yaml | 16 -- .../templates/validate-psp-install.yaml | 7 - .../tests/deployment_test.yaml | 216 ------------------ .../103.0.0+up4.0.0-rc2/tests/pvc_test.yaml | 102 --------- .../tests/s3-secret_test.yaml | 141 ------------ .../103.0.0+up4.0.0-rc2/values.yaml | 81 ------- index.yaml | 45 ---- 34 files changed, 1835 deletions(-) delete mode 100644 assets/rancher-backup-crd/rancher-backup-crd-103.0.0+up4.0.0-rc2.tgz delete mode 100644 assets/rancher-backup/rancher-backup-103.0.0+up4.0.0-rc2.tgz delete mode 100644 
charts/rancher-backup-crd/103.0.0+up4.0.0-rc2/Chart.yaml delete mode 100644 charts/rancher-backup-crd/103.0.0+up4.0.0-rc2/README.md delete mode 100644 charts/rancher-backup-crd/103.0.0+up4.0.0-rc2/templates/backup.yaml delete mode 100644 charts/rancher-backup-crd/103.0.0+up4.0.0-rc2/templates/resourceset.yaml delete mode 100644 charts/rancher-backup-crd/103.0.0+up4.0.0-rc2/templates/restore.yaml delete mode 100644 charts/rancher-backup/103.0.0+up4.0.0-rc2/Chart.yaml delete mode 100644 charts/rancher-backup/103.0.0+up4.0.0-rc2/README.md delete mode 100644 charts/rancher-backup/103.0.0+up4.0.0-rc2/app-readme.md delete mode 100644 charts/rancher-backup/103.0.0+up4.0.0-rc2/files/default-resourceset-contents/aks.yaml delete mode 100644 charts/rancher-backup/103.0.0+up4.0.0-rc2/files/default-resourceset-contents/eks.yaml delete mode 100644 charts/rancher-backup/103.0.0+up4.0.0-rc2/files/default-resourceset-contents/elemental.yaml delete mode 100644 charts/rancher-backup/103.0.0+up4.0.0-rc2/files/default-resourceset-contents/fleet.yaml delete mode 100644 charts/rancher-backup/103.0.0+up4.0.0-rc2/files/default-resourceset-contents/gke.yaml delete mode 100644 charts/rancher-backup/103.0.0+up4.0.0-rc2/files/default-resourceset-contents/provisioningv2.yaml delete mode 100644 charts/rancher-backup/103.0.0+up4.0.0-rc2/files/default-resourceset-contents/rancher-operator.yaml delete mode 100644 charts/rancher-backup/103.0.0+up4.0.0-rc2/files/default-resourceset-contents/rancher.yaml delete mode 100644 charts/rancher-backup/103.0.0+up4.0.0-rc2/templates/_helpers.tpl delete mode 100644 charts/rancher-backup/103.0.0+up4.0.0-rc2/templates/clusterrolebinding.yaml delete mode 100644 charts/rancher-backup/103.0.0+up4.0.0-rc2/templates/deployment.yaml delete mode 100644 charts/rancher-backup/103.0.0+up4.0.0-rc2/templates/hardened.yaml delete mode 100644 charts/rancher-backup/103.0.0+up4.0.0-rc2/templates/psp.yaml delete mode 100644 
charts/rancher-backup/103.0.0+up4.0.0-rc2/templates/pvc.yaml delete mode 100644 charts/rancher-backup/103.0.0+up4.0.0-rc2/templates/rancher-resourceset.yaml delete mode 100644 charts/rancher-backup/103.0.0+up4.0.0-rc2/templates/s3-secret.yaml delete mode 100644 charts/rancher-backup/103.0.0+up4.0.0-rc2/templates/serviceaccount.yaml delete mode 100644 charts/rancher-backup/103.0.0+up4.0.0-rc2/templates/validate-install-crd.yaml delete mode 100644 charts/rancher-backup/103.0.0+up4.0.0-rc2/templates/validate-psp-install.yaml delete mode 100644 charts/rancher-backup/103.0.0+up4.0.0-rc2/tests/deployment_test.yaml delete mode 100644 charts/rancher-backup/103.0.0+up4.0.0-rc2/tests/pvc_test.yaml delete mode 100644 charts/rancher-backup/103.0.0+up4.0.0-rc2/tests/s3-secret_test.yaml delete mode 100644 charts/rancher-backup/103.0.0+up4.0.0-rc2/values.yaml 
diff --git a/assets/rancher-backup-crd/rancher-backup-crd-103.0.0+up4.0.0-rc2.tgz b/assets/rancher-backup-crd/rancher-backup-crd-103.0.0+up4.0.0-rc2.tgz deleted file mode 100644 index 9cab6f689cfabaa9fb1deaee3a402736fae8b3db..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1778 zcmVDc zVQyr3R8em|NM&qo0PI`cZ`(K$&$IsuBKOeyfK@rp$H72x%{l3zxZa_#vwc}CP?{Rc zY$#GoQbCNx{_hKlvMtNhhaK6Q0Gd7&p{U;shclevXe==&3y}R8CXY$nCo*_HUSO%c zC63rxJLLPme|>qG{_p#K@qhp7a(Fhlyc*p27dOM<@XQ}vUJr+7$Zv^%B_&E@dFH>E zS8;J~gfQnqV@(BDqaH#8Ys^IG5v(->kBavMq^5HU!3brx;+(diK>&P&&b3V7+&P8g z2vm#-jF27dOHd+_1XN!wm4?Xqngj+|LEpT-mLX@aJsi_-AQcsSgq|*XIF8qUUV6Ug z_a(XL1)zweu}+6SbEPq33h4!)@#IdSxsU~DuUE=YFJl-X9LJ23RCT?l6~lo)G%Wv- z#2eOs_7+!?!~ZozF~b_v`%DurJqoJ*f8Y=O>w^E^_?`cshVssXV+zk2xcN(YkN;H0 z{hkKBN6Lc{8YfDNXp*_?9n2}Gsqsgkaey^8=ZEzfYd6YU`}fA3dnyKEW`dd$8` z$~DNbU`fO?rhW873H}x9#Rz#yW1T2ZX(4e4Uqt5fC?&h#!k|4Ml$Ml-rFd4-hh+>~ zP`QCdFmuYlytyrpabMlfX{{D52D09-Dd_(fAt#$>jR03x;SmX`ZXRd^O5-Trg1rs5 zR~ujrrE4XE+g(#X|LdF5U9JekvQ2aqR>;TeMwGLd@c@s5f%RIrXcWX;(Q8c&cGC{d8c z+*#g2+YwR&x2jFJ-jy+;oJL7BLW2@ia~Oo_fsrR;8$rVA7Cn}NujksN0!Si_oLlEr zp5Pfru?rcYy9`@MHA3$`Ml|3wTsZ))4fMtM)G!`*S4N{Gek9_oZ^RGo67f!-m z$!nm?JtIXQx<+e3>wyi;67pDPzI!l2)e2e>kq{Vb#H`B2Ps7({-X~xVJctE#`QGt( zjc-rEZ7x^<@)VpXSLWP+hcDCVBQ^IKI$xGEwumz!7+_v9OG4=M)wYGV6U6KX5M6Sp zI37y)HK7uMZTb4enA2+jW^;w6v3Qe(?R|_@sA7|-?4nW)k@I}2JG~fI`axo@=qjBm z+s#IMS-X>l-%qhg$d1n|OWlskL;_ajF3=7Sm-V&HLp!atJr0#F+{h`glz3Tqwz{aa z>1W17ryR#>A@qYo>xUzAcwQslI%3)3$YQ2IK0)vw;2=v9sLE9Ih1pkCVwXe_mX1Jk zD5TSpb_T6Ja@g4t^CQV@T`5?Jm$@4H?f2JRVtdt8S^rzB9A5N2pr-zReSKA^|6TZl z%j>TGcM3X6{V!)XZ59EGC8$*;Fwf4O7VC0g?ooYBu)S&!5nM~b7|03CK>{bmq|TWI zR%L*>jdFzS+OS_4^4(#%4b;+G=gXiaq~Bhgc~({I+!V3emZ>ynssMH8N}DSW1Co}0 zUa#T6Ghs;p|D`-|?nUWcr%|F>lcqKl-Ia^3C0`vW=5jfK5T4`qmGt=bw3CW_EPXIM z16E?)4e{%)$`RINasM1kP|AG^w^XqMP1sm^go@HkqvdRPdvL7dm0If;;}xZP%YUw{x5@Sjk$bGKR8Q6AgjJGo ztkY)A;Ef%@@&u77&*M$0=a6ixti-&@k7|>%U5Nf}y7so}9Ci19EhN0O0jTEwf8!6Y ziv2$qSKa;pBy_C%zpdQSWjaCfz0pFW|(*FZxq 
zB-~5syo^g)oka|F?y(C>*MMtld9QB{c{q5cV?!72zi$~q>KL-~##ovDp zuDjoVorL~^Ce{M7f&&^)?s~o3^(a|jsgYh_ZBoa=uO<@(0h%q*_iZcs?sX?eM;&$4 U(QBta0ssL2|Dt)=)Br*N00`V@8UO$Q 
diff --git a/assets/rancher-backup/rancher-backup-103.0.0+up4.0.0-rc2.tgz b/assets/rancher-backup/rancher-backup-103.0.0+up4.0.0-rc2.tgz deleted file mode 100644 index 4306edab2b8a193454fbcd02a5d3d7aaad389125..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 11560 zcmV+@E!WZ?iwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0PMYKbKAIklWlE|o!dzu z5|S8E1Vezb<+!Wn`~1uKB~M}DPHM3oC4I-Ju8u_l2L}f@E5HK>TG|LXN*`)t*WRp+ zphF8YI5Ge6bVXHFb!Tgf|EsEM{NIvVRR2-j+Ai*@rQLG5_z$(XrEZu00n{hNA+xxI zLgydqqx*^v?r&0{Wnl`bfh|(W0iZz&O*|}UkWv#B47>?liWS2m6q;rQM3;-AIr={* zkZPmUrW$gnF))zsw@a<28^ku@OtIhuRX|JB1be&(lG-Lqs7nLeV6(8738A8kT#T`qoCy#Gpj+ zYi-;ZmX2@Iv9}#OHFQLj;nb-Bzx$v@!GDJ6=Cqg!#G8l+6-tG-k_e^3yKEXb$V8AJ zN$}{DrZylNwowI4paq9$f-IU^i_Taj&2$MxjzTduQ>(d#qTz{+Eo9N9dUtI?9Rw%A zSWAUsp_qfV(es{6OF3xU{?Dy~T2K{7E9G=VG{>+he|#<}4`AOg4LSo91J*HcZ2&Eu z%>~5{0(6A@bqHoU?5Xx3M&PT3drX(UPji`!pVBbzQkjxux&9WiT$ z7=$8=DpPE_6GS!{fWras-)IOJ#G8~2;7t~|F-%iVEP&v=R|7W&9f1jUEqV^=2y9NF zvuPTAxwJ?w1Ttlw#Y`LyfQ|-+#kyjv0}fHmgoFrM{T_bwhu?zF69#!DpVla!-vBow zLmL6zAgoIQ^qB=Gh6cEK#uTN{^a7e|NesX%wuW@E)L#R(z(q%vYnmIt!imlRv5^K0 zB47crJhc(Vgsr_0w4i6?6aaWNv`fs+s9v_&2%x1yM+eyQ;2a#+H~7;1|G}A!tTu(( z__bWSEi^!mZ-k^ww}veZ*_3QbY||$Fg~o=U6gkKohzzX42pde#47=b4TAUD)psDm^ z%uW!c?9VVbIa2`k@f2+cu*@LyU{dG|5d{#~(4mIrn$Q8~y$v8u=?H(zx?&VLAph|B zN&r8z%o$+*2{bIw4q?KKL({}J%oa567@p@n@_*(Mv~S|!W=So+-Bfosi=|DkrIMtn z;<8Csg7%w?uErgzfYO1H%e??qT?Zx}0uxP<2?iz{63 z`H}p|h;z%x?M#saY&JGM00lJDV21n)QOy?(zcWF=$oa?r{hhU8w&)*~-(AQ2qw>3r z9r_3BLc@~@1O(a8;WFGb2xauw@dO$cVQgX80P4DfI7#UUQXw2HOu1NPGsSz(S@>LF zP%P~-eNs?2-)EgI3pXNiKfWe0EdGnrsobKVui~&=K~Wpb1|qDkQXoVoG51;E;Ipj z95`d-@#_mkPQvDc?HE%=Do3uVur0C7tWikDTp|yQq3a;U#=0WGBWKfgO;h3BE3zZS z>u56sO{-)V_kto_W#y)-2UI$+If!ut)+bbu1Mnw z+35qj2Dn=_l@%S7cjm z{|^R8W6nSmw`KqAv1f=^K)(LXg=RiZnp8B1R0@%aCTKE6P7P0N=pc~)y;vx2DQX@R zYS0$pGXs&raS($l92ivo$>H=7g@vfN3!)R z8-|74B?8oOEsfWwV5bbU5p)RXBMmZRgy0DZ>o;yra{rD1HhR;T7}T3!gMe4kXWehM zSzT_;+DLm{NY1v9t1TJeV<V 
z!Im_G7U3ys2}DQ8oD|4NL|iN2`*&bin(69UgDZ&cvub%faU#1YfRGFngRc4kXZ8-- zc5Jo#@z(F(Q<~g^Z!V@NMua335p>s;{!9RBiQs*qEsU#FB6?Qdl4OjJRY^re#FVos z7Od?;`bhXD67%yTb@JH{d9}!le7z zrrHlFnfAZ5oE&VTzG3NxHGJ@{zykYU-6@x%_J2v;Ek4Kp*HXrYrB^^rOm+*KXirRb zWOvo+L#+T^I>L@|$L-a^_^r@!#oPo@s6z^wf4`!R08&ATfC(22>FrEk3*Q6Fu$XrZ zwipEB_P-*H^4(G~ly*dRFM(5$w)%z>ZxBD;Zd`zLOmgoO^YZNlV>;HrIpIX+I{ zEW^@IAeL;TvDThtEgCW!x?Pyi297e0}LFj*pQ>{m>LZhZiN;wv~YvtitW=rZv7l}wb1NFvZ4 z)J%!NGuBw#Fwv(Uwf0A&1RNUnV?y&Q4j}Mh%Xyp=h-8Eg;l|q*f{hmN*I$*yYYK;n z{=$*}@8A6hlD7$vB)!~x2*H8QkW}JPQNAx1uBCvyqVT8rxLXlw#&_@%&G^$uGw(IB zrj<}#LE_r`YOC|PSv{?{&#Se%|K5)t&XIQ!5iv;91QFy!hx_$LwR_U}+%A9KtJaRY z=bzi1vsU$>{`usrR_z>~HB)iO;;V=+Tu9;-qe03F$G5XIJl}UZ=bz78XCJQ8X|hcF z_G17v&z5K{w?Q8;?sVOpHCyNPR{OBssW)r&&-G??@1(w;#48^Hsz{)DznXBkPnrB9 z;dSUA^QeG){GdlZ)QLdIo+|PPKrRfHBv*E#CM&__dXKlOnb4S2LKOhe*rP@A+>cFU zE;%5d#`aG`5L0962^|`nw=g&vi;M~WNDW`;zm3^U0lNIGjn~-QiVbORZ*w+c5qN#3 zYy3n%kuBd08br1=7Lg&m!IDaaaD_}F{A@G&Z(B0`zY%nFWFh?t&VnxR|8}=Z#rXd3 z_U_iR|F@13_PF}YKM7o}Biw(4ucg=wnnK{JPS>0sGX1R-*Cg+42#qiv=PSU*gnHkx zY=~d3J#?UslGPO*nTR6A=2l<60{BDXY8pa1(l;io;^_sFKOfTg+IQpXlWw=@v*j%!s(6I(5eX$4TnMbTGXf}9E{s;VlVJBTp_ z^(=!pd)eykg}yGUP(ANxA{@eC(`&WE#1r$DYWMa%eXD|M!38p-VBhNTU(q z4jv=xUwL`D@2~uyIYm*T-x7HOFcwOFmW9j9!Z=Om?jR)N=1)WFzdI2f*A(uM;%^ub z#yj~xmlOIAz0|o`G>h|VtbAxr$nrGIffJ*Y^-}ah*vUD z3=dX5=3Rnft@+{)LPo34wG_60{q@L&=WTvHuRp&2f~~D(Hmv4tfUQoxU}ujliHyCy z$IQ-hqL{6x6}Tn5^aQatr^P;^&|7ThSZ_-n5z6v;twoGy+cBnwiH6~Cy+)YOCZadk z8Al%;p4Xxe&JXv42Z3!XgpF&W3i$2RCA1YXh=1eTG$+hJjMU?Gs@9CZcWql7{)eU% zgsC8Z6HlQv42!dgVF@=tlnK18fSv8_@^%h@0TFEVMBp3*^)t(yv4J%V6A42wAW0;| zrhwnX9?WlZ}%D_+>1uH-&$A!~VadndGk-##5p18UR2;2N8dm{E=9W zotYgB|Ip&qdR6N)4e&syh4Yn{}so8K~Y5?^>fn@j$EOSb%%Cn%nvkA?DI z-A>4V^*R2(ma^b9c9!(_jllCXUS3J+$2VZtdqN9p8Y1Kr>w$b~A*f$E21RF<#wEHR z;}GI6vDF$*iy-5o4*KRI5^Rsl{cABKV%(wl_a96LN4|&;p1(rh_(}fA``4nUw9E#< z5%`QM9EWgU>EEKHoL7k+wU2&V&!C3hF9q{?_x5L(O!@D<2<0Mss6JS9{(pNXCjU!C zRo#7-|LZ7`SZT^9SiYcd$(L=Ewi6OxEeb(2r(uga*ff#D(`PXG7=*L^Ui0#xZ$1(d 
zu7G@S0$rXS5?$qGU-@_pPkuEk)A;56FUq{wfIP0pEnD!?hIF(6UVa9Ze}V$HS_=mz z?t?tfPPFO8Btpxdf0WO#*?c3;mU68q^ubFH1fl|TNZ*taAF%%HNe`7w{*Ru}eN-O{ z_`g(Ex8mnNcAoQpt*2z4_{=o<#5v8CY`oONo$E35L{`c(8-8<9j!?(2hWirhgds=D zz~^X2l++AkyheJ`FE)&fHeh}_un{c%oaQVt>S}BVK}BGY zpxyvG{wF3LCGfI;LOG;lCX(qUP3lDPWe20 zoI%32xuf)|{m3!;eWZ>sNF^tiX*jnW8)~9L>Vim3KqsnXHG8~bYQAqqck(L@j`gtodf_P)c1;uph6 z>HKdcl`{FCt0_p4x9zWJ&O^_FFW&##O8Eb!=lox5DK8|u3@LbJA`84SF=l2&e%`^U zJjjO*`Q$;K{rCDcP`T6aLU_aj>{>eWu60ABp%;X?$l_%_J>sw_a{uRL0>+h^hQbsN zZO_C@vaJXkM6+L2&kv>WB%zwd0E{3xMl-LkR}{Co;{gh2nwGUBbrRW6dpuI$pI!1(d zHiA=;E-V2CRL>9nIJ7VJytLNm?Q;SQDdS&)^q%KJ>^C0!lhiU6D(}|Y3|F(zAdMa%ZbeD9~nFS`O3?Z zJT&OY?H4pW*<5fJ#p_U>ZJ8U|J2b^n&=G}(Nea1~!b&dp;>8PafGB7o8-qh@fOB8I zeCb0n;u$14G@dBdV+=uw%=>&otz4VwO9n2|*`c(Tc>0TIXPzmQyj3gO{bou9#mc(C z3Mk@OwYcDkyVmo%o7>f#ZW05n$%v&m(9LA;0GlSh;pQKgohCOwh2bdcvd1=b-~>_R z5HD?G3<)s@Y{k(LG8{kTDQ>H&sk_PrL<@w+q%Q2!K*J6sX4Gu^0T!R4o+w1uI3~EVMau?^7GaqQf3- z;&I>tsJV`VEb1qSC9Z8_hY|*W(e~7^4$lNe!ugSXrtWCmgXY{jRiYad1;C|>K>)O5 z)^=!$47&x;9vgP(N)@JDv7;kLChPQXU;)e;VF0}Wb%LJxu7>PByzFi;7^4~40AIvG zpJO!p!Uy|BY;N-3e8~CyyzzRUBL;u3HgXMGppUo|^qH~{@7UivX^B6)F3Mm}+^6%Z z72Y9emp8a2BQ_M+6F!5l<6t9O9N}4$P-E5oosB(a_Q+p11|4yu$8Yt@o5nTJ;Qn@(1d9rn_DpABstU`8 z3E`U&vSe1>v}F)!$-~STmMn0H-XlFcozXB~i^f^Dc2Ot0BefX(w zo^UiCOx`K9sG)>?O;8Q}qL`b>vw*$zM5byVYPS2#os87%n#();Ye|C1Z;@^L4Z9jkiv7RzF{v#xMB>ba6oATVg(sYvMP+IgS z93dJwc)}_Yzoq9G@s6Z>#!Q8_z6cgBT#l#zhFdFD0*(~&$UxPvr2Mb7MXAwqjk*9gpfkJi6Bn^bZ+1$@lVEe{H%@uS(Dun#bT zmd+LcYr%SVZGMkyh{(QZ<gRic_ZEmnh}37aBs-;=ZU#QL&#hqB9}@4ygviq zT;$9=-ywuS_54s?a<~C(sEv6S-Uej=A?!&}==52Qfnkd4E(n|=0u1U~PM&Y4XC136 zB#9*#ai}d7w}A%SVpyPERzlGl%#&P*S_BZ68C8Ve>KP8oZ16t~E0pxo`>3)2_Qe^& zz`Eby1{uRfi(ioxAH@dfyUfBt4tEeCPk$@jK+gok-c5Y-{8?e#A*hYySOsLylM7v- zB)lRxj}U^khZNWj;xj8zy0OAv67Z-p)BN5PZ-5d11Z%>a18F+x$VQfqEX`nx2+{+NjjhbM9qS51W$s@Mx6a4MJT#9LFL%a8d| zcZnPqVJ>T^znBruxXB>CY?M~^#}Eh9gSL$G5TOD4XWlo+uOcwG1d*R@>DbfS^9F?*K;3HdQL~{^vO}YWzypfCEoj1}q zZ@??;aHa(V2a%D#9bvFX3Bq`4;q?Y*HgOgO-P%Z#g2YA+Q|3&R7?vU~MDqL;Zk70| 
zl*^_snSS&a?+WKH+)@4li~&;xBS-{UYzIvZ>=JY4SEP=Mz7%r*^I!kXD3bdFym`~a z6jk25$^8KiBb&qWR;3Ld`}IJ{NVm8a7ZLyo!J5J2032CXmwCy7TuIK7VSxdhGLjAe z1Wc-$NCpc8_{zL77yP-5Auld-_6Rv+7Es94N=}oUdyW;qE}8lKQv(7BzJz_pFW?oL zGM*G2OrYiRu%KolXfeaWAM0zjqztJ%Oyup;zZV;A-XSCaLEpiQ%L!#lE)=2m@a5{1 z(|F)IJjBXj2w~3yG5(drH`p12S6`w|<(G}v5Hg78I`>)K2&$&0k-t!(dd;*C%whYwn; zqLhUu>} zu=N=620b8~ue}SKrGw$0=*XOpf#)vB&ExO{`9c3+=KU%1cXs@%LW7u>g>FFlC`F)) zhXW%O+VaYGQuvXPikSbu#K(_tOjbMxw($IKF_!sgkR>v-x&DW z9O7REr)Hg0I9`h2Zr>qJ;4$}1ToSp^6?y`@?4Ex>m-5!W2lt!`KbB_n;WSV5{<9h3 ze`#4={-dXs|LX46ZbJT-pX0x4DKVx;KU6xWOChv`ohC$Q-JjuzT>LCrOrc0aV^WrV=u z{-40id(w#zn?(HH*^nYCrywc99*h!?qrmb#Lfep(N%Xkd@=vMceb$n}YCiQtOF>Y7 zU?N17`%mKE$F482qVGQ?78w8DI+RKYco&-1Z*2$hNQO`KF`8uzQqbDJOD?$JKYwU> z59O(D@G(yvS6mhF;L&HSZXQZ|d7rw@|0V-{BKg0%{^tm+_bjwpgv{Df;CN_4cLh%?`tMPHb$$X1BxT-S5wM|R|#tpOX z2$>Ukok;*k@JOaK$dCsq65-Lx`mt1%q9Ccl(ybHj#!aBTDi%LTX{`%^WvsF|tK5GY z8uTmfKV|33Fld&gB(V7ro_CBJUfzqY<{3zF2AUS3X^%3kBe{f+*&BaAeb>@W6v-kP z>m`oIj|)dH!G=#fYgs5tY4JGxlKuZ|J@#B4R#vzFhGVpb_-{#lw*S^qo?hCs^)W}X zM_#Wf!aN+KpR~8fdj2_~pJ>mS^S?U(hd*SSmX;9(i}wGwwqy7Il(u%ap5wo3DNoP; z;q?(V`kXORCQut0mdA`4Z)1a=0h7niw z%~R*sBam%EOUxTT=JxX5dlCDoJH`|_GMRYr*q^AE_n$`4nIbj}LG)y_S&<%rcU9bj zywP+y8D21oiHBKcu`+qOpxZB0R+s-?3s1Q$)&L9TfBgRc(st?j{MUL)Tm*SvGOgJ{ zi!Z8-4X1cDf5YhsH?=bRcxa^Thnjgw!mY)wUD)jt7!rxKxMUD=PPlrBS^n7!x#sd< z`M*L8V1fMKDsRXA|8jZvIse;Q%9HK?$hhJCCtJDyq$&5GT!I|-&z#^P|NiqSw~T_` zIp~)$EY`gxG*@5rF{Xq%(DqH^PktsgVk=OGHbu_;r_c{YgW3o!DF#>D7Fs~Lr8Hma z03Nw>lzFCj?K?(~p->84*1P58k0IGixtAwt_!psy9MsV1D=w?=tZjoToz7uNa{tM8 z@K>Z!j+jVsC?Kv%{p6T}EI@O|Vmk(Q3_8BMa_7iCq9Amc@5c^q_`rfN$*p@gwp6Qt#0Nj=)#)^Pfr@s z!dzYbJjKs8w|=>j$p20#v;RGx{WE*;*c$-n+yBLKsTjZiZ+A<5zW-w_g}4Sq70^M1 zf_;D5bN)R5m7EevEy7nqP65%&A#)1wZVS&T;PVKXHgZUT+GdW5OOO>{(2DmRE0mZpXjkyOq&dvn4UX`AdCJ0s;@Gj zC@LwF(07Nx#6uHJkr^Hpe^cSt%B(U1i5ppQ5YQPC*+RyQDj=^Y9ElXPMb6SRwE3H# zjW$Ojm3Q&&3?OT2IN0Lp45rXAc)GMG7vo#DjJ!k!#nNs;EvSWJrCcn%U1>o*a9qfm z#)jovN8&EG_npr9=kwOthpVXBG#Be1i%$C&!l!wbfsBWQy7_jas0M%TmI}ok{-aph 
zD86IA-in_)8wE1eHVWRJtsnkcer<__5)-V8yi*qDbyr()09g23)(YcS+WIBdV>ZEK zxF+cqWN*&k#$+b%waJ%-$=kt22ec0~Qo3;Aqdb7HBQr}OIA~X<14&+f> zAd<UdR=A4hWu#S@x^}|Woqb=HUOTC_+bQjgJFkaBS-*N(ueO!*Ui=jFF2>jgos>R8 z-g%ZyA4cM5$HM2*1R&o+P``8xiq5Rm zpg1w^)csS5jV6EF9H(7x^!UtKwMdo5tO3JdU|T~1=LhiBobkITB>JSD4{+x z_W{F^sI{$!aHlEzm)U0gQ)A0lL^KvBe=3@{dHWP2iUG|U-qS7;jzBmtDSq&)hL;{# z1f}qhBEbHwBdzs?k=D=zJ*_~Q*ZqSRVM%$EG^QU>1w8b?=LHkuCsp0=jv4kvY$iwk*wp=n-a zT}$K>EBTij6e|KLzJo3PTycTL=G~qulNu?Om(p@kN)~myK(? zS-1E4>d|(mTfb?k&5qX9JMGKEyH=yoxEMFfy>6pow}dUTO5TGcJC+_%Ld=>f>Uk z*RoJ|yW8#bKEQFK)9D@U={I)$x@gvWW~0@rxAw00_uyrH>!#Dt&tRR6+T81QMthyEd2}&uT5a~b+uN&st#0X7uY6IuQrqUna=UqUpsJlx%WjvoyY>OO(~C{>tZRO_7~jl#cURk&``5R~+8Z@X zho#eUw{)UzPfo4zaof7SZ0`5Ip%1p%YV7Uw8%Hzkt7-S^_9g6H7n_adw@b6}RX=$5 z^>Wgv!CsS`sJHw5dShQ7H(=MinjYUZ)lQ?=xo(r<_5PK5abaI--O>Jqd41OJZr`4k z>t)!xQakk`Z1?PzR&MSbtBqUOEw**lK0EF8jxRdbJ3WW%N4@Y+Q>)zJom>R9_*7ixU zd)HTsMbzyb_upU7wDG&EcIn#f?ssqcsr5TcROu*b#1k#7e#%$YmJV( zlf!MT(d@LU_VLA6bJDFh=*eC4T5H&+rw6U$s}i|w6-VWEx3$;pHfsI5W>YUUyBC+O z+O@iU*>2R;R`=TK_PX26_uZ|_59X;psh3VWM^>k3&uWvctqaR+T$Gxw)@yv#iw*0t z+q&$2-TQViZr$nXyX%XLw*9Z88tV4;uS(mu-OCWx;r_O5x+ z*?WIcY~HqR>^KkZHR~o@>-ARgsC8XzQTWw}r9<<-vZvVqkS?~5vYF`^pXWTn#-Z4J8DW2ACw_SQyyHd@sz5Qk#9bA+< z2l`>Z)2y}X+ml{zRDxF3XSKJL{|Z<}|$ zS+ho4XN~b4GPPpMYnF$R+v!!=KI$Bdwvq9!4Bxl*yJlm2QF>>#i~5J_al`1( z-rneHuZ_N5-!;dhaj$W7*SxXcYnSFh^YWTr9@sl=)jZQWdtXoAw`SMsErn+DSTBxl z+E!P+wwecLb!~Rt9c}eX_Sx~Besoc6xb5+9TRUhSwt9B=qD#+CO153I4yS0MZney7 zsu#yoy|ZWO^=k`V_Aai9*O&bdd*50UwS1*spS8!@)>Y~HN>?xLw0h&F_jS}eJ7{99 zbA5msd+$5r-t@9@ZE5D|@l~}$kbkp^^OioA= 1.23.0-0 < 1.28.0-0' - catalog.cattle.io/namespace: cattle-resources-system - catalog.cattle.io/os: linux - catalog.cattle.io/permits-os: linux,windows - catalog.cattle.io/provides-gvr: resources.cattle.io.resourceset/v1 - catalog.cattle.io/rancher-version: '>= 2.8.0-0 < 2.9.0-0' - catalog.cattle.io/release-name: rancher-backup - catalog.cattle.io/scope: management - catalog.cattle.io/type: cluster-tool - catalog.cattle.io/ui-component: 
rancher-backup - catalog.cattle.io/upstream-version: 2.1.1 -apiVersion: v2 -appVersion: 4.0.0-rc2 -description: Provides ability to back up and restore the Rancher application running - on any Kubernetes cluster -icon: https://charts.rancher.io/assets/logos/backup-restore.svg -keywords: -- applications -- infrastructure -kubeVersion: '>= 1.23.0-0' -name: rancher-backup -version: 103.0.0+up4.0.0-rc2 diff --git a/charts/rancher-backup/103.0.0+up4.0.0-rc2/README.md b/charts/rancher-backup/103.0.0+up4.0.0-rc2/README.md deleted file mode 100644 index 59bff4425..000000000 --- a/charts/rancher-backup/103.0.0+up4.0.0-rc2/README.md +++ /dev/null 
@@ -1,79 +0,0 @@
-# Rancher Backup
-
-This chart provides ability to back up and restore the Rancher application running on any Kubernetes cluster.
-
-Refer [this](https://github.com/rancher/backup-restore-operator) repository for implementation details.
-
------
-
-### Get Repo Info
-```bash
-helm repo add rancher-chart https://charts.rancher.io
-helm repo update
-```
-
------
-
-### Install Chart
-```bash
-helm install rancher-backup-crd rancher-chart/rancher-backup-crd -n cattle-resources-system --create-namespace
-helm install rancher-backup rancher-chart/rancher-backup -n cattle-resources-system
-```
-
------
-
-### Configuration
-The following table lists the configurable parameters of the rancher-backup chart and their default values:
-
-| Parameter | Description | Default |
-|----------|---------------|-------|
-| image.repository | Container image repository | rancher/backup-restore-operator |
-| image.tag | Container image tag | v0.1.0-rc1 |
-| s3.enabled | Configure S3 compatible default storage location. Current version supports S3 and MinIO | false |
-| s3.credentialSecretName | Name of the Secret containing S3 credentials. This is an optional field. Skip this field in order to use IAM Role authentication. The Secret must contain following two keys, `accessKey` and `secretKey` | "" |
-| s3.credentialSecretNamespace | Namespace of the Secret containing S3 credentials. This can be any namespace. | "" |
-| s3.region | Region of the S3 Bucket (Required for S3, not valid for MinIO) | "" |
-| s3.bucketName | Name of the Bucket | "" |
-| s3.folder | Base folder within the Bucket (optional) | "" |
-| s3.endpoint | Endpoint for the S3 storage provider | "" |
-| s3.endpointCA | Base64 encoded CA cert for the S3 storage provider (optional) | "" |
-| s3.insecureTLSSkipVerify | Skip SSL verification | false |
-| persistence.enabled | Configure a Persistent Volume as the default storage location. It accepts either a StorageClass name to create a PVC, or directly accepts the PV to use. The Persistent Volume is mounted at `/var/lib/backups` in the operator pod | false |
-| persistence.storageClass | StorageClass to use for dynamically provisioning the Persistent Volume, which will be used for storing backups | "" |
-| persistence.volumeName | Persistent Volume to use for storing backups | "" |
-| persistence.size | Requested size of the Persistent Volume (Applicable when using dynamic provisioning) | "" |
-| debug | Set debug flag for backup-restore deployment | false |
-| trace | Set trace flag for backup-restore deployment | false |
-| nodeSelector | https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector | {} |
-| tolerations | https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration | [] |
-| affinity | https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity | {} |
-| serviceAccount.annotations | Annotations to apply to created service account | {} |
-| global.cattle.psp.enabled | Enable or disable PSPs in the chart | false |
-
------
-
-### PSPs
-
-We have added a configuration to the chart `values.yaml` which allows you to enable or disable PSPs to align with the PSP deprecation in Kubernetes `v1.25` and above.
-
------
-
-### CRDs
-
-Refer [this](https://github.com/rancher/backup-restore-operator#crds) section for information on CRDs that this chart installs. Also refer [this](https://github.com/rancher/backup-restore-operator/tree/master/examples) folder containing sample manifests for the CRDs.
-
------
-### Upgrading Chart
-```bash
-helm upgrade rancher-backup-crd -n cattle-resources-system
-helm upgrade rancher-backup -n cattle-resources-system
-```
-
------
-### Uninstall Chart
-
-```bash
-helm uninstall rancher-backup -n cattle-resources-system
-helm uninstall rancher-backup-crd -n cattle-resources-system
-```
-
diff --git a/charts/rancher-backup/103.0.0+up4.0.0-rc2/app-readme.md b/charts/rancher-backup/103.0.0+up4.0.0-rc2/app-readme.md deleted file mode 100644 index b1406d5ee..000000000 --- a/charts/rancher-backup/103.0.0+up4.0.0-rc2/app-readme.md +++ /dev/null 
@@ -1,33 +0,0 @@ -# Rancher Backup - -This chart enables ability to capture backups of the Rancher application and restore from these backups. This chart can be used to migrate Rancher from one Kubernetes cluster to a different Kubernetes cluster. - -For more information on how to use the feature, refer to our [docs](https://ranchermanager.docs.rancher.com/pages-for-subheaders/backup-restore-and-disaster-recovery). - -This chart installs the following components: - -- [backup-restore-operator](https://github.com/rancher/backup-restore-operator) - - The operator handles backing up all Kubernetes resources and CRDs that Rancher creates and manages from the local cluster. It gathers these resources by querying the Kubernetes API server, packages all the resources to create a tarball file and saves it in the configured backup storage location. - - The operator can be configured to store backups in S3-compatible object stores such as AWS S3 and MinIO, and in persistent volumes. During deployment, you can create a default storage location, but there is always the option to override the default storage location with each backup, but will be limited to using an S3-compatible object store. - - It preserves the ownerReferences on all resources, hence maintaining dependencies between objects. - - This operator provides encryption support, to encrypt user specified resources before saving them in the backup file. It uses the same encryption configuration that is used to enable [Kubernetes Encryption at Rest](https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/). -- Backup - A backup is a CRD (`Backup`) that defines when to take backups, where to store the backup and what encryption to use (optional). Backups can be taken ad hoc or scheduled to be taken in intervals. -- Restore - A restore is a CRD (`Restore`) that defines which backup to use to restore the Rancher application to. 
- -## Upgrading to Kubernetes v1.25+ - ​ -Starting in Kubernetes v1.25, [Pod Security Policies](https://kubernetes.io/docs/concepts/security/pod-security-policy/) have been removed from the Kubernetes API. - ​ -As a result, **before upgrading to Kubernetes v1.25** (or on a fresh install in a Kubernetes v1.25+ cluster), users are expected to perform an in-place upgrade of this chart with `global.cattle.psp.enabled` set to `false` if it has been previously set to `true`. -​ -> **Note:** -> In this chart release, any previous field that was associated with any PSP resources have been removed in favor of a single global field: `global.cattle.psp.enabled`. - ​ -> **Note:** -> If you upgrade your cluster to Kubernetes v1.25+ before removing PSPs via a `helm upgrade` (even if you manually clean up resources), **it will leave the Helm release in a broken state within the cluster such that further Helm operations will not work (`helm uninstall`, `helm upgrade`, etc.).** -> -> If your charts get stuck in this state, please consult the Rancher docs on how to clean up your Helm release secrets. -​ -Upon setting `global.cattle.psp.enabled` to false, the chart will remove any PSP resources deployed on its behalf from the cluster. This is the default setting for this chart. -​ -As a replacement for PSPs, [Pod Security Admission](https://kubernetes.io/docs/concepts/security/pod-security-admission/) should be used. Please consult the Rancher docs for more details on how to configure your chart release namespaces to work with the new Pod Security Admission and apply Pod Security Standards. diff --git a/charts/rancher-backup/103.0.0+up4.0.0-rc2/files/default-resourceset-contents/aks.yaml b/charts/rancher-backup/103.0.0+up4.0.0-rc2/files/default-resourceset-contents/aks.yaml deleted file mode 100644 index 779742058..000000000 --- a/charts/rancher-backup/103.0.0+up4.0.0-rc2/files/default-resourceset-contents/aks.yaml +++ /dev/null 
@@ -1,25 +0,0 @@ -- apiVersion: "apiextensions.k8s.io/v1" - kindsRegexp: "." - resourceNameRegexp: "aks.cattle.io$" -- apiVersion: "aks.cattle.io/v1" - kindsRegexp: "." -- apiVersion: "apps/v1" - kindsRegexp: "^deployments$" - namespaces: - - "cattle-system" - resourceNames: - - "aks-config-operator" -- apiVersion: "rbac.authorization.k8s.io/v1" - kindsRegexp: "^clusterroles$" - resourceNames: - - "aks-operator" -- apiVersion: "rbac.authorization.k8s.io/v1" - kindsRegexp: "^clusterrolebindings$" - resourceNames: - - "aks-operator" -- apiVersion: "v1" - kindsRegexp: "^serviceaccounts$" - namespaces: - - "cattle-system" - resourceNames: - - "aks-operator" diff --git a/charts/rancher-backup/103.0.0+up4.0.0-rc2/files/default-resourceset-contents/eks.yaml b/charts/rancher-backup/103.0.0+up4.0.0-rc2/files/default-resourceset-contents/eks.yaml deleted file mode 100644 index ae57baddf..000000000 --- a/charts/rancher-backup/103.0.0+up4.0.0-rc2/files/default-resourceset-contents/eks.yaml +++ /dev/null @@ -1,17 +0,0 @@ -- apiVersion: "eks.cattle.io/v1" - kindsRegexp: "." -- apiVersion: "apps/v1" - kindsRegexp: "^deployments$" - resourceNames: - - "eks-config-operator" -- apiVersion: "apiextensions.k8s.io/v1" - kindsRegexp: "." - resourceNameRegexp: "eks.cattle.io$" -- apiVersion: "rbac.authorization.k8s.io/v1" - kindsRegexp: "^clusterroles$" - resourceNames: - - "eks-operator" -- apiVersion: "rbac.authorization.k8s.io/v1" - kindsRegexp: "^clusterrolebindings$" - resourceNames: - - "eks-operator" diff --git a/charts/rancher-backup/103.0.0+up4.0.0-rc2/files/default-resourceset-contents/elemental.yaml b/charts/rancher-backup/103.0.0+up4.0.0-rc2/files/default-resourceset-contents/elemental.yaml deleted file mode 100644 index 1d38b1229..000000000 --- a/charts/rancher-backup/103.0.0+up4.0.0-rc2/files/default-resourceset-contents/elemental.yaml +++ /dev/null 
@@ -1,49 +0,0 @@ -- apiVersion: "apiextensions.k8s.io/v1" - kindsRegexp: "." - resourceNameRegexp: "elemental.cattle.io$" -- apiVersion: "apps/v1" - kindsRegexp: "^deployments$" - namespaces: - - "cattle-elemental-system" - resourceNames: - - "elemental-operator" -- apiVersion: "rbac.authorization.k8s.io/v1" - kindsRegexp: "^clusterroles$" - resourceNames: - - "elemental-operator" -- apiVersion: "rbac.authorization.k8s.io/v1" - kindsRegexp: "^clusterrolebindings$" - resourceNames: - - "elemental-operator" -- apiVersion: "v1" - kindsRegexp: "^serviceaccounts$" - namespaces: - - "cattle-elemental-system" - resourceNames: - - "elemental-operator" -- apiVersion: "management.cattle.io/v3" - kindsRegexp: "^globalrole$" - resourceNames: - - "elemental-operator" -- apiVersion: "management.cattle.io/v3" - kindsRegexp: "^apiservice$" - resourceNameRegexp: "elemental.cattle.io$" -- apiVersion: "elemental.cattle.io/v1beta1" - kindsRegexp: "." - namespaceRegexp: "^cattle-fleet-|^fleet-" -- apiVersion: "rbac.authorization.k8s.io/v1" - kindsRegexp: "^roles$|^rolebindings$" - labelSelectors: - matchExpressions: - - key: "elemental.cattle.io/managed" - operator: "In" - values: ["true"] - namespaceRegexp: "^cattle-fleet-|^fleet-" -- apiVersion: "v1" - kindsRegexp: "^secrets$|^serviceaccounts$" - labelSelectors: - matchExpressions: - - key: "elemental.cattle.io/managed" - operator: "In" - values: ["true"] - namespaceRegexp: "^cattle-fleet-|^fleet-" diff --git a/charts/rancher-backup/103.0.0+up4.0.0-rc2/files/default-resourceset-contents/fleet.yaml b/charts/rancher-backup/103.0.0+up4.0.0-rc2/files/default-resourceset-contents/fleet.yaml deleted file mode 100644 index a14125fec..000000000 --- a/charts/rancher-backup/103.0.0+up4.0.0-rc2/files/default-resourceset-contents/fleet.yaml +++ /dev/null 
@@ -1,53 +0,0 @@ -- apiVersion: "v1" - kindsRegexp: "^namespaces$" - resourceNameRegexp: "^fleet-" -- apiVersion: "v1" - kindsRegexp: "^secrets$" - namespaceRegexp: "^cattle-fleet-|^fleet-" - excludeResourceNameRegexp: "^import-token" - labelSelectors: - matchExpressions: - - key: "owner" - operator: "NotIn" - values: ["helm"] - - key: "fleet.cattle.io/managed" - operator: "In" - values: ["true"] -- apiVersion: "v1" - kindsRegexp: "^serviceaccounts$" - namespaceRegexp: "^cattle-fleet-|^fleet-" - excludeResourceNameRegexp: "^default$" -- apiVersion: "v1" - kindsRegexp: "^configmaps$" - namespaceRegexp: "^cattle-fleet-|^fleet-" -- apiVersion: "rbac.authorization.k8s.io/v1" - kindsRegexp: "^roles$|^rolebindings$" - namespaceRegexp: "^cattle-fleet-|^fleet-" -- apiVersion: "rbac.authorization.k8s.io/v1" - kindsRegexp: "^clusterrolebindings$" - resourceNameRegexp: "^fleet-|^gitjob-" -- apiVersion: "rbac.authorization.k8s.io/v1" - kindsRegexp: "^clusterroles$" - resourceNameRegexp: "^fleet-" - resourceNames: - - "gitjob" -- apiVersion: "apiextensions.k8s.io/v1" - kindsRegexp: "." - resourceNameRegexp: "fleet.cattle.io$|gitjob.cattle.io$" -- apiVersion: "fleet.cattle.io/v1alpha1" - kindsRegexp: "." - excludeKinds: - - "bundledeployments" -- apiVersion: "gitjob.cattle.io/v1" - kindsRegexp: "." -- apiVersion: "apps/v1" - kindsRegexp: "^deployments$" - namespaceRegexp: "^cattle-fleet-|^fleet-" - resourceNameRegexp: "^fleet-" - resourceNames: - - "gitjob" -- apiVersion: "apps/v1" - kindsRegexp: "^services$" - namespaceRegexp: "^cattle-fleet-|^fleet-" - resourceNames: - - "gitjob" diff --git a/charts/rancher-backup/103.0.0+up4.0.0-rc2/files/default-resourceset-contents/gke.yaml b/charts/rancher-backup/103.0.0+up4.0.0-rc2/files/default-resourceset-contents/gke.yaml deleted file mode 100644 index a87eef364..000000000 --- a/charts/rancher-backup/103.0.0+up4.0.0-rc2/files/default-resourceset-contents/gke.yaml +++ /dev/null 
@@ -1,17 +0,0 @@ -- apiVersion: "apiextensions.k8s.io/v1" - kindsRegexp: "." - resourceNameRegexp: "gke.cattle.io$" -- apiVersion: "gke.cattle.io/v1" - kindsRegexp: "." -- apiVersion: "apps/v1" - kindsRegexp: "^deployments$" - resourceNames: - - "gke-config-operator" -- apiVersion: "rbac.authorization.k8s.io/v1" - kindsRegexp: "^clusterroles$" - resourceNames: - - "gke-operator" -- apiVersion: "rbac.authorization.k8s.io/v1" - kindsRegexp: "^clusterrolebindings$" - resourceNames: - - "gke-operator" diff --git a/charts/rancher-backup/103.0.0+up4.0.0-rc2/files/default-resourceset-contents/provisioningv2.yaml b/charts/rancher-backup/103.0.0+up4.0.0-rc2/files/default-resourceset-contents/provisioningv2.yaml deleted file mode 100644 index 50a7f906b..000000000 --- a/charts/rancher-backup/103.0.0+up4.0.0-rc2/files/default-resourceset-contents/provisioningv2.yaml +++ /dev/null @@ -1,23 +0,0 @@ -- apiVersion: "apiextensions.k8s.io/v1" - kindsRegexp: "." - resourceNameRegexp: "provisioning.cattle.io$|rke-machine-config.cattle.io$|rke-machine.cattle.io$|rke.cattle.io$|cluster.x-k8s.io$" -- apiVersion: "provisioning.cattle.io/v1" - kindsRegexp: "." -- apiVersion: "rke-machine-config.cattle.io/v1" - kindsRegexp: "." -- apiVersion: "rke-machine.cattle.io/v1" - kindsRegexp: "." -- apiVersion: "rke.cattle.io/v1" - kindsRegexp: "." -- apiVersion: "cluster.x-k8s.io/v1beta1" - kindsRegexp: "." -- apiVersion: "v1" - kindsRegexp: "^secrets$" - resourceNameRegexp: "machine-plan$|rke-state$|machine-state$|machine-driver-secret$|machine-provision$|^harvesterconfig" - namespaces: - - "fleet-default" -- apiVersion: "v1" - kindsRegexp: "^configmaps$" - resourceNames: - - "provisioning-log" - namespaceRegexp: "^c-m-" diff --git a/charts/rancher-backup/103.0.0+up4.0.0-rc2/files/default-resourceset-contents/rancher-operator.yaml b/charts/rancher-backup/103.0.0+up4.0.0-rc2/files/default-resourceset-contents/rancher-operator.yaml deleted file mode 100644 index f30c2fd96..000000000 
--- a/charts/rancher-backup/103.0.0+up4.0.0-rc2/files/default-resourceset-contents/rancher-operator.yaml +++ /dev/null @@ -1,28 +0,0 @@ -- apiVersion: "rancher.cattle.io/v1" - kindsRegexp: "." -- apiVersion: "apps/v1" - kindsRegexp: "^deployments$" - resourceNames: - - "rancher-operator" - namespaces: - - "rancher-operator-system" -- apiVersion: "v1" - kindsRegexp: "^serviceaccounts$" - namespaces: - - "rancher-operator-system" - excludeResourceNameRegexp: "^default$" -- apiVersion: "rbac.authorization.k8s.io/v1" - kindsRegexp: "^clusterrolebindings$" - resourceNames: - - "rancher-operator" -- apiVersion: "rbac.authorization.k8s.io/v1" - kindsRegexp: "^clusterroles$" - resourceNames: - - "rancher-operator" -- apiVersion: "apiextensions.k8s.io/v1" - kindsRegexp: "." - resourceNameRegexp: "rancher.cattle.io$" -- apiVersion: "v1" - kindsRegexp: "^namespaces$" - resourceNames: - - "rancher-operator-system" diff --git a/charts/rancher-backup/103.0.0+up4.0.0-rc2/files/default-resourceset-contents/rancher.yaml b/charts/rancher-backup/103.0.0+up4.0.0-rc2/files/default-resourceset-contents/rancher.yaml deleted file mode 100644 index 47fa2e02f..000000000 --- a/charts/rancher-backup/103.0.0+up4.0.0-rc2/files/default-resourceset-contents/rancher.yaml +++ /dev/null 
@@ -1,65 +0,0 @@ -- apiVersion: "v1" - kindsRegexp: "^namespaces$" - resourceNameRegexp: "^cattle-|^p-|^c-|^user-|^u-" - resourceNames: - - "local" -- apiVersion: "v1" - kindsRegexp: "^secrets$" - namespaceRegexp: "^cattle-|^p-|^c-|^local$|^user-|^u-" - labelSelectors: - matchExpressions: - - key: "owner" - operator: "NotIn" - values: ["helm"] - excludeResourceNameRegexp: "^bootstrap-secret$|^rancher-csp-adapter|^csp-adapter-cache$" -- apiVersion: "v1" - kindsRegexp: "^serviceaccounts$" - namespaceRegexp: "^cattle-|^p-|^c-|^local$|^user-|^u-" - excludeResourceNameRegexp: "^default$|^rancher-csp-adapter$" -- apiVersion: "v1" - kindsRegexp: "^configmaps$" - namespaces: - - "cattle-system" -- apiVersion: "rbac.authorization.k8s.io/v1" - kindsRegexp: "^roles$|^rolebindings$" - namespaceRegexp: "^cattle-|^p-|^c-|^local$|^user-|^u-" - excludeResourceNameRegexp: "^rancher-csp-adapter" -- apiVersion: "rbac.authorization.k8s.io/v1" - kindsRegexp: "^clusterrolebindings$" - resourceNameRegexp: "^cattle-|^clusterrolebinding-|^globaladmin-user-|^grb-u-|^crb-" -- apiVersion: "rbac.authorization.k8s.io/v1" - kindsRegexp: "^clusterroles$" - resourceNameRegexp: "^cattle-|^p-|^c-|^local-|^user-|^u-|^project-|^create-ns$" - excludeResourceNameRegexp: "^rancher-csp-adapter-" -- apiVersion: "scheduling.k8s.io/v1" - kindsRegexp: "^priorityclasses$" - resourceNameRegexp: "^rancher-critical$" -- apiVersion: "apiextensions.k8s.io/v1" - kindsRegexp: "." - resourceNameRegexp: "management.cattle.io$|project.cattle.io$|catalog.cattle.io$|resources.cattle.io$" -- apiVersion: "management.cattle.io/v3" - kindsRegexp: "." - excludeKinds: - - "tokens" - - "rancherusernotifications" -- apiVersion: "management.cattle.io/v3" - kindsRegexp: "^tokens$" - labelSelectors: - matchExpressions: - - key: "authn.management.cattle.io/kind" - operator: "NotIn" - values: [ "provisioning" ] -- apiVersion: "project.cattle.io/v3" - kindsRegexp: "." 
-- apiVersion: "catalog.cattle.io/v1" - kindsRegexp: "^clusterrepos$" -- apiVersion: "resources.cattle.io/v1" - kindsRegexp: "^ResourceSet$" -- apiVersion: "v1" - kindsRegexp: "^secrets$" - namespaceRegexp: "^.*$" - labelSelectors: - matchExpressions: - - key: "resources.cattle.io/backup" - operator: "In" - values: ["true"] diff --git a/charts/rancher-backup/103.0.0+up4.0.0-rc2/templates/_helpers.tpl b/charts/rancher-backup/103.0.0+up4.0.0-rc2/templates/_helpers.tpl deleted file mode 100644 index a5e485243..000000000 --- a/charts/rancher-backup/103.0.0+up4.0.0-rc2/templates/_helpers.tpl +++ /dev/null 
@@ -1,87 +0,0 @@ -{{- define "system_default_registry" -}} -{{- if .Values.global.cattle.systemDefaultRegistry -}} -{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}} -{{- else -}} -{{- "" -}} -{{- end -}} -{{- end -}} - -{{/* -Windows cluster will add default taint for linux nodes, -add below linux tolerations to workloads could be scheduled to those linux nodes -*/}} -{{- define "linux-node-tolerations" -}} -- key: "cattle.io/os" - value: "linux" - effect: "NoSchedule" - operator: "Equal" -{{- end -}} - -{{- define "linux-node-selector" -}} -{{- if semverCompare "<1.14-0" .Capabilities.KubeVersion.GitVersion -}} -beta.kubernetes.io/os: linux -{{- else -}} -kubernetes.io/os: linux -{{- end -}} -{{- end -}} - -{{/* -Create a default fully qualified app name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -*/}} -{{- define "backupRestore.fullname" -}} -{{- .Chart.Name | trunc 63 | trimSuffix "-" }} -{{- end }} - -{{/* -Create chart name and version as used by the chart label. -*/}} -{{- define "backupRestore.chart" -}} -{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} -{{- end }} - -{{/* -Common labels -*/}} -{{- define "backupRestore.labels" -}} -helm.sh/chart: {{ include "backupRestore.chart" . }} -{{ include "backupRestore.selectorLabels" . }} -{{- if .Chart.AppVersion }} -app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} -{{- end }} -app.kubernetes.io/managed-by: {{ .Release.Service }} -{{- end }} - -{{/* -Selector labels -*/}} -{{- define "backupRestore.selectorLabels" -}} -app.kubernetes.io/name: {{ include "backupRestore.fullname" . }} -app.kubernetes.io/instance: {{ .Release.Name }} -resources.cattle.io/operator: backup-restore -{{- end }} - - -{{/* -Create the name of the service account to use -*/}} -{{- define "backupRestore.serviceAccountName" -}} -{{ include "backupRestore.fullname" . 
}} -{{- end }} - - -{{- define "backupRestore.s3SecretName" -}} -{{- printf "%s-%s" .Chart.Name "s3" | replace "+" "_" | trunc 63 | trimSuffix "-" }} -{{- end }} - -{{/* -Create PVC name using release and revision number, unless a volumeName is given. -*/}} -{{- define "backupRestore.pvcName" -}} -{{- if and .Values.persistence.volumeName }} -{{- printf "%s" .Values.persistence.volumeName }} -{{- else -}} -{{- printf "%s-%d" .Release.Name .Release.Revision }} -{{- end }} -{{- end }} - diff --git a/charts/rancher-backup/103.0.0+up4.0.0-rc2/templates/clusterrolebinding.yaml b/charts/rancher-backup/103.0.0+up4.0.0-rc2/templates/clusterrolebinding.yaml deleted file mode 100644 index cf4abf670..000000000 --- a/charts/rancher-backup/103.0.0+up4.0.0-rc2/templates/clusterrolebinding.yaml +++ /dev/null @@ -1,14 +0,0 @@ -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: {{ include "backupRestore.fullname" . }} - labels: - {{- include "backupRestore.labels" . | nindent 4 }} -subjects: -- kind: ServiceAccount - name: {{ include "backupRestore.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} -roleRef: - kind: ClusterRole - name: cluster-admin - apiGroup: rbac.authorization.k8s.io diff --git a/charts/rancher-backup/103.0.0+up4.0.0-rc2/templates/deployment.yaml b/charts/rancher-backup/103.0.0+up4.0.0-rc2/templates/deployment.yaml deleted file mode 100644 index 631fa458b..000000000 --- a/charts/rancher-backup/103.0.0+up4.0.0-rc2/templates/deployment.yaml +++ /dev/null 
@@ -1,79 +0,0 @@ -{{- if and .Values.s3.enabled .Values.persistence.enabled }} -{{- fail "\n\nCannot configure both s3 and PV for storing backups" }} -{{- end }} -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "backupRestore.fullname" . }} - namespace: {{ .Release.Namespace }} - labels: - {{- include "backupRestore.labels" . | nindent 4 }} -spec: - selector: - matchLabels: - {{- include "backupRestore.selectorLabels" . | nindent 6 }} - template: - metadata: - labels: - {{- include "backupRestore.selectorLabels" . | nindent 8 }} - annotations: - checksum/s3: {{ include (print $.Template.BasePath "/s3-secret.yaml") . | sha256sum }} - checksum/pvc: {{ include (print $.Template.BasePath "/pvc.yaml") . | sha256sum }} - spec: - serviceAccountName: {{ include "backupRestore.serviceAccountName" . }} - {{- if .Values.imagePullSecrets }} - imagePullSecrets: - {{ toYaml .Values.imagePullSecrets | indent 6 }} - {{- end }} - {{- if .Values.priorityClassName }} - priorityClassName: {{ .Values.priorityClassName }} - {{- end }} - containers: - - name: {{ .Chart.Name }} - image: {{ template "system_default_registry" . }}{{ .Values.image.repository }}:{{ .Values.image.tag }} - imagePullPolicy: {{ default "Always" .Values.imagePullPolicy }} - args: -{{- if .Values.debug }} - - "--debug" -{{- end }} -{{- if .Values.trace }} - - "--trace" -{{- end }} - env: - - name: CHART_NAMESPACE - value: {{ .Release.Namespace }} - {{- if .Values.s3.enabled }} - - name: DEFAULT_S3_BACKUP_STORAGE_LOCATION - value: {{ include "backupRestore.s3SecretName" . 
}} - {{- end }} - {{- if .Values.proxy }} - - name: HTTP_PROXY - value: {{ .Values.proxy }} - - name: HTTPS_PROXY - value: {{ .Values.proxy }} - - name: NO_PROXY - value: {{ .Values.noProxy }} - {{- end }} - {{- if .Values.persistence.enabled }} - - name: DEFAULT_PERSISTENCE_ENABLED - value: "persistence-enabled" - volumeMounts: - - mountPath: "/var/lib/backups" - name: pv-storage - volumes: - - name: pv-storage - persistentVolumeClaim: - claimName: {{ include "backupRestore.pvcName" . }} - {{- end }} - nodeSelector: {{ include "linux-node-selector" . | nindent 8 }} -{{- if .Values.nodeSelector }} -{{ toYaml .Values.nodeSelector | indent 8 }} -{{- end }} - {{- with .Values.affinity }} - affinity: - {{- toYaml . | nindent 8 }} - {{- end }} - tolerations: {{ include "linux-node-tolerations" . | nindent 8 }} -{{- if .Values.tolerations }} -{{ toYaml .Values.tolerations | indent 8 }} -{{- end }} diff --git a/charts/rancher-backup/103.0.0+up4.0.0-rc2/templates/hardened.yaml b/charts/rancher-backup/103.0.0+up4.0.0-rc2/templates/hardened.yaml deleted file mode 100644 index bf8492ce0..000000000 --- a/charts/rancher-backup/103.0.0+up4.0.0-rc2/templates/hardened.yaml +++ /dev/null 
@@ -1,124 +0,0 @@ -apiVersion: batch/v1 -kind: Job -metadata: - name: {{ include "backupRestore.fullname" . }}-patch-sa - namespace: {{ .Release.Namespace }} - labels: {{ include "backupRestore.labels" . | nindent 4 }} - annotations: - "helm.sh/hook": post-install, post-upgrade - "helm.sh/hook-delete-policy": hook-succeeded, before-hook-creation -spec: - backoffLimit: 1 - template: - spec: - serviceAccountName: {{ include "backupRestore.fullname" . }}-patch-sa - securityContext: - runAsNonRoot: true - runAsUser: 1000 - restartPolicy: Never - nodeSelector: {{ include "linux-node-selector" . | nindent 8 }} -{{- if .Values.nodeSelector }} -{{ toYaml .Values.nodeSelector | indent 8 }} -{{- end }} - tolerations: {{ include "linux-node-tolerations" . | nindent 8 }} -{{- if .Values.tolerations }} -{{ toYaml .Values.tolerations | indent 8 }} -{{- end }} - containers: - - name: {{ include "backupRestore.fullname" . }}-patch-sa - image: {{ include "system_default_registry" . }}{{ .Values.global.kubectl.repository }}:{{ .Values.global.kubectl.tag }} - imagePullPolicy: IfNotPresent - command: ["kubectl", "-n", {{ .Release.Namespace | quote }}, "patch", "serviceaccount", "default", "-p", "{\"automountServiceAccountToken\": false}"] ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ include "backupRestore.fullname" . }}-patch-sa - namespace: {{ .Release.Namespace }} - labels: {{ include "backupRestore.labels" . | nindent 4 }} - annotations: - "helm.sh/hook": post-install, post-upgrade - "helm.sh/hook-delete-policy": hook-succeeded, before-hook-creation ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ include "backupRestore.fullname" . }}-patch-sa - labels: {{ include "backupRestore.labels" . 
| nindent 4 }} - annotations: - "helm.sh/hook": post-install, post-upgrade - "helm.sh/hook-delete-policy": hook-succeeded, before-hook-creation -rules: - - apiGroups: [""] - resources: ["serviceaccounts"] - verbs: ["get", "patch"] -{{- if .Values.global.cattle.psp.enabled}} - - apiGroups: ["policy"] - resources: ["podsecuritypolicies"] - verbs: ["use"] - resourceNames: - - {{ include "backupRestore.fullname" . }}-patch-sa -{{- end}} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: {{ include "backupRestore.fullname" . }}-patch-sa - labels: {{ include "backupRestore.labels" . | nindent 4 }} - annotations: - "helm.sh/hook": post-install, post-upgrade - "helm.sh/hook-delete-policy": hook-succeeded, before-hook-creation -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: {{ include "backupRestore.fullname" . }}-patch-sa -subjects: - - kind: ServiceAccount - name: {{ include "backupRestore.fullname" . }}-patch-sa - namespace: {{ .Release.Namespace }} ---- -{{- if .Values.global.cattle.psp.enabled}} -apiVersion: policy/v1beta1 -kind: PodSecurityPolicy -metadata: - name: {{ include "backupRestore.fullname" . }}-patch-sa - labels: {{ include "backupRestore.labels" . | nindent 4 }} - annotations: - "helm.sh/hook": post-install, post-upgrade - "helm.sh/hook-delete-policy": hook-succeeded, before-hook-creation -spec: - privileged: false - hostNetwork: false - hostIPC: false - hostPID: false - runAsUser: - rule: 'MustRunAsNonRoot' - seLinux: - rule: 'RunAsAny' - supplementalGroups: - rule: 'MustRunAs' - ranges: - - min: 1 - max: 65535 - fsGroup: - rule: 'MustRunAs' - ranges: - - min: 1 - max: 65535 - readOnlyRootFilesystem: false - volumes: - - 'secret' -{{- end}} ---- -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: {{ include "backupRestore.fullname" . 
}}-default-allow-all - namespace: {{ .Release.Namespace }} -spec: - podSelector: {} - egress: - - {} - policyTypes: - - Ingress - - Egress diff --git a/charts/rancher-backup/103.0.0+up4.0.0-rc2/templates/psp.yaml b/charts/rancher-backup/103.0.0+up4.0.0-rc2/templates/psp.yaml deleted file mode 100644 index 34bc96ee7..000000000 --- a/charts/rancher-backup/103.0.0+up4.0.0-rc2/templates/psp.yaml +++ /dev/null @@ -1,31 +0,0 @@ -{{- if .Values.global.cattle.psp.enabled -}} -apiVersion: policy/v1beta1 -kind: PodSecurityPolicy -metadata: - name: {{ include "backupRestore.fullname" . }}-psp - labels: {{ include "backupRestore.labels" . | nindent 4 }} -spec: - privileged: false - allowPrivilegeEscalation: false - hostNetwork: false - hostIPC: false - hostPID: false - runAsUser: - rule: 'MustRunAsNonRoot' - seLinux: - rule: 'RunAsAny' - supplementalGroups: - rule: 'MustRunAs' - ranges: - - min: 1 - max: 65535 - fsGroup: - rule: 'MustRunAs' - ranges: - - min: 1 - max: 65535 - readOnlyRootFilesystem: false - volumes: - - 'persistentVolumeClaim' - - 'secret' -{{- end -}} diff --git a/charts/rancher-backup/103.0.0+up4.0.0-rc2/templates/pvc.yaml b/charts/rancher-backup/103.0.0+up4.0.0-rc2/templates/pvc.yaml deleted file mode 100644 index ff57e4dab..000000000 --- a/charts/rancher-backup/103.0.0+up4.0.0-rc2/templates/pvc.yaml +++ /dev/null 
@@ -1,27 +0,0 @@ -{{- if and .Values.persistence.enabled -}} -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: {{ include "backupRestore.pvcName" . }} - namespace: {{ .Release.Namespace }} - labels: - {{- include "backupRestore.labels" . | nindent 4 }} -spec: - accessModes: - - ReadWriteOnce - resources: - {{- with .Values.persistence }} - requests: - storage: {{ .size | quote }} -{{- if .storageClass }} -{{- if (eq "-" .storageClass) }} - storageClassName: "" -{{- else }} - storageClassName: {{ .storageClass | quote }} -{{- end }} -{{- end }} -{{- if .volumeName }} - volumeName: {{ .volumeName | quote }} -{{- end }} -{{- end }} -{{- end }} diff --git a/charts/rancher-backup/103.0.0+up4.0.0-rc2/templates/rancher-resourceset.yaml b/charts/rancher-backup/103.0.0+up4.0.0-rc2/templates/rancher-resourceset.yaml deleted file mode 100644 index 05add8824..000000000 --- a/charts/rancher-backup/103.0.0+up4.0.0-rc2/templates/rancher-resourceset.yaml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: resources.cattle.io/v1 -kind: ResourceSet -metadata: - name: rancher-resource-set -controllerReferences: - - apiVersion: "apps/v1" - resource: "deployments" - name: "rancher" - namespace: "cattle-system" -resourceSelectors: -{{- range $path, $_ := .Files.Glob "files/default-resourceset-contents/*.yaml" -}} - {{- $.Files.Get $path | nindent 2 -}} -{{- end -}} diff --git a/charts/rancher-backup/103.0.0+up4.0.0-rc2/templates/s3-secret.yaml b/charts/rancher-backup/103.0.0+up4.0.0-rc2/templates/s3-secret.yaml deleted file mode 100644 index 726509730..000000000 --- a/charts/rancher-backup/103.0.0+up4.0.0-rc2/templates/s3-secret.yaml +++ /dev/null 
@@ -1,31 +0,0 @@ -{{- if .Values.s3.enabled -}} -apiVersion: v1 -kind: Secret -metadata: - name: {{ include "backupRestore.s3SecretName" . }} - namespace: {{ .Release.Namespace }} - labels: - {{- include "backupRestore.labels" . | nindent 4 }} -type: Opaque -stringData: - {{- with .Values.s3 }} - {{- if .credentialSecretName }} - credentialSecretName: {{ .credentialSecretName }} - credentialSecretNamespace: {{ required "When providing a Secret containing S3 credentials, a valid .Values.credentialSecretNamespace must be provided" .credentialSecretNamespace }} - {{- end }} - {{- if .region }} - region: {{ .region | quote }} - {{- end }} - bucketName: {{ required "A valid .Values.bucketName is required for configuring S3 compatible storage as the default backup storage location" .bucketName | quote }} - {{- if .folder }} - folder: {{ .folder | quote }} - {{- end }} - endpoint: {{ required "A valid .Values.endpoint is required for configuring S3 compatible storage as the default backup storage location" .endpoint | quote }} - {{- if .endpointCA }} - endpointCA: {{ .endpointCA }} - {{- end }} - {{- if .insecureTLSSkipVerify }} - insecureTLSSkipVerify: {{ .insecureTLSSkipVerify | quote }} - {{- end }} - {{- end }} -{{ end }} diff --git a/charts/rancher-backup/103.0.0+up4.0.0-rc2/templates/serviceaccount.yaml b/charts/rancher-backup/103.0.0+up4.0.0-rc2/templates/serviceaccount.yaml deleted file mode 100644 index 754e1fe89..000000000 --- a/charts/rancher-backup/103.0.0+up4.0.0-rc2/templates/serviceaccount.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ include "backupRestore.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} - labels: - {{- include "backupRestore.labels" . | nindent 4 }} -{{- if .Values.serviceAccount.annotations }} - annotations: - {{- toYaml .Values.serviceAccount.annotations | nindent 4 }} -{{- end }} 
diff --git a/charts/rancher-backup/103.0.0+up4.0.0-rc2/templates/validate-install-crd.yaml b/charts/rancher-backup/103.0.0+up4.0.0-rc2/templates/validate-install-crd.yaml deleted file mode 100644 index f63fd2e2e..000000000 --- a/charts/rancher-backup/103.0.0+up4.0.0-rc2/templates/validate-install-crd.yaml +++ /dev/null @@ -1,16 +0,0 @@ -#{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}} -# {{- $found := dict -}} -# {{- set $found "resources.cattle.io/v1/Backup" false -}} -# {{- set $found "resources.cattle.io/v1/ResourceSet" false -}} -# {{- set $found "resources.cattle.io/v1/Restore" false -}} -# {{- range .Capabilities.APIVersions -}} -# {{- if hasKey $found (toString .) -}} -# {{- set $found (toString .) true -}} -# {{- end -}} -# {{- end -}} -# {{- range $_, $exists := $found -}} -# {{- if (eq $exists false) -}} -# {{- required "Required CRDs are missing. Please install the corresponding CRD chart before installing this chart." "" -}} -# {{- end -}} -# {{- end -}} -#{{- end -}} \ No newline at end of file diff --git a/charts/rancher-backup/103.0.0+up4.0.0-rc2/templates/validate-psp-install.yaml b/charts/rancher-backup/103.0.0+up4.0.0-rc2/templates/validate-psp-install.yaml deleted file mode 100644 index a30c59d3b..000000000 --- a/charts/rancher-backup/103.0.0+up4.0.0-rc2/templates/validate-psp-install.yaml +++ /dev/null @@ -1,7 +0,0 @@ -#{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}} -#{{- if .Values.global.cattle.psp.enabled }} -#{{- if not (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }} -#{{- fail "The target cluster does not have the PodSecurityPolicy API resource. Please disable PSPs in this chart before proceeding." -}} -#{{- end }} -#{{- end }} -#{{- end }} diff --git a/charts/rancher-backup/103.0.0+up4.0.0-rc2/tests/deployment_test.yaml b/charts/rancher-backup/103.0.0+up4.0.0-rc2/tests/deployment_test.yaml deleted file mode 100644 index 671d415db..000000000 
--- a/charts/rancher-backup/103.0.0+up4.0.0-rc2/tests/deployment_test.yaml +++ /dev/null 
@@ -1,216 +0,0 @@ -suite: Test Deployment -templates: -- deployment.yaml -- s3-secret.yaml -- pvc.yaml -- _helpers.tpl -tests: -- it: should set name - template: deployment.yaml - asserts: - - equal: - path: metadata.name - value: "rancher-backup" -- it: should set namespace - template: deployment.yaml - asserts: - - equal: - path: metadata.namespace - value: "NAMESPACE" -- it: should set priorityClassName - set: - priorityClassName: "testClass" - template: deployment.yaml - asserts: - - equal: - path: spec.template.spec.priorityClassName - value: "testClass" -- it: should set default imagePullPolicy - template: deployment.yaml - asserts: - - equal: - path: spec.template.spec.containers[0].imagePullPolicy - value: "Always" -- it: should set imagePullPolicy - set: - imagePullPolicy: "IfNotPresent" - template: deployment.yaml - asserts: - - equal: - path: spec.template.spec.containers[0].imagePullPolicy - value: "IfNotPresent" -- it: should set debug loglevel - set: - debug: true - template: deployment.yaml - asserts: - - contains: - path: spec.template.spec.containers[0].args - content: "--debug" -- it: should set trace loglevel - set: - trace: true - template: deployment.yaml - asserts: - - contains: - path: spec.template.spec.containers[0].args - content: "--trace" -- it: should set proxy environment variables - set: - proxy: "https://127.0.0.1:3128" - template: deployment.yaml - asserts: - - contains: - path: spec.template.spec.containers[0].env - content: - name: HTTP_PROXY - value: "https://127.0.0.1:3128" - - contains: - path: spec.template.spec.containers[0].env - content: - name: HTTPS_PROXY - value: "https://127.0.0.1:3128" - - contains: - path: spec.template.spec.containers[0].env - content: - name: NO_PROXY - value: "127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,.svc,.cluster.local" -- it: should set proxy environment variables with modified noproxy - set: - proxy: "https://127.0.0.1:3128" - noProxy: "192.168.0.0/24" - template: deployment.yaml - 
asserts: - - contains: - path: spec.template.spec.containers[0].env - content: - name: NO_PROXY - value: "192.168.0.0/24" -- it: should set persistence variables - set: - persistence.enabled: true - template: deployment.yaml - asserts: - - contains: - path: spec.template.spec.containers[0].env - content: - name: DEFAULT_PERSISTENCE_ENABLED - value: "persistence-enabled" - - contains: - path: spec.template.spec.containers[0].volumeMounts - content: - mountPath: "/var/lib/backups" - name: "pv-storage" - - equal: - path: spec.template.spec.volumes[0].name - value: "pv-storage" - - equal: - path: spec.template.spec.volumes[0].persistentVolumeClaim - value: - claimName: RELEASE-NAME-0 -- it: should set claim from custom static volumeName - set: - persistence.enabled: true - persistence.volumeName: "PREDEFINED-VOLUME" - persistence.storageClass: "PREDEFINED-STORAGECLASS" - persistence.size: "PREDIFINED-SAMEAS-PVSIZE" - template: deployment.yaml - asserts: - - contains: - path: spec.template.spec.containers[0].env - content: - name: DEFAULT_PERSISTENCE_ENABLED - value: "persistence-enabled" - - equal: - path: spec.template.spec.volumes[0].persistentVolumeClaim - value: - claimName: PREDEFINED-VOLUME -- it: should set private registry - template: deployment.yaml - set: - global.cattle.systemDefaultRegistry: "my.registry.local:3000" - asserts: - - matchRegex: - path: spec.template.spec.containers[0].image - pattern: ^my.registry.local:3000/rancher/backup-restore-operator:.*$ -- it: should set nodeselector - template: deployment.yaml - asserts: - - equal: - path: spec.template.spec.nodeSelector - value: - kubernetes.io/os: linux -- it: should not set default affinity - template: deployment.yaml - asserts: - - isNull: - path: spec.template.spec.affinity -- it: should set custom affinity - template: deployment.yaml - set: - affinity: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: disktype - operator: In - 
values: - - ssd - asserts: - - equal: - path: spec.template.spec.affinity - value: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: disktype - operator: In - values: - - ssd -- it: should set tolerations - template: deployment.yaml - asserts: - - equal: - path: spec.template.spec.tolerations[0] - value: - key: "cattle.io/os" - value: "linux" - effect: "NoSchedule" - operator: "Equal" -- it: should set custom tolerations - template: deployment.yaml - set: - tolerations: - - key: "example-key" - operator: "Exists" - effect: "NoSchedule" - asserts: - - equal: - path: spec.template.spec.tolerations[0] - value: - key: "cattle.io/os" - value: "linux" - effect: "NoSchedule" - operator: "Equal" - - equal: - path: spec.template.spec.tolerations[1] - value: - key: "example-key" - operator: "Exists" - effect: "NoSchedule" -- it: should not set default imagePullSecrets - template: deployment.yaml - asserts: - - isNull: - path: spec.template.spec.imagePullSecrets -- it: should set imagePullSecrets - set: - imagePullSecrets: - - name: "pull-secret" - template: deployment.yaml - asserts: - - equal: - path: spec.template.spec.imagePullSecrets[0].name - value: "pull-secret" diff --git a/charts/rancher-backup/103.0.0+up4.0.0-rc2/tests/pvc_test.yaml b/charts/rancher-backup/103.0.0+up4.0.0-rc2/tests/pvc_test.yaml deleted file mode 100644 index 3a1c40698..000000000 --- a/charts/rancher-backup/103.0.0+up4.0.0-rc2/tests/pvc_test.yaml +++ /dev/null 
@@ -1,102 +0,0 @@ -suite: Test PVC -templates: -- pvc.yaml -- _helpers.tpl -tests: -- it: should set name - template: pvc.yaml - set: - persistence: - enabled: true - asserts: - - equal: - path: metadata.name - value: "RELEASE-NAME-0" -- it: should set namespace - template: pvc.yaml - set: - persistence: - enabled: true - asserts: - - equal: - path: metadata.namespace - value: "NAMESPACE" -- it: should set accessModes - template: pvc.yaml - set: - persistence: - enabled: true - asserts: - - equal: - path: spec.accessModes[0] - value: "ReadWriteOnce" -- it: should set size - template: pvc.yaml - set: - persistence: - enabled: true - asserts: - - equal: - path: spec.resources.requests.storage - value: "2Gi" -- it: should set size - template: pvc.yaml - set: - persistence: - enabled: true - size: "10Gi" - asserts: - - equal: - path: spec.resources.requests.storage - value: "10Gi" -- it: should not set volumeName - template: pvc.yaml - set: - persistence: - enabled: true - asserts: - - isNull: - path: spec.volumeName -- it: should set default storageClass - template: pvc.yaml - set: - persistence: - enabled: true - asserts: - - equal: - path: spec.storageClassName - value: "" -- it: should set custom storageClass - template: pvc.yaml - set: - persistence: - enabled: true - storageClass: "storage-class" - asserts: - - equal: - path: spec.storageClassName - value: "storage-class" -- it: should set custom volumeName - template: pvc.yaml - set: - persistence: - enabled: true - volumeName: "volume-name" - asserts: - - equal: - path: spec.volumeName - value: "volume-name" -- it: should set claim from custom static volumeName - set: - persistence.enabled: true - persistence.volumeName: "PREDEFINED-VOLUME" - persistence.storageClass: "PREDEFINED-STORAGECLASS" - persistence.size: "PREDEFINED-SAMEAS-PVSIZE" - template: pvc.yaml - asserts: - - equal: - path: spec.resources.requests.storage - value: "PREDEFINED-SAMEAS-PVSIZE" - - equal: - path: spec.storageClassName - value: 
"PREDEFINED-STORAGECLASS" diff --git a/charts/rancher-backup/103.0.0+up4.0.0-rc2/tests/s3-secret_test.yaml b/charts/rancher-backup/103.0.0+up4.0.0-rc2/tests/s3-secret_test.yaml deleted file mode 100644 index af130dd29..000000000 --- a/charts/rancher-backup/103.0.0+up4.0.0-rc2/tests/s3-secret_test.yaml +++ /dev/null 
@@ -1,141 +0,0 @@ -suite: Test S3 Secret -templates: -- s3-secret.yaml -- _helpers.tpl -tests: -- it: should set name - template: s3-secret.yaml - set: - s3: - enabled: true - bucketName: "yourbucket" - endpoint: "https://s3.amazonaws.com" - asserts: - - equal: - path: metadata.name - value: "rancher-backup-s3" -- it: should set namespace - template: s3-secret.yaml - set: - s3: - enabled: true - bucketName: "yourbucket" - endpoint: "https://s3.amazonaws.com" - asserts: - - equal: - path: metadata.namespace - value: "NAMESPACE" -- it: should not set credentialSecretName - template: s3-secret.yaml - set: - s3: - enabled: true - bucketName: "yourbucket" - endpoint: "https://s3.amazonaws.com" - asserts: - - isNull: - path: stringData.credentialSecretName -- it: should set credentialSecretName - template: s3-secret.yaml - set: - s3: - enabled: true - bucketName: "yourbucket" - endpoint: "https://s3.amazonaws.com" - credentialSecretName: "credential-secret-name" - credentialSecretNamespace: "credential-secret-namespace" - asserts: - - equal: - path: stringData.credentialSecretName - value: "credential-secret-name" - - equal: - path: stringData.credentialSecretNamespace - value: "credential-secret-namespace" -- it: should not set folder - template: s3-secret.yaml - set: - s3: - enabled: true - bucketName: "yourbucket" - endpoint: "https://s3.amazonaws.com" - asserts: - - isNull: - path: stringData.folder -- it: should set folder - template: s3-secret.yaml - set: - s3: - enabled: true - bucketName: "yourbucket" - endpoint: "https://s3.amazonaws.com" - folder: "myfolder" - asserts: - - equal: - path: stringData.folder - value: "myfolder" -- it: should not set region - template: s3-secret.yaml - set: - s3: - enabled: true - bucketName: "yourbucket" - endpoint: "https://s3.amazonaws.com" - asserts: - - isNull: - path: stringData.region -- it: should set region - template: s3-secret.yaml - set: - s3: - enabled: true - bucketName: "yourbucket" - endpoint: 
"https://s3.amazonaws.com" - region: "us-west-1" - asserts: - - equal: - path: stringData.region - value: "us-west-1" -- it: should not set endpointCA - template: s3-secret.yaml - set: - s3: - enabled: true - bucketName: "yourbucket" - endpoint: "https://s3.amazonaws.com" - asserts: - - isNull: - path: stringData.endpointCA -- it: should set endpointCA - template: s3-secret.yaml - set: - s3: - enabled: true - bucketName: "yourbucket" - endpoint: "https://s3.amazonaws.com" - endpointCA: "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" - asserts: - - equal: - path: stringData.endpointCA - value: "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" -- it: should not set insecureTLSSkipVerify - template: s3-secret.yaml - set: - s3: - enabled: true - bucketName: "yourbucket" - endpoint: "https://s3.amazonaws.com" - asserts: - - isNull: - path: stringData.insecureTLSSkipVerify -- it: should set insecureTLSSkipVerify - template: s3-secret.yaml - set: - s3: - enabled: true - bucketName: "yourbucket" - endpoint: "https://s3.amazonaws.com" - insecureTLSSkipVerify: "true" - asserts: - - equal: - path: stringData.insecureTLSSkipVerify - value: "true" diff --git a/charts/rancher-backup/103.0.0+up4.0.0-rc2/values.yaml b/charts/rancher-backup/103.0.0+up4.0.0-rc2/values.yaml deleted file mode 100644 index b5e3b610f..000000000 --- a/charts/rancher-backup/103.0.0+up4.0.0-rc2/values.yaml +++ /dev/null 
@@ -1,81 +0,0 @@ -image: - repository: rancher/backup-restore-operator - tag: v4.0.0-rc2 - -## Default s3 bucket for storing all backup files created by the backup-restore-operator -s3: - enabled: false - ## credentialSecretName if set, should be the name of the Secret containing AWS credentials. - ## To use IAM Role, don't set this field - credentialSecretName: "" - credentialSecretNamespace: "" - region: "" - bucketName: "" - folder: "" - endpoint: "" - endpointCA: "" - insecureTLSSkipVerify: false - -## ref: http://kubernetes.io/docs/user-guide/persistent-volumes/ -## If persistence is enabled, operator will create a PVC with mountPath /var/lib/backups -persistence: - enabled: false - - ## If defined, storageClassName: - ## If set to "-", storageClassName: "", which disables dynamic provisioning - ## If undefined (the default) or set to null, no storageClassName spec is - ## set, choosing the default provisioner. (gp2 on AWS, standard on - ## GKE, AWS & OpenStack). - ## Refer https://kubernetes.io/docs/concepts/storage/persistent-volumes/#class-1 - ## - storageClass: "-" - - ## If you want to disable dynamic provisioning by setting storageClass to "-" above, - ## and want to target a particular PV, provide name of the target volume - volumeName: "" - - ## Only certain StorageClasses allow resizing PVs; Refer https://kubernetes.io/blog/2018/07/12/resizing-persistent-volumes-using-kubernetes/ - size: 2Gi - -# Add log level flags to backup-restore -debug: false -trace: false - -# http[s] proxy server passed to backup client -# proxy: http://@:: - -# comma separated list of domains or ip addresses that will not use the proxy -noProxy: 127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,.svc,.cluster.local - -global: - cattle: - systemDefaultRegistry: "" - psp: - enabled: false # PSP enablement should default to false - kubectl: - repository: rancher/kubectl - tag: v1.21.9 - -## Node labels for pod assignment -## Ref: 
https://kubernetes.io/docs/user-guide/node-selection/ -## -nodeSelector: {} - -## List of node taints to tolerate (requires Kubernetes >= 1.6) -tolerations: [] - -affinity: {} - -serviceAccount: - annotations: {} - -priorityClassName: "" - -# Override imagePullPolicy for image -# options: Always, Never, IfNotPresent -# Defaults to Always -imagePullPolicy: "Always" - -## Optional array of imagePullSecrets containing private registry credentials -## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ -imagePullSecrets: [] diff --git a/index.yaml b/index.yaml index 91db41656..4d8138c4a 100755 --- a/index.yaml +++ b/index.yaml 
@@ -6261,36 +6261,6 @@ entries: - assets/rancher-alerting-drivers/rancher-alerting-drivers-1.0.100.tgz version: 1.0.100 rancher-backup: - - annotations: - catalog.cattle.io/auto-install: rancher-backup-crd=match - catalog.cattle.io/certified: rancher - catalog.cattle.io/display-name: Rancher Backups - catalog.cattle.io/kube-version: '>= 1.23.0-0 < 1.28.0-0' - catalog.cattle.io/namespace: cattle-resources-system - catalog.cattle.io/os: linux - catalog.cattle.io/permits-os: linux,windows - catalog.cattle.io/provides-gvr: resources.cattle.io.resourceset/v1 - catalog.cattle.io/rancher-version: '>= 2.8.0-0 < 2.9.0-0' - catalog.cattle.io/release-name: rancher-backup - catalog.cattle.io/scope: management - catalog.cattle.io/type: cluster-tool - catalog.cattle.io/ui-component: rancher-backup - catalog.cattle.io/upstream-version: 2.1.1 - apiVersion: v2 - appVersion: 4.0.0-rc2 - created: "2023-10-27T15:09:43.15051-07:00" - description: Provides ability to back up and restore the Rancher application running - on any Kubernetes cluster - digest: 1945636db982e2a7f119eef314050fd35207b512b677cd4641df8bef6d6c5772 - icon: https://charts.rancher.io/assets/logos/backup-restore.svg - keywords: - - applications - - infrastructure - kubeVersion: '>= 1.23.0-0' - name: rancher-backup - urls: - - assets/rancher-backup/rancher-backup-103.0.0+up4.0.0-rc2.tgz - version: 103.0.0+up4.0.0-rc2 - annotations: catalog.cattle.io/auto-install: rancher-backup-crd=match catalog.cattle.io/certified: rancher 
@@ -6819,21 +6789,6 @@ entries: - assets/rancher-backup/rancher-backup-1.0.200.tgz version: 1.0.200 rancher-backup-crd: - - annotations: - catalog.cattle.io/certified: rancher - catalog.cattle.io/hidden: "true" - catalog.cattle.io/namespace: cattle-resources-system - catalog.cattle.io/release-name: rancher-backup-crd - apiVersion: v2 - appVersion: 4.0.0-rc2 - created: "2023-10-27T15:09:49.772564-07:00" - description: Installs the CRDs for rancher-backup. - digest: 65146112b6670fdd6a525ac96554586a06081b7dc22334311ed38c5f7d99563d - name: rancher-backup-crd - type: application - urls: - - assets/rancher-backup-crd/rancher-backup-crd-103.0.0+up4.0.0-rc2.tgz - version: 103.0.0+up4.0.0-rc2 - annotations: catalog.cattle.io/certified: rancher catalog.cattle.io/hidden: "true" From d53db5a41a99baaa3a995c7b97c4f19494b467cb Mon Sep 17 00:00:00 2001 From: Steven Crespo Date: Mon, 30 Oct 2023 12:27:51 -0700 Subject: [PATCH 11/24] Update rancher-backup to v4.0.0 --- packages/rancher-backup/rancher-backup-crd/package.yaml | 2 +- packages/rancher-backup/rancher-backup/package.yaml | 2 +- release.yaml | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/packages/rancher-backup/rancher-backup-crd/package.yaml b/packages/rancher-backup/rancher-backup-crd/package.yaml index 18d0ea383..090bd8349 100644 --- a/packages/rancher-backup/rancher-backup-crd/package.yaml +++ b/packages/rancher-backup/rancher-backup-crd/package.yaml @@ -1,2 +1,2 @@ -url: https://github.com/rancher/backup-restore-operator/releases/download/v4.0.0-rc2/rancher-backup-crd-4.0.0-rc2.tgz +url: https://github.com/rancher/backup-restore-operator/releases/download/v4.0.0/rancher-backup-crd-4.0.0.tgz version: 103.0.0 diff --git a/packages/rancher-backup/rancher-backup/package.yaml b/packages/rancher-backup/rancher-backup/package.yaml index af5a26e8b..5a6b09de6 100644 --- a/packages/rancher-backup/rancher-backup/package.yaml +++ b/packages/rancher-backup/rancher-backup/package.yaml 
@@ -1,2 +1,2 @@
-url: https://github.com/rancher/backup-restore-operator/releases/download/v4.0.0-rc2/rancher-backup-4.0.0-rc2.tgz
+url: https://github.com/rancher/backup-restore-operator/releases/download/v4.0.0/rancher-backup-4.0.0.tgz
 version: 103.0.0
diff --git a/release.yaml b/release.yaml
index 3c42426f9..a5906a736 100644
--- a/release.yaml
+++ b/release.yaml
@@ -1,6 +1,6 @@
 rancher-backup:
 - 102.0.2+up3.1.2
- - 103.0.0+up4.0.0-rc2
+ - 103.0.0+up4.0.0
 rancher-backup-crd:
 - 102.0.2+up3.1.2
- - 103.0.0+up4.0.0-rc2
+ - 103.0.0+up4.0.0
From cb1e51a263bae0ed18f0cf3558fcaba55802a2fd Mon Sep 17 00:00:00 2001
From: Steven Crespo
Date: Mon, 30 Oct 2023 12:52:21 -0700
Subject: [PATCH 12/24] Make charts
---
 .../rancher-backup-crd-103.0.0+up4.0.0.tgz | Bin 0 -> 1774 bytes
 .../rancher-backup-103.0.0+up4.0.0.tgz | Bin 0 -> 11553 bytes
 .../103.0.0+up4.0.0/Chart.yaml | 11 +
 .../103.0.0+up4.0.0/README.md | 3 +
 .../103.0.0+up4.0.0/templates/backup.yaml | 141 ++++++++++++
 .../templates/resourceset.yaml | 118 ++++++++++
 .../103.0.0+up4.0.0/templates/restore.yaml | 122 ++++++++++
 .../rancher-backup/103.0.0+up4.0.0/Chart.yaml | 26 +++
 .../rancher-backup/103.0.0+up4.0.0/README.md | 79 +++++++
 .../103.0.0+up4.0.0/app-readme.md | 33 +++
 .../default-resourceset-contents/aks.yaml | 25 ++
 .../default-resourceset-contents/eks.yaml | 17 ++
 .../elemental.yaml | 49 ++++
 .../default-resourceset-contents/fleet.yaml | 53 +++++
 .../default-resourceset-contents/gke.yaml | 17 ++
 .../provisioningv2.yaml | 23 ++
 .../rancher-operator.yaml | 28 +++
 .../default-resourceset-contents/rancher.yaml | 65 ++++++
 .../103.0.0+up4.0.0/templates/_helpers.tpl | 87 +++++++
 .../templates/clusterrolebinding.yaml | 14 ++
 .../103.0.0+up4.0.0/templates/deployment.yaml | 79 +++++++
 .../103.0.0+up4.0.0/templates/hardened.yaml | 124 ++++++++++
 .../103.0.0+up4.0.0/templates/psp.yaml | 31 +++
 .../103.0.0+up4.0.0/templates/pvc.yaml | 27 +++
 .../templates/rancher-resourceset.yaml | 13 ++
 .../103.0.0+up4.0.0/templates/s3-secret.yaml | 31 +++
 .../templates/serviceaccount.yaml | 11 +
 .../templates/validate-install-crd.yaml | 16 ++
 .../templates/validate-psp-install.yaml | 7 +
 .../tests/deployment_test.yaml | 216 ++++++++++++++++++
 .../103.0.0+up4.0.0/tests/pvc_test.yaml | 102 +++++++++
 .../103.0.0+up4.0.0/tests/s3-secret_test.yaml | 141 ++++++++++++
 .../103.0.0+up4.0.0/values.yaml | 81 +++++++
 index.yaml | 45 ++++
 34 files changed, 1835 insertions(+)
 create mode 100644 assets/rancher-backup-crd/rancher-backup-crd-103.0.0+up4.0.0.tgz
 create mode 100644 assets/rancher-backup/rancher-backup-103.0.0+up4.0.0.tgz
 create mode 100644 charts/rancher-backup-crd/103.0.0+up4.0.0/Chart.yaml
 create mode 100644 charts/rancher-backup-crd/103.0.0+up4.0.0/README.md
 create mode 100644 charts/rancher-backup-crd/103.0.0+up4.0.0/templates/backup.yaml
 create mode 100644 charts/rancher-backup-crd/103.0.0+up4.0.0/templates/resourceset.yaml
 create mode 100644 charts/rancher-backup-crd/103.0.0+up4.0.0/templates/restore.yaml
 create mode 100644 charts/rancher-backup/103.0.0+up4.0.0/Chart.yaml
 create mode 100644 charts/rancher-backup/103.0.0+up4.0.0/README.md
 create mode 100644 charts/rancher-backup/103.0.0+up4.0.0/app-readme.md
 create mode 100644 charts/rancher-backup/103.0.0+up4.0.0/files/default-resourceset-contents/aks.yaml
 create mode 100644 charts/rancher-backup/103.0.0+up4.0.0/files/default-resourceset-contents/eks.yaml
 create mode 100644 charts/rancher-backup/103.0.0+up4.0.0/files/default-resourceset-contents/elemental.yaml
 create mode 100644 charts/rancher-backup/103.0.0+up4.0.0/files/default-resourceset-contents/fleet.yaml
 create mode 100644 charts/rancher-backup/103.0.0+up4.0.0/files/default-resourceset-contents/gke.yaml
 create mode 100644 charts/rancher-backup/103.0.0+up4.0.0/files/default-resourceset-contents/provisioningv2.yaml
 create mode 100644 charts/rancher-backup/103.0.0+up4.0.0/files/default-resourceset-contents/rancher-operator.yaml
 create mode 100644 charts/rancher-backup/103.0.0+up4.0.0/files/default-resourceset-contents/rancher.yaml
 create mode 100644 charts/rancher-backup/103.0.0+up4.0.0/templates/_helpers.tpl
 create mode 100644 charts/rancher-backup/103.0.0+up4.0.0/templates/clusterrolebinding.yaml
 create mode 100644 charts/rancher-backup/103.0.0+up4.0.0/templates/deployment.yaml
 create mode 100644 charts/rancher-backup/103.0.0+up4.0.0/templates/hardened.yaml
 create mode 100644 charts/rancher-backup/103.0.0+up4.0.0/templates/psp.yaml
 create mode 100644 charts/rancher-backup/103.0.0+up4.0.0/templates/pvc.yaml
 create mode 100644 charts/rancher-backup/103.0.0+up4.0.0/templates/rancher-resourceset.yaml
 create mode 100644 charts/rancher-backup/103.0.0+up4.0.0/templates/s3-secret.yaml
 create mode 100644 charts/rancher-backup/103.0.0+up4.0.0/templates/serviceaccount.yaml
 create mode 100644 charts/rancher-backup/103.0.0+up4.0.0/templates/validate-install-crd.yaml
 create mode 100644 charts/rancher-backup/103.0.0+up4.0.0/templates/validate-psp-install.yaml
 create mode 100644 charts/rancher-backup/103.0.0+up4.0.0/tests/deployment_test.yaml
 create mode 100644 charts/rancher-backup/103.0.0+up4.0.0/tests/pvc_test.yaml
 create mode 100644 charts/rancher-backup/103.0.0+up4.0.0/tests/s3-secret_test.yaml
 create mode 100644 charts/rancher-backup/103.0.0+up4.0.0/values.yaml
diff --git a/assets/rancher-backup-crd/rancher-backup-crd-103.0.0+up4.0.0.tgz b/assets/rancher-backup-crd/rancher-backup-crd-103.0.0+up4.0.0.tgz new file mode 100644 index 0000000000000000000000000000000000000000..03c1dee7f84bc4cdc258f7175ddee373942430cd GIT binary patch literal 1774 zcmVDc zVQyr3R8em|NM&qo0PI^|Z`(Ey&$B-Tkv(*OU{{WvbTCk?nUfC1x}mVMz6=9OQ)ihC zMQS7!#2EJ72a2*S%hVq`vX=n5J`|y--yM&4yyNLCF((U<-5DnLanvQ!e?4Acse4Nt zva@E$^E~frI86TcJTL#hcR3iG^@o=ip63k){o$F{A71q@&yd#;|5A#T#`4U2GOzsN zUI<~%g~pl+u0|b%2-cX1phvLQ40=?&CLlGPQ}9P9wH4>I1@(R4BXq814Cl@%9EYGH zOkjlUU{`_?u_U0nYN<4Y&etR`zzVwN^|cHcd+p$eeg>(i;3M>K(ZNx){&U##dS1r| zMI?=MGW3BfjTuu&F93}vHww*#%)$0Lh0OFaf)T<|#3)JB)_GVl>w5#k?uR(CZ2#}A ztwj$1*APYwYf!IKZ9MfTDEI%qH}I}<{{P17U$y>!3d%YUjwn28;N~yYyZ=!c_j~Af z?kV?2XdEjo!b$3~H!!E1CJqpS#y-~AoFCS2tlg;I+P^pM+))t_Gc%APjz-8e#lj@# z5ki*v&k15O5V2Tdwq}xyDawPGVYwRZAf$*eo;qf+(#e^X`e_2&McDTf=`s5xDc2y! zg2f?EnRd}vCHN<-7bDbD8tYi~lok>P@KL0Gj}o#A&JEf_LTO2PP>5$Gy<0}G1(g}7 z1v94%%$wWt828oPjMggAA|UJinu7j44>{R9s|C2SiXM@W=;n@wpfnDnE!gW|d$m5+ zP`FkixZO4N=TG0h>zOy+zCE7+_Lt}1{nZOWDI9EzJx$&$lGx69=vyNq3kdNjohu^X z*PlLo9!$4}5sIXUOiWxEsHK%zZ^%8*5O5-wNjMq{KBvJHh_o8d&qQb|c9|(i%#+Y% zUqVE1jVY%*NJcl%=EA#28V(0GEhK(T@(?#{9n z+KiAIxK(Y;^{$K|TY68l`CjPM1pUu5wkKEKMh}-d7pqea6b~%<$K5DHNHLt zx4B?G$Ww5lT$ytN?mkYZ_te~H=zLks*doq^V1RkSED3?rSDO~zP7t%NKy<;O;&>?G z@0d#Px8>{RV@{_An9UXH#^OyDw)ZhsqKZwTvWrSJgwFG+>hxk*={t$JqN{YOXg6!^ zW#vv9et$$JAv->=G<7>J6A4%qyFfEMT-Mh#5AC$p<~WqPa4o06QsQOq+3KRwq@NiR zopKzhh0u2ntsjoe;c<<8?TBTEBa4{=`2hYez(E!yP^GEp6SJ?f#4Zj)EFFR7P)MgG z?F?FdWU$jEW=G=Lx>B$bFLgEa&%ZCD)b=c?wEnkNIXvlmKt=uk>gqCA|GV(|gMM58 zI|Uu3{+F?vCX0ai64a^^m}O^Ai*-3L^QgKe*jzP;2(G1I4CDmnAc2#7Qs>M9%QC>s zMma)uW!Ntb`R=gX1Zv@}^J&l$lJ76hJgY2rZi-k<%T$;%m4Lc)rOlOx0ZB?f&)0C^ zk+9f@Un%#Udr^4TsglfXAqLCEdR~?Ia=}OCJo+fE8GG zP5i2>a)>oq+&)GUlycv~EtTv*9X6Kkp`=52%au{7 z)4fHjE!+VMc3c1UoPvAs9vrK9CD!`UctxS!vY#ufZL+yS$F)j zcwtAdJV9j2@_13|IV9UEDlu>JqsruL7oxkHuDz@}N7emb3kgqc0IInEzwri_`Tn1a 
zVSE2S2_5VHZ|tVwyT5_V-}@6byLbL{YU4dX)=Q>|z^QlI728gm?$(nU4L26=y{m;M zMKsT9;kErX72o*YAL09h4-D+*F%j!27=1ayWr!cso)fPC++D5Mr%&kcHPC?sIQjy*m#v+UuBp%RcFG<^0(b97zNBw7VdwuiUZ7=kj;!*Yc&;G@m{O>>e!}j-I zC!uf9#9BaFa6se9O{a6c9wiGbHPQ>LP3oBYDc zVQyr3R8em|NM&qo0PMYKbKAJGFnqqg`V}Z8_njoylqtzeqG!(3Bg>NGO}4c;cFrV$ zNJwHt5exy!mgA|q-|xS?zvL+_+(|9Aqh!uCYHDJUK%>#mZ%B#cn>7C#n|m5Wr`ePV5_crydjhu-=iQ?DV zxG^jp-=t%2J9uj7h$zFUQvrVWL5+g{4AISLF%^h65fLhs3U4J5N`-gXG;olKAVHGg z(J4)BKs0Ql3Yb6(4$%ZzG_@9;u}Yfh5{ev!Vr-^Xa}7nq6B}E|qD%Ge+Jrg?PJ*$P z3dKS(2W_M0J(-qr(6;@bTLrbC=5$0f$FM1XbS|k5VBateIs+5~)+ump04<%(1H}#k zbcB2!gtl!O8kY{>xRzyD!yEwE0??X)W4DhS3sFS8G3N}8^)#Z?CY8-ijp zLb>mP?&g zpL9jF%xLqUt}SR3)BjUwx`;gS0nO$q4iVG*4ze*ZD0XH( z^Tb$G!8URr#Y~G+IIMuFV4>WL7hoR^pleb<%AoIRV?@CKJAgGatRaA=2?Q)KFia*e z4uTZvpg-gCmemg_Gt7_$`zBjN2GArZ2f&LL41kU-YCyA%GzZZpoFHHf06}yEkP&uG z9rT4TGkE}b!2cGNfrc##4JOW@df5&EBLxAzgMmvBIINz67B;=rJzv(`FzGJx$yA!4jOWSLahhb)R7~9AWOHg!L()MXRRt97#2aA>!8j_ zyFE6T7BmJkk6dha95fJWsj|t}PNBB=+KV-^=@R59L)Xv|Tgiw)D6*(B#ilz!WRn3n z9031~hJZo5N!bA2WPuyQH08ts2+n&oaAVLBm|)kU=a7!T<`g=crqP#dMRFmKDf295 z;&1?TG%zgI72^&#L^Tr8uu1ayP2E(y?Q7MvIw z;7c=8ltR-BXs#tO0IwJi>4Mc?1IFN@Bg-|-4PfC!XMos90|pVWfM8E;gfU^f7lIb_ zjGO`huZDJstuxijHX8x7bm-^+TOOQ)FINKinPtuZvrVC4fp!QJ zW*nF%zG1e2amVmH?~(sAm!N$U4>wC{@$II%yICx4dM%YCO%<0-x)QYCWOOy|Pz96@ zj9l&osOmZ}@er73icByt;gEP%N}wHcI_kSaPe`c4HHs(d9Lta7PezaI9nFcfBUWjVGYWSTg0!Ge1{_pRs4YNi5sQm6a<{y>cZS2rLSQi?eOduf0h7Q-^ zra>s9zm6x+um}?i!v;{-9mGjWN018TU}4JDDw`?ZbI!u&0)t{{m#rlQb@S~;Q4Rjw zEftD8{7130QGCaKy%j%qHVR~_Z4{*KRWPvz&0KD1;yyH`D??4LSO5@~y{0kDZJs>O8>cmdAa=kg)5d%dN_lUj=XMTyO;Moj@IZ84P<_`|LP!A=Ey|BH8e zB4>`h1WXzz=QoN?rqU63<)Ck_;UE&Wb-As%^ExMMamNvS{4gMncgbSA(v)-yCz z)ikF68CAlbCa+>U26hZOi>PMCVP{k1I83y;adPgO<~cSEZN@3XpXFWvY)ep8^9Ihy z256!wayG!>po!_ZgNWd8Ip=&}qGm1zwF2_uMV=GojKhT{fQ|!aj68mQv5=Fn`CvQ7 zl#$AjJQcPjmYFpQ$(U>8fiZL)q}W(jBzWX(+OBCTyn977e~<@9-kOs2#N)PAfhu*m-3+AhcJ|DCO^ooD-h9p(FXMH*NjFSO)msoXw$tdek=J?nYtsruD#W;=#O2O$3+WHbLD0Ep>g??*ns2U&XJ@7(wAn{RTL 
zBL3oe=3@PUdPs9Kb;lJ757=-WNH#!@)#)Q<1c>J$HOExQ4R*#RhB{LM(#Ig$2f#$=Mcq zwIzc*3`GV!pmae*+_|%GFR*0zu|JJT+Z_yyTW%ePND!w0k249JncXZyJpdABZ23O6 zsKrf;g=q4+`4st8{)6NrD9gXSdB10tj|nvd^8c9!`Oo>)$Al*nY)MmS5uT!!Ky-x6 zNr8++)U5)(e+P!8nXaBSxPs_DtClAdC$ftI23+7U_Crdh{Vy#i2b-vG zSh`^iAG|BD!2VZv%B86NUs89~;K_$#gvKrT=sXu=gkdOOo!h3|o7Sj@u)TMPnm`(Kep`Hq$w)%z>ZxB0GX|3n*@$gq04oZNl`6kg9#39UrG~mJ#VEP)jz_SZmL+ z7LfQ!nUfIcxxkYiNYKfSK+}^}2|h#@R?J9G5AN%&=!=!uVIfhp5z@xQooteFWF}s5 z!wbADbR?FAJxCDW3CwSjvO>7&%au$1HSdv(U}<}YxRapA5O{m4Ef3$GYI7lb6U6^c zEC3H&E_@;fVX{Q**squf-}(Rm#aD1*X2ZA#Q8w`Ul|qz?NFvxC)J%!PGtpSwFwv(U zx%Nk+1QHtdV?y&Q4j}Mh%Xyp=h-8Eg;l|q*g3T82*I$*yYYK;n{=(7!@8A6hlD83% zB)!~#2*H8QkW}JPQNA}9uBCvyqVT8rxLXlw#&_`&&G^$uGw(IBrj<}#LE_r`YOC|P zSv{?{&#Se%|K5)t&e3-f6){L#2_nde4)^PgYWJk`xn2IeSFIg)&p)?2XRYc%{qxCL zt=c&}Yo_9mC07w&xRAsvMuQX%$G5XIJl}UZ=bz78XCJQ8X|hcF_G17v&z5K{w?ZE< z?)0@eYqrkot@dHNQ*YMlpX<%)-bsBwiB~=ZRFOdQel_86pECVN!hGl-^{9Y+{IEwp z)QLdIo+|PfKrRfHBsn`#la*kDy~o?tOlV9hp$Y(K?9n29?#CuFSq{jju|3of#MD@N zVhxSWTNs>-MaC3=q=v8b-^OgF09}6G#%t_t$A(sKZ-X{s5qN#3ulR|6BHO+hG>B|# zEFwdAgC&&;;R=~V_}OOk-?n7>em|64~1dt80y zp9C(~5$-?2*HUZ-O(Aeqr)y3Rnf_LaYm)aighm*T^A%uYLcQ-8HpDO29y(A*$?A%Z zOhl1lbE_|30sJ9xH4Pyh=^LPr2G~Igf6R|O8rbrkK87jnB-9bpk&7X$Ue|I7}t|{Ch#osU>Om^~r%0s4d$DBQj z$^?;BrpW2@*F(gGLx|9y^AB^`#P%FXPKj9WattXr*jV@0AYREpF+5oLn0E<^wdTwp zgp5|7YpHDi`s8iv338eu}4h~8jl9DR6rUW-0BKim%< z1h%bEHm->(;I~tk&{oJG{*7}+qBw{rjth!CqM0_Py8pIPRN4Xk09NEm_vNg^RO1^g!VV1ApUKP^Fb z!x|>^rks+;v$3?^6#nrI`~Q+=lFu_trb6E~0Dy)LBK|P>Bf*ZHnH>!O(BjqPue$j0 zvmNp^m(2JN(`!%k8SsMmPqDPM6N~?B@2JoF|7$7Bu5I#A=vr4dVn1$So42NLU32ce zs1psEP$UX?UUh!-s*}2P^IOK6#2N2rOUb`)$=3h!1jQ5du~7f3+j0HBz55*hUrSkV z8aqq-`$ph-nk=uR_2V0`>ph_bH4PDRiuFK0wGh-V9fP7XOXC{dk8ud~m)L3zr$&%* zQ3ri<5ec@(<^Hu85;5*j{QD2K21mY%51zk5-}p)X$oto#r?l(_!4de3DjbJ!U+LeX zq?}iY9<`5tU(cY1-Y*67dH42bmrVWdy$I!^dgywv==}fo&UWJb|8DtN|F5G&Vx=jc zVEKx^C118t+D=HETNHw5PQw;;uxTQPr_f;fF$ib-z2@aX-+Uw_Tmkvu1iCyuB)ZDW zzVh)Hp8RT7rg6*rUzB;V0eM`HTeje(4e4kDy!;F*{{#hYwH6Lc+y{A{p=i^KNrc#+ 
zf0)m(*?c3;mhx3mtOqYW5QqxUq4lPe_<;3iPkN|i%765P?xXrxApfPZx)neFu~U5h z{%0*E`^0Ca$tTWfu4Ln-9`0O^p(nBup4sr5i*kfIhBe%mSSJiQQU<<6Goqws8RIq5 z6MwN`WV8YEQ-Xc}4rHe74sn6O9E#$PLYUBJoA#Wv2n`h+2ah7w#^--SM5iR z(eER5gh4tv$)@4_a%`xH3aJc{nuJbN$;eN~V5hgrrfS50cy=EiU$WQ#$bo`K837CJ z|K#_-YVkS#zn1dU2cI7KHEryxwTCSDaf>E`P$9I{ow4^FJ`}$gMoQ;@E3K3%|9qK( z6nWeJisn4@EcoL6znJ}BDyr&p{;#!^7gAh?6udH#1zwpLGczJT@8DD(B16V zK=u64k3;)v&r5B6-aaS5utEyW({{FlHH3JkqxH)C|-whZOi=7-k~Xuf{rLOOj5|@6jpM%7cX9b14Ka!*%%yJ1DyNv=_WDInv7VA1Kmvb4zOwB8*ct_-Dz_3Qy7l2E_-Z42Tl-04)M}9#*h$m zz&MVMkm2|tPjOpKC6~Jg=N=3Iz`Zzgu^(LjBOcrX|DKZj+`ZzL(4Udt_qltJNHKB` z*g(aXeBv#Lyj{SrAOK3?P@o!z$6oL^Q?*bmsEVT%d9%>w%)L)-6pIdfw28-o3!vsY z4zj49AeOkcjU7rD07lzW!#X?@7zyV`_L;h)aSxhv?^TIzP!s^yDh2`2l9}6~DKhL9 zKznT1p=(vx;))#|IWk$Ne+vs>)(8XW4X6|J%y%_p_hGiX!C;JLWCMH=2Yrsw>fWCWJ2@7Q zG3Dao@aDs6XA2-p!#eXxtNh-MxzHkb1z@u_8U**X+b2vcjDfdu-G@XV?L3^& z0#X2B=oB0f$Kc|dGf8PYr2OoeO$k5-iIvW5xKsOwuQFG?E=T>Y_ zii;47Btixe`B{(-AO&CI`B}aIIlaE3vay~?hS=$`DB@CV*(Aw(V4!KvqIbd2G#tHa zd3dt+J`(AxQ?kYd6Pu9+_8z1VAcWRZ@Z>2y&=N=akj^h_@nk0n|5a63K1>PUjF2U> z>ZV7md0!9Do+C-1{gee;B)@nG^! 
zp+yZP)QcS3+--tt=oiJ@Or8bettT>7`%tspXQp2{yK$uucTc^P@4;M$jWt#;m%Bv5 z4~9BZuP`vnI6-;3dk@T)(A9unq@ePTCXn%@Z(wcTs2ee!6p;f3bt4ce6F_LZiSG>6inKj8?`z`+w% zk@zh=$B1_%-6L0CQ#Ub&`~or$DsPP~loCPW%L~wr0Y6|&(_>5x?0|{bkcuez5x()v zLNBBBhiqY$@0LQqFe{H|Ya zL$EcH=LC0`vGR7(q*C48U5j z-d&sDH;-6qmm~$XaCmq?y(vhVZjENAvLCBJQ5pN0& z5^{RIh&Qq{XC`PM<76Ac#^sNh%5ZohH*wWeh*8B}5P?(4suPc=LKh%&R(FXU7hx`I zsK1yI&ZNm8zHXFO_Q#L})PuH6@(`hc_-EcZ$gd(WxCW8}xG8Z^bV%Xm>q1VEYXVR} z)kB|g3E${{^+mk=@>-xMZhj%c_2t*Lj(xsojy+>BUmimA;8(pe03ixUog9R63KA1P zkj9`}0P0|bHGUCq_!2h%y}|yY$eHq+ofRMtckuCeD^qAd@^x}VhR@dia)B3aeo$QC z7fJ>;ImKbU#oe6$Z$}vHQGzhuvhaF?3!6BLf^Kc3Nkw8Khb`tzl^B*HE=2PD6mFIHODWe)Uo!pZ zFWxoIU$~?E1sDUi6pSDdWU(DIHLy#}nO~7QF8Wf){m*~>H={`I5Afzq6H`=q^CtHP zIE-u#%UhK;c)j{|UISzYEO2YMwrONIpoaLPzJ01z;(Y9bjd z5a28G#$52{GKRdk(Agv8j9EY-Q!6=5a_%`+{K{nJ^G^*3AovpY9lwBAXv$<#bTEOI z%fo`2iJ-*{3xBMy8A};*@i39MPyb$Qw0Vb+00eypGbtyOEpnjQsK&hz(%_AgUE!7Z{~{S~+5(2^b=_e!1G%KOVp_+W@w} zS;H3LS5Jl%29wl~CF&D{!;Oqs>{k%Zbh)n0)+KqF_B_t^E-2mzMRNF{1sA0-ny@2~ z&ag5l6M+#l2Z2uTtu=2)Ct?;zlth5SKk=0d=?pHYJP64uF>Z-#x2n#MoMG!R>J558 zHeY*}HcJP?Khcpn9|O-_kekQh3G##f!OZ(pF=1oWNu5nYbi!p)2$RcG*4ufG*{&eGl$A6@Dzu=)-BA=>2C4!vE5;y8cH` zt^d{Ct=+i(-!47Jf7eoCLXUo^c23tqXbH{x1nUx-zb^e4-Hv{mZb!>$*9XYImy>R3 zEwDiTOFO%9`>(vKmY(H*9pwkena>~dtiUI*==_cr+IB(BHJf%nwBu!zz~cU&z|4En zi4dDa{NCBnLR3ycQiMGiB_2nC<$Hv-At{sSaW(c&spNguk|An7^+T*6s6Q|fqRRaz z@$X~#OK|l4rv!uX@2x|rlz?}kY5mrA5RYW|R3D>R#vlc){k!CX3;y$mmiJJe>INV4 z)N#dC0S_L126yvN+ROV?KL48x^ojKU>gzv8U?mS=!TMh=7USRlmDOkae?4Uxc?mRs zw%U7;0IsIk06@1q6+|l)0b^oghbk10k+qr}2a?RUn1ib-LsHwsG!Wdd=#G#%k=L07 zaDmoKYJZ}E)OfK+ke9`T0{I--FmkF)={2b+cW-{quC>`*A!tM zj?qur+haZdoX}6S=gj$EUH-!#vQ10NsDefN|6AL!`+rJXyXEKj?^?>!%YT?Z!bYDn zM#=nRzI#4&otgS8fxh$lNgEs=j&Z{CWhk zO=yXEjNSW*-lYl>JaMFG;wy*tHA0eF8%w!HY`d>ahx&IXUp=eMWp(WMeYTH5!D7VzgmpXt)?i^*F zDPH@I(PJo-LYMV!Ir(EqHdF59NgDn|s3He7boz?R>N{)Oph~B6Sd-j;vK{;tX_O-- zQXC41t5QEXrXUN@+_Bh>fgOX+G!qgscQ}5pjzJB^Fh9aZN;|vs@?KIY5;=hsnm8JA zNoGJ#;<)tTsO)_>z9TQMa0@IiHmMe-e#*7v?%eX{vP2Inp56&mJmX}mklG#VXeH$z 
z4JhP6VhcYpH(At-2YTWYIA7L~jY*0tlA82B1xzT7{?g0M+y%Pu=E2jGhO{tOS3ghj zv(2qvt|aom6Uyv=&u9P49z6C2!1?xnv0N&~@BiB^?>yiCv6ezygQ5!PAVR^uKkYgH z9)L2~vnBkinR9?W7d<3iRzRLnlmE^?5^Z85t>6JD@Ly@jga;DpJ24RN^KYKM_}n#3 zkx2jPk<`3Q$>gK@XCc{L7~v{UW|M+#vYAix*ekZ044RmpJBT2Q{s5}4GN33bDU;B5 zhrq-`6HSpB9ug&@p(rw5Sy0TgFCSB70fb@t&ZYBtTq`p2Tv{)O;qo@F58A)#)*-6*QTpSz_(afkmXmNts-*sr(Z z=gvlfOtp=Iw`c2zzn14Mkx*iSb&+?X_x+HR+`Gw!?|4rTr7X}#K3&U@{{>-sOD6rMyl*2FN0 zsYIdA!v5p>Ez(?SU@K?` zB9{tukTW6Smr7>H&wI}Uf4V`&bY`Q-yKt!Q(2BkC?gNTGRRAG601xAp5MfjJB%N%J zA>0DeEhgR~^35e+76}6)CjGbILWif9)DZBG>Yo|1%7er~Xc&`xVoBiA8$3pX0n#Xs z;>)=~siEXLLo&tCltQ=s&;y?~XcGH|Smgg##%SiD5=Mky-0Ho^K>u$`--qE_oQrP? zJ?Bs~1Le8u-VfG@E1*{5{w39ZqKoWUR)9n@m?htN4Ck5Xu4&3B?hgoT#XHZk>BC6; z>{$5!#*(`KV^6gw+4zxV(fP09R_y$5aeH@n`+5Io9VNW~bKa{(H+~+ytK$PmcYr-D z68D22v-J~o*O%V5ygOJ4ex20gd-3ROo|`;s^O&v7C|XIqzJHo z>qu*TVWc%QK~Jkt=5_yIX3V6)&o*$L%iNM`|NF;#p2iDUaQUUJvsHVqijwnw00QHo^7P6_B4{*AWl=V3@owI<)0Y$^|%qci4hA zq@dx+GV9Xvr^ysjUfQep8;yAt=ftx=({4)tRmY!d&{D^+hWm^JsY6LxAiws2SxG~& z0`kFQiJ)(>Wi{dqk=c^JUCQ8FK;tOKWuy5J;AuQPcQ~nBE-vK#g{FBGzLv-*IQf?w z6e|KLzJo3PT#>>2L4_wgfR#GC4jLNR`h^Iw%Ir$y6SMov4GQp0(V_T$#3jlNB2+1^ zIKBR;!qXc9mO8&4g0<=|M2=PFI5dF7JpYn|3s3iNW=HGlo%ZG7U8~V(T#TFLUboS_7@J$IZfmcj9$6jp>iA;ZXm+}XciqYD*VAG{ zz3dz{bajNU)a@o5H_9Eg)zsBu_quGJ^&0hJuQdAF85h4@d>A!b^>MM&Ygwqf-R*XI zAKGY2F^c%Z=T{P=Gv(akRTYK00d+@Tpb<=6+XRyx3adZU7jkAl1?r4`I2X?h> z{cf*z(Q7nXBXjb)-^v|jBjSWyQ}TX{p(v~?TwnH!_sNFTRKs< zC#TlTshxTe zwtIFrwJ)y6IC7TdaNpPlx4#}}RJot{d&TIuReEAP!N)T5Gqd3$s@xhB02y?Uot zoz<*Xty7~r+K219rrP`Zr8#QW>(g%OsM#sKqrJ&#>C$S_&cXQR^sDan%lbjf)XS$< z%WjWPw{`XQv{f%|HLWAudw;P7%e`su{nhcshaz z`|q!3+W6g7yL9b#_q#X!@!Oep(1aJ(b**2vyPY<@y0%)=i=w{WwMNI?$>FxvXm(mv z`}pFkIqB9L^yIF2tu^e^(}ULWRf*iTilcJ7+uG}P8@2vjv#FPw-HXds?ONTwY&Ys^ zt9xyAd)@8k`|j4|2lG^))JvzGBdb%iXSK=J)`ev@E=o;T>ovaW#fEj+ZC!T1?tQx$ zx9)WH-StIA+y2*44Rw3_SEcRS?qv_RtVXNXE!Nr}hR1GJxA-EpyTVYc>K^+u~*d)K_^?7hDzHg8)u zc3cMcnst-$dc9RVYF!swRKL@E%@3`M*8A%AMad>-AIy{1<-49LPfK01dZSN@ 
z2krN^+y8J>*1Nrv+Si8D8TXEwcT7%hil=qkZI|BFu2l1DZ@*bb2N&hefqvNUG;6K; z_N3Pvm7rC1n%4C<_+fN(^`TYjUXDn+(d@y?!`b!MBhv1Sk9+mg+vZ(w)~wOiSz~;M zOs&{58z0*H`pL2Sc6wE|k2(jVZDhPF!}qQIuGtu0l-`-`qWP@lYoo8% zcg^u=+-n@&HE-(d5 zU7KBZM_c`peRh1OA6*n1ZhJi3)(%>St)AVz=+d*3l5N+l!zr4mTP^dN>c#O?@9bH6 z{n|p8y^E{j^=1FV-nZ67EnlhEXYH}Jbyd2)($$MQt=_oleI51A4w_i&Tpysu-uuqD zH@$3JTbg-#d{ykVPRAzfs;wiv*l1jp8`Jh(= 1.23.0-0 < 1.28.0-0' + catalog.cattle.io/namespace: cattle-resources-system + catalog.cattle.io/os: linux + catalog.cattle.io/permits-os: linux,windows + catalog.cattle.io/provides-gvr: resources.cattle.io.resourceset/v1 + catalog.cattle.io/rancher-version: '>= 2.8.0-0 < 2.9.0-0' + catalog.cattle.io/release-name: rancher-backup + catalog.cattle.io/scope: management + catalog.cattle.io/type: cluster-tool + catalog.cattle.io/ui-component: rancher-backup + catalog.cattle.io/upstream-version: 2.1.1 +apiVersion: v2 +appVersion: 4.0.0 +description: Provides ability to back up and restore the Rancher application running + on any Kubernetes cluster +icon: https://charts.rancher.io/assets/logos/backup-restore.svg +keywords: +- applications +- infrastructure +kubeVersion: '>= 1.23.0-0' +name: rancher-backup +version: 103.0.0+up4.0.0 diff --git a/charts/rancher-backup/103.0.0+up4.0.0/README.md b/charts/rancher-backup/103.0.0+up4.0.0/README.md new file mode 100644 index 000000000..59bff4425 --- /dev/null +++ b/charts/rancher-backup/103.0.0+up4.0.0/README.md 
@@ -0,0 +1,79 @@ +# Rancher Backup + +This chart provides ability to back up and restore the Rancher application running on any Kubernetes cluster. + +Refer [this](https://github.com/rancher/backup-restore-operator) repository for implementation details. + +----- + +### Get Repo Info +```bash +helm repo add rancher-chart https://charts.rancher.io +helm repo update +``` + +----- + +### Install Chart +```bash +helm install rancher-backup-crd rancher-chart/rancher-backup-crd -n cattle-resources-system --create-namespace +helm install rancher-backup rancher-chart/rancher-backup -n cattle-resources-system +``` + +----- + +### Configuration +The following table lists the configurable parameters of the rancher-backup chart and their default values: + +| Parameter | Description | Default | +|----------|---------------|-------| +| image.repository | Container image repository | rancher/backup-restore-operator | +| image.tag | Container image tag | v0.1.0-rc1 | +| s3.enabled | Configure S3 compatible default storage location. Current version supports S3 and MinIO | false | +| s3.credentialSecretName | Name of the Secret containing S3 credentials. This is an optional field. Skip this field in order to use IAM Role authentication. The Secret must contain following two keys, `accessKey` and `secretKey` | "" | +| s3.credentialSecretNamespace | Namespace of the Secret containing S3 credentials. This can be any namespace. | "" | +| s3.region | Region of the S3 Bucket (Required for S3, not valid for MinIO) | "" | +| s3.bucketName | Name of the Bucket | "" | +| s3.folder | Base folder within the Bucket (optional) | "" | +| s3.endpoint | Endpoint for the S3 storage provider | "" | +| s3.endpointCA | Base64 encoded CA cert for the S3 storage provider (optional) | "" | +| s3.insecureTLSSkipVerify | Skip SSL verification | false | +| persistence.enabled | Configure a Persistent Volume as the default storage location. 
It accepts either a StorageClass name to create a PVC, or directly accepts the PV to use. The Persistent Volume is mounted at `/var/lib/backups` in the operator pod | false | +| persistence.storageClass | StorageClass to use for dynamically provisioning the Persistent Volume, which will be used for storing backups | "" | +| persistence.volumeName | Persistent Volume to use for storing backups | "" | +| persistence.size | Requested size of the Persistent Volume (Applicable when using dynamic provisioning) | "" | +| debug | Set debug flag for backup-restore deployment | false | +| trace | Set trace flag for backup-restore deployment | false | +| nodeSelector | https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector | {} | +| tolerations | https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration | [] | +| affinity | https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity | {} | +| serviceAccount.annotations | Annotations to apply to created service account | {} | +| global.cattle.psp.enabled | Enable or disable PSPs in the chart | false | + +----- + +### PSPs + +We have added a configuration to the chart `values.yaml` which allows you to enable or disable PSPs to align with the PSP deprecation in Kubernetes `v1.25` and above. + +----- + +### CRDs + +Refer [this](https://github.com/rancher/backup-restore-operator#crds) section for information on CRDs that this chart installs. Also refer [this](https://github.com/rancher/backup-restore-operator/tree/master/examples) folder containing sample manifests for the CRDs. + +----- +### Upgrading Chart +```bash +helm upgrade rancher-backup-crd -n cattle-resources-system +helm upgrade rancher-backup -n cattle-resources-system +``` + +----- +### Uninstall Chart + +```bash +helm uninstall rancher-backup -n cattle-resources-system +helm uninstall rancher-backup-crd -n cattle-resources-system +``` + 
diff --git a/charts/rancher-backup/103.0.0+up4.0.0/app-readme.md b/charts/rancher-backup/103.0.0+up4.0.0/app-readme.md
new file mode 100644
index 000000000..b1406d5ee
--- /dev/null
+++ b/charts/rancher-backup/103.0.0+up4.0.0/app-readme.md
@@ -0,0 +1,33 @@ +# Rancher Backup + +This chart enables ability to capture backups of the Rancher application and restore from these backups. This chart can be used to migrate Rancher from one Kubernetes cluster to a different Kubernetes cluster. + +For more information on how to use the feature, refer to our [docs](https://ranchermanager.docs.rancher.com/pages-for-subheaders/backup-restore-and-disaster-recovery). + +This chart installs the following components: + +- [backup-restore-operator](https://github.com/rancher/backup-restore-operator) + - The operator handles backing up all Kubernetes resources and CRDs that Rancher creates and manages from the local cluster. It gathers these resources by querying the Kubernetes API server, packages all the resources to create a tarball file and saves it in the configured backup storage location. + - The operator can be configured to store backups in S3-compatible object stores such as AWS S3 and MinIO, and in persistent volumes. During deployment, you can create a default storage location, but there is always the option to override the default storage location with each backup, but will be limited to using an S3-compatible object store. + - It preserves the ownerReferences on all resources, hence maintaining dependencies between objects. + - This operator provides encryption support, to encrypt user specified resources before saving them in the backup file. It uses the same encryption configuration that is used to enable [Kubernetes Encryption at Rest](https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/). +- Backup - A backup is a CRD (`Backup`) that defines when to take backups, where to store the backup and what encryption to use (optional). Backups can be taken ad hoc or scheduled to be taken in intervals. +- Restore - A restore is a CRD (`Restore`) that defines which backup to use to restore the Rancher application to. 
+ +## Upgrading to Kubernetes v1.25+ + ​ +Starting in Kubernetes v1.25, [Pod Security Policies](https://kubernetes.io/docs/concepts/security/pod-security-policy/) have been removed from the Kubernetes API. + ​ +As a result, **before upgrading to Kubernetes v1.25** (or on a fresh install in a Kubernetes v1.25+ cluster), users are expected to perform an in-place upgrade of this chart with `global.cattle.psp.enabled` set to `false` if it has been previously set to `true`. +​ +> **Note:** +> In this chart release, any previous field that was associated with any PSP resources have been removed in favor of a single global field: `global.cattle.psp.enabled`. + ​ +> **Note:** +> If you upgrade your cluster to Kubernetes v1.25+ before removing PSPs via a `helm upgrade` (even if you manually clean up resources), **it will leave the Helm release in a broken state within the cluster such that further Helm operations will not work (`helm uninstall`, `helm upgrade`, etc.).** +> +> If your charts get stuck in this state, please consult the Rancher docs on how to clean up your Helm release secrets. +​ +Upon setting `global.cattle.psp.enabled` to false, the chart will remove any PSP resources deployed on its behalf from the cluster. This is the default setting for this chart. +​ +As a replacement for PSPs, [Pod Security Admission](https://kubernetes.io/docs/concepts/security/pod-security-admission/) should be used. Please consult the Rancher docs for more details on how to configure your chart release namespaces to work with the new Pod Security Admission and apply Pod Security Standards. diff --git a/charts/rancher-backup/103.0.0+up4.0.0/files/default-resourceset-contents/aks.yaml b/charts/rancher-backup/103.0.0+up4.0.0/files/default-resourceset-contents/aks.yaml new file mode 100644 index 000000000..779742058 --- /dev/null +++ b/charts/rancher-backup/103.0.0+up4.0.0/files/default-resourceset-contents/aks.yaml 
@@ -0,0 +1,25 @@
+- apiVersion: "apiextensions.k8s.io/v1"
+ kindsRegexp: "."
+ resourceNameRegexp: "aks.cattle.io$"
+- apiVersion: "aks.cattle.io/v1"
+ kindsRegexp: "."
+- apiVersion: "apps/v1"
+ kindsRegexp: "^deployments$"
+ namespaces:
+ - "cattle-system"
+ resourceNames:
+ - "aks-config-operator"
+- apiVersion: "rbac.authorization.k8s.io/v1"
+ kindsRegexp: "^clusterroles$"
+ resourceNames:
+ - "aks-operator"
+- apiVersion: "rbac.authorization.k8s.io/v1"
+ kindsRegexp: "^clusterrolebindings$"
+ resourceNames:
+ - "aks-operator"
+- apiVersion: "v1"
+ kindsRegexp: "^serviceaccounts$"
+ namespaces:
+ - "cattle-system"
+ resourceNames:
+ - "aks-operator"
diff --git a/charts/rancher-backup/103.0.0+up4.0.0/files/default-resourceset-contents/eks.yaml b/charts/rancher-backup/103.0.0+up4.0.0/files/default-resourceset-contents/eks.yaml
new file mode 100644
index 000000000..ae57baddf
--- /dev/null
+++ b/charts/rancher-backup/103.0.0+up4.0.0/files/default-resourceset-contents/eks.yaml
@@ -0,0 +1,17 @@
+- apiVersion: "eks.cattle.io/v1"
+ kindsRegexp: "."
+- apiVersion: "apps/v1"
+ kindsRegexp: "^deployments$"
+ resourceNames:
+ - "eks-config-operator"
+- apiVersion: "apiextensions.k8s.io/v1"
+ kindsRegexp: "."
+ resourceNameRegexp: "eks.cattle.io$"
+- apiVersion: "rbac.authorization.k8s.io/v1"
+ kindsRegexp: "^clusterroles$"
+ resourceNames:
+ - "eks-operator"
+- apiVersion: "rbac.authorization.k8s.io/v1"
+ kindsRegexp: "^clusterrolebindings$"
+ resourceNames:
+ - "eks-operator"
diff --git a/charts/rancher-backup/103.0.0+up4.0.0/files/default-resourceset-contents/elemental.yaml b/charts/rancher-backup/103.0.0+up4.0.0/files/default-resourceset-contents/elemental.yaml
new file mode 100644
index 000000000..1d38b1229
--- /dev/null
+++ b/charts/rancher-backup/103.0.0+up4.0.0/files/default-resourceset-contents/elemental.yaml
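Review bot: The eks.yaml Deployment entry (`kindsRegexp: "^deployments$"` with `resourceNames: - "eks-config-operator"`) carries no `namespaces` restriction, whereas the otherwise parallel aks.yaml entry in the hunk above scopes its Deployment to `cattle-system`, and eks.yaml has no `^serviceaccounts$` entry at all where aks.yaml backs up the `aks-operator` ServiceAccount. If the EKS operator runs under its own ServiceAccount the way the AKS one does, that account is presumably not captured and a restore would bring the Deployment back without it — worth confirming against the operator's manifests. The same asymmetry applies to gke.yaml in a later hunk. Since this tree is produced by the chart build (the commit is "Make charts"), any correction presumably belongs in the upstream chart or the package's patch set rather than in this generated file.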
@@ -0,0 +1,49 @@
+- apiVersion: "apiextensions.k8s.io/v1"
+ kindsRegexp: "."
+ resourceNameRegexp: "elemental.cattle.io$"
+- apiVersion: "apps/v1"
+ kindsRegexp: "^deployments$"
+ namespaces:
+ - "cattle-elemental-system"
+ resourceNames:
+ - "elemental-operator"
+- apiVersion: "rbac.authorization.k8s.io/v1"
+ kindsRegexp: "^clusterroles$"
+ resourceNames:
+ - "elemental-operator"
+- apiVersion: "rbac.authorization.k8s.io/v1"
+ kindsRegexp: "^clusterrolebindings$"
+ resourceNames:
+ - "elemental-operator"
+- apiVersion: "v1"
+ kindsRegexp: "^serviceaccounts$"
+ namespaces:
+ - "cattle-elemental-system"
+ resourceNames:
+ - "elemental-operator"
+- apiVersion: "management.cattle.io/v3"
+ kindsRegexp: "^globalrole$"
+ resourceNames:
+ - "elemental-operator"
+- apiVersion: "management.cattle.io/v3"
+ kindsRegexp: "^apiservice$"
+ resourceNameRegexp: "elemental.cattle.io$"
+- apiVersion: "elemental.cattle.io/v1beta1"
+ kindsRegexp: "."
+ namespaceRegexp: "^cattle-fleet-|^fleet-"
+- apiVersion: "rbac.authorization.k8s.io/v1"
+ kindsRegexp: "^roles$|^rolebindings$"
+ labelSelectors:
+ matchExpressions:
+ - key: "elemental.cattle.io/managed"
+ operator: "In"
+ values: ["true"]
+ namespaceRegexp: "^cattle-fleet-|^fleet-"
+- apiVersion: "v1"
+ kindsRegexp: "^secrets$|^serviceaccounts$"
+ labelSelectors:
+ matchExpressions:
+ - key: "elemental.cattle.io/managed"
+ operator: "In"
+ values: ["true"]
+ namespaceRegexp: "^cattle-fleet-|^fleet-"
diff --git a/charts/rancher-backup/103.0.0+up4.0.0/files/default-resourceset-contents/fleet.yaml b/charts/rancher-backup/103.0.0+up4.0.0/files/default-resourceset-contents/fleet.yaml
new file mode 100644
index 000000000..a14125fec
--- /dev/null
+++ b/charts/rancher-backup/103.0.0+up4.0.0/files/default-resourceset-contents/fleet.yaml
@@ -0,0 +1,53 @@
+- apiVersion: "v1"
+ kindsRegexp: "^namespaces$"
+ resourceNameRegexp: "^fleet-"
+- apiVersion: "v1"
+ kindsRegexp: "^secrets$"
+ namespaceRegexp: "^cattle-fleet-|^fleet-"
+ excludeResourceNameRegexp: "^import-token"
+ labelSelectors:
+ matchExpressions:
+ - key: "owner"
+ operator: "NotIn"
+ values: ["helm"]
+ - key: "fleet.cattle.io/managed"
+ operator: "In"
+ values: ["true"]
+- apiVersion: "v1"
+ kindsRegexp: "^serviceaccounts$"
+ namespaceRegexp: "^cattle-fleet-|^fleet-"
+ excludeResourceNameRegexp: "^default$"
+- apiVersion: "v1"
+ kindsRegexp: "^configmaps$"
+ namespaceRegexp: "^cattle-fleet-|^fleet-"
+- apiVersion: "rbac.authorization.k8s.io/v1"
+ kindsRegexp: "^roles$|^rolebindings$"
+ namespaceRegexp: "^cattle-fleet-|^fleet-"
+- apiVersion: "rbac.authorization.k8s.io/v1"
+ kindsRegexp: "^clusterrolebindings$"
+ resourceNameRegexp: "^fleet-|^gitjob-"
+- apiVersion: "rbac.authorization.k8s.io/v1"
+ kindsRegexp: "^clusterroles$"
+ resourceNameRegexp: "^fleet-"
+ resourceNames:
+ - "gitjob"
+- apiVersion: "apiextensions.k8s.io/v1"
+ kindsRegexp: "."
+ resourceNameRegexp: "fleet.cattle.io$|gitjob.cattle.io$"
+- apiVersion: "fleet.cattle.io/v1alpha1"
+ kindsRegexp: "."
+ excludeKinds:
+ - "bundledeployments"
+- apiVersion: "gitjob.cattle.io/v1"
+ kindsRegexp: "."
+- apiVersion: "apps/v1"
+ kindsRegexp: "^deployments$"
+ namespaceRegexp: "^cattle-fleet-|^fleet-"
+ resourceNameRegexp: "^fleet-"
+ resourceNames:
+ - "gitjob"
+- apiVersion: "apps/v1"
+ kindsRegexp: "^services$"
+ namespaceRegexp: "^cattle-fleet-|^fleet-"
+ resourceNames:
+ - "gitjob"
diff --git a/charts/rancher-backup/103.0.0+up4.0.0/files/default-resourceset-contents/gke.yaml b/charts/rancher-backup/103.0.0+up4.0.0/files/default-resourceset-contents/gke.yaml
new file mode 100644
index 000000000..a87eef364
--- /dev/null
+++ b/charts/rancher-backup/103.0.0+up4.0.0/files/default-resourceset-contents/gke.yaml
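Review bot: The last entry of fleet.yaml pairs `apiVersion: "apps/v1"` with `kindsRegexp: "^services$"`, but Service is a core-group resource (`v1`), so this selector matches nothing and the `gitjob` Service in the fleet namespaces is silently left out of the default backup; a restore would recreate the `gitjob` Deployment from the preceding entry without its Service. The entry should read `- apiVersion: "v1"` followed by `kindsRegexp: "^services$"`, which is also how the other core-group entries in this file (`^namespaces$`, `^secrets$`, `^configmaps$`) are written. Since `charts/` is produced by the chart build (the commit is "Make charts"), the correction presumably belongs in the upstream chart or the package's patch set rather than in this generated file.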
@@ -0,0 +1,17 @@ +- apiVersion: "apiextensions.k8s.io/v1" + kindsRegexp: "." + resourceNameRegexp: "gke.cattle.io$" +- apiVersion: "gke.cattle.io/v1" + kindsRegexp: "." +- apiVersion: "apps/v1" + kindsRegexp: "^deployments$" + resourceNames: + - "gke-config-operator" +- apiVersion: "rbac.authorization.k8s.io/v1" + kindsRegexp: "^clusterroles$" + resourceNames: + - "gke-operator" +- apiVersion: "rbac.authorization.k8s.io/v1" + kindsRegexp: "^clusterrolebindings$" + resourceNames: + - "gke-operator" diff --git a/charts/rancher-backup/103.0.0+up4.0.0/files/default-resourceset-contents/provisioningv2.yaml b/charts/rancher-backup/103.0.0+up4.0.0/files/default-resourceset-contents/provisioningv2.yaml new file mode 100644 index 000000000..50a7f906b --- /dev/null +++ b/charts/rancher-backup/103.0.0+up4.0.0/files/default-resourceset-contents/provisioningv2.yaml @@ -0,0 +1,23 @@ +- apiVersion: "apiextensions.k8s.io/v1" + kindsRegexp: "." + resourceNameRegexp: "provisioning.cattle.io$|rke-machine-config.cattle.io$|rke-machine.cattle.io$|rke.cattle.io$|cluster.x-k8s.io$" +- apiVersion: "provisioning.cattle.io/v1" + kindsRegexp: "." +- apiVersion: "rke-machine-config.cattle.io/v1" + kindsRegexp: "." +- apiVersion: "rke-machine.cattle.io/v1" + kindsRegexp: "." +- apiVersion: "rke.cattle.io/v1" + kindsRegexp: "." +- apiVersion: "cluster.x-k8s.io/v1beta1" + kindsRegexp: "." +- apiVersion: "v1" + kindsRegexp: "^secrets$" + resourceNameRegexp: "machine-plan$|rke-state$|machine-state$|machine-driver-secret$|machine-provision$|^harvesterconfig" + namespaces: + - "fleet-default" +- apiVersion: "v1" + kindsRegexp: "^configmaps$" + resourceNames: + - "provisioning-log" + namespaceRegexp: "^c-m-" diff --git a/charts/rancher-backup/103.0.0+up4.0.0/files/default-resourceset-contents/rancher-operator.yaml b/charts/rancher-backup/103.0.0+up4.0.0/files/default-resourceset-contents/rancher-operator.yaml new file mode 100644 index 000000000..f30c2fd96 --- /dev/null 
+++ b/charts/rancher-backup/103.0.0+up4.0.0/files/default-resourceset-contents/rancher-operator.yaml @@ -0,0 +1,28 @@ +- apiVersion: "rancher.cattle.io/v1" + kindsRegexp: "." +- apiVersion: "apps/v1" + kindsRegexp: "^deployments$" + resourceNames: + - "rancher-operator" + namespaces: + - "rancher-operator-system" +- apiVersion: "v1" + kindsRegexp: "^serviceaccounts$" + namespaces: + - "rancher-operator-system" + excludeResourceNameRegexp: "^default$" +- apiVersion: "rbac.authorization.k8s.io/v1" + kindsRegexp: "^clusterrolebindings$" + resourceNames: + - "rancher-operator" +- apiVersion: "rbac.authorization.k8s.io/v1" + kindsRegexp: "^clusterroles$" + resourceNames: + - "rancher-operator" +- apiVersion: "apiextensions.k8s.io/v1" + kindsRegexp: "." + resourceNameRegexp: "rancher.cattle.io$" +- apiVersion: "v1" + kindsRegexp: "^namespaces$" + resourceNames: + - "rancher-operator-system" diff --git a/charts/rancher-backup/103.0.0+up4.0.0/files/default-resourceset-contents/rancher.yaml b/charts/rancher-backup/103.0.0+up4.0.0/files/default-resourceset-contents/rancher.yaml new file mode 100644 index 000000000..47fa2e02f --- /dev/null +++ b/charts/rancher-backup/103.0.0+up4.0.0/files/default-resourceset-contents/rancher.yaml 
@@ -0,0 +1,65 @@ +- apiVersion: "v1" + kindsRegexp: "^namespaces$" + resourceNameRegexp: "^cattle-|^p-|^c-|^user-|^u-" + resourceNames: + - "local" +- apiVersion: "v1" + kindsRegexp: "^secrets$" + namespaceRegexp: "^cattle-|^p-|^c-|^local$|^user-|^u-" + labelSelectors: + matchExpressions: + - key: "owner" + operator: "NotIn" + values: ["helm"] + excludeResourceNameRegexp: "^bootstrap-secret$|^rancher-csp-adapter|^csp-adapter-cache$" +- apiVersion: "v1" + kindsRegexp: "^serviceaccounts$" + namespaceRegexp: "^cattle-|^p-|^c-|^local$|^user-|^u-" + excludeResourceNameRegexp: "^default$|^rancher-csp-adapter$" +- apiVersion: "v1" + kindsRegexp: "^configmaps$" + namespaces: + - "cattle-system" +- apiVersion: "rbac.authorization.k8s.io/v1" + kindsRegexp: "^roles$|^rolebindings$" + namespaceRegexp: "^cattle-|^p-|^c-|^local$|^user-|^u-" + excludeResourceNameRegexp: "^rancher-csp-adapter" +- apiVersion: "rbac.authorization.k8s.io/v1" + kindsRegexp: "^clusterrolebindings$" + resourceNameRegexp: "^cattle-|^clusterrolebinding-|^globaladmin-user-|^grb-u-|^crb-" +- apiVersion: "rbac.authorization.k8s.io/v1" + kindsRegexp: "^clusterroles$" + resourceNameRegexp: "^cattle-|^p-|^c-|^local-|^user-|^u-|^project-|^create-ns$" + excludeResourceNameRegexp: "^rancher-csp-adapter-" +- apiVersion: "scheduling.k8s.io/v1" + kindsRegexp: "^priorityclasses$" + resourceNameRegexp: "^rancher-critical$" +- apiVersion: "apiextensions.k8s.io/v1" + kindsRegexp: "." + resourceNameRegexp: "management.cattle.io$|project.cattle.io$|catalog.cattle.io$|resources.cattle.io$" +- apiVersion: "management.cattle.io/v3" + kindsRegexp: "." + excludeKinds: + - "tokens" + - "rancherusernotifications" +- apiVersion: "management.cattle.io/v3" + kindsRegexp: "^tokens$" + labelSelectors: + matchExpressions: + - key: "authn.management.cattle.io/kind" + operator: "NotIn" + values: [ "provisioning" ] +- apiVersion: "project.cattle.io/v3" + kindsRegexp: "." 
+- apiVersion: "catalog.cattle.io/v1" + kindsRegexp: "^clusterrepos$" +- apiVersion: "resources.cattle.io/v1" + kindsRegexp: "^ResourceSet$" +- apiVersion: "v1" + kindsRegexp: "^secrets$" + namespaceRegexp: "^.*$" + labelSelectors: + matchExpressions: + - key: "resources.cattle.io/backup" + operator: "In" + values: ["true"] diff --git a/charts/rancher-backup/103.0.0+up4.0.0/templates/_helpers.tpl b/charts/rancher-backup/103.0.0+up4.0.0/templates/_helpers.tpl new file mode 100644 index 000000000..a5e485243 --- /dev/null +++ b/charts/rancher-backup/103.0.0+up4.0.0/templates/_helpers.tpl 
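Review bot: The `resources.cattle.io/v1` selector uses `kindsRegexp: "^ResourceSet$"` (PascalCase singular) while every other selector in this and the sibling files matches the lowercase plural resource name (`^clusterrepos$`, `^secrets$`, `^tokens$`); if the operator compares the pattern against the lowercase plural name, as the rest of the file suggests, this selector never matches and ResourceSets are silently left out of the backup. Either change it to `kindsRegexp: "^resourcesets$"` or, if the operator genuinely matches on Kind for this group, add a comment explaining the exception so it is not "fixed" later. The last selector also backs up any Secret in any namespace (`namespaceRegexp: "^.*$"`) that carries the `resources.cattle.io/backup` label, which is worth a comment since it widens the backup's contents beyond Rancher's own namespaces.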
@@ -0,0 +1,87 @@ +{{- define "system_default_registry" -}} +{{- if .Values.global.cattle.systemDefaultRegistry -}} +{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}} +{{- else -}} +{{- "" -}} +{{- end -}} +{{- end -}} + +{{/* +Windows cluster will add default taint for linux nodes, +add below linux tolerations to workloads could be scheduled to those linux nodes +*/}} +{{- define "linux-node-tolerations" -}} +- key: "cattle.io/os" + value: "linux" + effect: "NoSchedule" + operator: "Equal" +{{- end -}} + +{{- define "linux-node-selector" -}} +{{- if semverCompare "<1.14-0" .Capabilities.KubeVersion.GitVersion -}} +beta.kubernetes.io/os: linux +{{- else -}} +kubernetes.io/os: linux +{{- end -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "backupRestore.fullname" -}} +{{- .Chart.Name | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "backupRestore.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "backupRestore.labels" -}} +helm.sh/chart: {{ include "backupRestore.chart" . }} +{{ include "backupRestore.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "backupRestore.selectorLabels" -}} +app.kubernetes.io/name: {{ include "backupRestore.fullname" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +resources.cattle.io/operator: backup-restore +{{- end }} + + +{{/* +Create the name of the service account to use +*/}} +{{- define "backupRestore.serviceAccountName" -}} +{{ include "backupRestore.fullname" . 
}} +{{- end }} + + +{{- define "backupRestore.s3SecretName" -}} +{{- printf "%s-%s" .Chart.Name "s3" | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create PVC name using release and revision number, unless a volumeName is given. +*/}} +{{- define "backupRestore.pvcName" -}} +{{- if and .Values.persistence.volumeName }} +{{- printf "%s" .Values.persistence.volumeName }} +{{- else -}} +{{- printf "%s-%d" .Release.Name .Release.Revision }} +{{- end }} +{{- end }} + diff --git a/charts/rancher-backup/103.0.0+up4.0.0/templates/clusterrolebinding.yaml b/charts/rancher-backup/103.0.0+up4.0.0/templates/clusterrolebinding.yaml new file mode 100644 index 000000000..cf4abf670 --- /dev/null +++ b/charts/rancher-backup/103.0.0+up4.0.0/templates/clusterrolebinding.yaml @@ -0,0 +1,14 @@ +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ include "backupRestore.fullname" . }} + labels: + {{- include "backupRestore.labels" . | nindent 4 }} +subjects: +- kind: ServiceAccount + name: {{ include "backupRestore.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: cluster-admin + apiGroup: rbac.authorization.k8s.io diff --git a/charts/rancher-backup/103.0.0+up4.0.0/templates/deployment.yaml b/charts/rancher-backup/103.0.0+up4.0.0/templates/deployment.yaml new file mode 100644 index 000000000..631fa458b --- /dev/null +++ b/charts/rancher-backup/103.0.0+up4.0.0/templates/deployment.yaml 
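Review bot: In `backupRestore.pvcName` the guard `{{- if and .Values.persistence.volumeName }}` uses `and` with a single operand, which is a no-op; the same pattern appears in pvc.yaml's `{{- if and .Values.persistence.enabled -}}` in a later hunk. Write `{{- if .Values.persistence.volumeName }}` and `{{- if .Values.persistence.enabled -}}`, and the `{{- printf "%s" .Values.persistence.volumeName }}` line can simply be `{{- .Values.persistence.volumeName }}`. The `linux-node-selector` helper still branches on `semverCompare "<1.14-0"`; a comment noting which Kubernetes versions this chart actually targets would tell a maintainer whether the legacy branch is still needed.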
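Review bot: The operator's ServiceAccount is bound to the built-in `cluster-admin` ClusterRole with no explanation in the template; this may be unavoidable for a controller that reads and recreates arbitrary cluster resources, but the binding should say so, e.g. `# cluster-admin: the operator must read and restore arbitrary resources in any API group`, and the chart's README should state that compromise of this pod or its token is equivalent to cluster-admin. As a style point, `subjects:` here uses a flush `- kind: ServiceAccount` while hardened.yaml indents its sequence items under `subjects:`; pick one form for the chart.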
@@ -0,0 +1,79 @@ +{{- if and .Values.s3.enabled .Values.persistence.enabled }} +{{- fail "\n\nCannot configure both s3 and PV for storing backups" }} +{{- end }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "backupRestore.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "backupRestore.labels" . | nindent 4 }} +spec: + selector: + matchLabels: + {{- include "backupRestore.selectorLabels" . | nindent 6 }} + template: + metadata: + labels: + {{- include "backupRestore.selectorLabels" . | nindent 8 }} + annotations: + checksum/s3: {{ include (print $.Template.BasePath "/s3-secret.yaml") . | sha256sum }} + checksum/pvc: {{ include (print $.Template.BasePath "/pvc.yaml") . | sha256sum }} + spec: + serviceAccountName: {{ include "backupRestore.serviceAccountName" . }} + {{- if .Values.imagePullSecrets }} + imagePullSecrets: + {{ toYaml .Values.imagePullSecrets | indent 6 }} + {{- end }} + {{- if .Values.priorityClassName }} + priorityClassName: {{ .Values.priorityClassName }} + {{- end }} + containers: + - name: {{ .Chart.Name }} + image: {{ template "system_default_registry" . }}{{ .Values.image.repository }}:{{ .Values.image.tag }} + imagePullPolicy: {{ default "Always" .Values.imagePullPolicy }} + args: +{{- if .Values.debug }} + - "--debug" +{{- end }} +{{- if .Values.trace }} + - "--trace" +{{- end }} + env: + - name: CHART_NAMESPACE + value: {{ .Release.Namespace }} + {{- if .Values.s3.enabled }} + - name: DEFAULT_S3_BACKUP_STORAGE_LOCATION + value: {{ include "backupRestore.s3SecretName" . 
}} + {{- end }} + {{- if .Values.proxy }} + - name: HTTP_PROXY + value: {{ .Values.proxy }} + - name: HTTPS_PROXY + value: {{ .Values.proxy }} + - name: NO_PROXY + value: {{ .Values.noProxy }} + {{- end }} + {{- if .Values.persistence.enabled }} + - name: DEFAULT_PERSISTENCE_ENABLED + value: "persistence-enabled" + volumeMounts: + - mountPath: "/var/lib/backups" + name: pv-storage + volumes: + - name: pv-storage + persistentVolumeClaim: + claimName: {{ include "backupRestore.pvcName" . }} + {{- end }} + nodeSelector: {{ include "linux-node-selector" . | nindent 8 }} +{{- if .Values.nodeSelector }} +{{ toYaml .Values.nodeSelector | indent 8 }} +{{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + tolerations: {{ include "linux-node-tolerations" . | nindent 8 }} +{{- if .Values.tolerations }} +{{ toYaml .Values.tolerations | indent 8 }} +{{- end }} diff --git a/charts/rancher-backup/103.0.0+up4.0.0/templates/hardened.yaml b/charts/rancher-backup/103.0.0+up4.0.0/templates/hardened.yaml new file mode 100644 index 000000000..bf8492ce0 --- /dev/null +++ b/charts/rancher-backup/103.0.0+up4.0.0/templates/hardened.yaml 
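Review bot: The operator container declares no `securityContext`, although the hook Job in hardened.yaml runs with `runAsNonRoot: true` / `runAsUser: 1000` and psp.yaml (when enabled) requires `MustRunAsNonRoot`, so the image evidently supports running unprivileged; the Deployment should pin that explicitly so it holds on clusters without PSP. The env block also renders `value: {{ .Release.Namespace }}`, `value: {{ .Values.proxy }}` and `value: {{ .Values.noProxy }}` unquoted; env values must be strings, and an empty `noProxy` would render as a bare `value:` (null), so append `| quote` to each, e.g. `value: {{ .Values.noProxy | quote }}`. I have not set `readOnlyRootFilesystem` below because the PSP in this chart deliberately leaves it `false`; confirm against the image before tightening further.
```yaml
      containers:
        - name: {{ .Chart.Name }}
          # … unchanged: image, imagePullPolicy, args, env, volumeMounts …
          securityContext:
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
```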
@@ -0,0 +1,124 @@ +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ include "backupRestore.fullname" . }}-patch-sa + namespace: {{ .Release.Namespace }} + labels: {{ include "backupRestore.labels" . | nindent 4 }} + annotations: + "helm.sh/hook": post-install, post-upgrade + "helm.sh/hook-delete-policy": hook-succeeded, before-hook-creation +spec: + backoffLimit: 1 + template: + spec: + serviceAccountName: {{ include "backupRestore.fullname" . }}-patch-sa + securityContext: + runAsNonRoot: true + runAsUser: 1000 + restartPolicy: Never + nodeSelector: {{ include "linux-node-selector" . | nindent 8 }} +{{- if .Values.nodeSelector }} +{{ toYaml .Values.nodeSelector | indent 8 }} +{{- end }} + tolerations: {{ include "linux-node-tolerations" . | nindent 8 }} +{{- if .Values.tolerations }} +{{ toYaml .Values.tolerations | indent 8 }} +{{- end }} + containers: + - name: {{ include "backupRestore.fullname" . }}-patch-sa + image: {{ include "system_default_registry" . }}{{ .Values.global.kubectl.repository }}:{{ .Values.global.kubectl.tag }} + imagePullPolicy: IfNotPresent + command: ["kubectl", "-n", {{ .Release.Namespace | quote }}, "patch", "serviceaccount", "default", "-p", "{\"automountServiceAccountToken\": false}"] +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "backupRestore.fullname" . }}-patch-sa + namespace: {{ .Release.Namespace }} + labels: {{ include "backupRestore.labels" . | nindent 4 }} + annotations: + "helm.sh/hook": post-install, post-upgrade + "helm.sh/hook-delete-policy": hook-succeeded, before-hook-creation +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "backupRestore.fullname" . }}-patch-sa + labels: {{ include "backupRestore.labels" . 
| nindent 4 }} + annotations: + "helm.sh/hook": post-install, post-upgrade + "helm.sh/hook-delete-policy": hook-succeeded, before-hook-creation +rules: + - apiGroups: [""] + resources: ["serviceaccounts"] + verbs: ["get", "patch"] +{{- if .Values.global.cattle.psp.enabled}} + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + verbs: ["use"] + resourceNames: + - {{ include "backupRestore.fullname" . }}-patch-sa +{{- end}} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "backupRestore.fullname" . }}-patch-sa + labels: {{ include "backupRestore.labels" . | nindent 4 }} + annotations: + "helm.sh/hook": post-install, post-upgrade + "helm.sh/hook-delete-policy": hook-succeeded, before-hook-creation +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "backupRestore.fullname" . }}-patch-sa +subjects: + - kind: ServiceAccount + name: {{ include "backupRestore.fullname" . }}-patch-sa + namespace: {{ .Release.Namespace }} +--- +{{- if .Values.global.cattle.psp.enabled}} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ include "backupRestore.fullname" . }}-patch-sa + labels: {{ include "backupRestore.labels" . | nindent 4 }} + annotations: + "helm.sh/hook": post-install, post-upgrade + "helm.sh/hook-delete-policy": hook-succeeded, before-hook-creation +spec: + privileged: false + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'MustRunAsNonRoot' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'MustRunAs' + ranges: + - min: 1 + max: 65535 + fsGroup: + rule: 'MustRunAs' + ranges: + - min: 1 + max: 65535 + readOnlyRootFilesystem: false + volumes: + - 'secret' +{{- end}} +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ include "backupRestore.fullname" . 
}}-default-allow-all + namespace: {{ .Release.Namespace }} +spec: + podSelector: {} + egress: + - {} + policyTypes: + - Ingress + - Egress diff --git a/charts/rancher-backup/103.0.0+up4.0.0/templates/psp.yaml b/charts/rancher-backup/103.0.0+up4.0.0/templates/psp.yaml new file mode 100644 index 000000000..34bc96ee7 --- /dev/null +++ b/charts/rancher-backup/103.0.0+up4.0.0/templates/psp.yaml @@ -0,0 +1,31 @@ +{{- if .Values.global.cattle.psp.enabled -}} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ include "backupRestore.fullname" . }}-psp + labels: {{ include "backupRestore.labels" . | nindent 4 }} +spec: + privileged: false + allowPrivilegeEscalation: false + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'MustRunAsNonRoot' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'MustRunAs' + ranges: + - min: 1 + max: 65535 + fsGroup: + rule: 'MustRunAs' + ranges: + - min: 1 + max: 65535 + readOnlyRootFilesystem: false + volumes: + - 'persistentVolumeClaim' + - 'secret' +{{- end -}} diff --git a/charts/rancher-backup/103.0.0+up4.0.0/templates/pvc.yaml b/charts/rancher-backup/103.0.0+up4.0.0/templates/pvc.yaml new file mode 100644 index 000000000..ff57e4dab --- /dev/null +++ b/charts/rancher-backup/103.0.0+up4.0.0/templates/pvc.yaml @@ -0,0 +1,27 @@ +{{- if and .Values.persistence.enabled -}} +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: {{ include "backupRestore.pvcName" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "backupRestore.labels" . | nindent 4 }} +spec: + accessModes: + - ReadWriteOnce + resources: + {{- with .Values.persistence }} + requests: + storage: {{ .size | quote }} +{{- if .storageClass }} +{{- if (eq "-" .storageClass) }} + storageClassName: "" +{{- else }} + storageClassName: {{ .storageClass | quote }} +{{- end }} +{{- end }} +{{- if .volumeName }} + volumeName: {{ .volumeName | quote }} +{{- end }} +{{- end }} +{{- end }} 
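Review bot: The NetworkPolicy at the end of the hunk lists `Ingress` in `policyTypes` but defines no `ingress:` rules, so it denies all ingress to every pod in the release namespace (`podSelector: {}`) while allowing all egress, which contradicts its `-default-allow-all` name. If allow-all is intended, add `ingress:` with a single `- {}` rule beside the egress rule; if deny-ingress is intended, rename it and scope `podSelector` to `matchLabels: {{ include "backupRestore.selectorLabels" . | nindent 6 }}` so unrelated pods in the namespace are not cut off. Separately, the `-patch-sa` ClusterRole grants `get`/`patch` on `serviceaccounts` cluster-wide although the Job only patches `default` in `{{ .Release.Namespace }}`; a namespaced Role and RoleBinding would cover that, with only the PSP `use` rule needing the cluster-scoped form. Minor style: `{{- if .Values.global.cattle.psp.enabled}}` and `{{- end}}` lack the space before `}}` used everywhere else.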
diff --git a/charts/rancher-backup/103.0.0+up4.0.0/templates/rancher-resourceset.yaml b/charts/rancher-backup/103.0.0+up4.0.0/templates/rancher-resourceset.yaml new file mode 100644 index 000000000..05add8824 --- /dev/null +++ b/charts/rancher-backup/103.0.0+up4.0.0/templates/rancher-resourceset.yaml @@ -0,0 +1,13 @@ +apiVersion: resources.cattle.io/v1 +kind: ResourceSet +metadata: + name: rancher-resource-set +controllerReferences: + - apiVersion: "apps/v1" + resource: "deployments" + name: "rancher" + namespace: "cattle-system" +resourceSelectors: +{{- range $path, $_ := .Files.Glob "files/default-resourceset-contents/*.yaml" -}} + {{- $.Files.Get $path | nindent 2 -}} +{{- end -}} diff --git a/charts/rancher-backup/103.0.0+up4.0.0/templates/s3-secret.yaml b/charts/rancher-backup/103.0.0+up4.0.0/templates/s3-secret.yaml new file mode 100644 index 000000000..726509730 --- /dev/null +++ b/charts/rancher-backup/103.0.0+up4.0.0/templates/s3-secret.yaml 
@@ -0,0 +1,31 @@ +{{- if .Values.s3.enabled -}} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "backupRestore.s3SecretName" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "backupRestore.labels" . | nindent 4 }} +type: Opaque +stringData: + {{- with .Values.s3 }} + {{- if .credentialSecretName }} + credentialSecretName: {{ .credentialSecretName }} + credentialSecretNamespace: {{ required "When providing a Secret containing S3 credentials, a valid .Values.credentialSecretNamespace must be provided" .credentialSecretNamespace }} + {{- end }} + {{- if .region }} + region: {{ .region | quote }} + {{- end }} + bucketName: {{ required "A valid .Values.bucketName is required for configuring S3 compatible storage as the default backup storage location" .bucketName | quote }} + {{- if .folder }} + folder: {{ .folder | quote }} + {{- end }} + endpoint: {{ required "A valid .Values.endpoint is required for configuring S3 compatible storage as the default backup storage location" .endpoint | quote }} + {{- if .endpointCA }} + endpointCA: {{ .endpointCA }} + {{- end }} + {{- if .insecureTLSSkipVerify }} + insecureTLSSkipVerify: {{ .insecureTLSSkipVerify | quote }} + {{- end }} + {{- end }} +{{ end }} diff --git a/charts/rancher-backup/103.0.0+up4.0.0/templates/serviceaccount.yaml b/charts/rancher-backup/103.0.0+up4.0.0/templates/serviceaccount.yaml new file mode 100644 index 000000000..754e1fe89 --- /dev/null +++ b/charts/rancher-backup/103.0.0+up4.0.0/templates/serviceaccount.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "backupRestore.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "backupRestore.labels" . | nindent 4 }} +{{- if .Values.serviceAccount.annotations }} + annotations: + {{- toYaml .Values.serviceAccount.annotations | nindent 4 }} +{{- end }} 
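Review bot: The three `required` messages name `.Values.credentialSecretNamespace`, `.Values.bucketName` and `.Values.endpoint`, but the template is inside `{{- with .Values.s3 }}` and the test suite sets these under `s3:`, so a user who follows the error text will put the key at the wrong level; change them to `.Values.s3.credentialSecretNamespace`, `.Values.s3.bucketName` and `.Values.s3.endpoint`. `credentialSecretName: {{ .credentialSecretName }}` and `endpointCA: {{ .endpointCA }}` are the only unquoted scalars in the block; a CA value that is a multi-line PEM or starts with a YAML indicator would break the manifest, so use `{{ .endpointCA | quote }}` (and `| quote` on the secret name) like the surrounding fields. Also, the closing `{{ end }}` has no trim dash, so the rendered Secret ends with an extra blank line; cosmetic, but `{{- end }}` matches the rest of the chart.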
diff --git a/charts/rancher-backup/103.0.0+up4.0.0/templates/validate-install-crd.yaml b/charts/rancher-backup/103.0.0+up4.0.0/templates/validate-install-crd.yaml new file mode 100644 index 000000000..f63fd2e2e --- /dev/null +++ b/charts/rancher-backup/103.0.0+up4.0.0/templates/validate-install-crd.yaml @@ -0,0 +1,16 @@ +#{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}} +# {{- $found := dict -}} +# {{- set $found "resources.cattle.io/v1/Backup" false -}} +# {{- set $found "resources.cattle.io/v1/ResourceSet" false -}} +# {{- set $found "resources.cattle.io/v1/Restore" false -}} +# {{- range .Capabilities.APIVersions -}} +# {{- if hasKey $found (toString .) -}} +# {{- set $found (toString .) true -}} +# {{- end -}} +# {{- end -}} +# {{- range $_, $exists := $found -}} +# {{- if (eq $exists false) -}} +# {{- required "Required CRDs are missing. Please install the corresponding CRD chart before installing this chart." "" -}} +# {{- end -}} +# {{- end -}} +#{{- end -}} \ No newline at end of file diff --git a/charts/rancher-backup/103.0.0+up4.0.0/templates/validate-psp-install.yaml b/charts/rancher-backup/103.0.0+up4.0.0/templates/validate-psp-install.yaml new file mode 100644 index 000000000..a30c59d3b --- /dev/null +++ b/charts/rancher-backup/103.0.0+up4.0.0/templates/validate-psp-install.yaml @@ -0,0 +1,7 @@ +#{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}} +#{{- if .Values.global.cattle.psp.enabled }} +#{{- if not (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }} +#{{- fail "The target cluster does not have the PodSecurityPolicy API resource. Please disable PSPs in this chart before proceeding." -}} +#{{- end }} +#{{- end }} +#{{- end }} diff --git a/charts/rancher-backup/103.0.0+up4.0.0/tests/deployment_test.yaml b/charts/rancher-backup/103.0.0+up4.0.0/tests/deployment_test.yaml new file mode 100644 index 000000000..671d415db --- /dev/null 
+++ b/charts/rancher-backup/103.0.0+up4.0.0/tests/deployment_test.yaml 
@@ -0,0 +1,216 @@ +suite: Test Deployment +templates: +- deployment.yaml +- s3-secret.yaml +- pvc.yaml +- _helpers.tpl +tests: +- it: should set name + template: deployment.yaml + asserts: + - equal: + path: metadata.name + value: "rancher-backup" +- it: should set namespace + template: deployment.yaml + asserts: + - equal: + path: metadata.namespace + value: "NAMESPACE" +- it: should set priorityClassName + set: + priorityClassName: "testClass" + template: deployment.yaml + asserts: + - equal: + path: spec.template.spec.priorityClassName + value: "testClass" +- it: should set default imagePullPolicy + template: deployment.yaml + asserts: + - equal: + path: spec.template.spec.containers[0].imagePullPolicy + value: "Always" +- it: should set imagePullPolicy + set: + imagePullPolicy: "IfNotPresent" + template: deployment.yaml + asserts: + - equal: + path: spec.template.spec.containers[0].imagePullPolicy + value: "IfNotPresent" +- it: should set debug loglevel + set: + debug: true + template: deployment.yaml + asserts: + - contains: + path: spec.template.spec.containers[0].args + content: "--debug" +- it: should set trace loglevel + set: + trace: true + template: deployment.yaml + asserts: + - contains: + path: spec.template.spec.containers[0].args + content: "--trace" +- it: should set proxy environment variables + set: + proxy: "https://127.0.0.1:3128" + template: deployment.yaml + asserts: + - contains: + path: spec.template.spec.containers[0].env + content: + name: HTTP_PROXY + value: "https://127.0.0.1:3128" + - contains: + path: spec.template.spec.containers[0].env + content: + name: HTTPS_PROXY + value: "https://127.0.0.1:3128" + - contains: + path: spec.template.spec.containers[0].env + content: + name: NO_PROXY + value: "127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,.svc,.cluster.local" +- it: should set proxy environment variables with modified noproxy + set: + proxy: "https://127.0.0.1:3128" + noProxy: "192.168.0.0/24" + template: deployment.yaml + 
asserts: + - contains: + path: spec.template.spec.containers[0].env + content: + name: NO_PROXY + value: "192.168.0.0/24" +- it: should set persistence variables + set: + persistence.enabled: true + template: deployment.yaml + asserts: + - contains: + path: spec.template.spec.containers[0].env + content: + name: DEFAULT_PERSISTENCE_ENABLED + value: "persistence-enabled" + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + mountPath: "/var/lib/backups" + name: "pv-storage" + - equal: + path: spec.template.spec.volumes[0].name + value: "pv-storage" + - equal: + path: spec.template.spec.volumes[0].persistentVolumeClaim + value: + claimName: RELEASE-NAME-0 +- it: should set claim from custom static volumeName + set: + persistence.enabled: true + persistence.volumeName: "PREDEFINED-VOLUME" + persistence.storageClass: "PREDEFINED-STORAGECLASS" + persistence.size: "PREDIFINED-SAMEAS-PVSIZE" + template: deployment.yaml + asserts: + - contains: + path: spec.template.spec.containers[0].env + content: + name: DEFAULT_PERSISTENCE_ENABLED + value: "persistence-enabled" + - equal: + path: spec.template.spec.volumes[0].persistentVolumeClaim + value: + claimName: PREDEFINED-VOLUME +- it: should set private registry + template: deployment.yaml + set: + global.cattle.systemDefaultRegistry: "my.registry.local:3000" + asserts: + - matchRegex: + path: spec.template.spec.containers[0].image + pattern: ^my.registry.local:3000/rancher/backup-restore-operator:.*$ +- it: should set nodeselector + template: deployment.yaml + asserts: + - equal: + path: spec.template.spec.nodeSelector + value: + kubernetes.io/os: linux +- it: should not set default affinity + template: deployment.yaml + asserts: + - isNull: + path: spec.template.spec.affinity +- it: should set custom affinity + template: deployment.yaml + set: + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: disktype + operator: In + 
values: + - ssd + asserts: + - equal: + path: spec.template.spec.affinity + value: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: disktype + operator: In + values: + - ssd +- it: should set tolerations + template: deployment.yaml + asserts: + - equal: + path: spec.template.spec.tolerations[0] + value: + key: "cattle.io/os" + value: "linux" + effect: "NoSchedule" + operator: "Equal" +- it: should set custom tolerations + template: deployment.yaml + set: + tolerations: + - key: "example-key" + operator: "Exists" + effect: "NoSchedule" + asserts: + - equal: + path: spec.template.spec.tolerations[0] + value: + key: "cattle.io/os" + value: "linux" + effect: "NoSchedule" + operator: "Equal" + - equal: + path: spec.template.spec.tolerations[1] + value: + key: "example-key" + operator: "Exists" + effect: "NoSchedule" +- it: should not set default imagePullSecrets + template: deployment.yaml + asserts: + - isNull: + path: spec.template.spec.imagePullSecrets +- it: should set imagePullSecrets + set: + imagePullSecrets: + - name: "pull-secret" + template: deployment.yaml + asserts: + - equal: + path: spec.template.spec.imagePullSecrets[0].name + value: "pull-secret" diff --git a/charts/rancher-backup/103.0.0+up4.0.0/tests/pvc_test.yaml b/charts/rancher-backup/103.0.0+up4.0.0/tests/pvc_test.yaml new file mode 100644 index 000000000..3a1c40698 --- /dev/null +++ b/charts/rancher-backup/103.0.0+up4.0.0/tests/pvc_test.yaml 
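Review bot: Nothing in this suite exercises the guard at the top of deployment.yaml that calls `fail` when both `s3.enabled` and `persistence.enabled` are set, and the s3-secret_test.yaml suite in a later hunk likewise never checks that the `required` calls reject a missing `bucketName` or `endpoint`; both failure paths are the chart's only defence against a misconfigured storage target and deserve a negative test. A `failedTemplate` assertion covers it (use `errorPattern` if the helm-unittest version in use supports it, otherwise `errorMessage` with the full text). The extra `s3.bucketName`/`s3.endpoint` values below are constructed placeholders so that s3-secret.yaml also renders if the runner evaluates every template in the suite. As a style point, `tests:` uses flush `- it:` items while `asserts:` uses indented `  - equal:` items; pick one sequence style for the file.
```yaml
- it: should fail when both s3 and persistence are enabled
  set:
    s3.enabled: true
    s3.bucketName: "placeholder-bucket"
    s3.endpoint: "https://s3.example.invalid"
    persistence.enabled: true
  template: deployment.yaml
  asserts:
    - failedTemplate:
        errorPattern: "Cannot configure both s3 and PV"
```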
@@ -0,0 +1,102 @@ +suite: Test PVC +templates: +- pvc.yaml +- _helpers.tpl +tests: +- it: should set name + template: pvc.yaml + set: + persistence: + enabled: true + asserts: + - equal: + path: metadata.name + value: "RELEASE-NAME-0" +- it: should set namespace + template: pvc.yaml + set: + persistence: + enabled: true + asserts: + - equal: + path: metadata.namespace + value: "NAMESPACE" +- it: should set accessModes + template: pvc.yaml + set: + persistence: + enabled: true + asserts: + - equal: + path: spec.accessModes[0] + value: "ReadWriteOnce" +- it: should set size + template: pvc.yaml + set: + persistence: + enabled: true + asserts: + - equal: + path: spec.resources.requests.storage + value: "2Gi" +- it: should set size + template: pvc.yaml + set: + persistence: + enabled: true + size: "10Gi" + asserts: + - equal: + path: spec.resources.requests.storage + value: "10Gi" +- it: should not set volumeName + template: pvc.yaml + set: + persistence: + enabled: true + asserts: + - isNull: + path: spec.volumeName +- it: should set default storageClass + template: pvc.yaml + set: + persistence: + enabled: true + asserts: + - equal: + path: spec.storageClassName + value: "" +- it: should set custom storageClass + template: pvc.yaml + set: + persistence: + enabled: true + storageClass: "storage-class" + asserts: + - equal: + path: spec.storageClassName + value: "storage-class" +- it: should set custom volumeName + template: pvc.yaml + set: + persistence: + enabled: true + volumeName: "volume-name" + asserts: + - equal: + path: spec.volumeName + value: "volume-name" +- it: should set claim from custom static volumeName + set: + persistence.enabled: true + persistence.volumeName: "PREDEFINED-VOLUME" + persistence.storageClass: "PREDEFINED-STORAGECLASS" + persistence.size: "PREDEFINED-SAMEAS-PVSIZE" + template: pvc.yaml + asserts: + - equal: + path: spec.resources.requests.storage + value: "PREDEFINED-SAMEAS-PVSIZE" + - equal: + path: spec.storageClassName + value: 
"PREDEFINED-STORAGECLASS" diff --git a/charts/rancher-backup/103.0.0+up4.0.0/tests/s3-secret_test.yaml b/charts/rancher-backup/103.0.0+up4.0.0/tests/s3-secret_test.yaml new file mode 100644 index 000000000..af130dd29 --- /dev/null +++ b/charts/rancher-backup/103.0.0+up4.0.0/tests/s3-secret_test.yaml 
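Review bot: Two consecutive tests are both named `it: should set size`, one checking the default `"2Gi"` and one checking an explicit `size: "10Gi"`; duplicate test names make a failure report ambiguous, so rename the second to `- it: should set custom size`. The first of the pair documents that the default size is `2Gi`, which is fine, but a short comment noting that the value comes from values.yaml would make the expectation less surprising when the default changes.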
@@ -0,0 +1,141 @@
+suite: Test S3 Secret
+templates:
+- s3-secret.yaml
+- _helpers.tpl
+tests:
+- it: should set name
+ template: s3-secret.yaml
+ set:
+ s3:
+ enabled: true
+ bucketName: "yourbucket"
+ endpoint: "https://s3.amazonaws.com"
+ asserts:
+ - equal:
+ path: metadata.name
+ value: "rancher-backup-s3"
+- it: should set namespace
+ template: s3-secret.yaml
+ set:
+ s3:
+ enabled: true
+ bucketName: "yourbucket"
+ endpoint: "https://s3.amazonaws.com"
+ asserts:
+ - equal:
+ path: metadata.namespace
+ value: "NAMESPACE"
+- it: should not set credentialSecretName
+ template: s3-secret.yaml
+ set:
+ s3:
+ enabled: true
+ bucketName: "yourbucket"
+ endpoint: "https://s3.amazonaws.com"
+ asserts:
+ - isNull:
+ path: stringData.credentialSecretName
+- it: should set credentialSecretName
+ template: s3-secret.yaml
+ set:
+ s3:
+ enabled: true
+ bucketName: "yourbucket"
+ endpoint: "https://s3.amazonaws.com"
+ credentialSecretName: "credential-secret-name"
+ credentialSecretNamespace: "credential-secret-namespace"
+ asserts:
+ - equal:
+ path: stringData.credentialSecretName
+ value: "credential-secret-name"
+ - equal:
+ path: stringData.credentialSecretNamespace
+ value: "credential-secret-namespace"
+- it: should not set folder
+ template: s3-secret.yaml
+ set:
+ s3:
+ enabled: true
+ bucketName: "yourbucket"
+ endpoint: "https://s3.amazonaws.com"
+ asserts:
+ - isNull:
+ path: stringData.folder
+- it: should set folder
+ template: s3-secret.yaml
+ set:
+ s3:
+ enabled: true
+ bucketName: "yourbucket"
+ endpoint: "https://s3.amazonaws.com"
+ folder: "myfolder"
+ asserts:
+ - equal:
+ path: stringData.folder
+ value: "myfolder"
+- it: should not set region
+ template: s3-secret.yaml
+ set:
+ s3:
+ enabled: true
+ bucketName: "yourbucket"
+ endpoint: "https://s3.amazonaws.com"
+ asserts:
+ - isNull:
+ path: stringData.region
+- it: should set region
+ template: s3-secret.yaml
+ set:
+ s3:
+ enabled: true
+ bucketName: "yourbucket"
+ endpoint: "https://s3.amazonaws.com"
+ region: "us-west-1"
+ asserts:
+ - equal:
+ path: stringData.region
+ value: "us-west-1"
+- it: should not set endpointCA
+ template: s3-secret.yaml
+ set:
+ s3:
+ enabled: true
+ bucketName: "yourbucket"
+ endpoint: "https://s3.amazonaws.com"
+ asserts:
+ - isNull:
+ path: stringData.endpointCA
+- it: should set endpointCA
+ template: s3-secret.yaml
+ set:
+ s3:
+ enabled: true
+ bucketName: "yourbucket"
+ endpoint: "https://s3.amazonaws.com"
+ endpointCA: "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"
+ asserts:
+ - equal:
+ path: stringData.endpointCA
+ value: "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"
+- it: should not set insecureTLSSkipVerify
+ template: s3-secret.yaml
+ set:
+ s3:
+ enabled: true
+ bucketName: "yourbucket"
+ endpoint: "https://s3.amazonaws.com"
+ asserts:
+ - isNull:
+ path: stringData.insecureTLSSkipVerify
+- it: should set insecureTLSSkipVerify
+ template: s3-secret.yaml
+ set:
+ s3:
+ enabled: true
+ bucketName: "yourbucket"
+ endpoint: "https://s3.amazonaws.com"
+ insecureTLSSkipVerify: "true"
+ asserts:
+ - equal:
+ path: stringData.insecureTLSSkipVerify
+ value: "true"
diff --git a/charts/rancher-backup/103.0.0+up4.0.0/values.yaml b/charts/rancher-backup/103.0.0+up4.0.0/values.yaml
new file mode 100644
index 000000000..5d606f742
--- /dev/null
+++ b/charts/rancher-backup/103.0.0+up4.0.0/values.yaml
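Review bot: The last case sets `insecureTLSSkipVerify: "true"` as a string, while values.yaml in this same commit declares the key as the boolean `false`, so the suite never exercises the type the chart's own default uses; set `insecureTLSSkipVerify: true` here and keep asserting on `stringData.insecureTLSSkipVerify` (a Secret's stringData holds strings, so the expected `"true"` is presumably still right, but confirm against the template, which is outside this hunk). Every case runs with `s3.enabled: true`, so nothing verifies that no Secret is rendered when S3 is disabled, which is the path most installs take; the case below covers it. A case that sets `endpointCA` together with `insecureTLSSkipVerify: true` would also document which of the two the template honours when both are given, if the template makes that choice.
```yaml
- it: should not render secret when s3 is disabled
  template: s3-secret.yaml
  set:
    s3:
      enabled: false
  asserts:
    - hasDocuments:
        count: 0
```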
@@ -0,0 +1,81 @@
+image:
+ repository: rancher/backup-restore-operator
+ tag: v4.0.0
+
+## Default s3 bucket for storing all backup files created by the backup-restore-operator
+s3:
+ enabled: false
+ ## credentialSecretName if set, should be the name of the Secret containing AWS credentials.
+ ## To use IAM Role, don't set this field
+ credentialSecretName: ""
+ credentialSecretNamespace: ""
+ region: ""
+ bucketName: ""
+ folder: ""
+ endpoint: ""
+ endpointCA: ""
+ insecureTLSSkipVerify: false
+
+## ref: http://kubernetes.io/docs/user-guide/persistent-volumes/
+## If persistence is enabled, operator will create a PVC with mountPath /var/lib/backups
+persistence:
+ enabled: false
+
+ ## If defined, storageClassName:
+ ## If set to "-", storageClassName: "", which disables dynamic provisioning
+ ## If undefined (the default) or set to null, no storageClassName spec is
+ ## set, choosing the default provisioner. (gp2 on AWS, standard on
+ ## GKE, AWS & OpenStack).
+ ## Refer https://kubernetes.io/docs/concepts/storage/persistent-volumes/#class-1
+ ##
+ storageClass: "-"
+
+ ## If you want to disable dynamic provisioning by setting storageClass to "-" above,
+ ## and want to target a particular PV, provide name of the target volume
+ volumeName: ""
+
+ ## Only certain StorageClasses allow resizing PVs; Refer https://kubernetes.io/blog/2018/07/12/resizing-persistent-volumes-using-kubernetes/
+ size: 2Gi
+
+# Add log level flags to backup-restore
+debug: false
+trace: false
+
+# http[s] proxy server passed to backup client
+# proxy: http://@::
+
+# comma separated list of domains or ip addresses that will not use the proxy
+noProxy: 127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,.svc,.cluster.local
+
+global:
+ cattle:
+ systemDefaultRegistry: ""
+ psp:
+ enabled: false # PSP enablement should default to false
+ kubectl:
+ repository: rancher/kubectl
+ tag: v1.21.9
+
+## Node labels for pod assignment
+## Ref: https://kubernetes.io/docs/user-guide/node-selection/
+##
+nodeSelector: {}
+
+## List of node taints to tolerate (requires Kubernetes >= 1.6)
+tolerations: []
+
+affinity: {}
+
+serviceAccount:
+ annotations: {}
+
+priorityClassName: ""
+
+# Override imagePullPolicy for image
+# options: Always, Never, IfNotPresent
+# Defaults to Always
+imagePullPolicy: "Always"
+
+## Optional array of imagePullSecrets containing private registry credentials
+## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+imagePullSecrets: []
diff --git a/index.yaml b/index.yaml
index 4d8138c4a..9f10fd219 100755
--- a/index.yaml
+++ b/index.yaml
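Review bot: `global.kubectl.tag: v1.21.9` sits two to six minor versions behind the `catalog.cattle.io/kube-version: '>= 1.23.0-0 < 1.28.0-0'` range this same commit publishes for the chart in index.yaml, which is outside kubectl's supported one-minor-version skew against the API server; if this image runs the chart's hook jobs (the templates are not in this hunk), bump it to a tag inside the supported range. `s3.insecureTLSSkipVerify` and `s3.endpointCA` carry no comment, unlike `credentialSecretName` just above them, so an operator reading only values.yaml has no hint that one disables server certificate verification for the S3 endpoint; suggest `## insecureTLSSkipVerify disables TLS server certificate verification for the S3 endpoint; leave false and supply a private CA bundle via endpointCA instead` above those two keys. The example `# proxy: http://@::` reads as if its placeholders (user, password, host, port) were dropped — possibly an artifact of how this patch was captured, but worth checking in the committed file.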
@@ -6261,6 +6261,36 @@ entries: - assets/rancher-alerting-drivers/rancher-alerting-drivers-1.0.100.tgz version: 1.0.100 rancher-backup: + - annotations: + catalog.cattle.io/auto-install: rancher-backup-crd=match + catalog.cattle.io/certified: rancher + catalog.cattle.io/display-name: Rancher Backups + catalog.cattle.io/kube-version: '>= 1.23.0-0 < 1.28.0-0' + catalog.cattle.io/namespace: cattle-resources-system + catalog.cattle.io/os: linux + catalog.cattle.io/permits-os: linux,windows + catalog.cattle.io/provides-gvr: resources.cattle.io.resourceset/v1 + catalog.cattle.io/rancher-version: '>= 2.8.0-0 < 2.9.0-0' + catalog.cattle.io/release-name: rancher-backup + catalog.cattle.io/scope: management + catalog.cattle.io/type: cluster-tool + catalog.cattle.io/ui-component: rancher-backup + catalog.cattle.io/upstream-version: 2.1.1 + apiVersion: v2 + appVersion: 4.0.0 + created: "2023-10-30T12:40:59.106857-07:00" + description: Provides ability to back up and restore the Rancher application running + on any Kubernetes cluster + digest: 5b211ec8cb04c65d642eec33ce5d6e2e9df8d3c0a8f25372f33ea7983a47ead3 + icon: https://charts.rancher.io/assets/logos/backup-restore.svg + keywords: + - applications + - infrastructure + kubeVersion: '>= 1.23.0-0' + name: rancher-backup + urls: + - assets/rancher-backup/rancher-backup-103.0.0+up4.0.0.tgz + version: 103.0.0+up4.0.0 - annotations: catalog.cattle.io/auto-install: rancher-backup-crd=match catalog.cattle.io/certified: rancher 
@@ -6789,6 +6819,21 @@ entries: - assets/rancher-backup/rancher-backup-1.0.200.tgz version: 1.0.200 rancher-backup-crd: + - annotations: + catalog.cattle.io/certified: rancher + catalog.cattle.io/hidden: "true" + catalog.cattle.io/namespace: cattle-resources-system + catalog.cattle.io/release-name: rancher-backup-crd + apiVersion: v2 + appVersion: 4.0.0 + created: "2023-10-30T12:41:00.790812-07:00" + description: Installs the CRDs for rancher-backup. + digest: d3363fb031d2756acbaf716133c8bdddb2177e906347f17fe4cf6e5ef662dd4b + name: rancher-backup-crd + type: application + urls: + - assets/rancher-backup-crd/rancher-backup-crd-103.0.0+up4.0.0.tgz + version: 103.0.0+up4.0.0 - annotations: catalog.cattle.io/certified: rancher catalog.cattle.io/hidden: "true" From 3eb2cdfd8d54dafa10f95fe12515f7b485b41197 Mon Sep 17 00:00:00 2001 From: Lucas Lopes Date: Mon, 14 Aug 2023 16:42:39 -0300 Subject: [PATCH 13/24] Copy rancher-gatekeeper version 102. x.x to 103.0.0 --- .../generated-changes/patch/Chart.yaml.patch | 2 +- packages/rancher-gatekeeper/package.yaml | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/packages/rancher-gatekeeper/generated-changes/patch/Chart.yaml.patch b/packages/rancher-gatekeeper/generated-changes/patch/Chart.yaml.patch index d051f7dfc..5145ffc36 100644 --- a/packages/rancher-gatekeeper/generated-changes/patch/Chart.yaml.patch +++ b/packages/rancher-gatekeeper/generated-changes/patch/Chart.yaml.patch @@ -10,7 +10,7 @@ + catalog.cattle.io/os: linux + catalog.cattle.io/permits-os: linux,windows + catalog.cattle.io/provides-gvr: config.gatekeeper.sh.config/v1alpha1 -+ catalog.cattle.io/rancher-version: '>= 2.7.0-0 < 2.8.0-0' ++ catalog.cattle.io/rancher-version: '>= 2.8.0-0 < 2.9.0-0' + catalog.cattle.io/release-name: rancher-gatekeeper + catalog.cattle.io/type: cluster-tool + catalog.cattle.io/ui-component: gatekeeper 
diff --git a/packages/rancher-gatekeeper/package.yaml b/packages/rancher-gatekeeper/package.yaml index bd189dd88..5ef8e2d99 100644 --- a/packages/rancher-gatekeeper/package.yaml +++ b/packages/rancher-gatekeeper/package.yaml @@ -1,8 +1,9 @@ url: https://open-policy-agent.github.io/gatekeeper/charts/gatekeeper-3.12.0.tgz -version: 102.1.0 +version: 103.0.0 additionalCharts: - workingDir: charts-crd crdOptions: templateDirectory: crd-template crdDirectory: crd-manifest addCRDValidationToMainChart: true +doNotRelease: true \ No newline at end of file From f1a28e25f5e31e3c322fef0ea71b8d73f034329e Mon Sep 17 00:00:00 2001 From: nicholasSUSE Date: Wed, 23 Aug 2023 17:22:27 -0300 Subject: [PATCH 14/24] updating rancher-gatekeeper support for k8s 1.27 For k8s 1.27 support - apps and feature charts removing doNotRelease: true changing kube-version to support 1.27 adding rancher-gatekeeper with version to release.yaml make prepare make patch make clean --- .../generated-changes/patch/Chart.yaml.patch | 2 +- .../generated-changes/patch/templates/_helpers.tpl.patch | 4 ++-- packages/rancher-gatekeeper/package.yaml | 3 +-- release.yaml | 4 ++++ 4 files changed, 8 insertions(+), 5 deletions(-) diff --git a/packages/rancher-gatekeeper/generated-changes/patch/Chart.yaml.patch b/packages/rancher-gatekeeper/generated-changes/patch/Chart.yaml.patch index 5145ffc36..622b464d5 100644 --- a/packages/rancher-gatekeeper/generated-changes/patch/Chart.yaml.patch +++ b/packages/rancher-gatekeeper/generated-changes/patch/Chart.yaml.patch @@ -5,7 +5,7 @@ + catalog.cattle.io/auto-install: rancher-gatekeeper-crd=match + catalog.cattle.io/certified: rancher + catalog.cattle.io/display-name: OPA Gatekeeper -+ catalog.cattle.io/kube-version: '>= 1.20.0-0 < 1.27.0-0' ++ catalog.cattle.io/kube-version: '>= 1.20.0-0 < 1.28.0-0' + catalog.cattle.io/namespace: cattle-gatekeeper-system + catalog.cattle.io/os: linux + catalog.cattle.io/permits-os: linux,windows 
diff --git a/packages/rancher-gatekeeper/generated-changes/patch/templates/_helpers.tpl.patch b/packages/rancher-gatekeeper/generated-changes/patch/templates/_helpers.tpl.patch index 00f5072fa..dcd1cbdee 100644 --- a/packages/rancher-gatekeeper/generated-changes/patch/templates/_helpers.tpl.patch +++ b/packages/rancher-gatekeeper/generated-changes/patch/templates/_helpers.tpl.patch @@ -12,7 +12,7 @@ +{{- end -}} +{{- end -}} + - {{/* ++{{/* +Windows cluster will add default taint for linux nodes, +add below linux tolerations to workloads could be scheduled to those linux nodes +*/}} @@ -27,7 +27,7 @@ +kubernetes.io/os: linux +{{- end -}} + -+{{/* + {{/* Output post install webhook probe container entry */}} {{- define "gatekeeper.postInstallWebhookProbeContainer" -}} diff --git a/packages/rancher-gatekeeper/package.yaml b/packages/rancher-gatekeeper/package.yaml index 5ef8e2d99..c953f4990 100644 --- a/packages/rancher-gatekeeper/package.yaml +++ b/packages/rancher-gatekeeper/package.yaml @@ -1,9 +1,8 @@ url: https://open-policy-agent.github.io/gatekeeper/charts/gatekeeper-3.12.0.tgz -version: 103.0.0 +version: 103.0.1 additionalCharts: - workingDir: charts-crd crdOptions: templateDirectory: crd-template crdDirectory: crd-manifest addCRDValidationToMainChart: true -doNotRelease: true \ No newline at end of file diff --git a/release.yaml b/release.yaml index a5906a736..001d9227f 100644 --- a/release.yaml +++ b/release.yaml @@ -4,3 +4,7 @@ rancher-backup: rancher-backup-crd: - 102.0.2+up3.1.2 - 103.0.0+up4.0.0 +rancher-gatekeeper: + - 103.0.1+up3.12.0 +rancher-gatekeeper-crd: + - 103.0.1+up3.12.0 From 0f8b2c0468c1c27a4ad57eda47d70ae4fc6f95e9 Mon Sep 17 00:00:00 2001 
From: nicholasSUSE Date: Wed, 23 Aug 2023 17:23:14 -0300 Subject: [PATCH 15/24] gatekeeper chart update make charts --- ...ancher-gatekeeper-crd-103.0.1+up3.12.0.tgz | Bin 0 -> 13235 bytes .../rancher-gatekeeper-103.0.1+up3.12.0.tgz | Bin 0 -> 17287 bytes .../103.0.1+up3.12.0/Chart.yaml | 10 + .../103.0.1+up3.12.0/README.md | 2 + .../assign-customresourcedefinition.yaml | 757 ++++++++++++++++++ .../assignimage-customresourcedefinition.yaml | 237 ++++++ ...signmetadata-customresourcedefinition.yaml | 655 +++++++++++++++ .../config-customresourcedefinition.yaml | 105 +++ ...intpodstatus-customresourcedefinition.yaml | 67 ++ ...ainttemplate-customresourcedefinition.yaml | 357 +++++++++ ...atepodstatus-customresourcedefinition.yaml | 66 ++ ...siontemplate-customresourcedefinition.yaml | 73 ++ .../modifyset-customresourcedefinition.yaml | 676 ++++++++++++++++ ...torpodstatus-customresourcedefinition.yaml | 65 ++ .../provider-customresourcedefinition.yaml | 78 ++ .../103.0.1+up3.12.0/templates/_helpers.tpl | 22 + .../103.0.1+up3.12.0/templates/jobs.yaml | 126 +++ .../103.0.1+up3.12.0/templates/manifest.yaml | 14 + .../103.0.1+up3.12.0/templates/rbac.yaml | 76 ++ .../templates/validate-psp-install.yaml | 7 + .../103.0.1+up3.12.0/values.yaml | 21 + .../103.0.1+up3.12.0/.helmignore | 21 + .../103.0.1+up3.12.0/CHANGELOG.md | 15 + .../103.0.1+up3.12.0/Chart.yaml | 26 + .../103.0.1+up3.12.0/README.md | 210 +++++ .../103.0.1+up3.12.0/app-readme.md | 32 + .../103.0.1+up3.12.0/templates/_helpers.tpl | 113 +++ .../templates/allowedrepos.yaml | 35 + .../gatekeeper-admin-podsecuritypolicy.yaml | 38 + .../gatekeeper-admin-serviceaccount.yaml | 11 + .../gatekeeper-audit-deployment.yaml | 156 ++++ ...ekeeper-controller-manager-deployment.yaml | 169 ++++ ...per-controller-manager-network-policy.yaml | 30 + ...ontroller-manager-poddisruptionbudget.yaml | 24 + ...atekeeper-critical-pods-resourcequota.yaml | 23 + .../gatekeeper-manager-role-clusterrole.yaml | 174 ++++ 
.../gatekeeper-manager-role-role.yaml | 37 + ...anager-rolebinding-clusterrolebinding.yaml | 20 + ...eeper-manager-rolebinding-rolebinding.yaml | 21 + ...guration-mutatingwebhookconfiguration.yaml | 60 ++ ...ration-validatingwebhookconfiguration.yaml | 109 +++ ...gatekeeper-webhook-server-cert-secret.yaml | 14 + .../gatekeeper-webhook-service-service.yaml | 38 + .../templates/namespace-post-install.yaml | 165 ++++ .../templates/namespace-post-upgrade.yaml | 153 ++++ .../templates/probe-webhook-post-install.yaml | 46 ++ .../templates/requiredlabels.yaml | 57 ++ .../templates/upgrade-crds-hook.yaml | 116 +++ .../templates/validate-install-crd.yaml | 24 + .../templates/validate-psp-install.yaml | 7 + .../templates/webhook-configs-pre-delete.yaml | 141 ++++ .../103.0.1+up3.12.0/values.yaml | 271 +++++++ index.yaml | 44 + 53 files changed, 5814 insertions(+) create mode 100644 assets/rancher-gatekeeper-crd/rancher-gatekeeper-crd-103.0.1+up3.12.0.tgz create mode 100644 assets/rancher-gatekeeper/rancher-gatekeeper-103.0.1+up3.12.0.tgz create mode 100644 charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/Chart.yaml create mode 100644 charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/README.md create mode 100644 charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/assign-customresourcedefinition.yaml create mode 100644 charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/assignimage-customresourcedefinition.yaml create mode 100644 charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/assignmetadata-customresourcedefinition.yaml create mode 100644 charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/config-customresourcedefinition.yaml create mode 100644 charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/constraintpodstatus-customresourcedefinition.yaml create mode 100644 charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/constrainttemplate-customresourcedefinition.yaml create mode 100644 
charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/constrainttemplatepodstatus-customresourcedefinition.yaml create mode 100644 charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/expansiontemplate-customresourcedefinition.yaml create mode 100644 charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/modifyset-customresourcedefinition.yaml create mode 100644 charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/mutatorpodstatus-customresourcedefinition.yaml create mode 100644 charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/provider-customresourcedefinition.yaml create mode 100644 charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/templates/_helpers.tpl create mode 100644 charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/templates/jobs.yaml create mode 100644 charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/templates/manifest.yaml create mode 100644 charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/templates/rbac.yaml create mode 100644 charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/templates/validate-psp-install.yaml create mode 100644 charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/values.yaml create mode 100644 charts/rancher-gatekeeper/103.0.1+up3.12.0/.helmignore create mode 100644 charts/rancher-gatekeeper/103.0.1+up3.12.0/CHANGELOG.md create mode 100644 charts/rancher-gatekeeper/103.0.1+up3.12.0/Chart.yaml create mode 100644 charts/rancher-gatekeeper/103.0.1+up3.12.0/README.md create mode 100644 charts/rancher-gatekeeper/103.0.1+up3.12.0/app-readme.md create mode 100644 charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/_helpers.tpl create mode 100644 charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/allowedrepos.yaml create mode 100644 charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-admin-podsecuritypolicy.yaml create mode 100644 charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-admin-serviceaccount.yaml create mode 100644 
charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-audit-deployment.yaml create mode 100644 charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-controller-manager-deployment.yaml create mode 100644 charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-controller-manager-network-policy.yaml create mode 100644 charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-controller-manager-poddisruptionbudget.yaml create mode 100644 charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-critical-pods-resourcequota.yaml create mode 100644 charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-manager-role-clusterrole.yaml create mode 100644 charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-manager-role-role.yaml create mode 100644 charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-manager-rolebinding-clusterrolebinding.yaml create mode 100644 charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-manager-rolebinding-rolebinding.yaml create mode 100644 charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml create mode 100644 charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml create mode 100644 charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-webhook-server-cert-secret.yaml create mode 100644 charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-webhook-service-service.yaml create mode 100644 charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/namespace-post-install.yaml create mode 100644 charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/namespace-post-upgrade.yaml create mode 100644 charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/probe-webhook-post-install.yaml create mode 100644 charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/requiredlabels.yaml create mode 100644 
charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/upgrade-crds-hook.yaml create mode 100644 charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/validate-install-crd.yaml create mode 100644 charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/validate-psp-install.yaml create mode 100644 charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/webhook-configs-pre-delete.yaml create mode 100644 charts/rancher-gatekeeper/103.0.1+up3.12.0/values.yaml 
diff --git a/assets/rancher-gatekeeper-crd/rancher-gatekeeper-crd-103.0.1+up3.12.0.tgz b/assets/rancher-gatekeeper-crd/rancher-gatekeeper-crd-103.0.1+up3.12.0.tgz new file mode 100644 index 0000000000000000000000000000000000000000..5ed680d1124cae6c1b3d66f5b4f51060ac069e08 GIT binary patch literal 13235 zcmch8RahNM(=P5#aQEO2!3h@J-QC?GI0Ojp?i$?Pg1fszSh%~h4rK4|KlWdotFtbq zXS%wo-s+jBdZyl9MBy->Kt6szY7kljaYZI0aTyM24=#2?R#hfrC3XuNBD*#?NfHkz&PER2M*VHqBSxo0Egb_}=*V{Sd0+$tc;V>UC{0sq`E-h0_##EzT2@1%B&tkJnsLmAUGi`o6>Ia6eUWnMC4#i8 z>=b2fax=i5J(VF%0`L6Ay-6Nhq><=NMl6;c=f;iyJam2Rf3Sba)7R^GT~SW@|mnF40rQ2U}&u6oNr zW(WAUY%|Js{Iuj=#oeT2VaM?ZdD=OG+z3B#3$MMAG-zvXlU#nXK+ZpzR-3$-B_(o0 ztSs)2=Me*eDid>Yx$0v=^aX|8p(3eFWZ}85tgD%lGSPf;%-&gZ)Ii`j>Bf0*9suxq zHhu@=_52Zb#TPk##C104$lk}^so7~f{vhH-k9k>xNrtSnL_xXS;pX|Ayn4f*)46-7 zSgu!|r8ISP3xPNOxT0Z|n247$oBtFAZ5B2>6G>#YzDO)zUS(WS2+9eQ5sY0R1>S-0 z3t5T0=TL<~lO1qmCba<7$yWk(5FJ;yDw$A>&NK~C3H92Z>kAn=2Syy?Hi2_+xN-LH zY#Mms0aDD(2BF31gkQuN%q>?mq;UFPJop&`6(}pI5Q%C;pW@8`_H4K<`?=x~N8QF2 zLm{?BOCAOyl_Q&|hKSg`XacL6Y_)z~PsT<5$D|2}aHAn!PtJ{ZnzI_yv+ez5bWv6M z3K_AZhj_VFgCMm!0nxa>qS=$EWm&sADZS;)d?5)lUA3Z|na+O=`$(lLuBXiN9aObjJcargZt zXs@eQgUcNWEE%;@X!|sxl^Qx5?r7^8-P>8N)mjxa#Y4V{It-85{(2>UV1A6c`VyaI z;fj5QYQEcH0}IuEgblq{e|q(k*oe&<^ZEM|E< zTM*lS1YWZPfzzzK!0$2jj<&Y*Cs;mNcZ!Wtv+dEXr)664HfDfmf-XfMrm14BNEf{5 z$j~y76x2O8e33pZ^ebyWFJ zDeZpiu4ku^$Yt7tSZX6iBKhD?Ec}5u>hS#B<+x5>U(fxgWOQ5~UEulU^ucl|@csek z$(M*caZvz)ef&mS{0(o3x%+l=Tl!ZF!kztTMW}|}^43YeEgsJ#UEPxPFR`lqO{v&I zd4xA(B6cZ+hLKpP;ulF{7Gnmr6l!|RHxhgwhw5Qhm=*)ayosU7wuSS?HaS-_>2#oC zX>ZG;0Y?40-l`mzQX=;_)Tc<662QKW)$aM5CJ9p3H{E?dx(wmL&CV&Z8q;ucb4afKw87QBpDLRp3Cwd0|Y_~RJxp^H0dwM@a)p0T5mf2 z9n)n>-W+u*ru%d{7Iv(z8_A0_RWmUy!(I$-!?JsU>AkSCb8hF7BIj$;jbWEY_fu`P zibO%^7&V;h(_BuuH+V&MKiVt#+uJ=AyzN~)6nH=LvIyqIYMB||yA<85#^IT{4KA@& zxyN~z0|I&XhtW37EO6@}rPw0jW1Dn$E4?k9Q{skewuW)I#%#hMU){xI-xpG!M&Tjl zWp-D&d5_*{XM}p<>TdWX<*{6n<#CxT9iT{!JWGcbrbcuJ?As5e;x{*8BSMAo;1bDK z|Ks2%eY2N+^Z7R(ZV#V`r%mAkyR}B9S-@%v1z=S@^q7t!kfXss5UTLiT@Y$-bGFzR 
zqG+5m{e+F*iInY;!(AaP4q>8-VV$xd04R)sqwJO!*uZCg!B*uU=^+huz8_&uVO_>m$FD#!C<5n{ z8v9d(J!$3Py-~Dp@00KI)ytpTQGL|)Z+P#k@5O^L``dTt7lcLNJL0q{qeD^%BJTN?`BK?DXN`$Q$qk;#J^1 zODE}O`W6Dn{kDCNgMp+(Z(+MlnB=HoB2uV>reQVY%@dT?ahG2V(P$=5_Y~~Ez=_dv z=t-pfdi3XHhmwLKnOPXAk7rdku3XMh{M-a@wlF=FFs@P1sIj`~^b4D?Py3Ka5?Rl| z?N|IjYC#QE&w%oUaZ5@AssHKpBB2!I>4Y1l2JKbA(C5+f{Omk{X~Nii$%jrVY1 z#fT=OPLvRtR51yg{_sI(mzf0PA-yowp0>e86(*3=SCcey1RYSQM6E~(Ul1l!n5xL7 zURK|r_1T8uY_0LAwU2ZWoU}+aFpjQ)s+5Utk69)ZvUxFGFk)9}cH zNhIDD85*~)FZSdb-vr(S!Yz1?v1^rI7RO?s&Pp@rW7|dsSRd7^fcQH8$%Fvs7jEi` z?(ds1Q$=w9tWhs3vzoKaM(Y8;sAObkZJCi#rtvGmStA`B>hUs-@jNm5>(^eIGa6iY zc#?B;_@52tG(LUwPgI!Q5sX88T$(bJ0mU{EmM5B=7?n0v?Iu&zEGA>Fk zk1xYWl9gV~B0bX*Co55PgLx&IOmD~DMXLXnft`cY8XIOsfdZ;0##7tflCV- z0w-iCEJ3rJ;7cxqmMAk`1g-zE`S8(=1m0{FUBaU{zCfP@?Mu)+IJU-5c}MLzPTCbY4js(l1z(%#SgW`M4)SCjK-y}MvJ;3X@;8wc*&VAbXuuXESkOMWqs zsU^7Ugzt55Q*+la{Jx1enERAvx+^U5?rA&Ea)P$zvy)0O;POPAFM3^ni>=mE5 zd0;%U)M;yEzY_B$KnRJmr{qzqBxaOJ4Sq4>$jTAjQ_l#4qmvd84&R+B_y~F?gTov+OOS(wWDM))2Y9R@H_8eu0;%k$$svzg$iG5 z8OS%OsEvb~(GD7{3nkJ|;jnU!J35!dtnMk%}U+FY?na=Jcj*PwGvH5kre zUlDCxiWJu_LSsYailuSOoVstcm-;OXD8!U|_e@-|uLo~8!$r;Rzr=o7{2kN}NTaX7 zwr|S(A}?;Nno>v5u7Hi=NI2L@5R0N3V`XEsRF&Xe*4}7n2RU>K)-#$k62NT6^<$Yd zykw7a4F2W^^T74|*3ugBMBCysO_UCP1J+BrMi3hn8Y-7(Xedmj*XCh4>WsH|!OryROf2H+e`fOsEEZTbT2EHb zs0jOO89eqiI47BXlTflIi@QnYE`+DxAmKDK*;cI`+fYfWF=ZI{uuKZZp-7S0xV}S= z^hi)M*dI5kmD_-^dHeo|x`t@V%K)Kd7Zgl&zhEFWAhv$n(<^VXODkRwM>}!mX8cnFSDv(!n&KfAxP#&$6!n2uBdN+ggh z){1dyp5qJucOCRioYJDoYEdg#F)mGf&P>kjZCVNS;5=Iu-;`j4mB8FI&Yds>=qaK_bdk<5tj!3LdxR~J<_Mn zeLrqt6(QXT@IGaPh#^9Y0kUMn;-0xlBrl9%Smy?Vw{7S2@x(&! 
zo0%#uyJPx=W&^grZ9ITRMyO#d{wZ$KU1+E1Y`5ciBN-RS{5Fm8e&mndxs;q7%P$st zTZLg|rpIb@!t9IAY=&g#f)s1NPKnLSY*38*+Gng#q{~)Et~GaUDL%2&ye%VZ)B9a+ zVQ*)#7QR4v<_AtWZmJT_QW~aq5|kP> zAB0sb3>%NH#;wMSx5d`+eV}}ex-S8LS@b3*)Obv>Q>K-$t3Z6>!&1Bn?7XL zJ1DSZN`%^zOG_HL@VGczojjF=4JmkE{hz7bg-k)??4eLnE*(v&b^XP~u z+g)_q#Z+zHdoug<9mZ@e!C-Z=Js_I^htce3%&C&?(s*iC{vV$9?)vsCUQGu$PN!?a zJvn4DSDOAmE;jbgMrxh37!GYen5j-?Mudmq-5LZ;n>aQbS#W8V{Vx5wf5B)FPNGij%I+2sgYYbl{yi>Cp=s@t;xuk4yR$Z7k2UYgxDp&ea_+hV&lSF!gehsG-3BS8dS zF|{^I3Ji@4*#RmKryV6u1dQ8~EJTO;{8F3N#Bm`R0ZJy=9$6tiTI$>=469Q_;^*yx zmMqK8gxM^$8c2CsE-W04*1BhTiy|nAKBKY@QC=Yh)Vcht6ET)sN0buBp=QqrG@{|^x>3z zSO3S;dw*FS0_yf{3ks_4aM(wu-2g`VhxZG`cTeOZLH9JR^rUOPzFuVF4?!0Hg}llR z?{5Gy|GN5XGUB;p)bAh5FHSN4MDq~=4CqQ}?>lrDd1$VW2IVizPU@&qC-7qlwSe@*e?{2S;7OLZuW9XZ^GH#=k8e>5-J6#jz!&opM5gu+x!{s_I0 zRQ)@Ftd&baA2^cHNP9>~NZZw>p@oA4x^Ji?{+8Me4lh0@On?2Hza2p7HIl$zZAz#& zg@dR0JUEFsg(2vGnBYAq}LE(geR{((l-|Z#|p%XTLE(0FV(cTAWu{k3;7PxyOF3j8YRq zU$H0D(X`FbIfmV>%XO4m?4C?N;YS5bM+Igy_w*Ma%)R`kQ8zQLHXcba<0z_^uI#c!^>rcdIlikp3Ny)S`o<_GHTk&mm>_x zh*hNL*9Q4o9t3?S6a{JtM*Hsaab(qJ;p08(_}4P4@0}OY8St{x(M_q%_fHEOTia%o zE#2~D2F#3NB!F$8E*oFJ1eBv1M-p2>Xe8HqX%JiCU91sVbSR9m_Ea3B^;AeLYtjle zv-eb>+Um@1=%L%{@OtppyZF9TA=|CugRO-D`FOc;2?#5;e6xuNvx(pCNoKMkfa!y} zJ`6C`U5!Y(<#~Ruqfo>bdD^ZR@Ye>fz==N{+X#@|k?P#MkhE((MW_Z8!Y6P8aZ+B`}ucwm``(xm$&t%-3 zks3B2E~=4zqnziuo!)X2j0_B$dT$SVFBl&8Z!fPQZh*GYs9f>_-ENq)$JoLt7ep56#V7w_7+%pW3n?cU z-VWA_n~g4(pIa;t$t2C?nd7%xEF#_{NAL=IF&Eb7$6Twzb69zuD7OuWT%k`wb6CNT zhAE7}kGAs$2-p2gn@EmKV_3ajsJB0UF^YJ9yp`&6wtU3zPGsc&F&%m(+@T+$?O~J; zGe3S+CA$4Jl-G&N^4Cx3ljTs*$B=)oN@YTyXiSb7)lhHe*ZwN0Ncc+5B?F_D#Hy=c zXFs&nSd%|oRwe#b++N<$d$2}U(EAWAasY@w;A8KF8+2mtwW)+Ke<0);>SoeIxEB2< znjimtrvHoZJ=1>#n%Aki@qgkgBSHTsh`(sdI7p7l5-Pg1Md#F<{wk?ayf!H4$uYe` z#urF@F>_RR6bfPChB0B&o(hsno%vhl=RjaB?C+5yk*D55p?&8g*A@oM*>E$nGJXT| zr_FbPz0-C1J5(W5RFlYZve^Wg_yRZtd^}uUZ$S}+0idZf%KSJs>kF3qopH(mifCz$ 
zMgU5C=lxiF&JZ3DP;y57ht1aQuAva$Vgw!VIUS7=%#l9(fw>ZlB5w`wT&@r;*}upfH{iBgW$U$6=avGeq)yhwNgPGd|(_y2wz@5|Nn(88KYtz|j8_xerL(9liMO%GYGzL`ATzNfJ zFn?s#;`|Y~BfZcj>GrZyW4vlKcVX9AbMxo9{IE>sM!f@{ z7KyMH+~!ouH$>Z%s8rQY>-GVuKNe_X&Jx4ZX%BH4?FHYcZ!!>A`T-zp?V#2#fxMI) z0^3i#*R&&;6|-fY6R5PH6er8+YEVAy+>C-mm0IT~3Jr*>)0Lmv3>-@g1RmE|TZNiX z!IG*CA=XL`l>2I$*&U&_0J6uNX%)WWZIdNxnQ)yIbr@N^jZ$X$bF;wxo>(Q+Ws;>KoTW1$9v=@kZ^aWZ z>f2xl*$t3Sz6^(Jvv`-g=FCp^`0dNVQ=DE zYlPfx1Q$f18e%r65Q_Lfis)|&=?@AWIPL@o)_gNY7R|U{sb@^@vQ5M1J`1Mz2h^|n z4o*hNMX8>4^`gEroN=AR&*w~EHb&mA-yiD!Dpl}mYOONFhYbu%Hc;jC^UycY%rr z?m9=DyotD4T(M+EtLYRSzePCM&+Nw&T{F64Pjg*5R$B4iqEKXZBMxOEI&8GTRDMlo zv`8`1HID0IR9M~wYG1+)ZPBOy1ce>H%jg>&@#kAx&0qpsRExF436Ww3@n$UO$}uO- z1>5p`l5T;@TkCmuWbB_^#EEOOxw-R!VGR+Hz<>ghCu zy)0OI+xj`z1pD;@!)Rgu=}HEmdH!+H=IbRy%&PUxM$&qPQO{d_e~F;Pb2H|A=HU`r~I(}q`S;7 z#@uU|o2!kYD|1TfZXQ#dr6+IlgWdr9K;QK)A7v3+lOy>!ikD3sGF}#rjRe-zbBB`9 zwL*BsW*JS4{Z|=sZ)WU8Bud*FGS2Ib%uyRhepf~+NaMOmY}@E8Au4R{?kU({StjRz z*scWh@_C_GYyRp5RoK?wQ;@+7OwRtO&i=cwI{F7-!dTd?zenCr`E%hBX0rPs7oHWH zCP9H;Kl-O27sgGU{ck^in}Spw3H?yK9rycaa^WL#;OXT4)qj`D9)MlHTZwsdWT+k# zTk=^xw0$@qKLb5(1s(&OZ{Mo&r|XRRd<8_F0xmXJH-HTsTmq|n`ntkLoygYoX2{C! 
z+0WezS3W=QgDPA)?|*`B;01?3ySra-ogr#z#k;W~adv*QZsV!p?CAYM`E6u8LYKa`%45%%=Ip>hv`&u}N$<%tY<}&4=M_ z1?{nUp#cidmXBz~#=I$aeId`;8Opn&qU0>4s)5vdoHecJ^2&Q0)bZ9Azs#ca-{EzqLg}%66YOV_z=_3>JI7#PO9*L{77hEgpVrs$!b33wQ`^ zQuets$EGg;9c0Qb#bR^N@SP(;n3HO*YUOXu9aXH)aBmNE*MHh!*V_mt3=H5|DLN}U zhm^YUSlVG#XH>i1Cy^SFXnx_#?b4OTww$SB=lXloP5qM)&kqOvK%M<4t`G7dVD~k6NOVs-IOM zh2S>wYr(=sFP2^}_9(@AoVkzyQmYGTzPG0;`slh%P?$-L-LEXpF5;b?=}(trqhl9 z&6JA`7yYyykP4Wg@5R=XbjFejE#&BK#*jpl^#2fCl7*Gx@Qmux@rhImT!M*cBq4SR z-JIW@(%$cH2<|LICYFoFl!rstMEKrAKxwn@?p4bmdea}J()|e@P^Adb=ZP7oUj@ud z){jV4KCZ1;yTetWiLC6E-P8?C;P`|DeVrU0N6rZ;jLoiD0Xvp`APjA&-P}i+y;GI#s=^0&>Q56rV^SQ#wOG<@kLNv z;+LqC80)Q3={cfZbL#h0)~Iz`zlJK%IS$iP(C9#eG=S$SMi8dlYMZ^-?kV|Xs$8HD zf{;Hs^xM%;-;Iq26q+Ipn({uU??*R3&dDyLmQ;m{GYX2|y@HXhy^Boq2zZeG{N~jc zxRMCRCSx)v=E9YO!T)#e>4y=XY`KbOqc!1c$R%`{X%LB&i$}LcZuv>2oD$Mz8>1B^ zCXWF$5uCpkq9XwSnxqqxUb1tdR1Cb0yL?|1(<*DAtf84E;`8Wh+p}wGcu-3!2scXj zT1rw!x$Mk!Us{?>b20y~;tWKahrH4vCznI){fXGgDh8cQQ`sGQ8vVR%YbyGZp#@ad4bZh+R8OVIrClmJ9_EgoLNn>5Ap7Gy zn04~-%Vx>nRT#F4MLuJqX8~N>J28;NWR3oSO8)PZlXLTbLpgyv|D~Kt{7}eB4X&@c z?G}9*F*Db9GA8j`rQRu@FwkRAdj%(?7F$FZJ0hr{jKLbaZ{$H308Lh$J6e-XnyL!* zC3jnV6kQHA%m}V)>M=|WY4$Dy-5jm^2tCB8al}9E-#e;UnyI9n8q`&yYj|(!RbY_y zvrC;R%*3ysPPG|SJm!S_oFX1LiI*~w%CE2`EC)6}m?lNHP_R^rx&s07+|lw9OAoP-EL)V1iO>PgwnCMGJUM@vpg zYD*Vh4NUw#x&(DH4e>ryrc%4KsdbDbVrF|0ui#;9RyWARD+YKy$; z$cm9o<xlXk(rCSjpdQ&nDXB&PjYxtP@%sJOhi7dysDcYTIs<9 zMDP{kJ65Rku5;oVJ(gJH*x%*6f5HDtGpS4dtz-Ns34BG4=HJg%==Dc!DUQzrbjpUJ z@#6HvlVn@V>)elcm|Z3IGCd>&aiH13xL`LhaHG_wJjMDd(4mqcpRk342~Dgk%(&aN z%MCD8+O^va=xeVHupkXJot_JeC94kRMQOTMfcE#(Q z+`9=*2hGGZixRTM9gEqtm}2W)I~~v2c9H8L@^&c<{Um_6u6kmaNjbIvJ4myMv~|Bl zU7n|G3L8Gu1pdJ6jvE6n6`Zbb8sGHDnFT(+j=f@fUMupxhMcFCw&i$4epTbILgXh4 zlc*yLr#29yHj@|%ZFGp&kDlqXf8RxOk%m(w1Nn)zXCnbQdDT%4&wb=b$eB*o4>&NS zy;h0u0Plfl$X;mwVw$oo0;dLd_Op3TM9Q~*HKI+pcR;E|abrU3A2Q_#OIaXWl%Js^laMqWnV*N+xL&> zL^t;FA~dj!_777eYux)22^Y`*WWFvv&CI5?o_k`cp}Mc{?^Q$^RW-FTJT<7makSxE zH%#gDL=iYQOs~$oR)jpasjl1>@5>meq8BO{duz*9IO>Wsl{I##KfP7jyS~>VOY_8& 
zsRP5igzdFwNmuwHN@^`(n0nPiQVor3=}0=)nh+U^t4);u)LWMbHO$_D8Px3=e80pa zl1YNVq?X?}qit`}Dkr*4J31@dIzcGwI2bJ|O)dU$^O;b9OF&!Ky@Fnezy9+ad7M`% zeD&gK21VijLY^=*|A@2_)ot$pp{F!t1|Maf<;bCyA|0x=>sDrwa+05}z}ao9-8NvH zx9u7mFJeT)vuFHeQM(+n*Vyg|0~!V+FXHzn`8z!-DKsjVdOQkO=+IXYBvMC|*g%Hu z$BRWL{)m4%?B5BI4uP?!2WFHEl_#!SS^WCkRsPx7x_dhqc7^6{<$ASQ(-A^BJT;{ugyX$GGZdNC&O?RzlZS7<8f zzt-8&QUAL57@~&$cUU-1D1N!bUmID-|3dJh`~QsdJPO|{z+#o$0&OA{KMCI{Hv&lr z2N8>HTdC;AUn`;{lc64{V zdbt4HEKd(##!pXQ&*o46-?Rp7jimX=^0#rcFB2Djz3IIKf|_wyOb2%BIeLJ=P9-rI zu;v=N+OSNIFGdpj%6}vVjEt1hN4#e_^SA8Z_x)>ssiM`E9uXWzE;n@&gOVzWKs~q+ zq>Ya+`TYh%Q|QLah8oZ^DQ-jP1~9;D>d;kT+g2G%e9OJNrL{9FbfC1*{+5Md%?qlx z?HNoU)LwJZy#lw%rPLiRdaTAU!Jn5&6MV8UHAm}xO?BTWPx$AY52uhJ?z&7WNRmt$ zH+N=r>EzxHi*wayywN@#W6c<7Yy9A=n%*?Ja$4>5oC$Kr{Ie6StTDgWCdoP-@%y(> zhs^$!;0v1?#V*_D`odXn>ls(8`f((iIzc=&kLcNf$(!7#!G)r(&i9WFr!&WvlJ$M1 zkk|Vccjsn9U}lsUmH9`dD&VB6ck2P^E;~DehN&Kpoj@?UVn9!70vG*aq@mjI>2c7C zQcrd|tS}k#_NMMadubxg0}DrI_yE=9>j9Bt>j0MBZARxYBe>D$xG5t@xuJ^gfJ`!Tz=Rg>MW)F>W>YQQ}^ zq43ir-OoR`!oP4O9c=5Cmzi?IGP4jg45ib5p_QeD2;!}5ba{T$&4~X=n-)`+T$L#V zufWqDYS>~BCzs4I_hS;x(*0a`vi)LRg`BO!Pj(^YD}8I(9y}$>`t;~MM>3XSWlRI! zTPAbM4f=-CoQQCTP}XpBpdYfG-s1o(&i)@(y9u*ue~~vyW`RM@ts!rM>$T*rS|i|4 vlgXN(J$N@_feGRcQ~=)4VzqzHC^R~ybjn%Qo8HI&bATW`U-Lj{z(M{8FnYid literal 0 HcmV?d00001 
diff --git a/assets/rancher-gatekeeper/rancher-gatekeeper-103.0.1+up3.12.0.tgz b/assets/rancher-gatekeeper/rancher-gatekeeper-103.0.1+up3.12.0.tgz new file mode 100644 index 0000000000000000000000000000000000000000..6df178060afaa64528d7a96d71d19cee1db85c14 GIT binary patch literal 17287 zcmV*RKwiHeiwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0POvHbK5x5FpAH=KYa?k%5EjjW6JV18U3E@DUais@jG$iV|(T~ zZ>3TZOhOXYB)|ng*`7G(v!B9^1TUf}o4!Wat%*h4yMacdyV1=c@h6CRV<^x$LNQ`% zdlSe+?+QlYPwk|Bzu({4+EV}a`~Bj-8~v@FpVqgw-mGu!Y;SCB{?uRJdb73u6X>_p ze{D**fb6IKt@|oY?ujHw2o+FZO8B4yfDZ)>>A2@ZAwtx{bPXngdYEtl!*Bq~%f<6q z@GgSFpHx=&5fgZXQIOWHEEZrMhw#cHFhT?H>1Y@HmiACt;XFA*-V`y8DH(v5|9S`3 zdmH^;-|K__mVdsLf4;1&D*NCu^w9w5kM3;v6&EO~tVj6(gqS3kmANru5fsE>yuuyli(8xuLfWQLykH=C0sCwiTDfCP%{`GaD>GGZ1i=# zUm1<|pg%#jPJlT)3(;Ys8Ir>1zhH<1C@>lS4?3GrdT#Tl#f*=NK01ebR>Hf`MLd1F zCQS8IZsHV2h$i9$`Bcq&vs~m?h{J>-eI^aS!I)51F_>M4!2;jDmkaD)q9_(0EmOij zz%vxiDEsN`-^dpyC`7)Xth&tJ1o`KBG=(9`pB3d3E@*U|gh+Rah=lfg6e58>#faIl zYhdf#{Y!xuf#G{7-~b4g*o@y0ku@kgM*1+?zl4YID0q?DMBDEf7W7p=-z-^&=HQEY=ju9qP>Z=B9$&YA?Sg~LcyM^o;+!jh! zV75@AxFkz}DIzj5`zSX?4QRFh_9h8AKf!;a0od;MJ0Tr^KvNVBz`@5~Kgpl(5y2>} z6VkEWnb~THu-FYE%q52Rr;>5XWyx;xpJBfA0h!Wpih_?BPwtFxP8nv_*#Di-bQ$6Z zj*+^`WGh7e0)U~Iax5sjN_nTX2s1_*3OvahY1T+_MtL?E00GAtgX%Wzv*1>(%i9yL z>LO0UFkPdgk5n8n#3di7vrdrDkc8^zFP)g719Lx<%s2~`GJxo49(|U z_c7(-&v?vWpsIy()n?FFHS{(PEGlZdvG9<0Hecj>RJXPb^QmUiHrt)J8powzFxz11 z_m~DJhF?~v77aYhKlkJ~7(oJYeZdW|c*hWzN1Z@Hchz(^x01bfy$hj0Tr{e90U24e zGg;>*eIYWU%twoMXR4(=N*rx<9dH+k9sqDO!bE{u{S-9J&JBeSLIdOww|s}`m08xc zo7y&Q2f0UyK$k+VFBpdO;)vlX4$&Cxb03B|mO+;BVGPf3hy~X4K&F7v*#7N--47qk z-i3;HIi^(nibJGj0EVEb0twmWzcHG`1Mu_DKWE=QQX(rAi~h+Gleeh8-b&8ytldg! 
zBMQofkel^9cXKU7Y)a&2x%-~*?u!{cLzXF?v80->A3tHCK1J1^?s|FCd%M|Nzxi^x zfLItdMqMxDw}}vO`b{4Mm?+qw-%n4EPO>fCB9VFOM1`S03C^fWpqO>b2D;p@8Ds@P zxyb?k05oP%q(93eBq;9rm+X8L-|cV(#$rW{_2YyH9HIAU1d~wS zD0~{lM~seeh|EBYkTgW>5E3}nOf)K7XABAopN|+C;mb64Lb>>e#06#N8EgZ>?K0TY z!sK5u&;6hK9Swa<5a%f&kwhxQQ&jpG zGfdT52qEYCDyebhS)sPiu)sc)gwIGG_7D@tR1}tn2>BrH*`jIf6tO7F zl1XtK=?2MV0ig6Y`Q2Us`LgwMbmd;RdwjA+tyrK`8~~js_u@fSwiYgy`_X-w z8+E+m!&g^ zP^3uY_WH&lHl*M`3F27^KTgzeq8T-wICaV~d$~D`iY@Xajzbh7B4DVpcs5jBrgTmb zO*jm#n0auKv0T9e@C|%7ExrIA7%`e|h8LV5JtV^*9iuVkLM~l(oC6T^bXFy5WQ1I^rGl;$ zEGGlwh)uDN6duf04t_~+D6m3n_nW*b^*AEI_wJWYqUCdY$L|%ii#NW)!eM97*U~`* zh2`;(k>X2&aX|i!e9KsrCZ(CllH}bA+~vq6DMCyvRmD#$Rp@^Oiee?_So=CbVT>5> ziTF0E;5qhRI~!XY1^w@v&CQ*q{`Wpo=i9fn*Bzy$3xJp)Ao*!PN9u27ztZcxUi<#N z^X;1l0yM$|fv$5Kkj1;e%L+(>33}RwP!bH#`%Bvs$daF?h%p=>a4jhi@xjif`V&Vd z$!LTxLD$O~LnKgt>mlwb$^~HB$0!NIEAXELhRVJSz&KWe?{)qM>DE}H0C$cOiW58qNuk<0WNSDf-?jXF2~6MRD(C8t%I&CmWMDNr2w^=DNt>hnFSg_J>*$S z|4=g+ylakFXPhZ8bSu4M4JlnY9c%9E!UK#MCSnA-|K#33dAHD-?st);HtX-)5_E7Y zH;ob0O1vukn#H0^soQrwj#a_#%o(`=*MA$41Gtv#MF@Qay8qP$-LKsn?5f>BuK6Iq z^5}=5WNG!7xnBKpNk;L{|OMFH0WCQIfhM{bK{RI5x+W_nKJ zdQL`2)OBrTC8w-}Jp)r$en6uU^2GpjKT;#$Lh^GaGwSY3g5I5tYiAhT+;8+4W?XS9 zVEic&aUwuWxd29pZUs+Tm0~FuVgM1ruI8-!RKaHi@JF(ZJ==tZkT%-19JA`jlXW{* z?hd-&z5&a7)hy~B`2PLdH)rRh{r6l&P*1hm%Wfdx`}aZfdIFBY_wQXhx+6z!-@K7b z+AsGnP_zURV=>`@uAi__2}s$Pryo6!Avsa|`)8TDgrJ% zPzbYr*PZ+u_2y`{(%wpBaTfes6_^H|8H&xx+EY}dDEw2d$F&gYVyaeCn@F*VkYWVWCcu|4ZokzuQpsASY0&JOwgv zq-C8GVM`CWLPSx3>wGnbojlJgKdk0TnYridcM5=;GycLL%d?o$Fp1D1O^6nmc_5O1 zA3-r07^JDuXu_fH)~@ix+~IFR-gM75r)__!`gy`;#-{}Z0}I+zXyELZN~uFHD_lJ4 zANq#$yi@J{Uy1!tpw5t6*n`h||F!w1aR1-vZ}t1j`~Q6;_d!mI`20(xwdwj95^%k9 zj!7^8nHKHTlzJbx|=`V@?G76GG{co z)_U1hfW82dmyDp|ishAM7()glBoO06eXmc;(ioB5ql3RTbrn|+88gX-y3%W%)C7tO zOMO5<#^6;U2MZKc=r?r*E*K``4gdnOF%l`$qkj%SY8~403tsA{snwztExW2c&>SojW?|)AJ1tyRKNB|~k5ox|wk5gu^0s}vda3u)( z=d`;DK4+tn3w0HgMp-?{FWJz(-vv4_!D4TTk{hGsp(*d5jj2srFpdY{Wln-p(o*!m_wO&Yu6hEQSfG5K 
zAF}%D?iJ$t-aJ7J3nj#P>0XXc^o2QX#^?$PrOc)0Wy(Aiw_VCT%~!))(*xZdBx98F z7!kbG8uD#xkAaCcG68@kAsT?ggp1>Z?DCE_=D-XE?-`Bv3YvYZ$c*#f-``6b0&+zILiV1A0L&APaVn4%BZH z#p3EcX08bOp?7QhX)*e5BtX#jX+j$N2$@6w``i8XBK=?QFW>*(OUgN9uyowetzC`g z91;IvXs)@I>i34Fx>n@*@~M-A#`|AAxd~7l(kn@;7ZC@|dH=t;+21bg|ILjh|93yh z-TyF-`C3W@-lw>JAOc_v_`EoT1Py>*ftgib1(8VY(oN|HrXywu&FF~b@iK=D>xy-9 z4fmC~{s#vEi=tq0Bs4=qBSg$cMPp<%K!=^3ft<5~71)Y*5m2R^bKl)qg^?{-HehfI zYx9euF@sy*QNU%JN{xW{VG_(VuIRZ9EsFh{;J@h#Xt)NNtbzsBL4%c$7dFGfyPHaE zssZ2 zNOkwRnum=~5HCGkO9PqVJfzrcN~YfBsZ>6X3n&uqkPLZH5Gv9x3%-lKf6v#qzF0in zQ0V|jw~(M*1c4!7vCq$-hzUFw3KE40?arbclCwMw3ee5wB6;-4KK}0@NRnnF* zmXqtHJAdYgZa$b<{gt|UTod2>^zn4};N$*r<@5)jh|iK~-^()Vkh9^-*arJrQ5gie zQKr}lcrRE=d;wy$c97>08#LQRo-CvXOwPj4WuFvCgo;MFZQ2d$1O6F5hGZnL^pw`Q|xVsl6XGyq#0{XD^H`j)q5VdWpJXT#0(rtWYe z6yPKpfJ5a1AZ<5ix}K}6-=bG8vkC(9&_eVloSN!?GI5`07^vpTpn3kEH#XiB^gr8g zc9!pd?v7Ok=S=2v(zMcFX|;#Nul~Yb;%r`?9DWNWneYe`qk8(rvcQ?Ckqp+I#F}A zGR;hp-aLBUhsA(ZDHWGh>ZHF~3rUIR9BE~>V=i7mW1YloL{=#$iUWg}+Om|4J)r|X ztLheO4bJAQpo}Amx{86iPdZ?yu-n%F0c7fLO>F*jUMP=^XRwRM0S32FX zf=f?4zZCQFIrJ>enwHR>WO*|iyoq+yY{ta^QuLKJW6jbSdS|-G!fL;Khh>x&9pg5k zQFqwC^}su47+$Q(-Sud+6Po#>;i}wiRI-)FNJI7P%(`>NvecV4=&#h(uMa)k2;tJBnoOzpC+2+W3EE?K7T25_fZmU{-)>_>1 zgdc@Qw^}V*!N)gO(N?Uwr>d?kPi4O9c21qe)VLMY^~NgQh1$B6dbjFKcs{D$ic94@ zwQqfuIZI-86obWZFteR%R6L~S`JvTfKTNuX{@282@aB4gnCJiDO}}5z|L$z>Y%cY` z_mSqGcWwlZ)NojN+*E4fk8Xa>MTDt|$yj+a!gOuA{y?ha`_%7R^^pxq($U0ol)Kn^ zI(S4?RGtd;txbz7@hsyvSLr3!!37qR#w)>0&mI@<0aW&NSYRhgb6={g7g1Ta=^gPF z^gpISfH_NI35~NP7^4}6K=bJT&dz3m{=a$CU()}3Ny^LnbR7)dfu8HQ?~pmTAPK-LLWS&iCF|V#{$2gy zke$>;QL&RB&A&wpHc9y)I<7P1;H*kE=M-OBEZvs;x4Qou(|;3YOu2wdwb}nksDN`_ zfy|@->pMmNZ`)g2OZ(4zNd^8t7gE3I^DQ+EJ$6g|aOBh72@6xs3A7$?W%YtHeJ6~o zA(K9hQ3b193fbvZ#obi3wYcTT74%v84s=6tdN-C7dJUhAJZnE{Pc=2A|CZ@zG(f9uUoQU0^_X5-D0{@+I`(*HB)_jHiJBK22UFcA~V@ZX9Ba>P2uHMm|E z$283Q1Xm4WN=|WvxPVbS03->+ALG1mcTR_?h>RT%z!+!FE&N&L7Gj0t9`BxGL7BsUa6JvBK5YboA(j+X16E0|EKdPu0xMCy@CUp4y+mBCA zyyW)1I6hVCk&R|8b&yhltWvL4eOX=9ybeoC`3|OT4S$u{(46taj81WY*xe%}HTZo1 
z5G~>+x-@Vtv#BN*6}sIbfD1myF)DyM;mGAJOWo_G`54yKi~t*zyUOf`w92C%+}a2e z7~;Q6+n{1_^QpnDMshnsbgT2O#ur#&;91EAXI?wIcgD@@M*M$M#^0oQ@}JFqG5*iy z=K98x|G$saD*wM^{AV)$P31&)e?h2fNn7UJ3Ei2aRL zJXe@D?{wjb3Jj(Wj>-@Yw+?f#B)HEr-G=_pCHyAM)&H&+<3H?d^q2hqy`f-y1zYlwaknPS@n#mphT>7on@@epX+h+a;|RmWykDJEkd%GI#$tx zt?{i9L9d&CbO28Pj9U_gC=EOF7SCD;mCgzG;TBGx)i*mebXoJ1dAh!)=A$B5LL4Rx zRlG?pO!-&0phmp1jj}cOFQK0uZ&rC$QYoavZDwY5j;`D=-T4K8$AmHqhs+@BJw^N@ z75kT3WR^CQ4|H1PFd=K>BNeG#SC!$`OpizD>kI9*;~(efY8CuLHK9zjtAV>;aA=~9 zb4`T47 zO)FYpTY9)#sJ^GH3T6m8=U2&S+(uSC^PXD}@@D!>*G)z#E45`#bM}t+cTe}tk3Wyz z+aHBT{kDl5PB;$G{%E9_P4JNtxrS@J3KS-Lnk%^!@!nT*$obsZNA+6E**xGJ{%@zh zu~FpzcD9!M-@T;S{NG>F z24aGMQ97%KpP2XzK`ygG3IjliLyuN^W)S~}CcuXTj4%lR1dJx*i5?Ce<;QV$1p+Et zgTRLzc^nar1)d_n5oG=ZV4}wGN4iacPXlxYIRYcfz{``YwO8Gj7924R_!^2QC_)T| znN#ONflK7)zl3yLC^E$=ep~))Oqm!_b^%#X$YAvHD*p)z0sTq-n-N#1AG5d)e2x1s zL}`xoI*&>@5_4#jgcVt)k{owt{!yy0&y3=j2@Ue!UVvXIbIpZ;m_Pv{EU?5p*!yeW z+vsofy|>%jTcyVJ`nv7SrL?Kbcb6x4*eX70u@iT1g8cIXb;2!n_$tS-o<18r)p09_ z@I9QK>FH2Gox9yTyl|)R;CHfMmzV7yG&R-#S2*eNwAJ8zL*P00|Nfhe;`_ht^_}e} ze*b?Wsp9@WH)L$(n{e%waiROXUOzwbC4O%FwL4eA-(>$|AK8B!y#koC|2Ni4@xQjV zx0d!l_mXDpWzAInU^YBuo_aCg4jspDw)K`d5hCVZh39MSt9ff{Q~eTxzFW<{wfR`~pKrd|BEYAh~aq{Z&<~n^fL~(J~a?-T5e5rn^hE=f4vvgmU3w z!UYV&1z!H?RDb@jZ}#65`TvcLo&NItzmHUkWXQ#VL9;sX)01x21>g({f0C*D{x?0# zu??j|RzDJR!oFC+lXKQqAGO!uKM57+x!wp$fhM~X6h^X7NxQoP;O@b40q+9g@kDe7 zpzCdSEAsUlKI5&qI{=!;NPHim00paOXha$EwA$Z1+pIce>sH96V6Y;3SY;5*=B>=S z6z0xj%Y)r8nCH!7bcO{_y^k|6=fg(PWJnTOVTHk;h!Gb%jAOGErlLUPf28DUYHU7Oryj z*utJir-)rJERd5^8JcMB@l+X>XrmN9XjWjNTZbm94^A{UJkd-j&6##haH5T3NW2Bu zgUoyc~K$2DDU&`eeT}wBi+3VZLAu|gT*)39D1NS^K$x1xAt;t&WCY}TeB2f zD(8>GX|=r&T4wIIj=H4VsgJ;3A86h63g&sU^j5j&koSFeO*!cbM!ImltY*p|>CI8X z`(AvDHb>Hr0QTATDUO9oiP#p*OB^piI#>Jr(SN5-e)Lc4{inh=8fd~~wsVfv+KEBdbBay>(O2Auc{~f%Wan1W_RM! 
zWd=yIC;ZCNt@;uFA{biiyjptQdd_JP{ZA5)84MQj{HW6${m;h6)_O_*v$fR!+)Jvs zzW-^^e4qNC+yYxFgBl)s8N41)88mCTET#-<+DePcprz*KE;KhY5ZQv}rg6)6uDK~v zEAUW?i&~J>iau*=F0Qzki<{@6xR^1`$ECQigZ#myqjuW2P+Zg$xc|mRqw$#f52gskpeQ;-bjLJdEV-elIbPO)v2y;^3JmDHc7m9*dIVacdBM z$PICi>V!Oe+tn?U@5M_+!y`|%@_%K2n!Xsj@f(o&{(p<||IPl+GXBTCqy_!Inc|QH z;FViv{=1Qtg)E$JqhXl6YJXr=!TsvTm#;CNj!gd}vQLtmzeQ;A9mbq?7nSAT>7$6U zjQ>s^MEsy8noIug0a7jh$IyQg%ut}I>cVy(HqGPzw%!!uzxCfN^o*OMoi$MI6p$1%d@yrOwI)> zY7dKSh+7;o2CoV^SfHp>+*Z(zO-q@x#%e%_uBtxQj9DibhV%jj$7qZ$8#SQ)fuw%w z^iS6z?)lqt9A}`|kTD&A>$Hy;`sZ+rDwa;hHzD!WpyE}A-&J6h4RxS+#wwG)7hd38^>bCV)RjS6`gE=rTsW z&`_TZh|vJae%qX4A2M@6s!Wu>-j9;>V|(a7H|&#_hx-_tHA%QZ>+yr@_+Y{3O9a( z@x9~s+!e~1=PyaR355ClHss^kCTLZ1%_wTOGvynElva2TA(p%cnw7m$LO{}RS z_s6@Wim<-nJCT(2X!0ne`Z36S$-JxIX;`|sc4y{Fn7f|ZLavLJb}(;cH)qg4r=!sa z9APm~m$iD0PZKPIrDo`%G(-7^5FZ;-`$aTLO2NYy(;QV|zM`RNTrNMNiv>!`xYxdJP) zR<&_+-`z_!rp>oBY_2nFo@3NpY0^Avjy0Cd{TgMSto!3=@gDkayG-*_t^CJmT2eMc z()=5UfadxC-`dzN%75PUm;V3nCA}~NcPzlG5E1Yyr1U(ALAUOb-A%o*%iCHPbmjk7 zRzM$k-@kWWD01+R5lx7aVF%b3P6kK9W_E2y$$HCm~#KW!r*d61WVkWT@BS#4nt9I5LHFo%zh{zw@^ zJf=#dC#&dN7SPvJTU5u2#9U|g6oHyMJ?FLjX29;zL3-m&sgSXX2S+DIT*ra6^u-dNm{A`gNtk-w zJV~kf`=Rk)yZ@~Xy=H5;7c*q!g)P4SSYO}l@08wu^q2epUXuHugR=aij#&>uRw|1f z8rEyYdFjE>pTwRUdg0j6v1&ynMkdkL%MT;VE-c%nJE;b5MADsI&R)I{`O)+M3wnKO zy323-YUJkqwCE9PCXE3Noj^I;%$fU*y+ADnl-XWo7Helg4^fL_uBpeF5;W80+4Ma-FEc%bPls;60q9 zotY?l{y4&EN0Oh%A6<&Cn9IgfLHYtR^Rm2>gd&IUj z@w)T5>9lLk?go>tJ#6al-%sCy_eb9Kcj7*120(9WDqM4KS~>}OxKttk?a2kHePXuL z$2|Sd_IknoV|{ylYbpP|m-GT0K_L($90&?D*1^RD5pb5^P-$7s!(86$ya1;Y%mGj0 zm@>fupP(=V ze=q3;*qcByMj;({cEeEe%Sz4ZtFIi47>$&gG>N%j2u9%3(JuHcT`fihdV#|boFM>% z00okgDD|k^Qk~9=7vS@edE9R}K+x}h0Up@sZ}h$X&)#~!^Wwz|uq!KfJg{%HL9*M- z#AA#IVo*>9FabkDl$0KF*iqG$fe%(K{HdN51Q}-`hcwh0XlJQ=TFN?fYK$lYzoRe$ zo4}`03SMXH$0wq_GU#mRA{XiF8W8oJ7m zUd_N%>^M!72Ala@)N==rgJZpk!32^(^6;6XR5c$BKQj=`GN$;i*#F1-yYCP8+uHo| z_W%0!&gORU{NLJKU&jBrm-NEj%WC28$u? 
z%z{DSaQR>&M9c?kYcxj0Tw**pMnuTtd6JyTE1t8|)XL;ebH;J+a5(IAzMdciKBswK zUfIU&g(;vuS3lH$zRE&tD|*G#D3UuZpneh|qOWVcuWDA-nU$88 zb7%?-8G^wT(0AOR^AGj1Dy{F4irSx#_do3Kp6q}9xO=$&#VO!`rBfVh)j0?x-R_{Q?1s8S)j8HSB6e+BXzHVaO?9iq3LvTWIdnfR3~aq4GfivOB5j zTrLr13xtfRp=OXrGz{qlw+G2DhzoGUpf9j5+33!vSoO0$=RzvERw7tXO-Rk0y6X57<7&k4W*&NeuT#i z3e@A1A>cm4akT*_Dorj2WyN!71ggRc+FWUTQ#VkQ;V~vKw344ya52Fl0&?WC6FG5% z?o_1L0|!EWA%+_1)!~SJN;LqN3=dSb06`b##PuNoI8tj*VorPWmSv(UBsoxNgc=6{ z)l@{GptN89^)A~m6${0zznjypBI(|c3wd(}K@c>?K3|(|e4TEZ`D029RWN%s{ahvw zl0NKTq9_(}dLOgZcWRe|Mg&X*jiA6j48tqHk`BS+93C|K`07VH3@81z+kxRdi(i5Z8xz2upCg~cyN18rJ^#3SH z&RVId+i0tE4F=u<2`pItd89UHtzbUiA9fz&yFp+S6*D)vY!bLzoVTz(9x`2npZP|9MkX# z)AqZBd1d&SLhmYY12A?g>TRIQrS!o6Ob`LKE(|Fd>$7$^{|+!*)q1j6ccJ822?3CU z7%~CqsIHNrVvwNn)r$!hX>5r$;B<$qc}2jF9K%vzS^R`4enrDbE_fFe&nR7kp`5Gs z;j||IygB$Az`Vel{HQF;@J;XSW^cWPmEHj61qNlwx3tZ-%n2q0mV8SKZPmg20%CEB zBSaJ7_I^qQ41vIrGQ^ODQuf8A=7NGV(-O#FWyUBSl?8fGA3@zN^T4OP0yYt z^}kDzqWds!R`1HOic{`K0Q+5@p}EJIGkTXWm*s$c2l@j*{Td9|< zBhnZ_coRlT;gJ9=X3)XLN*Lo^rYtt+;l875jgvKwLIChBer@TI!DqOE$EFV)>9 z-G#cl7UoNJcT4K-M$leryYED5JQwCmZTIId!ve6{7s>qTa2!wSrj$!}dF4;<)vf?$L1;^=SsDW*bb3f9i zWA@2C?|}pDJBuT+s-Gz7=5k#O0p^n41dsr5Up3-h@Gvqj})&jajty3Xec%odlIJqM__ zE-$MNzA&@*o65_cGVJe^w#*fnE#+m8TVCb_AZ#)%>y5G;C-C{Ew%`958y6*6oDci! 
z%<0?ldkzw=jFU3QXKV8B=VYg((w)M*{Fu1Z`y9p}1`#F}>PoudI*@N;&<~K>W{4zM z8feJV-kUT23gA!e9L}XS59PE?3-kFJ@^lmnG5${+?5!F=+BPlB=WEE*Q7p*#KWV79 z$?&IbTA0t*kf)=#A>;ofVSlHzWxj?y9mPz>-x&NZ8UL0T|DEma&5cH^zba{Yf0zVV z91wxn6ow6ECil=t?H%G@Y4z5{1p5=+5Wrmd>v&%28Voo4Z9ZJ~DdB=aOvGQ9>Q%u% zNIEp5dkORiUg9W;zzaY}2H4ZIvT_H`guYKhr~P)u{1E9H3^&?@xdPd*j7EFVpUmaX zufZui*Lqq;RhWD_a=aT0YEX~{gU~Ba8hOc}eh7s>`2!Pmgw*%1O867x zpF0pXF1^n&3Al=dtwM=Nh6skCLt;1x&=k0*$6z33KDz<^=gvQs-jtN}yvL+}Mk41&zT3@X8jRVv)g;eiRqaQn8ZV4i5Q9YM*h@yRP)}xVKim38m^MP5u8jh4cI6tz_P~+0XCzcv%t8Sm zF>ysC26fjFf<#%|Gp?e`_?Y=gG(|)>!AxHAbaIrWn=m0E;#{`C6NWf|3;_Yp5s}mI zDG`i@U_vj7ed>4FIjxE|VyiM6_Q1za zr~3nNFalRJF|k6GE8|swh@>wH$X7IBxvR6JIb3L*$N?fUqRdANKO1Tr=GD`j-Mcmk zsiGPZ0p`^MO&jWg_Y`sUoa%zIa|7EtL_flNLEASg4fFj=ff#||dnjOi?*`_`Q~<%8 z8c#8`XabUf_%|Cj_t+4D{mU2Y>LVFbixpvbKk!PS{J2U z10~U!R(|-D_~xOJ55th>xD*pJ9;uj)0kWKYnd$BUZygwwyK?kDg<+x?k>5TY?*2bV z$Dj62dca=QbkNJRR0OX;NG}kR69UJ(halmSy@4dqZGyd{KY^GqDnzIv?4Kq?8BplR zlQb4M!hdUTv`Vc2W9VaX)l(q%+VFXvf*c8keg2Dv$~*zfH8|AeC0(IR$lHvz2kGgH ztn(c*Gyubx(FlnNO89UU47q^*dBE@#v7rv6s2<|^lJ$6uN2gBLVEDP4O{9ApyBq~` zCDv^wn5+~{9_AZ(euBxOXwpLLCW6UInAZx)>MxguTWM2 zcx(4mD)g)Ye+`BoktBz0v{i=rEd-NwM5cwoK8n<)Sh4{5T7k>0L@vdB@MHuo?O*>3 zFs~H^KRHows{MT+LGT?Tt5!ESOFLLP1D=&`uzl@d0p_(5$+l#Y4=Z830i4>FNk&-g z+NkjRa$nc2&1PdjbT!@34 zK)qyKcFd^|4hg9eu#;BG7{1;2%A@Y(&-uu4?h0-sWpR-$}puhz01oL zPMvgt___N<0HA%RXq9eSYkJpC(VCWj9;w#V;({1(VXoyY^Lx+MxveAM*uG(Yrl~zw zidi3BXm6oE-NDK}zfXhbqu8+c8e9 zFP!HL_F}qwG)$EF-w|b%{sOgeAc$r54A?)rbPa|-_kV8ZA$T>+<4S1T-i=KYb=YP1j)9j>&5^7D7Blts%iSw#31#hN^K;BQiFAg-Sx=*?3r0W-$^6 z$VUMpJ_1x86+_$25L`?UalC~*zGMR*RUeQHQ{~t!gq#=bhp)kr$pya5)~3VHon~Ky zp>{jwS)H2Cu)sdN!JEoiOiAiRxa3c+!hakkitEmn>hp&Fw~_YnW;{FdBo0x8h=8H` z%m?7}&p-eC<$I&nD&da`29^2#b>wvDi(KS%YK6Lb{SJ%>0N^R?>%P;|$tJWpcd2K4m9iB(RjP31hyha@PQduy4`6W(R=9@V=`IZj=`fVrUp3}fms z8lop287xb8e`FJV$m+wP5GLaqoJ?pE1^@z6%o^LwzQ4+Y+-C@iM|m^7S!(kTzsuAF z!Jk@j;uH5e;rFQF$<9*CgK5G;9XR2dsTi>i9 zU#DZv_r8F>`I+IN?Q_dQzFEALS{3s%gLE<74dm;Dw)x&?32=?`_Ur_CMyYK9u7P=t 
z&^F(D>B5--JSWP1HmQA?tp<5hsZ%D)(olZB@+&vp$pgGv`BlF6YFSoF&!6zkdUk4C zmZf3dG`P@Gmi4G*S%zrUSb62ARkZlhTjzPFwk^Ii%2VAQ0c6wo&{DzdO%+7ZobC5-9~4**Muz!6$A&Kiam<^^wS^}VNF!F~*ItJJnwH>SZJO^BEs9x~s%8!EDr#wdUb z`kcaa%CoPn0D2PUTs^35N?sPAE&Tbs)NOs82WP#C#}kuW3B;5m!728ig7?kVc)WC-vnlpbPh7qRWG3<)25&WLyVF zw}rh6^N_;e7Z^g~%a&*NF4y_Nk)$U|{Y^*UgHzKscgul2vUClGt*N_Rm}_Cw-*W^b z**aHZ5kVb89{WZPOdM&|vq)`=qSzVqd)n5fQSTo5jg&3cW*(@4NoVv z7~Dj=YBZ5x_7D>X@YPoBux4XZvygK_8)RepXu=!lYD$`*5sQKxj-FS_2RXRNy=(U5 zv|B<_=fw-KCs|K?mMC-DJ>`{`cRI#jHA5r)g5Yzmn4sWy6h^W*6JK6UgoycIZH>l= zc-mOaQ!br)V=N}gnY@{2^I5w_|L$z9Z~wHu zwe@CwYiE07YxAf6`u67b_D`VSM(6WV!UbeM^>5u*adJ;2y#U901%OXSyUy*s(@}?= z+Bg7na0WRF03D5N_?RT-f*}}z&-sek1~=Q;r%`#YyE|Mkgw`S`Zyjr@KknqN*uC5N zRc&pCls`=t8K#LSSM|oIOpeR=QeMrd5ltBQEXhYUG_&f}*c4$gAJ(QDy~{O3)@TgP zmXIS{=}B-P3k~fMRmX%H(J-VJD!dYnVoDGZe9-B51#oJ@sqXBaedtpvgE@fKd>4^1 zCdLyKqf;EnE=-=r#h6aziAjua=|57@ru7HQd+I*rNDI=DL)p`3_nAccxXvkVj*<*) zdGVWA|^!r_wTi|RWECmuf53nO$(T=R#IaI6Kq1VP?!kBd=v|= ze7(cf(T+uTKR8S1PWw<{<5mcx> zMq>&>I>x@@yY1|Z!Mm|<0pfQW1yg`lmFT;TrugCJ;Yb{Z60(*kM6uc&2IBHw zqxw?8NTAF=!z8_!R=|i4!7JQDJ#ZlhDhHT0wW4FPIriAOve^`=9aUCa(3SbL-n!UF z1rE<4`f0}T{_gw3{hs1p|BS~B28Jhf2AX70w^-W4pN%ACK(0Nx0dadZ9!pmNBv)x0V1!W^n5and1mv9hSUrzYqm*Tj zPL7=YRYnUYU<9X>X>!Fe8HWhy+3Ds7b(1ZRT8B5Wpwr<@44tc5qQGEV4M!sT=;TNe zeh45K%6pJ)Y6xDTDIyY_vV#Z`9pKpy5hNgqvq`SVMTAY9s1V5+r+ddbepRdFjL~yM z02h*|NPrdMLh;0(XyDpNNUDu246^Pbje`8j449a;I9x4EVHF_Z_f~omQYoyM#xMtC zBmftQf36R8%=O4tL9E9tNuea~a)_42m3z`9BNiB{-Q0|g?yA@6{25b{2C1rB$bwpH zM3J(JYQ}o)R4gyoN*N2e;wLa1Wn15}Df$q@JQq;F4oRC#*p;8r2em09M6?)0u9G4K zOM?mAhJ>Z3@7jtzY0i+O8bKPyY9=N|mda~a`Mi?CXE;xhllRS$h16D|4A2Fro~1gJ m^m&sja3UZHAPe|XKCn#7v`jx#`u_p|0RR88p<{ypOacH$qTLk$ literal 0 HcmV?d00001 diff --git a/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/Chart.yaml b/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/Chart.yaml new file mode 100644 index 000000000..531cd37e2 --- /dev/null +++ b/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/Chart.yaml 
@@ -0,0 +1,10 @@
+annotations:
+ catalog.cattle.io/certified: rancher
+ catalog.cattle.io/hidden: "true"
+ catalog.cattle.io/namespace: cattle-gatekeeper-system
+ catalog.cattle.io/release-name: rancher-gatekeeper-crd
+apiVersion: v1
+description: Installs the CRDs for rancher-gatekeeper.
+name: rancher-gatekeeper-crd
+type: application
+version: 103.0.1+up3.12.0
diff --git a/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/README.md b/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/README.md
new file mode 100644
index 000000000..26079c833
--- /dev/null
+++ b/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/README.md
@@ -0,0 +1,2 @@
+# rancher-gatekeeper-crd
+A Rancher chart that installs the CRDs used by rancher-gatekeeper.
diff --git a/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/assign-customresourcedefinition.yaml b/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/assign-customresourcedefinition.yaml
new file mode 100644
index 000000000..ce98648ba
--- /dev/null
+++ b/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/assign-customresourcedefinition.yaml
@@ -0,0 +1,757 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.10.0 + labels: + gatekeeper.sh/system: "yes" + name: assign.mutations.gatekeeper.sh +spec: + group: mutations.gatekeeper.sh + names: + kind: Assign + listKind: AssignList + plural: assign + singular: assign + preserveUnknownFields: false + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: Assign is the Schema for the assign API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + properties: + name: + maxLength: 63 + type: string + type: object + spec: + description: AssignSpec defines the desired state of Assign. + properties: + applyTo: + description: ApplyTo lists the specific groups, versions and kinds a mutation will be applied to. This is necessary because every mutation implies part of an object schema and object schemas are associated with specific GVKs. + items: + description: ApplyTo determines what GVKs items the mutation should apply to. Globs are not allowed. 
+ properties: + groups: + items: + type: string + type: array + kinds: + items: + type: string + type: array + versions: + items: + type: string + type: array + type: object + type: array + location: + description: 'Location describes the path to be mutated, for example: `spec.containers[name: main]`.' + type: string + match: + description: Match allows the user to limit which resources get mutated. Individual match criteria are AND-ed together. An undefined match criteria matches everything. + properties: + excludedNamespaces: + description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + items: + description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + kinds: + items: + description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope. + properties: + apiGroups: + description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required. + items: + type: string + type: array + kinds: + items: + type: string + type: array + type: object + type: array + labelSelector: + description: 'LabelSelector is the combination of two optional fields: `matchLabels` and `matchExpressions`. 
These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector.' + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + name: + description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' 
+ pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + namespaceSelector: + description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + items: + description: 'A string that supports globbing at its front or end. 
Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + scope: + description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) + type: string + source: + description: Source determines whether generated or original resources are matched. Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of `Generated` will only match generated resources, while `Original` will only match regular resources. + enum: + - All + - Generated + - Original + type: string + type: object + parameters: + description: Parameters define the behavior of the mutator. + properties: + assign: + description: Assign.value holds the value to be assigned + properties: + externalData: + description: ExternalData describes the external data provider to be used for mutation. + properties: + dataSource: + default: ValueAtLocation + description: DataSource specifies where to extract the data that will be sent to the external data provider as parameters. + enum: + - ValueAtLocation + - Username + type: string + default: + description: Default specifies the default value to use when the external data provider returns an error and the failure policy is set to "UseDefault". + type: string + failurePolicy: + default: Fail + description: FailurePolicy specifies the policy to apply when the external data provider returns an error. + enum: + - UseDefault + - Ignore + - Fail + type: string + provider: + description: Provider is the name of the external data provider. + type: string + type: object + fromMetadata: + description: FromMetadata assigns a value from the specified metadata field. + properties: + field: + description: Field specifies which metadata field provides the assigned value. 
Valid fields are `namespace` and `name`. + type: string + type: object + value: + description: Value is a constant value that will be assigned to `location` + x-kubernetes-preserve-unknown-fields: true + type: object + pathTests: + items: + description: "PathTest allows the user to customize how the mutation works if parent paths are missing. It traverses the list in order. All sub paths are tested against the provided condition, if the test fails, the mutation is not applied. All `subPath` entries must be a prefix of `location`. Any glob characters will take on the same value as was used to expand the matching glob in `location`. \n Available Tests: * MustExist - the path must exist or do not mutate * MustNotExist - the path must not exist or do not mutate." + properties: + condition: + description: Condition describes whether the path either MustExist or MustNotExist in the original object + enum: + - MustExist + - MustNotExist + type: string + subPath: + type: string + type: object + type: array + type: object + type: object + status: + description: AssignStatus defines the observed state of Assign. + properties: + byPod: + items: + description: MutatorPodStatusStatus defines the observed state of MutatorPodStatus. + properties: + enforced: + type: boolean + errors: + items: + description: MutatorError represents a single error caught while adding a mutator to a system. + properties: + message: + type: string + type: + description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type. 
+ type: string + required: + - message + type: object + type: array + id: + type: string + mutatorUID: + description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch + type: string + observedGeneration: + format: int64 + type: integer + operations: + items: + type: string + type: array + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: + status: {} + - name: v1alpha1 + schema: + openAPIV3Schema: + description: Assign is the Schema for the assign API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: AssignSpec defines the desired state of Assign. + properties: + applyTo: + description: ApplyTo lists the specific groups, versions and kinds a mutation will be applied to. This is necessary because every mutation implies part of an object schema and object schemas are associated with specific GVKs. + items: + description: ApplyTo determines what GVKs items the mutation should apply to. Globs are not allowed. 
+ properties: + groups: + items: + type: string + type: array + kinds: + items: + type: string + type: array + versions: + items: + type: string + type: array + type: object + type: array + location: + description: 'Location describes the path to be mutated, for example: `spec.containers[name: main]`.' + type: string + match: + description: Match allows the user to limit which resources get mutated. Individual match criteria are AND-ed together. An undefined match criteria matches everything. + properties: + excludedNamespaces: + description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + items: + description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + kinds: + items: + description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope. + properties: + apiGroups: + description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required. + items: + type: string + type: array + kinds: + items: + type: string + type: array + type: object + type: array + labelSelector: + description: 'LabelSelector is the combination of two optional fields: `matchLabels` and `matchExpressions`. 
These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector.' + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + name: + description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' 
+ pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + namespaceSelector: + description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + items: + description: 'A string that supports globbing at its front or end. 
Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + scope: + description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) + type: string + source: + description: Source determines whether generated or original resources are matched. Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of `Generated` will only match generated resources, while `Original` will only match regular resources. + enum: + - All + - Generated + - Original + type: string + type: object + parameters: + description: Parameters define the behavior of the mutator. + properties: + assign: + description: Assign.value holds the value to be assigned + properties: + externalData: + description: ExternalData describes the external data provider to be used for mutation. + properties: + dataSource: + default: ValueAtLocation + description: DataSource specifies where to extract the data that will be sent to the external data provider as parameters. + enum: + - ValueAtLocation + - Username + type: string + default: + description: Default specifies the default value to use when the external data provider returns an error and the failure policy is set to "UseDefault". + type: string + failurePolicy: + default: Fail + description: FailurePolicy specifies the policy to apply when the external data provider returns an error. + enum: + - UseDefault + - Ignore + - Fail + type: string + provider: + description: Provider is the name of the external data provider. + type: string + type: object + fromMetadata: + description: FromMetadata assigns a value from the specified metadata field. + properties: + field: + description: Field specifies which metadata field provides the assigned value. 
Valid fields are `namespace` and `name`. + type: string + type: object + value: + description: Value is a constant value that will be assigned to `location` + x-kubernetes-preserve-unknown-fields: true + type: object + pathTests: + items: + description: "PathTest allows the user to customize how the mutation works if parent paths are missing. It traverses the list in order. All sub paths are tested against the provided condition, if the test fails, the mutation is not applied. All `subPath` entries must be a prefix of `location`. Any glob characters will take on the same value as was used to expand the matching glob in `location`. \n Available Tests: * MustExist - the path must exist or do not mutate * MustNotExist - the path must not exist or do not mutate." + properties: + condition: + description: Condition describes whether the path either MustExist or MustNotExist in the original object + enum: + - MustExist + - MustNotExist + type: string + subPath: + type: string + type: object + type: array + type: object + type: object + status: + description: AssignStatus defines the observed state of Assign. + properties: + byPod: + items: + description: MutatorPodStatusStatus defines the observed state of MutatorPodStatus. + properties: + enforced: + type: boolean + errors: + items: + description: MutatorError represents a single error caught while adding a mutator to a system. + properties: + message: + type: string + type: + description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type. 
+ type: string + required: + - message + type: object + type: array + id: + type: string + mutatorUID: + description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch + type: string + observedGeneration: + format: int64 + type: integer + operations: + items: + type: string + type: array + type: object + type: array + type: object + type: object + served: true + storage: false + subresources: + status: {} + - name: v1beta1 + schema: + openAPIV3Schema: + description: Assign is the Schema for the assign API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: AssignSpec defines the desired state of Assign. + properties: + applyTo: + description: ApplyTo lists the specific groups, versions and kinds a mutation will be applied to. This is necessary because every mutation implies part of an object schema and object schemas are associated with specific GVKs. + items: + description: ApplyTo determines what GVKs items the mutation should apply to. Globs are not allowed. 
+ properties: + groups: + items: + type: string + type: array + kinds: + items: + type: string + type: array + versions: + items: + type: string + type: array + type: object + type: array + location: + description: 'Location describes the path to be mutated, for example: `spec.containers[name: main]`.' + type: string + match: + description: Match allows the user to limit which resources get mutated. Individual match criteria are AND-ed together. An undefined match criteria matches everything. + properties: + excludedNamespaces: + description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + items: + description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + kinds: + items: + description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope. + properties: + apiGroups: + description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required. + items: + type: string + type: array + kinds: + items: + type: string + type: array + type: object + type: array + labelSelector: + description: 'LabelSelector is the combination of two optional fields: `matchLabels` and `matchExpressions`. 
These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector.' + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + name: + description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' 
+ pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + namespaceSelector: + description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + items: + description: 'A string that supports globbing at its front or end. 
Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + scope: + description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) + type: string + source: + description: Source determines whether generated or original resources are matched. Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of `Generated` will only match generated resources, while `Original` will only match regular resources. + enum: + - All + - Generated + - Original + type: string + type: object + parameters: + description: Parameters define the behavior of the mutator. + properties: + assign: + description: Assign.value holds the value to be assigned + properties: + externalData: + description: ExternalData describes the external data provider to be used for mutation. + properties: + dataSource: + default: ValueAtLocation + description: DataSource specifies where to extract the data that will be sent to the external data provider as parameters. + enum: + - ValueAtLocation + - Username + type: string + default: + description: Default specifies the default value to use when the external data provider returns an error and the failure policy is set to "UseDefault". + type: string + failurePolicy: + default: Fail + description: FailurePolicy specifies the policy to apply when the external data provider returns an error. + enum: + - UseDefault + - Ignore + - Fail + type: string + provider: + description: Provider is the name of the external data provider. + type: string + type: object + fromMetadata: + description: FromMetadata assigns a value from the specified metadata field. + properties: + field: + description: Field specifies which metadata field provides the assigned value. 
Valid fields are `namespace` and `name`. + type: string + type: object + value: + description: Value is a constant value that will be assigned to `location` + x-kubernetes-preserve-unknown-fields: true + type: object + pathTests: + items: + description: "PathTest allows the user to customize how the mutation works if parent paths are missing. It traverses the list in order. All sub paths are tested against the provided condition, if the test fails, the mutation is not applied. All `subPath` entries must be a prefix of `location`. Any glob characters will take on the same value as was used to expand the matching glob in `location`. \n Available Tests: * MustExist - the path must exist or do not mutate * MustNotExist - the path must not exist or do not mutate." + properties: + condition: + description: Condition describes whether the path either MustExist or MustNotExist in the original object + enum: + - MustExist + - MustNotExist + type: string + subPath: + type: string + type: object + type: array + type: object + type: object + status: + description: AssignStatus defines the observed state of Assign. + properties: + byPod: + items: + description: MutatorPodStatusStatus defines the observed state of MutatorPodStatus. + properties: + enforced: + type: boolean + errors: + items: + description: MutatorError represents a single error caught while adding a mutator to a system. + properties: + message: + type: string + type: + description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type. 
+ type: string + required: + - message + type: object + type: array + id: + type: string + mutatorUID: + description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch + type: string + observedGeneration: + format: int64 + type: integer + operations: + items: + type: string + type: array + type: object + type: array + type: object + type: object + served: true + storage: false + subresources: + status: {} diff --git a/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/assignimage-customresourcedefinition.yaml b/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/assignimage-customresourcedefinition.yaml new file mode 100644 index 000000000..bab801672 --- /dev/null +++ b/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/assignimage-customresourcedefinition.yaml 
@@ -0,0 +1,237 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.10.0 + labels: + gatekeeper.sh/system: "yes" + name: assignimage.mutations.gatekeeper.sh +spec: + group: mutations.gatekeeper.sh + names: + kind: AssignImage + listKind: AssignImageList + plural: assignimage + singular: assignimage + preserveUnknownFields: false + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: AssignImage is the Schema for the assignimage API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + properties: + name: + maxLength: 63 + type: string + type: object + spec: + description: AssignImageSpec defines the desired state of AssignImage. + properties: + applyTo: + description: ApplyTo lists the specific groups, versions and kinds a mutation will be applied to. This is necessary because every mutation implies part of an object schema and object schemas are associated with specific GVKs. + items: + description: ApplyTo determines what GVKs items the mutation should apply to. Globs are not allowed. 
+ properties: + groups: + items: + type: string + type: array + kinds: + items: + type: string + type: array + versions: + items: + type: string + type: array + type: object + type: array + location: + description: 'Location describes the path to be mutated, for example: `spec.containers[name: main].image`.' + type: string + match: + description: Match allows the user to limit which resources get mutated. Individual match criteria are AND-ed together. An undefined match criteria matches everything. + properties: + excludedNamespaces: + description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + items: + description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + kinds: + items: + description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope. + properties: + apiGroups: + description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required. + items: + type: string + type: array + kinds: + items: + type: string + type: array + type: object + type: array + labelSelector: + description: 'LabelSelector is the combination of two optional fields: `matchLabels` and `matchExpressions`. 
These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector.' + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + name: + description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' 
+ pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + namespaceSelector: + description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + items: + description: 'A string that supports globbing at its front or end. 
Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + scope: + description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) + type: string + source: + description: Source determines whether generated or original resources are matched. Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of `Generated` will only match generated resources, while `Original` will only match regular resources. + enum: + - All + - Generated + - Original + type: string + type: object + parameters: + description: Parameters define the behavior of the mutator. + properties: + assignDomain: + description: AssignDomain sets the domain component on an image string. The trailing slash should not be included. + type: string + assignPath: + description: AssignPath sets the domain component on an image string. + type: string + assignTag: + description: AssignImage sets the image component on an image string. It must start with a `:` or `@`. + type: string + pathTests: + items: + description: "PathTest allows the user to customize how the mutation works if parent paths are missing. It traverses the list in order. All sub paths are tested against the provided condition, if the test fails, the mutation is not applied. All `subPath` entries must be a prefix of `location`. Any glob characters will take on the same value as was used to expand the matching glob in `location`. \n Available Tests: * MustExist - the path must exist or do not mutate * MustNotExist - the path must not exist or do not mutate." 
+ properties: + condition: + description: Condition describes whether the path either MustExist or MustNotExist in the original object + enum: + - MustExist + - MustNotExist + type: string + subPath: + type: string + type: object + type: array + type: object + type: object + status: + description: AssignImageStatus defines the observed state of AssignImage. + properties: + byPod: + items: + description: MutatorPodStatusStatus defines the observed state of MutatorPodStatus. + properties: + enforced: + type: boolean + errors: + items: + description: MutatorError represents a single error caught while adding a mutator to a system. + properties: + message: + type: string + type: + description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type. + type: string + required: + - message + type: object + type: array + id: + type: string + mutatorUID: + description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch + type: string + observedGeneration: + format: int64 + type: integer + operations: + items: + type: string + type: array + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/assignmetadata-customresourcedefinition.yaml b/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/assignmetadata-customresourcedefinition.yaml new file mode 100644 index 000000000..468b01fcc --- /dev/null +++ b/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/assignmetadata-customresourcedefinition.yaml 
@@ -0,0 +1,655 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.10.0 + labels: + gatekeeper.sh/system: "yes" + name: assignmetadata.mutations.gatekeeper.sh +spec: + group: mutations.gatekeeper.sh + names: + kind: AssignMetadata + listKind: AssignMetadataList + plural: assignmetadata + singular: assignmetadata + preserveUnknownFields: false + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: AssignMetadata is the Schema for the assignmetadata API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + properties: + name: + maxLength: 63 + type: string + type: object + spec: + description: AssignMetadataSpec defines the desired state of AssignMetadata. + properties: + location: + type: string + match: + description: Match selects which objects are in scope. + properties: + excludedNamespaces: + description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' 
+ items: + description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + kinds: + items: + description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope. + properties: + apiGroups: + description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required. + items: + type: string + type: array + kinds: + items: + type: string + type: array + type: object + type: array + labelSelector: + description: 'LabelSelector is the combination of two optional fields: `matchLabels` and `matchExpressions`. These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector.' + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. 
If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + name: + description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + namespaceSelector: + description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + items: + description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + scope: + description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) + type: string + source: + description: Source determines whether generated or original resources are matched. Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of `Generated` will only match generated resources, while `Original` will only match regular resources. + enum: + - All + - Generated + - Original + type: string + type: object + parameters: + properties: + assign: + description: Assign.value holds the value to be assigned + properties: + externalData: + description: ExternalData describes the external data provider to be used for mutation. 
+ properties: + dataSource: + default: ValueAtLocation + description: DataSource specifies where to extract the data that will be sent to the external data provider as parameters. + enum: + - ValueAtLocation + - Username + type: string + default: + description: Default specifies the default value to use when the external data provider returns an error and the failure policy is set to "UseDefault". + type: string + failurePolicy: + default: Fail + description: FailurePolicy specifies the policy to apply when the external data provider returns an error. + enum: + - UseDefault + - Ignore + - Fail + type: string + provider: + description: Provider is the name of the external data provider. + type: string + type: object + fromMetadata: + description: FromMetadata assigns a value from the specified metadata field. + properties: + field: + description: Field specifies which metadata field provides the assigned value. Valid fields are `namespace` and `name`. + type: string + type: object + value: + description: Value is a constant value that will be assigned to `location` + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: object + status: + description: AssignMetadataStatus defines the observed state of AssignMetadata. + properties: + byPod: + description: 'INSERT ADDITIONAL STATUS FIELD - define observed state of cluster Important: Run "make" to regenerate code after modifying this file' + items: + description: MutatorPodStatusStatus defines the observed state of MutatorPodStatus. + properties: + enforced: + type: boolean + errors: + items: + description: MutatorError represents a single error caught while adding a mutator to a system. + properties: + message: + type: string + type: + description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type. 
+ type: string + required: + - message + type: object + type: array + id: + type: string + mutatorUID: + description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch + type: string + observedGeneration: + format: int64 + type: integer + operations: + items: + type: string + type: array + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: + status: {} + - name: v1alpha1 + schema: + openAPIV3Schema: + description: AssignMetadata is the Schema for the assignmetadata API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: AssignMetadataSpec defines the desired state of AssignMetadata. + properties: + location: + type: string + match: + description: Match selects which objects are in scope. + properties: + excludedNamespaces: + description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' 
+ items: + description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + kinds: + items: + description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope. + properties: + apiGroups: + description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required. + items: + type: string + type: array + kinds: + items: + type: string + type: array + type: object + type: array + labelSelector: + description: 'LabelSelector is the combination of two optional fields: `matchLabels` and `matchExpressions`. These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector.' + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. 
If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + name: + description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + namespaceSelector: + description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + items: + description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + scope: + description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) + type: string + source: + description: Source determines whether generated or original resources are matched. Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of `Generated` will only match generated resources, while `Original` will only match regular resources. + enum: + - All + - Generated + - Original + type: string + type: object + parameters: + properties: + assign: + description: Assign.value holds the value to be assigned + properties: + externalData: + description: ExternalData describes the external data provider to be used for mutation. 
+ properties: + dataSource: + default: ValueAtLocation + description: DataSource specifies where to extract the data that will be sent to the external data provider as parameters. + enum: + - ValueAtLocation + - Username + type: string + default: + description: Default specifies the default value to use when the external data provider returns an error and the failure policy is set to "UseDefault". + type: string + failurePolicy: + default: Fail + description: FailurePolicy specifies the policy to apply when the external data provider returns an error. + enum: + - UseDefault + - Ignore + - Fail + type: string + provider: + description: Provider is the name of the external data provider. + type: string + type: object + fromMetadata: + description: FromMetadata assigns a value from the specified metadata field. + properties: + field: + description: Field specifies which metadata field provides the assigned value. Valid fields are `namespace` and `name`. + type: string + type: object + value: + description: Value is a constant value that will be assigned to `location` + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: object + status: + description: AssignMetadataStatus defines the observed state of AssignMetadata. + properties: + byPod: + description: 'INSERT ADDITIONAL STATUS FIELD - define observed state of cluster Important: Run "make" to regenerate code after modifying this file' + items: + description: MutatorPodStatusStatus defines the observed state of MutatorPodStatus. + properties: + enforced: + type: boolean + errors: + items: + description: MutatorError represents a single error caught while adding a mutator to a system. + properties: + message: + type: string + type: + description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type. 
+ type: string + required: + - message + type: object + type: array + id: + type: string + mutatorUID: + description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch + type: string + observedGeneration: + format: int64 + type: integer + operations: + items: + type: string + type: array + type: object + type: array + type: object + type: object + served: true + storage: false + subresources: + status: {} + - name: v1beta1 + schema: + openAPIV3Schema: + description: AssignMetadata is the Schema for the assignmetadata API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: AssignMetadataSpec defines the desired state of AssignMetadata. + properties: + location: + type: string + match: + description: Match selects which objects are in scope. + properties: + excludedNamespaces: + description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' 
+ items: + description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + kinds: + items: + description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope. + properties: + apiGroups: + description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required. + items: + type: string + type: array + kinds: + items: + type: string + type: array + type: object + type: array + labelSelector: + description: 'LabelSelector is the combination of two optional fields: `matchLabels` and `matchExpressions`. These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector.' + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. 
If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + name: + description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + namespaceSelector: + description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + items: + description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + scope: + description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) + type: string + source: + description: Source determines whether generated or original resources are matched. Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of `Generated` will only match generated resources, while `Original` will only match regular resources. + enum: + - All + - Generated + - Original + type: string + type: object + parameters: + properties: + assign: + description: Assign.value holds the value to be assigned + properties: + externalData: + description: ExternalData describes the external data provider to be used for mutation. 
+ properties: + dataSource: + default: ValueAtLocation + description: DataSource specifies where to extract the data that will be sent to the external data provider as parameters. + enum: + - ValueAtLocation + - Username + type: string + default: + description: Default specifies the default value to use when the external data provider returns an error and the failure policy is set to "UseDefault". + type: string + failurePolicy: + default: Fail + description: FailurePolicy specifies the policy to apply when the external data provider returns an error. + enum: + - UseDefault + - Ignore + - Fail + type: string + provider: + description: Provider is the name of the external data provider. + type: string + type: object + fromMetadata: + description: FromMetadata assigns a value from the specified metadata field. + properties: + field: + description: Field specifies which metadata field provides the assigned value. Valid fields are `namespace` and `name`. + type: string + type: object + value: + description: Value is a constant value that will be assigned to `location` + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: object + status: + description: AssignMetadataStatus defines the observed state of AssignMetadata. + properties: + byPod: + description: 'INSERT ADDITIONAL STATUS FIELD - define observed state of cluster Important: Run "make" to regenerate code after modifying this file' + items: + description: MutatorPodStatusStatus defines the observed state of MutatorPodStatus. + properties: + enforced: + type: boolean + errors: + items: + description: MutatorError represents a single error caught while adding a mutator to a system. + properties: + message: + type: string + type: + description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type. 
+ type: string + required: + - message + type: object + type: array + id: + type: string + mutatorUID: + description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch + type: string + observedGeneration: + format: int64 + type: integer + operations: + items: + type: string + type: array + type: object + type: array + type: object + type: object + served: true + storage: false + subresources: + status: {} diff --git a/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/config-customresourcedefinition.yaml b/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/config-customresourcedefinition.yaml new file mode 100644 index 000000000..57826ac09 --- /dev/null +++ b/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/config-customresourcedefinition.yaml 
@@ -0,0 +1,105 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.10.0 + labels: + gatekeeper.sh/system: "yes" + name: configs.config.gatekeeper.sh +spec: + group: config.gatekeeper.sh + names: + kind: Config + listKind: ConfigList + plural: configs + singular: config + preserveUnknownFields: false + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: Config is the Schema for the configs API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ConfigSpec defines the desired state of Config. + properties: + match: + description: Configuration for namespace exclusion + items: + properties: + excludedNamespaces: + items: + description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' 
+ pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + processes: + items: + type: string + type: array + type: object + type: array + readiness: + description: Configuration for readiness tracker + properties: + statsEnabled: + type: boolean + type: object + sync: + description: Configuration for syncing k8s objects + properties: + syncOnly: + description: If non-empty, only entries on this list will be replicated into OPA + items: + properties: + group: + type: string + kind: + type: string + version: + type: string + type: object + type: array + type: object + validation: + description: Configuration for validation + properties: + traces: + description: List of requests to trace. Both "user" and "kinds" must be specified + items: + properties: + dump: + description: Also dump the state of OPA with the trace. Set to `All` to dump everything. + type: string + kind: + description: Only trace requests of the following GroupVersionKind + properties: + group: + type: string + kind: + type: string + version: + type: string + type: object + user: + description: Only trace requests from the specified user + type: string + type: object + type: array + type: object + type: object + status: + description: ConfigStatus defines the observed state of Config. + type: object + type: object + served: true + storage: true diff --git a/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/constraintpodstatus-customresourcedefinition.yaml b/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/constraintpodstatus-customresourcedefinition.yaml new file mode 100644 index 000000000..230a541bb --- /dev/null +++ b/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/constraintpodstatus-customresourcedefinition.yaml 
@@ -0,0 +1,67 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.10.0 + labels: + gatekeeper.sh/system: "yes" + name: constraintpodstatuses.status.gatekeeper.sh +spec: + group: status.gatekeeper.sh + names: + kind: ConstraintPodStatus + listKind: ConstraintPodStatusList + plural: constraintpodstatuses + singular: constraintpodstatus + preserveUnknownFields: false + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + description: ConstraintPodStatus is the Schema for the constraintpodstatuses API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + status: + description: ConstraintPodStatusStatus defines the observed state of ConstraintPodStatus. + properties: + constraintUID: + description: Storing the constraint UID allows us to detect drift, such as when a constraint has been recreated after its CRD was deleted out from under it, interrupting the watch + type: string + enforced: + type: boolean + errors: + items: + description: Error represents a single error caught while adding a constraint to OPA. 
+ properties: + code: + type: string + location: + type: string + message: + type: string + required: + - code + - message + type: object + type: array + id: + type: string + observedGeneration: + format: int64 + type: integer + operations: + items: + type: string + type: array + type: object + type: object + served: true + storage: true diff --git a/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/constrainttemplate-customresourcedefinition.yaml b/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/constrainttemplate-customresourcedefinition.yaml new file mode 100644 index 000000000..737e3aff1 --- /dev/null +++ b/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/constrainttemplate-customresourcedefinition.yaml 
@@ -0,0 +1,357 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.11.3 + labels: + gatekeeper.sh/system: "yes" + name: constrainttemplates.templates.gatekeeper.sh +spec: + group: templates.gatekeeper.sh + names: + kind: ConstraintTemplate + listKind: ConstraintTemplateList + plural: constrainttemplates + singular: constrainttemplate + preserveUnknownFields: false + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: ConstraintTemplate is the Schema for the constrainttemplates API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ConstraintTemplateSpec defines the desired state of ConstraintTemplate. + properties: + crd: + properties: + spec: + properties: + names: + properties: + kind: + type: string + shortNames: + items: + type: string + type: array + type: object + validation: + default: + legacySchema: false + properties: + legacySchema: + default: false + type: boolean + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: object + targets: + items: + properties: + code: + description: The source code options for the constraint template. 
"Rego" can only be specified in one place (either here or in the "rego" field) + items: + properties: + engine: + description: 'The engine used to evaluate the code. Example: "Rego". Required.' + type: string + source: + description: The source code for the template. Required. + x-kubernetes-preserve-unknown-fields: true + required: + - engine + - source + type: object + type: array + x-kubernetes-list-map-keys: + - engine + x-kubernetes-list-type: map + libs: + items: + type: string + type: array + rego: + type: string + target: + type: string + type: object + type: array + type: object + status: + description: ConstraintTemplateStatus defines the observed state of ConstraintTemplate. + properties: + byPod: + items: + description: ByPodStatus defines the observed state of ConstraintTemplate as seen by an individual controller + properties: + errors: + items: + description: CreateCRDError represents a single error caught during parsing, compiling, etc. + properties: + code: + type: string + location: + type: string + message: + type: string + required: + - code + - message + type: object + type: array + id: + description: a unique identifier for the pod that wrote the status + type: string + observedGeneration: + format: int64 + type: integer + type: object + x-kubernetes-preserve-unknown-fields: true + type: array + created: + type: boolean + type: object + type: object + served: true + storage: true + subresources: + status: {} + - name: v1alpha1 + schema: + openAPIV3Schema: + description: ConstraintTemplate is the Schema for the constrainttemplates API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ConstraintTemplateSpec defines the desired state of ConstraintTemplate. + properties: + crd: + properties: + spec: + properties: + names: + properties: + kind: + type: string + shortNames: + items: + type: string + type: array + type: object + validation: + default: + legacySchema: true + properties: + legacySchema: + default: true + type: boolean + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: object + targets: + items: + properties: + code: + description: The source code options for the constraint template. "Rego" can only be specified in one place (either here or in the "rego" field) + items: + properties: + engine: + description: 'The engine used to evaluate the code. Example: "Rego". Required.' + type: string + source: + description: The source code for the template. Required. + x-kubernetes-preserve-unknown-fields: true + required: + - engine + - source + type: object + type: array + x-kubernetes-list-map-keys: + - engine + x-kubernetes-list-type: map + libs: + items: + type: string + type: array + rego: + type: string + target: + type: string + type: object + type: array + type: object + status: + description: ConstraintTemplateStatus defines the observed state of ConstraintTemplate. 
+ properties: + byPod: + items: + description: ByPodStatus defines the observed state of ConstraintTemplate as seen by an individual controller + properties: + errors: + items: + description: CreateCRDError represents a single error caught during parsing, compiling, etc. + properties: + code: + type: string + location: + type: string + message: + type: string + required: + - code + - message + type: object + type: array + id: + description: a unique identifier for the pod that wrote the status + type: string + observedGeneration: + format: int64 + type: integer + type: object + x-kubernetes-preserve-unknown-fields: true + type: array + created: + type: boolean + type: object + type: object + served: true + storage: false + subresources: + status: {} + - name: v1beta1 + schema: + openAPIV3Schema: + description: ConstraintTemplate is the Schema for the constrainttemplates API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ConstraintTemplateSpec defines the desired state of ConstraintTemplate. 
+ properties: + crd: + properties: + spec: + properties: + names: + properties: + kind: + type: string + shortNames: + items: + type: string + type: array + type: object + validation: + default: + legacySchema: true + properties: + legacySchema: + default: true + type: boolean + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: object + targets: + items: + properties: + code: + description: The source code options for the constraint template. "Rego" can only be specified in one place (either here or in the "rego" field) + items: + properties: + engine: + description: 'The engine used to evaluate the code. Example: "Rego". Required.' + type: string + source: + description: The source code for the template. Required. + x-kubernetes-preserve-unknown-fields: true + required: + - engine + - source + type: object + type: array + x-kubernetes-list-map-keys: + - engine + x-kubernetes-list-type: map + libs: + items: + type: string + type: array + rego: + type: string + target: + type: string + type: object + type: array + type: object + status: + description: ConstraintTemplateStatus defines the observed state of ConstraintTemplate. + properties: + byPod: + items: + description: ByPodStatus defines the observed state of ConstraintTemplate as seen by an individual controller + properties: + errors: + items: + description: CreateCRDError represents a single error caught during parsing, compiling, etc. + properties: + code: + type: string + location: + type: string + message: + type: string + required: + - code + - message + type: object + type: array + id: + description: a unique identifier for the pod that wrote the status + type: string + observedGeneration: + format: int64 + type: integer + type: object + x-kubernetes-preserve-unknown-fields: true + type: array + created: + type: boolean + type: object + type: object + served: true + storage: false + subresources: + status: {} 
diff --git a/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/constrainttemplatepodstatus-customresourcedefinition.yaml b/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/constrainttemplatepodstatus-customresourcedefinition.yaml new file mode 100644 index 000000000..271572bd7 --- /dev/null +++ b/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/constrainttemplatepodstatus-customresourcedefinition.yaml 
@@ -0,0 +1,66 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.10.0 + labels: + gatekeeper.sh/system: "yes" + name: constrainttemplatepodstatuses.status.gatekeeper.sh +spec: + group: status.gatekeeper.sh + names: + kind: ConstraintTemplatePodStatus + listKind: ConstraintTemplatePodStatusList + plural: constrainttemplatepodstatuses + singular: constrainttemplatepodstatus + preserveUnknownFields: false + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + description: ConstraintTemplatePodStatus is the Schema for the constrainttemplatepodstatuses API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + status: + description: ConstraintTemplatePodStatusStatus defines the observed state of ConstraintTemplatePodStatus. + properties: + errors: + items: + description: CreateCRDError represents a single error caught during parsing, compiling, etc. 
+ properties: + code: + type: string + location: + type: string + message: + type: string + required: + - code + - message + type: object + type: array + id: + description: 'Important: Run "make" to regenerate code after modifying this file' + type: string + observedGeneration: + format: int64 + type: integer + operations: + items: + type: string + type: array + templateUID: + description: UID is a type that holds unique ID values, including UUIDs. Because we don't ONLY use UUIDs, this is an alias to string. Being a type captures intent and helps make sure that UIDs and names do not get conflated. + type: string + type: object + type: object + served: true + storage: true diff --git a/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/expansiontemplate-customresourcedefinition.yaml b/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/expansiontemplate-customresourcedefinition.yaml new file mode 100644 index 000000000..042249cf1 --- /dev/null +++ b/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/expansiontemplate-customresourcedefinition.yaml 
@@ -0,0 +1,73 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.10.0 + labels: + gatekeeper.sh/system: "yes" + name: expansiontemplate.expansion.gatekeeper.sh +spec: + group: expansion.gatekeeper.sh + names: + kind: ExpansionTemplate + listKind: ExpansionTemplateList + plural: expansiontemplate + singular: expansiontemplate + preserveUnknownFields: false + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: ExpansionTemplate is the Schema for the ExpansionTemplate API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ExpansionTemplateSpec defines the desired state of ExpansionTemplate. + properties: + applyTo: + description: ApplyTo lists the specific groups, versions and kinds of generator resources which will be expanded. + items: + description: ApplyTo determines what GVKs items the mutation should apply to. Globs are not allowed. + properties: + groups: + items: + type: string + type: array + kinds: + items: + type: string + type: array + versions: + items: + type: string + type: array + type: object + type: array + enforcementAction: + description: EnforcementAction specifies the enforcement action to be used for resources matching the ExpansionTemplate. 
Specifying an empty value will use the enforcement action specified by the Constraint in violation. + type: string + generatedGVK: + description: GeneratedGVK specifies the GVK of the resources which the generator resource creates. + properties: + group: + type: string + kind: + type: string + version: + type: string + type: object + templateSource: + description: TemplateSource specifies the source field on the generator resource to use as the base for expanded resource. For Pod-creating generators, this is usually spec.template + type: string + type: object + type: object + served: true + storage: true diff --git a/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/modifyset-customresourcedefinition.yaml b/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/modifyset-customresourcedefinition.yaml new file mode 100644 index 000000000..1bb193336 --- /dev/null +++ b/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/modifyset-customresourcedefinition.yaml 
@@ -0,0 +1,676 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.10.0 + labels: + gatekeeper.sh/system: "yes" + name: modifyset.mutations.gatekeeper.sh +spec: + group: mutations.gatekeeper.sh + names: + kind: ModifySet + listKind: ModifySetList + plural: modifyset + singular: modifyset + preserveUnknownFields: false + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: ModifySet allows the user to modify non-keyed lists, such as the list of arguments to a container. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + properties: + name: + maxLength: 63 + type: string + type: object + spec: + description: ModifySetSpec defines the desired state of ModifySet. + properties: + applyTo: + description: ApplyTo lists the specific groups, versions and kinds a mutation will be applied to. This is necessary because every mutation implies part of an object schema and object schemas are associated with specific GVKs. + items: + description: ApplyTo determines what GVKs items the mutation should apply to. Globs are not allowed. 
+ properties: + groups: + items: + type: string + type: array + kinds: + items: + type: string + type: array + versions: + items: + type: string + type: array + type: object + type: array + location: + description: 'Location describes the path to be mutated, for example: `spec.containers[name: main].args`.' + type: string + match: + description: Match allows the user to limit which resources get mutated. Individual match criteria are AND-ed together. An undefined match criteria matches everything. + properties: + excludedNamespaces: + description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + items: + description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + kinds: + items: + description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope. + properties: + apiGroups: + description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required. + items: + type: string + type: array + kinds: + items: + type: string + type: array + type: object + type: array + labelSelector: + description: 'LabelSelector is the combination of two optional fields: `matchLabels` and `matchExpressions`. 
These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector.' + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + name: + description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' 
+ pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + namespaceSelector: + description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + items: + description: 'A string that supports globbing at its front or end. 
Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + scope: + description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) + type: string + source: + description: Source determines whether generated or original resources are matched. Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of `Generated` will only match generated resources, while `Original` will only match regular resources. + enum: + - All + - Generated + - Original + type: string + type: object + parameters: + description: Parameters define the behavior of the mutator. + properties: + operation: + default: merge + description: Operation describes whether values should be merged in ("merge"), or pruned ("prune"). Default value is "merge" + enum: + - merge + - prune + type: string + pathTests: + description: PathTests are a series of existence tests that can be checked before a mutation is applied + items: + description: "PathTest allows the user to customize how the mutation works if parent paths are missing. It traverses the list in order. All sub paths are tested against the provided condition, if the test fails, the mutation is not applied. All `subPath` entries must be a prefix of `location`. Any glob characters will take on the same value as was used to expand the matching glob in `location`. \n Available Tests: * MustExist - the path must exist or do not mutate * MustNotExist - the path must not exist or do not mutate." 
+ properties: + condition: + description: Condition describes whether the path either MustExist or MustNotExist in the original object + enum: + - MustExist + - MustNotExist + type: string + subPath: + type: string + type: object + type: array + values: + description: Values describes the values provided to the operation as `values.fromList`. + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + status: + description: ModifySetStatus defines the observed state of ModifySet. + properties: + byPod: + items: + description: MutatorPodStatusStatus defines the observed state of MutatorPodStatus. + properties: + enforced: + type: boolean + errors: + items: + description: MutatorError represents a single error caught while adding a mutator to a system. + properties: + message: + type: string + type: + description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type. + type: string + required: + - message + type: object + type: array + id: + type: string + mutatorUID: + description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch + type: string + observedGeneration: + format: int64 + type: integer + operations: + items: + type: string + type: array + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: + status: {} + - name: v1alpha1 + schema: + openAPIV3Schema: + description: ModifySet allows the user to modify non-keyed lists, such as the list of arguments to a container. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ModifySetSpec defines the desired state of ModifySet. + properties: + applyTo: + description: ApplyTo lists the specific groups, versions and kinds a mutation will be applied to. This is necessary because every mutation implies part of an object schema and object schemas are associated with specific GVKs. + items: + description: ApplyTo determines what GVKs items the mutation should apply to. Globs are not allowed. + properties: + groups: + items: + type: string + type: array + kinds: + items: + type: string + type: array + versions: + items: + type: string + type: array + type: object + type: array + location: + description: 'Location describes the path to be mutated, for example: `spec.containers[name: main].args`.' + type: string + match: + description: Match allows the user to limit which resources get mutated. Individual match criteria are AND-ed together. An undefined match criteria matches everything. + properties: + excludedNamespaces: + description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + items: + description: 'A string that supports globbing at its front or end. 
Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + kinds: + items: + description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope. + properties: + apiGroups: + description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required. + items: + type: string + type: array + kinds: + items: + type: string + type: array + type: object + type: array + labelSelector: + description: 'LabelSelector is the combination of two optional fields: `matchLabels` and `matchExpressions`. These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector.' + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. 
This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + name: + description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + namespaceSelector: + description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + items: + description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + scope: + description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) + type: string + source: + description: Source determines whether generated or original resources are matched. Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of `Generated` will only match generated resources, while `Original` will only match regular resources. + enum: + - All + - Generated + - Original + type: string + type: object + parameters: + description: Parameters define the behavior of the mutator. + properties: + operation: + default: merge + description: Operation describes whether values should be merged in ("merge"), or pruned ("prune"). 
Default value is "merge" + enum: + - merge + - prune + type: string + pathTests: + description: PathTests are a series of existence tests that can be checked before a mutation is applied + items: + description: "PathTest allows the user to customize how the mutation works if parent paths are missing. It traverses the list in order. All sub paths are tested against the provided condition, if the test fails, the mutation is not applied. All `subPath` entries must be a prefix of `location`. Any glob characters will take on the same value as was used to expand the matching glob in `location`. \n Available Tests: * MustExist - the path must exist or do not mutate * MustNotExist - the path must not exist or do not mutate." + properties: + condition: + description: Condition describes whether the path either MustExist or MustNotExist in the original object + enum: + - MustExist + - MustNotExist + type: string + subPath: + type: string + type: object + type: array + values: + description: Values describes the values provided to the operation as `values.fromList`. + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + status: + description: ModifySetStatus defines the observed state of ModifySet. + properties: + byPod: + items: + description: MutatorPodStatusStatus defines the observed state of MutatorPodStatus. + properties: + enforced: + type: boolean + errors: + items: + description: MutatorError represents a single error caught while adding a mutator to a system. + properties: + message: + type: string + type: + description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type. 
+ type: string + required: + - message + type: object + type: array + id: + type: string + mutatorUID: + description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch + type: string + observedGeneration: + format: int64 + type: integer + operations: + items: + type: string + type: array + type: object + type: array + type: object + type: object + served: true + storage: false + subresources: + status: {} + - name: v1beta1 + schema: + openAPIV3Schema: + description: ModifySet allows the user to modify non-keyed lists, such as the list of arguments to a container. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ModifySetSpec defines the desired state of ModifySet. + properties: + applyTo: + description: ApplyTo lists the specific groups, versions and kinds a mutation will be applied to. This is necessary because every mutation implies part of an object schema and object schemas are associated with specific GVKs. + items: + description: ApplyTo determines what GVKs items the mutation should apply to. Globs are not allowed. 
+ properties: + groups: + items: + type: string + type: array + kinds: + items: + type: string + type: array + versions: + items: + type: string + type: array + type: object + type: array + location: + description: 'Location describes the path to be mutated, for example: `spec.containers[name: main].args`.' + type: string + match: + description: Match allows the user to limit which resources get mutated. Individual match criteria are AND-ed together. An undefined match criteria matches everything. + properties: + excludedNamespaces: + description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + items: + description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + kinds: + items: + description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope. + properties: + apiGroups: + description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required. + items: + type: string + type: array + kinds: + items: + type: string + type: array + type: object + type: array + labelSelector: + description: 'LabelSelector is the combination of two optional fields: `matchLabels` and `matchExpressions`. 
These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector.' + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + name: + description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' 
+ pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + namespaceSelector: + description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + items: + description: 'A string that supports globbing at its front or end. 
Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + scope: + description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) + type: string + source: + description: Source determines whether generated or original resources are matched. Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of `Generated` will only match generated resources, while `Original` will only match regular resources. + enum: + - All + - Generated + - Original + type: string + type: object + parameters: + description: Parameters define the behavior of the mutator. + properties: + operation: + default: merge + description: Operation describes whether values should be merged in ("merge"), or pruned ("prune"). Default value is "merge" + enum: + - merge + - prune + type: string + pathTests: + description: PathTests are a series of existence tests that can be checked before a mutation is applied + items: + description: "PathTest allows the user to customize how the mutation works if parent paths are missing. It traverses the list in order. All sub paths are tested against the provided condition, if the test fails, the mutation is not applied. All `subPath` entries must be a prefix of `location`. Any glob characters will take on the same value as was used to expand the matching glob in `location`. \n Available Tests: * MustExist - the path must exist or do not mutate * MustNotExist - the path must not exist or do not mutate." 
+ properties: + condition: + description: Condition describes whether the path either MustExist or MustNotExist in the original object + enum: + - MustExist + - MustNotExist + type: string + subPath: + type: string + type: object + type: array + values: + description: Values describes the values provided to the operation as `values.fromList`. + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + status: + description: ModifySetStatus defines the observed state of ModifySet. + properties: + byPod: + items: + description: MutatorPodStatusStatus defines the observed state of MutatorPodStatus. + properties: + enforced: + type: boolean + errors: + items: + description: MutatorError represents a single error caught while adding a mutator to a system. + properties: + message: + type: string + type: + description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type. + type: string + required: + - message + type: object + type: array + id: + type: string + mutatorUID: + description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch + type: string + observedGeneration: + format: int64 + type: integer + operations: + items: + type: string + type: array + type: object + type: array + type: object + type: object + served: true + storage: false + subresources: + status: {} diff --git a/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/mutatorpodstatus-customresourcedefinition.yaml b/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/mutatorpodstatus-customresourcedefinition.yaml new file mode 100644 index 000000000..fd6a0f6de --- /dev/null +++ b/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/mutatorpodstatus-customresourcedefinition.yaml 
@@ -0,0 +1,65 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.10.0 + labels: + gatekeeper.sh/system: "yes" + name: mutatorpodstatuses.status.gatekeeper.sh +spec: + group: status.gatekeeper.sh + names: + kind: MutatorPodStatus + listKind: MutatorPodStatusList + plural: mutatorpodstatuses + singular: mutatorpodstatus + preserveUnknownFields: false + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + description: MutatorPodStatus is the Schema for the mutationpodstatuses API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + status: + description: MutatorPodStatusStatus defines the observed state of MutatorPodStatus. + properties: + enforced: + type: boolean + errors: + items: + description: MutatorError represents a single error caught while adding a mutator to a system. + properties: + message: + type: string + type: + description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type. 
+ type: string + required: + - message + type: object + type: array + id: + type: string + mutatorUID: + description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch + type: string + observedGeneration: + format: int64 + type: integer + operations: + items: + type: string + type: array + type: object + type: object + served: true + storage: true diff --git a/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/provider-customresourcedefinition.yaml b/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/provider-customresourcedefinition.yaml new file mode 100644 index 000000000..95e66a8b8 --- /dev/null +++ b/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/provider-customresourcedefinition.yaml 
@@ -0,0 +1,78 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.11.3 + labels: + gatekeeper.sh/system: "yes" + name: providers.externaldata.gatekeeper.sh +spec: + group: externaldata.gatekeeper.sh + names: + kind: Provider + listKind: ProviderList + plural: providers + singular: provider + preserveUnknownFields: false + scope: Cluster + versions: + - deprecated: true + deprecationWarning: externaldata.gatekeeper.sh/v1alpha1 is deprecated. Use externaldata.gatekeeper.sh/v1beta1 instead. + name: v1alpha1 + schema: + openAPIV3Schema: + description: Provider is the Schema for the Provider API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the Provider specifications. + properties: + caBundle: + description: CABundle is a base64-encoded string that contains the TLS CA bundle in PEM format. It is used to verify the signature of the provider's certificate. + type: string + timeout: + description: Timeout is the timeout when querying the provider. + type: integer + url: + description: URL is the url for the provider. URL is prefixed with https://. 
+ type: string + type: object + type: object + served: true + storage: false + - name: v1beta1 + schema: + openAPIV3Schema: + description: Provider is the Schema for the providers API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the Provider specifications. + properties: + caBundle: + description: CABundle is a base64-encoded string that contains the TLS CA bundle in PEM format. It is used to verify the signature of the provider's certificate. + type: string + timeout: + description: Timeout is the timeout when querying the provider. + type: integer + url: + description: URL is the url for the provider. URL is prefixed with https://. + type: string + type: object + type: object + served: true + storage: true diff --git a/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/templates/_helpers.tpl b/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/templates/_helpers.tpl new file mode 100644 index 000000000..6a89079bc --- /dev/null +++ b/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/templates/_helpers.tpl 
@@ -0,0 +1,22 @@ +# Rancher + +{{- define "system_default_registry" -}} +{{- if .Values.global.cattle.systemDefaultRegistry -}} +{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}} +{{- end -}} +{{- end -}} + +{{/* +Windows cluster will add default taint for linux nodes, +add below linux tolerations to workloads could be scheduled to those linux nodes +*/}} +{{- define "linux-node-tolerations" -}} +- key: "cattle.io/os" + value: "linux" + effect: "NoSchedule" + operator: "Equal" +{{- end -}} + +{{- define "linux-node-selector" -}} +kubernetes.io/os: linux +{{- end -}} diff --git a/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/templates/jobs.yaml b/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/templates/jobs.yaml new file mode 100644 index 000000000..e5589e68c --- /dev/null +++ b/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/templates/jobs.yaml 
@@ -0,0 +1,126 @@ +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ .Chart.Name }}-create + namespace: {{ .Release.Namespace }} + labels: + app: {{ .Chart.Name }} + annotations: + "helm.sh/hook": post-install, post-upgrade, post-rollback + "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded +spec: + template: + metadata: + name: {{ .Chart.Name }}-create + labels: + app: {{ .Chart.Name }} + spec: + serviceAccountName: {{ .Chart.Name }}-manager + nodeSelector: {{ include "linux-node-selector" . | nindent 8 }} +{{- if .Values.nodeSelector }} +{{ toYaml .Values.nodeSelector | indent 8 }} +{{- end }} + tolerations: {{ include "linux-node-tolerations" . | nindent 8 }} +{{- if .Values.tolerations }} +{{ toYaml .Values.tolerations | indent 8 }} +{{- end }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + containers: + - name: create-crds + image: {{ template "system_default_registry" . }}{{ .Values.image.repository }}:{{ .Values.image.tag }} + imagePullPolicy: IfNotPresent + command: + - /bin/kubectl + - apply + - -f + - /etc/config/crd-manifest.yaml + volumeMounts: + - name: crd-manifest + readOnly: true + mountPath: /etc/config + securityContext: + {{- if .Values.enableRuntimeDefaultSeccompProfile }} + seccompProfile: + type: RuntimeDefault + {{- end }} + {{- toYaml .Values.securityContext | nindent 12 }} + restartPolicy: OnFailure + volumes: + - name: crd-manifest + configMap: + name: {{ .Chart.Name }}-manifest +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ .Chart.Name }}-delete + namespace: {{ .Release.Namespace }} + labels: + app: {{ .Chart.Name }} + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-delete-policy": hook-succeeded +spec: + template: + metadata: + name: {{ .Chart.Name }}-delete + labels: + app: {{ .Chart.Name }} + spec: + serviceAccountName: {{ .Chart.Name }}-manager + nodeSelector: {{ include "linux-node-selector" . 
| nindent 8 }} +{{- if .Values.nodeSelector }} +{{ toYaml .Values.nodeSelector | indent 8 }} +{{- end }} + tolerations: {{ include "linux-node-tolerations" . | nindent 8 }} +{{- if .Values.tolerations }} +{{ toYaml .Values.tolerations | indent 8 }} +{{- end }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + initContainers: + - name: remove-finalizers + image: {{ template "system_default_registry" . }}{{ .Values.image.repository }}:{{ .Values.image.tag }} + imagePullPolicy: IfNotPresent + command: + - /bin/kubectl + - apply + - -f + - /etc/config/crd-manifest.yaml + volumeMounts: + - name: crd-manifest + readOnly: true + mountPath: /etc/config + securityContext: + {{- if .Values.enableRuntimeDefaultSeccompProfile }} + seccompProfile: + type: RuntimeDefault + {{- end }} + {{- toYaml .Values.securityContext | nindent 12 }} + containers: + - name: delete-crds + image: {{ template "system_default_registry" . }}{{ .Values.image.repository }}:{{ .Values.image.tag }} + imagePullPolicy: IfNotPresent + command: + - /bin/kubectl + - delete + - -f + - /etc/config/crd-manifest.yaml + volumeMounts: + - name: crd-manifest + readOnly: true + mountPath: /etc/config + securityContext: + {{- if .Values.enableRuntimeDefaultSeccompProfile }} + seccompProfile: + type: RuntimeDefault + {{- end }} + {{- toYaml .Values.securityContext | nindent 12 }} + restartPolicy: OnFailure + volumes: + - name: crd-manifest + configMap: + name: {{ .Chart.Name }}-manifest diff --git a/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/templates/manifest.yaml b/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/templates/manifest.yaml new file mode 100644 index 000000000..31016b6ef --- /dev/null +++ b/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/templates/manifest.yaml 
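Review bot: The pre-delete Job's init container is named `remove-finalizers`, but its command is `kubectl apply -f /etc/config/crd-manifest.yaml`, the same apply the create Job runs, so the name describes something the code does not do. Presumably the apply is there so that the `kubectl delete -f` in the `delete-crds` container does not fail on a CRD that was never installed; either rename the container to `apply-crds` or state that intent in a template comment, e.g. `{{/* re-apply the CRDs first so the delete below succeeds even if some were never installed */}}`. Note also that deleting these CRDs cascades to every custom resource of those kinds in the cluster (the ModifySet, MutatorPodStatus and Provider objects defined earlier in this patch, among others), which is the expected effect of uninstalling the CRD chart but worth stating in a comment above the delete Job or in the README. Both Jobs run under the `{{ .Chart.Name }}-manager` ServiceAccount whose ClusterRole is defined in rbac.yaml further down.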
@@ -0,0 +1,14 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ .Chart.Name }}-manifest + namespace: {{ .Release.Namespace }} +data: + crd-manifest.yaml: | + {{- $currentScope := . -}} + {{- $crds := (.Files.Glob "crd-manifest/**.yaml") -}} + {{- range $path, $_ := $crds -}} + {{- with $currentScope -}} + {{ .Files.Get $path | nindent 4 }} + --- + {{- end -}}{{- end -}} diff --git a/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/templates/rbac.yaml b/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/templates/rbac.yaml new file mode 100644 index 000000000..d1df38961 --- /dev/null +++ b/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/templates/rbac.yaml 
@@ -0,0 +1,76 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ .Chart.Name }}-manager + labels: + app: {{ .Chart.Name }}-manager +rules: +- apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: ['create', 'get', 'patch', 'delete'] +{{- if .Values.global.cattle.psp.enabled }} +- apiGroups: ['policy'] + resources: ['podsecuritypolicies'] + verbs: ['use'] + resourceNames: + - {{ .Chart.Name }}-manager +{{- end }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ .Chart.Name }}-manager + labels: + app: {{ .Chart.Name }}-manager +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ .Chart.Name }}-manager +subjects: +- kind: ServiceAccount + name: {{ .Chart.Name }}-manager + namespace: {{ .Release.Namespace }} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ .Chart.Name }}-manager + namespace: {{ .Release.Namespace }} + labels: + app: {{ .Chart.Name }}-manager +--- +{{- if .Values.global.cattle.psp.enabled }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ .Chart.Name }}-manager + namespace: {{ .Release.Namespace }} + labels: + app: {{ .Chart.Name }}-manager +spec: + privileged: false + allowPrivilegeEscalation: false + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'MustRunAsNonRoot' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'MustRunAs' + ranges: + - min: 1 + max: 65535 + fsGroup: + rule: 'MustRunAs' + ranges: + - min: 1 + max: 65535 + readOnlyRootFilesystem: false + volumes: + - 'configMap' + - 'secret' +{{- end }} diff --git a/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/templates/validate-psp-install.yaml b/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/templates/validate-psp-install.yaml new file mode 100644 index 000000000..a30c59d3b --- /dev/null +++ b/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/templates/validate-psp-install.yaml 
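Review bot: The `{{ .Chart.Name }}-manager` ClusterRole grants `get`, `patch` and `delete` on every CustomResourceDefinition in the cluster, although the Jobs in jobs.yaml only ever touch the CRDs shipped in `crd-manifest/`; a token for this ServiceAccount could therefore delete any unrelated CRD and, with it, every object of that kind. `create` cannot be narrowed with `resourceNames` because the object name is not known at authorization time, but the other three verbs can, and the names can be derived from the same files that manifest.yaml globs so the list never drifts from what is applied. The PodSecurityPolicy block also sets `metadata.namespace` on a cluster-scoped object, which the API server ignores; dropping that line avoids suggesting the PSP is namespaced. The split rule is shown below; the `use` rule, ClusterRoleBinding, ServiceAccount and PSP are unchanged.

```yaml
rules:
# `create` cannot be restricted by resourceNames: the name is unknown at authorization time.
- apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  verbs: ['create']
# Read/patch/delete only the CRDs this chart ships (same glob manifest.yaml uses).
- apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  resourceNames:
  {{- range $path, $_ := .Files.Glob "crd-manifest/**.yaml" }}
  - {{ ($.Files.Get $path | fromYaml).metadata.name }}
  {{- end }}
  verbs: ['get', 'patch', 'delete']
# … unchanged: psp 'use' rule, ClusterRoleBinding, ServiceAccount, PodSecurityPolicy …
```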
@@ -0,0 +1,7 @@
+#{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}}
+#{{- if .Values.global.cattle.psp.enabled }}
+#{{- if not (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }}
+#{{- fail "The target cluster does not have the PodSecurityPolicy API resource. Please disable PSPs in this chart before proceeding." -}}
+#{{- end }}
+#{{- end }}
+#{{- end }}
diff --git a/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/values.yaml b/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/values.yaml
new file mode 100644
index 000000000..3304f097b
--- /dev/null
+++ b/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/values.yaml
@@ -0,0 +1,21 @@
+# Default values for rancher-gatekeeper-crd.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+global:
+ cattle:
+ systemDefaultRegistry: ""
+ psp:
+ enabled: false
+
+image:
+ repository: rancher/kubectl
+ tag: v1.20.2
+
+enableRuntimeDefaultSeccompProfile: true
+
+securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/.helmignore b/charts/rancher-gatekeeper/103.0.1+up3.12.0/.helmignore
new file mode 100644
index 000000000..f0c131944
--- /dev/null
+++ b/charts/rancher-gatekeeper/103.0.1+up3.12.0/.helmignore
@@ -0,0 +1,21 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/CHANGELOG.md b/charts/rancher-gatekeeper/103.0.1+up3.12.0/CHANGELOG.md
new file mode 100644
index 000000000..c68d23c24
--- /dev/null
+++ b/charts/rancher-gatekeeper/103.0.1+up3.12.0/CHANGELOG.md
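Review bot: The outer `lookup` guard silently disables the PSP capability check whenever the render has no cluster access (`helm template`, `--dry-run`, or a client that cannot list ClusterRoles), which is presumably deliberate so offline rendering does not fail, but nothing in the file says so. Anyone who renders with `helm template` and applies the output to a cluster without the `policy/v1beta1` PodSecurityPolicy API will only discover the problem at apply time, after the CRDs have already been created. A one-line template comment would make the intent explicit, e.g. `#{{- /* lookup returns nothing without cluster access (helm template / dry-run), so the check below is intentionally skipped there */ -}}`.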
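Review bot: `image.tag: v1.20.2` pins the `rancher/kubectl` used by the create/delete Jobs to a 1.20 client, while the rancher-gatekeeper Chart.yaml later in this patch admits clusters up to `< 1.28.0-0`; kubectl's supported version skew is one minor release either side of the API server, so on 1.22+ clusters the Jobs run an unsupported client (assuming the CRD chart carries the same kube-version range, which is not visible here). Moving the tag to a kubectl within that skew, or adding a comment explaining why the old pin is kept, would close the gap. The default `securityContext` could additionally set `readOnlyRootFilesystem: true` to match the drop-ALL/no-escalation posture already there; kubectl may try to write a discovery cache under `$HOME`, so that needs a quick check in the Job before enabling it.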
@@ -0,0 +1,15 @@
+# Changelog
+All notable changes from the upstream OPA Gatekeeper chart will be added to this file
+
+## [Package Version 00] - 2020-09-10
+### Added
+- Enabled the CRD chart generator in `package.yaml`
+
+### Modified
+- Updated namespace to `cattle-gatekeeper-system`
+- Updated for Helm 3 compatibility
+ - Moved crds to `crds` directory
+ - Removed `crd-install` hooks and templates from crds
+
+### Removed
+- Removed `gatekeeper-system-namespace.yaml` as Rancher handles namespaces for chart installation
diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/Chart.yaml b/charts/rancher-gatekeeper/103.0.1+up3.12.0/Chart.yaml
new file mode 100644
index 000000000..581fbe168
--- /dev/null
+++ b/charts/rancher-gatekeeper/103.0.1+up3.12.0/Chart.yaml
@@ -0,0 +1,26 @@
+annotations:
+ catalog.cattle.io/auto-install: rancher-gatekeeper-crd=match
+ catalog.cattle.io/certified: rancher
+ catalog.cattle.io/display-name: OPA Gatekeeper
+ catalog.cattle.io/kube-version: '>= 1.20.0-0 < 1.28.0-0'
+ catalog.cattle.io/namespace: cattle-gatekeeper-system
+ catalog.cattle.io/os: linux
+ catalog.cattle.io/permits-os: linux,windows
+ catalog.cattle.io/provides-gvr: config.gatekeeper.sh.config/v1alpha1
+ catalog.cattle.io/rancher-version: '>= 2.8.0-0 < 2.9.0-0'
+ catalog.cattle.io/release-name: rancher-gatekeeper
+ catalog.cattle.io/type: cluster-tool
+ catalog.cattle.io/ui-component: gatekeeper
+apiVersion: v2
+appVersion: v3.12.0
+description: Modifies Open Policy Agent's upstream gatekeeper chart that provides
+ policy-based control for cloud native environments
+home: https://github.com/open-policy-agent/gatekeeper
+icon: https://charts.rancher.io/assets/logos/gatekeeper.svg
+keywords:
+- open policy agent
+- security
+name: rancher-gatekeeper
+sources:
+- https://github.com/open-policy-agent/gatekeeper.git
+version: 103.0.1+up3.12.0
diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/README.md b/charts/rancher-gatekeeper/103.0.1+up3.12.0/README.md
new file mode 100644
index 000000000..155a81337
--- /dev/null
+++ b/charts/rancher-gatekeeper/103.0.1+up3.12.0/README.md
@@ -0,0 +1,210 @@ +# Gatekeeper Helm Chart + +## Get Repo Info + +```console +helm repo add gatekeeper https://open-policy-agent.github.io/gatekeeper/charts +helm repo update +``` + +_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ + +## Install Chart + +```console +# Helm install with gatekeeper-system namespace already created +$ helm install -n gatekeeper-system [RELEASE_NAME] gatekeeper/gatekeeper + +# Helm install and create namespace +$ helm install -n gatekeeper-system [RELEASE_NAME] gatekeeper/gatekeeper --create-namespace + +``` + +_See [parameters](#parameters) below._ + +_See [helm install](https://helm.sh/docs/helm/helm_install/) for command documentation._ + +## Upgrade Chart + +**Upgrading from < v3.4.0** +Chart 3.4.0 deprecates support for Helm 2 and also removes the creation of the `gatekeeper-system` Namespace from within the chart. This follows Helm 3 Best Practices. + +Option 1: +A simple way to upgrade is to uninstall first and re-install with 3.4.0 or greater. + +```console +$ helm uninstall gatekeeper +$ helm install -n gatekeeper-system [RELEASE_NAME] gatekeeper/gatekeeper --create-namespace + +``` + +Option 2: +Run the `helm_migrate.sh` script before installing the 3.4.0 or greater chart. This will remove the Helm secret for the original release, while keeping all of the resources. It then updates the annotations of the resources so that the new chart can import and manage them. 
+ +```console +$ helm_migrate.sh +$ helm install -n gatekeeper-system gatekeeper gatekeeper/gatekeeper +``` + +**Upgrading from >= v3.4.0** +```console +$ helm upgrade -n gatekeeper-system [RELEASE_NAME] gatekeeper/gatekeeper +``` + +_See [helm 2 to 3](https://helm.sh/docs/topics/v2_v3_migration/) for Helm 2 migration documentation._ + + +## Exempting Namespace + +The Helm chart automatically sets the Gatekeeper flag `--exempt-namespace={{ .Release.Namespace }}` in order to exempt the namespace where the chart is installed, and adds the `admission.gatekeeper.sh/ignore` label to the namespace during a post-install hook. + +_See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/website/docs/exempt-namespaces) for more information._ + +## Parameters + +| Parameter | Description | Default | +| :-------------------------------------------- | :-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :------------------------------------------------------------------------ | +| postInstall.labelNamespace.enabled | Add labels to the namespace during post install hooks | `true` | +| postInstall.labelNamespace.extraNamespaces | The extra namespaces that need to have the label during post install hooks | `[]` | +| postInstall.labelNamespace.extraAnnotations | Extra annotations added to the post install Job | `{}` | +| postInstall.labelNamespace.image.repository | Image with kubectl to label the namespace | `openpolicyagent/gatekeeper-crds` | +| postInstall.labelNamespace.image.tag | Image tag | Current release version: `v3.12.0` | +| postInstall.labelNamespace.image.pullPolicy | Image pullPolicy | `IfNotPresent` | +| postInstall.labelNamespace.image.pullSecrets | Image pullSecrets | `[]` | +| postInstall.labelNamespace.extraRules | Extra rules for the 
gatekeeper-update-namespace-label Role | `[]` | +| postInstall.probeWebhook.enabled | Probe webhook API post install. When enabled along with `postInstall.labelNamespace.enabled`, this probe will run as part of `postInstall.labelNamespace` Job as an initContainer | `true` | +| postInstall.probeWebhook.image.repository | Image with curl to probe the webhook API | `curlimages/curl` | +| postInstall.probeWebhook.image.tag | Image tag | `7.83.1` | +| postInstall.probeWebhook.image.pullPolicy | Image pullPolicy | `IfNotPresent` | +| postInstall.probeWebhook.image.pullSecrets | Image pullSecrets | `[]` | +| postInstall.probeWebhook.waitTimeout | Total time to wait for the webhook API to become available | `60` | +| postInstall.probeWebhook.httpTimeout | HTTP client timeout | `2` | +| postInstall.probeWebhook.insecureHTTPS | Ignore server SSL certificate | `false` | +| postInstall.affinity | The affinity to use for pod scheduling in postInstall hook jobs | `{}` | +| postInstall.tolerations | The tolerations to use for pod scheduling in postInstall hook jobs | `[]` | +| postInstall.nodeSelector | The node selector to use for pod scheduling in postInstall hook jobs | `kubernetes.io/os: linux` | +| postInstall.resources | The resource request/limits for the container image in postInstall hook jobs | `{}` | +| postInstall.securityContext | Security context applied on the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 }` | +| postUpgrade.labelNamespace.enabled | Add labels to the namespace during post upgrade hooks | `false` | +| postUpgrade.labelNamespace.extraNamespaces | The extra namespaces that need to have the label during post upgrade hooks | `[]` | +| postUpgrade.labelNamespace.extraAnnotations | Extra annotations added to the post upgrade Job | `{}` | +| postUpgrade.labelNamespace.image.repository | Image with kubectl to label the namespace | 
`openpolicyagent/gatekeeper-crds` | +| postUpgrade.labelNamespace.image.tag | Image tag | Current release version: `v3.12.0` | +| postUpgrade.labelNamespace.image.pullPolicy | Image pullPolicy | `IfNotPresent` | +| postUpgrade.labelNamespace.image.pullSecrets | Image pullSecrets | `[]` +| postUpgrade.affinity | The affinity to use for pod scheduling in postUpgrade hook jobs | `{}` | +| postUpgrade.tolerations | The tolerations to use for pod scheduling in postUpgrade hook jobs | `[]` | +| postUpgrade.nodeSelector | The node selector to use for pod scheduling in postUpgrade hook jobs | `kubernetes.io/os: linux` | +| postUpgrade.resources | The resource request/limits for the container image in postUpgrade hook jobs | `{}` | +| postUpgrade.securityContext | Security context applied on the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 }` | +| preInstall.crdRepository.image.repository | Image with kubectl to update the CRDs. If not set, the `image.crdRepository` is used instead. 
| `null` | +| preInstall.crdRepository.image.tag | Image tag | Current release version: `v3.12.0` | +| preUninstall.deleteWebhooks.enabled | Delete webhooks before gatekeeper itself is uninstalled | `false` | +| preUninstall.deleteWebhooks.image.repository | Image with kubectl to delete the webhooks | `openpolicyagent/gatekeeper-crds` | +| preUninstall.deleteWebhooks.image.tag | Image tag | Current release version: `v3.12.0` | +| preUninstall.deleteWebhooks.image.pullPolicy | Image pullPolicy | `IfNotPresent` | +| preUninstall.deleteWebhooks.image.pullSecrets | Image pullSecrets | `[]` | +| preUninstall.deleteWebhooks.extraRules | Extra rules for the gatekeeper-delete-webhook-configs Role | `[]` | +| preUninstall.affinity | The affinity to use for pod scheduling in preUninstall hook jobs | `{}` | +| preUninstall.tolerations | The tolerations to use for pod scheduling in preUninstall hook jobs | `[]` | +| preUninstall.nodeSelector | The node selector to use for pod scheduling in preUninstall hook jobs | `kubernetes.io/os: linux` | +| preUninstall.resources | The resource request/limits for the container image in preUninstall hook jobs | `{}` | +| preUninstall.securityContext | Security context applied on the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 }` | +| psp.enabled | Enabled PodSecurityPolicy | `true` | +| upgradeCRDs.enabled | Upgrade CRDs using pre-install/pre-upgrade hooks | `true` | +| upgradeCRDs.extraRules | Extra rules for the gatekeeper-admin-upgrade-crds ClusterRole | `[]` | +| crds.affinity | The affinity to use for pod scheduling in crds hook jobs | `{}` | +| crds.tolerations | The tolerations to use for pod scheduling in crds hook jobs | `[]` | +| crds.nodeSelector | The node selector to use for pod scheduling in crds hook jobs | `kubernetes.io/os: linux` | +| crds.resources | The resource request/limits for the container 
image in crds hook jobs | `{}` | +| crds.securityContext | Security context applied to the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 65532, "runAsNonRoot": true, "runAsUser": 65532 }` | +| auditInterval | The frequency with which audit is run | `300` | +| constraintViolationsLimit | The maximum # of audit violations reported on a constraint | `20` | +| auditFromCache | Take the roster of resources to audit from the audit cache | `false` | +| auditChunkSize | Chunk size for listing cluster resources for audit (alpha feature) | `500` | +| auditMatchKindOnly | Only check resources of the kinds specified in all constraints defined in the cluster. | `false` | +| disableValidatingWebhook | Disable the validating webhook | `false` | +| disableMutation | Disable mutation | `false` | +| validatingWebhookName | The name of the `ValidatingWebhookConfiguration` | `gatekeeper-validating-webhook-configuration` | +| validatingWebhookTimeoutSeconds | The timeout for the validating webhook in seconds | `3` | +| validatingWebhookFailurePolicy | The failurePolicy for the validating webhook | `Ignore` | +| validatingWebhookAnnotations | The annotations to add to the ValidatingWebhookConfiguration | `{}` | +| validatingWebhookObjectSelector | The label selector to further refine which namespaced resources will be selected by the webhook. Please note that an exemption label means users can circumvent Gatekeeper's validation webhook unless measures are taken to control how exemption labels can be set. | `{}` | +| validatingWebhookCheckIgnoreFailurePolicy | The failurePolicy for the check-ignore-label validating webhook | `Fail` | +| validatingWebhookExemptNamespacesLabels | Additional namespace labels that will be exempt from the validating webhook. 
Please note that anyone in the cluster capable to manage namespaces will be able to skip all Gatekeeper validation by setting one of these labels for their namespace. | `{}` | +| validatingWebhookCustomRules | Custom rules for selecting which API resources trigger the webhook. Mutually exclusive with `enableDeleteOperations`. NOTE: If you change this, ensure all your constraints are still being enforced. | `{}` | +| enableDeleteOperations | Enable validating webhook for delete operations. Does not work with `validatingWebhookCustomRules` | `false` | +| enableExternalData | Enable external data | `true` | +| enableGeneratorResourceExpansion | Enable generator resource expansion (alpha feature) | `false` | +| enableTLSHealthcheck | Enable probing webhook API with certificate stored in certDir | `false` | +| maxServingThreads | Limit the number of concurrent calls the validation backend made by the validation webhook. -1 limits this value to GOMAXPROCS. Configuring this value may lower max RAM usage and limit CPU throttling, Tuning it can optimize serving capacity. | `-1` | +| metricsBackends | Metrics exporters to use. Valid exporters are: `prometheus`, `stackdriver`, and `opencensus` | `["prometheus"]` | +| mutatingWebhookName | The name of the `MutatingWebhookConfiguration` | `gatekeeper-mutating-webhook-configuration` | +| mutatingWebhookFailurePolicy | The failurePolicy for the mutating webhook | `Ignore` | +| mutatingWebhookReinvocationPolicy | The reinvocationPolicy for the mutating webhook | `Never` | +| mutatingWebhookAnnotations | The annotations to add to the MutatingWebhookConfiguration | `{}` | +| mutatingWebhookExemptNamespacesLabels | Additional namespace labels that will be exempt from the mutating webhook. Please note that anyone in the cluster capable to manage namespaces will be able to skip all Gatekeeper validation by setting one of these labels for their namespace. 
| `{}` | +| mutatingWebhookObjectSelector | The label selector to further refine which namespaced resources will be selected by the webhook. Please note that an exemption label means users can circumvent Gatekeeper's mutation webhook unless measures are taken to control how exemption labels can be set. | `{}` | +| mutatingWebhookTimeoutSeconds | The timeout for the mutating webhook in seconds | `3` | +| mutatingWebhookCustomRules | Custom rules for selecting which API resources trigger the webhook. NOTE: If you change this, ensure all your constraints are still being enforced. | `{}` | +| emitAdmissionEvents | Emit K8s events in configurable namespace for admission violations (alpha feature) | `false` | +| emitAuditEvents | Emit K8s events in configurable namespace for audit violations (alpha feature) | `false` | +| auditEventsInvolvedNamespace | Emit audit events for each violation in the involved objects namespace, the default (false) generates events in the namespace Gatekeeper is installed in. Audit events from cluster-scoped resources will continue to generate events in the namespace that Gatekeeper is installed in | `false` | +| admissionEventsInvolvedNamespace | Emit admission events for each violation in the involved objects namespace, the default (false) generates events in the namespace Gatekeeper is installed in. 
Admission events from cluster-scoped resources will continue to generate events in the namespace that Gatekeeper is installed in | `false` | +| logDenies | Log detailed info on each deny | `false` | +| logLevel | Minimum log level | `INFO` | +| image.pullPolicy | The image pull policy | `IfNotPresent` | +| image.repository | Image repository | `openpolicyagent/gatekeeper` | +| image.release | The image release tag to use | Current release version: `v3.12.0` | +| image.pullSecrets | Specify an array of imagePullSecrets | `[]` | +| resources | The resource request/limits for the container image | limits: 1 CPU, 512Mi, requests: 100mCPU, 256Mi | +| nodeSelector | The node selector to use for pod scheduling | `kubernetes.io/os: linux` | +| controllerManager.affinity | The node affinity to use for controller manager pod scheduling | `{}` | +| controllerManager.topologySpreadConstraints | The topology spread constraints to use for controller manager pod scheduling | `[]` | +| controllerManager.tolerations | The tolerations to use for controller manager pod scheduling | `[]` | +| controllerManager.healthPort | Health port for controller manager | `9090` | +| controllerManager.port | Webhook-server port for controller manager | `8443` | +| controllerManager.metricsPort | Metrics port for controller manager | `8888` | +| controllerManager.readinessTimeout | Timeout in seconds for the controller manager's readiness probe | `1` | +| controllerManager.livenessTimeout | Timeout in seconds for the controller manager's liveness probe | `1` | +| controllerManager.logLevel | The minimum log level for the controller manager, takes precedence over `logLevel` when specified | `null` +| controllerManager.priorityClassName | Priority class name for controller manager | `system-cluster-critical` | +| controllerManager.podSecurityContext | Security context on pod level for controller manager | {fsGroup: 999, suplementalGroups: [999]} | +| controllerManager.exemptNamespaces | The exact 
namespaces to exempt by the admission webhook | `[]` | +| controllerManager.exemptNamespacePrefixes | The namespace prefixes to exempt by the admission webhook | `[]` | +| controllerManager.hostNetwork | Enables controllerManager to be deployed on hostNetwork | `false` | +| controllerManager.dnsPolicy | Set the dnsPolicy for controllerManager pods | `ClusterFirst` | +| controllerManager.securityContext | Security context applied on the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 }` | +| controllerManager.tlsMinVersion | Set the minimum supported TLS version for validating and mutating webhook servers | `1.3` | +| controllerManager.extraRules | Extra rules for the gatekeeper-manager-role Role | `[]` | +| controllerManager.networkPolicy.enabled | Should a network policy for the controller manager be created | `false` | +| controllerManager.networkPolicy.ingress | Additional ingress rules to be added to the controller manager network policy | `{}` | +| audit.affinity | The node affinity to use for audit pod scheduling | `{}` | +| audit.topologySpreadConstraints | The topology spread constraints to use for audit pod scheduling | `[]` | +| audit.tolerations | The tolerations to use for audit pod scheduling | `[]` | +| audit.priorityClassName | Priority class name for audit controller | `system-cluster-critical` | +| audit.podSecurityContext | Security context for audit on pod level | {fsGroup: 999, suplementalGroups: [999]} | +| audit.hostNetwork | Enables audit to be deployed on hostNetwork | `false` | +| audit.dnsPolicy | Set the dnsPolicy for audit pods | `ClusterFirst` | +| audit.securityContext | Security context applied on the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 }` | +| audit.healthPort | Health port for 
audit | `9090` | +| audit.metricsPort | Metrics port for audit | `8888` | +| audit.readinessTimeout | Timeout in seconds for audit's readiness probe | `1` | +| audit.livenessTimeout | Timeout in seconds for the audit's liveness probe | `1` | +| audit.logLevel | The minimum log level for audit, takes precedence over `logLevel` when specified | `null` +| replicas | The number of Gatekeeper replicas to deploy for the webhook | `3` | +| podAnnotations | The annotations to add to the Gatekeeper pods | `container.seccomp.security.alpha.kubernetes.io/manager: runtime/default` | +| podLabels | The labels to add to the Gatekeeper pods | `{}` | +| podCountLimit | The maximum number of Gatekeeper pods to run | `100` | +| secretAnnotations | The annotations to add to the Gatekeeper secrets | `{}` | +| pdb.controllerManager.minAvailable | The number of controller manager pods that must still be available after an eviction | `1` | +| service.type | Service type | `ClusterIP` | +| service.loadBalancerIP | The IP address of LoadBalancer service | `` | +| service.healthzPort | Service port to gatekeeper Webhook health port | `9090` | +| rbac.create | Enable the creation of RBAC resources | `true` | +| externalCertInjection.enabled | Enable the injection of an external certificate. This disables automatic certificate generation and rotation | `false` | +| externalCertInjection.secretName | Name of secret for injected certificate | `gatekeeper-webhook-server-cert` | + +## Contributing Changes + +Please refer to [Contributing to Helm Chart](https://open-policy-agent.github.io/gatekeeper/website/docs/help#contributing-to-helm-chart) for modifying the Helm chart. diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/app-readme.md b/charts/rancher-gatekeeper/103.0.1+up3.12.0/app-readme.md new file mode 100644 index 000000000..dff688f51 --- /dev/null +++ b/charts/rancher-gatekeeper/103.0.1+up3.12.0/app-readme.md 
@@ -0,0 +1,32 @@
+# Rancher OPA Gatekeeper
+
+This chart is based off of the upstream [OPA Gatekeeper](https://github.com/open-policy-agent/gatekeeper/tree/master/charts/gatekeeper) chart.
+
+For more information on how to use the feature, refer to our [docs](https://rancher.com/docs/rancher/v2.x/en/opa-gatekeper/).
+
+The chart installs the following components:
+
+- OPA Gatekeeper Controller-Manager - OPA Gatekeeper is a policy engine for providing policy based governance for Kubernetes clusters. The controller installs as a [validating admission controller webhook](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#validatingadmissionwebhook) on the cluster and intercepts all admission requests that create, update or delete a resource in the cluster.
+- [Audit](https://github.com/open-policy-agent/gatekeeper#audit) - A periodic audit of the cluster resources against the enforced policies. Any existing resource that violates a policy will be recorded as violations.
+- [Constraint Template](https://github.com/open-policy-agent/gatekeeper#constraint-templates) - A template is a CRD (`ConstraintTemplate`) that defines the schema and Rego logic of a policy to be applied to the cluster by Gatekeeper's admission controller webhook. This chart installs a few default `ConstraintTemplate` custom resources.
+- [Constraint](https://github.com/open-policy-agent/gatekeeper#constraints) - A constraint is a custom resource that defines the scope of resources which a specific constraint template should apply to. The complete policy is defined by a combination of `ConstraintTemplates` (i.e. what the policy is) and `Constraints` (i.e. what resource to apply the policy to).
+
+For more information on how to configure the Helm chart, refer to the Helm README.
+
+## Upgrading to Kubernetes v1.25+
+
+Starting in Kubernetes v1.25, [Pod Security Policies](https://kubernetes.io/docs/concepts/security/pod-security-policy/) have been removed from the Kubernetes API.
+
+As a result, **before upgrading to Kubernetes v1.25** (or on a fresh install in a Kubernetes v1.25+ cluster), users are expected to perform an in-place upgrade of this chart with `global.cattle.psp.enabled` set to `false` if it has been previously set to `true`.
+
+> **Note:**
+> In this chart release, any previous field that was associated with any PSP resources have been removed in favor of a single global field: `global.cattle.psp.enabled`.
+
+> **Note:**
+> If you upgrade your cluster to Kubernetes v1.25+ before removing PSPs via a `helm upgrade` (even if you manually clean up resources), **it will leave the Helm release in a broken state within the cluster such that further Helm operations will not work (`helm uninstall`, `helm upgrade`, etc.).**
+>
+> If your charts get stuck in this state, please consult the Rancher docs on how to clean up your Helm release secrets.
+
+Upon setting `global.cattle.psp.enabled` to false, the chart will remove any PSP resources deployed on its behalf from the cluster. This is the default setting for this chart.
+
+As a replacement for PSPs, [Pod Security Admission](https://kubernetes.io/docs/concepts/security/pod-security-admission/) should be used. Please consult the Rancher docs for more details on how to configure your chart release namespaces to work with the new Pod Security Admission and apply Pod Security Standards.
diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/_helpers.tpl b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/_helpers.tpl
new file mode 100644
index 000000000..c71a8fb61
--- /dev/null
+++ b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/_helpers.tpl
@@ -0,0 +1,113 @@
+
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "gatekeeper.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "gatekeeper.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "gatekeeper.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Adds additional pod labels to the common ones
+*/}}
+{{- define "gatekeeper.podLabels" -}}
+{{- if .Values.podLabels }}
+{{- toYaml .Values.podLabels | nindent 8 }}
+{{- end }}
+{{- end -}}
+
+{{- define "system_default_registry" -}}
+{{- if .Values.global.cattle.systemDefaultRegistry -}}
+{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}}
+{{- else -}}
+{{- "" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Windows cluster will add default taint for linux nodes,
+add below linux tolerations to workloads could be scheduled to those linux nodes
+*/}}
+{{- define "linux-node-tolerations" -}}
+- key: "cattle.io/os"
+ value: "linux"
+ effect: "NoSchedule"
+ operator: "Equal"
+{{- end -}}
+
+{{- define "linux-node-selector" -}}
+kubernetes.io/os: linux
+{{- end -}}
+
+{{/*
+Output post install webhook probe container entry
+*/}}
+{{- define "gatekeeper.postInstallWebhookProbeContainer" -}}
+- name: webhook-probe-post
+ image: "{{ template "system_default_registry" . }}{{ .Values.postInstall.probeWebhook.image.repository }}:{{ .Values.postInstall.probeWebhook.image.tag }}"
+ imagePullPolicy: {{ .Values.postInstall.probeWebhook.image.pullPolicy }}
+ command:
+ - "curl"
+ args:
+ - "--retry"
+ - "99999"
+ - "--retry-max-time"
+ - "{{ .Values.postInstall.probeWebhook.waitTimeout }}"
+ - "--retry-delay"
+ - "1"
+ - "--max-time"
+ - "{{ .Values.postInstall.probeWebhook.httpTimeout }}"
+ {{- if .Values.postInstall.probeWebhook.insecureHTTPS }}
+ - "--insecure"
+ {{- else }}
+ - "--cacert"
+ - /certs/ca.crt
+ {{- end }}
+ - "-v"
+ - "https://gatekeeper-webhook-service.{{ .Release.Namespace }}.svc/v1/admitlabel?timeout=2s"
+ resources:
+ {{- toYaml .Values.postInstall.resources | nindent 4 }}
+ securityContext:
+ {{- if .Values.enableRuntimeDefaultSeccompProfile }}
+ seccompProfile:
+ type: RuntimeDefault
+ {{- end }}
+ {{- toYaml .Values.postInstall.securityContext | nindent 4 }}
+ volumeMounts:
+ - mountPath: /certs
+ name: cert
+ readOnly: true
+{{- end -}}
+
+{{/*
+Output post install webhook probe volume entry
+*/}}
+{{- define "gatekeeper.postInstallWebhookProbeVolume" -}}
+- name: cert
+ secret:
+ secretName: {{ .Values.externalCertInjection.secretName }}
+{{- end -}}
diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/allowedrepos.yaml b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/allowedrepos.yaml
new file mode 100644
index 000000000..9abb84ecb
--- /dev/null
+++ b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/allowedrepos.yaml
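Review bot: `gatekeeper.podLabels` bakes its caller's indentation into the helper (`toYaml .Values.podLabels | nindent 8`), so it only renders valid YAML when included at the exact depth of a pod template's `metadata.labels`; an include at any other depth would silently produce mis-nested labels rather than a template error. Its header comment should say so, e.g. `Adds additional pod labels to the common ones. Output is indented by 8 spaces and must be included directly under spec.template.metadata.labels.` The two probe helpers carry the same implicit contract (`nindent 4` and fixed list-item indentation) and deserve the same one-line note. `gatekeeper.postInstallWebhookProbeVolume` also references `.Values.externalCertInjection.secretName` unconditionally, so the container's `--cacert /certs/ca.crt` path relies on a secret of that name holding a `ca.crt` key even when external cert injection is off — presumably the chart-generated webhook secret uses the same name, which is worth stating in the define's comment.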
@@ -0,0 +1,35 @@
+apiVersion: templates.gatekeeper.sh/v1beta1
+kind: ConstraintTemplate
+metadata:
+ name: k8sallowedrepos
+spec:
+ crd:
+ spec:
+ names:
+ kind: K8sAllowedRepos
+ validation:
+ # Schema for the `parameters` field
+ openAPIV3Schema:
+ properties:
+ repos:
+ type: array
+ items:
+ type: string
+ targets:
+ - target: admission.k8s.gatekeeper.sh
+ rego: |
+ package k8sallowedrepos
+
+ violation[{"msg": msg}] {
+ container := input.review.object.spec.containers[_]
+ satisfied := [good | repo = input.parameters.repos[_] ; good = startswith(container.image, repo)]
+ not any(satisfied)
+ msg := sprintf("container <%v> has an invalid image repo <%v>, allowed repos are %v", [container.name, container.image, input.parameters.repos])
+ }
+
+ violation[{"msg": msg}] {
+ container := input.review.object.spec.initContainers[_]
+ satisfied := [good | repo = input.parameters.repos[_] ; good = startswith(container.image, repo)]
+ not any(satisfied)
+ msg := sprintf("container <%v> has an invalid image repo <%v>, allowed repos are %v", [container.name, container.image, input.parameters.repos])
+ }
diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-admin-podsecuritypolicy.yaml b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-admin-podsecuritypolicy.yaml
new file mode 100644
index 000000000..2c179e570
--- /dev/null
+++ b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-admin-podsecuritypolicy.yaml
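Review bot: Both `violation` rules match images with `startswith(container.image, repo)`, so a `repos` entry without a trailing `/` is a bare string prefix: a constructed example, `myregistry.example`, would also accept images under `myregistry.example.other/...`. The `repos` schema should document that, e.g. a `description: Prefixes that container images must start with; end each entry with a slash (for example "myregistry.example/") to pin it to one registry` next to `type: array`. The template also inspects only `spec.containers` and `spec.initContainers`; `spec.ephemeralContainers` is not checked, so a third rule mirroring the existing two would cover it, provided the validating webhook's rules include the `pods/ephemeralcontainers` subresource, which is outside this hunk.
```yaml
    rego: |
      package k8sallowedrepos

      # … unchanged: violation rules for spec.containers and spec.initContainers …

      violation[{"msg": msg}] {
        container := input.review.object.spec.ephemeralContainers[_]
        satisfied := [good | repo = input.parameters.repos[_] ; good = startswith(container.image, repo)]
        not any(satisfied)
        msg := sprintf("container <%v> has an invalid image repo <%v>, allowed repos are %v", [container.name, container.image, input.parameters.repos])
      }
```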
@@ -0,0 +1,38 @@
+{{- if .Values.global.cattle.psp.enabled }}
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ annotations:
+ seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
+ labels:
+ app: '{{ template "gatekeeper.name" . }}'
+ chart: '{{ template "gatekeeper.name" . }}'
+ gatekeeper.sh/system: "yes"
+ heritage: '{{ .Release.Service }}'
+ release: '{{ .Release.Name }}'
+ name: gatekeeper-admin
+spec:
+ allowPrivilegeEscalation: false
+ fsGroup:
+ ranges:
+ - max: 65535
+ min: 1
+ rule: MustRunAs
+ requiredDropCapabilities:
+ - ALL
+ runAsUser:
+ rule: MustRunAsNonRoot
+ seLinux:
+ rule: RunAsAny
+ supplementalGroups:
+ ranges:
+ - max: 65535
+ min: 1
+ rule: MustRunAs
+ volumes:
+ - configMap
+ - projected
+ - secret
+ - downwardAPI
+ - emptyDir
+{{- end }}
diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-admin-serviceaccount.yaml b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-admin-serviceaccount.yaml
new file mode 100644
index 000000000..4b68998cb
--- /dev/null
+++ b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-admin-serviceaccount.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ labels:
+ app: '{{ template "gatekeeper.name" . }}'
+ chart: '{{ template "gatekeeper.name" . }}'
+ gatekeeper.sh/system: "yes"
+ heritage: '{{ .Release.Service }}'
+ release: '{{ .Release.Name }}'
+ name: gatekeeper-admin
+ namespace: '{{ .Release.Namespace }}'
diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-audit-deployment.yaml b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-audit-deployment.yaml
new file mode 100644
index 000000000..a1adb6044
--- /dev/null
+++ b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-audit-deployment.yaml
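Review bot: The `seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'` annotation on the `gatekeeper-admin` PSP permits any seccomp profile, including `unconfined`, for pods admitted under it, while the rest of the spec (`MustRunAsNonRoot`, `requiredDropCapabilities: [ALL]`, `allowPrivilegeEscalation: false`) is deliberately restrictive. The README in this commit lists `runtime/default` as the chart's default pod seccomp annotation, so if the rendered workloads follow that default the annotation could be tightened to `'runtime/default'` (adding `docker/default` only if older runtimes must be supported) without affecting them. If `'*'` is kept on purpose to stay aligned with upstream, a comment above the annotation saying so would save the next reviewer the question. The `gatekeeper-admin-serviceaccount.yaml` hunk on the same line needs no change.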
@@ -0,0 +1,156 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app: '{{ template "gatekeeper.name" . }}'
+ chart: '{{ template "gatekeeper.name" . }}'
+ control-plane: audit-controller
+ gatekeeper.sh/operation: audit
+ gatekeeper.sh/system: "yes"
+ heritage: '{{ .Release.Service }}'
+ release: '{{ .Release.Name }}'
+ name: gatekeeper-audit
+ namespace: '{{ .Release.Namespace }}'
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: '{{ template "gatekeeper.name" . }}'
+ chart: '{{ template "gatekeeper.name" . }}'
+ control-plane: audit-controller
+ gatekeeper.sh/operation: audit
+ gatekeeper.sh/system: "yes"
+ heritage: '{{ .Release.Service }}'
+ release: '{{ .Release.Name }}'
+ template:
+ metadata:
+ annotations:
+ {{- if .Values.podAnnotations }}
+ {{- toYaml .Values.podAnnotations | trim | nindent 8 }}
+ {{- end }}
+ labels:
+{{- include "gatekeeper.podLabels" . }}
+ app: '{{ template "gatekeeper.name" . }}'
+ chart: '{{ template "gatekeeper.name" . }}'
+ control-plane: audit-controller
+ gatekeeper.sh/operation: audit
+ gatekeeper.sh/system: "yes"
+ heritage: '{{ .Release.Service }}'
+ release: '{{ .Release.Name }}'
+ spec:
+ affinity:
+ {{- toYaml .Values.audit.affinity | nindent 8 }}
+ automountServiceAccountToken: true
+ containers:
+ - image: '{{ template "system_default_registry" . }}{{ .Values.images.gatekeeper.repository }}:{{ .Values.images.gatekeeper.tag }}'
+ args:
+ - --audit-interval={{ .Values.auditInterval }}
+ - --log-level={{ (.Values.audit.logLevel | empty | not) | ternary .Values.audit.logLevel .Values.logLevel }}
+ - --constraint-violations-limit={{ .Values.constraintViolationsLimit }}
+ - --validating-webhook-configuration-name={{ .Values.validatingWebhookName }}
+ - --mutating-webhook-configuration-name={{ .Values.mutatingWebhookName }}
+ - --audit-from-cache={{ .Values.auditFromCache }}
+ - --audit-chunk-size={{ .Values.auditChunkSize }}
+ - --audit-match-kind-only={{ .Values.auditMatchKindOnly }}
+ - --emit-audit-events={{ .Values.emitAuditEvents }}
+ - --audit-events-involved-namespace={{ .Values.auditEventsInvolvedNamespace }}
+ - --operation=audit
+ - --operation=status
+ {{ if not .Values.disableMutation}}- --operation=mutation-status{{- end }}
+ - --logtostderr
+ - --health-addr=:{{ .Values.audit.healthPort }}
+ - --prometheus-port={{ .Values.audit.metricsPort }}
+ - --enable-external-data={{ .Values.enableExternalData }}
+ - --enable-generator-resource-expansion={{ .Values.enableGeneratorResourceExpansion }}
+
+ {{- range .Values.metricsBackends}}
+ - --metrics-backend={{ . }}
+ {{- end }}
+
+ {{- if .Values.audit.logFile}}
+ - --log-file={{ .Values.audit.logFile }}
+ {{- end }}
+ - --disable-cert-rotation={{ or .Values.audit.disableCertRotation .Values.externalCertInjection.enabled }}
+ command:
+ - /manager
+ env:
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: CONTAINER_NAME
+ value: manager
+ imagePullPolicy: '{{ .Values.images.pullPolicy }}'
+ livenessProbe:
+ httpGet:
+ path: /healthz
+ port: {{ .Values.audit.healthPort }}
+ timeoutSeconds: {{ .Values.audit.livenessTimeout }}
+ name: manager
+ ports:
+ - containerPort: {{ .Values.audit.metricsPort }}
+ name: metrics
+ protocol: TCP
+ - containerPort: {{ .Values.audit.healthPort }}
+ name: healthz
+ protocol: TCP
+ readinessProbe:
+ httpGet:
+ path: /readyz
+ port: {{ .Values.audit.healthPort }}
+ timeoutSeconds: {{ .Values.audit.readinessTimeout }}
+ resources:
+ {{- toYaml .Values.audit.resources | nindent 10 }}
+ securityContext:
+ {{- if .Values.enableRuntimeDefaultSeccompProfile }}
+ seccompProfile:
+ type: RuntimeDefault
+ {{- end }}
+ {{- toYaml .Values.audit.securityContext | nindent 10}}
+ volumeMounts:
+ - mountPath: /certs
+ name: cert
+ readOnly: true
+ - mountPath: /tmp/audit
+ name: tmp-volume
+ dnsPolicy: {{ .Values.audit.dnsPolicy }}
+ hostNetwork: {{ .Values.audit.hostNetwork }}
+ imagePullSecrets:
+ {{- toYaml .Values.images.pullSecrets | nindent 8 }}
+ nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
+{{- if .Values.audit.nodeSelector }}
+{{ toYaml .Values.audit.nodeSelector | indent 8 }}
+{{- end }}
+ {{- if .Values.audit.priorityClassName }}
+ priorityClassName: {{ .Values.audit.priorityClassName }}
+ {{- end }}
+ securityContext:
+ {{- toYaml .Values.audit.podSecurityContext | nindent 8 }}
+ serviceAccountName: gatekeeper-admin
+ terminationGracePeriodSeconds: 60
+ tolerations: {{ include "linux-node-tolerations" . | nindent 8 }}
+{{- if .Values.audit.tolerations }}
+{{ toYaml .Values.audit.tolerations | indent 8 }}
+{{- end }}
+ volumes:
+ - name: cert
+ secret:
+ defaultMode: 420
+ secretName: gatekeeper-webhook-server-cert
+ {{- if .Values.audit.writeToRAMDisk }}
+ - emptyDir:
+ medium: Memory
+ {{ else }}
+ - emptyDir: {}
+ {{- end }}
+ name: tmp-volume
diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-controller-manager-deployment.yaml b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-controller-manager-deployment.yaml
new file mode 100644
index 000000000..5eb8c9b42
--- /dev/null
+++ b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-controller-manager-deployment.yaml
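Review bot: `hostNetwork: {{ .Values.audit.hostNetwork }}` is taken straight from values, but the chart's PSP (rendered when `global.cattle.psp.enabled`) does not allow `hostNetwork`, and enabling it also binds the `metrics` and `healthz` container ports on the node's interfaces; a comment on that line, e.g. `# host networking exposes metrics/healthz on the node and is rejected by the gatekeeper-admin PSP`, would make both consequences explicit. `automountServiceAccountToken: true` is deliberate here — the audit manager lists cluster objects with the `gatekeeper-admin` token — but because that ServiceAccount also carries cluster-wide read, a short `# required: audit reads cluster resources via the gatekeeper-admin ClusterRole` comment documents why the token is mounted. The container `securityContext` is entirely values-driven (`audit.securityContext`), so the hardening level cannot be judged from this template alone.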
@@ -0,0 +1,169 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app: '{{ template "gatekeeper.name" . }}'
+ chart: '{{ template "gatekeeper.name" . }}'
+ control-plane: controller-manager
+ gatekeeper.sh/operation: webhook
+ gatekeeper.sh/system: "yes"
+ heritage: '{{ .Release.Service }}'
+ release: '{{ .Release.Name }}'
+ name: gatekeeper-controller-manager
+ namespace: '{{ .Release.Namespace }}'
+spec:
+ replicas: {{ .Values.replicas }}
+ selector:
+ matchLabels:
+ app: '{{ template "gatekeeper.name" . }}'
+ chart: '{{ template "gatekeeper.name" . }}'
+ control-plane: controller-manager
+ gatekeeper.sh/operation: webhook
+ gatekeeper.sh/system: "yes"
+ heritage: '{{ .Release.Service }}'
+ release: '{{ .Release.Name }}'
+ template:
+ metadata:
+ annotations:
+ {{- if .Values.podAnnotations }}
+ {{- toYaml .Values.podAnnotations | trim | nindent 8 }}
+ {{- end }}
+ labels:
+{{- include "gatekeeper.podLabels" . }}
+ app: '{{ template "gatekeeper.name" . }}'
+ chart: '{{ template "gatekeeper.name" . }}'
+ control-plane: controller-manager
+ gatekeeper.sh/operation: webhook
+ gatekeeper.sh/system: "yes"
+ heritage: '{{ .Release.Service }}'
+ release: '{{ .Release.Name }}'
+ spec:
+ affinity:
+ {{- toYaml .Values.controllerManager.affinity | nindent 8 }}
+ automountServiceAccountToken: true
+ containers:
+ - image: '{{ template "system_default_registry" . }}{{ .Values.images.gatekeeper.repository }}:{{ .Values.images.gatekeeper.tag }}'
+ imagePullPolicy: '{{ .Values.images.pullPolicy }}'
+ args:
+ - --port={{ .Values.controllerManager.port }}
+ - --health-addr=:{{ .Values.controllerManager.healthPort }}
+ - --prometheus-port={{ .Values.controllerManager.metricsPort }}
+ - --logtostderr
+ - --log-denies={{ .Values.logDenies }}
+ - --emit-admission-events={{ .Values.emitAdmissionEvents }}
+ - --admission-events-involved-namespace={{ .Values.admissionEventsInvolvedNamespace }}
+ - --log-level={{ (.Values.controllerManager.logLevel | empty | not) | ternary .Values.controllerManager.logLevel .Values.logLevel }}
+ - --exempt-namespace={{ .Release.Namespace }}
+ - --operation=webhook
+ - --enable-external-data={{ .Values.enableExternalData }}
+ - --enable-generator-resource-expansion={{ .Values.enableGeneratorResourceExpansion }}
+ - --log-mutations={{ .Values.logMutations }}
+ - --mutation-annotations={{ .Values.mutationAnnotations }}
+ - --disable-cert-rotation={{ .Values.controllerManager.disableCertRotation }}
+ - --max-serving-threads={{ .Values.maxServingThreads }}
+ - --tls-min-version={{ .Values.controllerManager.tlsMinVersion }}
+ {{ if ne .Values.controllerManager.clientCertName "" }}- --client-cert-name={{ .Values.controllerManager.clientCertName }}{{- end }}
+
+ {{- range .Values.metricsBackends}}
+ - --metrics-backend={{ . }}
+ {{- end }}
+ {{ if .Values.enableTLSHealthcheck}}- --enable-tls-healthcheck{{- end }}
+ {{ if not .Values.disableMutation}}- --operation=mutation-webhook{{- end }}
+
+ {{- range .Values.disabledBuiltins}}
+ - --disable-opa-builtin={{ . }}
+ {{- end }}
+
+ {{- range .Values.controllerManager.exemptNamespaces}}
+ - --exempt-namespace={{ . }}
+ {{- end }}
+
+ {{- range .Values.controllerManager.exemptNamespacePrefixes}}
+ - --exempt-namespace-prefix={{ . }}
+ {{- end }}
+
+ {{- range .Values.controllerManager.exemptNamespaceSuffixes}}
+ - --exempt-namespace-suffix={{ . }}
+ {{- end }}
+
+ {{- if .Values.controllerManager.logFile}}
+ - --log-file={{ .Values.controllerManager.logFile }}
+ {{- end }}
+ command:
+ - /manager
+ env:
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: CONTAINER_NAME
+ value: manager
+ livenessProbe:
+ httpGet:
+ path: /healthz
+ port: {{ .Values.controllerManager.healthPort }}
+ timeoutSeconds: {{ .Values.controllerManager.livenessTimeout }}
+ name: manager
+ ports:
+ - containerPort: {{ .Values.controllerManager.port }}
+ name: webhook-server
+ protocol: TCP
+ - containerPort: {{ .Values.controllerManager.metricsPort }}
+ name: metrics
+ protocol: TCP
+ - containerPort: {{ .Values.controllerManager.healthPort }}
+ name: healthz
+ protocol: TCP
+ readinessProbe:
+ httpGet:
+ path: /readyz
+ port: {{ .Values.controllerManager.healthPort }}
+ timeoutSeconds: {{ .Values.controllerManager.readinessTimeout }}
+ resources:
+ {{- toYaml .Values.controllerManager.resources | nindent 10 }}
+ securityContext:
+ {{- if .Values.enableRuntimeDefaultSeccompProfile }}
+ seccompProfile:
+ type: RuntimeDefault
+ {{- end }}
+ {{- toYaml .Values.controllerManager.securityContext | nindent 10}}
+ volumeMounts:
+ - mountPath: /certs
+ name: cert
+ readOnly: true
+ dnsPolicy: {{ .Values.controllerManager.dnsPolicy }}
+ hostNetwork: {{ .Values.controllerManager.hostNetwork }}
+ imagePullSecrets:
+ {{- toYaml .Values.images.pullSecrets | nindent 8 }}
+ nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
+{{- if .Values.controllerManager.nodeSelector }}
+{{ toYaml .Values.controllerManager.nodeSelector | indent 8 }}
+{{- end }}
+ {{- if .Values.controllerManager.priorityClassName }}
+ priorityClassName: {{ .Values.controllerManager.priorityClassName }}
+ {{- end }}
+ securityContext:
+ {{- toYaml .Values.controllerManager.podSecurityContext | nindent 8 }}
+ serviceAccountName: gatekeeper-admin
+ terminationGracePeriodSeconds: 60
+ tolerations: {{ include "linux-node-tolerations" . | nindent 8 }}
+{{- if .Values.controllerManager.tolerations }}
+{{ toYaml .Values.controllerManager.tolerations | indent 8 }}
+{{- end }}
+ topologySpreadConstraints:
+ {{- toYaml .Values.controllerManager.topologySpreadConstraints | nindent 8 }}
+ volumes:
+ - name: cert
+ secret:
+ defaultMode: 420
+ secretName: gatekeeper-webhook-server-cert
diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-controller-manager-network-policy.yaml b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-controller-manager-network-policy.yaml
new file mode 100644
index 000000000..e05213feb
--- /dev/null
+++ b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-controller-manager-network-policy.yaml
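Review bot: `--disable-cert-rotation={{ .Values.controllerManager.disableCertRotation }}` ignores `externalCertInjection.enabled`, whereas the audit Deployment passes `{{ or .Values.audit.disableCertRotation .Values.externalCertInjection.enabled }}`; an operator who turns on external cert injection but forgets `controllerManager.disableCertRotation: true` leaves the built-in rotator (which upstream runs in the webhook pod) free to overwrite the injected `gatekeeper-webhook-server-cert`, after which the CA bundle the injector placed in the webhook configurations no longer matches and, under an `Ignore` failurePolicy, policy is silently bypassed. Aligning the two is one line: `- --disable-cert-rotation={{ or .Values.controllerManager.disableCertRotation .Values.externalCertInjection.enabled }}`; if the asymmetry is intentional, a comment saying so at that line would help. Note also that `--client-cert-name` is only passed when `controllerManager.clientCertName` is non-empty, which suggests that by default the webhook server does not verify who is calling it — relevant if the Service is ever exposed beyond ClusterIP.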
@@ -0,0 +1,30 @@
+{{- if .Values.controllerManager.networkPolicy.enabled -}}
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+ labels:
+ app: '{{ template "gatekeeper.name" . }}'
+ chart: '{{ template "gatekeeper.name" . }}'
+ heritage: '{{ .Release.Service }}'
+ release: '{{ .Release.Name }}'
+ name: gatekeeper-controller-manager
+spec:
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ app: '{{ template "gatekeeper.name" . }}'
+ release: '{{ .Release.Name }}'
+ {{- with .Values.controllerManager.networkPolicy.ingress }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ podSelector:
+ matchLabels:
+ app: '{{ template "gatekeeper.name" . }}'
+ chart: '{{ template "gatekeeper.name" . }}'
+ control-plane: controller-manager
+ gatekeeper.sh/operation: webhook
+ gatekeeper.sh/system: "yes"
+ heritage: '{{ .Release.Service }}'
+ release: '{{ .Release.Name }}'
+{{- end -}}
diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-controller-manager-poddisruptionbudget.yaml b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-controller-manager-poddisruptionbudget.yaml
new file mode 100644
index 000000000..424f6a67c
--- /dev/null
+++ b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-controller-manager-poddisruptionbudget.yaml
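Review bot: The only built-in `ingress.from` entry is a `podSelector` for pods carrying this chart's `app`/`release` labels, but the caller this policy must admit is the kube-apiserver, which on many distributions is not a pod at all (or runs in `kube-system` without these labels); enabling `controllerManager.networkPolicy.enabled` without also filling `controllerManager.networkPolicy.ingress` therefore blocks admission requests to `webhook-server`, and because the webhooks use a configurable `failurePolicy`, an `Ignore` setting turns that outage into a silent policy bypass rather than a visible error. A comment above `ingress:` should state the dependency, e.g. `# The default rule only admits other gatekeeper pods; add an ipBlock/namespaceSelector rule for the kube-apiserver via .Values.controllerManager.networkPolicy.ingress or admission calls will be dropped`. No `policyTypes` is set, so this is ingress-only and egress to the apiserver and to external-data providers is unaffected.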
@@ -0,0 +1,24 @@
+{{- $v1 := .Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget" -}}
+{{- $v1beta1 := .Capabilities.APIVersions.Has "policy/v1beta1/PodDisruptionBudget" -}}
+apiVersion: policy/v1{{- if and (not $v1) $v1beta1 -}}beta1{{- end }}
+kind: PodDisruptionBudget
+metadata:
+ labels:
+ app: '{{ template "gatekeeper.name" . }}'
+ chart: '{{ template "gatekeeper.name" . }}'
+ gatekeeper.sh/system: "yes"
+ heritage: '{{ .Release.Service }}'
+ release: '{{ .Release.Name }}'
+ name: gatekeeper-controller-manager
+ namespace: '{{ .Release.Namespace }}'
+spec:
+ minAvailable: {{ .Values.pdb.controllerManager.minAvailable }}
+ selector:
+ matchLabels:
+ app: '{{ template "gatekeeper.name" . }}'
+ chart: '{{ template "gatekeeper.name" . }}'
+ control-plane: controller-manager
+ gatekeeper.sh/operation: webhook
+ gatekeeper.sh/system: "yes"
+ heritage: '{{ .Release.Service }}'
+ release: '{{ .Release.Name }}'
diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-critical-pods-resourcequota.yaml b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-critical-pods-resourcequota.yaml
new file mode 100644
index 000000000..154646366
--- /dev/null
+++ b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-critical-pods-resourcequota.yaml
@@ -0,0 +1,23 @@
+{{- if .Values.resourceQuota }}
+apiVersion: v1
+kind: ResourceQuota
+metadata:
+ labels:
+ app: '{{ template "gatekeeper.name" . }}'
+ chart: '{{ template "gatekeeper.name" . }}'
+ gatekeeper.sh/system: "yes"
+ heritage: '{{ .Release.Service }}'
+ release: '{{ .Release.Name }}'
+ name: gatekeeper-critical-pods
+ namespace: '{{ .Release.Namespace }}'
+spec:
+ hard:
+ pods: {{ .Values.podCountLimit }}
+ scopeSelector:
+ matchExpressions:
+ - operator: In
+ scopeName: PriorityClass
+ values:
+ - {{ .Values.controllerManager.priorityClassName }}
+ - {{ .Values.audit.priorityClassName }}
+{{- end }}
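Review bot: In the ResourceQuota, the `scopeSelector` `values` render `controllerManager.priorityClassName` and `audit.priorityClassName` unquoted and unconditionally, whereas the Deployments only emit `priorityClassName` when the value is non-empty; an empty value here produces a bare `- ` (YAML null) entry that the API server rejects, and a class name that YAML would retype (digits, `yes`/`no`) is silently changed. Quoting both entries, `- '{{ .Values.controllerManager.priorityClassName }}'` and `- '{{ .Values.audit.priorityClassName }}'`, removes the retyping and makes the empty case an explicit empty string; whether `resourceQuota` should additionally be gated on both names being set deserves a comment at `{{- if .Values.resourceQuota }}`. For the PDB, `minAvailable` must stay below `replicas` or node drains stall indefinitely, which is worth a one-line note at `minAvailable:`.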
diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-manager-role-clusterrole.yaml b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-manager-role-clusterrole.yaml
new file mode 100644
index 000000000..37ac19cc1
--- /dev/null
+++ b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-manager-role-clusterrole.yaml
@@ -0,0 +1,174 @@
+{{- if .Values.rbac.create }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ creationTimestamp: null
+ labels:
+ app: '{{ template "gatekeeper.name" . }}'
+ chart: '{{ template "gatekeeper.name" . }}'
+ gatekeeper.sh/system: "yes"
+ heritage: '{{ .Release.Service }}'
+ release: '{{ .Release.Name }}'
+ name: gatekeeper-manager-role
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
+- apiGroups:
+ - '*'
+ resources:
+ - '*'
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - admissionregistration.k8s.io
+ resourceNames:
+ - {{ .Values.mutatingWebhookName }}
+ resources:
+ - mutatingwebhookconfigurations
+ verbs:
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - apiextensions.k8s.io
+ resources:
+ - customresourcedefinitions
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - config.gatekeeper.sh
+ resources:
+ - configs
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - config.gatekee
per.sh
+ resources:
+ - configs/status
+ verbs:
+ - get
+ - patch
+ - update
+- apiGroups:
+ - constraints.gatekeeper.sh
+ resources:
+ - '*'
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - externaldata.gatekeeper.sh
+ resources:
+ - providers
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - mutations.gatekeeper.sh
+ resources:
+ - '*'
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+{{- if .Values.global.cattle.psp.enabled }}
+- apiGroups:
+ - policy
+ resourceNames:
+ - gatekeeper-admin
+ resources:
+ - podsecuritypolicies
+ verbs:
+ - use
+{{- end }}
+- apiGroups:
+ - status.gatekeeper.sh
+ resources:
+ - '*'
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - templates.gatekeeper.sh
+ resources:
+ - constrainttemplates
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - templates.gatekeeper.sh
+ resources:
+ - constrainttemplates/finalizers
+ verbs:
+ - delete
+ - get
+ - patch
+ - update
+- apiGroups:
+ - templates.gatekeeper.sh
+ resources:
+ - constrainttemplates/status
+ verbs:
+ - get
+ - patch
+ - update
+- apiGroups:
+ - admissionregistration.k8s.io
+ resourceNames:
+ - {{ .Values.validatingWebhookName }}
+ resources:
+ - validatingwebhookconfigurations
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+{{- end }}
diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-manager-role-role.yaml b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-manager-role-role.yaml
new file mode 100644
index 000000000..1018dcdb6
--- /dev/null
+++ b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-manager-role-role.yaml
@@ -0,0 +1,37 @@
+{{- if .Values.rbac.create }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ creationTimestamp: null
+ labels:
+ app: '{{ template "gatekeeper.name" . }}'
+ chart: '{{ template "gatekeeper.name" . }}'
+ gatekeeper.sh/system: "yes"
+ heritage: '{{ .Release.Service }}'
+ release: '{{ .Release.Name }}'
+ name: gatekeeper-manager-role
+ namespace: '{{ .Release.Namespace }}'
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
+- apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+{{- with .Values.controllerManager.extraRules }}
+ {{- toYaml . | nindent 0 }}
+{{- end }}
+{{- end }}
diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-manager-rolebinding-clusterrolebinding.yaml b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-manager-rolebinding-clusterrolebinding.yaml
new file mode 100644
index 000000000..1fb9f6c87
--- /dev/null
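Review bot: The rule granting `get`/`list`/`watch` on apiGroup `'*'`, resource `'*'` gives the `gatekeeper-admin` ServiceAccount read access to every object in the cluster, Secrets included; Gatekeeper needs broad read for audit and for whatever kinds a `Config` asks it to sync, but the same ServiceAccount is used by the network-exposed webhook Deployment, so a compromise of the webhook pod also yields cluster-wide Secret read. This matches upstream, so the ask is documentation: a comment above that rule such as `# Cluster-wide read is required for audit and for syncing kinds listed in config.gatekeeper.sh/Config; it includes Secrets, so treat gatekeeper-admin as a highly privileged identity`, and possibly a follow-up that gives audit and webhook separate ServiceAccounts. The `customresourcedefinitions` create/delete verbs are likewise needed because each ConstraintTemplate materialises a CRD, and the namespaced Role's full CRUD on `secrets` is what lets the cert rotator manage `gatekeeper-webhook-server-cert`; both deserve a `# why` comment rather than a change.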
+++ b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-manager-rolebinding-clusterrolebinding.yaml
@@ -0,0 +1,20 @@
+{{- if .Values.rbac.create }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ labels:
+ app: '{{ template "gatekeeper.name" . }}'
+ chart: '{{ template "gatekeeper.name" . }}'
+ gatekeeper.sh/system: "yes"
+ heritage: '{{ .Release.Service }}'
+ release: '{{ .Release.Name }}'
+ name: gatekeeper-manager-rolebinding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: gatekeeper-manager-role
+subjects:
+- kind: ServiceAccount
+ name: gatekeeper-admin
+ namespace: '{{ .Release.Namespace }}'
+{{- end }}
diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-manager-rolebinding-rolebinding.yaml b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-manager-rolebinding-rolebinding.yaml
new file mode 100644
index 000000000..fbe9580d5
--- /dev/null
+++ b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-manager-rolebinding-rolebinding.yaml
@@ -0,0 +1,21 @@
+{{- if .Values.rbac.create }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ labels:
+ app: '{{ template "gatekeeper.name" . }}'
+ chart: '{{ template "gatekeeper.name" . }}'
+ gatekeeper.sh/system: "yes"
+ heritage: '{{ .Release.Service }}'
+ release: '{{ .Release.Name }}'
+ name: gatekeeper-manager-rolebinding
+ namespace: '{{ .Release.Namespace }}'
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: gatekeeper-manager-role
+subjects:
+- kind: ServiceAccount
+ name: gatekeeper-admin
+ namespace: '{{ .Release.Namespace }}'
+{{- end }}
diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml
new file mode 100644
index 000000000..0bc3bc43e
--- /dev/null
+++ b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml
@@ -0,0 +1,60 @@
+{{- if not .Values.disableMutation }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+ annotations: {{- toYaml .Values.mutatingWebhookAnnotations | trim | nindent 4 }}
+ labels:
+ app: '{{ template "gatekeeper.name" . }}'
+ chart: '{{ template "gatekeeper.name" . }}'
+ gatekeeper.sh/system: "yes"
+ heritage: '{{ .Release.Service }}'
+ release: '{{ .Release.Name }}'
+ name: '{{ .Values.mutatingWebhookName }}'
+webhooks:
+- admissionReviewVersions:
+ - v1
+ - v1beta1
+ clientConfig:
+ service:
+ name: gatekeeper-webhook-service
+ namespace: '{{ .Release.Namespace }}'
+ path: /v1/mutate
+ failurePolicy: {{ .Values.mutatingWebhookFailurePolicy }}
+ matchPolicy: Exact
+ name: mutation.gatekeeper.sh
+ namespaceSelector:
+ matchExpressions:
+ - key: admission.gatekeeper.sh/ignore
+ operator: DoesNotExist
+ - key: kubernetes.io/metadata.name
+ operator: NotIn
+ values:
+ - {{ .Release.Namespace }}
+
+ {{- range $key, $value := .Values.mutatingWebhookExemptNamespacesLabels}}
+ - key: {{ $key }}
+ operator: NotIn
+ values:
+ {{- range $value }}
+ - {{ . }}
+ {{- end }}
+ {{- end }}
+ objectSelector: {{ toYaml .Values.mutatingWebhookObjectSelector }}
+ reinvocationPolicy: {{ .Values.mutatingWebhookReinvocationPolicy }}
+ rules:
+ {{- if .Values.mutatingWebhookCustomRules }}
+ {{- toYaml .Values.mutatingWebhookCustomRules | nindent 2 }}
+ {{- else }}
+ - apiGroups:
+ - '*'
+ apiVersions:
+ - '*'
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - '*'
+ {{- end }}
+ sideEffects: None
+ timeoutSeconds: {{ .Values.mutatingWebhookTimeoutSeconds }}
+{{- end }}
diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml
new file mode 100644
index 000000000..f0dd85d5e
--- /dev/null
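Review bot: `objectSelector: {{ toYaml .Values.mutatingWebhookObjectSelector }}` inlines the `toYaml` output on the key's own line, which is only valid YAML while the value is `{}`; a real selector such as `matchLabels: {team: a}` renders as a multi-line block glued to `objectSelector: ` and the chart fails to render, so anyone scoping mutation to a label set hits a hard failure (the validating template has the same construct). `objectSelector: {{- toYaml .Values.mutatingWebhookObjectSelector | nindent 4 }}` renders both the empty and the populated case correctly. Also worth a comment at the `admission.gatekeeper.sh/ignore` `DoesNotExist` expression: that label is guarded only by the `check-ignore-label` webhook in the validating configuration, so with `disableValidatingWebhook: true` anyone who can label a namespace can exempt it from mutation.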
+++ b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml 
@@ -0,0 +1,109 @@
+{{- if not .Values.disableValidatingWebhook }}
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+ annotations: {{- toYaml .Values.validatingWebhookAnnotations | trim | nindent 4 }}
+ labels:
+ app: '{{ template "gatekeeper.name" . }}'
+ chart: '{{ template "gatekeeper.name" . }}'
+ gatekeeper.sh/system: "yes"
+ heritage: '{{ .Release.Service }}'
+ release: '{{ .Release.Name }}'
+ name: '{{ .Values.validatingWebhookName }}'
+webhooks:
+- admissionReviewVersions:
+ - v1
+ - v1beta1
+ clientConfig:
+ service:
+ name: gatekeeper-webhook-service
+ namespace: '{{ .Release.Namespace }}'
+ path: /v1/admit
+ failurePolicy: {{ .Values.validatingWebhookFailurePolicy }}
+ matchPolicy: Exact
+ name: validation.gatekeeper.sh
+ namespaceSelector:
+ matchExpressions:
+ - key: admission.gatekeeper.sh/ignore
+ operator: DoesNotExist
+ - key: kubernetes.io/metadata.name
+ operator: NotIn
+ values:
+ - {{ .Release.Namespace }}
+
+ {{- range $key, $value := .Values.validatingWebhookExemptNamespacesLabels}}
+ - key: {{ $key }}
+ operator: NotIn
+ values:
+ {{- range $value }}
+ - {{ . }}
+ {{- end }}
+ {{- end }}
+ objectSelector: {{ toYaml .Values.validatingWebhookObjectSelector }}
+ rules:
+ {{- if .Values.validatingWebhookCustomRules }}
+ {{- toYaml .Values.validatingWebhookCustomRules | nindent 2 }}
+ {{- else }}
+ - apiGroups:
+ - '*'
+ apiVersions:
+ - '*'
+ operations:
+ - CREATE
+ - UPDATE
+ {{- if .Values.enableDeleteOperations }}
+ - DELETE
+ {{- end }}
+ resources:
+ - '*'
+ # Explicitly list all known subresources except "status" (to avoid destabilizing the cluster and increasing load on gatekeeper).
+ # You can find a rough list of subresources by doing a case-sensitive search in the Kubernetes codebase for 'Subresource("'
+ - 'pods/ephemeralcontainers'
+ - 'pods/exec'
+ - 'pods/log'
+ - 'pods/eviction'
+ - 'pods/portforward'
+ - 'pods/proxy'
+ - 'pods/attach'
+ - 'pods/binding'
+ - 'deployments/scale'
+ - 'replicasets/scale'
+ - 'statefulsets/scale'
+ - 'replicationcontrollers/scale'
+ - 'services/proxy'
+ - 'nodes/proxy'
+ # For constraints that mitigate CVE-2020-8554
+ - 'services/status'
+ {{- end }}
+ sideEffects: None
+ timeoutSeconds: {{ .Values.validatingWebhookTimeoutSeconds }}
+- admissionReviewVersions:
+ - v1
+ - v1beta1
+ clientConfig:
+ service:
+ name: gatekeeper-webhook-service
+ namespace: '{{ .Release.Namespace }}'
+ path: /v1/admitlabel
+ failurePolicy: {{ .Values.validatingWebhookCheckIgnoreFailurePolicy }}
+ matchPolicy: Exact
+ name: check-ignore-label.gatekeeper.sh
+ namespaceSelector:
+ matchExpressions:
+ - key: kubernetes.io/metadata.name
+ operator: NotIn
+ values:
+ - {{ .Release.Namespace }}
+ rules:
+ - apiGroups:
+ - ""
+ apiVersions:
+ - '*'
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - namespaces
+ sideEffects: None
+ timeoutSeconds: {{ .Values.validatingWebhookTimeoutSeconds }}
+{{- end }}
diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-webhook-server-cert-secret.yaml b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-webhook-server-cert-secret.yaml
new file mode 100644
index 000000000..a841780a5
--- /dev/null
+++ b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-webhook-server-cert-secret.yaml
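Review bot: The `admission.gatekeeper.sh/ignore` namespace-label exemption used by the first webhook's `namespaceSelector` is protected only by the second webhook (`check-ignore-label.gatekeeper.sh`), whose `failurePolicy` comes from `validatingWebhookCheckIgnoreFailurePolicy`; if that value is `Ignore`, a webhook outage lets anyone with namespace label rights add the label, and the exemption persists after the outage ends. The values default is not in this hunk, so a template comment pinning the intent would help, e.g. `# Guards the admission.gatekeeper.sh/ignore label; keep failurePolicy Fail - Ignore turns a webhook outage into a permanent policy exemption`. The main webhook's `failurePolicy`/`timeoutSeconds` pair deserves the same note, since `Ignore` is the standard fail-open path under load, and both this `kubernetes.io/metadata.name NotIn` expression and the controller's `--exempt-namespace={{ .Release.Namespace }}` flag exclude the release namespace, so workloads placed there are never policed.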
@@ -0,0 +1,14 @@
+{{- if not .Values.externalCertInjection.enabled }}
+apiVersion: v1
+kind: Secret
+metadata:
+ annotations: {{- toYaml .Values.secretAnnotations | trim | nindent 4 }}
+ labels:
+ app: '{{ template "gatekeeper.name" . }}'
+ chart: '{{ template "gatekeeper.name" . }}'
+ gatekeeper.sh/system: "yes"
+ heritage: '{{ .Release.Service }}'
+ release: '{{ .Release.Name }}'
+ name: gatekeeper-webhook-server-cert
+ namespace: '{{ .Release.Namespace }}'
+{{- end }}
diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-webhook-service-service.yaml b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-webhook-service-service.yaml
new file mode 100644
index 000000000..3c0f4453a
--- /dev/null
+++ b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-webhook-service-service.yaml
@@ -0,0 +1,38 @@
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app: '{{ template "gatekeeper.name" . }}'
+ chart: '{{ template "gatekeeper.name" . }}'
+ gatekeeper.sh/system: "yes"
+ heritage: '{{ .Release.Service }}'
+ release: '{{ .Release.Name }}'
+ name: gatekeeper-webhook-service
+ namespace: '{{ .Release.Namespace }}'
+spec:
+
+ ports:
+ - name: https-webhook-server
+ port: 443
+ targetPort: webhook-server
+{{- if .Values.service }}
+{{- if .Values.service.healthzPort }}
+ - name: http-webhook-healthz
+ port: {{ .Values.service.healthzPort }}
+ targetPort: healthz
+ {{- end }}
+ {{- end }}
+ {{- if .Values.service }}
+ type: {{ .Values.service.type | default "ClusterIP" }}
+ {{- if .Values.service.loadBalancerIP }}
+ loadBalancerIP: {{ .Values.service.loadBalancerIP }}
+ {{- end }}
+ {{- end }}
+ selector:
+ app: '{{ template "gatekeeper.name" . }}'
+ chart: '{{ template "gatekeeper.name" . }}'
+ control-plane: controller-manager
+ gatekeeper.sh/operation: webhook
+ gatekeeper.sh/system: "yes"
+ heritage: '{{ .Release.Service }}'
+ release: '{{ .Release.Name }}'
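Review bot: The Service takes `service.type` and `loadBalancerIP` from values, so a `LoadBalancer` or `NodePort` type publishes the admission endpoint (and, when `service.healthzPort` is set, the plain-HTTP healthz) outside the cluster, while the kube-apiserver only needs ClusterIP reachability; the controller-manager template only passes `--client-cert-name` when `controllerManager.clientCertName` is set, which suggests the exposed endpoint has no caller authentication by default. A comment at `type:` such as `# ClusterIP is sufficient for the apiserver; if another type is used, set controllerManager.clientCertName so the server verifies its callers` documents the coupling. The Secret in the first hunk is intentionally empty — it is filled at runtime by the cert rotator, or skipped entirely under `externalCertInjection.enabled` — and a `# populated at runtime by the cert controller; do not add data here` note would stop someone treating that as a bug.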
diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/namespace-post-install.yaml b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/namespace-post-install.yaml
new file mode 100644
index 000000000..4b4559df9
--- /dev/null
+++ b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/namespace-post-install.yaml
@@ -0,0 +1,165 @@ +{{- if .Values.postInstall.labelNamespace.enabled }} +apiVersion: batch/v1 +kind: Job +metadata: + name: gatekeeper-update-namespace-label + namespace: {{ .Release.Namespace | quote }} + labels: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + annotations: + "helm.sh/hook": post-install + "helm.sh/hook-weight": "-5" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation + {{- if .Values.postInstall.labelNamespace.extraAnnotations }} + {{- toYaml .Values.postInstall.labelNamespace.extraAnnotations | trim | nindent 4 }} + {{- end }} +spec: + template: + metadata: + annotations: + {{- toYaml .Values.podAnnotations | trim | nindent 8 }} + labels: + {{- include "gatekeeper.podLabels" . }} + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + spec: + restartPolicy: OnFailure + {{- if .Values.postInstall.labelNamespace.image.pullSecrets }} + imagePullSecrets: + {{- .Values.postInstall.labelNamespace.image.pullSecrets | toYaml | nindent 12 }} + {{- end }} + serviceAccount: gatekeeper-update-namespace-label + {{- if .Values.postInstall.probeWebhook.enabled }} + volumes: + {{- include "gatekeeper.postInstallWebhookProbeVolume" . | nindent 8 }} + initContainers: + {{- include "gatekeeper.postInstallWebhookProbeContainer" . | nindent 8 }} + {{- end }} + containers: + - name: kubectl-label + image: '{{ template "system_default_registry" . 
}}{{ .Values.postInstall.labelNamespace.image.repository }}:{{ .Values.postInstall.labelNamespace.image.tag }}' + imagePullPolicy: {{ .Values.postInstall.labelNamespace.image.pullPolicy }} + args: + - label + - ns + - {{ .Release.Namespace }} + - admission.gatekeeper.sh/ignore=no-self-managing + {{- range .Values.postInstall.labelNamespace.podSecurity }} + - {{ . }} + {{- end }} + - --overwrite + resources: + {{- toYaml .Values.postInstall.resources | nindent 12 }} + securityContext: + {{- if .Values.enableRuntimeDefaultSeccompProfile }} + seccompProfile: + type: RuntimeDefault + {{- end }} + {{- toYaml .Values.postInstall.securityContext | nindent 12 }} + {{- if .Values.postInstall.labelNamespace.extraNamespaces }} + - name: kubectl-label-extra + image: "{{ .Values.postInstall.labelNamespace.image.repository }}:{{ .Values.postInstall.labelNamespace.image.tag }}" + imagePullPolicy: {{ .Values.postInstall.labelNamespace.image.pullPolicy }} + args: + - label + - ns + {{- range .Values.postInstall.labelNamespace.extraNamespaces }} + - {{ . }} + {{- end }} + - admission.gatekeeper.sh/ignore=extra-namespaces + - --overwrite + resources: + {{- toYaml .Values.postInstall.resources | nindent 12 }} + securityContext: + {{- if .Values.enableRuntimeDefaultSeccompProfile }} + seccompProfile: + type: RuntimeDefault + {{- end }} + {{- toYaml .Values.postInstall.securityContext | nindent 12 }} + {{- end }} + {{- with .Values.postInstall }} + nodeSelector: {{ include "linux-node-selector" . | nindent 8 }} + tolerations: {{ include "linux-node-tolerations" . 
| nindent 8 }} + affinity: + {{- toYaml .affinity | nindent 8 }} + {{- end }} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: gatekeeper-update-namespace-label + namespace: {{ .Release.Namespace | quote }} + labels: + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + annotations: + "helm.sh/hook": post-install + "helm.sh/hook-weight": "-5" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +--- +{{- if .Values.rbac.create }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: gatekeeper-update-namespace-label + labels: + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + annotations: + "helm.sh/hook": post-install + "helm.sh/hook-weight": "-5" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +rules: + - apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - update + - patch + resourceNames: + - {{ .Release.Namespace }} + {{- range .Values.postInstall.labelNamespace.extraNamespaces }} + - {{ . }} + {{- end }} + - apiGroups: + - management.cattle.io + resources: + - projects + verbs: + - updatepsa +{{- with .Values.postInstall.labelNamespace.extraRules }} + {{- toYaml . | nindent 2 }} +{{- end }} +{{- end }} +--- +{{- if .Values.rbac.create }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: gatekeeper-update-namespace-label + labels: + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + annotations: + "helm.sh/hook": post-install + "helm.sh/hook-weight": "-5" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: gatekeeper-update-namespace-label +subjects: + - kind: ServiceAccount + name: gatekeeper-update-namespace-label + namespace: {{ .Release.Namespace | quote }} +{{- end }} +{{- end }} 
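Review bot: the `kubectl-label-extra` container's image is `"{{ .Values.postInstall.labelNamespace.image.repository }}:{{ .Values.postInstall.labelNamespace.image.tag }}"` without the `{{ template "system_default_registry" . }}` prefix that the `kubectl-label` container just above it uses, so on an air-gapped or private-registry install the extra-namespaces container pulls from the public registry (or fails to pull) while the rest of the chart is mirrored. Change it to `image: '{{ template "system_default_registry" . }}{{ .Values.postInstall.labelNamespace.image.repository }}:{{ .Values.postInstall.labelNamespace.image.tag }}'`. Separately, `serviceAccount:` is the deprecated alias of `serviceAccountName:`; the upgrade-crds hook in this same commit uses the latter, so `serviceAccountName: gatekeeper-update-namespace-label` would keep the hook Jobs consistent.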
diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/namespace-post-upgrade.yaml b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/namespace-post-upgrade.yaml
new file mode 100644
index 000000000..9e4a75454
--- /dev/null
+++ b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/namespace-post-upgrade.yaml
@@ -0,0 +1,153 @@ +{{- if .Values.postUpgrade.labelNamespace.enabled }} +apiVersion: batch/v1 +kind: Job +metadata: + name: gatekeeper-update-namespace-label-post-upgrade + namespace: {{ .Release.Namespace | quote }} + labels: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + annotations: + "helm.sh/hook": post-upgrade + "helm.sh/hook-weight": "-5" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation + {{- if .Values.postUpgrade.labelNamespace.extraAnnotations }} + {{- toYaml .Values.postUpgrade.labelNamespace.extraAnnotations | trim | nindent 4 }} + {{- end }} +spec: + template: + metadata: + labels: + {{- include "gatekeeper.podLabels" . }} + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + spec: + restartPolicy: OnFailure + {{- if .Values.postUpgrade.labelNamespace.image.pullSecrets }} + imagePullSecrets: + {{- .Values.postUpgrade.labelNamespace.image.pullSecrets | toYaml | nindent 12 }} + {{- end }} + serviceAccount: gatekeeper-update-namespace-label-post-upgrade + containers: + - name: kubectl-label + image: '{{ template "system_default_registry" . }}{{ .Values.postUpgrade.labelNamespace.image.repository }}:{{ .Values.postUpgrade.labelNamespace.image.tag }}' + imagePullPolicy: {{ .Values.postUpgrade.labelNamespace.image.pullPolicy }} + args: + - label + - ns + - {{ .Release.Namespace }} + - admission.gatekeeper.sh/ignore=no-self-managing + {{- range .Values.postUpgrade.labelNamespace.podSecurity }} + - {{ . 
}} + {{- end }} + - --overwrite + resources: + {{- toYaml .Values.postUpgrade.resources | nindent 12 }} + securityContext: + {{- if .Values.enableRuntimeDefaultSeccompProfile }} + seccompProfile: + type: RuntimeDefault + {{- end }} + {{- toYaml .Values.postUpgrade.securityContext | nindent 12 }} + {{- if .Values.postUpgrade.labelNamespace.extraNamespaces }} + - name: kubectl-label-extra + image: "{{ .Values.postUpgrade.labelNamespace.image.repository }}:{{ .Values.postUpgrade.labelNamespace.image.tag }}" + imagePullPolicy: {{ .Values.postUpgrade.labelNamespace.image.pullPolicy }} + args: + - label + - ns + {{- range .Values.postUpgrade.labelNamespace.extraNamespaces }} + - {{ . }} + {{- end }} + - admission.gatekeeper.sh/ignore=extra-namespaces + - --overwrite + resources: + {{- toYaml .Values.postUpgrade.resources | nindent 12 }} + securityContext: + {{- if .Values.enableRuntimeDefaultSeccompProfile }} + seccompProfile: + type: RuntimeDefault + {{- end }} + {{- toYaml .Values.postUpgrade.securityContext | nindent 12 }} + {{- end }} + {{- with .Values.postUpgrade }} + nodeSelector: {{ include "linux-node-selector" . | nindent 8 }} + tolerations: {{ include "linux-node-tolerations" . 
| nindent 8 }} + affinity: + {{- toYaml .affinity | nindent 8 }} + {{- end }} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: gatekeeper-update-namespace-label-post-upgrade + labels: + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + annotations: + "helm.sh/hook": post-upgrade + "helm.sh/hook-weight": "-5" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +--- +{{- if .Values.rbac.create }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: gatekeeper-update-namespace-label-post-upgrade + labels: + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + annotations: + "helm.sh/hook": post-upgrade + "helm.sh/hook-weight": "-5" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +rules: + - apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - update + - patch + resourceNames: + - {{ .Release.Namespace }} + {{- range .Values.postUpgrade.labelNamespace.extraNamespaces }} + - {{ . }} + {{- end }} + - apiGroups: + - management.cattle.io + resources: + - projects + verbs: + - updatepsa +{{- end }} +--- +{{- if .Values.rbac.create }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: gatekeeper-update-namespace-label-post-upgrade + labels: + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + annotations: + "helm.sh/hook": post-upgrade + "helm.sh/hook-weight": "-5" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: gatekeeper-update-namespace-label-post-upgrade +subjects: + - kind: ServiceAccount + name: gatekeeper-update-namespace-label-post-upgrade + namespace: {{ .Release.Namespace | quote }} +{{- end }} +{{- end }} 
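Review bot: as in the post-install hook, the `kubectl-label-extra` image here omits the `{{ template "system_default_registry" . }}` prefix that `kubectl-label` uses, so `extraNamespaces` labeling breaks on private-registry installs; use `image: '{{ template "system_default_registry" . }}{{ .Values.postUpgrade.labelNamespace.image.repository }}:{{ .Values.postUpgrade.labelNamespace.image.tag }}'`. The ServiceAccount also has no `namespace:` while the ClusterRoleBinding subject pins `{{ .Release.Namespace | quote }}`; Helm will default it to the release namespace, but adding `namespace: {{ .Release.Namespace | quote }}` makes the binding target explicit and matches the post-install template. Note too that this ClusterRole has no `extraRules` hook, unlike the post-install one, so operators who needed `postInstall.labelNamespace.extraRules` have no equivalent on upgrade; if that asymmetry is deliberate, a one-line comment saying so would save the next reader a search.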
diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/probe-webhook-post-install.yaml b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/probe-webhook-post-install.yaml new file mode 100644 index 000000000..c9f706527 --- /dev/null +++ b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/probe-webhook-post-install.yaml @@ -0,0 +1,46 @@ +{{- if not .Values.disableValidatingWebhook }} +{{- if and (not .Values.postInstall.labelNamespace.enabled) .Values.postInstall.probeWebhook.enabled }} +apiVersion: batch/v1 +kind: Job +metadata: + name: gatekeeper-probe-webhook-post-install + labels: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + annotations: + "helm.sh/hook": post-install + "helm.sh/hook-weight": "-5" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +spec: + template: + metadata: + annotations: + {{- toYaml .Values.podAnnotations | trim | nindent 8 }} + labels: + {{- include "gatekeeper.podLabels" . }} + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + spec: + restartPolicy: Never + {{- if .Values.postInstall.probeWebhook.image.pullSecrets }} + imagePullSecrets: + {{- .Values.postInstall.probeWebhook.image.pullSecrets | toYaml | nindent 12 }} + {{- end }} + volumes: + {{- include "gatekeeper.postInstallWebhookProbeVolume" . | nindent 8 }} + containers: + {{- include "gatekeeper.postInstallWebhookProbeContainer" . | nindent 8 }} + {{- with .Values.postInstall }} + nodeSelector: {{ include "linux-node-selector" . | nindent 8 }} + tolerations: {{ include "linux-node-tolerations" . | nindent 8 }} + affinity: + {{- toYaml .affinity | nindent 8 }} + {{- end }} +{{- end }} +{{- end }} 
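Review bot: this Job's metadata has no `namespace:` while every other hook Job in this commit sets `namespace: {{ .Release.Namespace | quote }}`; Helm defaults it, but the explicit field is what keeps the hook in the release namespace when someone renders with `helm template` and applies by hand. The pod spec also sets no `serviceAccountName`, so the curl probe runs under the namespace's default ServiceAccount with its token mounted; since a webhook probe has no reason to talk to the API server, `automountServiceAccountToken: false` on the pod spec would remove that credential from the container. The probe container and volume come from `gatekeeper.postInstallWebhookProbeContainer`/`...Volume`, which are outside this hunk, so their securityContext could not be checked here.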
diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/requiredlabels.yaml b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/requiredlabels.yaml new file mode 100644 index 000000000..e93e6a0a7 --- /dev/null +++ b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/requiredlabels.yaml @@ -0,0 +1,57 @@ +apiVersion: templates.gatekeeper.sh/v1beta1 +kind: ConstraintTemplate +metadata: + name: k8srequiredlabels +spec: + crd: + spec: + names: + kind: K8sRequiredLabels + validation: + # Schema for the `parameters` field + openAPIV3Schema: + properties: + message: + type: string + labels: + type: array + items: + type: object + properties: + key: + type: string + allowedRegex: + type: string + targets: + - target: admission.k8s.gatekeeper.sh + rego: | + package k8srequiredlabels + + get_message(parameters, _default) = msg { + not parameters.message + msg := _default + } + + get_message(parameters, _default) = msg { + msg := parameters.message + } + + violation[{"msg": msg, "details": {"missing_labels": missing}}] { + provided := {label | input.review.object.metadata.labels[label]} + required := {label | label := input.parameters.labels[_].key} + missing := required - provided + count(missing) > 0 + def_msg := sprintf("you must provide labels: %v", [missing]) + msg := get_message(input.parameters, def_msg) + } + + violation[{"msg": msg}] { + value := input.review.object.metadata.labels[key] + expected := input.parameters.labels[_] + expected.key == key + # do not match if allowedRegex is not defined, or is an empty string + expected.allowedRegex != "" + not re_match(expected.allowedRegex, value) + def_msg := sprintf("Label <%v: %v> does not satisfy allowed regex: %v", [key, value, expected.allowedRegex]) + msg := get_message(input.parameters, def_msg) + } 
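Review bot: `not re_match(expected.allowedRegex, value)` is an unanchored search, so `allowedRegex: "prod"` accepts a label value of `non-prod` and `^v[0-9]+` accepts `v1-anything`; constraint authors must anchor the pattern (`^...$`) to get exact-match semantics, and nothing in the template tells them. Add `# re_match is unanchored: anchor allowedRegex with ^...$ for an exact match` above that line, and say the same in a `description` on the `allowedRegex` schema property. The schema also does not mark `key` as required, so an entry like `{allowedRegex: ".*"}` is accepted and silently ignored by the `required` set comprehension; a `required: [key]` on the items object would reject it at constraint-creation time instead.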
diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/upgrade-crds-hook.yaml b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/upgrade-crds-hook.yaml
new file mode 100644
index 000000000..28c2d6bb0
--- /dev/null
+++ b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/upgrade-crds-hook.yaml
@@ -0,0 +1,116 @@ +{{- if .Values.upgradeCRDs.enabled }} +{{- if .Values.rbac.create }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: gatekeeper-admin-upgrade-crds + labels: + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + annotations: + helm.sh/hook: pre-install,pre-upgrade + helm.sh/hook-delete-policy: "hook-succeeded,before-hook-creation" + helm.sh/hook-weight: "1" +rules: + - apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["get", "create", "update", "patch"] +{{- with .Values.upgradeCRDs.extraRules }} + {{- toYaml . | nindent 2 }} +{{- end }} +{{- end }} +--- +{{- if .Values.rbac.create }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: gatekeeper-admin-upgrade-crds + labels: + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + annotations: + helm.sh/hook: pre-install,pre-upgrade + helm.sh/hook-delete-policy: "hook-succeeded,before-hook-creation" + helm.sh/hook-weight: "1" +subjects: + - kind: ServiceAccount + name: gatekeeper-admin-upgrade-crds + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: gatekeeper-admin-upgrade-crds + apiGroup: rbac.authorization.k8s.io +{{- end }} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + name: gatekeeper-admin-upgrade-crds + namespace: '{{ .Release.Namespace }}' + annotations: + helm.sh/hook: pre-install,pre-upgrade + helm.sh/hook-delete-policy: "hook-succeeded,before-hook-creation" + helm.sh/hook-weight: "1" +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: gatekeeper-update-crds-hook + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "gatekeeper.name" . }} + chart: {{ template "gatekeeper.name" . 
}} + gatekeeper.sh/system: "yes" + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + annotations: + helm.sh/hook: pre-install,pre-upgrade + helm.sh/hook-weight: "1" + helm.sh/hook-delete-policy: "hook-succeeded,before-hook-creation" +spec: + backoffLimit: 0 + template: + metadata: + name: gatekeeper-update-crds-hook + annotations: + {{- toYaml .Values.podAnnotations | trim | nindent 8 }} + labels: + {{- include "gatekeeper.podLabels" . }} + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + spec: + serviceAccountName: gatekeeper-admin-upgrade-crds + restartPolicy: Never + {{- if .Values.images.pullSecrets }} + imagePullSecrets: + {{- toYaml .Values.images.pullSecrets | nindent 8 }} + {{- end }} + containers: + - name: crds-upgrade + image: '{{ template "system_default_registry" . }}{{ .Values.images.gatekeepercrd.repository }}:{{ .Values.images.gatekeepercrd.tag }}' + imagePullPolicy: '{{ .Values.images.pullPolicy }}' + args: + - apply + - -f + - crds/ + resources: + {{- toYaml .Values.crds.resources | nindent 10 }} + securityContext: + {{- if .Values.enableRuntimeDefaultSeccompProfile }} + seccompProfile: + type: RuntimeDefault + {{- end }} + {{- toYaml .Values.crds.securityContext | nindent 10 }} + {{- with .Values.crds }} + nodeSelector: {{ include "linux-node-selector" . | nindent 8 }} + tolerations: {{ include "linux-node-tolerations" . | nindent 8 }} + affinity: + {{- toYaml .affinity | nindent 8 }} + {{- end }} +{{- end }} diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/validate-install-crd.yaml b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/validate-install-crd.yaml new file mode 100644 index 000000000..9c4f3a3c2 --- /dev/null +++ b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/validate-install-crd.yaml 
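Review bot: the `gatekeeper-admin-upgrade-crds` ClusterRole grants `get/create/update/patch` on every CustomResourceDefinition in the cluster, and its delete policy is `hook-succeeded,before-hook-creation`, so when the `crds-upgrade` Job fails (`backoffLimit: 0`, `restartPolicy: Never`) the ServiceAccount, ClusterRole and ClusterRoleBinding stay behind until the next install or upgrade, leaving a namespace-scoped SA token with cluster-wide CRD write authority. Keeping the failed Job for debugging is reasonable, but the three RBAC objects could carry `hook-failed` in their delete policy, or at minimum a comment `# NOTE: on hook failure these RBAC objects persist until the next helm upgrade` so operators know to clean up. `create` cannot be narrowed with `resourceNames`, but `update`/`patch` could be scoped to the Gatekeeper CRD names if the chart knows that list, and `extraRules` widens this role further, which is worth a warning in values.yaml.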
@@ -0,0 +1,24 @@
+#{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}}
+# {{- $found := dict -}}
+# {{- set $found "mutations.gatekeeper.sh/v1/Assign" false -}}
+# {{- set $found "mutations.gatekeeper.sh/v1alpha1/AssignImage" false -}}
+# {{- set $found "mutations.gatekeeper.sh/v1/AssignMetadata" false -}}
+# {{- set $found "config.gatekeeper.sh/v1alpha1/Config" false -}}
+# {{- set $found "status.gatekeeper.sh/v1beta1/ConstraintPodStatus" false -}}
+# {{- set $found "templates.gatekeeper.sh/v1/ConstraintTemplate" false -}}
+# {{- set $found "status.gatekeeper.sh/v1beta1/ConstraintTemplatePodStatus" false -}}
+# {{- set $found "expansion.gatekeeper.sh/v1alpha1/ExpansionTemplate" false -}}
+# {{- set $found "mutations.gatekeeper.sh/v1/ModifySet" false -}}
+# {{- set $found "status.gatekeeper.sh/v1beta1/MutatorPodStatus" false -}}
+# {{- set $found "externaldata.gatekeeper.sh/v1alpha1/Provider" false -}}
+# {{- range .Capabilities.APIVersions -}}
+# {{- if hasKey $found (toString .) -}}
+# {{- set $found (toString .) true -}}
+# {{- end -}}
+# {{- end -}}
+# {{- range $_, $exists := $found -}}
+# {{- if (eq $exists false) -}}
+# {{- required "Required CRDs are missing. Please install the corresponding CRD chart before installing this chart." "" -}}
+# {{- end -}}
+# {{- end -}}
+#{{- end -}}
\ No newline at end of file
diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/validate-psp-install.yaml b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/validate-psp-install.yaml
new file mode 100644
index 000000000..a30c59d3b
--- /dev/null
+++ b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/validate-psp-install.yaml
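Review bot: every line of this template is prefixed with `#`, which makes it look like dead code, but Helm still evaluates Go template actions inside YAML comment lines (only `{{/* ... */}}` is a template comment), so the `lookup`, `set` and `required` calls do run at install time and the `#` merely keeps the rendered output a harmless comment. A Helm comment at the top, `{{/* Lines are #-prefixed so the rendered file is YAML-comment-only; the template actions still execute and abort the install if a Gatekeeper CRD is missing */}}`, would stop a future maintainer from deleting it as unused. The file also ends without a newline (`\ No newline at end of file`); harmless to Helm but worth fixing for linters.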
@@ -0,0 +1,7 @@
+#{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}}
+#{{- if .Values.global.cattle.psp.enabled }}
+#{{- if not (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }}
+#{{- fail "The target cluster does not have the PodSecurityPolicy API resource. Please disable PSPs in this chart before proceeding." -}}
+#{{- end }}
+#{{- end }}
+#{{- end }}
diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/webhook-configs-pre-delete.yaml b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/webhook-configs-pre-delete.yaml
new file mode 100644
index 000000000..b57bc6989
--- /dev/null
+++ b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/webhook-configs-pre-delete.yaml
@@ -0,0 +1,141 @@ +{{- if and (or (not .Values.disableValidatingWebhook) (not .Values.disableMutation)) .Values.preUninstall.deleteWebhookConfigurations.enabled }} +apiVersion: batch/v1 +kind: Job +metadata: + name: gatekeeper-delete-webhook-configs + namespace: {{ .Release.Namespace | quote }} + labels: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-weight": "-5" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +spec: + template: + metadata: + annotations: + {{- toYaml .Values.podAnnotations | trim | nindent 8 }} + labels: + {{- include "gatekeeper.podLabels" . }} + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + spec: + restartPolicy: OnFailure + {{- if .Values.preUninstall.deleteWebhookConfigurations.image.pullSecrets }} + imagePullSecrets: + {{- .Values.preUninstall.deleteWebhookConfigurations.image.pullSecrets | toYaml | nindent 12 }} + {{- end }} + serviceAccount: gatekeeper-delete-webhook-configs + containers: + - name: kubectl-delete + image: '{{ template "system_default_registry" . 
}}{{ .Values.preUninstall.deleteWebhookConfigurations.image.repository }}:{{ .Values.preUninstall.deleteWebhookConfigurations.image.tag }}' + imagePullPolicy: {{ .Values.preUninstall.deleteWebhookConfigurations.image.pullPolicy }} + args: + - delete + {{- if not .Values.disableValidatingWebhook }} + - validatingwebhookconfiguration/{{ .Values.validatingWebhookName }} + {{- end }} + {{- if not .Values.disableMutation }} + - mutatingwebhookconfiguration/{{ .Values.mutatingWebhookName }} + {{- end }} + resources: + {{- toYaml .Values.preUninstall.resources | nindent 12 }} + securityContext: + {{- if .Values.enableRuntimeDefaultSeccompProfile }} + seccompProfile: + type: RuntimeDefault + {{- end }} + {{- toYaml .Values.preUninstall.securityContext | nindent 10 }} + {{- with .Values.preUninstall }} + nodeSelector: {{ include "linux-node-selector" . | nindent 8 }} +{{- if .nodeSelector }} +{{ toYaml .nodeSelector | indent 8 }} +{{- end }} + tolerations: {{ include "linux-node-tolerations" . | nindent 8 }} +{{- if .tolerations }} +{{ toYaml .tolerations | indent 8 }} +{{- end }} + affinity: + {{- toYaml .affinity | nindent 8 }} + {{- end }} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: gatekeeper-delete-webhook-configs + namespace: {{ .Release.Namespace | quote }} + labels: + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-weight": "-5" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +--- +{{- if .Values.rbac.create }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: gatekeeper-delete-webhook-configs + labels: + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-weight": "-5" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +rules: + {{- if not .Values.disableValidatingWebhook }} + - apiGroups: + - admissionregistration.k8s.io + resources: + 
- validatingwebhookconfigurations + resourceNames: + - {{ .Values.validatingWebhookName }} + verbs: + - delete + {{- end }} + {{- if not .Values.disableMutation }} + - apiGroups: + - admissionregistration.k8s.io + resources: + - mutatingwebhookconfigurations + resourceNames: + - {{ .Values.mutatingWebhookName }} + verbs: + - delete + {{- end }} +{{- with .Values.preUninstall.deleteWebhookConfigurations.extraRules }} + {{- toYaml . | nindent 2 }} +{{- end }} +{{- end }} +--- +{{- if .Values.rbac.create }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: gatekeeper-delete-webhook-configs + labels: + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-weight": "-5" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: gatekeeper-delete-webhook-configs +subjects: + - kind: ServiceAccount + name: gatekeeper-delete-webhook-configs + namespace: {{ .Release.Namespace | quote }} +{{- end }} +{{- end }} diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/values.yaml b/charts/rancher-gatekeeper/103.0.1+up3.12.0/values.yaml new file mode 100644 index 000000000..d1029e24a --- /dev/null +++ b/charts/rancher-gatekeeper/103.0.1+up3.12.0/values.yaml 
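Review bot: in the `kubectl-delete` container the securityContext body is rendered with `{{- toYaml .Values.preUninstall.securityContext | nindent 10 }}` while `resources` directly above uses `nindent 12` and every other hook Job in this commit uses `nindent 12` for the identical securityContext construct. Indentation is not visible in this view, so if `securityContext:` really sits at column 10 here the `toYaml` keys land beside it at container level rather than under it, and `runAsNonRoot`, `readOnlyRootFilesystem` and the capability drops are either rejected as unknown container fields or, with `seccompProfile` enabled, produce a mapping at mixed indentation; either way the hardening likely stops applying to the pre-delete pod. Confirm with `helm template` and change it to `{{- toYaml .Values.preUninstall.securityContext | nindent 12 }}` if the block is indented like its siblings.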
@@ -0,0 +1,271 @@ +replicas: 3 +auditInterval: 60 +metricsBackends: ["prometheus"] +auditMatchKindOnly: false +constraintViolationsLimit: 20 +auditFromCache: false +disableMutation: false +disableValidatingWebhook: false +validatingWebhookName: gatekeeper-validating-webhook-configuration +validatingWebhookTimeoutSeconds: 3 +validatingWebhookFailurePolicy: Ignore +validatingWebhookAnnotations: {} +validatingWebhookExemptNamespacesLabels: {} +validatingWebhookObjectSelector: {} +validatingWebhookCheckIgnoreFailurePolicy: Fail +validatingWebhookCustomRules: {} +enableDeleteOperations: false +enableExternalData: true +enableGeneratorResourceExpansion: false +enableTLSHealthcheck: false +maxServingThreads: -1 +mutatingWebhookName: gatekeeper-mutating-webhook-configuration +mutatingWebhookFailurePolicy: Ignore +mutatingWebhookReinvocationPolicy: Never +mutatingWebhookAnnotations: {} +mutatingWebhookExemptNamespacesLabels: {} +mutatingWebhookObjectSelector: {} +mutatingWebhookTimeoutSeconds: 1 +mutatingWebhookCustomRules: {} +mutationAnnotations: false +auditChunkSize: 500 +logLevel: INFO +logDenies: false +logMutations: false +emitAdmissionEvents: false +emitAuditEvents: false +admissionEventsInvolvedNamespace: false +auditEventsInvolvedNamespace: false +resourceQuota: true +images: + gatekeeper: + repository: rancher/mirrored-openpolicyagent-gatekeeper + tag: v3.12.0 + gatekeepercrd: + repository: rancher/mirrored-openpolicyagent-gatekeeper-crds + tag: v3.12.0 + pullPolicy: IfNotPresent + pullSecrets: [] +preInstall: + crdRepository: + image: + repository: null + tag: v3.12.0 +postUpgrade: + labelNamespace: + enabled: false + image: + repository: rancher/kubectl + tag: v1.20.2 + pullPolicy: IfNotPresent + pullSecrets: [] + extraNamespaces: [] + podSecurity: ["pod-security.kubernetes.io/audit=restricted", + "pod-security.kubernetes.io/audit-version=latest", + "pod-security.kubernetes.io/warn=restricted", + "pod-security.kubernetes.io/warn-version=latest", + 
"pod-security.kubernetes.io/enforce=restricted", + "pod-security.kubernetes.io/enforce-version=v1.24"] + extraAnnotations: {} + affinity: {} + tolerations: [] + nodeSelector: {kubernetes.io/os: linux} + resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsGroup: 999 + runAsNonRoot: true + runAsUser: 1000 +postInstall: + labelNamespace: + enabled: true + extraRules: [] + image: + repository: rancher/mirrored-openpolicyagent-gatekeeper-crds + tag: v3.12.0 + pullPolicy: IfNotPresent + pullSecrets: [] + extraNamespaces: [] + podSecurity: ["pod-security.kubernetes.io/audit=restricted", + "pod-security.kubernetes.io/audit-version=latest", + "pod-security.kubernetes.io/warn=restricted", + "pod-security.kubernetes.io/warn-version=latest", + "pod-security.kubernetes.io/enforce=restricted", + "pod-security.kubernetes.io/enforce-version=v1.24"] + extraAnnotations: {} + probeWebhook: + enabled: true + image: + repository: rancher/mirrored-curlimages-curl + tag: 7.83.1 + pullPolicy: IfNotPresent + pullSecrets: [] + waitTimeout: 60 + httpTimeout: 2 + insecureHTTPS: false + affinity: {} + tolerations: [] + nodeSelector: {kubernetes.io/os: linux} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsGroup: 999 + runAsNonRoot: true + runAsUser: 1000 +preUninstall: + deleteWebhookConfigurations: + extraRules: [] + enabled: false + image: + repository: rancher/mirrored-openpolicyagent-gatekeeper-crds + tag: v3.12.0 + pullPolicy: IfNotPresent + pullSecrets: [] + affinity: {} + tolerations: [] + nodeSelector: {} + resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsGroup: 999 + runAsNonRoot: true + runAsUser: 1000 +podAnnotations: {} +podLabels: {} +podCountLimit: "100" +secretAnnotations: {} +enableRuntimeDefaultSeccompProfile: true 
+controllerManager: + exemptNamespaces: [] + exemptNamespacePrefixes: [] + hostNetwork: false + dnsPolicy: ClusterFirst + port: 8443 + metricsPort: 8888 + healthPort: 9090 + readinessTimeout: 1 + livenessTimeout: 1 + priorityClassName: system-cluster-critical + disableCertRotation: false + tlsMinVersion: 1.3 + clientCertName: "" + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: gatekeeper.sh/operation + operator: In + values: + - webhook + topologyKey: kubernetes.io/hostname + weight: 100 + topologySpreadConstraints: [] + tolerations: [] + nodeSelector: {} + resources: + limits: + memory: 512Mi + requests: + cpu: 100m + memory: 512Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsGroup: 999 + runAsNonRoot: true + runAsUser: 1000 + podSecurityContext: + fsGroup: 999 + supplementalGroups: + - 999 + extraRules: [] + networkPolicy: + enabled: false + ingress: { } + # - from: + # - ipBlock: + # cidr: 0.0.0.0/0 +audit: + hostNetwork: false + dnsPolicy: ClusterFirst + metricsPort: 8888 + healthPort: 9090 + readinessTimeout: 1 + livenessTimeout: 1 + priorityClassName: system-cluster-critical + disableCertRotation: true + affinity: {} + tolerations: [] + nodeSelector: {} + resources: + limits: + memory: 512Mi + requests: + cpu: 100m + memory: 512Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsGroup: 999 + runAsNonRoot: true + runAsUser: 1000 + podSecurityContext: + fsGroup: 999 + supplementalGroups: + - 999 + writeToRAMDisk: false + extraRules: [] +crds: + affinity: {} + tolerations: [] + nodeSelector: {kubernetes.io/os: linux} + resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsGroup: 65532 + runAsNonRoot: true + runAsUser: 65532 +pdb: + 
controllerManager: + minAvailable: 1 +global: + cattle: + systemDefaultRegistry: "" + psp: + enabled: false + kubectl: + repository: rancher/kubectl + tag: v1.20.2 +service: {} +disabledBuiltins: ["{http.send}"] +upgradeCRDs: + enabled: true + extraRules: [] +rbac: + create: true +externalCertInjection: + enabled: false + secretName: gatekeeper-webhook-server-cert diff --git a/index.yaml b/index.yaml index 9f10fd219..b6d0caf0e 100755 --- a/index.yaml +++ b/index.yaml 
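Review bot: `validatingWebhookFailurePolicy: Ignore` and `mutatingWebhookFailurePolicy: Ignore` make the admission path fail open — if all controller replicas are unreachable, or a call exceeds the 3s `validatingWebhookTimeoutSeconds`, the request is admitted unvalidated — and nothing in the file tells an operator that. Add `# Ignore = fail open: an unreachable webhook admits requests unvalidated; set to Fail for strict enforcement (risk of cluster lockout)` above those two keys so the choice is deliberate. Relatedly, `logDenies: false` and `emitAdmissionEvents: false` mean a denied request leaves neither a log line nor an Event by default; a comment noting that detection teams generally want `logDenies: true` would help. Finally, `postUpgrade.labelNamespace.image` pins `rancher/kubectl:v1.20.2` while the equivalent post-install job uses `rancher/mirrored-openpolicyagent-gatekeeper-crds:v3.12.0`; both hooks run the same `kubectl label` command, so pointing both at the same current image avoids shipping a stale kubectl.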
@@ -8721,6 +8721,36 @@ entries: - assets/rancher-external-ip-webhook/rancher-external-ip-webhook-0.1.400.tgz version: 0.1.400 rancher-gatekeeper: + - annotations: + catalog.cattle.io/auto-install: rancher-gatekeeper-crd=match + catalog.cattle.io/certified: rancher + catalog.cattle.io/display-name: OPA Gatekeeper + catalog.cattle.io/kube-version: '>= 1.20.0-0 < 1.28.0-0' + catalog.cattle.io/namespace: cattle-gatekeeper-system + catalog.cattle.io/os: linux + catalog.cattle.io/permits-os: linux,windows + catalog.cattle.io/provides-gvr: config.gatekeeper.sh.config/v1alpha1 + catalog.cattle.io/rancher-version: '>= 2.8.0-0 < 2.9.0-0' + catalog.cattle.io/release-name: rancher-gatekeeper + catalog.cattle.io/type: cluster-tool + catalog.cattle.io/ui-component: gatekeeper + apiVersion: v2 + appVersion: v3.12.0 + created: "2023-08-23T17:22:58.94666364-03:00" + description: Modifies Open Policy Agent's upstream gatekeeper chart that provides + policy-based control for cloud native environments + digest: ee25ad45beb67bc91aa47dd7c576ba89cd00ade03db94341c463948901a3c0c6 + home: https://github.com/open-policy-agent/gatekeeper + icon: https://charts.rancher.io/assets/logos/gatekeeper.svg + keywords: + - open policy agent + - security + name: rancher-gatekeeper + sources: + - https://github.com/open-policy-agent/gatekeeper.git + urls: + - assets/rancher-gatekeeper/rancher-gatekeeper-103.0.1+up3.12.0.tgz + version: 103.0.1+up3.12.0 - annotations: catalog.cattle.io/auto-install: rancher-gatekeeper-crd=match catalog.cattle.io/certified: rancher 
@@ -9094,6 +9124,20 @@ entries: - assets/rancher-gatekeeper/rancher-gatekeeper-3.1.100.tgz version: 3.1.100 rancher-gatekeeper-crd: + - annotations: + catalog.cattle.io/certified: rancher + catalog.cattle.io/hidden: "true" + catalog.cattle.io/namespace: cattle-gatekeeper-system + catalog.cattle.io/release-name: rancher-gatekeeper-crd + apiVersion: v1 + created: "2023-08-23T17:22:58.953726661-03:00" + description: Installs the CRDs for rancher-gatekeeper. + digest: d47fba3bc692cd330ea61d70de4c1fd8e4316cd13cdf7bf6f13b17df132bd74d + name: rancher-gatekeeper-crd + type: application + urls: + - assets/rancher-gatekeeper-crd/rancher-gatekeeper-crd-103.0.1+up3.12.0.tgz + version: 103.0.1+up3.12.0 - annotations: catalog.cattle.io/certified: rancher catalog.cattle.io/hidden: "true" From a107f0e0780f10df4ec5670dbe816290f786006c Mon Sep 17 00:00:00 2001 From: Diogo Souza Date: Wed, 16 Aug 2023 21:33:28 -0300 Subject: [PATCH 16/24] make prepare/patch gatekeeper 3.13.0 --- .../generated-changes/patch/Chart.yaml.patch | 6 ++-- .../generated-changes/patch/README.md.patch | 18 ++++++------ .../patch/templates/_helpers.tpl.patch | 2 +- .../gatekeeper-audit-deployment.yaml.patch | 8 ++--- ...r-controller-manager-deployment.yaml.patch | 8 ++--- ...keeper-manager-role-clusterrole.yaml.patch | 2 +- .../namespace-post-install.yaml.patch | 6 ++-- .../namespace-post-upgrade.yaml.patch | 8 ++--- .../probe-webhook-post-install.yaml.patch | 4 +-- .../templates/upgrade-crds-hook.yaml.patch | 9 +++--- .../webhook-configs-pre-delete.yaml.patch | 17 +++-------- .../generated-changes/patch/values.yaml.patch | 29 ++++++++++--------- packages/rancher-gatekeeper/package.yaml | 4 +-- 13 files changed, 57 insertions(+), 64 deletions(-) diff --git a/packages/rancher-gatekeeper/generated-changes/patch/Chart.yaml.patch b/packages/rancher-gatekeeper/generated-changes/patch/Chart.yaml.patch index 622b464d5..c9078fdfd 100644 --- a/packages/rancher-gatekeeper/generated-changes/patch/Chart.yaml.patch 
+++ b/packages/rancher-gatekeeper/generated-changes/patch/Chart.yaml.patch @@ -5,7 +5,7 @@ + catalog.cattle.io/auto-install: rancher-gatekeeper-crd=match + catalog.cattle.io/certified: rancher + catalog.cattle.io/display-name: OPA Gatekeeper -+ catalog.cattle.io/kube-version: '>= 1.20.0-0 < 1.28.0-0' ++ catalog.cattle.io/kube-version: '>= 1.20.0-0' + catalog.cattle.io/namespace: cattle-gatekeeper-system + catalog.cattle.io/os: linux + catalog.cattle.io/permits-os: linux,windows @@ -15,7 +15,7 @@ + catalog.cattle.io/type: cluster-tool + catalog.cattle.io/ui-component: gatekeeper apiVersion: v2 - appVersion: v3.12.0 + appVersion: v3.13.0 -description: A Helm chart for Gatekeeper +description: Modifies Open Policy Agent's upstream gatekeeper chart that provides + policy-based control for cloud native environments @@ -29,4 +29,4 @@ +name: rancher-gatekeeper sources: - https://github.com/open-policy-agent/gatekeeper.git - version: 3.12.0 + version: 3.13.0 diff --git a/packages/rancher-gatekeeper/generated-changes/patch/README.md.patch b/packages/rancher-gatekeeper/generated-changes/patch/README.md.patch index 49df9ac6e..5a9be3249 100644 --- a/packages/rancher-gatekeeper/generated-changes/patch/README.md.patch +++ b/packages/rancher-gatekeeper/generated-changes/patch/README.md.patch 
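Review bot: The first hunk of Chart.yaml.patch removes the upper bound of `catalog.cattle.io/kube-version`, changing it from `'>= 1.20.0-0 < 1.28.0-0'` to `'>= 1.20.0-0'`, so Rancher will offer this chart on every future Kubernetes minor, including ones Gatekeeper 3.13.0 has not been validated against; the 103.0.1 index.yaml entry earlier in this series still carries the bounded range. If the open range is intentional it deserves a sentence in the commit message, since the rest of the file's hunks only bump `appVersion` and `version` to 3.13.0 and give no reason; otherwise keep an explicit upper bound matching the highest Kubernetes version Gatekeeper 3.13.0 supports, e.g. `catalog.cattle.io/kube-version: '>= 1.20.0-0 < 1.29.0-0'` (constructed value, confirm against the upstream support matrix).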
@@ -1,11 +1,11 @@ --- charts-original/README.md +++ charts/README.md -@@ -118,7 +118,7 @@ - | crds.nodeSelector | The node selector to use for pod scheduling in crds hook jobs | `kubernetes.io/os: linux` | - | crds.resources | The resource request/limits for the container image in crds hook jobs | `{}` | - | crds.securityContext | Security context applied to the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 65532, "runAsNonRoot": true, "runAsUser": 65532 }` | --| auditInterval | The frequency with which audit is run | `60` | -+| auditInterval | The frequency with which audit is run | `300` | - | constraintViolationsLimit | The maximum # of audit violations reported on a constraint | `20` | - | auditFromCache | Take the roster of resources to audit from the audit cache | `false` | - | auditChunkSize | Chunk size for listing cluster resources for audit (alpha feature) | `500` | +@@ -129,7 +129,7 @@ + | crds.nodeSelector | The node selector to use for pod scheduling in crds hook jobs | `kubernetes.io/os: linux` | + | crds.resources | The resource request/limits for the container image in crds hook jobs | `{}` | + | crds.securityContext | Security context applied to the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 65532, "runAsNonRoot": true, "runAsUser": 65532 }` | +-| auditInterval | The frequency with which audit is run | `60` | ++| auditInterval | The frequency with which audit is run | `300` | + | constraintViolationsLimit | The maximum # of audit violations reported on a constraint | `20` | + | auditFromCache | Take the roster of resources to audit from the audit cache | `false` | + | auditChunkSize | Chunk size for listing cluster resources for audit (alpha feature) | `500` | 
diff --git a/packages/rancher-gatekeeper/generated-changes/patch/templates/_helpers.tpl.patch b/packages/rancher-gatekeeper/generated-changes/patch/templates/_helpers.tpl.patch index dcd1cbdee..ce45c3b67 100644 --- a/packages/rancher-gatekeeper/generated-changes/patch/templates/_helpers.tpl.patch +++ b/packages/rancher-gatekeeper/generated-changes/patch/templates/_helpers.tpl.patch @@ -37,7 +37,7 @@ imagePullPolicy: {{ .Values.postInstall.probeWebhook.image.pullPolicy }} command: - "curl" -@@ -69,10 +92,10 @@ +@@ -70,10 +93,10 @@ resources: {{- toYaml .Values.postInstall.resources | nindent 4 }} securityContext: diff --git a/packages/rancher-gatekeeper/generated-changes/patch/templates/gatekeeper-audit-deployment.yaml.patch b/packages/rancher-gatekeeper/generated-changes/patch/templates/gatekeeper-audit-deployment.yaml.patch index 67a3e0e96..b6aae9fa0 100644 --- a/packages/rancher-gatekeeper/generated-changes/patch/templates/gatekeeper-audit-deployment.yaml.patch +++ b/packages/rancher-gatekeeper/generated-changes/patch/templates/gatekeeper-audit-deployment.yaml.patch @@ -1,6 +1,6 @@ --- charts-original/templates/gatekeeper-audit-deployment.yaml +++ charts/templates/gatekeeper-audit-deployment.yaml -@@ -42,11 +42,7 @@ +@@ -45,11 +45,7 @@ {{- toYaml .Values.audit.affinity | nindent 8 }} automountServiceAccountToken: true containers: @@ -13,7 +13,7 @@ args: - --audit-interval={{ .Values.auditInterval }} - --log-level={{ (.Values.audit.logLevel | empty | not) | ternary .Values.audit.logLevel .Values.logLevel }} -@@ -94,7 +90,7 @@ +@@ -102,7 +98,7 @@ fieldPath: metadata.namespace - name: CONTAINER_NAME value: manager @@ -22,7 +22,7 @@ livenessProbe: httpGet: path: /healthz -@@ -130,9 +126,11 @@ +@@ -138,9 +134,11 @@ dnsPolicy: {{ .Values.audit.dnsPolicy }} hostNetwork: {{ .Values.audit.hostNetwork }} imagePullSecrets: 
@@ -37,7 +37,7 @@ {{- if .Values.audit.priorityClassName }} priorityClassName: {{ .Values.audit.priorityClassName }} {{- end }} -@@ -140,8 +138,10 @@ +@@ -148,8 +146,10 @@ {{- toYaml .Values.audit.podSecurityContext | nindent 8 }} serviceAccountName: gatekeeper-admin terminationGracePeriodSeconds: 60 diff --git a/packages/rancher-gatekeeper/generated-changes/patch/templates/gatekeeper-controller-manager-deployment.yaml.patch b/packages/rancher-gatekeeper/generated-changes/patch/templates/gatekeeper-controller-manager-deployment.yaml.patch index 293ff80c8..46e7dfa3e 100644 --- a/packages/rancher-gatekeeper/generated-changes/patch/templates/gatekeeper-controller-manager-deployment.yaml.patch +++ b/packages/rancher-gatekeeper/generated-changes/patch/templates/gatekeeper-controller-manager-deployment.yaml.patch @@ -1,6 +1,6 @@ --- charts-original/templates/gatekeeper-controller-manager-deployment.yaml +++ charts/templates/gatekeeper-controller-manager-deployment.yaml -@@ -42,11 +42,8 @@ +@@ -44,11 +44,8 @@ {{- toYaml .Values.controllerManager.affinity | nindent 8 }} automountServiceAccountToken: true containers: @@ -14,7 +14,7 @@ args: - --port={{ .Values.controllerManager.port }} - --health-addr=:{{ .Values.controllerManager.healthPort }} -@@ -111,7 +108,6 @@ +@@ -113,7 +110,6 @@ fieldPath: metadata.namespace - name: CONTAINER_NAME value: manager @@ -22,7 +22,7 @@ livenessProbe: httpGet: path: /healthz -@@ -148,9 +144,11 @@ +@@ -150,9 +146,11 @@ dnsPolicy: {{ .Values.controllerManager.dnsPolicy }} hostNetwork: {{ .Values.controllerManager.hostNetwork }} imagePullSecrets: @@ -37,7 +37,7 @@ {{- if .Values.controllerManager.priorityClassName }} priorityClassName: {{ .Values.controllerManager.priorityClassName }} {{- end }} -@@ -158,8 +156,10 @@ +@@ -160,8 +158,10 @@ {{- toYaml .Values.controllerManager.podSecurityContext | nindent 8 }} serviceAccountName: gatekeeper-admin terminationGracePeriodSeconds: 60 
diff --git a/packages/rancher-gatekeeper/generated-changes/patch/templates/gatekeeper-manager-role-clusterrole.yaml.patch b/packages/rancher-gatekeeper/generated-changes/patch/templates/gatekeeper-manager-role-clusterrole.yaml.patch index 0199eedb9..9cfd28a45 100644 --- a/packages/rancher-gatekeeper/generated-changes/patch/templates/gatekeeper-manager-role-clusterrole.yaml.patch +++ b/packages/rancher-gatekeeper/generated-changes/patch/templates/gatekeeper-manager-role-clusterrole.yaml.patch @@ -1,6 +1,6 @@ --- charts-original/templates/gatekeeper-manager-role-clusterrole.yaml +++ charts/templates/gatekeeper-manager-role-clusterrole.yaml -@@ -106,7 +106,7 @@ +@@ -118,7 +118,7 @@ - patch - update - watch diff --git a/packages/rancher-gatekeeper/generated-changes/patch/templates/namespace-post-install.yaml.patch b/packages/rancher-gatekeeper/generated-changes/patch/templates/namespace-post-install.yaml.patch index 0cd078747..c7e4a2591 100644 --- a/packages/rancher-gatekeeper/generated-changes/patch/templates/namespace-post-install.yaml.patch +++ b/packages/rancher-gatekeeper/generated-changes/patch/templates/namespace-post-install.yaml.patch @@ -1,6 +1,6 @@ --- charts-original/templates/namespace-post-install.yaml +++ charts/templates/namespace-post-install.yaml -@@ -44,7 +44,7 @@ +@@ -47,7 +47,7 @@ {{- end }} containers: - name: kubectl-label @@ -9,7 +9,7 @@ imagePullPolicy: {{ .Values.postInstall.labelNamespace.image.pullPolicy }} args: - label -@@ -85,12 +85,10 @@ +@@ -88,12 +88,10 @@ {{- toYaml .Values.postInstall.securityContext | nindent 12 }} {{- end }} {{- with .Values.postInstall }} @@ -24,7 +24,7 @@ {{- end }} --- apiVersion: v1 -@@ -132,6 +130,12 @@ +@@ -135,6 +133,12 @@ {{- range .Values.postInstall.labelNamespace.extraNamespaces }} - {{ . }} {{- end }} 
diff --git a/packages/rancher-gatekeeper/generated-changes/patch/templates/namespace-post-upgrade.yaml.patch b/packages/rancher-gatekeeper/generated-changes/patch/templates/namespace-post-upgrade.yaml.patch index cc9af604c..b194955a6 100644 --- a/packages/rancher-gatekeeper/generated-changes/patch/templates/namespace-post-upgrade.yaml.patch +++ b/packages/rancher-gatekeeper/generated-changes/patch/templates/namespace-post-upgrade.yaml.patch @@ -1,7 +1,7 @@ --- charts-original/templates/namespace-post-upgrade.yaml +++ charts/templates/namespace-post-upgrade.yaml -@@ -36,7 +36,7 @@ - serviceAccount: gatekeeper-update-namespace-label-post-upgrade +@@ -39,7 +39,7 @@ + {{- end }} containers: - name: kubectl-label - image: "{{ .Values.postUpgrade.labelNamespace.image.repository }}:{{ .Values.postUpgrade.labelNamespace.image.tag }}" @@ -9,7 +9,7 @@ imagePullPolicy: {{ .Values.postUpgrade.labelNamespace.image.pullPolicy }} args: - label -@@ -77,12 +77,10 @@ +@@ -80,12 +80,10 @@ {{- toYaml .Values.postUpgrade.securityContext | nindent 12 }} {{- end }} {{- with .Values.postUpgrade }} @@ -24,7 +24,7 @@ {{- end }} --- apiVersion: v1 -@@ -123,6 +121,12 @@ +@@ -126,6 +124,12 @@ {{- range .Values.postUpgrade.labelNamespace.extraNamespaces }} - {{ . }} {{- end }} diff --git a/packages/rancher-gatekeeper/generated-changes/patch/templates/probe-webhook-post-install.yaml.patch b/packages/rancher-gatekeeper/generated-changes/patch/templates/probe-webhook-post-install.yaml.patch index 61f57cb65..25cb918db 100644 --- a/packages/rancher-gatekeeper/generated-changes/patch/templates/probe-webhook-post-install.yaml.patch +++ b/packages/rancher-gatekeeper/generated-changes/patch/templates/probe-webhook-post-install.yaml.patch 
@@ -1,6 +1,6 @@ --- charts-original/templates/probe-webhook-post-install.yaml +++ charts/templates/probe-webhook-post-install.yaml -@@ -37,12 +37,10 @@ +@@ -40,12 +40,10 @@ containers: {{- include "gatekeeper.postInstallWebhookProbeContainer" . | nindent 8 }} {{- with .Values.postInstall }} @@ -13,5 +13,5 @@ - nodeSelector: - {{- toYaml .nodeSelector | nindent 8 }} {{- end }} - {{- end }} + backoffLimit: 3 {{- end }} diff --git a/packages/rancher-gatekeeper/generated-changes/patch/templates/upgrade-crds-hook.yaml.patch b/packages/rancher-gatekeeper/generated-changes/patch/templates/upgrade-crds-hook.yaml.patch index 5dd2ed1b7..eb08bd6dc 100644 --- a/packages/rancher-gatekeeper/generated-changes/patch/templates/upgrade-crds-hook.yaml.patch +++ b/packages/rancher-gatekeeper/generated-changes/patch/templates/upgrade-crds-hook.yaml.patch @@ -1,14 +1,15 @@ --- charts-original/templates/upgrade-crds-hook.yaml +++ charts/templates/upgrade-crds-hook.yaml -@@ -87,26 +87,14 @@ +@@ -87,7 +87,7 @@ spec: serviceAccountName: gatekeeper-admin-upgrade-crds restartPolicy: Never - {{- if .Values.image.pullSecrets }} + {{- if .Values.images.pullSecrets }} imagePullSecrets: -- {{- toYaml .Values.image.pullSecrets | nindent 8 }} -+ {{- toYaml .Values.images.pullSecrets | nindent 8 }} + {{- toYaml .Values.image.pullSecrets | nindent 8 }} + {{- end }} +@@ -96,20 +96,8 @@ {{- end }} containers: - name: crds-upgrade @@ -31,7 +32,7 @@ args: - apply - -f -@@ -120,11 +108,9 @@ +@@ -123,11 +111,9 @@ {{- end }} {{- toYaml .Values.crds.securityContext | nindent 10 }} {{- with .Values.crds }} diff --git a/packages/rancher-gatekeeper/generated-changes/patch/templates/webhook-configs-pre-delete.yaml.patch b/packages/rancher-gatekeeper/generated-changes/patch/templates/webhook-configs-pre-delete.yaml.patch index 3761372aa..9b47c1b16 100644 --- a/packages/rancher-gatekeeper/generated-changes/patch/templates/webhook-configs-pre-delete.yaml.patch 
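Review bot: The first hunk of upgrade-crds-hook.yaml.patch leaves the rendered template inconsistent: the guard is still rewritten to `{{- if .Values.images.pullSecrets }}`, but the line under `imagePullSecrets:` becomes unchanged context that reads `{{- toYaml .Values.image.pullSecrets | nindent 8 }}`, whereas the previous version of this patch rewrote it to `images` as well. With values.yaml.patch in this same commit replacing the `image:` block by `images:`, `.Values.image` is nil whenever pull secrets are configured, so the CRD upgrade job would render `imagePullSecrets:` followed by `null` and run without credentials against a private registry, exactly the case the guard exists for. The nested patch should keep the pair `- {{- toYaml .Values.image.pullSecrets | nindent 8 }}` / `+ {{- toYaml .Values.images.pullSecrets | nindent 8 }}` instead of turning that line into context; a `helm template` with `images.pullSecrets` set would confirm the rendering.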
+++ b/packages/rancher-gatekeeper/generated-changes/patch/templates/webhook-configs-pre-delete.yaml.patch @@ -1,7 +1,7 @@ --- charts-original/templates/webhook-configs-pre-delete.yaml +++ charts/templates/webhook-configs-pre-delete.yaml -@@ -35,7 +35,7 @@ - serviceAccount: gatekeeper-delete-webhook-configs +@@ -38,7 +38,7 @@ + {{- end }} containers: - name: kubectl-delete - image: "{{ .Values.preUninstall.deleteWebhookConfigurations.image.repository }}:{{ .Values.preUninstall.deleteWebhookConfigurations.image.tag }}" @@ -9,18 +9,9 @@ imagePullPolicy: {{ .Values.preUninstall.deleteWebhookConfigurations.image.pullPolicy }} args: - delete -@@ -46,7 +46,7 @@ - - mutatingwebhookconfiguration/{{ .Values.mutatingWebhookName }} +@@ -57,12 +57,16 @@ {{- end }} - resources: -- {{- toYaml .Values.preUninstall.resources | nindent 10 }} -+ {{- toYaml .Values.preUninstall.resources | nindent 12 }} - securityContext: - {{- if .Values.enableRuntimeDefaultSeccompProfile }} - seccompProfile: -@@ -54,12 +54,16 @@ - {{- end }} - {{- toYaml .Values.preUninstall.securityContext | nindent 10 }} + {{- toYaml .Values.preUninstall.securityContext | nindent 12 }} {{- with .Values.preUninstall }} - nodeSelector: - {{- toYaml .nodeSelector | nindent 8 }} diff --git a/packages/rancher-gatekeeper/generated-changes/patch/values.yaml.patch b/packages/rancher-gatekeeper/generated-changes/patch/values.yaml.patch index a3528259c..b2222ffa1 100644 --- a/packages/rancher-gatekeeper/generated-changes/patch/values.yaml.patch +++ b/packages/rancher-gatekeeper/generated-changes/patch/values.yaml.patch 
@@ -1,44 +1,44 @@ --- charts-original/values.yaml +++ charts/values.yaml -@@ -37,10 +37,13 @@ +@@ -39,10 +39,13 @@ admissionEventsInvolvedNamespace: false auditEventsInvolvedNamespace: false resourceQuota: true -image: - repository: openpolicyagent/gatekeeper - crdRepository: openpolicyagent/gatekeeper-crds -- release: v3.12.0 +- release: v3.13.0 +images: + gatekeeper: + repository: rancher/mirrored-openpolicyagent-gatekeeper -+ tag: v3.12.0 ++ tag: v3.13.0 + gatekeepercrd: + repository: rancher/mirrored-openpolicyagent-gatekeeper-crds -+ tag: v3.12.0 ++ tag: v3.13.0 pullPolicy: IfNotPresent pullSecrets: [] preInstall: -@@ -52,8 +55,8 @@ +@@ -54,8 +57,8 @@ labelNamespace: enabled: false image: - repository: openpolicyagent/gatekeeper-crds -- tag: v3.12.0 +- tag: v3.13.0 + repository: rancher/kubectl + tag: v1.20.2 pullPolicy: IfNotPresent pullSecrets: [] extraNamespaces: [] -@@ -82,7 +85,7 @@ +@@ -85,7 +88,7 @@ enabled: true extraRules: [] image: - repository: openpolicyagent/gatekeeper-crds + repository: rancher/mirrored-openpolicyagent-gatekeeper-crds - tag: v3.12.0 + tag: v3.13.0 pullPolicy: IfNotPresent pullSecrets: [] -@@ -97,7 +100,7 @@ +@@ -101,7 +104,7 @@ probeWebhook: enabled: true image: @@ -47,15 +47,16 @@ tag: 7.83.1 pullPolicy: IfNotPresent pullSecrets: [] -@@ -121,13 +124,13 @@ +@@ -126,14 +129,14 @@ extraRules: [] enabled: false image: - repository: openpolicyagent/gatekeeper-crds + repository: rancher/mirrored-openpolicyagent-gatekeeper-crds - tag: v3.12.0 + tag: v3.13.0 pullPolicy: IfNotPresent pullSecrets: [] + priorityClassName: "" affinity: {} tolerations: [] - nodeSelector: {kubernetes.io/os: linux} @@ -63,7 +64,7 @@ resources: {} securityContext: allowPrivilegeEscalation: false -@@ -171,7 +174,7 @@ +@@ -179,7 +182,7 @@ weight: 100 topologySpreadConstraints: [] tolerations: [] @@ -72,7 +73,7 @@ resources: limits: memory: 512Mi -@@ -209,7 +212,7 @@ +@@ -218,7 +221,7 @@ disableCertRotation: true affinity: {} tolerations: [] 
@@ -81,7 +82,7 @@ resources: limits: memory: 512Mi -@@ -248,10 +251,16 @@ +@@ -257,10 +260,16 @@ pdb: controllerManager: minAvailable: 1 diff --git a/packages/rancher-gatekeeper/package.yaml b/packages/rancher-gatekeeper/package.yaml index c953f4990..1f04bcb54 100644 --- a/packages/rancher-gatekeeper/package.yaml +++ b/packages/rancher-gatekeeper/package.yaml @@ -1,5 +1,5 @@ -url: https://open-policy-agent.github.io/gatekeeper/charts/gatekeeper-3.12.0.tgz -version: 103.0.1 +url: https://open-policy-agent.github.io/gatekeeper/charts/gatekeeper-3.13.0.tgz +version: 103.1.0 additionalCharts: - workingDir: charts-crd crdOptions: From 74a37275c14039cf3febcff1eee2b2e28d5de033 Mon Sep 17 00:00:00 2001 
From: Diogo Souza Date: Fri, 25 Aug 2023 23:59:25 +0000 Subject: [PATCH 17/24] make charts --- ...ancher-gatekeeper-crd-103.1.0+up3.13.0.tgz | Bin 0 -> 13483 bytes .../rancher-gatekeeper-103.1.0+up3.13.0.tgz | Bin 0 -> 18027 bytes .../103.1.0+up3.13.0/Chart.yaml | 10 + .../103.1.0+up3.13.0/README.md | 2 + .../assign-customresourcedefinition.yaml | 757 ++++++++++++++++++ .../assignimage-customresourcedefinition.yaml | 237 ++++++ ...signmetadata-customresourcedefinition.yaml | 655 +++++++++++++++ .../config-customresourcedefinition.yaml | 105 +++ ...intpodstatus-customresourcedefinition.yaml | 67 ++ ...ainttemplate-customresourcedefinition.yaml | 357 +++++++++ ...atepodstatus-customresourcedefinition.yaml | 66 ++ ...siontemplate-customresourcedefinition.yaml | 200 +++++ ...atepodstatus-customresourcedefinition.yaml | 62 ++ .../modifyset-customresourcedefinition.yaml | 676 ++++++++++++++++ ...torpodstatus-customresourcedefinition.yaml | 65 ++ .../provider-customresourcedefinition.yaml | 78 ++ .../103.1.0+up3.13.0/templates/_helpers.tpl | 22 + .../103.1.0+up3.13.0/templates/jobs.yaml | 126 +++ .../103.1.0+up3.13.0/templates/manifest.yaml | 14 + .../103.1.0+up3.13.0/templates/rbac.yaml | 76 ++ .../templates/validate-psp-install.yaml | 7 + .../103.1.0+up3.13.0/values.yaml | 21 + .../103.1.0+up3.13.0/.helmignore | 21 + .../103.1.0+up3.13.0/CHANGELOG.md | 15 + .../103.1.0+up3.13.0/Chart.yaml | 26 + .../103.1.0+up3.13.0/README.md | 226 ++++++ .../103.1.0+up3.13.0/app-readme.md | 32 + .../103.1.0+up3.13.0/templates/_helpers.tpl | 114 +++ .../templates/allowedrepos.yaml | 35 + .../gatekeeper-admin-podsecuritypolicy.yaml | 38 + .../gatekeeper-admin-serviceaccount.yaml | 11 + .../gatekeeper-audit-deployment.yaml | 164 ++++ ...ekeeper-controller-manager-deployment.yaml | 171 ++++ ...per-controller-manager-network-policy.yaml | 30 + ...ontroller-manager-poddisruptionbudget.yaml | 24 + ...atekeeper-critical-pods-resourcequota.yaml | 23 + 
.../gatekeeper-manager-role-clusterrole.yaml | 186 +++++ .../gatekeeper-manager-role-role.yaml | 37 + ...anager-rolebinding-clusterrolebinding.yaml | 20 + ...eeper-manager-rolebinding-rolebinding.yaml | 21 + ...guration-mutatingwebhookconfiguration.yaml | 64 ++ ...ration-validatingwebhookconfiguration.yaml | 113 +++ ...gatekeeper-webhook-server-cert-secret.yaml | 14 + .../gatekeeper-webhook-service-service.yaml | 38 + .../templates/namespace-post-install.yaml | 168 ++++ .../templates/namespace-post-upgrade.yaml | 156 ++++ .../templates/probe-webhook-post-install.yaml | 50 ++ .../templates/requiredlabels.yaml | 57 ++ .../templates/upgrade-crds-hook.yaml | 119 +++ .../templates/validate-install-crd.yaml | 25 + .../templates/validate-psp-install.yaml | 7 + .../templates/webhook-configs-pre-delete.yaml | 144 ++++ .../103.1.0+up3.13.0/values.yaml | 281 +++++++ index.yaml | 44 + release.yaml | 2 + 55 files changed, 6079 insertions(+) create mode 100644 assets/rancher-gatekeeper-crd/rancher-gatekeeper-crd-103.1.0+up3.13.0.tgz create mode 100644 assets/rancher-gatekeeper/rancher-gatekeeper-103.1.0+up3.13.0.tgz create mode 100644 charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/Chart.yaml create mode 100644 charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/README.md create mode 100644 charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/crd-manifest/assign-customresourcedefinition.yaml create mode 100644 charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/crd-manifest/assignimage-customresourcedefinition.yaml create mode 100644 charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/crd-manifest/assignmetadata-customresourcedefinition.yaml create mode 100644 charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/crd-manifest/config-customresourcedefinition.yaml create mode 100644 charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/crd-manifest/constraintpodstatus-customresourcedefinition.yaml create mode 100644 
charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/crd-manifest/constrainttemplate-customresourcedefinition.yaml create mode 100644 charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/crd-manifest/constrainttemplatepodstatus-customresourcedefinition.yaml create mode 100644 charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/crd-manifest/expansiontemplate-customresourcedefinition.yaml create mode 100644 charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/crd-manifest/expansiontemplatepodstatus-customresourcedefinition.yaml create mode 100644 charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/crd-manifest/modifyset-customresourcedefinition.yaml create mode 100644 charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/crd-manifest/mutatorpodstatus-customresourcedefinition.yaml create mode 100644 charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/crd-manifest/provider-customresourcedefinition.yaml create mode 100644 charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/templates/_helpers.tpl create mode 100644 charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/templates/jobs.yaml create mode 100644 charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/templates/manifest.yaml create mode 100644 charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/templates/rbac.yaml create mode 100644 charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/templates/validate-psp-install.yaml create mode 100644 charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/values.yaml create mode 100644 charts/rancher-gatekeeper/103.1.0+up3.13.0/.helmignore create mode 100644 charts/rancher-gatekeeper/103.1.0+up3.13.0/CHANGELOG.md create mode 100644 charts/rancher-gatekeeper/103.1.0+up3.13.0/Chart.yaml create mode 100644 charts/rancher-gatekeeper/103.1.0+up3.13.0/README.md create mode 100644 charts/rancher-gatekeeper/103.1.0+up3.13.0/app-readme.md create mode 100644 charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/_helpers.tpl create mode 100644 charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/allowedrepos.yaml create mode 100644 
charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/gatekeeper-admin-podsecuritypolicy.yaml create mode 100644 charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/gatekeeper-admin-serviceaccount.yaml create mode 100644 charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/gatekeeper-audit-deployment.yaml create mode 100644 charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/gatekeeper-controller-manager-deployment.yaml create mode 100644 charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/gatekeeper-controller-manager-network-policy.yaml create mode 100644 charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/gatekeeper-controller-manager-poddisruptionbudget.yaml create mode 100644 charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/gatekeeper-critical-pods-resourcequota.yaml create mode 100644 charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/gatekeeper-manager-role-clusterrole.yaml create mode 100644 charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/gatekeeper-manager-role-role.yaml create mode 100644 charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/gatekeeper-manager-rolebinding-clusterrolebinding.yaml create mode 100644 charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/gatekeeper-manager-rolebinding-rolebinding.yaml create mode 100644 charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/gatekeeper-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml create mode 100644 charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml create mode 100644 charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/gatekeeper-webhook-server-cert-secret.yaml create mode 100644 charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/gatekeeper-webhook-service-service.yaml create mode 100644 charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/namespace-post-install.yaml create mode 100644 charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/namespace-post-upgrade.yaml create mode 
100644 charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/probe-webhook-post-install.yaml create mode 100644 charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/requiredlabels.yaml create mode 100644 charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/upgrade-crds-hook.yaml create mode 100644 charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/validate-install-crd.yaml create mode 100644 charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/validate-psp-install.yaml create mode 100644 charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/webhook-configs-pre-delete.yaml create mode 100644 charts/rancher-gatekeeper/103.1.0+up3.13.0/values.yaml 
diff --git a/assets/rancher-gatekeeper-crd/rancher-gatekeeper-crd-103.1.0+up3.13.0.tgz b/assets/rancher-gatekeeper-crd/rancher-gatekeeper-crd-103.1.0+up3.13.0.tgz new file mode 100644 index 0000000000000000000000000000000000000000..731b283d58ed2c63047f653622001355fc644fac GIT binary patch literal 13483 zcmZ|01ymeM)GkVb2X_k^+}$N;a1ZY85Znpw!QI`R!EGS8ySux)%!PB#yZ68Ay*F!3 z*Phz;Ro8T_?)_C0hQpwPeSAPvU^M#Tij0QhGVIcBTxNm}h&jPyn{W~Lz_15Lt~xur+2OeGL?s%w#hQm^;1k8b%^W$N{830@_m$yIMJ6pJ zm8gSqLJ)OELgj(6v|AL*MU!T%++6(ZpeV7tSgba@@KBOQj`C?_#BkI~s8cM}NW*cm^aZ)$OZI+!@#5SwyAC8OAK`>(EObOYX(vgeynM78!CqG;=n`gSyL;eA^aw9 zDL8;HBu#WQ4W=6ynISeCB2&`Ba`57A8Y5>_zC`>@!a_&mm#1J?UuQ_;mPQsvS8REM zk09J3UIj6~$^%Zf?Cea6zyh4Pf|NslEp`+p{quO5pvOU5$nvBZL`tr5rxxqjugI*= zq!b}3%-~JUs?&un>^TonFkr> z+ip}W&$@VnykJl=Y6H5vD%*WTo$+6!nr1nEZ)W+VMp%6T$~nhXm(ANQ0Ls`I62BxC zQ^CIpxG^>Lz8d1ABafgCR zpwQfzS0`;YV!LYCYe-!#mTx>yhc(Yc5fcz?S~K>AIenTk+&q81j4P>LYkO?XH*cI} zy6x*xQjg+pVv=xEp++&r5n_@?7mm5--p~=WBX>a#w?7c?Z46LFc&$9&--`pU^TzY- zQZIo8U?h$^E&og3e1b%QRC(B7`Yq*DwxCdsPmYOC`Y0X*>Y-RZ^2NUb-RwLphP}Bw z!Jl^aOBlDB3n_C7y#MiwP zm^s1a_T4Q{+2h7}g9Jb;pF#!$`edO=-Y?}mmEuwpsxCd*ZBe3qXos;XXwzu>lAsY> z=jXdB+6-7!h5Mw9U%bSdx9*4fB8H_0jJr&5N&YO!6I57^W@{;9jF~6?k4h%`;^rcG z_$gEJaa*cEWMw0S8QgC9N-5wKT3{Cysq4xs)zO*3#N(*9g*gR~5(6XHhd~4clPX26)s%V){ll~7w5Add}2hkvbK@bDx_>FDlO&L%<;_2tdg~N z5*p7mj)ri!L&_$vtWnkN>DMoI==O(FAQDswNij_AIB_FauA?b5ZnJY)cZ4~VPTD3& zRQJxo%0K0)Z<%U_i(z(U`5c*Vw3rP+1@40Tyty^pX~d{cPPg@z(f+9#$>sDPKE$i6 zgh*gjDDWiKr4>ibNFYGi)a#Co)&AK=WRA-~BNsGnAyL}xA5Ede&I2QwPr;C;XwDZ^ zkj}w7hIs?XysuqxPKgmcl!UT|j6LWl)v1I}l!4RU$56PgV`eIlj=cU}l<+ujEv(XP zW5J-AO!HSgN(s;bxTC3SaBXA0R&7zx5D)$#`b+TEruc>Qf$8y2H78o8xij_^irH?v z@s4F|BF`)-!Sz(nrrkb411ZfWp@$S|y;+mxc=P;f!3^~oz3$>!H)^3y{RyKV{R0BN zth$iF9Uey0_y+&=;C%{v!hpn3XR)L*%It54+v}{dEG-Im`RC4QkWz}bi)G&R3&?R4 z{Xg_JNse@jGVTMzDhl~Ua*rP*&Ww&)NN zxy1F%Q(g>{jNM*a)g){dH{{QgwQxGrM0{N*=leSc7#(7L0hnIFzM#a9-LhUu{~St9kMyK}o0>W4B0U*{5$y z-a{!vGv@4Klaz5^1kN>ReD3GJ{MvKdaYBp>R4`}es&#yFC2ACu!#Ap7* 
z8Zyayl1mh!P2tcIfzY7>Dn=!Is&KlOPjeFeKvlGI&Ty5Q&)odiRznfm(@~!b5U7D# zEkOAASzmMC?y(Q?8tF#RJ@KX?IwH9`#}u*aOAx@Z|$Or`fVEzAu*n zG!N{q3SqJEV^#F4`DK9ncmU3#}-cC^J z?+bv%#>)}&e8=Y|W=%8^X^Y&=qtyh6#NVkbusLhtS}$Pve!=k;r&QSJ5q2b%hxbJU zprBjO-R@)WaT1WEC5pXe4zyXfJ^OGzImx00ii+tl7vf2O?vm#ioK2_HvlI`Lo`NAC z)?n=|I>ReGo2h=I`NK*=mPXb?-qWIlXQmAb9+wp>qIsyw+wbph0trY`Yq~qVCB(*c z!Gkn8Ua%f7RB1Z_M4{0Xk{6tFN)hBhC-$7Uh+Y(o!mAY<0?6Pzy?TS|gn-a=LRTfj z>U?sMC5;qkd#LacHaz7oyUv><+_FXF>Kml!CS7b+vpQCpv4N~VSL zG*-0GPY&FIJbuC zq{5C9wN(lW3;4?(=1nM$3iP8Dl-Fi3k|==+cJ!au2s9jw&jM6rScV^@tsphE)_JE=CFn^! z{+=D_!lXYQG}BjWC_WVhO23L!tm6$$dQP* zPo%v5fz6Ui8NFx(j3?;yF;%AK`~0bmahQ-Cy;gZSLIErZwv7l5x05KApEHh)V^^M~ ziZD%eyKJdY;301*!L(1{DvX?kO~60S)Y29&^^W1hE`EGYib)lf4hz86 z0MCN87tt3IrY1v?N}h-|iv8T4W1x<10;er5R0^1^O}`)!4XmJHohP0jWN3UdH$`80vyLa*d~yjYJkX zS7MIGnr1>~yXkIm5-AfI=fDPs;zw)gkSzG-IGS`nBqu1?Lw!b#>i|c5uJ)_7N{j#A zbt|!z%dw$LgQeH3-qzXiDTa0`ITNThew7VV_q1q%0@od@+Yhwyp(^N2`?8Pk*fHmJ zLfZggqIgcCp-h|Xx6B2%->ZNuEDbGSy z6l@>XC=|nM(&E!KMS_ZbF_)CdF-@r#-((cIIO`A+3GSY(Q@l=PLTy?dX1s>-ZV~>S zDp-;dMSGqXkw#UFB(@`o+*ScvlvoLsYhf>hlvV*N^$~n_p&P1{4I)O9d}^%n1l2Q) z*6)$Rr}+T09xu#m39t)oCZ{`ntsd|Pb(*uDcHMriC{0fqY7|= zglCz|bhvNQ=c`XOwHWr4a)N3)#=z9s!{ef-1WgL=w~;>`RQUyot5Qf-e-!D$cu-Up zr|G)X&JRok8EVyPSam9Tf94pcO!MC4avY~q%*a6IfhGnJN^J_{mm=d$L)p-dSs@N` z$iTj{rRGxo1f-Wq^>do?X6kCUoc#=mhx%TDg@&Z(VmmM1$?2?);Ig7*>Ug4QIchdK zhn`Plh-q;qY54sj0P12+=C)ABWeg+D-Rf#Wc=k8F^?uEu`7B>c8DnPR*N#cUG>@P3 z8$}`mSZIkmbFD4AT{53gTSc9r3|WR{ejOUMxLsZ4Wg?0B;Au)wl#~D~#*{DcFcm@; z93=zUd9aj6o3+z1RdbC2i|sdg zU{ejKbdpI@p_w$?I+LwVfn;0z*7IuFLMs!?emVW);>b}Z=@dt$rIgB!hBm7yaqQ}Z zvLwt}M98N^sYSs6&E7!;)0=GgMB5yvY=0`fz}@^nfw^w5b@t#i(VD+P95y6uqQE==NQj=$5VK?DC zH?WU7waKeFXoM54glJ^5u2eDiI$vCBhHE^jc{QWA{!RBq1D&bWLFYD>y1l7|ew7YK zMTcIz)b#9JgEn>Wnj${{7N@J3YcRxo7r#!^yct&;JTAL`JLs)ZlM^7bA;bxd9u!? 
z5H4GO%uKV7kI@OHWNa8S;;8y_wwkJ0FXIOh7^Ai05(tpk>4aLqi+dKiIp<1ieLTlJ z&k!=besdnmabexuu0NF5V*j^;QJrGXB~Ha*oZX`T^Pn~*9wpFLWtbDPq%`Saa;V=~ z_35xQ(0UWeelBwwF(sBY^UN}#=0%x9zR5$LP{a%QR&WMdfsmH$LGLNI+XDaN<9#4UXI^XU{%iM|{04(I6@-aJ_aMyP15@ovo2Fg|Yra`pe zh6xF_f5vFu#<3P$6F!7@ek_Q+Uq+4#eNoZs`nSC4a_!+z+X`7qIID7LJ6p0VlnXT& zN2cC0KZZO8j@=M8G_57+{>($y;-&xLhpO58k@rtO4c~NB<`F^{RLZ4!b9F|&*xN#i zrhJ@I_AXC275Zs;0_qHe45smsF^f#CC|^~O9YH^Wt-S@_nnx`=VP~Q>5t$$DjovIw z#!#2eF3zh=ySr)H1Xr`Z`}d;Wl5bdPeJl$XV+7N~z2S?*nGPQ8N9<}YQ0B)L8wQQ5 z!U9X#BjJGGtzx-4iDBg;T@On{Q|Bv!F?R8|@_v}UZ{-bcMdzkfhhl4h@)%!Of=fb3fY7SL^*&*>Hbl~-JYZT=?0AlVIy;c2AbD2s;zVC^BO1K3+L z__+b9;9Mj1YcT-xGER7YaUb=`?2J>s=W`AFM%3H1_;nN&hHZ<-TkYmRjLPOW^U*aC zR-2*fQ&Sz__@9WRx`6OIDvpyq>2ZZi{53rd9XEoCrogmjH>B&LU<@7%&&w8e{+1e= z^@OmdRiR}xXY<|3oxq+Y!g|d-TTL8m>c!ueP(cbPwY2F~6FYA7QfjbKI2Yd3SY_FO z^6oGkES1rRUwy;gjM?koacZosWei1PNwI$KzLK6-&3*Rzd(>1D8r8EU{8>244aWrY zhWVz3i0yv#_Q+6j=7lez%w_d)X1xtht2y;(>nB}bRHhsBbD%gv7;L-n z#25QcNxZtt9Qw*NcGkp25f>+TRt2GPyK^vF=@)ZzEpSe`#J&Nx5II!bgqaaY(aI8} zyciAs#X%v`6;$X?Y(o-9_ky;+mX6dE&G(WZ#%y825z?0ssZM~$(i-Dr*rDk^xbSjI z+<=fGD~>ZzNUe%%yUi++`{fKc@Ts($1i9pdNo)J)44$E}sK*tJ=|)2%>yU&^#m?hg z%l2?pJ+O=IQHbGv+zxKk4Nd|r63qp84rK$4ecdu4UqzM4Tba1XH6asvD8!)Fa1vS6 zbuLrsDhNe(0RZeOS0k!p(RGWQRw6|+=3Nr2yIxIpInF4m5)Pb*Kd!3cKk(6XaOv9Z zF?ZV*ReX>n*wbkC3yBnri;ora^?<&AY5ID1D&~RWtj; zCh;lYiy?{3Mvie1dpZDvRXuT{75ORz7pXomH-S+{bBH*d96i2SlWuC+Kc>l>foKpl zf?kiZ6S|`KdBXGnrz6s2)+x1z+r(XpVFmu#&TUf4$*rjAVnSAcOF&DDR5eF*Rd5sLi>?IB zmml(+e%(wL`wWB+{@HdPDo;FnWb{Ap@+V>#7{TwFPS}FqVLl%bL4PztALc0Nf1Zer z{P_k%-xpfoGdA2mtE|wi;6IVagZ_07Y(${->&6TH#|1AX=-=osHt{6?X8$L%sws|N z_pt*pWm_!92c-1~8g}9jeL+CBT^us{TG>HEwjBuLDpGzEt@OXZ-zeKUtp9<^_K)rV z9z_v5_&?~fFM{9UzK8pPjO_Ot8KVAYFbYHfQ8uDI@_R${-w7y2%H?11*ZKh87FF~8 zV=N5Hgd!g!ytIP($6elaxr>CdEr#;Lr7gz%zf9+1RR8Ar_k=kmzT@Y|^6REie?K+Z z7o$xEXdikVNtiDju!5WIVf?t1FR+CSJg~6=4%9&f!g=x{&^aMNaIw`?2}fNTE>?mj zj%K3-0%Q?kdN;Fr5}3b)@$x3k9PK@=-UuVbXg~ry{9OEA_O70u?v9SUxEX&kBmT(# 
ziHgeVI$*+%mJt0LH#uir;d}-sQ6Po>J3qo(nU(3sDFL{TLz7__=%PE~MU&$S>v7;b zUho*oRu?llP=_&nl61luL~2;WZtt|)ahRrH$N5E!2hnot3sxL+^fh>yY6ehGqM%{O zidNs;9%^kUL9k%w&yOLz_(>dAV~3*42J2<>vOrz>HiPWZ8$y-!wyQZ=TvNZl7^&sR z#-UvG8eZGlgoNe$+dTUZ7gO_@)_y!{D0^x@kv)$2w~~m$tZT!*_x2m@ zUn`~war4@+cD8B2jdFZwXD*@7uxu8uf*LzaT+wgW0L8JK#SRCGuT- zx#UJ}LxiXT2S&^N)0*$o>p<70Ui{ZB_^=NJu8-C&fbtf4As667@^W4E1@!m$`@aVN z-X@56U1aus{*XK6y^!Byy{oNY{%yIV8+^S2j=$4C_*K6p`7NAi(760ExjT<$P|Qr` zMH4YbSXsGuB(ZW0JVOyT@&Q&E<@3Yys!vRO{(?Oxv;>yULiDW zS6E>ATyc#0xk74DgGMNu?Q;c+nfCPBJZwFErYA|dlg~?4l+E(j&nsadK3;BId_GMe zD3gGI`0ZX{N*4l@7OcaM4zaMVVyaV~`}=hmis&L&%NYYs%iT@DPH%ZA!?)`Z;AyS4 z@p8r!0RHVO_GXv$G$B6)XSME%7YdNyNB6i1C(o6EQxLCWi(!NIn^CGhJq8)TK%kPdcl|i_Z0Lp_FA3GprKk zw39!gZxIZy=myniITY8Wsjr{q&f$66?~!CkI^ZvjLl`Vg9r!xneRW}8gf@~ST$}D8 z@z01a;66H*g1$m{zsulWOcPk(UX4eLP)`Qgw$NPI2jRXQ9}ZZbJ3nqxtD&1emLOL` zL*I|(RJWKvq>BNwuS3`M?ivHV2#!P#O~dI1-$BjRt%C7vp`pK2+V`b>VM%zpuYf zmv0C5!LlIY2VRDMGcx@DOxMRy->2(ee3oSY4c%hs|3OUrAL4)Uv%ilazM@l0bVJoa z_#?Y2nb&Gp6-9DKCaE~;SP6Dw`uIEPD1?H5MXIkvJu5g6N0o-qBTe0L!P0Mrx_3dX z7Av|k*Js9xoAH$}4fG>#atIWhxBsJG4lyc9F6z&pA9>T0ag&qR+mnN6*nCjn%q1bN z%u6j5vtwSwB@np~vCP)XDtgaS%%? 
z#1dwT5$zmQUF8ag7t0sKA3(GI-tyM&-hB9-m#!l{Q${sKu7zL3>UtDK@FyU_f`LE5 z131ZkVG=ZE)0}9eW6O;o|8k=ii$n3g~3ax2i6gs1sJD{d{ft zYOXz2cw6y+n6NTKC5ty-he2LnaDfo2KC|I{m~1XOi9nI8W7bY`pws-jIW|`x4*Ei_ za*uI<6azeO3t?nTV8CDhI<6u(MOUH0EJJ7ZI#SJEsXMdT&3dE1?E3TBX3Omufx@yK z{;uRC9(Cf76(tg19*v_Vu^udqSXV}ntlQUXO*&Kf=#`RJ4L0kNHd}bF{jJm0RetTY z;#z`mH~%MhNc>~2j@jth^t&T&fgf&;^JpSPzwfzDOQ(U2PPM5NSxZHA5=Vz12mJx6 zs1q2g9eAsIP-G?{ex~xP&$!r+q63ge{Eg}bs6tkj8vHqL6;Ca#XbtZ`V*sgdUfaKn z>*yum*s;ljFwE-YCv`0386o$qgQUBrq=t~B2DPNV#RYI=2hb*!Zu;)c zym;E8PZ+&o1(-D^+>{N7&*San!EE*oFC+W)p7M~T7KG?;s=4UnZ9kO#FlzzEZfpto zwB9NdNuE7EVen}Wfn&+1)T|)uabLbXvSFPs*{j1aLq&Iu&-yxNFqoV$)l>6tTzPqi zP7N82vHP-nu9(XyCy7p8r!Lp;u=sXO$cbb5qJ5NzbcdX^`Zx$LhOR@eh?)JXG;hwj zz8=ji_umeN+}}2*PN54zE?Z`7U8&g`>`9>iHgLeTGm5aYo!N~hIDZ8K??PI1tXC17 zp|eAh6#$_%jgeB>VT`FtF7ttb^@}{Y#*yC9G&-N)*QRg?zZW;|lj^999ghZ%!a_P& zV|YrXG{g1$K5M?fLPH2B>9T8obN@4jv205+ZPXVlgRI(mK1yCBwOEFP4qfV^Ojk%J zOmb}w?Jzx-V))K2-t0v)EqpJ%Z6VAt#(urPFr3>TyYo;d^Fr211k&MH={Cevtdg`$ zsam7KW0B(POdD@U91(f83rYR;%fGGUV1G3F9enRbUZnuxm#c2R^9`=pUysd+x+%Tz|J#WA4MV?<0Iq& z)VuSD&*Alv9LCB!9$G`+T;}~YY~m7o-F(m_vJmP4{-K&D1EXy&`}S$+QLDoepRDda z^_)&B9Y6?EU~>Z}V1r~CA4=2pDlm`yAG5252JmU1kp1( z`X;=Ko<&$oIGpYLGzOb56GA6Q8E1AUhW(2eJW(e zpj)9wEX7yveJgfPe7~GK2rOusXzD-8FWJ-dPMU~dw_1|7XJ#9M=veuV37PYl=X;&F!Sf52JR?D_nHme|eURg#Dh&CgwL`oNJdOrFz@T)V5uHa2tJr|E&$FaGjkpT(R?wFKZM z<1iIOd%NupR4k)DD3JP}=!9c)20&P_XkJJu?u0lMja6kTYdwJC9(r_7>r2o zr90HpP4xQLOW5Kk`GM&%YEK69kdwx;s?qR|d~R}02Wj&kz_}>l+vXuF{9M%q(ttW<>kViM+Db1Y+=t>;ZvR)t+@?6Z(_l)+|m>Jeu!v} z$v1krG6#%;|D$II7N6Yd{d>Sz!W#Tx;)p4vhEW*gSoF|2x}lr#P}Q@&jqx(SIe7go z0^|{KGanA}pnOoRt2AQ*FU9bdrv)#7=Vb|t-Zi4d!zP@grwruP* zy!0&e-@`l~)%rII3js9SHG##*bdVv5PeP{(B2r!zB~h=YyFvLD!YfH~6?f~Klh>ws z3C{w5WD&Ezy&Wq|VcCLq<5(^zX7TTIlp1j3&H*LQ_&;edb>2KjvxiI6Yu1Lw&!Oj? 
zOux}ltPw0~&N9Sl^z8kS6?bKBE0n@r>NiXTlIDvPht*&BeK30lh8ZF8yhiS_-E>OVetYLW zPdR%t*oHMnwR*I3uYCq=>kLX5_y6*7DxQ)vE0CHgRAPBvSWR0t1q5lx@t(m+0z9kX z)jRXQLsGuZuPCi{!=rW13Z7VI6v_SwUG$^EdQgTCGKZT-sp1HKsnnQ85AdU+#%7Y* zc^U1U2nome=|KINQ;tZg940~qE?JGX*uxoa7T>y#M=tMF{K3IJ z*UxvLf>z$XY}g;=yVlzRmd@u@lgwv z38zk)GFGQ!FW`^Lb_s^=`Ht~X{?e~T@^61Jwk!esLHx`(-->3f!{~+}y_YFdcVw&n zHBdyvE#7z=|AtCILxA5O^mdojF5tb0$N$wuOLy?7$rW`I$7{h!oZ zP+QCH84n35l#lT3!ic?+7I%tGX4^~gzQ4j&pURYkg@s)i3&u;3C^`vyhGGug1msT# z8>}MM05f%KXNL3f&VPxweS_aJE}N4aVqpVfKO#N#ido6nPvbVayGSQsA8CF}r`Iee zMrbYzX18Bh3KMIO8&;f$mzuTz2kCYXYXpsb^f>>tRtIpvI(z6-;}|VKs1_9rCoypu zE7MUdz*3zrXeH|z8itg(9eLFb7iDpK3y5bV2IstYxlLSemUB%gn`C2zb?3DaFNdtr z*@B%|2s7r_URJu>bRH{6sKqSoA%(9zw6E@DUxrQ^?D}#7c+8M;$&*GJX$7t}$RcBL+Isph*q))18BMcOR0 ztYGO8nRoqF&1!;oi-o@CgMT_;zh1bIG_vSf!n zv3hYQKLf|=D8V>gf+e=wFZm<1&DLFYk-D3{8%Kga%z3@7d~j|}Z-#UD>1NMM4uG;d z&SF$2gFk=6@uXNowW@KX#8+n8+gu)Z$+iXh1X_gNkNdxPbq-U!ZR{T=aKhv$NOXrxGR>WtMKh#nxF{GKt(jB?61zdC5xW*|hU#!Ie9v=W!;8Z9^ zInZTd2g*=))Z+&Mt?khPV}l6O;M{bw_{|HfnZ(c*tfP$gpM3JRoaDL*y_^cN(FG7z zbxyi7$YBT$ zshvf&XLzrc@GVzv)-O2X)HjJEMc)A`vT@OVwK;KpL}a0R%A7@;Y_rm7_Dba;o^kvJ zHp4R38&qZCQ#JCR?(hP+I<>iW_O_NnX5*8=IY;3s6qDnjUhMy+mGTR+4GU$`21HK& zG7VTMQkQaNi`HGoCRdYt%$RO@Rm`Qe3Q9Yk$5*SJshS(IQ};0q{2y8==zi^l3O$V~ z!V7th^Y^upd4n^|zDV>0t;n}b^yb313;Ec5}Qylw;LP^yJP2#*WyxH+9V2UesDW|1_iJkSU>u~aNRSe_fXOMIpVJI@-yhqL5_R=AjvPJ36%R+f&<@5It&!>*f8 znrL}Ev;_{{L2C-&P}31 z=uBiBw4u_8 zUg1Tk>Z#jdHn)`P2?)CDUKY9|_(z)FPKZolAqpZ9Tl*f9+~`apu6 z+>ctWR|MooY1cdFiRdGCh^g?q{^DI;hQj>E_CtQ}{|KKN@V~Qu80kqlzz}GGBRy5& z+5`}+oYCC;=ZeA$6Nygrk;@YHf5w3RJBsrkbbbh~e~h8R4L^X{&gy?4zC^TVRQu}R z`(M5ffO<&wA8XYG|NklYe}w#7NBrOTt--_pFI4YvWrY3*XcE`z0xk%oHGJL&h-v&d zA_>kS12y}BKoV{kQC6+!0GSeHXd8q=-db8h4Y*;Xkj3msi?6hUBs#W+thkZyoXzO_ z9(%J}(Ed20T;~7vCPm(K-2YegGTT`Zc<{OHgW2xHYLaVrW2|K?!iMzQ3Fo* zqrcO{#SL}6!B7{t@KR2S{K^uvCUBY2$7^iYnPnI)OP075K0Q`lYm(_wlcPdGDk%52Xwvg{4*<3*dp@HhGNz%K36vPsJt zik6mXaf7~xX2dkZGOhKYBcW3LDvULYz%u-J-_Nz}=u6)YMNkRgkb&X029%zpWo2>y 
zIHM2B;K#$ST<{r}lZ%>odw<};S@a18*6}QSl(fE2SI#>6J6o~6Y1q#t|5mLG#F!oz z&|!JB4^yFSuP-jj3f#|inj2{qKbF*pqJ$FyMPKd+go>*%TORKNM~UC*Q?3~c9|c`7 zLQ-o66Dvu*Q04fhWMNyICERl>TlXOLg_OtR>oTc&y2%ES<*Q08yNcD;1O__Wcs1Cy zc~|&BfjZJKOZXfMh~DN=6Vsjmad&&({7`o5T*(Lvf~RtG56}^Q8)tARO={Qd@Vsme z8<4vkMyEN)PbP`IJ8%>=*X{hC^NLl|2LAY?qeSd%KjFM?U-rxrSKawlR!Vm#(-DG*-BDpts!Wj v(Rk&%9XJpn-xy&V$`5ZKsoFPt7#fXSI{7T~P50xyB#^Is12337IN1LJk@#8G literal 0 HcmV?d00001 
diff --git a/assets/rancher-gatekeeper/rancher-gatekeeper-103.1.0+up3.13.0.tgz b/assets/rancher-gatekeeper/rancher-gatekeeper-103.1.0+up3.13.0.tgz new file mode 100644 index 0000000000000000000000000000000000000000..7393978880fb48635d264d1a6adfc865981b5c1f GIT binary patch literal 18027 zcmX_nV{oKhv~|ph?MWsR+qP}nwr$(CZQGgHwr!)oy!Y1q`qz1OoqFojsqWruFAzjR zp#uH)0gwYx>WeAR8H!1>NV&5!8!)QS87VTGYbdg_$f~HYNUK^|=-U{%E6Lk(iy2#4 z16_8zJL0h4ldS@1c!ha9NW8e>3urc`zT8>y-&rjzpr3J2f-@&kPC_AK=a7T zsc%eo`jmq?#L%4;iA@Tq(c{=q!i7wT68~UF(b>Yq50zq$rrF|0A*NozGR63Gq%WR1 zanQQDKJ{kHl)m1$n3|rHR&Q;oa&ByNdeXM~o?Bh@tgn4RbFeOcPbNWyzshD?wkqRp zCJ+meCyF792)6qm4oHqtnXLPmdtLiw5v7%E^lnM7&_$DX-9WvO8-OQsuF66 zprNk6SdkQwe~ZxS>?g@e8eny@$w++Ldt_R0$YL6EIj^d-T}qJ*knE5pzwSU`(f&cb zq8h@8QW5ooUn0;a%YqZv$Ke*%uK2VNd&C!=AFo{S>Pl)|fb7Ex;6^cpl;nX{jMmJntHOf zK2fnHB&%hXp*AK;+76-K$dmB1L zM;tukn;#Y=hRpG4yGcOra(+)b92J|Pb@qi-s*Tbtfh8eOjoYay)*DzAbt723;PKr8YqNf`T zeJPnoB=LE`Vfe%=oFaJtD?N+o@}7HC8M|kfLGDiOXN)|ts6TdSrDxQ%EL|=l$0yf5 zX8B)pYvvJb#gf|2iQI;B@Y{26YE+JqAQ`nhO1r>sHQ~h*-R0N!iW^I%9i%6nJ+GBhm`yu~MSKHxWjK%944r$XX~T;t2mV%M zge8(m#Jk?ckN=4Y-Y1e?hK6TTX?#Dj{B!)8-91mPk`p?ruIseqAv2l#7GuFgpX)d^ zDmBJ?Kq#6I5sAuS+E`0C`3=9NFljY1720tO&ahL^b85XI%LsAR@a2EulO-9`ke%ui ztL|pdZtXo=Uw71Y({c`3s%D^nJwzC9%Z7gLl*DFbvwD0C(k{7?2_;TtMBT?YbXE{e zo>tiueCBrtM7y2^E~%+x*|hOk(kTY_p*-EmDoM{(EAlonbLmW^l6K!}9DFNl;!HtJi(030EoDD?>}c)uV|`r^<_t8iEv1-1|_` zbY=^KDp3G-YojI>MMj|Iv77_YM-mBy`i>ALtd4rQ^4utjKRXgAx84Cc#tgPXlRCK} zN7<#7SxgSE`|xm$@)vlT_oJRyU|U<~(i51fQ<&F~ZmG0W0ab@_aK*AOvx>-1sy65D z!|F=Rq8CaZ2VoWO1ChvH?Yb(jiD+opj5ZmABeZLc8=%+k4HHxlyfF$8;tLyICi4y& zu_bu)GBd0usu9leQy4j>b^b=0zY?-QDEWhVP*2kCskuQA_V+hHylzYa%)X$LF$bjn zkcoQK?s$ZbY?&;9E#?+eF`Ov-Z$nK6L$PBlc7p-=_+nrjJQ{@S9_MErGmk&|FE&Zm zL6j|+aNlq>yK~<~Msb1dU>Qw-?ZQ7zX7)vEyuaS@kBtx*MXm_(Lu*G}+v#1~@U2~V z(`@mtjGWtm+Y~5-6_^d;S(v%x1hB5njg7UMcA63^+~?-onurTvOq32@eqseq;j4Q6 zp?9(d5`2aRt(LO{V>JH56&W@gG-P!2)-^|^fz@3z+e=54xGKko|fzC2+CxPGGwE*R!0 z-;p#mfJ7wlZLA_z;DKKCMsfR7yqO2ElM;qVHiMf3(Yik78hIuBf;hy@sIFp=68vgC 
z+xOq@@SA6W5J%PS^F>BA|6t&=uj1UX`DA5jzPMLt&W9k%iv>-B`V|mO{~4cyW-1~$$Y6Xs|714E|nx%G}d?3LGUzYs0YWHC6W&(;V1i^x79#nFjnMZZZOI0#% zd`6fk1A0fya<5Wk)dj6O_k=G3rWlHQT7P701ByLnH*K01o{Qi;gC2F$?^?8jBe;b&gD=R7&O_r%cdb%Z>kN z!&dU__5(pSz)ranOfPlklO3yiv@~O7szTOpT637$~e!k8*b#vYi9Y0Zy2VGeJ0!sddX*`6YGX(~T zY9vgD5`C>&*jGWE`v9sG8sj!#FpF^!P=~3HqUYQt6X<0a&mUJ6vDf@h&VShlHSk!w zzo}YGDT)?XCyO07wLd+nm>5{AYRRbNmhkz+1C?7wTvW2mU}OSYKx&!rg=}-AiE}h8 z_O!jj3xRB^1im2XQ|p8h@U9ymTgkMr$g`0sJdig>@!&lO#lla{_HqNo-^Qu-R0x1_K2~QM`3Q*zAh1Bj-1Nh()zK z%{o{^%1$FoY3=JUHY?+J7VekMwso<2WFM^nlhhp-B`n?Yo*%{c65G=-7;AnXJ>1m3 z8Sa3Udpg{6#zXAq-G^=8tFHCw9Y8B5r{%{@r}+0qmebxtYyu0ZrZ?4`%0bd>9c=pi zStIohreU}Mas2v*$wY1sI?p}RqW4+`wg!kEFB`?N`K%P9Zx{MU350c~nPawnLoKZr zNJJ{`pDDCTN=aG~-01ott;fl39_k4Lsh8O8uVzC&uV(E@G@SEDXX$xRvh$ZoLO(W9 zj9^@%yEXwlGoYZuAb1=g)aliDgg^LdL!*Nsf$>7yNHlBrag22 zaK>K1eK$M$pb5r^!RrB~*Gos*UFQ}npIO!z%P2~~%(@f~LFQIMR468=m>TojUU21p(>9U;I!uR4 za>MJ|IA&PRnLo{QqtS$=3h;h%s7ogRf(S0ajEvQ@{HSPb>zB>jxT}HqI3w-|+GEtM z5Y_=)tfPW(Z@Jt|&{~fhgzR3YlR!y3?ya~T8gG&Vz|XBEL$MyFa_XwA@2MC@n`8&H zy1c;L1Fp7GYh9L40NO?A`}Jx=&mBcK%sjPvDZPEzxW*XrMa5==u>`Ww$gV+cT6tbM1P&3K$KdG4 zHe3T)V$?(K=emBflf`V+Bj+$M#h1g!=Kr|RTDAXiPp!yuW_Ovx&k@SFN6~YzRvd7f zmhqL<_WOBHgp)e-!9f;X;k>X-@A42K?J7Z(~e$QvRzFTutk911&xMrO+|N zqdd95ROx^5xV>p$Z8}w0i$J#AYcRct6(RUFp+)_aOUPMh8W#E?dh=+@6>~JKIpB@- z=zX)CDH}QGOL@f4--oQRAv%WpzO!~=g?0u|F|7u4Cnh~i?Vh$3YkrudI|_Ljo7Hru zWQ+#>RU=*Y>bNA%fBs&nH4?xTy%d-`7arnw+y>mZ==4xr0YyzmR{d#&P*D62VmeEG@J?AX!N`RYV->qwsa4^Lr+l$lHdh2^z z(@!{6?@qX^^;a{x!MDPqP89aUo`|XG^q?NM^>8PY68Y|@D3uKPAxsJ!=I6l3XMx$| z?x3ecOGFE$&fMe~AKFkrx1FZuOE82yvJCT`*#{bRM4)Q_K!=+e3d+UqKFF#XD8U1f zt&$rRqqq1*joA}Jfe=GA&g6qt?izVX&Ql$!(qmLZ^5*dS3mZ?x(`WqCrletDkpQH6p!i#m}A5% zxD@#fPbmRRw8^xMM!A=2QxjJH&Rsc=eZl?FbM<4kz#|Dl>`83Q4#W401 zHXIvHD+p?ooq4hX2Jcc_KUsb$HUBq_U`dWh1>uwUszQ`RK z70nPNEgNCE&9+~2m^0(NMC_}AXvymza+S=4a#nYWhsaqPc3#;7HURw zG-VA3!t^-8W3HDiE>nwqxZx}&oUoLARfjb7 z`&y>rkoPs)`WXi1T)bU!LRu&DWRHTTm#5$rS`u6Ic@#U)-^^0_=c%p&c 
z1Sr+nFW~ThIJ3#Q3ndkU21!0+bNeZg3TO;EWsUpL>$o`RvQgI=lj?)%JXSGNI603f zB`CZ*oAfa}-Cxi4fWf`-x$pk`QmcjIlwJ>8FzI>hTSG1~ielJ;T(1%chG&r&SDR8L z8;jVQ?R4|2)Y@Vj{qJ82r_`|mDBv$T<>vhzE^kv(I z?i+g31aPYJfs?>OaO?~g$dc@PBbC-f9xrXPa@57)s~V*{;Ti-TH*m}OMM?2w@MD$H z+S+@6W0i~KUknQwl#>iss7g4d@6;GjfGB<$)`iV;H)hmmX1oUFOsjXOWNaG~w}W(B zl@;RAJChtyr{;0{O$P6J^=;T|WQrp9HLXJ(|I~Pzi77q>hhwjj$&P7{!zuLIo_Tcq zC!ZN3q~sC6RR!svzcu}}i>MVk4_fV#Y4@nb$g$Gk#gJv{ZxOBKNA5Ymy61h1+$?Ct z6SnP@D}0AV(8Z~>GQtI|xW|S9%m|M-qQE=@S*I$$kUY+~ZVq*9W!0B9ClWkhFM6HQ z>uY@K*(c7)WBWPJ9W$3&jaxFO5Hk^|hO}3=t`DJAwoV2a5h(#KJQp@4<6*)O#cMCwFzFV!t-r8pAKPrm7S&Bkl(@BjMTzk6L>BA$0VYjtdD zpL|{8Q$zu(BYfHx6>U4N-A=X~eg9;1l?hMpV6F>2A0KC%f)vp!j~%wEOJ?6V7!!?c z5Z%kYxBDeFTw_eo^~#f?C5w+UBgC5J&B>L#jfpj(n|GLp^o^tS<#%;*7TN^Pd8Frc zLwXVxd$p#1!Syj&3k`)-%Xu!pRLX2!sa~{hDi)Y?)O4wSCCrxq@yM<)kBa(oGh4ei zoL5?z_Dw79V4LOz`zz!9V=t3hQYvCa&`Cc~={p;XFiVE8E>j_7T)&TLYM5rj;4NrL zFn$+MG1rX16FeDVONZB-7lImps>I|ef};I1hn+ad{4)7{xLKw`Mt=8ewX0RxjHRE9 zX3CY3Qds(PQv=mMr&_qvI9gi=MH_8wIBI^sDdS2$#kKHUrxOb!Gp>N3gPd)`VDUVY z2=;>h0WKxA>9nj3KDuN0Ia~CQeamdPW7GO&+#A+?#P zO~kXf1b?{?Lm6x*hozO~fJ0GN&HrC(*-`dPxnRF<w) zYx3shz4|J2O-YD+z7gYNe0pti9~x*q8vqnw@H|+5BU~U`#A7q}Jz7wH$*cv!&LQT= zlPGu2G>&NU`keA|H6(VFQLr>vd`sK(k&qK;kGZfALC&pVF;qOSq#k2@o} z3p7BA%8$OtBy(D-bPuP1<%t47Z}-+#H}h9-q|z>6Yv9|qxlS&xyWIS=Uf1Gith5&e zy(H_;A=hupTLC(7T9TT-iNKNe;FVetcIy=|iWT|MRfl7#^Xz+3HY|x#TFR3v6>nij z@*i`W%Sx%=oF%!9P@Q>M=QkWaeaEwa?rK#}VSsOK%gXo84Kdo8F9EnU%HMjiFK2X# z!!Y~%Rug}&`WR<8+uQv#VfWnI4uOGFQ-%?N0{czy452xTER64Ib343>hB*+_#K|@D z38Br&Gj2`2U$i(tD3c%4spUG@2V+WjU`H8ImYV{~$AzjhvmD&fVRXJ($}1`B&KjP2 zzFXZUJOzsz7I+8@!Q1T)Df!dw#Ym3t)+YR4$!({H3y>%%UNrQ~s}XkX{-Yyrl&}ySI)nSS#7?J?z*nV}X8=y)FTljK2EdW@ ztmV+R7c)qW`ABY<#k{Qd>fn!Pgz2QoAb8(naQTA_M*L}?-}`RauRVt=I#SDk54Hv8 zQ-Ich?Sj@9Kt&$#;NXb|II@|KegIewok>F~NKovQn znMY3(T^z3EgX1%;t@nkHt!$B?LzQziQ3ThK6_xW|V*ov{7jTsN<5b8f4r<2d z!)tdVu%z4K62g?QtD~a_DcsPpk)@*P?xlX%Nz!u9wv&l@@!+`cxu}BZucsIa#bq9! 
z+S3rvTn4@$dcDSNQ44df)`uUo^6CNiaE~3P;m`7!lw?Lx)60|8m&{#oE8Ih~bpoOB zrnIC9>T8PrUHtf<*H^EgEQAJ-A1q=_w&#+d`(Ee2TFpO^L+&cs|3{(E z8Sr%ArAlmQM9sQw$8gW4P%8#iKkzefbY}aTYPSA1n_gV)$xT*Jv5?I@#>FML_T_2f z{pRwx@ImboXrpkjBoYflfCQbo9S{{kgP*aJl*hb0(HdVuWb{mOwppxSi`YNo+Qt38 zIeL}}2Y9x3Uf%Skm|6${sNe;yea_Hc2}o%O8NkF6O`-$xj21o^Q3QlhBJDfw$kZ$!*=mZNg)Z0oP2-Zs zLJugkyJf8n3Q(GCMl~}H&sA4ZY29lDdLL&<0Jv}%L`4%fpTiEtMkPolb6FQ`r8C*k z#)EvbOl#`T=&zH8L1GjsM<|a13C@+H?Fx>dP`I1-^%?!?E#m-fg6H&xX<7PNc3(21}0+fWkn0-1ksqm?rw zTv$7IZ~7hlm$66&os*VZjn4l`N3mNi`)VM9j60)P$>Lvg&h^l)3F)^~U|syK{I z^~c%|%ZMH|jlmY)o25EYkEabs1GVXqFP1>7M8IXI5Ev`Yze4zq)R5HAit2L9k{3Lp z47q=4QrQVlw{9z+XJM!tid1u~iqR~OZRY*0xTjq5I-6aI{BGc8{1plS$-{TfVSG<( zM`gZZ-WV z%7W)Os2IdjZd%ksADd>0T^=ck^ksO)sfhHh z(+HPmpaag=k?KrF`!aCAEzhZ@u%4qZ)!O@M$Ht7%N#Y{E)anN{vGclSGF{s}GZCC# zXqxIxCb_73+K*>Jx6~+0=O6P|G#$TjcXpSl=r!192z9FM4CB`?S8MS$Cl(nwX91UP z-#rs;DwY``)Gu}qHMVQyGrIlv7&HS*E1{4cqskB7q&jvNwDS~FA5JLfGhxL-R$Z1V-(Ae_Z+gEnFA`K5~UvCGqEE_6nRka?& zQP5abTMiE^qhSb#T=)>Xx_WMTn0bUNYXyoH6sbKZX2VF(#mFig)o%qj#JiL7 zE-^ur-6h7{qo4mqID!)VKay3C&knW3SUu|Od#mpGBicCXjWr=svYCesUcT}1?aCQ`@C$|tI22eZQF_oGU zDlOLi-5@Y|A0*X(rrzwkU96iKGoG>25Yf$}zWugXCrDy@p~o?tB4rx`Ur**{@9bWFk^cP^_U{*z{AGBBw8 z?TLyiC$G3(Pm0=sb*-dzb5k*X29kX-7A?&gOIj6uBn8$HXOeGJU9Ts-JNGD1a})1( zTvebl^H5gX#qAe|T)weKnpqjjr>m`v1HPc?Uw3|TxHdos=O_h!qxD^6C=pHdTGW7p z=)@4y&X@z+j&alE-#8{QIWy{d(ryWZHpvY%UN#>} zFZ<1}Q$lClft1)F*L>rjd(aMJcWG#Zdupv^NTVUS5NHfZt5UBShC1k&-Lz1lB-oQg z83xOhlxnustPC2V`0rRM_2kXb|N{at&X+w zq2|TjqoLtxqe&HUcwNCccDf8olc8uz-pd zo$J>PkC3Z-X6jVaHR_pqjhZI)9F`HRl7HD)*qq=WW6I7GrO}-qOp4!z%+%zW`DWi} zLVOROfSW6{FMv(=IhE(<%wKU?s$?7qH*|fN8KM!HM9hpvnzgA#oX(DF=KS(+z$d#? 
z-qV5TLHKqc0JAR00?S1VXc!X*;b?qtTMCzP|#kE;If7DJ+YFu8Ek)7p_OQ0qOfkCRK^P`g~Jw>hL(4%CFQpS}?t;frU+&M@; zTlWD+II{_g*O}cAbUVfmbR`%8{UQGD!>BnjO~^JgMr_L6Z~&<0JGK)gkoruV|IT@y z5ZU@{0S5G)2#Mv7g;X=H6q>&Bnj>*HX~`;V87!>9`R$Jb+g~chS+mW%{;ng<2tOKQ z8znN)kSXJvT!Ne2T0vuuCkUrYx0Zf7hM)Pc-%0A>SmFd2BI&Mu06t%JX*q{qbv0|3 z-*Y>~TkXFwXk-S%p5za=!H0>SnI&bpKp#yN&lEmfiSx{jl*qTZ{%tp8Qkp!tYa9T@ zLuKTOu3{Gz-DxO--$O~)ZGRP8=mAc(J*K3fLz*K(3lsn7gVb>-?4Alus{7R!5MG)1 zyv)3Q^sM+Ef4j0ghEyX}rx{YxcJ;pyXll~7x=7yea?q}P0B8~bd4YGIg)!y`{5h)V zAA0RYC)<(;Kkkm}O}elHgBFV@iK^ebB|1K8>Mp?6E7wI9T}a}tF6^FP0!B-ZK(HR( z6`d2cANU97SDSgFW#vrA9E^@nFHEen1If5TKP-!8Kc#1whLw4#XO?y_YLo39h? z5;iuU_A3vLiayszOZJWu#H^t{+{d0AAzI6SQS%)c?Yym%F5*-xW(jyrWnA$SQnNMn zl5R#0hP4~ZUrvHd&yl&m#bx1iF?c{Jy%&mPs>KtkNQq}~QNS!Lf<(O`Mr!4r( z1%I|yr_8%$bfvQ#pZPwwJm25%RCiZzHU9_JQP>0&3}nE?AWW9_tb)iNQIO4p%e>Pl z*P}^q-G#uyh-0u)L5842k$(MIW{rh~#{7CA)cv*a6ZDviOLN@1s zjBD2Quim$k@7fPKY?}%|TdsisYh%Pa8Jo0$+zQQ{+Z?*7{ef_2tPBqAx&tn&&ZqCs z$uRbV{(@|GbE8JLJn5~NB_b9|E58VM^&3D8jYu$iDqB~G9!Vs3rg{@m(#d^QR%&d;zhTtCRHtZirVs|-Ijop%Fi(5m=Cw;m9S@Ur8> z)>S^mYYVWwx$L2O_g!1xI;;8uY>9j9-xx=~Lc(Z1)_lQ9vW?IOx;ph?N9)vL&{3ck zR!&J;SPO_R!w%#)4m&jo$DZ%g};`5Dyn_d04!bWVBHHbX6Vhz&?;-k8f0Bk2?J2R3mK-@$Xb7zZb^S@8D{0i#zBWV(0@S#z zW2XZcVJK@eGix+6%tPQvA{UZP{(D$-VrW#Htyk0wmzIubZ$u+pQOxPtU=I1q zOoHFEjSt(PBaTPg=|c z5H_itXd%se*-E-)#Uc=#T>j$FAVCIhaUmcPGuX#NaERax%Wb79)30MH#v{s+hf@;O z#dqj=84;&{$*xj;yT@6i&`Q+6x;XAA=C7@T$2k?r0*vUPe@L;94Wm&RApOMz@J{uG zndHa4|BR&NAusfUJu~ollLC1{4fF}beDY4fAd-zm+vBWZvxpwm=*!KD^bCXk<}>ZOtywa=MQC|B8#M_yeP zGL2Wuc?Ld0Ett$RXN;Q|LI#Z{!|cc=%_HX)(x-lR^}RfzXW?^ZS|+`Edrr`{^@Qj! zXv^hEi(ux%x8ANsG96Z0E}E*cD5xQ;Mh5}C(kk3&bMALLXUM$p_i?caGc_jj zd?qv;nfX?4+1SooKP!W$&skbhf#8m_V3j_E`YfttEBg1c-AVq^Y$!5L{!`q;W)WZsnuIFG zAQsdgm=^py00|z&dQPfrC#r?b-?#C*@Ps0D>9)`HS^-k)z#pMWBv?yh`9om(Ob*U2 z8WIL7tFe%o#!fqJ9c9vgqN zrvLpwG{*P<#dNQ~8E$#Yf!D*FpPd@Vmku0Z8RB9^YQm(B2j#z|s*I%J&l325mJ=p! 
zbQu3rm52@E?-CX?E;RSJ>^f*5Ps7FEYzR1$y$N|$GY)NUs=^4~P^GIzr=YrMx5I!b zQ62~~R-|L+YLf(Cpx7O3$bq#4UzjQ>R-m)Le2fA{h*d1#D?mu+;xA|?Vsrgh0CyuL zgyeq|V$W-OKHa;5v}Cb)kAu}@Ib=Zjuy5}@W_vHTc{!70 zofQOkm zAs5*Nj-@$f>F$7`GR5({f;px)mzvaYTU^Lo?AKRX@u-gmg?K|OWMnxe#u8l(E(O(9 zdtF+Dy*=DPg#N()ZFh72dE6bG&w>5fw}L&w{&SuvqMAKC$A5I%R?C0TIg-?1lNy?& zXc()V%T%Cg!w^!{)kY3lL6GxxOO5lPS(kQV0r~5XO-*ieqoFQHUOBkX!G;2OBxb=d zxI*D^X|*9_=IPh4Jou9@K1qcCn5EQ6*b_zq!KD}RUX_o;DgzKC zU1_My3alCO;#Wz;OGMKO&`KDc$ca%_)E;!5zp$UU z28tanBTaM}mV5Np@a;9Xwt%gt`Ym7WW^Gn9f*hTORGTAo?p%4j*s+w@BpQiPSBMch z^-tGzCVya5Ys)v5o-nGfSvl5Anq5G-e<^Uw+v6kS8^#b35_4vSidvi=C{wxg&0TGG< zW%&IbjGaez9|HkQh>vK|z@%wDdxF%Z-)NqG$}a|XF8WG~8jo1MWi^Fz;WwxWTBT~A zupBp{t^U*$~>2@BtKveH%LS&_AfctAFeW$Cf~F`ncL2&Y$y36UF?~5`5IDE{R@tzU;I6LK?^8^KuXO$R`VOC5MtwM!afR70dYcOaLHoWwr&kl+gYZ<^+Xa z4n32hCN|c*`S=?tA^IY%QYV1?LcIbTq&8JG7vjg9=M@b~I!JizJ`W&_hmI(K?K`n3 zA0O&aIm3D|KX5uxyo}26uzr0#d(i*M_v{AzMT|nkqZlGI0HsrY)TaFemvobHD>v(j zgOF8%q{pMf-`#NPZ(ek}J-Pen*o8+x4I2pHRk*;324X3yY?e>>#U|2kw(d-1qQ91| z5e7*XUbJ2gT)4Qu8ua^5$Mm|QbvzJgiT)&1^7P(%H%xizxUj}kO(moaL4#6tg#hdY zVR&(K%O3ThKvu?vpUQ3f8tq)BV%eU%VU`p{qjTyb( z?{xqGKAtZJn|UCLECunSMD!fE(B&^jW)8M(08qHxilmUBA}KEJ7qr7rdJ73Le%)q>TQlwnQaAdJO=E2R_d&!HMbM7otxiZQvcWCs%Zg>Jjqu*za^}` zwxLaKBXgYah8H~h&0w9$HOvVl86jIx4}pSRrbD9ucUwW)1Q%AUvd*1^hfor2fg4Fi z9LI-z9`iZ3JUGajJja?v4&SkrmU)hog5|ZTN5KVl)qQ?%?E|awhDsM@u(4$G^rmQV zF1G)PSIIl!GqjyZ{S9MgNc+J@v1-{KFI(~K7g;Bk*`|2Nt_(dNG84qgG`sxX zcni%|7-*nj|9HAgfCQ~NJ{lrtdr2BIvW80_Yzx) zi!LUP!{G(wg}`@?6HD`KNudLz^Q=^<3oa4|UR)GHsKU^5rE2LO+C4id;?Fw`AQrzM z0Sa9CE{zec^ONWrECBnXq0d#D)ca4z5EnZ%U;|R^58O|D9gPC5Gjj7|z;zQPrOMc) z>t>z?Wp&d_SuqIEu$BH=IC5d-HL!#%sU;>7O!y?cm6F|ZEd4jalQ141tGR6*2Q^mE zhqNB@rB%Ay2(b!uyRzU;O(D11`F!14=(k?& zp#-iK$iNzX0@e?Xg%pYF#cUHr&;mz>%icB1P9ci1WT!Iqwqu)oJyMIw;$m!^}IQPbg=!h z(i&LOvc$O!{j&REo}7f<$hKl5?7v~^_4jL3H&vC7V-wu}bdp+ESArgC4QBjRQkw^8 zf#*EyXrN^Az5a`p+Ei2o)K*b4^a1Qj8AwRgfkytPVF>pqH;UiY8okjzj}1YRr__TV 
z%j9l|@z6Da5UPEks!tYq{S62F+GtI1g9-{9vZBFoUvzx=!0>iq=6?Rg;HY%x$0e%3lYa`{88sAlGC3d5JjT$s45pkh8TJlR5057C78+V4O-8NqJP`oPJ~n`YM$RSe*s zZ*+}U=$(_IPE)fQcyg5T2kmw@>;Ra(Rv>f|IHZ0hN_(7{B<;VuGZ63@Qs89Cg0sOh z3U~MmgZ7U3pRIZT?4nZp>Og$LC{JS~FfPJ_B_e{C?z)~Kj!X8IaDl3-fcxLyNBCcX zuatZH`Zy#hcX=*$J6LyKSlXix-KB0l8HCkHQ?CDE_qhn!IaZN<(0pGkl#aDQr^mi= zL?Psjvg)6-CL1M}^dGL+&ajXp$QlvByRop5pCM@-LARSOSvCoG$+6L=EW+bv3r*&= zre7+WdYb6h=s9m?a!RIbQAj!?q|XMMMm6fC_P}`9UwJ4fswmG6I_-k8woyMr;#6%F zHBxHU+_X_pfl%DYw>?%Zc0t@pXW(Fco@ZZRQkd0;(|L!DV(9Vsp~1)*j5{jwLHn{WyNnBgpUQs^HiCr6SvoP`;(LS(sRbCzBF2u#3qP&>D=TrTa!R@3rr={14T(lbl9j9 zbH;c1t+y25y{b(!vQxxojAnv6Y}4)ssd`KqlJv5zG)i8ieooY@J?@{nQ(uMDFFWxV zGrY@x)k?{JYkq^_lwJ8^Rh*P^_7%_{xNfWJu-mv@&!(kTUrO2j1L5q@Uc!G0rxvQ0 zYZBzt3!LaN2Vr2R6sla6rV@g#9yP`b8h;x>f|KN`;)d@Tz<0yc+r;E*a9^{4wDEPS zO6c~GJdpC!%O>gCrP6GMASguM8501J(K4Oae^()0fHQ zl2gQQa2s#^{wif)PDT3Td;?`$e&^kL&5Hd_7r5EL9s-q#kiF#cy7M0a&F|LMIWtq+ z)k35^Q*wQfriFc zH=8l;U|nBTv1Xsat_Q)DvC^xe1gaJI_b7D}gU`V8>V`;<`W-+d1iEzLv73S4#i?NG z-=b^+>UN`?I3laL^wYyayFShD@A}L#zIB8Kk*I2lutg`^OZ8t2H!8xKVBj z^Q?7JsD9a8$wft|E9b|!viKe7J|ol|^nKL-pm6aVE;mM0l)4)&0~vWIzjiNCKs0kL z%LQ5@w(jW7 zrJ_we4HC~H3og2sE_R5@)I8Wa|88`Px%z%c+~X7%;UChWYbD2&y|j>;nHK?!p9UwI zRCe!Ud8RSwYAqdrradHbl=Rz#d7)@F&v0K5i8n(Qh|Lj>;wOPuc}ud^2uI^qpeldfP}ntQ zAsJlgmPgn$t#jLrpKc;?M1v9LEw7I#j$0g~aE#mI@Fv>mbUK}vySw_|PN!4+_vP-^ z-cMV*yRUY(w|DnmZvWKT+S}RN{RuiZ(fGWS2#NSloolyM9NdzmCva>q06rb;qM8_G2R>_b-CQs?FldU zxx@CxuX;0ZtivMmv1P?5jM!NkIeUa%Oxz8#e^m}kIDAnXF6)}bdfhj@743)3$#(mE z6Vpu=BfBM351+TybYM3dCNiZk&9NwAXKH%}Y#cL+sTAEtqg9wr?}=l}J#j3RAp($l z>5A!)P#eXAvk3`R6E@GR#gI+ZF-C2SU@xS&eIg**`Znvyw9=j<)zTN=6GQ5@$t!Nj zcQ$Q#O^}&5HOrU=coPKy7NUg`IimW%e{ZI>wz68q=98@5w192ud1}sShM?IZLM7$_ zj-}9%?z67CU@k^HXE^)~Nc00rU>rgmVTl1{fpSQ$_I9HMUv!+?g^~7&wkCKEE!c+` zbHYLrxMvE3+z7Hu0vaN<06N!2<2Or6uxP_Ry#RbpgkF!d$9iZc{44g*P zai~@_iw~^_mOaIT&v+cG3Kkz`_9U+*Z6(5t+Wj~p7pXOU5mZvW&|M~5Q@!~ z5y1$LkzU$kJY*2DAqg}u?M7$chFc3?_d488X#c|7Gf%}#)U|AQVc#Mc;IlMDZdI=# 
zF!B1+#VgF{btclzU-rSwV4=mTX=AZwJ-tA?BNB`NIct@`uQXjBVLdU#ainI}5ruKA zH;0{Zbyv}Cg=&70%I_1JUUw_zNc7+tY2!AWsg9}+rd2)HYwN+}%VtAlu2&hfWY6c* zdKW4k7kDC%=%*RShx>0o9JV#T_h&rhD70LhM=&Q_?d`q)*=U?d#P#+gw3NL8UyfLq z*`XiVjXRS%28?RLwdqvqn=uPp?uSK|&F3&e6AXQf6-^tn2@Xw!Wi<$|ANxn|+KtA( zFcd9`TdQOT^Ky?6o77*`XBV8F2$xxJtUipn$L_S*9eb*yp$h-1L#vAO0* zrbwPz7j^q3v=v7va6Q0={-vAljK~r6h7s$ds2w0FBixQf?5^EC5LnCC-1U(RfJhi2 zVWuPIctThrqKmYkmN&E;jeo(57ay6#-4`z!|AKeaZ`DTs+WXu`N5SAx)Cgu#r?RNtL7*mAE2aKVyv>Mj(k;^~ zs}ZMr#|2T;SkmY06jKmV5fwFI`NI@M5{%5`4iYXEN2%*zar(AbH$j;M{c7u(?J%{t z*xM)!VFR!X+Rxi+rqa3MW`zX|u>>KL;M5%IM3|m!Ky3P~NTDL{s*8@rReRDWBW^Nu zy}1!vt#7;0_%miy;hv@ovk+M__sBw~tfC&V!JP{9^53%&sW5(oqCvLx9h+hfF(Pu2 z-CdWA@tVW@j6Ud1sr_fD5(-a>6fBMEejO5)p1zyU-AU8OifV*yIGVE(14rde#B)(e z;j=YQ7bowDRwI+%z&fTpK7;B}>O;w#H@N~Q644OxP~6asdY#s3oz`hN(*GX-0RR85 K{XV_`tO5Xy8hFP5 literal 0 HcmV?d00001 diff --git a/charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/Chart.yaml b/charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/Chart.yaml new file mode 100644 index 000000000..2bca8f583 --- /dev/null +++ b/charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/Chart.yaml @@ -0,0 +1,10 @@ +annotations: + catalog.cattle.io/certified: rancher + catalog.cattle.io/hidden: "true" + catalog.cattle.io/namespace: cattle-gatekeeper-system + catalog.cattle.io/release-name: rancher-gatekeeper-crd +apiVersion: v1 +description: Installs the CRDs for rancher-gatekeeper. +name: rancher-gatekeeper-crd +type: application +version: 103.1.0+up3.13.0 diff --git a/charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/README.md b/charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/README.md new file mode 100644 index 000000000..26079c833 --- /dev/null +++ b/charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/README.md @@ -0,0 +1,2 @@ +# rancher-gatekeeper-crd +A Rancher chart that installs the CRDs used by rancher-gatekeeper. 
diff --git a/charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/crd-manifest/assign-customresourcedefinition.yaml b/charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/crd-manifest/assign-customresourcedefinition.yaml
new file mode 100644
index 000000000..0221a1948
--- /dev/null
+++ b/charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/crd-manifest/assign-customresourcedefinition.yaml
@@ -0,0 +1,757 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.10.0 + labels: + gatekeeper.sh/system: "yes" + name: assign.mutations.gatekeeper.sh +spec: + group: mutations.gatekeeper.sh + names: + kind: Assign + listKind: AssignList + plural: assign + singular: assign + preserveUnknownFields: false + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: Assign is the Schema for the assign API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + properties: + name: + maxLength: 63 + type: string + type: object + spec: + description: AssignSpec defines the desired state of Assign. + properties: + applyTo: + description: ApplyTo lists the specific groups, versions and kinds a mutation will be applied to. This is necessary because every mutation implies part of an object schema and object schemas are associated with specific GVKs. + items: + description: ApplyTo determines what GVKs items the mutation should apply to. Globs are not allowed. 
+ properties: + groups: + items: + type: string + type: array + kinds: + items: + type: string + type: array + versions: + items: + type: string + type: array + type: object + type: array + location: + description: 'Location describes the path to be mutated, for example: `spec.containers[name: main]`.' + type: string + match: + description: Match allows the user to limit which resources get mutated. Individual match criteria are AND-ed together. An undefined match criteria matches everything. + properties: + excludedNamespaces: + description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + items: + description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + kinds: + items: + description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope. + properties: + apiGroups: + description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required. + items: + type: string + type: array + kinds: + items: + type: string + type: array + type: object + type: array + labelSelector: + description: 'LabelSelector is the combination of two optional fields: `matchLabels` and `matchExpressions`. 
These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector.' + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + name: + description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' 
+ pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + namespaceSelector: + description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + items: + description: 'A string that supports globbing at its front or end. 
Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + scope: + description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) + type: string + source: + description: Source determines whether generated or original resources are matched. Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of `Generated` will only match generated resources, while `Original` will only match regular resources. + enum: + - All + - Generated + - Original + type: string + type: object + parameters: + description: Parameters define the behavior of the mutator. + properties: + assign: + description: Assign.value holds the value to be assigned + properties: + externalData: + description: ExternalData describes the external data provider to be used for mutation. + properties: + dataSource: + default: ValueAtLocation + description: DataSource specifies where to extract the data that will be sent to the external data provider as parameters. + enum: + - ValueAtLocation + - Username + type: string + default: + description: Default specifies the default value to use when the external data provider returns an error and the failure policy is set to "UseDefault". + type: string + failurePolicy: + default: Fail + description: FailurePolicy specifies the policy to apply when the external data provider returns an error. + enum: + - UseDefault + - Ignore + - Fail + type: string + provider: + description: Provider is the name of the external data provider. + type: string + type: object + fromMetadata: + description: FromMetadata assigns a value from the specified metadata field. + properties: + field: + description: Field specifies which metadata field provides the assigned value. 
Valid fields are `namespace` and `name`. + type: string + type: object + value: + description: Value is a constant value that will be assigned to `location` + x-kubernetes-preserve-unknown-fields: true + type: object + pathTests: + items: + description: "PathTest allows the user to customize how the mutation works if parent paths are missing. It traverses the list in order. All sub paths are tested against the provided condition, if the test fails, the mutation is not applied. All `subPath` entries must be a prefix of `location`. Any glob characters will take on the same value as was used to expand the matching glob in `location`. \n Available Tests: * MustExist - the path must exist or do not mutate * MustNotExist - the path must not exist or do not mutate." + properties: + condition: + description: Condition describes whether the path either MustExist or MustNotExist in the original object + enum: + - MustExist + - MustNotExist + type: string + subPath: + type: string + type: object + type: array + type: object + type: object + status: + description: AssignStatus defines the observed state of Assign. + properties: + byPod: + items: + description: MutatorPodStatusStatus defines the observed state of MutatorPodStatus. + properties: + enforced: + type: boolean + errors: + items: + description: MutatorError represents a single error caught while adding a mutator to a system. + properties: + message: + type: string + type: + description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type. 
+ type: string + required: + - message + type: object + type: array + id: + type: string + mutatorUID: + description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch + type: string + observedGeneration: + format: int64 + type: integer + operations: + items: + type: string + type: array + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: + status: {} + - name: v1alpha1 + schema: + openAPIV3Schema: + description: Assign is the Schema for the assign API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: AssignSpec defines the desired state of Assign. + properties: + applyTo: + description: ApplyTo lists the specific groups, versions and kinds a mutation will be applied to. This is necessary because every mutation implies part of an object schema and object schemas are associated with specific GVKs. + items: + description: ApplyTo determines what GVKs items the mutation should apply to. Globs are not allowed. 
+ properties: + groups: + items: + type: string + type: array + kinds: + items: + type: string + type: array + versions: + items: + type: string + type: array + type: object + type: array + location: + description: 'Location describes the path to be mutated, for example: `spec.containers[name: main]`.' + type: string + match: + description: Match allows the user to limit which resources get mutated. Individual match criteria are AND-ed together. An undefined match criteria matches everything. + properties: + excludedNamespaces: + description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + items: + description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + kinds: + items: + description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope. + properties: + apiGroups: + description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required. + items: + type: string + type: array + kinds: + items: + type: string + type: array + type: object + type: array + labelSelector: + description: 'LabelSelector is the combination of two optional fields: `matchLabels` and `matchExpressions`. 
These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector.' + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + name: + description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' 
+ pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + namespaceSelector: + description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + items: + description: 'A string that supports globbing at its front or end. 
Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + scope: + description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) + type: string + source: + description: Source determines whether generated or original resources are matched. Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of `Generated` will only match generated resources, while `Original` will only match regular resources. + enum: + - All + - Generated + - Original + type: string + type: object + parameters: + description: Parameters define the behavior of the mutator. + properties: + assign: + description: Assign.value holds the value to be assigned + properties: + externalData: + description: ExternalData describes the external data provider to be used for mutation. + properties: + dataSource: + default: ValueAtLocation + description: DataSource specifies where to extract the data that will be sent to the external data provider as parameters. + enum: + - ValueAtLocation + - Username + type: string + default: + description: Default specifies the default value to use when the external data provider returns an error and the failure policy is set to "UseDefault". + type: string + failurePolicy: + default: Fail + description: FailurePolicy specifies the policy to apply when the external data provider returns an error. + enum: + - UseDefault + - Ignore + - Fail + type: string + provider: + description: Provider is the name of the external data provider. + type: string + type: object + fromMetadata: + description: FromMetadata assigns a value from the specified metadata field. + properties: + field: + description: Field specifies which metadata field provides the assigned value. 
Valid fields are `namespace` and `name`. + type: string + type: object + value: + description: Value is a constant value that will be assigned to `location` + x-kubernetes-preserve-unknown-fields: true + type: object + pathTests: + items: + description: "PathTest allows the user to customize how the mutation works if parent paths are missing. It traverses the list in order. All sub paths are tested against the provided condition, if the test fails, the mutation is not applied. All `subPath` entries must be a prefix of `location`. Any glob characters will take on the same value as was used to expand the matching glob in `location`. \n Available Tests: * MustExist - the path must exist or do not mutate * MustNotExist - the path must not exist or do not mutate." + properties: + condition: + description: Condition describes whether the path either MustExist or MustNotExist in the original object + enum: + - MustExist + - MustNotExist + type: string + subPath: + type: string + type: object + type: array + type: object + type: object + status: + description: AssignStatus defines the observed state of Assign. + properties: + byPod: + items: + description: MutatorPodStatusStatus defines the observed state of MutatorPodStatus. + properties: + enforced: + type: boolean + errors: + items: + description: MutatorError represents a single error caught while adding a mutator to a system. + properties: + message: + type: string + type: + description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type. 
+ type: string + required: + - message + type: object + type: array + id: + type: string + mutatorUID: + description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch + type: string + observedGeneration: + format: int64 + type: integer + operations: + items: + type: string + type: array + type: object + type: array + type: object + type: object + served: true + storage: false + subresources: + status: {} + - name: v1beta1 + schema: + openAPIV3Schema: + description: Assign is the Schema for the assign API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: AssignSpec defines the desired state of Assign. + properties: + applyTo: + description: ApplyTo lists the specific groups, versions and kinds a mutation will be applied to. This is necessary because every mutation implies part of an object schema and object schemas are associated with specific GVKs. + items: + description: ApplyTo determines what GVKs items the mutation should apply to. Globs are not allowed. 
+ properties: + groups: + items: + type: string + type: array + kinds: + items: + type: string + type: array + versions: + items: + type: string + type: array + type: object + type: array + location: + description: 'Location describes the path to be mutated, for example: `spec.containers[name: main]`.' + type: string + match: + description: Match allows the user to limit which resources get mutated. Individual match criteria are AND-ed together. An undefined match criteria matches everything. + properties: + excludedNamespaces: + description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + items: + description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + kinds: + items: + description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope. + properties: + apiGroups: + description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required. + items: + type: string + type: array + kinds: + items: + type: string + type: array + type: object + type: array + labelSelector: + description: 'LabelSelector is the combination of two optional fields: `matchLabels` and `matchExpressions`. 
These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector.' + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + name: + description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' 
+ pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + namespaceSelector: + description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + items: + description: 'A string that supports globbing at its front or end. 
Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + scope: + description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) + type: string + source: + description: Source determines whether generated or original resources are matched. Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of `Generated` will only match generated resources, while `Original` will only match regular resources. + enum: + - All + - Generated + - Original + type: string + type: object + parameters: + description: Parameters define the behavior of the mutator. + properties: + assign: + description: Assign.value holds the value to be assigned + properties: + externalData: + description: ExternalData describes the external data provider to be used for mutation. + properties: + dataSource: + default: ValueAtLocation + description: DataSource specifies where to extract the data that will be sent to the external data provider as parameters. + enum: + - ValueAtLocation + - Username + type: string + default: + description: Default specifies the default value to use when the external data provider returns an error and the failure policy is set to "UseDefault". + type: string + failurePolicy: + default: Fail + description: FailurePolicy specifies the policy to apply when the external data provider returns an error. + enum: + - UseDefault + - Ignore + - Fail + type: string + provider: + description: Provider is the name of the external data provider. + type: string + type: object + fromMetadata: + description: FromMetadata assigns a value from the specified metadata field. + properties: + field: + description: Field specifies which metadata field provides the assigned value. 
Valid fields are `namespace` and `name`. + type: string + type: object + value: + description: Value is a constant value that will be assigned to `location` + x-kubernetes-preserve-unknown-fields: true + type: object + pathTests: + items: + description: "PathTest allows the user to customize how the mutation works if parent paths are missing. It traverses the list in order. All sub paths are tested against the provided condition, if the test fails, the mutation is not applied. All `subPath` entries must be a prefix of `location`. Any glob characters will take on the same value as was used to expand the matching glob in `location`. \n Available Tests: * MustExist - the path must exist or do not mutate * MustNotExist - the path must not exist or do not mutate." + properties: + condition: + description: Condition describes whether the path either MustExist or MustNotExist in the original object + enum: + - MustExist + - MustNotExist + type: string + subPath: + type: string + type: object + type: array + type: object + type: object + status: + description: AssignStatus defines the observed state of Assign. + properties: + byPod: + items: + description: MutatorPodStatusStatus defines the observed state of MutatorPodStatus. + properties: + enforced: + type: boolean + errors: + items: + description: MutatorError represents a single error caught while adding a mutator to a system. + properties: + message: + type: string + type: + description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type. 
+ type: string + required: + - message + type: object + type: array + id: + type: string + mutatorUID: + description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch + type: string + observedGeneration: + format: int64 + type: integer + operations: + items: + type: string + type: array + type: object + type: array + type: object + type: object + served: true + storage: false + subresources: + status: {} diff --git a/charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/crd-manifest/assignimage-customresourcedefinition.yaml b/charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/crd-manifest/assignimage-customresourcedefinition.yaml new file mode 100644 index 000000000..197f2f179 --- /dev/null +++ b/charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/crd-manifest/assignimage-customresourcedefinition.yaml 
@@ -0,0 +1,237 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.10.0 + labels: + gatekeeper.sh/system: "yes" + name: assignimage.mutations.gatekeeper.sh +spec: + group: mutations.gatekeeper.sh + names: + kind: AssignImage + listKind: AssignImageList + plural: assignimage + singular: assignimage + preserveUnknownFields: false + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: AssignImage is the Schema for the assignimage API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + properties: + name: + maxLength: 63 + type: string + type: object + spec: + description: AssignImageSpec defines the desired state of AssignImage. + properties: + applyTo: + description: ApplyTo lists the specific groups, versions and kinds a mutation will be applied to. This is necessary because every mutation implies part of an object schema and object schemas are associated with specific GVKs. + items: + description: ApplyTo determines what GVKs items the mutation should apply to. Globs are not allowed. 
+ properties: + groups: + items: + type: string + type: array + kinds: + items: + type: string + type: array + versions: + items: + type: string + type: array + type: object + type: array + location: + description: 'Location describes the path to be mutated, for example: `spec.containers[name: main].image`.' + type: string + match: + description: Match allows the user to limit which resources get mutated. Individual match criteria are AND-ed together. An undefined match criteria matches everything. + properties: + excludedNamespaces: + description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + items: + description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + kinds: + items: + description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope. + properties: + apiGroups: + description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required. + items: + type: string + type: array + kinds: + items: + type: string + type: array + type: object + type: array + labelSelector: + description: 'LabelSelector is the combination of two optional fields: `matchLabels` and `matchExpressions`. 
These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector.' + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + name: + description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' 
+ pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + namespaceSelector: + description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + items: + description: 'A string that supports globbing at its front or end. 
Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + scope: + description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) + type: string + source: + description: Source determines whether generated or original resources are matched. Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of `Generated` will only match generated resources, while `Original` will only match regular resources. + enum: + - All + - Generated + - Original + type: string + type: object + parameters: + description: Parameters define the behavior of the mutator. + properties: + assignDomain: + description: AssignDomain sets the domain component on an image string. The trailing slash should not be included. + type: string + assignPath: + description: AssignPath sets the domain component on an image string. + type: string + assignTag: + description: AssignImage sets the image component on an image string. It must start with a `:` or `@`. + type: string + pathTests: + items: + description: "PathTest allows the user to customize how the mutation works if parent paths are missing. It traverses the list in order. All sub paths are tested against the provided condition, if the test fails, the mutation is not applied. All `subPath` entries must be a prefix of `location`. Any glob characters will take on the same value as was used to expand the matching glob in `location`. \n Available Tests: * MustExist - the path must exist or do not mutate * MustNotExist - the path must not exist or do not mutate." 
+ properties: + condition: + description: Condition describes whether the path either MustExist or MustNotExist in the original object + enum: + - MustExist + - MustNotExist + type: string + subPath: + type: string + type: object + type: array + type: object + type: object + status: + description: AssignImageStatus defines the observed state of AssignImage. + properties: + byPod: + items: + description: MutatorPodStatusStatus defines the observed state of MutatorPodStatus. + properties: + enforced: + type: boolean + errors: + items: + description: MutatorError represents a single error caught while adding a mutator to a system. + properties: + message: + type: string + type: + description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type. + type: string + required: + - message + type: object + type: array + id: + type: string + mutatorUID: + description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch + type: string + observedGeneration: + format: int64 + type: integer + operations: + items: + type: string + type: array + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/crd-manifest/assignmetadata-customresourcedefinition.yaml b/charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/crd-manifest/assignmetadata-customresourcedefinition.yaml new file mode 100644 index 000000000..65c17ed3a --- /dev/null +++ b/charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/crd-manifest/assignmetadata-customresourcedefinition.yaml 
@@ -0,0 +1,655 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.10.0 + labels: + gatekeeper.sh/system: "yes" + name: assignmetadata.mutations.gatekeeper.sh +spec: + group: mutations.gatekeeper.sh + names: + kind: AssignMetadata + listKind: AssignMetadataList + plural: assignmetadata + singular: assignmetadata + preserveUnknownFields: false + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: AssignMetadata is the Schema for the assignmetadata API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + properties: + name: + maxLength: 63 + type: string + type: object + spec: + description: AssignMetadataSpec defines the desired state of AssignMetadata. + properties: + location: + type: string + match: + description: Match selects which objects are in scope. + properties: + excludedNamespaces: + description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' 
+ items: + description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + kinds: + items: + description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope. + properties: + apiGroups: + description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required. + items: + type: string + type: array + kinds: + items: + type: string + type: array + type: object + type: array + labelSelector: + description: 'LabelSelector is the combination of two optional fields: `matchLabels` and `matchExpressions`. These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector.' + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. 
If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + name: + description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + namespaceSelector: + description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + items: + description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + scope: + description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) + type: string + source: + description: Source determines whether generated or original resources are matched. Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of `Generated` will only match generated resources, while `Original` will only match regular resources. + enum: + - All + - Generated + - Original + type: string + type: object + parameters: + properties: + assign: + description: Assign.value holds the value to be assigned + properties: + externalData: + description: ExternalData describes the external data provider to be used for mutation. 
+ properties: + dataSource: + default: ValueAtLocation + description: DataSource specifies where to extract the data that will be sent to the external data provider as parameters. + enum: + - ValueAtLocation + - Username + type: string + default: + description: Default specifies the default value to use when the external data provider returns an error and the failure policy is set to "UseDefault". + type: string + failurePolicy: + default: Fail + description: FailurePolicy specifies the policy to apply when the external data provider returns an error. + enum: + - UseDefault + - Ignore + - Fail + type: string + provider: + description: Provider is the name of the external data provider. + type: string + type: object + fromMetadata: + description: FromMetadata assigns a value from the specified metadata field. + properties: + field: + description: Field specifies which metadata field provides the assigned value. Valid fields are `namespace` and `name`. + type: string + type: object + value: + description: Value is a constant value that will be assigned to `location` + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: object + status: + description: AssignMetadataStatus defines the observed state of AssignMetadata. + properties: + byPod: + description: 'INSERT ADDITIONAL STATUS FIELD - define observed state of cluster Important: Run "make" to regenerate code after modifying this file' + items: + description: MutatorPodStatusStatus defines the observed state of MutatorPodStatus. + properties: + enforced: + type: boolean + errors: + items: + description: MutatorError represents a single error caught while adding a mutator to a system. + properties: + message: + type: string + type: + description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type. 
+ type: string + required: + - message + type: object + type: array + id: + type: string + mutatorUID: + description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch + type: string + observedGeneration: + format: int64 + type: integer + operations: + items: + type: string + type: array + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: + status: {} + - name: v1alpha1 + schema: + openAPIV3Schema: + description: AssignMetadata is the Schema for the assignmetadata API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: AssignMetadataSpec defines the desired state of AssignMetadata. + properties: + location: + type: string + match: + description: Match selects which objects are in scope. + properties: + excludedNamespaces: + description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' 
+ items: + description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + kinds: + items: + description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope. + properties: + apiGroups: + description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required. + items: + type: string + type: array + kinds: + items: + type: string + type: array + type: object + type: array + labelSelector: + description: 'LabelSelector is the combination of two optional fields: `matchLabels` and `matchExpressions`. These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector.' + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. 
If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + name: + description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + namespaceSelector: + description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + items: + description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + scope: + description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) + type: string + source: + description: Source determines whether generated or original resources are matched. Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of `Generated` will only match generated resources, while `Original` will only match regular resources. + enum: + - All + - Generated + - Original + type: string + type: object + parameters: + properties: + assign: + description: Assign.value holds the value to be assigned + properties: + externalData: + description: ExternalData describes the external data provider to be used for mutation. 
+ properties: + dataSource: + default: ValueAtLocation + description: DataSource specifies where to extract the data that will be sent to the external data provider as parameters. + enum: + - ValueAtLocation + - Username + type: string + default: + description: Default specifies the default value to use when the external data provider returns an error and the failure policy is set to "UseDefault". + type: string + failurePolicy: + default: Fail + description: FailurePolicy specifies the policy to apply when the external data provider returns an error. + enum: + - UseDefault + - Ignore + - Fail + type: string + provider: + description: Provider is the name of the external data provider. + type: string + type: object + fromMetadata: + description: FromMetadata assigns a value from the specified metadata field. + properties: + field: + description: Field specifies which metadata field provides the assigned value. Valid fields are `namespace` and `name`. + type: string + type: object + value: + description: Value is a constant value that will be assigned to `location` + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: object + status: + description: AssignMetadataStatus defines the observed state of AssignMetadata. + properties: + byPod: + description: 'INSERT ADDITIONAL STATUS FIELD - define observed state of cluster Important: Run "make" to regenerate code after modifying this file' + items: + description: MutatorPodStatusStatus defines the observed state of MutatorPodStatus. + properties: + enforced: + type: boolean + errors: + items: + description: MutatorError represents a single error caught while adding a mutator to a system. + properties: + message: + type: string + type: + description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type. 
+ type: string + required: + - message + type: object + type: array + id: + type: string + mutatorUID: + description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch + type: string + observedGeneration: + format: int64 + type: integer + operations: + items: + type: string + type: array + type: object + type: array + type: object + type: object + served: true + storage: false + subresources: + status: {} + - name: v1beta1 + schema: + openAPIV3Schema: + description: AssignMetadata is the Schema for the assignmetadata API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: AssignMetadataSpec defines the desired state of AssignMetadata. + properties: + location: + type: string + match: + description: Match selects which objects are in scope. + properties: + excludedNamespaces: + description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' 
+ items: + description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + kinds: + items: + description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope. + properties: + apiGroups: + description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required. + items: + type: string + type: array + kinds: + items: + type: string + type: array + type: object + type: array + labelSelector: + description: 'LabelSelector is the combination of two optional fields: `matchLabels` and `matchExpressions`. These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector.' + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. 
If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + name: + description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + namespaceSelector: + description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + items: + description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + scope: + description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) + type: string + source: + description: Source determines whether generated or original resources are matched. Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of `Generated` will only match generated resources, while `Original` will only match regular resources. + enum: + - All + - Generated + - Original + type: string + type: object + parameters: + properties: + assign: + description: Assign.value holds the value to be assigned + properties: + externalData: + description: ExternalData describes the external data provider to be used for mutation. 
+ properties: + dataSource: + default: ValueAtLocation + description: DataSource specifies where to extract the data that will be sent to the external data provider as parameters. + enum: + - ValueAtLocation + - Username + type: string + default: + description: Default specifies the default value to use when the external data provider returns an error and the failure policy is set to "UseDefault". + type: string + failurePolicy: + default: Fail + description: FailurePolicy specifies the policy to apply when the external data provider returns an error. + enum: + - UseDefault + - Ignore + - Fail + type: string + provider: + description: Provider is the name of the external data provider. + type: string + type: object + fromMetadata: + description: FromMetadata assigns a value from the specified metadata field. + properties: + field: + description: Field specifies which metadata field provides the assigned value. Valid fields are `namespace` and `name`. + type: string + type: object + value: + description: Value is a constant value that will be assigned to `location` + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: object + status: + description: AssignMetadataStatus defines the observed state of AssignMetadata. + properties: + byPod: + description: 'INSERT ADDITIONAL STATUS FIELD - define observed state of cluster Important: Run "make" to regenerate code after modifying this file' + items: + description: MutatorPodStatusStatus defines the observed state of MutatorPodStatus. + properties: + enforced: + type: boolean + errors: + items: + description: MutatorError represents a single error caught while adding a mutator to a system. + properties: + message: + type: string + type: + description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type. 
+ type: string + required: + - message + type: object + type: array + id: + type: string + mutatorUID: + description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch + type: string + observedGeneration: + format: int64 + type: integer + operations: + items: + type: string + type: array + type: object + type: array + type: object + type: object + served: true + storage: false + subresources: + status: {} diff --git a/charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/crd-manifest/config-customresourcedefinition.yaml b/charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/crd-manifest/config-customresourcedefinition.yaml new file mode 100644 index 000000000..269ca95f9 --- /dev/null +++ b/charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/crd-manifest/config-customresourcedefinition.yaml 
@@ -0,0 +1,105 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.10.0 + labels: + gatekeeper.sh/system: "yes" + name: configs.config.gatekeeper.sh +spec: + group: config.gatekeeper.sh + names: + kind: Config + listKind: ConfigList + plural: configs + singular: config + preserveUnknownFields: false + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: Config is the Schema for the configs API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ConfigSpec defines the desired state of Config. + properties: + match: + description: Configuration for namespace exclusion + items: + properties: + excludedNamespaces: + items: + description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' 
+ pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + processes: + items: + type: string + type: array + type: object + type: array + readiness: + description: Configuration for readiness tracker + properties: + statsEnabled: + type: boolean + type: object + sync: + description: Configuration for syncing k8s objects + properties: + syncOnly: + description: If non-empty, only entries on this list will be replicated into OPA + items: + properties: + group: + type: string + kind: + type: string + version: + type: string + type: object + type: array + type: object + validation: + description: Configuration for validation + properties: + traces: + description: List of requests to trace. Both "user" and "kinds" must be specified + items: + properties: + dump: + description: Also dump the state of OPA with the trace. Set to `All` to dump everything. + type: string + kind: + description: Only trace requests of the following GroupVersionKind + properties: + group: + type: string + kind: + type: string + version: + type: string + type: object + user: + description: Only trace requests from the specified user + type: string + type: object + type: array + type: object + type: object + status: + description: ConfigStatus defines the observed state of Config. + type: object + type: object + served: true + storage: true diff --git a/charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/crd-manifest/constraintpodstatus-customresourcedefinition.yaml b/charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/crd-manifest/constraintpodstatus-customresourcedefinition.yaml new file mode 100644 index 000000000..230a541bb --- /dev/null +++ b/charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/crd-manifest/constraintpodstatus-customresourcedefinition.yaml 
@@ -0,0 +1,67 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.10.0 + labels: + gatekeeper.sh/system: "yes" + name: constraintpodstatuses.status.gatekeeper.sh +spec: + group: status.gatekeeper.sh + names: + kind: ConstraintPodStatus + listKind: ConstraintPodStatusList + plural: constraintpodstatuses + singular: constraintpodstatus + preserveUnknownFields: false + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + description: ConstraintPodStatus is the Schema for the constraintpodstatuses API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + status: + description: ConstraintPodStatusStatus defines the observed state of ConstraintPodStatus. + properties: + constraintUID: + description: Storing the constraint UID allows us to detect drift, such as when a constraint has been recreated after its CRD was deleted out from under it, interrupting the watch + type: string + enforced: + type: boolean + errors: + items: + description: Error represents a single error caught while adding a constraint to OPA. 
+ properties: + code: + type: string + location: + type: string + message: + type: string + required: + - code + - message + type: object + type: array + id: + type: string + observedGeneration: + format: int64 + type: integer + operations: + items: + type: string + type: array + type: object + type: object + served: true + storage: true diff --git a/charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/crd-manifest/constrainttemplate-customresourcedefinition.yaml b/charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/crd-manifest/constrainttemplate-customresourcedefinition.yaml new file mode 100644 index 000000000..737e3aff1 --- /dev/null +++ b/charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/crd-manifest/constrainttemplate-customresourcedefinition.yaml 
@@ -0,0 +1,357 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.11.3 + labels: + gatekeeper.sh/system: "yes" + name: constrainttemplates.templates.gatekeeper.sh +spec: + group: templates.gatekeeper.sh + names: + kind: ConstraintTemplate + listKind: ConstraintTemplateList + plural: constrainttemplates + singular: constrainttemplate + preserveUnknownFields: false + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: ConstraintTemplate is the Schema for the constrainttemplates API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ConstraintTemplateSpec defines the desired state of ConstraintTemplate. + properties: + crd: + properties: + spec: + properties: + names: + properties: + kind: + type: string + shortNames: + items: + type: string + type: array + type: object + validation: + default: + legacySchema: false + properties: + legacySchema: + default: false + type: boolean + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: object + targets: + items: + properties: + code: + description: The source code options for the constraint template. 
"Rego" can only be specified in one place (either here or in the "rego" field) + items: + properties: + engine: + description: 'The engine used to evaluate the code. Example: "Rego". Required.' + type: string + source: + description: The source code for the template. Required. + x-kubernetes-preserve-unknown-fields: true + required: + - engine + - source + type: object + type: array + x-kubernetes-list-map-keys: + - engine + x-kubernetes-list-type: map + libs: + items: + type: string + type: array + rego: + type: string + target: + type: string + type: object + type: array + type: object + status: + description: ConstraintTemplateStatus defines the observed state of ConstraintTemplate. + properties: + byPod: + items: + description: ByPodStatus defines the observed state of ConstraintTemplate as seen by an individual controller + properties: + errors: + items: + description: CreateCRDError represents a single error caught during parsing, compiling, etc. + properties: + code: + type: string + location: + type: string + message: + type: string + required: + - code + - message + type: object + type: array + id: + description: a unique identifier for the pod that wrote the status + type: string + observedGeneration: + format: int64 + type: integer + type: object + x-kubernetes-preserve-unknown-fields: true + type: array + created: + type: boolean + type: object + type: object + served: true + storage: true + subresources: + status: {} + - name: v1alpha1 + schema: + openAPIV3Schema: + description: ConstraintTemplate is the Schema for the constrainttemplates API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ConstraintTemplateSpec defines the desired state of ConstraintTemplate. + properties: + crd: + properties: + spec: + properties: + names: + properties: + kind: + type: string + shortNames: + items: + type: string + type: array + type: object + validation: + default: + legacySchema: true + properties: + legacySchema: + default: true + type: boolean + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: object + targets: + items: + properties: + code: + description: The source code options for the constraint template. "Rego" can only be specified in one place (either here or in the "rego" field) + items: + properties: + engine: + description: 'The engine used to evaluate the code. Example: "Rego". Required.' + type: string + source: + description: The source code for the template. Required. + x-kubernetes-preserve-unknown-fields: true + required: + - engine + - source + type: object + type: array + x-kubernetes-list-map-keys: + - engine + x-kubernetes-list-type: map + libs: + items: + type: string + type: array + rego: + type: string + target: + type: string + type: object + type: array + type: object + status: + description: ConstraintTemplateStatus defines the observed state of ConstraintTemplate. 
+ properties: + byPod: + items: + description: ByPodStatus defines the observed state of ConstraintTemplate as seen by an individual controller + properties: + errors: + items: + description: CreateCRDError represents a single error caught during parsing, compiling, etc. + properties: + code: + type: string + location: + type: string + message: + type: string + required: + - code + - message + type: object + type: array + id: + description: a unique identifier for the pod that wrote the status + type: string + observedGeneration: + format: int64 + type: integer + type: object + x-kubernetes-preserve-unknown-fields: true + type: array + created: + type: boolean + type: object + type: object + served: true + storage: false + subresources: + status: {} + - name: v1beta1 + schema: + openAPIV3Schema: + description: ConstraintTemplate is the Schema for the constrainttemplates API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ConstraintTemplateSpec defines the desired state of ConstraintTemplate. 
+ properties: + crd: + properties: + spec: + properties: + names: + properties: + kind: + type: string + shortNames: + items: + type: string + type: array + type: object + validation: + default: + legacySchema: true + properties: + legacySchema: + default: true + type: boolean + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: object + targets: + items: + properties: + code: + description: The source code options for the constraint template. "Rego" can only be specified in one place (either here or in the "rego" field) + items: + properties: + engine: + description: 'The engine used to evaluate the code. Example: "Rego". Required.' + type: string + source: + description: The source code for the template. Required. + x-kubernetes-preserve-unknown-fields: true + required: + - engine + - source + type: object + type: array + x-kubernetes-list-map-keys: + - engine + x-kubernetes-list-type: map + libs: + items: + type: string + type: array + rego: + type: string + target: + type: string + type: object + type: array + type: object + status: + description: ConstraintTemplateStatus defines the observed state of ConstraintTemplate. + properties: + byPod: + items: + description: ByPodStatus defines the observed state of ConstraintTemplate as seen by an individual controller + properties: + errors: + items: + description: CreateCRDError represents a single error caught during parsing, compiling, etc. + properties: + code: + type: string + location: + type: string + message: + type: string + required: + - code + - message + type: object + type: array + id: + description: a unique identifier for the pod that wrote the status + type: string + observedGeneration: + format: int64 + type: integer + type: object + x-kubernetes-preserve-unknown-fields: true + type: array + created: + type: boolean + type: object + type: object + served: true + storage: false + subresources: + status: {} 
diff --git a/charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/crd-manifest/constrainttemplatepodstatus-customresourcedefinition.yaml b/charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/crd-manifest/constrainttemplatepodstatus-customresourcedefinition.yaml new file mode 100644 index 000000000..271572bd7 --- /dev/null +++ b/charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/crd-manifest/constrainttemplatepodstatus-customresourcedefinition.yaml 
@@ -0,0 +1,66 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.10.0 + labels: + gatekeeper.sh/system: "yes" + name: constrainttemplatepodstatuses.status.gatekeeper.sh +spec: + group: status.gatekeeper.sh + names: + kind: ConstraintTemplatePodStatus + listKind: ConstraintTemplatePodStatusList + plural: constrainttemplatepodstatuses + singular: constrainttemplatepodstatus + preserveUnknownFields: false + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + description: ConstraintTemplatePodStatus is the Schema for the constrainttemplatepodstatuses API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + status: + description: ConstraintTemplatePodStatusStatus defines the observed state of ConstraintTemplatePodStatus. + properties: + errors: + items: + description: CreateCRDError represents a single error caught during parsing, compiling, etc. 
+ properties: + code: + type: string + location: + type: string + message: + type: string + required: + - code + - message + type: object + type: array + id: + description: 'Important: Run "make" to regenerate code after modifying this file' + type: string + observedGeneration: + format: int64 + type: integer + operations: + items: + type: string + type: array + templateUID: + description: UID is a type that holds unique ID values, including UUIDs. Because we don't ONLY use UUIDs, this is an alias to string. Being a type captures intent and helps make sure that UIDs and names do not get conflated. + type: string + type: object + type: object + served: true + storage: true diff --git a/charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/crd-manifest/expansiontemplate-customresourcedefinition.yaml b/charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/crd-manifest/expansiontemplate-customresourcedefinition.yaml new file mode 100644 index 000000000..9d248f2cc --- /dev/null +++ b/charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/crd-manifest/expansiontemplate-customresourcedefinition.yaml 
@@ -0,0 +1,200 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.10.0 + labels: + gatekeeper.sh/system: "yes" + name: expansiontemplate.expansion.gatekeeper.sh +spec: + group: expansion.gatekeeper.sh + names: + kind: ExpansionTemplate + listKind: ExpansionTemplateList + plural: expansiontemplate + singular: expansiontemplate + preserveUnknownFields: false + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: ExpansionTemplate is the Schema for the ExpansionTemplate API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ExpansionTemplateSpec defines the desired state of ExpansionTemplate. + properties: + applyTo: + description: ApplyTo lists the specific groups, versions and kinds of generator resources which will be expanded. + items: + description: ApplyTo determines what GVKs items the mutation should apply to. Globs are not allowed. + properties: + groups: + items: + type: string + type: array + kinds: + items: + type: string + type: array + versions: + items: + type: string + type: array + type: object + type: array + enforcementAction: + description: EnforcementAction specifies the enforcement action to be used for resources matching the ExpansionTemplate. 
Specifying an empty value will use the enforcement action specified by the Constraint in violation. + type: string + generatedGVK: + description: GeneratedGVK specifies the GVK of the resources which the generator resource creates. + properties: + group: + type: string + kind: + type: string + version: + type: string + type: object + templateSource: + description: TemplateSource specifies the source field on the generator resource to use as the base for expanded resource. For Pod-creating generators, this is usually spec.template + type: string + type: object + status: + description: ExpansionTemplateStatus defines the observed state of ExpansionTemplate. + properties: + byPod: + items: + description: ExpansionTemplatePodStatusStatus defines the observed state of ExpansionTemplatePodStatus. + properties: + errors: + items: + properties: + message: + type: string + type: + type: string + required: + - message + type: object + type: array + id: + description: 'Important: Run "make" to regenerate code after modifying this file' + type: string + observedGeneration: + format: int64 + type: integer + operations: + items: + type: string + type: array + templateUID: + description: UID is a type that holds unique ID values, including UUIDs. Because we don't ONLY use UUIDs, this is an alias to string. Being a type captures intent and helps make sure that UIDs and names do not get conflated. + type: string + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: + status: {} + - name: v1beta1 + schema: + openAPIV3Schema: + description: ExpansionTemplate is the Schema for the ExpansionTemplate API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ExpansionTemplateSpec defines the desired state of ExpansionTemplate. + properties: + applyTo: + description: ApplyTo lists the specific groups, versions and kinds of generator resources which will be expanded. + items: + description: ApplyTo determines what GVKs items the mutation should apply to. Globs are not allowed. + properties: + groups: + items: + type: string + type: array + kinds: + items: + type: string + type: array + versions: + items: + type: string + type: array + type: object + type: array + enforcementAction: + description: EnforcementAction specifies the enforcement action to be used for resources matching the ExpansionTemplate. Specifying an empty value will use the enforcement action specified by the Constraint in violation. + type: string + generatedGVK: + description: GeneratedGVK specifies the GVK of the resources which the generator resource creates. + properties: + group: + type: string + kind: + type: string + version: + type: string + type: object + templateSource: + description: TemplateSource specifies the source field on the generator resource to use as the base for expanded resource. For Pod-creating generators, this is usually spec.template + type: string + type: object + status: + description: ExpansionTemplateStatus defines the observed state of ExpansionTemplate. + properties: + byPod: + items: + description: ExpansionTemplatePodStatusStatus defines the observed state of ExpansionTemplatePodStatus. 
+ properties: + errors: + items: + properties: + message: + type: string + type: + type: string + required: + - message + type: object + type: array + id: + description: 'Important: Run "make" to regenerate code after modifying this file' + type: string + observedGeneration: + format: int64 + type: integer + operations: + items: + type: string + type: array + templateUID: + description: UID is a type that holds unique ID values, including UUIDs. Because we don't ONLY use UUIDs, this is an alias to string. Being a type captures intent and helps make sure that UIDs and names do not get conflated. + type: string + type: object + type: array + type: object + type: object + served: true + storage: false + subresources: + status: {} diff --git a/charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/crd-manifest/expansiontemplatepodstatus-customresourcedefinition.yaml b/charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/crd-manifest/expansiontemplatepodstatus-customresourcedefinition.yaml new file mode 100644 index 000000000..8f49b4c5f --- /dev/null +++ b/charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/crd-manifest/expansiontemplatepodstatus-customresourcedefinition.yaml 
@@ -0,0 +1,62 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.10.0 + labels: + gatekeeper.sh/system: "yes" + name: expansiontemplatepodstatuses.status.gatekeeper.sh +spec: + group: status.gatekeeper.sh + names: + kind: ExpansionTemplatePodStatus + listKind: ExpansionTemplatePodStatusList + plural: expansiontemplatepodstatuses + singular: expansiontemplatepodstatus + preserveUnknownFields: false + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + description: ExpansionTemplatePodStatus is the Schema for the expansiontemplatepodstatuses API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + status: + description: ExpansionTemplatePodStatusStatus defines the observed state of ExpansionTemplatePodStatus. + properties: + errors: + items: + properties: + message: + type: string + type: + type: string + required: + - message + type: object + type: array + id: + description: 'Important: Run "make" to regenerate code after modifying this file' + type: string + observedGeneration: + format: int64 + type: integer + operations: + items: + type: string + type: array + templateUID: + description: UID is a type that holds unique ID values, including UUIDs. 
Because we don't ONLY use UUIDs, this is an alias to string. Being a type captures intent and helps make sure that UIDs and names do not get conflated. + type: string + type: object + type: object + served: true + storage: true diff --git a/charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/crd-manifest/modifyset-customresourcedefinition.yaml b/charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/crd-manifest/modifyset-customresourcedefinition.yaml new file mode 100644 index 000000000..46574fd36 --- /dev/null +++ b/charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/crd-manifest/modifyset-customresourcedefinition.yaml 
@@ -0,0 +1,676 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.10.0 + labels: + gatekeeper.sh/system: "yes" + name: modifyset.mutations.gatekeeper.sh +spec: + group: mutations.gatekeeper.sh + names: + kind: ModifySet + listKind: ModifySetList + plural: modifyset + singular: modifyset + preserveUnknownFields: false + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: ModifySet allows the user to modify non-keyed lists, such as the list of arguments to a container. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + properties: + name: + maxLength: 63 + type: string + type: object + spec: + description: ModifySetSpec defines the desired state of ModifySet. + properties: + applyTo: + description: ApplyTo lists the specific groups, versions and kinds a mutation will be applied to. This is necessary because every mutation implies part of an object schema and object schemas are associated with specific GVKs. + items: + description: ApplyTo determines what GVKs items the mutation should apply to. Globs are not allowed. 
+ properties: + groups: + items: + type: string + type: array + kinds: + items: + type: string + type: array + versions: + items: + type: string + type: array + type: object + type: array + location: + description: 'Location describes the path to be mutated, for example: `spec.containers[name: main].args`.' + type: string + match: + description: Match allows the user to limit which resources get mutated. Individual match criteria are AND-ed together. An undefined match criteria matches everything. + properties: + excludedNamespaces: + description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + items: + description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + kinds: + items: + description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope. + properties: + apiGroups: + description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required. + items: + type: string + type: array + kinds: + items: + type: string + type: array + type: object + type: array + labelSelector: + description: 'LabelSelector is the combination of two optional fields: `matchLabels` and `matchExpressions`. 
These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector.' + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + name: + description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' 
+ pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + namespaceSelector: + description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + items: + description: 'A string that supports globbing at its front or end. 
Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + scope: + description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) + type: string + source: + description: Source determines whether generated or original resources are matched. Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of `Generated` will only match generated resources, while `Original` will only match regular resources. + enum: + - All + - Generated + - Original + type: string + type: object + parameters: + description: Parameters define the behavior of the mutator. + properties: + operation: + default: merge + description: Operation describes whether values should be merged in ("merge"), or pruned ("prune"). Default value is "merge" + enum: + - merge + - prune + type: string + pathTests: + description: PathTests are a series of existence tests that can be checked before a mutation is applied + items: + description: "PathTest allows the user to customize how the mutation works if parent paths are missing. It traverses the list in order. All sub paths are tested against the provided condition, if the test fails, the mutation is not applied. All `subPath` entries must be a prefix of `location`. Any glob characters will take on the same value as was used to expand the matching glob in `location`. \n Available Tests: * MustExist - the path must exist or do not mutate * MustNotExist - the path must not exist or do not mutate." 
+ properties: + condition: + description: Condition describes whether the path either MustExist or MustNotExist in the original object + enum: + - MustExist + - MustNotExist + type: string + subPath: + type: string + type: object + type: array + values: + description: Values describes the values provided to the operation as `values.fromList`. + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + status: + description: ModifySetStatus defines the observed state of ModifySet. + properties: + byPod: + items: + description: MutatorPodStatusStatus defines the observed state of MutatorPodStatus. + properties: + enforced: + type: boolean + errors: + items: + description: MutatorError represents a single error caught while adding a mutator to a system. + properties: + message: + type: string + type: + description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type. + type: string + required: + - message + type: object + type: array + id: + type: string + mutatorUID: + description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch + type: string + observedGeneration: + format: int64 + type: integer + operations: + items: + type: string + type: array + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: + status: {} + - name: v1alpha1 + schema: + openAPIV3Schema: + description: ModifySet allows the user to modify non-keyed lists, such as the list of arguments to a container. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ModifySetSpec defines the desired state of ModifySet. + properties: + applyTo: + description: ApplyTo lists the specific groups, versions and kinds a mutation will be applied to. This is necessary because every mutation implies part of an object schema and object schemas are associated with specific GVKs. + items: + description: ApplyTo determines what GVKs items the mutation should apply to. Globs are not allowed. + properties: + groups: + items: + type: string + type: array + kinds: + items: + type: string + type: array + versions: + items: + type: string + type: array + type: object + type: array + location: + description: 'Location describes the path to be mutated, for example: `spec.containers[name: main].args`.' + type: string + match: + description: Match allows the user to limit which resources get mutated. Individual match criteria are AND-ed together. An undefined match criteria matches everything. + properties: + excludedNamespaces: + description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + items: + description: 'A string that supports globbing at its front or end. 
Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + kinds: + items: + description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope. + properties: + apiGroups: + description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required. + items: + type: string + type: array + kinds: + items: + type: string + type: array + type: object + type: array + labelSelector: + description: 'LabelSelector is the combination of two optional fields: `matchLabels` and `matchExpressions`. These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector.' + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. 
This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + name: + description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + namespaceSelector: + description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + items: + description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + scope: + description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) + type: string + source: + description: Source determines whether generated or original resources are matched. Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of `Generated` will only match generated resources, while `Original` will only match regular resources. + enum: + - All + - Generated + - Original + type: string + type: object + parameters: + description: Parameters define the behavior of the mutator. + properties: + operation: + default: merge + description: Operation describes whether values should be merged in ("merge"), or pruned ("prune"). 
Default value is "merge" + enum: + - merge + - prune + type: string + pathTests: + description: PathTests are a series of existence tests that can be checked before a mutation is applied + items: + description: "PathTest allows the user to customize how the mutation works if parent paths are missing. It traverses the list in order. All sub paths are tested against the provided condition, if the test fails, the mutation is not applied. All `subPath` entries must be a prefix of `location`. Any glob characters will take on the same value as was used to expand the matching glob in `location`. \n Available Tests: * MustExist - the path must exist or do not mutate * MustNotExist - the path must not exist or do not mutate." + properties: + condition: + description: Condition describes whether the path either MustExist or MustNotExist in the original object + enum: + - MustExist + - MustNotExist + type: string + subPath: + type: string + type: object + type: array + values: + description: Values describes the values provided to the operation as `values.fromList`. + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + status: + description: ModifySetStatus defines the observed state of ModifySet. + properties: + byPod: + items: + description: MutatorPodStatusStatus defines the observed state of MutatorPodStatus. + properties: + enforced: + type: boolean + errors: + items: + description: MutatorError represents a single error caught while adding a mutator to a system. + properties: + message: + type: string + type: + description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type. 
+ type: string + required: + - message + type: object + type: array + id: + type: string + mutatorUID: + description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch + type: string + observedGeneration: + format: int64 + type: integer + operations: + items: + type: string + type: array + type: object + type: array + type: object + type: object + served: true + storage: false + subresources: + status: {} + - name: v1beta1 + schema: + openAPIV3Schema: + description: ModifySet allows the user to modify non-keyed lists, such as the list of arguments to a container. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ModifySetSpec defines the desired state of ModifySet. + properties: + applyTo: + description: ApplyTo lists the specific groups, versions and kinds a mutation will be applied to. This is necessary because every mutation implies part of an object schema and object schemas are associated with specific GVKs. + items: + description: ApplyTo determines what GVKs items the mutation should apply to. Globs are not allowed. 
+ properties: + groups: + items: + type: string + type: array + kinds: + items: + type: string + type: array + versions: + items: + type: string + type: array + type: object + type: array + location: + description: 'Location describes the path to be mutated, for example: `spec.containers[name: main].args`.' + type: string + match: + description: Match allows the user to limit which resources get mutated. Individual match criteria are AND-ed together. An undefined match criteria matches everything. + properties: + excludedNamespaces: + description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + items: + description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + kinds: + items: + description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope. + properties: + apiGroups: + description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required. + items: + type: string + type: array + kinds: + items: + type: string + type: array + type: object + type: array + labelSelector: + description: 'LabelSelector is the combination of two optional fields: `matchLabels` and `matchExpressions`. 
These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector.' + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + name: + description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' 
+ pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + namespaceSelector: + description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + namespaces: + description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' + items: + description: 'A string that supports globbing at its front or end. 
Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' + pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$ + type: string + type: array + scope: + description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) + type: string + source: + description: Source determines whether generated or original resources are matched. Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of `Generated` will only match generated resources, while `Original` will only match regular resources. + enum: + - All + - Generated + - Original + type: string + type: object + parameters: + description: Parameters define the behavior of the mutator. + properties: + operation: + default: merge + description: Operation describes whether values should be merged in ("merge"), or pruned ("prune"). Default value is "merge" + enum: + - merge + - prune + type: string + pathTests: + description: PathTests are a series of existence tests that can be checked before a mutation is applied + items: + description: "PathTest allows the user to customize how the mutation works if parent paths are missing. It traverses the list in order. All sub paths are tested against the provided condition, if the test fails, the mutation is not applied. All `subPath` entries must be a prefix of `location`. Any glob characters will take on the same value as was used to expand the matching glob in `location`. \n Available Tests: * MustExist - the path must exist or do not mutate * MustNotExist - the path must not exist or do not mutate." 
+ properties: + condition: + description: Condition describes whether the path either MustExist or MustNotExist in the original object + enum: + - MustExist + - MustNotExist + type: string + subPath: + type: string + type: object + type: array + values: + description: Values describes the values provided to the operation as `values.fromList`. + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + status: + description: ModifySetStatus defines the observed state of ModifySet. + properties: + byPod: + items: + description: MutatorPodStatusStatus defines the observed state of MutatorPodStatus. + properties: + enforced: + type: boolean + errors: + items: + description: MutatorError represents a single error caught while adding a mutator to a system. + properties: + message: + type: string + type: + description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type. + type: string + required: + - message + type: object + type: array + id: + type: string + mutatorUID: + description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch + type: string + observedGeneration: + format: int64 + type: integer + operations: + items: + type: string + type: array + type: object + type: array + type: object + type: object + served: true + storage: false + subresources: + status: {} diff --git a/charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/crd-manifest/mutatorpodstatus-customresourcedefinition.yaml b/charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/crd-manifest/mutatorpodstatus-customresourcedefinition.yaml new file mode 100644 index 000000000..fd6a0f6de --- /dev/null +++ b/charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/crd-manifest/mutatorpodstatus-customresourcedefinition.yaml 
@@ -0,0 +1,65 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.10.0 + labels: + gatekeeper.sh/system: "yes" + name: mutatorpodstatuses.status.gatekeeper.sh +spec: + group: status.gatekeeper.sh + names: + kind: MutatorPodStatus + listKind: MutatorPodStatusList + plural: mutatorpodstatuses + singular: mutatorpodstatus + preserveUnknownFields: false + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + description: MutatorPodStatus is the Schema for the mutationpodstatuses API. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + status: + description: MutatorPodStatusStatus defines the observed state of MutatorPodStatus. + properties: + enforced: + type: boolean + errors: + items: + description: MutatorError represents a single error caught while adding a mutator to a system. + properties: + message: + type: string + type: + description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type. 
+ type: string + required: + - message + type: object + type: array + id: + type: string + mutatorUID: + description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch + type: string + observedGeneration: + format: int64 + type: integer + operations: + items: + type: string + type: array + type: object + type: object + served: true + storage: true diff --git a/charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/crd-manifest/provider-customresourcedefinition.yaml b/charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/crd-manifest/provider-customresourcedefinition.yaml new file mode 100644 index 000000000..95e66a8b8 --- /dev/null +++ b/charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/crd-manifest/provider-customresourcedefinition.yaml 
@@ -0,0 +1,78 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.11.3 + labels: + gatekeeper.sh/system: "yes" + name: providers.externaldata.gatekeeper.sh +spec: + group: externaldata.gatekeeper.sh + names: + kind: Provider + listKind: ProviderList + plural: providers + singular: provider + preserveUnknownFields: false + scope: Cluster + versions: + - deprecated: true + deprecationWarning: externaldata.gatekeeper.sh/v1alpha1 is deprecated. Use externaldata.gatekeeper.sh/v1beta1 instead. + name: v1alpha1 + schema: + openAPIV3Schema: + description: Provider is the Schema for the Provider API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the Provider specifications. + properties: + caBundle: + description: CABundle is a base64-encoded string that contains the TLS CA bundle in PEM format. It is used to verify the signature of the provider's certificate. + type: string + timeout: + description: Timeout is the timeout when querying the provider. + type: integer + url: + description: URL is the url for the provider. URL is prefixed with https://. 
+ type: string + type: object + type: object + served: true + storage: false + - name: v1beta1 + schema: + openAPIV3Schema: + description: Provider is the Schema for the providers API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the Provider specifications. + properties: + caBundle: + description: CABundle is a base64-encoded string that contains the TLS CA bundle in PEM format. It is used to verify the signature of the provider's certificate. + type: string + timeout: + description: Timeout is the timeout when querying the provider. + type: integer + url: + description: URL is the url for the provider. URL is prefixed with https://. + type: string + type: object + type: object + served: true + storage: true diff --git a/charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/templates/_helpers.tpl b/charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/templates/_helpers.tpl new file mode 100644 index 000000000..6a89079bc --- /dev/null +++ b/charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/templates/_helpers.tpl 
@@ -0,0 +1,22 @@ +# Rancher + +{{- define "system_default_registry" -}} +{{- if .Values.global.cattle.systemDefaultRegistry -}} +{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}} +{{- end -}} +{{- end -}} + +{{/* +Windows cluster will add default taint for linux nodes, +add below linux tolerations to workloads could be scheduled to those linux nodes +*/}} +{{- define "linux-node-tolerations" -}} +- key: "cattle.io/os" + value: "linux" + effect: "NoSchedule" + operator: "Equal" +{{- end -}} + +{{- define "linux-node-selector" -}} +kubernetes.io/os: linux +{{- end -}} diff --git a/charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/templates/jobs.yaml b/charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/templates/jobs.yaml new file mode 100644 index 000000000..e5589e68c --- /dev/null +++ b/charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/templates/jobs.yaml 
@@ -0,0 +1,126 @@ +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ .Chart.Name }}-create + namespace: {{ .Release.Namespace }} + labels: + app: {{ .Chart.Name }} + annotations: + "helm.sh/hook": post-install, post-upgrade, post-rollback + "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded +spec: + template: + metadata: + name: {{ .Chart.Name }}-create + labels: + app: {{ .Chart.Name }} + spec: + serviceAccountName: {{ .Chart.Name }}-manager + nodeSelector: {{ include "linux-node-selector" . | nindent 8 }} +{{- if .Values.nodeSelector }} +{{ toYaml .Values.nodeSelector | indent 8 }} +{{- end }} + tolerations: {{ include "linux-node-tolerations" . | nindent 8 }} +{{- if .Values.tolerations }} +{{ toYaml .Values.tolerations | indent 8 }} +{{- end }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + containers: + - name: create-crds + image: {{ template "system_default_registry" . }}{{ .Values.image.repository }}:{{ .Values.image.tag }} + imagePullPolicy: IfNotPresent + command: + - /bin/kubectl + - apply + - -f + - /etc/config/crd-manifest.yaml + volumeMounts: + - name: crd-manifest + readOnly: true + mountPath: /etc/config + securityContext: + {{- if .Values.enableRuntimeDefaultSeccompProfile }} + seccompProfile: + type: RuntimeDefault + {{- end }} + {{- toYaml .Values.securityContext | nindent 12 }} + restartPolicy: OnFailure + volumes: + - name: crd-manifest + configMap: + name: {{ .Chart.Name }}-manifest +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ .Chart.Name }}-delete + namespace: {{ .Release.Namespace }} + labels: + app: {{ .Chart.Name }} + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-delete-policy": hook-succeeded +spec: + template: + metadata: + name: {{ .Chart.Name }}-delete + labels: + app: {{ .Chart.Name }} + spec: + serviceAccountName: {{ .Chart.Name }}-manager + nodeSelector: {{ include "linux-node-selector" . 
| nindent 8 }} +{{- if .Values.nodeSelector }} +{{ toYaml .Values.nodeSelector | indent 8 }} +{{- end }} + tolerations: {{ include "linux-node-tolerations" . | nindent 8 }} +{{- if .Values.tolerations }} +{{ toYaml .Values.tolerations | indent 8 }} +{{- end }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + initContainers: + - name: remove-finalizers + image: {{ template "system_default_registry" . }}{{ .Values.image.repository }}:{{ .Values.image.tag }} + imagePullPolicy: IfNotPresent + command: + - /bin/kubectl + - apply + - -f + - /etc/config/crd-manifest.yaml + volumeMounts: + - name: crd-manifest + readOnly: true + mountPath: /etc/config + securityContext: + {{- if .Values.enableRuntimeDefaultSeccompProfile }} + seccompProfile: + type: RuntimeDefault + {{- end }} + {{- toYaml .Values.securityContext | nindent 12 }} + containers: + - name: delete-crds + image: {{ template "system_default_registry" . }}{{ .Values.image.repository }}:{{ .Values.image.tag }} + imagePullPolicy: IfNotPresent + command: + - /bin/kubectl + - delete + - -f + - /etc/config/crd-manifest.yaml + volumeMounts: + - name: crd-manifest + readOnly: true + mountPath: /etc/config + securityContext: + {{- if .Values.enableRuntimeDefaultSeccompProfile }} + seccompProfile: + type: RuntimeDefault + {{- end }} + {{- toYaml .Values.securityContext | nindent 12 }} + restartPolicy: OnFailure + volumes: + - name: crd-manifest + configMap: + name: {{ .Chart.Name }}-manifest diff --git a/charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/templates/manifest.yaml b/charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/templates/manifest.yaml new file mode 100644 index 000000000..31016b6ef --- /dev/null +++ b/charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/templates/manifest.yaml 
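Review bot: The init container named `remove-finalizers` in the `{{ .Chart.Name }}-delete` Job runs `kubectl apply -f /etc/config/crd-manifest.yaml`, the same command as the create Job's `create-crds` container, so it does not remove any finalizers. If the intent is to re-assert the CRDs so that the following `kubectl delete -f` does not fail on an already-missing resource, renaming it to something like `reapply-crds` and adding `# re-apply the CRD set first so the delete step below sees every object it is about to remove` would make that explicit; if finalizer removal was intended, the command is missing. Deleting these CRDs also garbage-collects every custom resource of those kinds (ModifySet, MutatorPodStatus, Provider objects visible in this patch), so a comment above the pre-delete Job stating that uninstalling the chart removes all Gatekeeper objects of these kinds would help operators. The container `securityContext` comes from `.Values.securityContext`, which is outside this diff, so whether `allowPrivilegeEscalation: false` and `readOnlyRootFilesystem` are set cannot be confirmed here.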
@@ -0,0 +1,14 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ .Chart.Name }}-manifest + namespace: {{ .Release.Namespace }} +data: + crd-manifest.yaml: | + {{- $currentScope := . -}} + {{- $crds := (.Files.Glob "crd-manifest/**.yaml") -}} + {{- range $path, $_ := $crds -}} + {{- with $currentScope -}} + {{ .Files.Get $path | nindent 4 }} + --- + {{- end -}}{{- end -}} diff --git a/charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/templates/rbac.yaml b/charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/templates/rbac.yaml new file mode 100644 index 000000000..d1df38961 --- /dev/null +++ b/charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/templates/rbac.yaml 
@@ -0,0 +1,76 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ .Chart.Name }}-manager + labels: + app: {{ .Chart.Name }}-manager +rules: +- apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: ['create', 'get', 'patch', 'delete'] +{{- if .Values.global.cattle.psp.enabled }} +- apiGroups: ['policy'] + resources: ['podsecuritypolicies'] + verbs: ['use'] + resourceNames: + - {{ .Chart.Name }}-manager +{{- end }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ .Chart.Name }}-manager + labels: + app: {{ .Chart.Name }}-manager +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ .Chart.Name }}-manager +subjects: +- kind: ServiceAccount + name: {{ .Chart.Name }}-manager + namespace: {{ .Release.Namespace }} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ .Chart.Name }}-manager + namespace: {{ .Release.Namespace }} + labels: + app: {{ .Chart.Name }}-manager +--- +{{- if .Values.global.cattle.psp.enabled }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ .Chart.Name }}-manager + namespace: {{ .Release.Namespace }} + labels: + app: {{ .Chart.Name }}-manager +spec: + privileged: false + allowPrivilegeEscalation: false + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'MustRunAsNonRoot' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'MustRunAs' + ranges: + - min: 1 + max: 65535 + fsGroup: + rule: 'MustRunAs' + ranges: + - min: 1 + max: 65535 + readOnlyRootFilesystem: false + volumes: + - 'configMap' + - 'secret' +{{- end }} diff --git a/charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/templates/validate-psp-install.yaml b/charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/templates/validate-psp-install.yaml new file mode 100644 index 000000000..a30c59d3b --- /dev/null +++ b/charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/templates/validate-psp-install.yaml 
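Review bot: The ClusterRole in the first document grants `create`, `get`, `patch` and `delete` on every `customresourcedefinitions` object in the cluster, not only the CRDs the hook Jobs apply and delete, and nothing in the hunk narrows it. Since `kubectl apply` needs create plus patch and RBAC cannot scope `create` by `resourceNames`, narrowing is not straightforward here, but the breadth deserves a comment on the rule such as `# cluster-wide CRD verbs: kubectl apply/delete of the bundled CRDs needs create+patch, which cannot be limited by resourceNames`, so the ServiceAccount is not casually reused or widened later. Also, `PodSecurityPolicy` is cluster-scoped, so the `namespace: {{ .Release.Namespace }}` under its metadata in the last document has no effect and can be dropped.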
@@ -0,0 +1,7 @@ +#{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}} +#{{- if .Values.global.cattle.psp.enabled }} +#{{- if not (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }} +#{{- fail "The target cluster does not have the PodSecurityPolicy API resource. Please disable PSPs in this chart before proceeding." -}} +#{{- end }} +#{{- end }} +#{{- end }} diff --git a/charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/values.yaml b/charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/values.yaml new file mode 100644 index 000000000..3304f097b --- /dev/null +++ b/charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/values.yaml @@ -0,0 +1,21 @@ +# Default values for rancher-gatekeeper-crd. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +global: + cattle: + systemDefaultRegistry: "" + psp: + enabled: false + +image: + repository: rancher/kubectl + tag: v1.20.2 + +enableRuntimeDefaultSeccompProfile: true + +securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL diff --git a/charts/rancher-gatekeeper/103.1.0+up3.13.0/.helmignore b/charts/rancher-gatekeeper/103.1.0+up3.13.0/.helmignore new file mode 100644 index 000000000..f0c131944 --- /dev/null +++ b/charts/rancher-gatekeeper/103.1.0+up3.13.0/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/rancher-gatekeeper/103.1.0+up3.13.0/CHANGELOG.md b/charts/rancher-gatekeeper/103.1.0+up3.13.0/CHANGELOG.md new file mode 100644 index 000000000..c68d23c24 --- /dev/null +++ b/charts/rancher-gatekeeper/103.1.0+up3.13.0/CHANGELOG.md 
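Review bot: The outer guard `gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0` turns the whole PSP check into a no-op whenever `lookup` returns an empty map, which is the case for `helm template`, `--dry-run` and any render without API access, so the `fail` is only enforced during a real install or upgrade. That is presumably deliberate (offline rendering must still succeed), but nothing in the file says so, and the `#` prefix that keeps the lines YAML comments for linters makes the intent even less visible. A leading line such as `# lookup is empty without cluster access, so this check is skipped under helm template/--dry-run and only enforced against a live cluster` would document the behaviour.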
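Review bot: `securityContext` in values.yaml sets `allowPrivilegeEscalation: false` and drops all capabilities but omits `readOnlyRootFilesystem`, so the kubectl hook containers get a writable root filesystem by default even though all they do is `kubectl apply`/`delete -f` a mounted ConfigMap. Adding `readOnlyRootFilesystem: true` is worth trying, with the caveat that kubectl may try to write its discovery cache under the home directory, so it needs a test run rather than a blind change. Also `image.tag: v1.20.2` pins a kubectl several minors behind the clusters this chart will be installed on, which falls outside kubectl's documented one-minor version skew on any recent cluster; if the pin is intentional, a comment next to it saying why would help.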
@@ -0,0 +1,15 @@ +# Changelog +All notable changes from the upstream OPA Gatekeeper chart will be added to this file + +## [Package Version 00] - 2020-09-10 +### Added +- Enabled the CRD chart generator in `package.yaml` + +### Modified +- Updated namespace to `cattle-gatekeeper-system` +- Updated for Helm 3 compatibility + - Moved crds to `crds` directory + - Removed `crd-install` hooks and templates from crds + +### Removed +- Removed `gatekeeper-system-namespace.yaml` as Rancher handles namespaces for chart installation diff --git a/charts/rancher-gatekeeper/103.1.0+up3.13.0/Chart.yaml b/charts/rancher-gatekeeper/103.1.0+up3.13.0/Chart.yaml new file mode 100644 index 000000000..1eac2f452 --- /dev/null +++ b/charts/rancher-gatekeeper/103.1.0+up3.13.0/Chart.yaml @@ -0,0 +1,26 @@ +annotations: + catalog.cattle.io/auto-install: rancher-gatekeeper-crd=match + catalog.cattle.io/certified: rancher + catalog.cattle.io/display-name: OPA Gatekeeper + catalog.cattle.io/kube-version: '>= 1.20.0-0' + catalog.cattle.io/namespace: cattle-gatekeeper-system + catalog.cattle.io/os: linux + catalog.cattle.io/permits-os: linux,windows + catalog.cattle.io/provides-gvr: config.gatekeeper.sh.config/v1alpha1 + catalog.cattle.io/rancher-version: '>= 2.8.0-0 < 2.9.0-0' + catalog.cattle.io/release-name: rancher-gatekeeper + catalog.cattle.io/type: cluster-tool + catalog.cattle.io/ui-component: gatekeeper +apiVersion: v2 +appVersion: v3.13.0 +description: Modifies Open Policy Agent's upstream gatekeeper chart that provides + policy-based control for cloud native environments +home: https://github.com/open-policy-agent/gatekeeper +icon: https://charts.rancher.io/assets/logos/gatekeeper.svg +keywords: +- open policy agent +- security +name: rancher-gatekeeper +sources: +- https://github.com/open-policy-agent/gatekeeper.git +version: 103.1.0+up3.13.0 
diff --git a/charts/rancher-gatekeeper/103.1.0+up3.13.0/README.md b/charts/rancher-gatekeeper/103.1.0+up3.13.0/README.md
new file mode 100644
index 000000000..3ec0a2b75
--- /dev/null
+++ b/charts/rancher-gatekeeper/103.1.0+up3.13.0/README.md
@@ -0,0 +1,226 @@ +# Gatekeeper Helm Chart + +## Get Repo Info + +```console +helm repo add gatekeeper https://open-policy-agent.github.io/gatekeeper/charts +helm repo update +``` + +_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ + +## Install Chart + +```console +# Helm install with gatekeeper-system namespace already created +$ helm install -n gatekeeper-system [RELEASE_NAME] gatekeeper/gatekeeper + +# Helm install and create namespace +$ helm install -n gatekeeper-system [RELEASE_NAME] gatekeeper/gatekeeper --create-namespace + +``` + +_See [parameters](#parameters) below._ + +_See [helm install](https://helm.sh/docs/helm/helm_install/) for command documentation._ + +## Upgrade Chart + +**Upgrading from < v3.4.0** +Chart 3.4.0 deprecates support for Helm 2 and also removes the creation of the `gatekeeper-system` Namespace from within +the chart. This follows Helm 3 Best Practices. + +Option 1: +A simple way to upgrade is to uninstall first and re-install with 3.4.0 or greater. + +```console +$ helm uninstall gatekeeper +$ helm install -n gatekeeper-system [RELEASE_NAME] gatekeeper/gatekeeper --create-namespace + +``` + +Option 2: +Run the `helm_migrate.sh` script before installing the 3.4.0 or greater chart. This will remove the Helm secret for the +original release, while keeping all of the resources. It then updates the annotations of the resources so that the new +chart can import and manage them. 
+ +```console +$ helm_migrate.sh +$ helm install -n gatekeeper-system gatekeeper gatekeeper/gatekeeper +``` + +**Upgrading from >= v3.4.0** + +```console +$ helm upgrade -n gatekeeper-system [RELEASE_NAME] gatekeeper/gatekeeper +``` + +_See [helm 2 to 3](https://helm.sh/docs/topics/v2_v3_migration/) for Helm 2 migration documentation._ + +## Exempting Namespace + +The Helm chart automatically sets the Gatekeeper flag `--exempt-namespace={{ .Release.Namespace }}` in order to exempt +the namespace where the chart is installed, and adds the `admission.gatekeeper.sh/ignore` label to the namespace during +a post-install hook. + +_See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/website/docs/exempt-namespaces) for more +information._ + +## Parameters + +| Parameter | Description | Default | +|:-----------------------------------------------------------|:-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:----------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| postInstall.labelNamespace.enabled | Add labels to the namespace during post install hooks | `true` | +| postInstall.labelNamespace.extraNamespaces | The extra namespaces that need to have the label during post install hooks | `[]` | +| postInstall.labelNamespace.extraAnnotations | Extra annotations added to the post install Job | `{}` | +| postInstall.labelNamespace.image.repository | Image with kubectl to label the namespace | `openpolicyagent/gatekeeper-crds` | +| postInstall.labelNamespace.image.tag | Image tag | Current release version: `v3.13.0` | +| postInstall.labelNamespace.image.pullPolicy | Image pullPolicy | `IfNotPresent` | +| 
postInstall.labelNamespace.image.pullSecrets | Image pullSecrets | `[]` | +| postInstall.labelNamespace.extraRules | Extra rules for the gatekeeper-update-namespace-label Role | `[]` | +| postInstall.labelNamespace.priorityClassName | Priority class name for gatekeeper-update-namespace-label Job | `` | +| postInstall.probeWebhook.enabled | Probe webhook API post install. When enabled along with `postInstall.labelNamespace.enabled`, this probe will run as part of `postInstall.labelNamespace` Job as an initContainer | `true` | +| postInstall.probeWebhook.image.repository | Image with curl to probe the webhook API | `curlimages/curl` | +| postInstall.probeWebhook.image.tag | Image tag | `7.83.1` | +| postInstall.probeWebhook.image.pullPolicy | Image pullPolicy | `IfNotPresent` | +| postInstall.probeWebhook.image.pullSecrets | Image pullSecrets | `[]` | +| postInstall.probeWebhook.waitTimeout | Total time to wait for the webhook API to become available | `60` | +| postInstall.probeWebhook.httpTimeout | HTTP client timeout | `2` | +| postInstall.probeWebhook.insecureHTTPS | Ignore server SSL certificate | `false` | +| postInstall.probeWebhook.priorityClassName | Priority class name for gatekeeper-probe-webhook-post-install Job | `` | +| postInstall.affinity | The affinity to use for pod scheduling in postInstall hook jobs | `{}` | +| postInstall.tolerations | The tolerations to use for pod scheduling in postInstall hook jobs | `[]` | +| postInstall.nodeSelector | The node selector to use for pod scheduling in postInstall hook jobs | `kubernetes.io/os: linux` | +| postInstall.resources | The resource request/limits for the container image in postInstall hook jobs | `{}` | +| postInstall.securityContext | Security context applied on the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 }` | +| postUpgrade.labelNamespace.enabled | Add labels to the 
namespace during post upgrade hooks | `false` | +| postUpgrade.labelNamespace.extraNamespaces | The extra namespaces that need to have the label during post upgrade hooks | `[]` | +| postUpgrade.labelNamespace.extraAnnotations | Extra annotations added to the post upgrade Job | `{}` | +| postUpgrade.labelNamespace.image.repository | Image with kubectl to label the namespace | `openpolicyagent/gatekeeper-crds` | +| postUpgrade.labelNamespace.image.tag | Image tag | Current release version: `v3.13.0` | +| postUpgrade.labelNamespace.image.pullPolicy | Image pullPolicy | `IfNotPresent` | +| postUpgrade.labelNamespace.image.pullSecrets | Image pullSecrets | `[]` | +| postUpgrade.labelNamespace.priorityClassName | Priority class name for gatekeeper-update-namespace-label-post-upgrade Job | `` | +| postUpgrade.affinity | The affinity to use for pod scheduling in postUpgrade hook jobs | `{}` | +| postUpgrade.tolerations | The tolerations to use for pod scheduling in postUpgrade hook jobs | `[]` | +| postUpgrade.nodeSelector | The node selector to use for pod scheduling in postUpgrade hook jobs | `kubernetes.io/os: linux` | +| postUpgrade.resources | The resource request/limits for the container image in postUpgrade hook jobs | `{}` | +| postUpgrade.securityContext | Security context applied on the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 }` | +| preInstall.crdRepository.image.repository | Image with kubectl to update the CRDs. If not set, the `image.crdRepository` is used instead. 
| `null` | +| preInstall.crdRepository.image.tag | Image tag | Current release version: `v3.13.0` | +| preUninstall.deleteWebhookConfigurations.enabled | Delete webhooks before gatekeeper itself is uninstalled | `false` | +| preUninstall.deleteWebhookConfigurations.image.repository | Image with kubectl to delete the webhooks | `openpolicyagent/gatekeeper-crds` | +| preUninstall.deleteWebhookConfigurations.image.tag | Image tag | Current release version: `v3.13.0` | +| preUninstall.deleteWebhookConfigurations.image.pullPolicy | Image pullPolicy | `IfNotPresent` | +| preUninstall.deleteWebhookConfigurations.image.pullSecrets | Image pullSecrets | `[]` | +| preUninstall.deleteWebhookConfigurations.extraRules | Extra rules for the gatekeeper-delete-webhook-configs Role | `[]` | +| preUninstall.deleteWebhookConfigurations.priorityClassName | Priority class name for gatekeeper-delete-webhook-configs Job | `` | +| preUninstall.affinity | The affinity to use for pod scheduling in preUninstall hook jobs | `{}` | +| preUninstall.tolerations | The tolerations to use for pod scheduling in preUninstall hook jobs | `[]` | +| preUninstall.nodeSelector | The node selector to use for pod scheduling in preUninstall hook jobs | `kubernetes.io/os: linux` | +| preUninstall.resources | The resource request/limits for the container image in preUninstall hook jobs | `{}` | +| preUninstall.securityContext | Security context applied on the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 }` | +| psp.enabled | Enabled PodSecurityPolicy | `true` | +| upgradeCRDs.enabled | Upgrade CRDs using pre-install/pre-upgrade hooks | `true` | +| upgradeCRDs.extraRules | Extra rules for the gatekeeper-admin-upgrade-crds ClusterRole | `[]` | +| upgradeCRDs.priorityClassName | Priority class name for gatekeeper-update-crds-hook Job | `` | +| crds.affinity | The affinity to use for pod 
scheduling in crds hook jobs | `{}` | +| crds.tolerations | The tolerations to use for pod scheduling in crds hook jobs | `[]` | +| crds.nodeSelector | The node selector to use for pod scheduling in crds hook jobs | `kubernetes.io/os: linux` | +| crds.resources | The resource request/limits for the container image in crds hook jobs | `{}` | +| crds.securityContext | Security context applied to the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 65532, "runAsNonRoot": true, "runAsUser": 65532 }` | +| auditInterval | The frequency with which audit is run | `300` | +| constraintViolationsLimit | The maximum # of audit violations reported on a constraint | `20` | +| auditFromCache | Take the roster of resources to audit from the audit cache | `false` | +| auditChunkSize | Chunk size for listing cluster resources for audit (alpha feature) | `500` | +| auditMatchKindOnly | Only check resources of the kinds specified in all constraints defined in the cluster. | `false` | +| disableValidatingWebhook | Disable the validating webhook | `false` | +| disableMutation | Disable mutation | `false` | +| validatingWebhookName | The name of the `ValidatingWebhookConfiguration` | `gatekeeper-validating-webhook-configuration` | +| validatingWebhookTimeoutSeconds | The timeout for the validating webhook in seconds | `3` | +| validatingWebhookFailurePolicy | The failurePolicy for the validating webhook | `Ignore` | +| validatingWebhookAnnotations | The annotations to add to the ValidatingWebhookConfiguration | `{}` | +| validatingWebhookObjectSelector | The label selector to further refine which namespaced resources will be selected by the webhook. Please note that an exemption label means users can circumvent Gatekeeper's validation webhook unless measures are taken to control how exemption labels can be set. 
| `{}` | +| validatingWebhookCheckIgnoreFailurePolicy | The failurePolicy for the check-ignore-label validating webhook | `Fail` | +| validatingWebhookExemptNamespacesLabels | Additional namespace labels that will be exempt from the validating webhook. Please note that anyone in the cluster capable to manage namespaces will be able to skip all Gatekeeper validation by setting one of these labels for their namespace. | `{}` | +| validatingWebhookCustomRules | Custom rules for selecting which API resources trigger the webhook. Mutually exclusive with `enableDeleteOperations`. NOTE: If you change this, ensure all your constraints are still being enforced. | `{}` | +| validatingWebhookURL | Custom URL for Kubernetes API server to use to reach the validating webhook pod. If not set, the default of connecting via the kubernetes service endpoint is used. | `null` | +| enableDeleteOperations | Enable validating webhook for delete operations. Does not work with `validatingWebhookCustomRules` | `false` | +| enableExternalData | Enable external data | `true` | +| enableGeneratorResourceExpansion | Enable generator resource expansion (beta feature) | `true` | +| enableTLSHealthcheck | Enable probing webhook API with certificate stored in certDir | `false` | +| maxServingThreads | Limit the number of concurrent calls the validation backend made by the validation webhook. -1 limits this value to GOMAXPROCS. Configuring this value may lower max RAM usage and limit CPU throttling, Tuning it can optimize serving capacity. | `-1` | +| metricsBackends | Metrics exporters to use. 
Valid exporters are: `prometheus`, `stackdriver`, and `opencensus` | `["prometheus"]` | +| mutatingWebhookName | The name of the `MutatingWebhookConfiguration` | `gatekeeper-mutating-webhook-configuration` | +| mutatingWebhookFailurePolicy | The failurePolicy for the mutating webhook | `Ignore` | +| mutatingWebhookReinvocationPolicy | The reinvocationPolicy for the mutating webhook | `Never` | +| mutatingWebhookAnnotations | The annotations to add to the MutatingWebhookConfiguration | `{}` | +| mutatingWebhookExemptNamespacesLabels | Additional namespace labels that will be exempt from the mutating webhook. Please note that anyone in the cluster capable to manage namespaces will be able to skip all Gatekeeper validation by setting one of these labels for their namespace. | `{}` | +| mutatingWebhookObjectSelector | The label selector to further refine which namespaced resources will be selected by the webhook. Please note that an exemption label means users can circumvent Gatekeeper's mutation webhook unless measures are taken to control how exemption labels can be set. | `{}` | +| mutatingWebhookTimeoutSeconds | The timeout for the mutating webhook in seconds | `3` | +| mutatingWebhookCustomRules | Custom rules for selecting which API resources trigger the webhook. NOTE: If you change this, ensure all your constraints are still being enforced. | `{}` | +| mutatingWebhookURL | Custom URL for Kubernetes API server to use to reach the mutating webhook pod. If not set, the default of connecting via the kubernetes service endpoint is used. | `null` | +| emitAdmissionEvents | Emit K8s events in configurable namespace for admission violations (alpha feature) | `false` | +| emitAuditEvents | Emit K8s events in configurable namespace for audit violations (alpha feature) | `false` | +| auditEventsInvolvedNamespace | Emit audit events for each violation in the involved objects namespace, the default (false) generates events in the namespace Gatekeeper is installed in. 
Audit events from cluster-scoped resources will continue to generate events in the namespace that Gatekeeper is installed in | `false` | +| admissionEventsInvolvedNamespace | Emit admission events for each violation in the involved objects namespace, the default (false) generates events in the namespace Gatekeeper is installed in. Admission events from cluster-scoped resources will continue to generate events in the namespace that Gatekeeper is installed in | `false` | +| logDenies | Log detailed info on each deny | `false` | +| logLevel | Minimum log level | `INFO` | +| image.pullPolicy | The image pull policy | `IfNotPresent` | +| image.repository | Image repository | `openpolicyagent/gatekeeper` | +| image.release | The image release tag to use | Current release version: `v3.13.0` | +| image.pullSecrets | Specify an array of imagePullSecrets | `[]` | +| resources | The resource request/limits for the container image | limits: 1 CPU, 512Mi, requests: 100mCPU, 256Mi | +| nodeSelector | The node selector to use for pod scheduling | `kubernetes.io/os: linux` | +| controllerManager.affinity | The node affinity to use for controller manager pod scheduling | `{}` | +| controllerManager.topologySpreadConstraints | The topology spread constraints to use for controller manager pod scheduling | `[]` | +| controllerManager.tolerations | The tolerations to use for controller manager pod scheduling | `[]` | +| controllerManager.healthPort | Health port for controller manager | `9090` | +| controllerManager.port | Webhook-server port for controller manager | `8443` | +| controllerManager.metricsPort | Metrics port for controller manager | `8888` | +| controllerManager.readinessTimeout | Timeout in seconds for the controller manager's readiness probe | `1` | +| controllerManager.livenessTimeout | Timeout in seconds for the controller manager's liveness probe | `1` | +| controllerManager.logLevel | The minimum log level for the controller manager, takes precedence over 
`logLevel` when specified | `null` | +| controllerManager.priorityClassName | Priority class name for controller manager | `system-cluster-critical` | +| controllerManager.podSecurityContext | Security context on pod level for controller manager | {fsGroup: 999, suplementalGroups: [999]} | +| controllerManager.exemptNamespaces | The exact namespaces to exempt by the admission webhook | `[]` | +| controllerManager.exemptNamespacePrefixes | The namespace prefixes to exempt by the admission webhook | `[]` | +| controllerManager.hostNetwork | Enables controllerManager to be deployed on hostNetwork | `false` | +| controllerManager.dnsPolicy | Set the dnsPolicy for controllerManager pods | `ClusterFirst` | +| controllerManager.securityContext | Security context applied on the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 }` | +| controllerManager.tlsMinVersion | Set the minimum supported TLS version for validating and mutating webhook servers | `1.3` | +| controllerManager.extraRules | Extra rules for the gatekeeper-manager-role Role | `[]` | +| controllerManager.networkPolicy.enabled | Should a network policy for the controller manager be created | `false` | +| controllerManager.networkPolicy.ingress | Additional ingress rules to be added to the controller manager network policy | `{}` | +| controllerManager.strategyType | The strategy type to use for Controller Manager deployment | `RollingUpdate` | +| audit.affinity | The node affinity to use for audit pod scheduling | `{}` | +| audit.topologySpreadConstraints | The topology spread constraints to use for audit pod scheduling | `[]` | +| audit.tolerations | The tolerations to use for audit pod scheduling | `[]` | +| audit.priorityClassName | Priority class name for audit controller | `system-cluster-critical` | +| audit.podSecurityContext | Security context for audit on pod level | {fsGroup: 
999, suplementalGroups: [999]} | +| audit.hostNetwork | Enables audit to be deployed on hostNetwork | `false` | +| audit.dnsPolicy | Set the dnsPolicy for audit pods | `ClusterFirst` | +| audit.securityContext | Security context applied on the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 }` | +| audit.healthPort | Health port for audit | `9090` | +| audit.metricsPort | Metrics port for audit | `8888` | +| audit.readinessTimeout | Timeout in seconds for audit's readiness probe | `1` | +| audit.livenessTimeout | Timeout in seconds for the audit's liveness probe | `1` | +| audit.logLevel | The minimum log level for audit, takes precedence over `logLevel` when specified | `null` | +| replicas | The number of Gatekeeper replicas to deploy for the webhook | `3` | +| podAnnotations | The annotations to add to the Gatekeeper pods | `container.seccomp.security.alpha.kubernetes.io/manager: runtime/default` | +| podLabels | The labels to add to the Gatekeeper pods | `{}` | +| podCountLimit | The maximum number of Gatekeeper pods to run | `100` | +| secretAnnotations | The annotations to add to the Gatekeeper secrets | `{}` | +| pdb.controllerManager.minAvailable | The number of controller manager pods that must still be available after an eviction | `1` | +| service.type | Service type | `ClusterIP` | +| service.loadBalancerIP | The IP address of LoadBalancer service | `` | +| service.healthzPort | Service port to gatekeeper Webhook health port | `9090` | +| rbac.create | Enable the creation of RBAC resources | `true` | +| externalCertInjection.enabled | Enable the injection of an external certificate. 
This disables automatic certificate generation and rotation | `false` | +| externalCertInjection.secretName | Name of secret for injected certificate | `gatekeeper-webhook-server-cert` | + +## Contributing Changes + +Please refer +to [Contributing to Helm Chart](https://open-policy-agent.github.io/gatekeeper/website/docs/help#contributing-to-helm-chart) +for modifying the Helm chart. diff --git a/charts/rancher-gatekeeper/103.1.0+up3.13.0/app-readme.md b/charts/rancher-gatekeeper/103.1.0+up3.13.0/app-readme.md new file mode 100644 index 000000000..dff688f51 --- /dev/null +++ b/charts/rancher-gatekeeper/103.1.0+up3.13.0/app-readme.md 
@@ -0,0 +1,32 @@ +# Rancher OPA Gatekeeper + +This chart is based off of the upstream [OPA Gatekeeper](https://github.com/open-policy-agent/gatekeeper/tree/master/charts/gatekeeper) chart. + +For more information on how to use the feature, refer to our [docs](https://rancher.com/docs/rancher/v2.x/en/opa-gatekeper/). + +The chart installs the following components: + +- OPA Gatekeeper Controller-Manager - OPA Gatekeeper is a policy engine for providing policy based governance for Kubernetes clusters. The controller installs as a [validating admission controller webhook](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#validatingadmissionwebhook) on the cluster and intercepts all admission requests that create, update or delete a resource in the cluster. +- [Audit](https://github.com/open-policy-agent/gatekeeper#audit) - A periodic audit of the cluster resources against the enforced policies. Any existing resource that violates a policy will be recorded as violations. +- [Constraint Template](https://github.com/open-policy-agent/gatekeeper#constraint-templates) - A template is a CRD (`ConstraintTemplate`) that defines the schema and Rego logic of a policy to be applied to the cluster by Gatekeeper's admission controller webhook. This chart installs a few default `ConstraintTemplate` custom resources. +- [Constraint](https://github.com/open-policy-agent/gatekeeper#constraints) - A constraint is a custom resource that defines the scope of resources which a specific constraint template should apply to. The complete policy is defined by a combination of `ConstraintTemplates` (i.e. what the policy is) and `Constraints` (i.e. what resource to apply the policy to). + +For more information on how to configure the Helm chart, refer to the Helm README. 
+ +## Upgrading to Kubernetes v1.25+ + +Starting in Kubernetes v1.25, [Pod Security Policies](https://kubernetes.io/docs/concepts/security/pod-security-policy/) have been removed from the Kubernetes API. + +As a result, **before upgrading to Kubernetes v1.25** (or on a fresh install in a Kubernetes v1.25+ cluster), users are expected to perform an in-place upgrade of this chart with `global.cattle.psp.enabled` set to `false` if it has been previously set to `true`. + +> **Note:** +> In this chart release, any previous field that was associated with any PSP resources have been removed in favor of a single global field: `global.cattle.psp.enabled`. + +> **Note:** +> If you upgrade your cluster to Kubernetes v1.25+ before removing PSPs via a `helm upgrade` (even if you manually clean up resources), **it will leave the Helm release in a broken state within the cluster such that further Helm operations will not work (`helm uninstall`, `helm upgrade`, etc.).** +> +> If your charts get stuck in this state, please consult the Rancher docs on how to clean up your Helm release secrets. + +Upon setting `global.cattle.psp.enabled` to false, the chart will remove any PSP resources deployed on its behalf from the cluster. This is the default setting for this chart. + +As a replacement for PSPs, [Pod Security Admission](https://kubernetes.io/docs/concepts/security/pod-security-admission/) should be used. Please consult the Rancher docs for more details on how to configure your chart release namespaces to work with the new Pod Security Admission and apply Pod Security Standards. diff --git a/charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/_helpers.tpl b/charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/_helpers.tpl new file mode 100644 index 000000000..79581551c --- /dev/null +++ b/charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/_helpers.tpl 
@@ -0,0 +1,114 @@ + +{{/* +Expand the name of the chart. +*/}} +{{- define "gatekeeper.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "gatekeeper.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "gatekeeper.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Adds additional pod labels to the common ones +*/}} +{{- define "gatekeeper.podLabels" -}} +{{- if .Values.podLabels }} +{{- toYaml .Values.podLabels | nindent 8 }} +{{- end }} +{{- end -}} + +{{- define "system_default_registry" -}} +{{- if .Values.global.cattle.systemDefaultRegistry -}} +{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}} +{{- else -}} +{{- "" -}} +{{- end -}} +{{- end -}} + +{{/* +Windows cluster will add default taint for linux nodes, +add below linux tolerations to workloads could be scheduled to those linux nodes +*/}} +{{- define "linux-node-tolerations" -}} +- key: "cattle.io/os" + value: "linux" + effect: "NoSchedule" + operator: "Equal" +{{- end -}} + +{{- define "linux-node-selector" -}} +kubernetes.io/os: linux +{{- end -}} + +{{/* +Output post install webhook probe container entry +*/}} +{{- define "gatekeeper.postInstallWebhookProbeContainer" -}} +- name: 
webhook-probe-post + image: "{{ template "system_default_registry" . }}{{ .Values.postInstall.probeWebhook.image.repository }}:{{ .Values.postInstall.probeWebhook.image.tag }}" + imagePullPolicy: {{ .Values.postInstall.probeWebhook.image.pullPolicy }} + command: + - "curl" + args: + - "--retry" + - "99999" + - "--retry-connrefused" + - "--retry-max-time" + - "{{ .Values.postInstall.probeWebhook.waitTimeout }}" + - "--retry-delay" + - "1" + - "--max-time" + - "{{ .Values.postInstall.probeWebhook.httpTimeout }}" + {{- if .Values.postInstall.probeWebhook.insecureHTTPS }} + - "--insecure" + {{- else }} + - "--cacert" + - /certs/ca.crt + {{- end }} + - "-v" + - "https://gatekeeper-webhook-service.{{ .Release.Namespace }}.svc/v1/admitlabel?timeout=2s" + resources: + {{- toYaml .Values.postInstall.resources | nindent 4 }} + securityContext: + {{- if .Values.enableRuntimeDefaultSeccompProfile }} + seccompProfile: + type: RuntimeDefault + {{- end }} + {{- toYaml .Values.postInstall.securityContext | nindent 4 }} + volumeMounts: + - mountPath: /certs + name: cert + readOnly: true +{{- end -}} + +{{/* +Output post install webhook probe volume entry +*/}} +{{- define "gatekeeper.postInstallWebhookProbeVolume" -}} +- name: cert + secret: + secretName: {{ .Values.externalCertInjection.secretName }} +{{- end -}} diff --git a/charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/allowedrepos.yaml b/charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/allowedrepos.yaml new file mode 100644 index 000000000..9abb84ecb --- /dev/null +++ b/charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/allowedrepos.yaml 
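Review bot: `gatekeeper.podLabels` hard-codes `nindent 8`, so the helper only renders correctly when it is included at the pod-template `labels:` depth, which is what the two Deployment templates in this commit do; the header comment should state that, e.g. `Adds additional pod labels to the common ones; indentation is fixed at 8, so include it only under spec.template.metadata.labels`. `system_default_registry` is the one helper in this file without a `{{/* */}}` header, and a line such as `Image prefix: global.cattle.systemDefaultRegistry with a trailing slash, or empty when unset` would match the rest of the file. In the probe container, the `insecureHTTPS` branch passes `--insecure` to curl, which disables server certificate verification for that call, while the `else` branch pins `--cacert /certs/ca.crt`; a short comment noting that the flag only affects the post-install readiness check, and not the admission path, would make the trade-off explicit to whoever sets that value.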
@@ -0,0 +1,35 @@ +apiVersion: templates.gatekeeper.sh/v1beta1 +kind: ConstraintTemplate +metadata: + name: k8sallowedrepos +spec: + crd: + spec: + names: + kind: K8sAllowedRepos + validation: + # Schema for the `parameters` field + openAPIV3Schema: + properties: + repos: + type: array + items: + type: string + targets: + - target: admission.k8s.gatekeeper.sh + rego: | + package k8sallowedrepos + + violation[{"msg": msg}] { + container := input.review.object.spec.containers[_] + satisfied := [good | repo = input.parameters.repos[_] ; good = startswith(container.image, repo)] + not any(satisfied) + msg := sprintf("container <%v> has an invalid image repo <%v>, allowed repos are %v", [container.name, container.image, input.parameters.repos]) + } + + violation[{"msg": msg}] { + container := input.review.object.spec.initContainers[_] + satisfied := [good | repo = input.parameters.repos[_] ; good = startswith(container.image, repo)] + not any(satisfied) + msg := sprintf("container <%v> has an invalid image repo <%v>, allowed repos are %v", [container.name, container.image, input.parameters.repos]) + } diff --git a/charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/gatekeeper-admin-podsecuritypolicy.yaml b/charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/gatekeeper-admin-podsecuritypolicy.yaml new file mode 100644 index 000000000..2c179e570 --- /dev/null +++ b/charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/gatekeeper-admin-podsecuritypolicy.yaml 
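Review bot: The `k8sallowedrepos` Rego evaluates `spec.containers` and `spec.initContainers` only, while the validating webhook added in this same commit explicitly intercepts the `pods/ephemeralcontainers` subresource, so an ephemeral container's image is presumably never compared against `parameters.repos`. A third `violation` rule over `input.review.object.spec.ephemeralContainers`, using the same matching logic, closes that gap without touching the two existing rules.

```yaml
      rego: |
        package k8sallowedrepos

        # … unchanged: existing rules for spec.containers and spec.initContainers …

        violation[{"msg": msg}] {
          container := input.review.object.spec.ephemeralContainers[_]
          satisfied := [good | repo = input.parameters.repos[_] ; good = startswith(container.image, repo)]
          not any(satisfied)
          msg := sprintf("container <%v> has an invalid image repo <%v>, allowed repos are %v", [container.name, container.image, input.parameters.repos])
        }
```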
@@ -0,0 +1,38 @@ +{{- if .Values.global.cattle.psp.enabled }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + annotations: + seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*' + labels: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + name: gatekeeper-admin +spec: + allowPrivilegeEscalation: false + fsGroup: + ranges: + - max: 65535 + min: 1 + rule: MustRunAs + requiredDropCapabilities: + - ALL + runAsUser: + rule: MustRunAsNonRoot + seLinux: + rule: RunAsAny + supplementalGroups: + ranges: + - max: 65535 + min: 1 + rule: MustRunAs + volumes: + - configMap + - projected + - secret + - downwardAPI + - emptyDir +{{- end }} diff --git a/charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/gatekeeper-admin-serviceaccount.yaml b/charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/gatekeeper-admin-serviceaccount.yaml new file mode 100644 index 000000000..4b68998cb --- /dev/null +++ b/charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/gatekeeper-admin-serviceaccount.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + name: gatekeeper-admin + namespace: '{{ .Release.Namespace }}' diff --git a/charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/gatekeeper-audit-deployment.yaml b/charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/gatekeeper-audit-deployment.yaml new file mode 100644 index 000000000..d03c6d3b5 --- /dev/null +++ b/charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/gatekeeper-audit-deployment.yaml 
@@ -0,0 +1,164 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + control-plane: audit-controller + gatekeeper.sh/operation: audit + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + name: gatekeeper-audit + namespace: '{{ .Release.Namespace }}' +spec: + replicas: 1 + selector: + matchLabels: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + control-plane: audit-controller + gatekeeper.sh/operation: audit + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + template: + metadata: + annotations: + {{- if .Values.podAnnotations }} + {{- toYaml .Values.podAnnotations | trim | nindent 8 }} + {{- end }} + {{- if .Values.auditPodAnnotations }} + {{- toYaml .Values.auditPodAnnotations | trim | nindent 8 }} + {{- end }} + labels: +{{- include "gatekeeper.podLabels" . }} + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + control-plane: audit-controller + gatekeeper.sh/operation: audit + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + spec: + affinity: + {{- toYaml .Values.audit.affinity | nindent 8 }} + automountServiceAccountToken: true + containers: + - image: '{{ template "system_default_registry" . 
}}{{ .Values.images.gatekeeper.repository }}:{{ .Values.images.gatekeeper.tag }}' + args: + - --audit-interval={{ .Values.auditInterval }} + - --log-level={{ (.Values.audit.logLevel | empty | not) | ternary .Values.audit.logLevel .Values.logLevel }} + - --constraint-violations-limit={{ .Values.constraintViolationsLimit }} + - --validating-webhook-configuration-name={{ .Values.validatingWebhookName }} + - --mutating-webhook-configuration-name={{ .Values.mutatingWebhookName }} + - --audit-from-cache={{ .Values.auditFromCache }} + - --audit-chunk-size={{ .Values.auditChunkSize }} + - --audit-match-kind-only={{ .Values.auditMatchKindOnly }} + - --emit-audit-events={{ .Values.emitAuditEvents }} + - --audit-events-involved-namespace={{ .Values.auditEventsInvolvedNamespace }} + - --operation=audit + - --operation=status + {{ if .Values.audit.enablePubsub}} + - --enable-pub-sub={{ .Values.audit.enablePubsub }} + - --audit-connection={{ .Values.audit.connection }} + - --audit-channel={{ .Values.audit.channel }} + {{- end }} + {{ if not .Values.disableMutation}}- --operation=mutation-status{{- end }} + - --logtostderr + - --health-addr=:{{ .Values.audit.healthPort }} + - --prometheus-port={{ .Values.audit.metricsPort }} + - --enable-external-data={{ .Values.enableExternalData }} + - --enable-generator-resource-expansion={{ .Values.enableGeneratorResourceExpansion }} + + {{- range .Values.metricsBackends}} + - --metrics-backend={{ . 
}} + {{- end }} + + {{- if .Values.audit.logFile}} + - --log-file={{ .Values.audit.logFile }} + {{- end }} + - --disable-cert-rotation={{ or .Values.audit.disableCertRotation .Values.externalCertInjection.enabled }} + command: + - /manager + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: CONTAINER_NAME + value: manager + imagePullPolicy: '{{ .Values.images.pullPolicy }}' + livenessProbe: + httpGet: + path: /healthz + port: {{ .Values.audit.healthPort }} + timeoutSeconds: {{ .Values.audit.livenessTimeout }} + name: manager + ports: + - containerPort: {{ .Values.audit.metricsPort }} + name: metrics + protocol: TCP + - containerPort: {{ .Values.audit.healthPort }} + name: healthz + protocol: TCP + readinessProbe: + httpGet: + path: /readyz + port: {{ .Values.audit.healthPort }} + timeoutSeconds: {{ .Values.audit.readinessTimeout }} + resources: + {{- toYaml .Values.audit.resources | nindent 10 }} + securityContext: + {{- if .Values.enableRuntimeDefaultSeccompProfile }} + seccompProfile: + type: RuntimeDefault + {{- end }} + {{- toYaml .Values.audit.securityContext | nindent 10}} + volumeMounts: + - mountPath: /certs + name: cert + readOnly: true + - mountPath: /tmp/audit + name: tmp-volume + dnsPolicy: {{ .Values.audit.dnsPolicy }} + hostNetwork: {{ .Values.audit.hostNetwork }} + imagePullSecrets: + {{- toYaml .Values.images.pullSecrets | nindent 8 }} + nodeSelector: {{ include "linux-node-selector" . 
| nindent 8 }} +{{- if .Values.audit.nodeSelector }} +{{ toYaml .Values.audit.nodeSelector | indent 8 }} +{{- end }} + {{- if .Values.audit.priorityClassName }} + priorityClassName: {{ .Values.audit.priorityClassName }} + {{- end }} + securityContext: + {{- toYaml .Values.audit.podSecurityContext | nindent 8 }} + serviceAccountName: gatekeeper-admin + terminationGracePeriodSeconds: 60 + tolerations: {{ include "linux-node-tolerations" . | nindent 8 }} +{{- if .Values.audit.tolerations }} +{{ toYaml .Values.audit.tolerations | indent 8 }} +{{- end }} + volumes: + - name: cert + secret: + defaultMode: 420 + secretName: gatekeeper-webhook-server-cert + {{- if .Values.audit.writeToRAMDisk }} + - emptyDir: + medium: Memory + {{ else }} + - emptyDir: {} + {{- end }} + name: tmp-volume diff --git a/charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/gatekeeper-controller-manager-deployment.yaml b/charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/gatekeeper-controller-manager-deployment.yaml new file mode 100644 index 000000000..b2abb99e9 --- /dev/null +++ b/charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/gatekeeper-controller-manager-deployment.yaml 
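Review bot: The `cert` volume pins `secretName: gatekeeper-webhook-server-cert`, while `--disable-cert-rotation` in the same container is keyed on `.Values.externalCertInjection.enabled` and the probe volume helper in `_helpers.tpl` mounts `.Values.externalCertInjection.secretName`; if an externally injected certificate is stored under a different secret name, the audit pod would mount the wrong secret. The controller-manager Deployment template in this commit carries the same hard-coded name in its `volumes` block. Assuming `externalCertInjection.secretName` defaults to `gatekeeper-webhook-server-cert` in values.yaml (not visible here), `secretName: {{ .Values.externalCertInjection.secretName }}` preserves the default and honours the override in both templates.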
@@ -0,0 +1,171 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + control-plane: controller-manager + gatekeeper.sh/operation: webhook + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + name: gatekeeper-controller-manager + namespace: '{{ .Release.Namespace }}' +spec: + replicas: {{ .Values.replicas }} + selector: + matchLabels: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + control-plane: controller-manager + gatekeeper.sh/operation: webhook + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + strategy: + type: {{ .Values.controllerManager.strategyType }} + template: + metadata: + annotations: + {{- if .Values.podAnnotations }} + {{- toYaml .Values.podAnnotations | trim | nindent 8 }} + {{- end }} + labels: +{{- include "gatekeeper.podLabels" . }} + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + control-plane: controller-manager + gatekeeper.sh/operation: webhook + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + spec: + affinity: + {{- toYaml .Values.controllerManager.affinity | nindent 8 }} + automountServiceAccountToken: true + containers: + - image: '{{ template "system_default_registry" . 
}}{{ .Values.images.gatekeeper.repository }}:{{ .Values.images.gatekeeper.tag }}' + imagePullPolicy: '{{ .Values.images.pullPolicy }}' + args: + - --port={{ .Values.controllerManager.port }} + - --health-addr=:{{ .Values.controllerManager.healthPort }} + - --prometheus-port={{ .Values.controllerManager.metricsPort }} + - --logtostderr + - --log-denies={{ .Values.logDenies }} + - --emit-admission-events={{ .Values.emitAdmissionEvents }} + - --admission-events-involved-namespace={{ .Values.admissionEventsInvolvedNamespace }} + - --log-level={{ (.Values.controllerManager.logLevel | empty | not) | ternary .Values.controllerManager.logLevel .Values.logLevel }} + - --exempt-namespace={{ .Release.Namespace }} + - --operation=webhook + - --enable-external-data={{ .Values.enableExternalData }} + - --enable-generator-resource-expansion={{ .Values.enableGeneratorResourceExpansion }} + - --log-mutations={{ .Values.logMutations }} + - --mutation-annotations={{ .Values.mutationAnnotations }} + - --disable-cert-rotation={{ .Values.controllerManager.disableCertRotation }} + - --max-serving-threads={{ .Values.maxServingThreads }} + - --tls-min-version={{ .Values.controllerManager.tlsMinVersion }} + {{ if ne .Values.controllerManager.clientCertName "" }}- --client-cert-name={{ .Values.controllerManager.clientCertName }}{{- end }} + + {{- range .Values.metricsBackends}} + - --metrics-backend={{ . }} + {{- end }} + {{ if .Values.enableTLSHealthcheck}}- --enable-tls-healthcheck{{- end }} + {{ if not .Values.disableMutation}}- --operation=mutation-webhook{{- end }} + + {{- range .Values.disabledBuiltins}} + - --disable-opa-builtin={{ . }} + {{- end }} + + {{- range .Values.controllerManager.exemptNamespaces}} + - --exempt-namespace={{ . }} + {{- end }} + + {{- range .Values.controllerManager.exemptNamespacePrefixes}} + - --exempt-namespace-prefix={{ . }} + {{- end }} + + {{- range .Values.controllerManager.exemptNamespaceSuffixes}} + - --exempt-namespace-suffix={{ . 
}} + {{- end }} + + {{- if .Values.controllerManager.logFile}} + - --log-file={{ .Values.controllerManager.logFile }} + {{- end }} + command: + - /manager + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: CONTAINER_NAME + value: manager + livenessProbe: + httpGet: + path: /healthz + port: {{ .Values.controllerManager.healthPort }} + timeoutSeconds: {{ .Values.controllerManager.livenessTimeout }} + name: manager + ports: + - containerPort: {{ .Values.controllerManager.port }} + name: webhook-server + protocol: TCP + - containerPort: {{ .Values.controllerManager.metricsPort }} + name: metrics + protocol: TCP + - containerPort: {{ .Values.controllerManager.healthPort }} + name: healthz + protocol: TCP + readinessProbe: + httpGet: + path: /readyz + port: {{ .Values.controllerManager.healthPort }} + timeoutSeconds: {{ .Values.controllerManager.readinessTimeout }} + resources: + {{- toYaml .Values.controllerManager.resources | nindent 10 }} + securityContext: + {{- if .Values.enableRuntimeDefaultSeccompProfile }} + seccompProfile: + type: RuntimeDefault + {{- end }} + {{- toYaml .Values.controllerManager.securityContext | nindent 10}} + volumeMounts: + - mountPath: /certs + name: cert + readOnly: true + dnsPolicy: {{ .Values.controllerManager.dnsPolicy }} + hostNetwork: {{ .Values.controllerManager.hostNetwork }} + imagePullSecrets: + {{- toYaml .Values.images.pullSecrets | nindent 8 }} + nodeSelector: {{ include "linux-node-selector" . 
| nindent 8 }} +{{- if .Values.controllerManager.nodeSelector }} +{{ toYaml .Values.controllerManager.nodeSelector | indent 8 }} +{{- end }} + {{- if .Values.controllerManager.priorityClassName }} + priorityClassName: {{ .Values.controllerManager.priorityClassName }} + {{- end }} + securityContext: + {{- toYaml .Values.controllerManager.podSecurityContext | nindent 8 }} + serviceAccountName: gatekeeper-admin + terminationGracePeriodSeconds: 60 + tolerations: {{ include "linux-node-tolerations" . | nindent 8 }} +{{- if .Values.controllerManager.tolerations }} +{{ toYaml .Values.controllerManager.tolerations | indent 8 }} +{{- end }} + topologySpreadConstraints: + {{- toYaml .Values.controllerManager.topologySpreadConstraints | nindent 8 }} + volumes: + - name: cert + secret: + defaultMode: 420 + secretName: gatekeeper-webhook-server-cert diff --git a/charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/gatekeeper-controller-manager-network-policy.yaml b/charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/gatekeeper-controller-manager-network-policy.yaml new file mode 100644 index 000000000..e05213feb --- /dev/null +++ b/charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/gatekeeper-controller-manager-network-policy.yaml 
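Review bot: `--disable-cert-rotation={{ .Values.controllerManager.disableCertRotation }}` does not consider `.Values.externalCertInjection.enabled`, whereas the audit Deployment renders `or .Values.audit.disableCertRotation .Values.externalCertInjection.enabled`; if the controller-manager default leaves rotation on, it could overwrite an externally injected webhook certificate. If the asymmetry is deliberate (only the single-replica audit pod is meant to rotate), a template comment saying so would stop the next reader from "fixing" it. Otherwise mirror the audit expression: `- --disable-cert-rotation={{ or .Values.controllerManager.disableCertRotation .Values.externalCertInjection.enabled }}`.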
@@ -0,0 +1,30 @@ +{{- if .Values.controllerManager.networkPolicy.enabled -}} +kind: NetworkPolicy +apiVersion: networking.k8s.io/v1 +metadata: + labels: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + name: gatekeeper-controller-manager +spec: + ingress: + - from: + - podSelector: + matchLabels: + app: '{{ template "gatekeeper.name" . }}' + release: '{{ .Release.Name }}' + {{- with .Values.controllerManager.networkPolicy.ingress }} + {{- toYaml . | nindent 4 }} + {{- end }} + podSelector: + matchLabels: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + control-plane: controller-manager + gatekeeper.sh/operation: webhook + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' +{{- end -}} diff --git a/charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/gatekeeper-controller-manager-poddisruptionbudget.yaml b/charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/gatekeeper-controller-manager-poddisruptionbudget.yaml new file mode 100644 index 000000000..424f6a67c --- /dev/null +++ b/charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/gatekeeper-controller-manager-poddisruptionbudget.yaml 
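Review bot: The NetworkPolicy `metadata` has no `namespace:` field, unlike every other namespaced resource in this commit (ServiceAccount, Deployments, PodDisruptionBudget, ResourceQuota, Role, RoleBinding), which set `namespace: '{{ .Release.Namespace }}'`; adding the same line keeps the rendered manifests consistent. The only fixed `from` rule admits pods carrying the chart's `app`/`release` labels, and admission requests arrive from the kube-apiserver, which in many clusters is not a pod matched by that selector, so reachability of the webhook hinges entirely on `.Values.controllerManager.networkPolicy.ingress` being populated. A template comment above the `with` block, e.g. `{{/* The kube-apiserver must be allowed here (ipBlock or its pod labels), otherwise the webhook is unreachable once this policy is enabled */}}`, would surface that requirement where it matters.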
@@ -0,0 +1,24 @@ +{{- $v1 := .Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget" -}} +{{- $v1beta1 := .Capabilities.APIVersions.Has "policy/v1beta1/PodDisruptionBudget" -}} +apiVersion: policy/v1{{- if and (not $v1) $v1beta1 -}}beta1{{- end }} +kind: PodDisruptionBudget +metadata: + labels: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + name: gatekeeper-controller-manager + namespace: '{{ .Release.Namespace }}' +spec: + minAvailable: {{ .Values.pdb.controllerManager.minAvailable }} + selector: + matchLabels: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + control-plane: controller-manager + gatekeeper.sh/operation: webhook + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' diff --git a/charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/gatekeeper-critical-pods-resourcequota.yaml b/charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/gatekeeper-critical-pods-resourcequota.yaml new file mode 100644 index 000000000..154646366 --- /dev/null +++ b/charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/gatekeeper-critical-pods-resourcequota.yaml @@ -0,0 +1,23 @@ +{{- if .Values.resourceQuota }} +apiVersion: v1 +kind: ResourceQuota +metadata: + labels: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + name: gatekeeper-critical-pods + namespace: '{{ .Release.Namespace }}' +spec: + hard: + pods: {{ .Values.podCountLimit }} + scopeSelector: + matchExpressions: + - operator: In + scopeName: PriorityClass + values: + - {{ .Values.controllerManager.priorityClassName }} + - {{ .Values.audit.priorityClassName }} +{{- end }} 
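Review bot: In the ResourceQuota, `- {{ .Values.controllerManager.priorityClassName }}` and `- {{ .Values.audit.priorityClassName }}` are rendered unconditionally and unquoted, while both Deployments treat those values as optional by wrapping `priorityClassName` in `{{- if }}`; with `resourceQuota` enabled and either value empty, the `values` list would presumably receive a null entry and the object be rejected. Guarding each entry with `with` and quoting it keeps the templates in agreement and avoids retyping of unusual class names.

```yaml
      values:
        {{- with .Values.controllerManager.priorityClassName }}
        - {{ . | quote }}
        {{- end }}
        {{- with .Values.audit.priorityClassName }}
        - {{ . | quote }}
        {{- end }}
```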
diff --git a/charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/gatekeeper-manager-role-clusterrole.yaml b/charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/gatekeeper-manager-role-clusterrole.yaml new file mode 100644 index 000000000..657460a5d --- /dev/null +++ b/charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/gatekeeper-manager-role-clusterrole.yaml 
@@ -0,0 +1,186 @@ +{{- if .Values.rbac.create }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + creationTimestamp: null + labels: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + name: gatekeeper-manager-role +rules: +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +- apiGroups: + - '*' + resources: + - '*' + verbs: + - get + - list + - watch +- apiGroups: + - admissionregistration.k8s.io + resourceNames: + - {{ .Values.mutatingWebhookName }} + resources: + - mutatingwebhookconfigurations + verbs: + - get + - list + - patch + - update + - watch +- apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - config.gatekeeper.sh + resources: + - configs + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - config.gatekeeper.sh + resources: + - configs/status + verbs: + - get + - patch + - update +- apiGroups: + - constraints.gatekeeper.sh + resources: + - '*' + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - expansion.gatekeeper.sh + resources: + - '*' + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - externaldata.gatekeeper.sh + resources: + - providers + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - mutations.gatekeeper.sh + resources: + - '*' + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +{{- if .Values.global.cattle.psp.enabled }} +- apiGroups: + - policy + resourceNames: + - gatekeeper-admin + resources: + - podsecuritypolicies + verbs: + - use +{{- end }} +- apiGroups: + - status.gatekeeper.sh + resources: + - '*' + verbs: + - create + - 
delete + - get + - list + - patch + - update + - watch +- apiGroups: + - templates.gatekeeper.sh + resources: + - constrainttemplates + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - templates.gatekeeper.sh + resources: + - constrainttemplates/finalizers + verbs: + - delete + - get + - patch + - update +- apiGroups: + - templates.gatekeeper.sh + resources: + - constrainttemplates/status + verbs: + - get + - patch + - update +- apiGroups: + - admissionregistration.k8s.io + resourceNames: + - {{ .Values.validatingWebhookName }} + resources: + - validatingwebhookconfigurations + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +{{- end }} diff --git a/charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/gatekeeper-manager-role-role.yaml b/charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/gatekeeper-manager-role-role.yaml new file mode 100644 index 000000000..1018dcdb6 --- /dev/null +++ b/charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/gatekeeper-manager-role-role.yaml @@ -0,0 +1,37 @@ +{{- if .Values.rbac.create }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + creationTimestamp: null + labels: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + name: gatekeeper-manager-role + namespace: '{{ .Release.Namespace }}' +rules: +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +- apiGroups: + - "" + resources: + - secrets + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +{{- with .Values.controllerManager.extraRules }} + {{- toYaml . | nindent 0 }} +{{- end }} +{{- end }} 
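Review bot: The second rule grants `get`/`list`/`watch` on `'*'` resources in `'*'` API groups, i.e. cluster-wide read access that includes every Secret, and it is bound to the `gatekeeper-admin` ServiceAccount whose token both Deployments mount with `automountServiceAccountToken: true`; nothing in the template records why that breadth is needed. A comment above the rule, e.g. `# Cluster-wide read (Secrets included): needed so audit can evaluate arbitrary resource kinds — review before widening further`, would give anyone hardening the release the rationale to decide against. `creationTimestamp: null` in the metadata of this ClusterRole, and of the Role in the following hunk, is kubectl output residue and can be dropped.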
diff --git a/charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/gatekeeper-manager-rolebinding-clusterrolebinding.yaml b/charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/gatekeeper-manager-rolebinding-clusterrolebinding.yaml new file mode 100644 index 000000000..1fb9f6c87 --- /dev/null +++ b/charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/gatekeeper-manager-rolebinding-clusterrolebinding.yaml @@ -0,0 +1,20 @@ +{{- if .Values.rbac.create }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + name: gatekeeper-manager-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: gatekeeper-manager-role +subjects: +- kind: ServiceAccount + name: gatekeeper-admin + namespace: '{{ .Release.Namespace }}' +{{- end }} diff --git a/charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/gatekeeper-manager-rolebinding-rolebinding.yaml b/charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/gatekeeper-manager-rolebinding-rolebinding.yaml new file mode 100644 index 000000000..fbe9580d5 --- /dev/null +++ b/charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/gatekeeper-manager-rolebinding-rolebinding.yaml @@ -0,0 +1,21 @@ +{{- if .Values.rbac.create }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + name: gatekeeper-manager-rolebinding + namespace: '{{ .Release.Namespace }}' +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: gatekeeper-manager-role +subjects: +- kind: ServiceAccount + name: gatekeeper-admin + namespace: '{{ .Release.Namespace }}' +{{- end }} 
diff --git a/charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/gatekeeper-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml b/charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/gatekeeper-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml new file mode 100644 index 000000000..ae85f8d08 --- /dev/null +++ b/charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/gatekeeper-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml 
@@ -0,0 +1,64 @@ +{{- if not .Values.disableMutation }} +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + annotations: {{- toYaml .Values.mutatingWebhookAnnotations | trim | nindent 4 }} + labels: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + name: '{{ .Values.mutatingWebhookName }}' +webhooks: +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + {{- if .Values.mutatingWebhookURL }} + url: https://{{ .Values.mutatingWebhookURL }}/v1/mutate + {{- else }} + service: + name: gatekeeper-webhook-service + namespace: '{{ .Release.Namespace }}' + path: /v1/mutate + {{- end }} + failurePolicy: {{ .Values.mutatingWebhookFailurePolicy }} + matchPolicy: Exact + name: mutation.gatekeeper.sh + namespaceSelector: + matchExpressions: + - key: admission.gatekeeper.sh/ignore + operator: DoesNotExist + - key: kubernetes.io/metadata.name + operator: NotIn + values: + - {{ .Release.Namespace }} + + {{- range $key, $value := .Values.mutatingWebhookExemptNamespacesLabels}} + - key: {{ $key }} + operator: NotIn + values: + {{- range $value }} + - {{ . }} + {{- end }} + {{- end }} + objectSelector: {{ toYaml .Values.mutatingWebhookObjectSelector }} + reinvocationPolicy: {{ .Values.mutatingWebhookReinvocationPolicy }} + rules: + {{- if .Values.mutatingWebhookCustomRules }} + {{- toYaml .Values.mutatingWebhookCustomRules | nindent 2 }} + {{- else }} + - apiGroups: + - '*' + apiVersions: + - '*' + operations: + - CREATE + - UPDATE + resources: + - '*' + {{- end }} + sideEffects: None + timeoutSeconds: {{ .Values.mutatingWebhookTimeoutSeconds }} +{{- end }} 
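Review bot: `objectSelector: {{ toYaml .Values.mutatingWebhookObjectSelector }}` inlines the rendered YAML after the key, which is only valid while the value is an empty or flow-style map; a block-style selector such as a `matchLabels` mapping would render across several lines and break the manifest. `objectSelector: {{- toYaml .Values.mutatingWebhookObjectSelector | nindent 4 }}` handles both cases. In the exempt-namespace-labels loop, `- key: {{ $key }}` and `- {{ . }}` are unquoted, so a label value such as `true` or `0644` would be retyped by the YAML parser; `- {{ . | quote }}` is the safer form. The validating webhook template in this commit repeats both patterns.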
diff --git a/charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml b/charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml new file mode 100644 index 000000000..933fbbd3c --- /dev/null +++ b/charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml 
@@ -0,0 +1,113 @@ +{{- if not .Values.disableValidatingWebhook }} +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + annotations: {{- toYaml .Values.validatingWebhookAnnotations | trim | nindent 4 }} + labels: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + name: '{{ .Values.validatingWebhookName }}' +webhooks: +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + {{- if .Values.validatingWebhookURL }} + url: https://{{ .Values.validatingWebhookURL }}/v1/admit + {{- else }} + service: + name: gatekeeper-webhook-service + namespace: '{{ .Release.Namespace }}' + path: /v1/admit + {{- end }} + failurePolicy: {{ .Values.validatingWebhookFailurePolicy }} + matchPolicy: Exact + name: validation.gatekeeper.sh + namespaceSelector: + matchExpressions: + - key: admission.gatekeeper.sh/ignore + operator: DoesNotExist + - key: kubernetes.io/metadata.name + operator: NotIn + values: + - {{ .Release.Namespace }} + + {{- range $key, $value := .Values.validatingWebhookExemptNamespacesLabels}} + - key: {{ $key }} + operator: NotIn + values: + {{- range $value }} + - {{ . }} + {{- end }} + {{- end }} + objectSelector: {{ toYaml .Values.validatingWebhookObjectSelector }} + rules: + {{- if .Values.validatingWebhookCustomRules }} + {{- toYaml .Values.validatingWebhookCustomRules | nindent 2 }} + {{- else }} + - apiGroups: + - '*' + apiVersions: + - '*' + operations: + - CREATE + - UPDATE + {{- if .Values.enableDeleteOperations }} + - DELETE + {{- end }} + resources: + - '*' + # Explicitly list all known subresources except "status" (to avoid destabilizing the cluster and increasing load on gatekeeper). 
+ # You can find a rough list of subresources by doing a case-sensitive search in the Kubernetes codebase for 'Subresource("' + - 'pods/ephemeralcontainers' + - 'pods/exec' + - 'pods/log' + - 'pods/eviction' + - 'pods/portforward' + - 'pods/proxy' + - 'pods/attach' + - 'pods/binding' + - 'deployments/scale' + - 'replicasets/scale' + - 'statefulsets/scale' + - 'replicationcontrollers/scale' + - 'services/proxy' + - 'nodes/proxy' + # For constraints that mitigate CVE-2020-8554 + - 'services/status' + {{- end }} + sideEffects: None + timeoutSeconds: {{ .Values.validatingWebhookTimeoutSeconds }} +- admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + name: gatekeeper-webhook-service + namespace: '{{ .Release.Namespace }}' + path: /v1/admitlabel + failurePolicy: {{ .Values.validatingWebhookCheckIgnoreFailurePolicy }} + matchPolicy: Exact + name: check-ignore-label.gatekeeper.sh + namespaceSelector: + matchExpressions: + - key: kubernetes.io/metadata.name + operator: NotIn + values: + - {{ .Release.Namespace }} + rules: + - apiGroups: + - "" + apiVersions: + - '*' + operations: + - CREATE + - UPDATE + resources: + - namespaces + sideEffects: None + timeoutSeconds: {{ .Values.validatingWebhookTimeoutSeconds }} +{{- end }} diff --git a/charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/gatekeeper-webhook-server-cert-secret.yaml b/charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/gatekeeper-webhook-server-cert-secret.yaml new file mode 100644 index 000000000..a841780a5 --- /dev/null +++ b/charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/gatekeeper-webhook-server-cert-secret.yaml 
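Review bot: The comment above the subresource list says every known subresource except `status` is listed, but `services/status` follows a few lines later, so the two statements contradict each other for a reader scanning the rules. Rewording the first comment to `# Explicitly list all known subresources except "status" (to avoid destabilizing the cluster and increasing load on gatekeeper); services/status is the one deliberate exception, see below.` makes the CVE-2020-8554 entry read as intended. The second webhook, `check-ignore-label.gatekeeper.sh` on `/v1/admitlabel`, appears to be the guard that keeps the `admission.gatekeeper.sh/ignore` label from being applied to namespaces outside the release namespace, and its `failurePolicy` comes from a separate value (`validatingWebhookCheckIgnoreFailurePolicy`); a one-line comment on that webhook stating its purpose would save a reader from assuming the two webhooks share a policy.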
@@ -0,0 +1,14 @@
+{{- if not .Values.externalCertInjection.enabled }}
+apiVersion: v1
+kind: Secret
+metadata:
+ annotations: {{- toYaml .Values.secretAnnotations | trim | nindent 4 }}
+ labels:
+ app: '{{ template "gatekeeper.name" . }}'
+ chart: '{{ template "gatekeeper.name" . }}'
+ gatekeeper.sh/system: "yes"
+ heritage: '{{ .Release.Service }}'
+ release: '{{ .Release.Name }}'
+ name: gatekeeper-webhook-server-cert
+ namespace: '{{ .Release.Namespace }}'
+{{- end }}
diff --git a/charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/gatekeeper-webhook-service-service.yaml b/charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/gatekeeper-webhook-service-service.yaml
new file mode 100644
index 000000000..3c0f4453a
--- /dev/null
+++ b/charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/gatekeeper-webhook-service-service.yaml
@@ -0,0 +1,38 @@
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app: '{{ template "gatekeeper.name" . }}'
+ chart: '{{ template "gatekeeper.name" . }}'
+ gatekeeper.sh/system: "yes"
+ heritage: '{{ .Release.Service }}'
+ release: '{{ .Release.Name }}'
+ name: gatekeeper-webhook-service
+ namespace: '{{ .Release.Namespace }}'
+spec:
+
+ ports:
+ - name: https-webhook-server
+ port: 443
+ targetPort: webhook-server
+{{- if .Values.service }}
+{{- if .Values.service.healthzPort }}
+ - name: http-webhook-healthz
+ port: {{ .Values.service.healthzPort }}
+ targetPort: healthz
+ {{- end }}
+ {{- end }}
+ {{- if .Values.service }}
+ type: {{ .Values.service.type | default "ClusterIP" }}
+ {{- if .Values.service.loadBalancerIP }}
+ loadBalancerIP: {{ .Values.service.loadBalancerIP }}
+ {{- end }}
+ {{- end }}
+ selector:
+ app: '{{ template "gatekeeper.name" . }}'
+ chart: '{{ template "gatekeeper.name" . }}'
+ control-plane: controller-manager
+ gatekeeper.sh/operation: webhook
+ gatekeeper.sh/system: "yes"
+ heritage: '{{ .Release.Service }}'
+ release: '{{ .Release.Name }}'
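Review bot: The Secret is rendered with no `type` and no `data`, and nothing in this hunk says what is supposed to fill it, so a reader may take it for a leftover. A header comment such as `# Placeholder for the webhook serving certificate: the chart never writes its contents, they are populated at runtime (confirm which controller does this); not rendered when externalCertInjection.enabled is set` records the contract without asserting more than the template shows. The `externalCertInjection.enabled` gate is the only hint that the certificate comes from elsewhere in that mode.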
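Review bot: `type` and `loadBalancerIP` are passed through from `.Values.service` unrestricted, so a `type: LoadBalancer` or `NodePort` value publishes the admission endpoint beyond the cluster network although the API server is its only intended client. A comment above the `{{- if .Values.service }}` block, `# Only the API server needs to reach this Service; keep ClusterIP unless the webhook is deliberately exposed (validatingWebhookURL/mutatingWebhookURL)`, states the expectation where the value is consumed. As a style point the `.Values.service` guard is opened twice (once for the healthz port, once for `type`); a single `{{- with .Values.service }}` scope would cover both and drop the mismatched `{{- end }}` indentation.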
diff --git a/charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/namespace-post-install.yaml b/charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/namespace-post-install.yaml
new file mode 100644
index 000000000..c69be34c2
--- /dev/null
+++ b/charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/namespace-post-install.yaml
@@ -0,0 +1,168 @@ +{{- if .Values.postInstall.labelNamespace.enabled }} +apiVersion: batch/v1 +kind: Job +metadata: + name: gatekeeper-update-namespace-label + namespace: {{ .Release.Namespace | quote }} + labels: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + annotations: + "helm.sh/hook": post-install + "helm.sh/hook-weight": "-5" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation + {{- if .Values.postInstall.labelNamespace.extraAnnotations }} + {{- toYaml .Values.postInstall.labelNamespace.extraAnnotations | trim | nindent 4 }} + {{- end }} +spec: + template: + metadata: + annotations: + {{- toYaml .Values.podAnnotations | trim | nindent 8 }} + labels: + {{- include "gatekeeper.podLabels" . }} + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + spec: + restartPolicy: OnFailure + {{- if .Values.postInstall.labelNamespace.priorityClassName }} + priorityClassName: {{ .Values.postInstall.labelNamespace.priorityClassName }} + {{- end }} + {{- if .Values.postInstall.labelNamespace.image.pullSecrets }} + imagePullSecrets: + {{- .Values.postInstall.labelNamespace.image.pullSecrets | toYaml | nindent 12 }} + {{- end }} + serviceAccount: gatekeeper-update-namespace-label + {{- if .Values.postInstall.probeWebhook.enabled }} + volumes: + {{- include "gatekeeper.postInstallWebhookProbeVolume" . | nindent 8 }} + initContainers: + {{- include "gatekeeper.postInstallWebhookProbeContainer" . | nindent 8 }} + {{- end }} + containers: + - name: kubectl-label + image: '{{ template "system_default_registry" . 
}}{{ .Values.postInstall.labelNamespace.image.repository }}:{{ .Values.postInstall.labelNamespace.image.tag }}' + imagePullPolicy: {{ .Values.postInstall.labelNamespace.image.pullPolicy }} + args: + - label + - ns + - {{ .Release.Namespace }} + - admission.gatekeeper.sh/ignore=no-self-managing + {{- range .Values.postInstall.labelNamespace.podSecurity }} + - {{ . }} + {{- end }} + - --overwrite + resources: + {{- toYaml .Values.postInstall.resources | nindent 12 }} + securityContext: + {{- if .Values.enableRuntimeDefaultSeccompProfile }} + seccompProfile: + type: RuntimeDefault + {{- end }} + {{- toYaml .Values.postInstall.securityContext | nindent 12 }} + {{- if .Values.postInstall.labelNamespace.extraNamespaces }} + - name: kubectl-label-extra + image: "{{ .Values.postInstall.labelNamespace.image.repository }}:{{ .Values.postInstall.labelNamespace.image.tag }}" + imagePullPolicy: {{ .Values.postInstall.labelNamespace.image.pullPolicy }} + args: + - label + - ns + {{- range .Values.postInstall.labelNamespace.extraNamespaces }} + - {{ . }} + {{- end }} + - admission.gatekeeper.sh/ignore=extra-namespaces + - --overwrite + resources: + {{- toYaml .Values.postInstall.resources | nindent 12 }} + securityContext: + {{- if .Values.enableRuntimeDefaultSeccompProfile }} + seccompProfile: + type: RuntimeDefault + {{- end }} + {{- toYaml .Values.postInstall.securityContext | nindent 12 }} + {{- end }} + {{- with .Values.postInstall }} + nodeSelector: {{ include "linux-node-selector" . | nindent 8 }} + tolerations: {{ include "linux-node-tolerations" . 
| nindent 8 }} + affinity: + {{- toYaml .affinity | nindent 8 }} + {{- end }} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: gatekeeper-update-namespace-label + namespace: {{ .Release.Namespace | quote }} + labels: + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + annotations: + "helm.sh/hook": post-install + "helm.sh/hook-weight": "-5" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +--- +{{- if .Values.rbac.create }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: gatekeeper-update-namespace-label + labels: + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + annotations: + "helm.sh/hook": post-install + "helm.sh/hook-weight": "-5" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +rules: + - apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - update + - patch + resourceNames: + - {{ .Release.Namespace }} + {{- range .Values.postInstall.labelNamespace.extraNamespaces }} + - {{ . }} + {{- end }} + - apiGroups: + - management.cattle.io + resources: + - projects + verbs: + - updatepsa +{{- with .Values.postInstall.labelNamespace.extraRules }} + {{- toYaml . | nindent 2 }} +{{- end }} +{{- end }} +--- +{{- if .Values.rbac.create }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: gatekeeper-update-namespace-label + labels: + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + annotations: + "helm.sh/hook": post-install + "helm.sh/hook-weight": "-5" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: gatekeeper-update-namespace-label +subjects: + - kind: ServiceAccount + name: gatekeeper-update-namespace-label + namespace: {{ .Release.Namespace | quote }} +{{- end }} +{{- end }} 
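Review bot: The `kubectl-label-extra` container's `image:` is rendered without the `system_default_registry` prefix that the `kubectl-label` container above it uses, so in an installation where that template supplies a private-registry prefix (presumably its purpose) only the first container honours it and the second pulls from the public default. The line should read `image: '{{ template "system_default_registry" . }}{{ .Values.postInstall.labelNamespace.image.repository }}:{{ .Values.postInstall.labelNamespace.image.tag }}'`; the post-upgrade hunk below has the same omission on its own `kubectl-label-extra` container. The ClusterRole's `resourceNames` scoping to the release namespace plus `extraNamespaces` is the right shape; note that `postInstall.labelNamespace.extraRules` appends arbitrary rules to it, so a comment at that key in values.yaml saying it widens the hook's privileges would be worthwhile.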
diff --git a/charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/namespace-post-upgrade.yaml b/charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/namespace-post-upgrade.yaml
new file mode 100644
index 000000000..dc8cc32b1
--- /dev/null
+++ b/charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/namespace-post-upgrade.yaml
@@ -0,0 +1,156 @@ +{{- if .Values.postUpgrade.labelNamespace.enabled }} +apiVersion: batch/v1 +kind: Job +metadata: + name: gatekeeper-update-namespace-label-post-upgrade + namespace: {{ .Release.Namespace | quote }} + labels: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + annotations: + "helm.sh/hook": post-upgrade + "helm.sh/hook-weight": "-5" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation + {{- if .Values.postUpgrade.labelNamespace.extraAnnotations }} + {{- toYaml .Values.postUpgrade.labelNamespace.extraAnnotations | trim | nindent 4 }} + {{- end }} +spec: + template: + metadata: + labels: + {{- include "gatekeeper.podLabels" . }} + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + spec: + restartPolicy: OnFailure + {{- if .Values.postUpgrade.labelNamespace.image.pullSecrets }} + imagePullSecrets: + {{- .Values.postUpgrade.labelNamespace.image.pullSecrets | toYaml | nindent 12 }} + {{- end }} + serviceAccount: gatekeeper-update-namespace-label-post-upgrade + {{- if .Values.postUpgrade.labelNamespace.priorityClassName }} + priorityClassName: {{ .Values.postUpgrade.labelNamespace.priorityClassName }} + {{- end }} + containers: + - name: kubectl-label + image: '{{ template "system_default_registry" . }}{{ .Values.postUpgrade.labelNamespace.image.repository }}:{{ .Values.postUpgrade.labelNamespace.image.tag }}' + imagePullPolicy: {{ .Values.postUpgrade.labelNamespace.image.pullPolicy }} + args: + - label + - ns + - {{ .Release.Namespace }} + - admission.gatekeeper.sh/ignore=no-self-managing + {{- range .Values.postUpgrade.labelNamespace.podSecurity }} + - {{ . 
}} + {{- end }} + - --overwrite + resources: + {{- toYaml .Values.postUpgrade.resources | nindent 12 }} + securityContext: + {{- if .Values.enableRuntimeDefaultSeccompProfile }} + seccompProfile: + type: RuntimeDefault + {{- end }} + {{- toYaml .Values.postUpgrade.securityContext | nindent 12 }} + {{- if .Values.postUpgrade.labelNamespace.extraNamespaces }} + - name: kubectl-label-extra + image: "{{ .Values.postUpgrade.labelNamespace.image.repository }}:{{ .Values.postUpgrade.labelNamespace.image.tag }}" + imagePullPolicy: {{ .Values.postUpgrade.labelNamespace.image.pullPolicy }} + args: + - label + - ns + {{- range .Values.postUpgrade.labelNamespace.extraNamespaces }} + - {{ . }} + {{- end }} + - admission.gatekeeper.sh/ignore=extra-namespaces + - --overwrite + resources: + {{- toYaml .Values.postUpgrade.resources | nindent 12 }} + securityContext: + {{- if .Values.enableRuntimeDefaultSeccompProfile }} + seccompProfile: + type: RuntimeDefault + {{- end }} + {{- toYaml .Values.postUpgrade.securityContext | nindent 12 }} + {{- end }} + {{- with .Values.postUpgrade }} + nodeSelector: {{ include "linux-node-selector" . | nindent 8 }} + tolerations: {{ include "linux-node-tolerations" . 
| nindent 8 }} + affinity: + {{- toYaml .affinity | nindent 8 }} + {{- end }} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: gatekeeper-update-namespace-label-post-upgrade + labels: + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + annotations: + "helm.sh/hook": post-upgrade + "helm.sh/hook-weight": "-5" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +--- +{{- if .Values.rbac.create }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: gatekeeper-update-namespace-label-post-upgrade + labels: + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + annotations: + "helm.sh/hook": post-upgrade + "helm.sh/hook-weight": "-5" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +rules: + - apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - update + - patch + resourceNames: + - {{ .Release.Namespace }} + {{- range .Values.postUpgrade.labelNamespace.extraNamespaces }} + - {{ . }} + {{- end }} + - apiGroups: + - management.cattle.io + resources: + - projects + verbs: + - updatepsa +{{- end }} +--- +{{- if .Values.rbac.create }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: gatekeeper-update-namespace-label-post-upgrade + labels: + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + annotations: + "helm.sh/hook": post-upgrade + "helm.sh/hook-weight": "-5" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: gatekeeper-update-namespace-label-post-upgrade +subjects: + - kind: ServiceAccount + name: gatekeeper-update-namespace-label-post-upgrade + namespace: {{ .Release.Namespace | quote }} +{{- end }} +{{- end }} 
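Review bot: The post-upgrade Job's pod template has no `annotations:` block rendering `.Values.podAnnotations`, unlike the post-install Job in this same change, so pod annotations that apply at install time silently do not apply at upgrade. If that is intended, a comment on `template.metadata` saying why would save the next reader the comparison; otherwise add `annotations:` followed by `{{- toYaml .Values.podAnnotations | trim | nindent 8 }}` above `labels:`. The ClusterRole likewise has no `extraRules` block, but values.yaml in this change defines no `postUpgrade.labelNamespace.extraRules` either, so that asymmetry looks deliberate. The `kubectl-label-extra` image line also lacks the `system_default_registry` prefix, as noted on the post-install hunk.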
diff --git a/charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/probe-webhook-post-install.yaml b/charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/probe-webhook-post-install.yaml
new file mode 100644
index 000000000..19e5a7c65
--- /dev/null
+++ b/charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/probe-webhook-post-install.yaml
@@ -0,0 +1,50 @@ +{{- if not .Values.disableValidatingWebhook }} +{{- if and (not .Values.postInstall.labelNamespace.enabled) .Values.postInstall.probeWebhook.enabled }} +apiVersion: batch/v1 +kind: Job +metadata: + name: gatekeeper-probe-webhook-post-install + labels: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + annotations: + "helm.sh/hook": post-install + "helm.sh/hook-weight": "-5" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +spec: + template: + metadata: + annotations: + {{- toYaml .Values.podAnnotations | trim | nindent 8 }} + labels: + {{- include "gatekeeper.podLabels" . }} + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + spec: + restartPolicy: Never + {{- if .Values.postInstall.probeWebhook.priorityClassName }} + priorityClassName: {{ .Values.postInstall.probeWebhook.priorityClassName }} + {{- end }} + {{- if .Values.postInstall.probeWebhook.image.pullSecrets }} + imagePullSecrets: + {{- .Values.postInstall.probeWebhook.image.pullSecrets | toYaml | nindent 12 }} + {{- end }} + volumes: + {{- include "gatekeeper.postInstallWebhookProbeVolume" . | nindent 8 }} + containers: + {{- include "gatekeeper.postInstallWebhookProbeContainer" . | nindent 8 }} + {{- with .Values.postInstall }} + nodeSelector: {{ include "linux-node-selector" . | nindent 8 }} + tolerations: {{ include "linux-node-tolerations" . | nindent 8 }} + affinity: + {{- toYaml .affinity | nindent 8 }} + {{- end }} + backoffLimit: 3 +{{- end }} +{{- end }} diff --git a/charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/requiredlabels.yaml b/charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/requiredlabels.yaml new file mode 100644 index 000000000..e93e6a0a7 --- /dev/null 
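Review bot: This Job sets no `serviceAccountName`, so its pod runs under the namespace's `default` service account with an API token mounted, although the probe container (a curl image per values.yaml in this change) only needs network reachability to the webhook Service. Adding `automountServiceAccountToken: false` to the pod spec removes credentials the pod has no use for; if the probe does need API access, a comment on the spec saying so would prevent that change. Unlike the sibling hook Jobs, `metadata` here has no `namespace: {{ .Release.Namespace | quote }}`; Helm places it in the release namespace regardless, but the explicit line keeps the rendered manifest self-describing. The probe container and volume come from the `gatekeeper.postInstallWebhookProbeContainer`/`...Volume` includes, which are outside this hunk, so their security context cannot be reviewed here.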
+++ b/charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/requiredlabels.yaml @@ -0,0 +1,57 @@ +apiVersion: templates.gatekeeper.sh/v1beta1 +kind: ConstraintTemplate +metadata: + name: k8srequiredlabels +spec: + crd: + spec: + names: + kind: K8sRequiredLabels + validation: + # Schema for the `parameters` field + openAPIV3Schema: + properties: + message: + type: string + labels: + type: array + items: + type: object + properties: + key: + type: string + allowedRegex: + type: string + targets: + - target: admission.k8s.gatekeeper.sh + rego: | + package k8srequiredlabels + + get_message(parameters, _default) = msg { + not parameters.message + msg := _default + } + + get_message(parameters, _default) = msg { + msg := parameters.message + } + + violation[{"msg": msg, "details": {"missing_labels": missing}}] { + provided := {label | input.review.object.metadata.labels[label]} + required := {label | label := input.parameters.labels[_].key} + missing := required - provided + count(missing) > 0 + def_msg := sprintf("you must provide labels: %v", [missing]) + msg := get_message(input.parameters, def_msg) + } + + violation[{"msg": msg}] { + value := input.review.object.metadata.labels[key] + expected := input.parameters.labels[_] + expected.key == key + # do not match if allowedRegex is not defined, or is an empty string + expected.allowedRegex != "" + not re_match(expected.allowedRegex, value) + def_msg := sprintf("Label <%v: %v> does not satisfy allowed regex: %v", [key, value, expected.allowedRegex]) + msg := get_message(input.parameters, def_msg) + } diff --git a/charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/upgrade-crds-hook.yaml b/charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/upgrade-crds-hook.yaml new file mode 100644 index 000000000..e37dcafd4 --- /dev/null +++ b/charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/upgrade-crds-hook.yaml 
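Review bot: `re_match` in the second `violation` rule is the deprecated builtin name; `regex.match(expected.allowedRegex, value)` takes the same arguments, and deprecated builtins may be rejected when a template is compiled under OPA's strict mode. The `allowedRegex` parameter is compiled from constraint input at evaluation time, so an invalid pattern surfaces as an evaluation error rather than a schema rejection, which the `openAPIV3Schema` cannot express; a comment on that property, `# Must be a valid RE2 pattern; empty or absent disables the regex check`, documents the contract the rego below relies on. The two `get_message` rules are mutually exclusive on `parameters.message`, which is fine, but a one-line comment above the first (`# Fall back to the default message when the constraint sets none`) makes that pattern obvious to readers new to Rego.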
@@ -0,0 +1,119 @@ +{{- if .Values.upgradeCRDs.enabled }} +{{- if .Values.rbac.create }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: gatekeeper-admin-upgrade-crds + labels: + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + annotations: + helm.sh/hook: pre-install,pre-upgrade + helm.sh/hook-delete-policy: "hook-succeeded,before-hook-creation" + helm.sh/hook-weight: "1" +rules: + - apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["get", "create", "update", "patch"] +{{- with .Values.upgradeCRDs.extraRules }} + {{- toYaml . | nindent 2 }} +{{- end }} +{{- end }} +--- +{{- if .Values.rbac.create }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: gatekeeper-admin-upgrade-crds + labels: + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + annotations: + helm.sh/hook: pre-install,pre-upgrade + helm.sh/hook-delete-policy: "hook-succeeded,before-hook-creation" + helm.sh/hook-weight: "1" +subjects: + - kind: ServiceAccount + name: gatekeeper-admin-upgrade-crds + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: gatekeeper-admin-upgrade-crds + apiGroup: rbac.authorization.k8s.io +{{- end }} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + name: gatekeeper-admin-upgrade-crds + namespace: '{{ .Release.Namespace }}' + annotations: + helm.sh/hook: pre-install,pre-upgrade + helm.sh/hook-delete-policy: "hook-succeeded,before-hook-creation" + helm.sh/hook-weight: "1" +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: gatekeeper-update-crds-hook + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "gatekeeper.name" . }} + chart: {{ template "gatekeeper.name" . 
}} + gatekeeper.sh/system: "yes" + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + annotations: + helm.sh/hook: pre-install,pre-upgrade + helm.sh/hook-weight: "1" + helm.sh/hook-delete-policy: "hook-succeeded,before-hook-creation" +spec: + backoffLimit: 3 + template: + metadata: + name: gatekeeper-update-crds-hook + annotations: + {{- toYaml .Values.podAnnotations | trim | nindent 8 }} + labels: + {{- include "gatekeeper.podLabels" . }} + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + spec: + serviceAccountName: gatekeeper-admin-upgrade-crds + restartPolicy: Never + {{- if .Values.images.pullSecrets }} + imagePullSecrets: + {{- toYaml .Values.image.pullSecrets | nindent 8 }} + {{- end }} + {{- if .Values.upgradeCRDs.priorityClassName }} + priorityClassName: {{ .Values.upgradeCRDs.priorityClassName }} + {{- end }} + containers: + - name: crds-upgrade + image: '{{ template "system_default_registry" . }}{{ .Values.images.gatekeepercrd.repository }}:{{ .Values.images.gatekeepercrd.tag }}' + imagePullPolicy: '{{ .Values.images.pullPolicy }}' + args: + - apply + - -f + - crds/ + resources: + {{- toYaml .Values.crds.resources | nindent 10 }} + securityContext: + {{- if .Values.enableRuntimeDefaultSeccompProfile }} + seccompProfile: + type: RuntimeDefault + {{- end }} + {{- toYaml .Values.crds.securityContext | nindent 10 }} + {{- with .Values.crds }} + nodeSelector: {{ include "linux-node-selector" . | nindent 8 }} + tolerations: {{ include "linux-node-tolerations" . | nindent 8 }} + affinity: + {{- toYaml .affinity | nindent 8 }} + {{- end }} +{{- end }} diff --git a/charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/validate-install-crd.yaml b/charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/validate-install-crd.yaml new file mode 100644 index 000000000..c0c303938 --- /dev/null 
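Review bot: The `imagePullSecrets` block tests `.Values.images.pullSecrets` but renders `.Values.image.pullSecrets`; values.yaml in this change defines `images.pullSecrets`, not `image`, so when a pull secret is configured the guard passes and the body renders no usable list, leaving the CRD job unable to pull from a private registry. The fix is `{{- toYaml .Values.images.pullSecrets | nindent 8 }}`. Separately, the ClusterRole grants `get`, `create`, `update` and `patch` on every CustomResourceDefinition cluster-wide; `create` cannot be narrowed by `resourceNames`, but the container only runs `kubectl apply -f crds/`, which patches existing objects, so `update` may be droppable once a dry-run confirms it, and `upgradeCRDs.extraRules` already gives operators a visible place to widen the role if needed.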
+++ b/charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/validate-install-crd.yaml
@@ -0,0 +1,25 @@
+#{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}}
+# {{- $found := dict -}}
+# {{- set $found "mutations.gatekeeper.sh/v1/Assign" false -}}
+# {{- set $found "mutations.gatekeeper.sh/v1alpha1/AssignImage" false -}}
+# {{- set $found "mutations.gatekeeper.sh/v1/AssignMetadata" false -}}
+# {{- set $found "config.gatekeeper.sh/v1alpha1/Config" false -}}
+# {{- set $found "status.gatekeeper.sh/v1beta1/ConstraintPodStatus" false -}}
+# {{- set $found "templates.gatekeeper.sh/v1/ConstraintTemplate" false -}}
+# {{- set $found "status.gatekeeper.sh/v1beta1/ConstraintTemplatePodStatus" false -}}
+# {{- set $found "expansion.gatekeeper.sh/v1alpha1/ExpansionTemplate" false -}}
+# {{- set $found "status.gatekeeper.sh/v1beta1/ExpansionTemplatePodStatus" false -}}
+# {{- set $found "mutations.gatekeeper.sh/v1/ModifySet" false -}}
+# {{- set $found "status.gatekeeper.sh/v1beta1/MutatorPodStatus" false -}}
+# {{- set $found "externaldata.gatekeeper.sh/v1alpha1/Provider" false -}}
+# {{- range .Capabilities.APIVersions -}}
+# {{- if hasKey $found (toString .) -}}
+# {{- set $found (toString .) true -}}
+# {{- end -}}
+# {{- end -}}
+# {{- range $_, $exists := $found -}}
+# {{- if (eq $exists false) -}}
+# {{- required "Required CRDs are missing. Please install the corresponding CRD chart before installing this chart." "" -}}
+# {{- end -}}
+# {{- end -}}
+#{{- end -}}
\ No newline at end of file
diff --git a/charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/validate-psp-install.yaml b/charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/validate-psp-install.yaml
new file mode 100644
index 000000000..a30c59d3b
--- /dev/null
+++ b/charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/validate-psp-install.yaml
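Review bot: The leading `#` on every line does not disable the template: Helm evaluates `{{ }}` actions before the output is parsed as YAML, so the `lookup`, `set` and `required` calls still run and only the `#` characters survive as rendered output. A reader who takes this file for a commented-out guard will not expect an install to fail with the `required` message, and will not know that the outer `lookup` guard makes the check a no-op under `helm template` and dry-run, where `lookup` returns nothing. A first-line comment such as `# NOTE: the '#' prefix is cosmetic; the template actions below still execute and fail the install when a required Gatekeeper CRD is absent (skipped on dry-run/template, where lookup is empty)` makes the intent explicit. The same applies to the validate-psp-install hunk below, which `fail`s when PSPs are enabled on a cluster without the PodSecurityPolicy API.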
@@ -0,0 +1,7 @@
+#{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}}
+#{{- if .Values.global.cattle.psp.enabled }}
+#{{- if not (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }}
+#{{- fail "The target cluster does not have the PodSecurityPolicy API resource. Please disable PSPs in this chart before proceeding." -}}
+#{{- end }}
+#{{- end }}
+#{{- end }}
diff --git a/charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/webhook-configs-pre-delete.yaml b/charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/webhook-configs-pre-delete.yaml
new file mode 100644
index 000000000..21c2411f0
--- /dev/null
+++ b/charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/webhook-configs-pre-delete.yaml
@@ -0,0 +1,144 @@ +{{- if and (or (not .Values.disableValidatingWebhook) (not .Values.disableMutation)) .Values.preUninstall.deleteWebhookConfigurations.enabled }} +apiVersion: batch/v1 +kind: Job +metadata: + name: gatekeeper-delete-webhook-configs + namespace: {{ .Release.Namespace | quote }} + labels: + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-weight": "-5" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +spec: + template: + metadata: + annotations: + {{- toYaml .Values.podAnnotations | trim | nindent 8 }} + labels: + {{- include "gatekeeper.podLabels" . }} + app: '{{ template "gatekeeper.name" . }}' + chart: '{{ template "gatekeeper.name" . }}' + gatekeeper.sh/system: "yes" + heritage: '{{ .Release.Service }}' + release: '{{ .Release.Name }}' + spec: + restartPolicy: OnFailure + {{- if .Values.preUninstall.deleteWebhookConfigurations.image.pullSecrets }} + imagePullSecrets: + {{- .Values.preUninstall.deleteWebhookConfigurations.image.pullSecrets | toYaml | nindent 12 }} + {{- end }} + serviceAccount: gatekeeper-delete-webhook-configs + {{- if .Values.preUninstall.deleteWebhookConfigurations.priorityClassName }} + priorityClassName: {{ .Values.preUninstall.deleteWebhookConfigurations.priorityClassName }} + {{- end }} + containers: + - name: kubectl-delete + image: '{{ template "system_default_registry" . 
}}{{ .Values.preUninstall.deleteWebhookConfigurations.image.repository }}:{{ .Values.preUninstall.deleteWebhookConfigurations.image.tag }}' + imagePullPolicy: {{ .Values.preUninstall.deleteWebhookConfigurations.image.pullPolicy }} + args: + - delete + {{- if not .Values.disableValidatingWebhook }} + - validatingwebhookconfiguration/{{ .Values.validatingWebhookName }} + {{- end }} + {{- if not .Values.disableMutation }} + - mutatingwebhookconfiguration/{{ .Values.mutatingWebhookName }} + {{- end }} + resources: + {{- toYaml .Values.preUninstall.resources | nindent 12 }} + securityContext: + {{- if .Values.enableRuntimeDefaultSeccompProfile }} + seccompProfile: + type: RuntimeDefault + {{- end }} + {{- toYaml .Values.preUninstall.securityContext | nindent 12 }} + {{- with .Values.preUninstall }} + nodeSelector: {{ include "linux-node-selector" . | nindent 8 }} +{{- if .nodeSelector }} +{{ toYaml .nodeSelector | indent 8 }} +{{- end }} + tolerations: {{ include "linux-node-tolerations" . | nindent 8 }} +{{- if .tolerations }} +{{ toYaml .tolerations | indent 8 }} +{{- end }} + affinity: + {{- toYaml .affinity | nindent 8 }} + {{- end }} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: gatekeeper-delete-webhook-configs + namespace: {{ .Release.Namespace | quote }} + labels: + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-weight": "-5" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +--- +{{- if .Values.rbac.create }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: gatekeeper-delete-webhook-configs + labels: + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-weight": "-5" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +rules: + {{- if not .Values.disableValidatingWebhook }} + - apiGroups: + - admissionregistration.k8s.io + resources: + 
- validatingwebhookconfigurations + resourceNames: + - {{ .Values.validatingWebhookName }} + verbs: + - delete + {{- end }} + {{- if not .Values.disableMutation }} + - apiGroups: + - admissionregistration.k8s.io + resources: + - mutatingwebhookconfigurations + resourceNames: + - {{ .Values.mutatingWebhookName }} + verbs: + - delete + {{- end }} +{{- with .Values.preUninstall.deleteWebhookConfigurations.extraRules }} + {{- toYaml . | nindent 2 }} +{{- end }} +{{- end }} +--- +{{- if .Values.rbac.create }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: gatekeeper-delete-webhook-configs + labels: + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + annotations: + "helm.sh/hook": pre-delete + "helm.sh/hook-weight": "-5" + "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: gatekeeper-delete-webhook-configs +subjects: + - kind: ServiceAccount + name: gatekeeper-delete-webhook-configs + namespace: {{ .Release.Namespace | quote }} +{{- end }} +{{- end }} diff --git a/charts/rancher-gatekeeper/103.1.0+up3.13.0/values.yaml b/charts/rancher-gatekeeper/103.1.0+up3.13.0/values.yaml new file mode 100644 index 000000000..8de6db3bc --- /dev/null +++ b/charts/rancher-gatekeeper/103.1.0+up3.13.0/values.yaml 
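Review bot: The Job's pod spec uses `serviceAccount: gatekeeper-delete-webhook-configs`, the deprecated alias, while the CRD-upgrade hook in this same change uses `serviceAccountName`; the post-install and post-upgrade label Jobs carry the same alias. Switching to `serviceAccountName: gatekeeper-delete-webhook-configs` is a one-word change that keeps the chart on the supported field. The ClusterRole is scoped by `resourceNames` to exactly the two webhook configurations the Job deletes, which is the right shape. The scheduling block here additionally appends `.nodeSelector`/`.tolerations` from `.Values.preUninstall` after the `linux-node-selector`/`linux-node-tolerations` includes, a pattern none of the other hooks use; if those helpers already emit an OS selector, a user-supplied `kubernetes.io/os` key would be rendered twice under one mapping, so this is worth confirming against the helper definitions, which are outside this hunk.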
@@ -0,0 +1,281 @@
+replicas: 3
+auditInterval: 60
+metricsBackends: ["prometheus"]
+auditMatchKindOnly: false
+constraintViolationsLimit: 20
+auditFromCache: false
+disableMutation: false
+disableValidatingWebhook: false
+validatingWebhookName: gatekeeper-validating-webhook-configuration
+validatingWebhookTimeoutSeconds: 3
+validatingWebhookFailurePolicy: Ignore
+validatingWebhookAnnotations: {}
+validatingWebhookExemptNamespacesLabels: {}
+validatingWebhookObjectSelector: {}
+validatingWebhookCheckIgnoreFailurePolicy: Fail
+validatingWebhookCustomRules: {}
+validatingWebhookURL: null
+enableDeleteOperations: false
+enableExternalData: true
+enableGeneratorResourceExpansion: true
+enableTLSHealthcheck: false
+maxServingThreads: -1
+mutatingWebhookName: gatekeeper-mutating-webhook-configuration
+mutatingWebhookFailurePolicy: Ignore
+mutatingWebhookReinvocationPolicy: Never
+mutatingWebhookAnnotations: {}
+mutatingWebhookExemptNamespacesLabels: {}
+mutatingWebhookObjectSelector: {}
+mutatingWebhookTimeoutSeconds: 1
+mutatingWebhookCustomRules: {}
+mutatingWebhookURL: null
+mutationAnnotations: false
+auditChunkSize: 500
+logLevel: INFO
+logDenies: false
+logMutations: false
+emitAdmissionEvents: false
+emitAuditEvents: false
+admissionEventsInvolvedNamespace: false
+auditEventsInvolvedNamespace: false
+resourceQuota: true
+images:
+ gatekeeper:
+ repository: rancher/mirrored-openpolicyagent-gatekeeper
+ tag: v3.13.0
+ gatekeepercrd:
+ repository: rancher/mirrored-openpolicyagent-gatekeeper-crds
+ tag: v3.13.0
+ pullPolicy: IfNotPresent
+ pullSecrets: []
+preInstall:
+ crdRepository:
+ image:
+ repository: null
+ tag: v3.13.0
+postUpgrade:
+ labelNamespace:
+ enabled: false
+ image:
+ repository: rancher/kubectl
+ tag: v1.20.2
+ pullPolicy: IfNotPresent
+ pullSecrets: []
+ extraNamespaces: []
+ podSecurity: ["pod-security.kubernetes.io/audit=restricted",
+ "pod-security.kubernetes.io/audit-version=latest",
+ "pod-security.kubernetes.io/warn=restricted",
+ "pod-security.kubernetes.io/warn-version=latest",
+ "pod-security.kubernetes.io/enforce=restricted",
+ "pod-security.kubernetes.io/enforce-version=v1.24"]
+ extraAnnotations: {}
+ priorityClassName: ""
+ affinity: {}
+ tolerations: []
+ nodeSelector: {kubernetes.io/os: linux}
+ resources: {}
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ runAsGroup: 999
+ runAsNonRoot: true
+ runAsUser: 1000
+postInstall:
+ labelNamespace:
+ enabled: true
+ extraRules: []
+ image:
+ repository: rancher/mirrored-openpolicyagent-gatekeeper-crds
+ tag: v3.13.0
+ pullPolicy: IfNotPresent
+ pullSecrets: []
+ extraNamespaces: []
+ podSecurity: ["pod-security.kubernetes.io/audit=restricted",
+ "pod-security.kubernetes.io/audit-version=latest",
+ "pod-security.kubernetes.io/warn=restricted",
+ "pod-security.kubernetes.io/warn-version=latest",
+ "pod-security.kubernetes.io/enforce=restricted",
+ "pod-security.kubernetes.io/enforce-version=v1.24"]
+ extraAnnotations: {}
+ priorityClassName: ""
+ probeWebhook:
+ enabled: true
+ image:
+ repository: rancher/mirrored-curlimages-curl
+ tag: 7.83.1
+ pullPolicy: IfNotPresent
+ pullSecrets: []
+ waitTimeout: 60
+ httpTimeout: 2
+ insecureHTTPS: false
+ priorityClassName: ""
+ affinity: {}
+ tolerations: []
+ nodeSelector: {kubernetes.io/os: linux}
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ runAsGroup: 999
+ runAsNonRoot: true
+ runAsUser: 1000
+preUninstall:
+ deleteWebhookConfigurations:
+ extraRules: []
+ enabled: false
+ image:
+ repository: rancher/mirrored-openpolicyagent-gatekeeper-crds
+ tag: v3.13.0
+ pullPolicy: IfNotPresent
+ pullSecrets: []
+ priorityClassName: ""
+ affinity: {}
+ tolerations: []
+ nodeSelector: {}
+ resources: {}
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ runAsGroup: 999
+ runAsNonRoot: true
+ runAsUser: 1000
+podAnnotations: {}
+auditPodAnnotations: {}
+podLabels: {}
+podCountLimit: "100"
+secretAnnotations: {}
+enableRuntimeDefaultSeccompProfile: true
+controllerManager:
+ exemptNamespaces: []
+ exemptNamespacePrefixes: []
+ hostNetwork: false
+ dnsPolicy: ClusterFirst
+ port: 8443
+ metricsPort: 8888
+ healthPort: 9090
+ readinessTimeout: 1
+ livenessTimeout: 1
+ priorityClassName: system-cluster-critical
+ disableCertRotation: false
+ tlsMinVersion: 1.3
+ clientCertName: ""
+ strategyType: RollingUpdate
+ affinity:
+ podAntiAffinity:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - podAffinityTerm:
+ labelSelector:
+ matchExpressions:
+ - key: gatekeeper.sh/operation
+ operator: In
+ values:
+ - webhook
+ topologyKey: kubernetes.io/hostname
+ weight: 100
+ topologySpreadConstraints: []
+ tolerations: []
+ nodeSelector: {}
+ resources:
+ limits:
+ memory: 512Mi
+ requests:
+ cpu: 100m
+ memory: 512Mi
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ runAsGroup: 999
+ runAsNonRoot: true
+ runAsUser: 1000
+ podSecurityContext:
+ fsGroup: 999
+ supplementalGroups:
+ - 999
+ extraRules: []
+ networkPolicy:
+ enabled: false
+ ingress: { }
+ # - from:
+ # - ipBlock:
+ # cidr: 0.0.0.0/0
+audit:
+ enablePubsub: false
+ hostNetwork: false
+ dnsPolicy: ClusterFirst
+ metricsPort: 8888
+ healthPort: 9090
+ readinessTimeout: 1
+ livenessTimeout: 1
+ priorityClassName: system-cluster-critical
+ disableCertRotation: true
+ affinity: {}
+ tolerations: []
+ nodeSelector: {}
+ resources:
+ limits:
+ memory: 512Mi
+ requests:
+ cpu: 100m
+ memory: 512Mi
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ runAsGroup: 999
+ runAsNonRoot: true
+ runAsUser: 1000
+ podSecurityContext:
+ fsGroup: 999
+ supplementalGroups:
+ - 999
+ writeToRAMDisk: false
+ extraRules: []
+crds:
+ affinity: {}
+ tolerations: []
+ nodeSelector: {kubernetes.io/os: linux}
+ resources: {}
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ runAsGroup: 65532
+ runAsNonRoot: true
+ runAsUser: 65532
+pdb:
+ controllerManager:
+ minAvailable: 1
+global:
+ cattle:
+ systemDefaultRegistry: ""
+ psp:
+ enabled: false
+ kubectl:
+ repository: rancher/kubectl
+ tag: v1.20.2
+service: {}
+disabledBuiltins: ["{http.send}"]
+upgradeCRDs:
+ enabled: true
+ extraRules: []
+ priorityClassName: ""
+rbac:
+ create: true
+externalCertInjection:
+ enabled: false
+ secretName: gatekeeper-webhook-server-cert
diff --git a/index.yaml b/index.yaml
index b6d0caf0e..6add247a9 100755
--- a/index.yaml
+++ b/index.yaml
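Review bot: `validatingWebhookFailurePolicy: Ignore` and `mutatingWebhookFailurePolicy: Ignore` make both admission webhooks fail open, and with `logDenies: false` and `emitAdmissionEvents: false` a rejected request leaves no record beyond the API response, yet none of these security-relevant defaults carries a comment in the new values.yaml. They appear to mirror the upstream gatekeeper chart defaults, so I would not change the values in this commit, but a comment above `validatingWebhookFailurePolicy` such as `# Ignore admits requests when the webhook is unreachable; set to Fail for fail-closed enforcement (trades availability for policy coverage)` and a similar one stating that `logDenies`/`emitAdmissionEvents` are what produce an audit trail of denials would let operators make the choice deliberately. `controllerManager.networkPolicy.ingress: { }` is an empty mapping while the commented example directly beneath it (`# - from:`) is a list; worth confirming the template that consumes it tolerates both shapes, and a one-line comment naming the expected type would remove the ambiguity. `disabledBuiltins: ["{http.send}"]` is the only hardening knob whose purpose is not self-evident and would also benefit from a short comment on why outbound HTTP from Rego is blocked by default.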
@@ -8721,6 +8721,36 @@ entries:
 - assets/rancher-external-ip-webhook/rancher-external-ip-webhook-0.1.400.tgz
 version: 0.1.400
 rancher-gatekeeper:
+ - annotations:
+ catalog.cattle.io/auto-install: rancher-gatekeeper-crd=match
+ catalog.cattle.io/certified: rancher
+ catalog.cattle.io/display-name: OPA Gatekeeper
+ catalog.cattle.io/kube-version: '>= 1.20.0-0'
+ catalog.cattle.io/namespace: cattle-gatekeeper-system
+ catalog.cattle.io/os: linux
+ catalog.cattle.io/permits-os: linux,windows
+ catalog.cattle.io/provides-gvr: config.gatekeeper.sh.config/v1alpha1
+ catalog.cattle.io/rancher-version: '>= 2.8.0-0 < 2.9.0-0'
+ catalog.cattle.io/release-name: rancher-gatekeeper
+ catalog.cattle.io/type: cluster-tool
+ catalog.cattle.io/ui-component: gatekeeper
+ apiVersion: v2
+ appVersion: v3.13.0
+ created: "2023-08-28T23:10:42.721448901Z"
+ description: Modifies Open Policy Agent's upstream gatekeeper chart that provides
+ policy-based control for cloud native environments
+ digest: 300e12017c4487cf4c98b437579076b7fc96ab116a81b6e3b188c2a671be1290
+ home: https://github.com/open-policy-agent/gatekeeper
+ icon: https://charts.rancher.io/assets/logos/gatekeeper.svg
+ keywords:
+ - open policy agent
+ - security
+ name: rancher-gatekeeper
+ sources:
+ - https://github.com/open-policy-agent/gatekeeper.git
+ urls:
+ - assets/rancher-gatekeeper/rancher-gatekeeper-103.1.0+up3.13.0.tgz
+ version: 103.1.0+up3.13.0
 - annotations:
 catalog.cattle.io/auto-install: rancher-gatekeeper-crd=match
 catalog.cattle.io/certified: rancher
@@ -9124,6 +9154,20 @@ entries: - assets/rancher-gatekeeper/rancher-gatekeeper-3.1.100.tgz version: 3.1.100 rancher-gatekeeper-crd: + - annotations: + catalog.cattle.io/certified: rancher + catalog.cattle.io/hidden: "true" + catalog.cattle.io/namespace: cattle-gatekeeper-system + catalog.cattle.io/release-name: rancher-gatekeeper-crd + apiVersion: v1 + created: "2023-08-25T23:58:48.830847335Z" + description: Installs the CRDs for rancher-gatekeeper. + digest: 433eb32cfc8233840c67cd97bc236a5199b6e311a9c4c26b681d08b89e317a3b + name: rancher-gatekeeper-crd + type: application + urls: + - assets/rancher-gatekeeper-crd/rancher-gatekeeper-crd-103.1.0+up3.13.0.tgz + version: 103.1.0+up3.13.0 - annotations: catalog.cattle.io/certified: rancher catalog.cattle.io/hidden: "true" diff --git a/release.yaml b/release.yaml index 001d9227f..d8fe4665a 100644 --- a/release.yaml +++ b/release.yaml @@ -6,5 +6,7 @@ rancher-backup-crd: - 103.0.0+up4.0.0 rancher-gatekeeper: - 103.0.1+up3.12.0 + - 103.1.0+up3.13.0 rancher-gatekeeper-crd: - 103.0.1+up3.12.0 + - 103.1.0+up3.13.0 From 460bb59e8547378933401da3f92c323abb62e5b5 Mon Sep 17 00:00:00 2001 
From: Diogo Souza Date: Sat, 26 Aug 2023 00:00:33 +0000 Subject: [PATCH 18/24] removing unreleased version of opa gatekeeper --- ...ancher-gatekeeper-crd-103.0.1+up3.12.0.tgz | Bin 13235 -> 0 bytes .../rancher-gatekeeper-103.0.1+up3.12.0.tgz | Bin 17287 -> 0 bytes .../103.0.1+up3.12.0/Chart.yaml | 10 - .../103.0.1+up3.12.0/README.md | 2 - .../assign-customresourcedefinition.yaml | 757 ------------------ .../assignimage-customresourcedefinition.yaml | 237 ------ ...signmetadata-customresourcedefinition.yaml | 655 --------------- .../config-customresourcedefinition.yaml | 105 --- ...intpodstatus-customresourcedefinition.yaml | 67 -- ...ainttemplate-customresourcedefinition.yaml | 357 --------- ...atepodstatus-customresourcedefinition.yaml | 66 -- ...siontemplate-customresourcedefinition.yaml | 73 -- .../modifyset-customresourcedefinition.yaml | 676 ---------------- ...torpodstatus-customresourcedefinition.yaml | 65 -- .../provider-customresourcedefinition.yaml | 78 -- .../103.0.1+up3.12.0/templates/_helpers.tpl | 22 - .../103.0.1+up3.12.0/templates/jobs.yaml | 126 --- .../103.0.1+up3.12.0/templates/manifest.yaml | 14 - .../103.0.1+up3.12.0/templates/rbac.yaml | 76 -- .../templates/validate-psp-install.yaml | 7 - .../103.0.1+up3.12.0/values.yaml | 21 - .../103.0.1+up3.12.0/.helmignore | 21 - .../103.0.1+up3.12.0/CHANGELOG.md | 15 - .../103.0.1+up3.12.0/Chart.yaml | 26 - .../103.0.1+up3.12.0/README.md | 210 ----- .../103.0.1+up3.12.0/app-readme.md | 32 - .../103.0.1+up3.12.0/templates/_helpers.tpl | 113 --- .../templates/allowedrepos.yaml | 35 - .../gatekeeper-admin-podsecuritypolicy.yaml | 38 - .../gatekeeper-admin-serviceaccount.yaml | 11 - .../gatekeeper-audit-deployment.yaml | 156 ---- ...ekeeper-controller-manager-deployment.yaml | 169 ---- ...per-controller-manager-network-policy.yaml | 30 - ...ontroller-manager-poddisruptionbudget.yaml | 24 - ...atekeeper-critical-pods-resourcequota.yaml | 23 - .../gatekeeper-manager-role-clusterrole.yaml | 174 ---- 
.../gatekeeper-manager-role-role.yaml | 37 - ...anager-rolebinding-clusterrolebinding.yaml | 20 - ...eeper-manager-rolebinding-rolebinding.yaml | 21 - ...guration-mutatingwebhookconfiguration.yaml | 60 -- ...ration-validatingwebhookconfiguration.yaml | 109 --- ...gatekeeper-webhook-server-cert-secret.yaml | 14 - .../gatekeeper-webhook-service-service.yaml | 38 - .../templates/namespace-post-install.yaml | 165 ---- .../templates/namespace-post-upgrade.yaml | 153 ---- .../templates/probe-webhook-post-install.yaml | 46 -- .../templates/requiredlabels.yaml | 57 -- .../templates/upgrade-crds-hook.yaml | 116 --- .../templates/validate-install-crd.yaml | 24 - .../templates/validate-psp-install.yaml | 7 - .../templates/webhook-configs-pre-delete.yaml | 141 ---- .../103.0.1+up3.12.0/values.yaml | 271 ------- index.yaml | 44 - release.yaml | 2 - 54 files changed, 5816 deletions(-) delete mode 100644 assets/rancher-gatekeeper-crd/rancher-gatekeeper-crd-103.0.1+up3.12.0.tgz delete mode 100644 assets/rancher-gatekeeper/rancher-gatekeeper-103.0.1+up3.12.0.tgz delete mode 100644 charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/Chart.yaml delete mode 100644 charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/README.md delete mode 100644 charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/assign-customresourcedefinition.yaml delete mode 100644 charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/assignimage-customresourcedefinition.yaml delete mode 100644 charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/assignmetadata-customresourcedefinition.yaml delete mode 100644 charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/config-customresourcedefinition.yaml delete mode 100644 charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/constraintpodstatus-customresourcedefinition.yaml delete mode 100644 charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/constrainttemplate-customresourcedefinition.yaml delete mode 100644 
charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/constrainttemplatepodstatus-customresourcedefinition.yaml delete mode 100644 charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/expansiontemplate-customresourcedefinition.yaml delete mode 100644 charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/modifyset-customresourcedefinition.yaml delete mode 100644 charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/mutatorpodstatus-customresourcedefinition.yaml delete mode 100644 charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/provider-customresourcedefinition.yaml delete mode 100644 charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/templates/_helpers.tpl delete mode 100644 charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/templates/jobs.yaml delete mode 100644 charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/templates/manifest.yaml delete mode 100644 charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/templates/rbac.yaml delete mode 100644 charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/templates/validate-psp-install.yaml delete mode 100644 charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/values.yaml delete mode 100644 charts/rancher-gatekeeper/103.0.1+up3.12.0/.helmignore delete mode 100644 charts/rancher-gatekeeper/103.0.1+up3.12.0/CHANGELOG.md delete mode 100644 charts/rancher-gatekeeper/103.0.1+up3.12.0/Chart.yaml delete mode 100644 charts/rancher-gatekeeper/103.0.1+up3.12.0/README.md delete mode 100644 charts/rancher-gatekeeper/103.0.1+up3.12.0/app-readme.md delete mode 100644 charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/_helpers.tpl delete mode 100644 charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/allowedrepos.yaml delete mode 100644 charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-admin-podsecuritypolicy.yaml delete mode 100644 charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-admin-serviceaccount.yaml delete mode 100644 
charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-audit-deployment.yaml delete mode 100644 charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-controller-manager-deployment.yaml delete mode 100644 charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-controller-manager-network-policy.yaml delete mode 100644 charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-controller-manager-poddisruptionbudget.yaml delete mode 100644 charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-critical-pods-resourcequota.yaml delete mode 100644 charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-manager-role-clusterrole.yaml delete mode 100644 charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-manager-role-role.yaml delete mode 100644 charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-manager-rolebinding-clusterrolebinding.yaml delete mode 100644 charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-manager-rolebinding-rolebinding.yaml delete mode 100644 charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml delete mode 100644 charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml delete mode 100644 charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-webhook-server-cert-secret.yaml delete mode 100644 charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-webhook-service-service.yaml delete mode 100644 charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/namespace-post-install.yaml delete mode 100644 charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/namespace-post-upgrade.yaml delete mode 100644 charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/probe-webhook-post-install.yaml delete mode 100644 charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/requiredlabels.yaml delete mode 100644 
charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/upgrade-crds-hook.yaml delete mode 100644 charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/validate-install-crd.yaml delete mode 100644 charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/validate-psp-install.yaml delete mode 100644 charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/webhook-configs-pre-delete.yaml delete mode 100644 charts/rancher-gatekeeper/103.0.1+up3.12.0/values.yaml 
diff --git a/assets/rancher-gatekeeper-crd/rancher-gatekeeper-crd-103.0.1+up3.12.0.tgz b/assets/rancher-gatekeeper-crd/rancher-gatekeeper-crd-103.0.1+up3.12.0.tgz deleted file mode 100644 index 5ed680d1124cae6c1b3d66f5b4f51060ac069e08..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 13235 zcmch8RahNM(=P5#aQEO2!3h@J-QC?GI0Ojp?i$?Pg1fszSh%~h4rK4|KlWdotFtbq zXS%wo-s+jBdZyl9MBy->Kt6szY7kljaYZI0aTyM24=#2?R#hfrC3XuNBD*#?NfHkz&PER2M*VHqBSxo0Egb_}=*V{Sd0+$tc;V>UC{0sq`E-h0_##EzT2@1%B&tkJnsLmAUGi`o6>Ia6eUWnMC4#i8 z>=b2fax=i5J(VF%0`L6Ay-6Nhq><=NMl6;c=f;iyJam2Rf3Sba)7R^GT~SW@|mnF40rQ2U}&u6oNr zW(WAUY%|Js{Iuj=#oeT2VaM?ZdD=OG+z3B#3$MMAG-zvXlU#nXK+ZpzR-3$-B_(o0 ztSs)2=Me*eDid>Yx$0v=^aX|8p(3eFWZ}85tgD%lGSPf;%-&gZ)Ii`j>Bf0*9suxq zHhu@=_52Zb#TPk##C104$lk}^so7~f{vhH-k9k>xNrtSnL_xXS;pX|Ayn4f*)46-7 zSgu!|r8ISP3xPNOxT0Z|n247$oBtFAZ5B2>6G>#YzDO)zUS(WS2+9eQ5sY0R1>S-0 z3t5T0=TL<~lO1qmCba<7$yWk(5FJ;yDw$A>&NK~C3H92Z>kAn=2Syy?Hi2_+xN-LH zY#Mms0aDD(2BF31gkQuN%q>?mq;UFPJop&`6(}pI5Q%C;pW@8`_H4K<`?=x~N8QF2 zLm{?BOCAOyl_Q&|hKSg`XacL6Y_)z~PsT<5$D|2}aHAn!PtJ{ZnzI_yv+ez5bWv6M z3K_AZhj_VFgCMm!0nxa>qS=$EWm&sADZS;)d?5)lUA3Z|na+O=`$(lLuBXiN9aObjJcargZt zXs@eQgUcNWEE%;@X!|sxl^Qx5?r7^8-P>8N)mjxa#Y4V{It-85{(2>UV1A6c`VyaI z;fj5QYQEcH0}IuEgblq{e|q(k*oe&<^ZEM|E< zTM*lS1YWZPfzzzK!0$2jj<&Y*Cs;mNcZ!Wtv+dEXr)664HfDfmf-XfMrm14BNEf{5 z$j~y76x2O8e33pZ^ebyWFJ zDeZpiu4ku^$Yt7tSZX6iBKhD?Ec}5u>hS#B<+x5>U(fxgWOQ5~UEulU^ucl|@csek z$(M*caZvz)ef&mS{0(o3x%+l=Tl!ZF!kztTMW}|}^43YeEgsJ#UEPxPFR`lqO{v&I zd4xA(B6cZ+hLKpP;ulF{7Gnmr6l!|RHxhgwhw5Qhm=*)ayosU7wuSS?HaS-_>2#oC zX>ZG;0Y?40-l`mzQX=;_)Tc<662QKW)$aM5CJ9p3H{E?dx(wmL&CV&Z8q;ucb4afKw87QBpDLRp3Cwd0|Y_~RJxp^H0dwM@a)p0T5mf2 z9n)n>-W+u*ru%d{7Iv(z8_A0_RWmUy!(I$-!?JsU>AkSCb8hF7BIj$;jbWEY_fu`P zibO%^7&V;h(_BuuH+V&MKiVt#+uJ=AyzN~)6nH=LvIyqIYMB||yA<85#^IT{4KA@& zxyN~z0|I&XhtW37EO6@}rPw0jW1Dn$E4?k9Q{skewuW)I#%#hMU){xI-xpG!M&Tjl zWp-D&d5_*{XM}p<>TdWX<*{6n<#CxT9iT{!JWGcbrbcuJ?As5e;x{*8BSMAo;1bDK 
z|Ks2%eY2N+^Z7R(ZV#V`r%mAkyR}B9S-@%v1z=S@^q7t!kfXss5UTLiT@Y$-bGFzR zqG+5m{e+F*iInY;!(AaP4q>8-VV$xd04R)sqwJO!*uZCg!B*uU=^+huz8_&uVO_>m$FD#!C<5n{ z8v9d(J!$3Py-~Dp@00KI)ytpTQGL|)Z+P#k@5O^L``dTt7lcLNJL0q{qeD^%BJTN?`BK?DXN`$Q$qk;#J^1 zODE}O`W6Dn{kDCNgMp+(Z(+MlnB=HoB2uV>reQVY%@dT?ahG2V(P$=5_Y~~Ez=_dv z=t-pfdi3XHhmwLKnOPXAk7rdku3XMh{M-a@wlF=FFs@P1sIj`~^b4D?Py3Ka5?Rl| z?N|IjYC#QE&w%oUaZ5@AssHKpBB2!I>4Y1l2JKbA(C5+f{Omk{X~Nii$%jrVY1 z#fT=OPLvRtR51yg{_sI(mzf0PA-yowp0>e86(*3=SCcey1RYSQM6E~(Ul1l!n5xL7 zURK|r_1T8uY_0LAwU2ZWoU}+aFpjQ)s+5Utk69)ZvUxFGFk)9}cH zNhIDD85*~)FZSdb-vr(S!Yz1?v1^rI7RO?s&Pp@rW7|dsSRd7^fcQH8$%Fvs7jEi` z?(ds1Q$=w9tWhs3vzoKaM(Y8;sAObkZJCi#rtvGmStA`B>hUs-@jNm5>(^eIGa6iY zc#?B;_@52tG(LUwPgI!Q5sX88T$(bJ0mU{EmM5B=7?n0v?Iu&zEGA>Fk zk1xYWl9gV~B0bX*Co55PgLx&IOmD~DMXLXnft`cY8XIOsfdZ;0##7tflCV- z0w-iCEJ3rJ;7cxqmMAk`1g-zE`S8(=1m0{FUBaU{zCfP@?Mu)+IJU-5c}MLzPTCbY4js(l1z(%#SgW`M4)SCjK-y}MvJ;3X@;8wc*&VAbXuuXESkOMWqs zsU^7Ugzt55Q*+la{Jx1enERAvx+^U5?rA&Ea)P$zvy)0O;POPAFM3^ni>=mE5 zd0;%U)M;yEzY_B$KnRJmr{qzqBxaOJ4Sq4>$jTAjQ_l#4qmvd84&R+B_y~F?gTov+OOS(wWDM))2Y9R@H_8eu0;%k$$svzg$iG5 z8OS%OsEvb~(GD7{3nkJ|;jnU!J35!dtnMk%}U+FY?na=Jcj*PwGvH5kre zUlDCxiWJu_LSsYailuSOoVstcm-;OXD8!U|_e@-|uLo~8!$r;Rzr=o7{2kN}NTaX7 zwr|S(A}?;Nno>v5u7Hi=NI2L@5R0N3V`XEsRF&Xe*4}7n2RU>K)-#$k62NT6^<$Yd zykw7a4F2W^^T74|*3ugBMBCysO_UCP1J+BrMi3hn8Y-7(Xedmj*XCh4>WsH|!OryROf2H+e`fOsEEZTbT2EHb zs0jOO89eqiI47BXlTflIi@QnYE`+DxAmKDK*;cI`+fYfWF=ZI{uuKZZp-7S0xV}S= z^hi)M*dI5kmD_-^dHeo|x`t@V%K)Kd7Zgl&zhEFWAhv$n(<^VXODkRwM>}!mX8cnFSDv(!n&KfAxP#&$6!n2uBdN+ggh z){1dyp5qJucOCRioYJDoYEdg#F)mGf&P>kjZCVNS;5=Iu-;`j4mB8FI&Yds>=qaK_bdk<5tj!3LdxR~J<_Mn zeLrqt6(QXT@IGaPh#^9Y0kUMn;-0xlBrl9%Smy?Vw{7S2@x(&! 
zo0%#uyJPx=W&^grZ9ITRMyO#d{wZ$KU1+E1Y`5ciBN-RS{5Fm8e&mndxs;q7%P$st zTZLg|rpIb@!t9IAY=&g#f)s1NPKnLSY*38*+Gng#q{~)Et~GaUDL%2&ye%VZ)B9a+ zVQ*)#7QR4v<_AtWZmJT_QW~aq5|kP> zAB0sb3>%NH#;wMSx5d`+eV}}ex-S8LS@b3*)Obv>Q>K-$t3Z6>!&1Bn?7XL zJ1DSZN`%^zOG_HL@VGczojjF=4JmkE{hz7bg-k)??4eLnE*(v&b^XP~u z+g)_q#Z+zHdoug<9mZ@e!C-Z=Js_I^htce3%&C&?(s*iC{vV$9?)vsCUQGu$PN!?a zJvn4DSDOAmE;jbgMrxh37!GYen5j-?Mudmq-5LZ;n>aQbS#W8V{Vx5wf5B)FPNGij%I+2sgYYbl{yi>Cp=s@t;xuk4yR$Z7k2UYgxDp&ea_+hV&lSF!gehsG-3BS8dS zF|{^I3Ji@4*#RmKryV6u1dQ8~EJTO;{8F3N#Bm`R0ZJy=9$6tiTI$>=469Q_;^*yx zmMqK8gxM^$8c2CsE-W04*1BhTiy|nAKBKY@QC=Yh)Vcht6ET)sN0buBp=QqrG@{|^x>3z zSO3S;dw*FS0_yf{3ks_4aM(wu-2g`VhxZG`cTeOZLH9JR^rUOPzFuVF4?!0Hg}llR z?{5Gy|GN5XGUB;p)bAh5FHSN4MDq~=4CqQ}?>lrDd1$VW2IVizPU@&qC-7qlwSe@*e?{2S;7OLZuW9XZ^GH#=k8e>5-J6#jz!&opM5gu+x!{s_I0 zRQ)@Ftd&baA2^cHNP9>~NZZw>p@oA4x^Ji?{+8Me4lh0@On?2Hza2p7HIl$zZAz#& zg@dR0JUEFsg(2vGnBYAq}LE(geR{((l-|Z#|p%XTLE(0FV(cTAWu{k3;7PxyOF3j8YRq zU$H0D(X`FbIfmV>%XO4m?4C?N;YS5bM+Igy_w*Ma%)R`kQ8zQLHXcba<0z_^uI#c!^>rcdIlikp3Ny)S`o<_GHTk&mm>_x zh*hNL*9Q4o9t3?S6a{JtM*Hsaab(qJ;p08(_}4P4@0}OY8St{x(M_q%_fHEOTia%o zE#2~D2F#3NB!F$8E*oFJ1eBv1M-p2>Xe8HqX%JiCU91sVbSR9m_Ea3B^;AeLYtjle zv-eb>+Um@1=%L%{@OtppyZF9TA=|CugRO-D`FOc;2?#5;e6xuNvx(pCNoKMkfa!y} zJ`6C`U5!Y(<#~Ruqfo>bdD^ZR@Ye>fz==N{+X#@|k?P#MkhE((MW_Z8!Y6P8aZ+B`}ucwm``(xm$&t%-3 zks3B2E~=4zqnziuo!)X2j0_B$dT$SVFBl&8Z!fPQZh*GYs9f>_-ENq)$JoLt7ep56#V7w_7+%pW3n?cU z-VWA_n~g4(pIa;t$t2C?nd7%xEF#_{NAL=IF&Eb7$6Twzb69zuD7OuWT%k`wb6CNT zhAE7}kGAs$2-p2gn@EmKV_3ajsJB0UF^YJ9yp`&6wtU3zPGsc&F&%m(+@T+$?O~J; zGe3S+CA$4Jl-G&N^4Cx3ljTs*$B=)oN@YTyXiSb7)lhHe*ZwN0Ncc+5B?F_D#Hy=c zXFs&nSd%|oRwe#b++N<$d$2}U(EAWAasY@w;A8KF8+2mtwW)+Ke<0);>SoeIxEB2< znjimtrvHoZJ=1>#n%Aki@qgkgBSHTsh`(sdI7p7l5-Pg1Md#F<{wk?ayf!H4$uYe` z#urF@F>_RR6bfPChB0B&o(hsno%vhl=RjaB?C+5yk*D55p?&8g*A@oM*>E$nGJXT| zr_FbPz0-C1J5(W5RFlYZve^Wg_yRZtd^}uUZ$S}+0idZf%KSJs>kF3qopH(mifCz$ 
zMgU5C=lxiF&JZ3DP;y57ht1aQuAva$Vgw!VIUS7=%#l9(fw>ZlB5w`wT&@r;*}upfH{iBgW$U$6=avGeq)yhwNgPGd|(_y2wz@5|Nn(88KYtz|j8_xerL(9liMO%GYGzL`ATzNfJ zFn?s#;`|Y~BfZcj>GrZyW4vlKcVX9AbMxo9{IE>sM!f@{ z7KyMH+~!ouH$>Z%s8rQY>-GVuKNe_X&Jx4ZX%BH4?FHYcZ!!>A`T-zp?V#2#fxMI) z0^3i#*R&&;6|-fY6R5PH6er8+YEVAy+>C-mm0IT~3Jr*>)0Lmv3>-@g1RmE|TZNiX z!IG*CA=XL`l>2I$*&U&_0J6uNX%)WWZIdNxnQ)yIbr@N^jZ$X$bF;wxo>(Q+Ws;>KoTW1$9v=@kZ^aWZ z>f2xl*$t3Sz6^(Jvv`-g=FCp^`0dNVQ=DE zYlPfx1Q$f18e%r65Q_Lfis)|&=?@AWIPL@o)_gNY7R|U{sb@^@vQ5M1J`1Mz2h^|n z4o*hNMX8>4^`gEroN=AR&*w~EHb&mA-yiD!Dpl}mYOONFhYbu%Hc;jC^UycY%rr z?m9=DyotD4T(M+EtLYRSzePCM&+Nw&T{F64Pjg*5R$B4iqEKXZBMxOEI&8GTRDMlo zv`8`1HID0IR9M~wYG1+)ZPBOy1ce>H%jg>&@#kAx&0qpsRExF436Ww3@n$UO$}uO- z1>5p`l5T;@TkCmuWbB_^#EEOOxw-R!VGR+Hz<>ghCu zy)0OI+xj`z1pD;@!)Rgu=}HEmdH!+H=IbRy%&PUxM$&qPQO{d_e~F;Pb2H|A=HU`r~I(}q`S;7 z#@uU|o2!kYD|1TfZXQ#dr6+IlgWdr9K;QK)A7v3+lOy>!ikD3sGF}#rjRe-zbBB`9 zwL*BsW*JS4{Z|=sZ)WU8Bud*FGS2Ib%uyRhepf~+NaMOmY}@E8Au4R{?kU({StjRz z*scWh@_C_GYyRp5RoK?wQ;@+7OwRtO&i=cwI{F7-!dTd?zenCr`E%hBX0rPs7oHWH zCP9H;Kl-O27sgGU{ck^in}Spw3H?yK9rycaa^WL#;OXT4)qj`D9)MlHTZwsdWT+k# zTk=^xw0$@qKLb5(1s(&OZ{Mo&r|XRRd<8_F0xmXJH-HTsTmq|n`ntkLoygYoX2{C! 
z+0WezS3W=QgDPA)?|*`B;01?3ySra-ogr#z#k;W~adv*QZsV!p?CAYM`E6u8LYKa`%45%%=Ip>hv`&u}N$<%tY<}&4=M_ z1?{nUp#cidmXBz~#=I$aeId`;8Opn&qU0>4s)5vdoHecJ^2&Q0)bZ9Azs#ca-{EzqLg}%66YOV_z=_3>JI7#PO9*L{77hEgpVrs$!b33wQ`^ zQuets$EGg;9c0Qb#bR^N@SP(;n3HO*YUOXu9aXH)aBmNE*MHh!*V_mt3=H5|DLN}U zhm^YUSlVG#XH>i1Cy^SFXnx_#?b4OTww$SB=lXloP5qM)&kqOvK%M<4t`G7dVD~k6NOVs-IOM zh2S>wYr(=sFP2^}_9(@AoVkzyQmYGTzPG0;`slh%P?$-L-LEXpF5;b?=}(trqhl9 z&6JA`7yYyykP4Wg@5R=XbjFejE#&BK#*jpl^#2fCl7*Gx@Qmux@rhImT!M*cBq4SR z-JIW@(%$cH2<|LICYFoFl!rstMEKrAKxwn@?p4bmdea}J()|e@P^Adb=ZP7oUj@ud z){jV4KCZ1;yTetWiLC6E-P8?C;P`|DeVrU0N6rZ;jLoiD0Xvp`APjA&-P}i+y;GI#s=^0&>Q56rV^SQ#wOG<@kLNv z;+LqC80)Q3={cfZbL#h0)~Iz`zlJK%IS$iP(C9#eG=S$SMi8dlYMZ^-?kV|Xs$8HD zf{;Hs^xM%;-;Iq26q+Ipn({uU??*R3&dDyLmQ;m{GYX2|y@HXhy^Boq2zZeG{N~jc zxRMCRCSx)v=E9YO!T)#e>4y=XY`KbOqc!1c$R%`{X%LB&i$}LcZuv>2oD$Mz8>1B^ zCXWF$5uCpkq9XwSnxqqxUb1tdR1Cb0yL?|1(<*DAtf84E;`8Wh+p}wGcu-3!2scXj zT1rw!x$Mk!Us{?>b20y~;tWKahrH4vCznI){fXGgDh8cQQ`sGQ8vVR%YbyGZp#@ad4bZh+R8OVIrClmJ9_EgoLNn>5Ap7Gy zn04~-%Vx>nRT#F4MLuJqX8~N>J28;NWR3oSO8)PZlXLTbLpgyv|D~Kt{7}eB4X&@c z?G}9*F*Db9GA8j`rQRu@FwkRAdj%(?7F$FZJ0hr{jKLbaZ{$H308Lh$J6e-XnyL!* zC3jnV6kQHA%m}V)>M=|WY4$Dy-5jm^2tCB8al}9E-#e;UnyI9n8q`&yYj|(!RbY_y zvrC;R%*3ysPPG|SJm!S_oFX1LiI*~w%CE2`EC)6}m?lNHP_R^rx&s07+|lw9OAoP-EL)V1iO>PgwnCMGJUM@vpg zYD*Vh4NUw#x&(DH4e>ryrc%4KsdbDbVrF|0ui#;9RyWARD+YKy$; z$cm9o<xlXk(rCSjpdQ&nDXB&PjYxtP@%sJOhi7dysDcYTIs<9 zMDP{kJ65Rku5;oVJ(gJH*x%*6f5HDtGpS4dtz-Ns34BG4=HJg%==Dc!DUQzrbjpUJ z@#6HvlVn@V>)elcm|Z3IGCd>&aiH13xL`LhaHG_wJjMDd(4mqcpRk342~Dgk%(&aN z%MCD8+O^va=xeVHupkXJot_JeC94kRMQOTMfcE#(Q z+`9=*2hGGZixRTM9gEqtm}2W)I~~v2c9H8L@^&c<{Um_6u6kmaNjbIvJ4myMv~|Bl zU7n|G3L8Gu1pdJ6jvE6n6`Zbb8sGHDnFT(+j=f@fUMupxhMcFCw&i$4epTbILgXh4 zlc*yLr#29yHj@|%ZFGp&kDlqXf8RxOk%m(w1Nn)zXCnbQdDT%4&wb=b$eB*o4>&NS zy;h0u0Plfl$X;mwVw$oo0;dLd_Op3TM9Q~*HKI+pcR;E|abrU3A2Q_#OIaXWl%Js^laMqWnV*N+xL&> zL^t;FA~dj!_777eYux)22^Y`*WWFvv&CI5?o_k`cp}Mc{?^Q$^RW-FTJT<7makSxE zH%#gDL=iYQOs~$oR)jpasjl1>@5>meq8BO{duz*9IO>Wsl{I##KfP7jyS~>VOY_8& 
zsRP5igzdFwNmuwHN@^`(n0nPiQVor3=}0=)nh+U^t4);u)LWMbHO$_D8Px3=e80pa zl1YNVq?X?}qit`}Dkr*4J31@dIzcGwI2bJ|O)dU$^O;b9OF&!Ky@Fnezy9+ad7M`% zeD&gK21VijLY^=*|A@2_)ot$pp{F!t1|Maf<;bCyA|0x=>sDrwa+05}z}ao9-8NvH zx9u7mFJeT)vuFHeQM(+n*Vyg|0~!V+FXHzn`8z!-DKsjVdOQkO=+IXYBvMC|*g%Hu z$BRWL{)m4%?B5BI4uP?!2WFHEl_#!SS^WCkRsPx7x_dhqc7^6{<$ASQ(-A^BJT;{ugyX$GGZdNC&O?RzlZS7<8f zzt-8&QUAL57@~&$cUU-1D1N!bUmID-|3dJh`~QsdJPO|{z+#o$0&OA{KMCI{Hv&lr z2N8>HTdC;AUn`;{lc64{V zdbt4HEKd(##!pXQ&*o46-?Rp7jimX=^0#rcFB2Djz3IIKf|_wyOb2%BIeLJ=P9-rI zu;v=N+OSNIFGdpj%6}vVjEt1hN4#e_^SA8Z_x)>ssiM`E9uXWzE;n@&gOVzWKs~q+ zq>Ya+`TYh%Q|QLah8oZ^DQ-jP1~9;D>d;kT+g2G%e9OJNrL{9FbfC1*{+5Md%?qlx z?HNoU)LwJZy#lw%rPLiRdaTAU!Jn5&6MV8UHAm}xO?BTWPx$AY52uhJ?z&7WNRmt$ zH+N=r>EzxHi*wayywN@#W6c<7Yy9A=n%*?Ja$4>5oC$Kr{Ie6StTDgWCdoP-@%y(> zhs^$!;0v1?#V*_D`odXn>ls(8`f((iIzc=&kLcNf$(!7#!G)r(&i9WFr!&WvlJ$M1 zkk|Vccjsn9U}lsUmH9`dD&VB6ck2P^E;~DehN&Kpoj@?UVn9!70vG*aq@mjI>2c7C zQcrd|tS}k#_NMMadubxg0}DrI_yE=9>j9Bt>j0MBZARxYBe>D$xG5t@xuJ^gfJ`!Tz=Rg>MW)F>W>YQQ}^ zq43ir-OoR`!oP4O9c=5Cmzi?IGP4jg45ib5p_QeD2;!}5ba{T$&4~X=n-)`+T$L#V zufWqDYS>~BCzs4I_hS;x(*0a`vi)LRg`BO!Pj(^YD}8I(9y}$>`t;~MM>3XSWlRI! zTPAbM4f=-CoQQCTP}XpBpdYfG-s1o(&i)@(y9u*ue~~vyW`RM@ts!rM>$T*rS|i|4 vlgXN(J$N@_feGRcQ~=)4VzqzHC^R~ybjn%Qo8HI&bATW`U-Lj{z(M{8FnYid 
diff --git a/assets/rancher-gatekeeper/rancher-gatekeeper-103.0.1+up3.12.0.tgz b/assets/rancher-gatekeeper/rancher-gatekeeper-103.0.1+up3.12.0.tgz deleted file mode 100644 index 6df178060afaa64528d7a96d71d19cee1db85c14..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 17287 zcmV*RKwiHeiwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0POvHbK5x5FpAH=KYa?k%5EjjW6JV18U3E@DUais@jG$iV|(T~ zZ>3TZOhOXYB)|ng*`7G(v!B9^1TUf}o4!Wat%*h4yMacdyV1=c@h6CRV<^x$LNQ`% zdlSe+?+QlYPwk|Bzu({4+EV}a`~Bj-8~v@FpVqgw-mGu!Y;SCB{?uRJdb73u6X>_p ze{D**fb6IKt@|oY?ujHw2o+FZO8B4yfDZ)>>A2@ZAwtx{bPXngdYEtl!*Bq~%f<6q z@GgSFpHx=&5fgZXQIOWHEEZrMhw#cHFhT?H>1Y@HmiACt;XFA*-V`y8DH(v5|9S`3 zdmH^;-|K__mVdsLf4;1&D*NCu^w9w5kM3;v6&EO~tVj6(gqS3kmANru5fsE>yuuyli(8xuLfWQLykH=C0sCwiTDfCP%{`GaD>GGZ1i=# zUm1<|pg%#jPJlT)3(;Ys8Ir>1zhH<1C@>lS4?3GrdT#Tl#f*=NK01ebR>Hf`MLd1F zCQS8IZsHV2h$i9$`Bcq&vs~m?h{J>-eI^aS!I)51F_>M4!2;jDmkaD)q9_(0EmOij zz%vxiDEsN`-^dpyC`7)Xth&tJ1o`KBG=(9`pB3d3E@*U|gh+Rah=lfg6e58>#faIl zYhdf#{Y!xuf#G{7-~b4g*o@y0ku@kgM*1+?zl4YID0q?DMBDEf7W7p=-z-^&=HQEY=ju9qP>Z=B9$&YA?Sg~LcyM^o;+!jh! zV75@AxFkz}DIzj5`zSX?4QRFh_9h8AKf!;a0od;MJ0Tr^KvNVBz`@5~Kgpl(5y2>} z6VkEWnb~THu-FYE%q52Rr;>5XWyx;xpJBfA0h!Wpih_?BPwtFxP8nv_*#Di-bQ$6Z zj*+^`WGh7e0)U~Iax5sjN_nTX2s1_*3OvahY1T+_MtL?E00GAtgX%Wzv*1>(%i9yL z>LO0UFkPdgk5n8n#3di7vrdrDkc8^zFP)g719Lx<%s2~`GJxo49(|U z_c7(-&v?vWpsIy()n?FFHS{(PEGlZdvG9<0Hecj>RJXPb^QmUiHrt)J8powzFxz11 z_m~DJhF?~v77aYhKlkJ~7(oJYeZdW|c*hWzN1Z@Hchz(^x01bfy$hj0Tr{e90U24e zGg;>*eIYWU%twoMXR4(=N*rx<9dH+k9sqDO!bE{u{S-9J&JBeSLIdOww|s}`m08xc zo7y&Q2f0UyK$k+VFBpdO;)vlX4$&Cxb03B|mO+;BVGPf3hy~X4K&F7v*#7N--47qk z-i3;HIi^(nibJGj0EVEb0twmWzcHG`1Mu_DKWE=QQX(rAi~h+Gleeh8-b&8ytldg! 
zBMQofkel^9cXKU7Y)a&2x%-~*?u!{cLzXF?v80->A3tHCK1J1^?s|FCd%M|Nzxi^x zfLItdMqMxDw}}vO`b{4Mm?+qw-%n4EPO>fCB9VFOM1`S03C^fWpqO>b2D;p@8Ds@P zxyb?k05oP%q(93eBq;9rm+X8L-|cV(#$rW{_2YyH9HIAU1d~wS zD0~{lM~seeh|EBYkTgW>5E3}nOf)K7XABAopN|+C;mb64Lb>>e#06#N8EgZ>?K0TY z!sK5u&;6hK9Swa<5a%f&kwhxQQ&jpG zGfdT52qEYCDyebhS)sPiu)sc)gwIGG_7D@tR1}tn2>BrH*`jIf6tO7F zl1XtK=?2MV0ig6Y`Q2Us`LgwMbmd;RdwjA+tyrK`8~~js_u@fSwiYgy`_X-w z8+E+m!&g^ zP^3uY_WH&lHl*M`3F27^KTgzeq8T-wICaV~d$~D`iY@Xajzbh7B4DVpcs5jBrgTmb zO*jm#n0auKv0T9e@C|%7ExrIA7%`e|h8LV5JtV^*9iuVkLM~l(oC6T^bXFy5WQ1I^rGl;$ zEGGlwh)uDN6duf04t_~+D6m3n_nW*b^*AEI_wJWYqUCdY$L|%ii#NW)!eM97*U~`* zh2`;(k>X2&aX|i!e9KsrCZ(CllH}bA+~vq6DMCyvRmD#$Rp@^Oiee?_So=CbVT>5> ziTF0E;5qhRI~!XY1^w@v&CQ*q{`Wpo=i9fn*Bzy$3xJp)Ao*!PN9u27ztZcxUi<#N z^X;1l0yM$|fv$5Kkj1;e%L+(>33}RwP!bH#`%Bvs$daF?h%p=>a4jhi@xjif`V&Vd z$!LTxLD$O~LnKgt>mlwb$^~HB$0!NIEAXELhRVJSz&KWe?{)qM>DE}H0C$cOiW58qNuk<0WNSDf-?jXF2~6MRD(C8t%I&CmWMDNr2w^=DNt>hnFSg_J>*$S z|4=g+ylakFXPhZ8bSu4M4JlnY9c%9E!UK#MCSnA-|K#33dAHD-?st);HtX-)5_E7Y zH;ob0O1vukn#H0^soQrwj#a_#%o(`=*MA$41Gtv#MF@Qay8qP$-LKsn?5f>BuK6Iq z^5}=5WNG!7xnBKpNk;L{|OMFH0WCQIfhM{bK{RI5x+W_nKJ zdQL`2)OBrTC8w-}Jp)r$en6uU^2GpjKT;#$Lh^GaGwSY3g5I5tYiAhT+;8+4W?XS9 zVEic&aUwuWxd29pZUs+Tm0~FuVgM1ruI8-!RKaHi@JF(ZJ==tZkT%-19JA`jlXW{* z?hd-&z5&a7)hy~B`2PLdH)rRh{r6l&P*1hm%Wfdx`}aZfdIFBY_wQXhx+6z!-@K7b z+AsGnP_zURV=>`@uAi__2}s$Pryo6!Avsa|`)8TDgrJ% zPzbYr*PZ+u_2y`{(%wpBaTfes6_^H|8H&xx+EY}dDEw2d$F&gYVyaeCn@F*VkYWVWCcu|4ZokzuQpsASY0&JOwgv zq-C8GVM`CWLPSx3>wGnbojlJgKdk0TnYridcM5=;GycLL%d?o$Fp1D1O^6nmc_5O1 zA3-r07^JDuXu_fH)~@ix+~IFR-gM75r)__!`gy`;#-{}Z0}I+zXyELZN~uFHD_lJ4 zANq#$yi@J{Uy1!tpw5t6*n`h||F!w1aR1-vZ}t1j`~Q6;_d!mI`20(xwdwj95^%k9 zj!7^8nHKHTlzJbx|=`V@?G76GG{co z)_U1hfW82dmyDp|ishAM7()glBoO06eXmc;(ioB5ql3RTbrn|+88gX-y3%W%)C7tO zOMO5<#^6;U2MZKc=r?r*E*K``4gdnOF%l`$qkj%SY8~403tsA{snwztExW2c&>SojW?|)AJ1tyRKNB|~k5ox|wk5gu^0s}vda3u)( z=d`;DK4+tn3w0HgMp-?{FWJz(-vv4_!D4TTk{hGsp(*d5jj2srFpdY{Wln-p(o*!m_wO&Yu6hEQSfG5K 
zAF}%D?iJ$t-aJ7J3nj#P>0XXc^o2QX#^?$PrOc)0Wy(Aiw_VCT%~!))(*xZdBx98F z7!kbG8uD#xkAaCcG68@kAsT?ggp1>Z?DCE_=D-XE?-`Bv3YvYZ$c*#f-``6b0&+zILiV1A0L&APaVn4%BZH z#p3EcX08bOp?7QhX)*e5BtX#jX+j$N2$@6w``i8XBK=?QFW>*(OUgN9uyowetzC`g z91;IvXs)@I>i34Fx>n@*@~M-A#`|AAxd~7l(kn@;7ZC@|dH=t;+21bg|ILjh|93yh z-TyF-`C3W@-lw>JAOc_v_`EoT1Py>*ftgib1(8VY(oN|HrXywu&FF~b@iK=D>xy-9 z4fmC~{s#vEi=tq0Bs4=qBSg$cMPp<%K!=^3ft<5~71)Y*5m2R^bKl)qg^?{-HehfI zYx9euF@sy*QNU%JN{xW{VG_(VuIRZ9EsFh{;J@h#Xt)NNtbzsBL4%c$7dFGfyPHaE zssZ2 zNOkwRnum=~5HCGkO9PqVJfzrcN~YfBsZ>6X3n&uqkPLZH5Gv9x3%-lKf6v#qzF0in zQ0V|jw~(M*1c4!7vCq$-hzUFw3KE40?arbclCwMw3ee5wB6;-4KK}0@NRnnF* zmXqtHJAdYgZa$b<{gt|UTod2>^zn4};N$*r<@5)jh|iK~-^()Vkh9^-*arJrQ5gie zQKr}lcrRE=d;wy$c97>08#LQRo-CvXOwPj4WuFvCgo;MFZQ2d$1O6F5hGZnL^pw`Q|xVsl6XGyq#0{XD^H`j)q5VdWpJXT#0(rtWYe z6yPKpfJ5a1AZ<5ix}K}6-=bG8vkC(9&_eVloSN!?GI5`07^vpTpn3kEH#XiB^gr8g zc9!pd?v7Ok=S=2v(zMcFX|;#Nul~Yb;%r`?9DWNWneYe`qk8(rvcQ?Ckqp+I#F}A zGR;hp-aLBUhsA(ZDHWGh>ZHF~3rUIR9BE~>V=i7mW1YloL{=#$iUWg}+Om|4J)r|X ztLheO4bJAQpo}Amx{86iPdZ?yu-n%F0c7fLO>F*jUMP=^XRwRM0S32FX zf=f?4zZCQFIrJ>enwHR>WO*|iyoq+yY{ta^QuLKJW6jbSdS|-G!fL;Khh>x&9pg5k zQFqwC^}su47+$Q(-Sud+6Po#>;i}wiRI-)FNJI7P%(`>NvecV4=&#h(uMa)k2;tJBnoOzpC+2+W3EE?K7T25_fZmU{-)>_>1 zgdc@Qw^}V*!N)gO(N?Uwr>d?kPi4O9c21qe)VLMY^~NgQh1$B6dbjFKcs{D$ic94@ zwQqfuIZI-86obWZFteR%R6L~S`JvTfKTNuX{@282@aB4gnCJiDO}}5z|L$z>Y%cY` z_mSqGcWwlZ)NojN+*E4fk8Xa>MTDt|$yj+a!gOuA{y?ha`_%7R^^pxq($U0ol)Kn^ zI(S4?RGtd;txbz7@hsyvSLr3!!37qR#w)>0&mI@<0aW&NSYRhgb6={g7g1Ta=^gPF z^gpISfH_NI35~NP7^4}6K=bJT&dz3m{=a$CU()}3Ny^LnbR7)dfu8HQ?~pmTAPK-LLWS&iCF|V#{$2gy zke$>;QL&RB&A&wpHc9y)I<7P1;H*kE=M-OBEZvs;x4Qou(|;3YOu2wdwb}nksDN`_ zfy|@->pMmNZ`)g2OZ(4zNd^8t7gE3I^DQ+EJ$6g|aOBh72@6xs3A7$?W%YtHeJ6~o zA(K9hQ3b193fbvZ#obi3wYcTT74%v84s=6tdN-C7dJUhAJZnE{Pc=2A|CZ@zG(f9uUoQU0^_X5-D0{@+I`(*HB)_jHiJBK22UFcA~V@ZX9Ba>P2uHMm|E z$283Q1Xm4WN=|WvxPVbS03->+ALG1mcTR_?h>RT%z!+!FE&N&L7Gj0t9`BxGL7BsUa6JvBK5YboA(j+X16E0|EKdPu0xMCy@CUp4y+mBCA zyyW)1I6hVCk&R|8b&yhltWvL4eOX=9ybeoC`3|OT4S$u{(46taj81WY*xe%}HTZo1 
z5G~>+x-@Vtv#BN*6}sIbfD1myF)DyM;mGAJOWo_G`54yKi~t*zyUOf`w92C%+}a2e z7~;Q6+n{1_^QpnDMshnsbgT2O#ur#&;91EAXI?wIcgD@@M*M$M#^0oQ@}JFqG5*iy z=K98x|G$saD*wM^{AV)$P31&)e?h2fNn7UJ3Ei2aRL zJXe@D?{wjb3Jj(Wj>-@Yw+?f#B)HEr-G=_pCHyAM)&H&+<3H?d^q2hqy`f-y1zYlwaknPS@n#mphT>7on@@epX+h+a;|RmWykDJEkd%GI#$tx zt?{i9L9d&CbO28Pj9U_gC=EOF7SCD;mCgzG;TBGx)i*mebXoJ1dAh!)=A$B5LL4Rx zRlG?pO!-&0phmp1jj}cOFQK0uZ&rC$QYoavZDwY5j;`D=-T4K8$AmHqhs+@BJw^N@ z75kT3WR^CQ4|H1PFd=K>BNeG#SC!$`OpizD>kI9*;~(efY8CuLHK9zjtAV>;aA=~9 zb4`T47 zO)FYpTY9)#sJ^GH3T6m8=U2&S+(uSC^PXD}@@D!>*G)z#E45`#bM}t+cTe}tk3Wyz z+aHBT{kDl5PB;$G{%E9_P4JNtxrS@J3KS-Lnk%^!@!nT*$obsZNA+6E**xGJ{%@zh zu~FpzcD9!M-@T;S{NG>F z24aGMQ97%KpP2XzK`ygG3IjliLyuN^W)S~}CcuXTj4%lR1dJx*i5?Ce<;QV$1p+Et zgTRLzc^nar1)d_n5oG=ZV4}wGN4iacPXlxYIRYcfz{``YwO8Gj7924R_!^2QC_)T| znN#ONflK7)zl3yLC^E$=ep~))Oqm!_b^%#X$YAvHD*p)z0sTq-n-N#1AG5d)e2x1s zL}`xoI*&>@5_4#jgcVt)k{owt{!yy0&y3=j2@Ue!UVvXIbIpZ;m_Pv{EU?5p*!yeW z+vsofy|>%jTcyVJ`nv7SrL?Kbcb6x4*eX70u@iT1g8cIXb;2!n_$tS-o<18r)p09_ z@I9QK>FH2Gox9yTyl|)R;CHfMmzV7yG&R-#S2*eNwAJ8zL*P00|Nfhe;`_ht^_}e} ze*b?Wsp9@WH)L$(n{e%waiROXUOzwbC4O%FwL4eA-(>$|AK8B!y#koC|2Ni4@xQjV zx0d!l_mXDpWzAInU^YBuo_aCg4jspDw)K`d5hCVZh39MSt9ff{Q~eTxzFW<{wfR`~pKrd|BEYAh~aq{Z&<~n^fL~(J~a?-T5e5rn^hE=f4vvgmU3w z!UYV&1z!H?RDb@jZ}#65`TvcLo&NItzmHUkWXQ#VL9;sX)01x21>g({f0C*D{x?0# zu??j|RzDJR!oFC+lXKQqAGO!uKM57+x!wp$fhM~X6h^X7NxQoP;O@b40q+9g@kDe7 zpzCdSEAsUlKI5&qI{=!;NPHim00paOXha$EwA$Z1+pIce>sH96V6Y;3SY;5*=B>=S z6z0xj%Y)r8nCH!7bcO{_y^k|6=fg(PWJnTOVTHk;h!Gb%jAOGErlLUPf28DUYHU7Oryj z*utJir-)rJERd5^8JcMB@l+X>XrmN9XjWjNTZbm94^A{UJkd-j&6##haH5T3NW2Bu zgUoyc~K$2DDU&`eeT}wBi+3VZLAu|gT*)39D1NS^K$x1xAt;t&WCY}TeB2f zD(8>GX|=r&T4wIIj=H4VsgJ;3A86h63g&sU^j5j&koSFeO*!cbM!ImltY*p|>CI8X z`(AvDHb>Hr0QTATDUO9oiP#p*OB^piI#>Jr(SN5-e)Lc4{inh=8fd~~wsVfv+KEBdbBay>(O2Auc{~f%Wan1W_RM! 
zWd=yIC;ZCNt@;uFA{biiyjptQdd_JP{ZA5)84MQj{HW6${m;h6)_O_*v$fR!+)Jvs zzW-^^e4qNC+yYxFgBl)s8N41)88mCTET#-<+DePcprz*KE;KhY5ZQv}rg6)6uDK~v zEAUW?i&~J>iau*=F0Qzki<{@6xR^1`$ECQigZ#myqjuW2P+Zg$xc|mRqw$#f52gskpeQ;-bjLJdEV-elIbPO)v2y;^3JmDHc7m9*dIVacdBM z$PICi>V!Oe+tn?U@5M_+!y`|%@_%K2n!Xsj@f(o&{(p<||IPl+GXBTCqy_!Inc|QH z;FViv{=1Qtg)E$JqhXl6YJXr=!TsvTm#;CNj!gd}vQLtmzeQ;A9mbq?7nSAT>7$6U zjQ>s^MEsy8noIug0a7jh$IyQg%ut}I>cVy(HqGPzw%!!uzxCfN^o*OMoi$MI6p$1%d@yrOwI)> zY7dKSh+7;o2CoV^SfHp>+*Z(zO-q@x#%e%_uBtxQj9DibhV%jj$7qZ$8#SQ)fuw%w z^iS6z?)lqt9A}`|kTD&A>$Hy;`sZ+rDwa;hHzD!WpyE}A-&J6h4RxS+#wwG)7hd38^>bCV)RjS6`gE=rTsW z&`_TZh|vJae%qX4A2M@6s!Wu>-j9;>V|(a7H|&#_hx-_tHA%QZ>+yr@_+Y{3O9a( z@x9~s+!e~1=PyaR355ClHss^kCTLZ1%_wTOGvynElva2TA(p%cnw7m$LO{}RS z_s6@Wim<-nJCT(2X!0ne`Z36S$-JxIX;`|sc4y{Fn7f|ZLavLJb}(;cH)qg4r=!sa z9APm~m$iD0PZKPIrDo`%G(-7^5FZ;-`$aTLO2NYy(;QV|zM`RNTrNMNiv>!`xYxdJP) zR<&_+-`z_!rp>oBY_2nFo@3NpY0^Avjy0Cd{TgMSto!3=@gDkayG-*_t^CJmT2eMc z()=5UfadxC-`dzN%75PUm;V3nCA}~NcPzlG5E1Yyr1U(ALAUOb-A%o*%iCHPbmjk7 zRzM$k-@kWWD01+R5lx7aVF%b3P6kK9W_E2y$$HCm~#KW!r*d61WVkWT@BS#4nt9I5LHFo%zh{zw@^ zJf=#dC#&dN7SPvJTU5u2#9U|g6oHyMJ?FLjX29;zL3-m&sgSXX2S+DIT*ra6^u-dNm{A`gNtk-w zJV~kf`=Rk)yZ@~Xy=H5;7c*q!g)P4SSYO}l@08wu^q2epUXuHugR=aij#&>uRw|1f z8rEyYdFjE>pTwRUdg0j6v1&ynMkdkL%MT;VE-c%nJE;b5MADsI&R)I{`O)+M3wnKO zy323-YUJkqwCE9PCXE3Noj^I;%$fU*y+ADnl-XWo7Helg4^fL_uBpeF5;W80+4Ma-FEc%bPls;60q9 zotY?l{y4&EN0Oh%A6<&Cn9IgfLHYtR^Rm2>gd&IUj z@w)T5>9lLk?go>tJ#6al-%sCy_eb9Kcj7*120(9WDqM4KS~>}OxKttk?a2kHePXuL z$2|Sd_IknoV|{ylYbpP|m-GT0K_L($90&?D*1^RD5pb5^P-$7s!(86$ya1;Y%mGj0 zm@>fupP(=V ze=q3;*qcByMj;({cEeEe%Sz4ZtFIi47>$&gG>N%j2u9%3(JuHcT`fihdV#|boFM>% z00okgDD|k^Qk~9=7vS@edE9R}K+x}h0Up@sZ}h$X&)#~!^Wwz|uq!KfJg{%HL9*M- z#AA#IVo*>9FabkDl$0KF*iqG$fe%(K{HdN51Q}-`hcwh0XlJQ=TFN?fYK$lYzoRe$ zo4}`03SMXH$0wq_GU#mRA{XiF8W8oJ7m zUd_N%>^M!72Ala@)N==rgJZpk!32^(^6;6XR5c$BKQj=`GN$;i*#F1-yYCP8+uHo| z_W%0!&gORU{NLJKU&jBrm-NEj%WC28$u? 
z%z{DSaQR>&M9c?kYcxj0Tw**pMnuTtd6JyTE1t8|)XL;ebH;J+a5(IAzMdciKBswK zUfIU&g(;vuS3lH$zRE&tD|*G#D3UuZpneh|qOWVcuWDA-nU$88 zb7%?-8G^wT(0AOR^AGj1Dy{F4irSx#_do3Kp6q}9xO=$&#VO!`rBfVh)j0?x-R_{Q?1s8S)j8HSB6e+BXzHVaO?9iq3LvTWIdnfR3~aq4GfivOB5j zTrLr13xtfRp=OXrGz{qlw+G2DhzoGUpf9j5+33!vSoO0$=RzvERw7tXO-Rk0y6X57<7&k4W*&NeuT#i z3e@A1A>cm4akT*_Dorj2WyN!71ggRc+FWUTQ#VkQ;V~vKw344ya52Fl0&?WC6FG5% z?o_1L0|!EWA%+_1)!~SJN;LqN3=dSb06`b##PuNoI8tj*VorPWmSv(UBsoxNgc=6{ z)l@{GptN89^)A~m6${0zznjypBI(|c3wd(}K@c>?K3|(|e4TEZ`D029RWN%s{ahvw zl0NKTq9_(}dLOgZcWRe|Mg&X*jiA6j48tqHk`BS+93C|K`07VH3@81z+kxRdi(i5Z8xz2upCg~cyN18rJ^#3SH z&RVId+i0tE4F=u<2`pItd89UHtzbUiA9fz&yFp+S6*D)vY!bLzoVTz(9x`2npZP|9MkX# z)AqZBd1d&SLhmYY12A?g>TRIQrS!o6Ob`LKE(|Fd>$7$^{|+!*)q1j6ccJ822?3CU z7%~CqsIHNrVvwNn)r$!hX>5r$;B<$qc}2jF9K%vzS^R`4enrDbE_fFe&nR7kp`5Gs z;j||IygB$Az`Vel{HQF;@J;XSW^cWPmEHj61qNlwx3tZ-%n2q0mV8SKZPmg20%CEB zBSaJ7_I^qQ41vIrGQ^ODQuf8A=7NGV(-O#FWyUBSl?8fGA3@zN^T4OP0yYt z^}kDzqWds!R`1HOic{`K0Q+5@p}EJIGkTXWm*s$c2l@j*{Td9|< zBhnZ_coRlT;gJ9=X3)XLN*Lo^rYtt+;l875jgvKwLIChBer@TI!DqOE$EFV)>9 z-G#cl7UoNJcT4K-M$leryYED5JQwCmZTIId!ve6{7s>qTa2!wSrj$!}dF4;<)vf?$L1;^=SsDW*bb3f9i zWA@2C?|}pDJBuT+s-Gz7=5k#O0p^n41dsr5Up3-h@Gvqj})&jajty3Xec%odlIJqM__ zE-$MNzA&@*o65_cGVJe^w#*fnE#+m8TVCb_AZ#)%>y5G;C-C{Ew%`958y6*6oDci! 
z%<0?ldkzw=jFU3QXKV8B=VYg((w)M*{Fu1Z`y9p}1`#F}>PoudI*@N;&<~K>W{4zM z8feJV-kUT23gA!e9L}XS59PE?3-kFJ@^lmnG5${+?5!F=+BPlB=WEE*Q7p*#KWV79 z$?&IbTA0t*kf)=#A>;ofVSlHzWxj?y9mPz>-x&NZ8UL0T|DEma&5cH^zba{Yf0zVV z91wxn6ow6ECil=t?H%G@Y4z5{1p5=+5Wrmd>v&%28Voo4Z9ZJ~DdB=aOvGQ9>Q%u% zNIEp5dkORiUg9W;zzaY}2H4ZIvT_H`guYKhr~P)u{1E9H3^&?@xdPd*j7EFVpUmaX zufZui*Lqq;RhWD_a=aT0YEX~{gU~Ba8hOc}eh7s>`2!Pmgw*%1O867x zpF0pXF1^n&3Al=dtwM=Nh6skCLt;1x&=k0*$6z33KDz<^=gvQs-jtN}yvL+}Mk41&zT3@X8jRVv)g;eiRqaQn8ZV4i5Q9YM*h@yRP)}xVKim38m^MP5u8jh4cI6tz_P~+0XCzcv%t8Sm zF>ysC26fjFf<#%|Gp?e`_?Y=gG(|)>!AxHAbaIrWn=m0E;#{`C6NWf|3;_Yp5s}mI zDG`i@U_vj7ed>4FIjxE|VyiM6_Q1za zr~3nNFalRJF|k6GE8|swh@>wH$X7IBxvR6JIb3L*$N?fUqRdANKO1Tr=GD`j-Mcmk zsiGPZ0p`^MO&jWg_Y`sUoa%zIa|7EtL_flNLEASg4fFj=ff#||dnjOi?*`_`Q~<%8 z8c#8`XabUf_%|Cj_t+4D{mU2Y>LVFbixpvbKk!PS{J2U z10~U!R(|-D_~xOJ55th>xD*pJ9;uj)0kWKYnd$BUZygwwyK?kDg<+x?k>5TY?*2bV z$Dj62dca=QbkNJRR0OX;NG}kR69UJ(halmSy@4dqZGyd{KY^GqDnzIv?4Kq?8BplR zlQb4M!hdUTv`Vc2W9VaX)l(q%+VFXvf*c8keg2Dv$~*zfH8|AeC0(IR$lHvz2kGgH ztn(c*Gyubx(FlnNO89UU47q^*dBE@#v7rv6s2<|^lJ$6uN2gBLVEDP4O{9ApyBq~` zCDv^wn5+~{9_AZ(euBxOXwpLLCW6UInAZx)>MxguTWM2 zcx(4mD)g)Ye+`BoktBz0v{i=rEd-NwM5cwoK8n<)Sh4{5T7k>0L@vdB@MHuo?O*>3 zFs~H^KRHows{MT+LGT?Tt5!ESOFLLP1D=&`uzl@d0p_(5$+l#Y4=Z830i4>FNk&-g z+NkjRa$nc2&1PdjbT!@34 zK)qyKcFd^|4hg9eu#;BG7{1;2%A@Y(&-uu4?h0-sWpR-$}puhz01oL zPMvgt___N<0HA%RXq9eSYkJpC(VCWj9;w#V;({1(VXoyY^Lx+MxveAM*uG(Yrl~zw zidi3BXm6oE-NDK}zfXhbqu8+c8e9 zFP!HL_F}qwG)$EF-w|b%{sOgeAc$r54A?)rbPa|-_kV8ZA$T>+<4S1T-i=KYb=YP1j)9j>&5^7D7Blts%iSw#31#hN^K;BQiFAg-Sx=*?3r0W-$^6 z$VUMpJ_1x86+_$25L`?UalC~*zGMR*RUeQHQ{~t!gq#=bhp)kr$pya5)~3VHon~Ky zp>{jwS)H2Cu)sdN!JEoiOiAiRxa3c+!hakkitEmn>hp&Fw~_YnW;{FdBo0x8h=8H` z%m?7}&p-eC<$I&nD&da`29^2#b>wvDi(KS%YK6Lb{SJ%>0N^R?>%P;|$tJWpcd2K4m9iB(RjP31hyha@PQduy4`6W(R=9@V=`IZj=`fVrUp3}fms z8lop287xb8e`FJV$m+wP5GLaqoJ?pE1^@z6%o^LwzQ4+Y+-C@iM|m^7S!(kTzsuAF z!Jk@j;uH5e;rFQF$<9*CgK5G;9XR2dsTi>i9 zU#DZv_r8F>`I+IN?Q_dQzFEALS{3s%gLE<74dm;Dw)x&?32=?`_Ur_CMyYK9u7P=t 
z&^F(D>B5--JSWP1HmQA?tp<5hsZ%D)(olZB@+&vp$pgGv`BlF6YFSoF&!6zkdUk4C zmZf3dG`P@Gmi4G*S%zrUSb62ARkZlhTjzPFwk^Ii%2VAQ0c6wo&{DzdO%+7ZobC5-9~4**Muz!6$A&Kiam<^^wS^}VNF!F~*ItJJnwH>SZJO^BEs9x~s%8!EDr#wdUb z`kcaa%CoPn0D2PUTs^35N?sPAE&Tbs)NOs82WP#C#}kuW3B;5m!728ig7?kVc)WC-vnlpbPh7qRWG3<)25&WLyVF zw}rh6^N_;e7Z^g~%a&*NF4y_Nk)$U|{Y^*UgHzKscgul2vUClGt*N_Rm}_Cw-*W^b z**aHZ5kVb89{WZPOdM&|vq)`=qSzVqd)n5fQSTo5jg&3cW*(@4NoVv z7~Dj=YBZ5x_7D>X@YPoBux4XZvygK_8)RepXu=!lYD$`*5sQKxj-FS_2RXRNy=(U5 zv|B<_=fw-KCs|K?mMC-DJ>`{`cRI#jHA5r)g5Yzmn4sWy6h^W*6JK6UgoycIZH>l= zc-mOaQ!br)V=N}gnY@{2^I5w_|L$z9Z~wHu zwe@CwYiE07YxAf6`u67b_D`VSM(6WV!UbeM^>5u*adJ;2y#U901%OXSyUy*s(@}?= z+Bg7na0WRF03D5N_?RT-f*}}z&-sek1~=Q;r%`#YyE|Mkgw`S`Zyjr@KknqN*uC5N zRc&pCls`=t8K#LSSM|oIOpeR=QeMrd5ltBQEXhYUG_&f}*c4$gAJ(QDy~{O3)@TgP zmXIS{=}B-P3k~fMRmX%H(J-VJD!dYnVoDGZe9-B51#oJ@sqXBaedtpvgE@fKd>4^1 zCdLyKqf;EnE=-=r#h6aziAjua=|57@ru7HQd+I*rNDI=DL)p`3_nAccxXvkVj*<*) zdGVWA|^!r_wTi|RWECmuf53nO$(T=R#IaI6Kq1VP?!kBd=v|= ze7(cf(T+uTKR8S1PWw<{<5mcx> zMq>&>I>x@@yY1|Z!Mm|<0pfQW1yg`lmFT;TrugCJ;Yb{Z60(*kM6uc&2IBHw zqxw?8NTAF=!z8_!R=|i4!7JQDJ#ZlhDhHT0wW4FPIriAOve^`=9aUCa(3SbL-n!UF z1rE<4`f0}T{_gw3{hs1p|BS~B28Jhf2AX70w^-W4pN%ACK(0Nx0dadZ9!pmNBv)x0V1!W^n5and1mv9hSUrzYqm*Tj zPL7=YRYnUYU<9X>X>!Fe8HWhy+3Ds7b(1ZRT8B5Wpwr<@44tc5qQGEV4M!sT=;TNe zeh45K%6pJ)Y6xDTDIyY_vV#Z`9pKpy5hNgqvq`SVMTAY9s1V5+r+ddbepRdFjL~yM z02h*|NPrdMLh;0(XyDpNNUDu246^Pbje`8j449a;I9x4EVHF_Z_f~omQYoyM#xMtC zBmftQf36R8%=O4tL9E9tNuea~a)_42m3z`9BNiB{-Q0|g?yA@6{25b{2C1rB$bwpH zM3J(JYQ}o)R4gyoN*N2e;wLa1Wn15}Df$q@JQq;F4oRC#*p;8r2em09M6?)0u9G4K zOM?mAhJ>Z3@7jtzY0i+O8bKPyY9=N|mda~a`Mi?CXE;xhllRS$h16D|4A2Fro~1gJ m^m&sja3UZHAPe|XKCn#7v`jx#`u_p|0RR88p<{ypOacH$qTLk$ diff --git a/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/Chart.yaml b/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/Chart.yaml deleted file mode 100644 index 531cd37e2..000000000 --- a/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/Chart.yaml +++ /dev/null 
@@ -1,10 +0,0 @@
-annotations:
- catalog.cattle.io/certified: rancher
- catalog.cattle.io/hidden: "true"
- catalog.cattle.io/namespace: cattle-gatekeeper-system
- catalog.cattle.io/release-name: rancher-gatekeeper-crd
-apiVersion: v1
-description: Installs the CRDs for rancher-gatekeeper.
-name: rancher-gatekeeper-crd
-type: application
-version: 103.0.1+up3.12.0
diff --git a/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/README.md b/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/README.md
deleted file mode 100644
index 26079c833..000000000
--- a/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/README.md
+++ /dev/null
@@ -1,2 +0,0 @@
-# rancher-gatekeeper-crd
-A Rancher chart that installs the CRDs used by rancher-gatekeeper.
diff --git a/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/assign-customresourcedefinition.yaml b/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/assign-customresourcedefinition.yaml
deleted file mode 100644
index ce98648ba..000000000
--- a/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/assign-customresourcedefinition.yaml
+++ /dev/null
@@ -1,757 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.10.0 - labels: - gatekeeper.sh/system: "yes" - name: assign.mutations.gatekeeper.sh -spec: - group: mutations.gatekeeper.sh - names: - kind: Assign - listKind: AssignList - plural: assign - singular: assign - preserveUnknownFields: false - scope: Cluster - versions: - - name: v1 - schema: - openAPIV3Schema: - description: Assign is the Schema for the assign API. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - properties: - name: - maxLength: 63 - type: string - type: object - spec: - description: AssignSpec defines the desired state of Assign. - properties: - applyTo: - description: ApplyTo lists the specific groups, versions and kinds a mutation will be applied to. This is necessary because every mutation implies part of an object schema and object schemas are associated with specific GVKs. - items: - description: ApplyTo determines what GVKs items the mutation should apply to. Globs are not allowed. 
- properties: - groups: - items: - type: string - type: array - kinds: - items: - type: string - type: array - versions: - items: - type: string - type: array - type: object - type: array - location: - description: 'Location describes the path to be mutated, for example: `spec.containers[name: main]`.' - type: string - match: - description: Match allows the user to limit which resources get mutated. Individual match criteria are AND-ed together. An undefined match criteria matches everything. - properties: - excludedNamespaces: - description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' - items: - description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ - type: string - type: array - kinds: - items: - description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope. - properties: - apiGroups: - description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required. - items: - type: string - type: array - kinds: - items: - type: string - type: array - type: object - type: array - labelSelector: - description: 'LabelSelector is the combination of two optional fields: `matchLabels` and `matchExpressions`. 
These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector.' - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - name: - description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' 
- pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ - type: string - namespaceSelector: - description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - namespaces: - description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' - items: - description: 'A string that supports globbing at its front or end. 
Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ - type: string - type: array - scope: - description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) - type: string - source: - description: Source determines whether generated or original resources are matched. Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of `Generated` will only match generated resources, while `Original` will only match regular resources. - enum: - - All - - Generated - - Original - type: string - type: object - parameters: - description: Parameters define the behavior of the mutator. - properties: - assign: - description: Assign.value holds the value to be assigned - properties: - externalData: - description: ExternalData describes the external data provider to be used for mutation. - properties: - dataSource: - default: ValueAtLocation - description: DataSource specifies where to extract the data that will be sent to the external data provider as parameters. - enum: - - ValueAtLocation - - Username - type: string - default: - description: Default specifies the default value to use when the external data provider returns an error and the failure policy is set to "UseDefault". - type: string - failurePolicy: - default: Fail - description: FailurePolicy specifies the policy to apply when the external data provider returns an error. - enum: - - UseDefault - - Ignore - - Fail - type: string - provider: - description: Provider is the name of the external data provider. - type: string - type: object - fromMetadata: - description: FromMetadata assigns a value from the specified metadata field. - properties: - field: - description: Field specifies which metadata field provides the assigned value. 
Valid fields are `namespace` and `name`. - type: string - type: object - value: - description: Value is a constant value that will be assigned to `location` - x-kubernetes-preserve-unknown-fields: true - type: object - pathTests: - items: - description: "PathTest allows the user to customize how the mutation works if parent paths are missing. It traverses the list in order. All sub paths are tested against the provided condition, if the test fails, the mutation is not applied. All `subPath` entries must be a prefix of `location`. Any glob characters will take on the same value as was used to expand the matching glob in `location`. \n Available Tests: * MustExist - the path must exist or do not mutate * MustNotExist - the path must not exist or do not mutate." - properties: - condition: - description: Condition describes whether the path either MustExist or MustNotExist in the original object - enum: - - MustExist - - MustNotExist - type: string - subPath: - type: string - type: object - type: array - type: object - type: object - status: - description: AssignStatus defines the observed state of Assign. - properties: - byPod: - items: - description: MutatorPodStatusStatus defines the observed state of MutatorPodStatus. - properties: - enforced: - type: boolean - errors: - items: - description: MutatorError represents a single error caught while adding a mutator to a system. - properties: - message: - type: string - type: - description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type. 
- type: string - required: - - message - type: object - type: array - id: - type: string - mutatorUID: - description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch - type: string - observedGeneration: - format: int64 - type: integer - operations: - items: - type: string - type: array - type: object - type: array - type: object - type: object - served: true - storage: true - subresources: - status: {} - - name: v1alpha1 - schema: - openAPIV3Schema: - description: Assign is the Schema for the assign API. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: AssignSpec defines the desired state of Assign. - properties: - applyTo: - description: ApplyTo lists the specific groups, versions and kinds a mutation will be applied to. This is necessary because every mutation implies part of an object schema and object schemas are associated with specific GVKs. - items: - description: ApplyTo determines what GVKs items the mutation should apply to. Globs are not allowed. 
- properties: - groups: - items: - type: string - type: array - kinds: - items: - type: string - type: array - versions: - items: - type: string - type: array - type: object - type: array - location: - description: 'Location describes the path to be mutated, for example: `spec.containers[name: main]`.' - type: string - match: - description: Match allows the user to limit which resources get mutated. Individual match criteria are AND-ed together. An undefined match criteria matches everything. - properties: - excludedNamespaces: - description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' - items: - description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ - type: string - type: array - kinds: - items: - description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope. - properties: - apiGroups: - description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required. - items: - type: string - type: array - kinds: - items: - type: string - type: array - type: object - type: array - labelSelector: - description: 'LabelSelector is the combination of two optional fields: `matchLabels` and `matchExpressions`. 
These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector.' - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - name: - description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' 
- pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ - type: string - namespaceSelector: - description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - namespaces: - description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' - items: - description: 'A string that supports globbing at its front or end. 
Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ - type: string - type: array - scope: - description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) - type: string - source: - description: Source determines whether generated or original resources are matched. Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of `Generated` will only match generated resources, while `Original` will only match regular resources. - enum: - - All - - Generated - - Original - type: string - type: object - parameters: - description: Parameters define the behavior of the mutator. - properties: - assign: - description: Assign.value holds the value to be assigned - properties: - externalData: - description: ExternalData describes the external data provider to be used for mutation. - properties: - dataSource: - default: ValueAtLocation - description: DataSource specifies where to extract the data that will be sent to the external data provider as parameters. - enum: - - ValueAtLocation - - Username - type: string - default: - description: Default specifies the default value to use when the external data provider returns an error and the failure policy is set to "UseDefault". - type: string - failurePolicy: - default: Fail - description: FailurePolicy specifies the policy to apply when the external data provider returns an error. - enum: - - UseDefault - - Ignore - - Fail - type: string - provider: - description: Provider is the name of the external data provider. - type: string - type: object - fromMetadata: - description: FromMetadata assigns a value from the specified metadata field. - properties: - field: - description: Field specifies which metadata field provides the assigned value. 
Valid fields are `namespace` and `name`. - type: string - type: object - value: - description: Value is a constant value that will be assigned to `location` - x-kubernetes-preserve-unknown-fields: true - type: object - pathTests: - items: - description: "PathTest allows the user to customize how the mutation works if parent paths are missing. It traverses the list in order. All sub paths are tested against the provided condition, if the test fails, the mutation is not applied. All `subPath` entries must be a prefix of `location`. Any glob characters will take on the same value as was used to expand the matching glob in `location`. \n Available Tests: * MustExist - the path must exist or do not mutate * MustNotExist - the path must not exist or do not mutate." - properties: - condition: - description: Condition describes whether the path either MustExist or MustNotExist in the original object - enum: - - MustExist - - MustNotExist - type: string - subPath: - type: string - type: object - type: array - type: object - type: object - status: - description: AssignStatus defines the observed state of Assign. - properties: - byPod: - items: - description: MutatorPodStatusStatus defines the observed state of MutatorPodStatus. - properties: - enforced: - type: boolean - errors: - items: - description: MutatorError represents a single error caught while adding a mutator to a system. - properties: - message: - type: string - type: - description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type. 
- type: string - required: - - message - type: object - type: array - id: - type: string - mutatorUID: - description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch - type: string - observedGeneration: - format: int64 - type: integer - operations: - items: - type: string - type: array - type: object - type: array - type: object - type: object - served: true - storage: false - subresources: - status: {} - - name: v1beta1 - schema: - openAPIV3Schema: - description: Assign is the Schema for the assign API. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: AssignSpec defines the desired state of Assign. - properties: - applyTo: - description: ApplyTo lists the specific groups, versions and kinds a mutation will be applied to. This is necessary because every mutation implies part of an object schema and object schemas are associated with specific GVKs. - items: - description: ApplyTo determines what GVKs items the mutation should apply to. Globs are not allowed. 
- properties: - groups: - items: - type: string - type: array - kinds: - items: - type: string - type: array - versions: - items: - type: string - type: array - type: object - type: array - location: - description: 'Location describes the path to be mutated, for example: `spec.containers[name: main]`.' - type: string - match: - description: Match allows the user to limit which resources get mutated. Individual match criteria are AND-ed together. An undefined match criteria matches everything. - properties: - excludedNamespaces: - description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' - items: - description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ - type: string - type: array - kinds: - items: - description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope. - properties: - apiGroups: - description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required. - items: - type: string - type: array - kinds: - items: - type: string - type: array - type: object - type: array - labelSelector: - description: 'LabelSelector is the combination of two optional fields: `matchLabels` and `matchExpressions`. 
These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector.' - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - name: - description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' 
- pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ - type: string - namespaceSelector: - description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - namespaces: - description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' - items: - description: 'A string that supports globbing at its front or end. 
Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ - type: string - type: array - scope: - description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) - type: string - source: - description: Source determines whether generated or original resources are matched. Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of `Generated` will only match generated resources, while `Original` will only match regular resources. - enum: - - All - - Generated - - Original - type: string - type: object - parameters: - description: Parameters define the behavior of the mutator. - properties: - assign: - description: Assign.value holds the value to be assigned - properties: - externalData: - description: ExternalData describes the external data provider to be used for mutation. - properties: - dataSource: - default: ValueAtLocation - description: DataSource specifies where to extract the data that will be sent to the external data provider as parameters. - enum: - - ValueAtLocation - - Username - type: string - default: - description: Default specifies the default value to use when the external data provider returns an error and the failure policy is set to "UseDefault". - type: string - failurePolicy: - default: Fail - description: FailurePolicy specifies the policy to apply when the external data provider returns an error. - enum: - - UseDefault - - Ignore - - Fail - type: string - provider: - description: Provider is the name of the external data provider. - type: string - type: object - fromMetadata: - description: FromMetadata assigns a value from the specified metadata field. - properties: - field: - description: Field specifies which metadata field provides the assigned value. 
Valid fields are `namespace` and `name`. - type: string - type: object - value: - description: Value is a constant value that will be assigned to `location` - x-kubernetes-preserve-unknown-fields: true - type: object - pathTests: - items: - description: "PathTest allows the user to customize how the mutation works if parent paths are missing. It traverses the list in order. All sub paths are tested against the provided condition, if the test fails, the mutation is not applied. All `subPath` entries must be a prefix of `location`. Any glob characters will take on the same value as was used to expand the matching glob in `location`. \n Available Tests: * MustExist - the path must exist or do not mutate * MustNotExist - the path must not exist or do not mutate." - properties: - condition: - description: Condition describes whether the path either MustExist or MustNotExist in the original object - enum: - - MustExist - - MustNotExist - type: string - subPath: - type: string - type: object - type: array - type: object - type: object - status: - description: AssignStatus defines the observed state of Assign. - properties: - byPod: - items: - description: MutatorPodStatusStatus defines the observed state of MutatorPodStatus. - properties: - enforced: - type: boolean - errors: - items: - description: MutatorError represents a single error caught while adding a mutator to a system. - properties: - message: - type: string - type: - description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type. 
- type: string - required: - - message - type: object - type: array - id: - type: string - mutatorUID: - description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch - type: string - observedGeneration: - format: int64 - type: integer - operations: - items: - type: string - type: array - type: object - type: array - type: object - type: object - served: true - storage: false - subresources: - status: {} diff --git a/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/assignimage-customresourcedefinition.yaml b/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/assignimage-customresourcedefinition.yaml deleted file mode 100644 index bab801672..000000000 --- a/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/assignimage-customresourcedefinition.yaml +++ /dev/null 
@@ -1,237 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.10.0 - labels: - gatekeeper.sh/system: "yes" - name: assignimage.mutations.gatekeeper.sh -spec: - group: mutations.gatekeeper.sh - names: - kind: AssignImage - listKind: AssignImageList - plural: assignimage - singular: assignimage - preserveUnknownFields: false - scope: Cluster - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: AssignImage is the Schema for the assignimage API. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - properties: - name: - maxLength: 63 - type: string - type: object - spec: - description: AssignImageSpec defines the desired state of AssignImage. - properties: - applyTo: - description: ApplyTo lists the specific groups, versions and kinds a mutation will be applied to. This is necessary because every mutation implies part of an object schema and object schemas are associated with specific GVKs. - items: - description: ApplyTo determines what GVKs items the mutation should apply to. Globs are not allowed. 
- properties: - groups: - items: - type: string - type: array - kinds: - items: - type: string - type: array - versions: - items: - type: string - type: array - type: object - type: array - location: - description: 'Location describes the path to be mutated, for example: `spec.containers[name: main].image`.' - type: string - match: - description: Match allows the user to limit which resources get mutated. Individual match criteria are AND-ed together. An undefined match criteria matches everything. - properties: - excludedNamespaces: - description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' - items: - description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ - type: string - type: array - kinds: - items: - description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope. - properties: - apiGroups: - description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required. - items: - type: string - type: array - kinds: - items: - type: string - type: array - type: object - type: array - labelSelector: - description: 'LabelSelector is the combination of two optional fields: `matchLabels` and `matchExpressions`. 
These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector.' - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - name: - description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' 
- pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ - type: string - namespaceSelector: - description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - namespaces: - description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' - items: - description: 'A string that supports globbing at its front or end. 
Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ - type: string - type: array - scope: - description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) - type: string - source: - description: Source determines whether generated or original resources are matched. Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of `Generated` will only match generated resources, while `Original` will only match regular resources. - enum: - - All - - Generated - - Original - type: string - type: object - parameters: - description: Parameters define the behavior of the mutator. - properties: - assignDomain: - description: AssignDomain sets the domain component on an image string. The trailing slash should not be included. - type: string - assignPath: - description: AssignPath sets the domain component on an image string. - type: string - assignTag: - description: AssignImage sets the image component on an image string. It must start with a `:` or `@`. - type: string - pathTests: - items: - description: "PathTest allows the user to customize how the mutation works if parent paths are missing. It traverses the list in order. All sub paths are tested against the provided condition, if the test fails, the mutation is not applied. All `subPath` entries must be a prefix of `location`. Any glob characters will take on the same value as was used to expand the matching glob in `location`. \n Available Tests: * MustExist - the path must exist or do not mutate * MustNotExist - the path must not exist or do not mutate." 
- properties: - condition: - description: Condition describes whether the path either MustExist or MustNotExist in the original object - enum: - - MustExist - - MustNotExist - type: string - subPath: - type: string - type: object - type: array - type: object - type: object - status: - description: AssignImageStatus defines the observed state of AssignImage. - properties: - byPod: - items: - description: MutatorPodStatusStatus defines the observed state of MutatorPodStatus. - properties: - enforced: - type: boolean - errors: - items: - description: MutatorError represents a single error caught while adding a mutator to a system. - properties: - message: - type: string - type: - description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type. - type: string - required: - - message - type: object - type: array - id: - type: string - mutatorUID: - description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch - type: string - observedGeneration: - format: int64 - type: integer - operations: - items: - type: string - type: array - type: object - type: array - type: object - type: object - served: true - storage: true - subresources: - status: {} diff --git a/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/assignmetadata-customresourcedefinition.yaml b/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/assignmetadata-customresourcedefinition.yaml deleted file mode 100644 index 468b01fcc..000000000 --- a/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/assignmetadata-customresourcedefinition.yaml +++ /dev/null 
@@ -1,655 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.10.0 - labels: - gatekeeper.sh/system: "yes" - name: assignmetadata.mutations.gatekeeper.sh -spec: - group: mutations.gatekeeper.sh - names: - kind: AssignMetadata - listKind: AssignMetadataList - plural: assignmetadata - singular: assignmetadata - preserveUnknownFields: false - scope: Cluster - versions: - - name: v1 - schema: - openAPIV3Schema: - description: AssignMetadata is the Schema for the assignmetadata API. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - properties: - name: - maxLength: 63 - type: string - type: object - spec: - description: AssignMetadataSpec defines the desired state of AssignMetadata. - properties: - location: - type: string - match: - description: Match selects which objects are in scope. - properties: - excludedNamespaces: - description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' 
- items: - description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ - type: string - type: array - kinds: - items: - description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope. - properties: - apiGroups: - description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required. - items: - type: string - type: array - kinds: - items: - type: string - type: array - type: object - type: array - labelSelector: - description: 'LabelSelector is the combination of two optional fields: `matchLabels` and `matchExpressions`. These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector.' - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. 
If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - name: - description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' - pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ - type: string - namespaceSelector: - description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 
- items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - namespaces: - description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' - items: - description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ - type: string - type: array - scope: - description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) - type: string - source: - description: Source determines whether generated or original resources are matched. Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of `Generated` will only match generated resources, while `Original` will only match regular resources. - enum: - - All - - Generated - - Original - type: string - type: object - parameters: - properties: - assign: - description: Assign.value holds the value to be assigned - properties: - externalData: - description: ExternalData describes the external data provider to be used for mutation. 
- properties: - dataSource: - default: ValueAtLocation - description: DataSource specifies where to extract the data that will be sent to the external data provider as parameters. - enum: - - ValueAtLocation - - Username - type: string - default: - description: Default specifies the default value to use when the external data provider returns an error and the failure policy is set to "UseDefault". - type: string - failurePolicy: - default: Fail - description: FailurePolicy specifies the policy to apply when the external data provider returns an error. - enum: - - UseDefault - - Ignore - - Fail - type: string - provider: - description: Provider is the name of the external data provider. - type: string - type: object - fromMetadata: - description: FromMetadata assigns a value from the specified metadata field. - properties: - field: - description: Field specifies which metadata field provides the assigned value. Valid fields are `namespace` and `name`. - type: string - type: object - value: - description: Value is a constant value that will be assigned to `location` - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: object - status: - description: AssignMetadataStatus defines the observed state of AssignMetadata. - properties: - byPod: - description: 'INSERT ADDITIONAL STATUS FIELD - define observed state of cluster Important: Run "make" to regenerate code after modifying this file' - items: - description: MutatorPodStatusStatus defines the observed state of MutatorPodStatus. - properties: - enforced: - type: boolean - errors: - items: - description: MutatorError represents a single error caught while adding a mutator to a system. - properties: - message: - type: string - type: - description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type. 
- type: string - required: - - message - type: object - type: array - id: - type: string - mutatorUID: - description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch - type: string - observedGeneration: - format: int64 - type: integer - operations: - items: - type: string - type: array - type: object - type: array - type: object - type: object - served: true - storage: true - subresources: - status: {} - - name: v1alpha1 - schema: - openAPIV3Schema: - description: AssignMetadata is the Schema for the assignmetadata API. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: AssignMetadataSpec defines the desired state of AssignMetadata. - properties: - location: - type: string - match: - description: Match selects which objects are in scope. - properties: - excludedNamespaces: - description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' 
- items: - description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ - type: string - type: array - kinds: - items: - description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope. - properties: - apiGroups: - description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required. - items: - type: string - type: array - kinds: - items: - type: string - type: array - type: object - type: array - labelSelector: - description: 'LabelSelector is the combination of two optional fields: `matchLabels` and `matchExpressions`. These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector.' - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. 
If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - name: - description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' - pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ - type: string - namespaceSelector: - description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 
- items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - namespaces: - description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' - items: - description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ - type: string - type: array - scope: - description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) - type: string - source: - description: Source determines whether generated or original resources are matched. Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of `Generated` will only match generated resources, while `Original` will only match regular resources. - enum: - - All - - Generated - - Original - type: string - type: object - parameters: - properties: - assign: - description: Assign.value holds the value to be assigned - properties: - externalData: - description: ExternalData describes the external data provider to be used for mutation. 
- properties: - dataSource: - default: ValueAtLocation - description: DataSource specifies where to extract the data that will be sent to the external data provider as parameters. - enum: - - ValueAtLocation - - Username - type: string - default: - description: Default specifies the default value to use when the external data provider returns an error and the failure policy is set to "UseDefault". - type: string - failurePolicy: - default: Fail - description: FailurePolicy specifies the policy to apply when the external data provider returns an error. - enum: - - UseDefault - - Ignore - - Fail - type: string - provider: - description: Provider is the name of the external data provider. - type: string - type: object - fromMetadata: - description: FromMetadata assigns a value from the specified metadata field. - properties: - field: - description: Field specifies which metadata field provides the assigned value. Valid fields are `namespace` and `name`. - type: string - type: object - value: - description: Value is a constant value that will be assigned to `location` - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: object - status: - description: AssignMetadataStatus defines the observed state of AssignMetadata. - properties: - byPod: - description: 'INSERT ADDITIONAL STATUS FIELD - define observed state of cluster Important: Run "make" to regenerate code after modifying this file' - items: - description: MutatorPodStatusStatus defines the observed state of MutatorPodStatus. - properties: - enforced: - type: boolean - errors: - items: - description: MutatorError represents a single error caught while adding a mutator to a system. - properties: - message: - type: string - type: - description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type. 
- type: string - required: - - message - type: object - type: array - id: - type: string - mutatorUID: - description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch - type: string - observedGeneration: - format: int64 - type: integer - operations: - items: - type: string - type: array - type: object - type: array - type: object - type: object - served: true - storage: false - subresources: - status: {} - - name: v1beta1 - schema: - openAPIV3Schema: - description: AssignMetadata is the Schema for the assignmetadata API. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: AssignMetadataSpec defines the desired state of AssignMetadata. - properties: - location: - type: string - match: - description: Match selects which objects are in scope. - properties: - excludedNamespaces: - description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' 
- items: - description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ - type: string - type: array - kinds: - items: - description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope. - properties: - apiGroups: - description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required. - items: - type: string - type: array - kinds: - items: - type: string - type: array - type: object - type: array - labelSelector: - description: 'LabelSelector is the combination of two optional fields: `matchLabels` and `matchExpressions`. These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector.' - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. 
If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - name: - description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' - pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ - type: string - namespaceSelector: - description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 
- items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - namespaces: - description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' - items: - description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ - type: string - type: array - scope: - description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) - type: string - source: - description: Source determines whether generated or original resources are matched. Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of `Generated` will only match generated resources, while `Original` will only match regular resources. - enum: - - All - - Generated - - Original - type: string - type: object - parameters: - properties: - assign: - description: Assign.value holds the value to be assigned - properties: - externalData: - description: ExternalData describes the external data provider to be used for mutation. 
- properties: - dataSource: - default: ValueAtLocation - description: DataSource specifies where to extract the data that will be sent to the external data provider as parameters. - enum: - - ValueAtLocation - - Username - type: string - default: - description: Default specifies the default value to use when the external data provider returns an error and the failure policy is set to "UseDefault". - type: string - failurePolicy: - default: Fail - description: FailurePolicy specifies the policy to apply when the external data provider returns an error. - enum: - - UseDefault - - Ignore - - Fail - type: string - provider: - description: Provider is the name of the external data provider. - type: string - type: object - fromMetadata: - description: FromMetadata assigns a value from the specified metadata field. - properties: - field: - description: Field specifies which metadata field provides the assigned value. Valid fields are `namespace` and `name`. - type: string - type: object - value: - description: Value is a constant value that will be assigned to `location` - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: object - status: - description: AssignMetadataStatus defines the observed state of AssignMetadata. - properties: - byPod: - description: 'INSERT ADDITIONAL STATUS FIELD - define observed state of cluster Important: Run "make" to regenerate code after modifying this file' - items: - description: MutatorPodStatusStatus defines the observed state of MutatorPodStatus. - properties: - enforced: - type: boolean - errors: - items: - description: MutatorError represents a single error caught while adding a mutator to a system. - properties: - message: - type: string - type: - description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type. 
- type: string - required: - - message - type: object - type: array - id: - type: string - mutatorUID: - description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch - type: string - observedGeneration: - format: int64 - type: integer - operations: - items: - type: string - type: array - type: object - type: array - type: object - type: object - served: true - storage: false - subresources: - status: {} diff --git a/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/config-customresourcedefinition.yaml b/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/config-customresourcedefinition.yaml deleted file mode 100644 index 57826ac09..000000000 --- a/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/config-customresourcedefinition.yaml +++ /dev/null 
@@ -1,105 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.10.0 - labels: - gatekeeper.sh/system: "yes" - name: configs.config.gatekeeper.sh -spec: - group: config.gatekeeper.sh - names: - kind: Config - listKind: ConfigList - plural: configs - singular: config - preserveUnknownFields: false - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: Config is the Schema for the configs API. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: ConfigSpec defines the desired state of Config. - properties: - match: - description: Configuration for namespace exclusion - items: - properties: - excludedNamespaces: - items: - description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' 
- pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ - type: string - type: array - processes: - items: - type: string - type: array - type: object - type: array - readiness: - description: Configuration for readiness tracker - properties: - statsEnabled: - type: boolean - type: object - sync: - description: Configuration for syncing k8s objects - properties: - syncOnly: - description: If non-empty, only entries on this list will be replicated into OPA - items: - properties: - group: - type: string - kind: - type: string - version: - type: string - type: object - type: array - type: object - validation: - description: Configuration for validation - properties: - traces: - description: List of requests to trace. Both "user" and "kinds" must be specified - items: - properties: - dump: - description: Also dump the state of OPA with the trace. Set to `All` to dump everything. - type: string - kind: - description: Only trace requests of the following GroupVersionKind - properties: - group: - type: string - kind: - type: string - version: - type: string - type: object - user: - description: Only trace requests from the specified user - type: string - type: object - type: array - type: object - type: object - status: - description: ConfigStatus defines the observed state of Config. - type: object - type: object - served: true - storage: true diff --git a/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/constraintpodstatus-customresourcedefinition.yaml b/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/constraintpodstatus-customresourcedefinition.yaml deleted file mode 100644 index 230a541bb..000000000 --- a/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/constraintpodstatus-customresourcedefinition.yaml +++ /dev/null 
@@ -1,67 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.10.0 - labels: - gatekeeper.sh/system: "yes" - name: constraintpodstatuses.status.gatekeeper.sh -spec: - group: status.gatekeeper.sh - names: - kind: ConstraintPodStatus - listKind: ConstraintPodStatusList - plural: constraintpodstatuses - singular: constraintpodstatus - preserveUnknownFields: false - scope: Namespaced - versions: - - name: v1beta1 - schema: - openAPIV3Schema: - description: ConstraintPodStatus is the Schema for the constraintpodstatuses API. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - status: - description: ConstraintPodStatusStatus defines the observed state of ConstraintPodStatus. - properties: - constraintUID: - description: Storing the constraint UID allows us to detect drift, such as when a constraint has been recreated after its CRD was deleted out from under it, interrupting the watch - type: string - enforced: - type: boolean - errors: - items: - description: Error represents a single error caught while adding a constraint to OPA. 
- properties: - code: - type: string - location: - type: string - message: - type: string - required: - - code - - message - type: object - type: array - id: - type: string - observedGeneration: - format: int64 - type: integer - operations: - items: - type: string - type: array - type: object - type: object - served: true - storage: true diff --git a/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/constrainttemplate-customresourcedefinition.yaml b/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/constrainttemplate-customresourcedefinition.yaml deleted file mode 100644 index 737e3aff1..000000000 --- a/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/constrainttemplate-customresourcedefinition.yaml +++ /dev/null 
@@ -1,357 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - labels: - gatekeeper.sh/system: "yes" - name: constrainttemplates.templates.gatekeeper.sh -spec: - group: templates.gatekeeper.sh - names: - kind: ConstraintTemplate - listKind: ConstraintTemplateList - plural: constrainttemplates - singular: constrainttemplate - preserveUnknownFields: false - scope: Cluster - versions: - - name: v1 - schema: - openAPIV3Schema: - description: ConstraintTemplate is the Schema for the constrainttemplates API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: ConstraintTemplateSpec defines the desired state of ConstraintTemplate. - properties: - crd: - properties: - spec: - properties: - names: - properties: - kind: - type: string - shortNames: - items: - type: string - type: array - type: object - validation: - default: - legacySchema: false - properties: - legacySchema: - default: false - type: boolean - openAPIV3Schema: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: object - targets: - items: - properties: - code: - description: The source code options for the constraint template. 
"Rego" can only be specified in one place (either here or in the "rego" field) - items: - properties: - engine: - description: 'The engine used to evaluate the code. Example: "Rego". Required.' - type: string - source: - description: The source code for the template. Required. - x-kubernetes-preserve-unknown-fields: true - required: - - engine - - source - type: object - type: array - x-kubernetes-list-map-keys: - - engine - x-kubernetes-list-type: map - libs: - items: - type: string - type: array - rego: - type: string - target: - type: string - type: object - type: array - type: object - status: - description: ConstraintTemplateStatus defines the observed state of ConstraintTemplate. - properties: - byPod: - items: - description: ByPodStatus defines the observed state of ConstraintTemplate as seen by an individual controller - properties: - errors: - items: - description: CreateCRDError represents a single error caught during parsing, compiling, etc. - properties: - code: - type: string - location: - type: string - message: - type: string - required: - - code - - message - type: object - type: array - id: - description: a unique identifier for the pod that wrote the status - type: string - observedGeneration: - format: int64 - type: integer - type: object - x-kubernetes-preserve-unknown-fields: true - type: array - created: - type: boolean - type: object - type: object - served: true - storage: true - subresources: - status: {} - - name: v1alpha1 - schema: - openAPIV3Schema: - description: ConstraintTemplate is the Schema for the constrainttemplates API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: ConstraintTemplateSpec defines the desired state of ConstraintTemplate. - properties: - crd: - properties: - spec: - properties: - names: - properties: - kind: - type: string - shortNames: - items: - type: string - type: array - type: object - validation: - default: - legacySchema: true - properties: - legacySchema: - default: true - type: boolean - openAPIV3Schema: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: object - targets: - items: - properties: - code: - description: The source code options for the constraint template. "Rego" can only be specified in one place (either here or in the "rego" field) - items: - properties: - engine: - description: 'The engine used to evaluate the code. Example: "Rego". Required.' - type: string - source: - description: The source code for the template. Required. - x-kubernetes-preserve-unknown-fields: true - required: - - engine - - source - type: object - type: array - x-kubernetes-list-map-keys: - - engine - x-kubernetes-list-type: map - libs: - items: - type: string - type: array - rego: - type: string - target: - type: string - type: object - type: array - type: object - status: - description: ConstraintTemplateStatus defines the observed state of ConstraintTemplate. 
- properties: - byPod: - items: - description: ByPodStatus defines the observed state of ConstraintTemplate as seen by an individual controller - properties: - errors: - items: - description: CreateCRDError represents a single error caught during parsing, compiling, etc. - properties: - code: - type: string - location: - type: string - message: - type: string - required: - - code - - message - type: object - type: array - id: - description: a unique identifier for the pod that wrote the status - type: string - observedGeneration: - format: int64 - type: integer - type: object - x-kubernetes-preserve-unknown-fields: true - type: array - created: - type: boolean - type: object - type: object - served: true - storage: false - subresources: - status: {} - - name: v1beta1 - schema: - openAPIV3Schema: - description: ConstraintTemplate is the Schema for the constrainttemplates API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: ConstraintTemplateSpec defines the desired state of ConstraintTemplate. 
- properties: - crd: - properties: - spec: - properties: - names: - properties: - kind: - type: string - shortNames: - items: - type: string - type: array - type: object - validation: - default: - legacySchema: true - properties: - legacySchema: - default: true - type: boolean - openAPIV3Schema: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: object - targets: - items: - properties: - code: - description: The source code options for the constraint template. "Rego" can only be specified in one place (either here or in the "rego" field) - items: - properties: - engine: - description: 'The engine used to evaluate the code. Example: "Rego". Required.' - type: string - source: - description: The source code for the template. Required. - x-kubernetes-preserve-unknown-fields: true - required: - - engine - - source - type: object - type: array - x-kubernetes-list-map-keys: - - engine - x-kubernetes-list-type: map - libs: - items: - type: string - type: array - rego: - type: string - target: - type: string - type: object - type: array - type: object - status: - description: ConstraintTemplateStatus defines the observed state of ConstraintTemplate. - properties: - byPod: - items: - description: ByPodStatus defines the observed state of ConstraintTemplate as seen by an individual controller - properties: - errors: - items: - description: CreateCRDError represents a single error caught during parsing, compiling, etc. - properties: - code: - type: string - location: - type: string - message: - type: string - required: - - code - - message - type: object - type: array - id: - description: a unique identifier for the pod that wrote the status - type: string - observedGeneration: - format: int64 - type: integer - type: object - x-kubernetes-preserve-unknown-fields: true - type: array - created: - type: boolean - type: object - type: object - served: true - storage: false - subresources: - status: {} 
diff --git a/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/constrainttemplatepodstatus-customresourcedefinition.yaml b/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/constrainttemplatepodstatus-customresourcedefinition.yaml
deleted file mode 100644
index 271572bd7..000000000
--- a/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/constrainttemplatepodstatus-customresourcedefinition.yaml
+++ /dev/null
@@ -1,66 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.10.0 - labels: - gatekeeper.sh/system: "yes" - name: constrainttemplatepodstatuses.status.gatekeeper.sh -spec: - group: status.gatekeeper.sh - names: - kind: ConstraintTemplatePodStatus - listKind: ConstraintTemplatePodStatusList - plural: constrainttemplatepodstatuses - singular: constrainttemplatepodstatus - preserveUnknownFields: false - scope: Namespaced - versions: - - name: v1beta1 - schema: - openAPIV3Schema: - description: ConstraintTemplatePodStatus is the Schema for the constrainttemplatepodstatuses API. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - status: - description: ConstraintTemplatePodStatusStatus defines the observed state of ConstraintTemplatePodStatus. - properties: - errors: - items: - description: CreateCRDError represents a single error caught during parsing, compiling, etc. 
- properties: - code: - type: string - location: - type: string - message: - type: string - required: - - code - - message - type: object - type: array - id: - description: 'Important: Run "make" to regenerate code after modifying this file' - type: string - observedGeneration: - format: int64 - type: integer - operations: - items: - type: string - type: array - templateUID: - description: UID is a type that holds unique ID values, including UUIDs. Because we don't ONLY use UUIDs, this is an alias to string. Being a type captures intent and helps make sure that UIDs and names do not get conflated. - type: string - type: object - type: object - served: true - storage: true diff --git a/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/expansiontemplate-customresourcedefinition.yaml b/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/expansiontemplate-customresourcedefinition.yaml deleted file mode 100644 index 042249cf1..000000000 --- a/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/expansiontemplate-customresourcedefinition.yaml +++ /dev/null 
@@ -1,73 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.10.0 - labels: - gatekeeper.sh/system: "yes" - name: expansiontemplate.expansion.gatekeeper.sh -spec: - group: expansion.gatekeeper.sh - names: - kind: ExpansionTemplate - listKind: ExpansionTemplateList - plural: expansiontemplate - singular: expansiontemplate - preserveUnknownFields: false - scope: Cluster - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: ExpansionTemplate is the Schema for the ExpansionTemplate API. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: ExpansionTemplateSpec defines the desired state of ExpansionTemplate. - properties: - applyTo: - description: ApplyTo lists the specific groups, versions and kinds of generator resources which will be expanded. - items: - description: ApplyTo determines what GVKs items the mutation should apply to. Globs are not allowed. - properties: - groups: - items: - type: string - type: array - kinds: - items: - type: string - type: array - versions: - items: - type: string - type: array - type: object - type: array - enforcementAction: - description: EnforcementAction specifies the enforcement action to be used for resources matching the ExpansionTemplate. 
Specifying an empty value will use the enforcement action specified by the Constraint in violation. - type: string - generatedGVK: - description: GeneratedGVK specifies the GVK of the resources which the generator resource creates. - properties: - group: - type: string - kind: - type: string - version: - type: string - type: object - templateSource: - description: TemplateSource specifies the source field on the generator resource to use as the base for expanded resource. For Pod-creating generators, this is usually spec.template - type: string - type: object - type: object - served: true - storage: true diff --git a/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/modifyset-customresourcedefinition.yaml b/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/modifyset-customresourcedefinition.yaml deleted file mode 100644 index 1bb193336..000000000 --- a/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/modifyset-customresourcedefinition.yaml +++ /dev/null 
@@ -1,676 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.10.0 - labels: - gatekeeper.sh/system: "yes" - name: modifyset.mutations.gatekeeper.sh -spec: - group: mutations.gatekeeper.sh - names: - kind: ModifySet - listKind: ModifySetList - plural: modifyset - singular: modifyset - preserveUnknownFields: false - scope: Cluster - versions: - - name: v1 - schema: - openAPIV3Schema: - description: ModifySet allows the user to modify non-keyed lists, such as the list of arguments to a container. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - properties: - name: - maxLength: 63 - type: string - type: object - spec: - description: ModifySetSpec defines the desired state of ModifySet. - properties: - applyTo: - description: ApplyTo lists the specific groups, versions and kinds a mutation will be applied to. This is necessary because every mutation implies part of an object schema and object schemas are associated with specific GVKs. - items: - description: ApplyTo determines what GVKs items the mutation should apply to. Globs are not allowed. 
- properties: - groups: - items: - type: string - type: array - kinds: - items: - type: string - type: array - versions: - items: - type: string - type: array - type: object - type: array - location: - description: 'Location describes the path to be mutated, for example: `spec.containers[name: main].args`.' - type: string - match: - description: Match allows the user to limit which resources get mutated. Individual match criteria are AND-ed together. An undefined match criteria matches everything. - properties: - excludedNamespaces: - description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' - items: - description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ - type: string - type: array - kinds: - items: - description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope. - properties: - apiGroups: - description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required. - items: - type: string - type: array - kinds: - items: - type: string - type: array - type: object - type: array - labelSelector: - description: 'LabelSelector is the combination of two optional fields: `matchLabels` and `matchExpressions`. 
These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector.' - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - name: - description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' 
- pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ - type: string - namespaceSelector: - description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - namespaces: - description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' - items: - description: 'A string that supports globbing at its front or end. 
Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ - type: string - type: array - scope: - description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) - type: string - source: - description: Source determines whether generated or original resources are matched. Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of `Generated` will only match generated resources, while `Original` will only match regular resources. - enum: - - All - - Generated - - Original - type: string - type: object - parameters: - description: Parameters define the behavior of the mutator. - properties: - operation: - default: merge - description: Operation describes whether values should be merged in ("merge"), or pruned ("prune"). Default value is "merge" - enum: - - merge - - prune - type: string - pathTests: - description: PathTests are a series of existence tests that can be checked before a mutation is applied - items: - description: "PathTest allows the user to customize how the mutation works if parent paths are missing. It traverses the list in order. All sub paths are tested against the provided condition, if the test fails, the mutation is not applied. All `subPath` entries must be a prefix of `location`. Any glob characters will take on the same value as was used to expand the matching glob in `location`. \n Available Tests: * MustExist - the path must exist or do not mutate * MustNotExist - the path must not exist or do not mutate." 
- properties: - condition: - description: Condition describes whether the path either MustExist or MustNotExist in the original object - enum: - - MustExist - - MustNotExist - type: string - subPath: - type: string - type: object - type: array - values: - description: Values describes the values provided to the operation as `values.fromList`. - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - status: - description: ModifySetStatus defines the observed state of ModifySet. - properties: - byPod: - items: - description: MutatorPodStatusStatus defines the observed state of MutatorPodStatus. - properties: - enforced: - type: boolean - errors: - items: - description: MutatorError represents a single error caught while adding a mutator to a system. - properties: - message: - type: string - type: - description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type. - type: string - required: - - message - type: object - type: array - id: - type: string - mutatorUID: - description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch - type: string - observedGeneration: - format: int64 - type: integer - operations: - items: - type: string - type: array - type: object - type: array - type: object - type: object - served: true - storage: true - subresources: - status: {} - - name: v1alpha1 - schema: - openAPIV3Schema: - description: ModifySet allows the user to modify non-keyed lists, such as the list of arguments to a container. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: ModifySetSpec defines the desired state of ModifySet. - properties: - applyTo: - description: ApplyTo lists the specific groups, versions and kinds a mutation will be applied to. This is necessary because every mutation implies part of an object schema and object schemas are associated with specific GVKs. - items: - description: ApplyTo determines what GVKs items the mutation should apply to. Globs are not allowed. - properties: - groups: - items: - type: string - type: array - kinds: - items: - type: string - type: array - versions: - items: - type: string - type: array - type: object - type: array - location: - description: 'Location describes the path to be mutated, for example: `spec.containers[name: main].args`.' - type: string - match: - description: Match allows the user to limit which resources get mutated. Individual match criteria are AND-ed together. An undefined match criteria matches everything. - properties: - excludedNamespaces: - description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' - items: - description: 'A string that supports globbing at its front or end. 
Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ - type: string - type: array - kinds: - items: - description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope. - properties: - apiGroups: - description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required. - items: - type: string - type: array - kinds: - items: - type: string - type: array - type: object - type: array - labelSelector: - description: 'LabelSelector is the combination of two optional fields: `matchLabels` and `matchExpressions`. These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector.' - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. 
This array is replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - name: - description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' - pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ - type: string - namespaceSelector: - description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 
- items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - namespaces: - description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' - items: - description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ - type: string - type: array - scope: - description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) - type: string - source: - description: Source determines whether generated or original resources are matched. Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of `Generated` will only match generated resources, while `Original` will only match regular resources. - enum: - - All - - Generated - - Original - type: string - type: object - parameters: - description: Parameters define the behavior of the mutator. - properties: - operation: - default: merge - description: Operation describes whether values should be merged in ("merge"), or pruned ("prune"). 
Default value is "merge" - enum: - - merge - - prune - type: string - pathTests: - description: PathTests are a series of existence tests that can be checked before a mutation is applied - items: - description: "PathTest allows the user to customize how the mutation works if parent paths are missing. It traverses the list in order. All sub paths are tested against the provided condition, if the test fails, the mutation is not applied. All `subPath` entries must be a prefix of `location`. Any glob characters will take on the same value as was used to expand the matching glob in `location`. \n Available Tests: * MustExist - the path must exist or do not mutate * MustNotExist - the path must not exist or do not mutate." - properties: - condition: - description: Condition describes whether the path either MustExist or MustNotExist in the original object - enum: - - MustExist - - MustNotExist - type: string - subPath: - type: string - type: object - type: array - values: - description: Values describes the values provided to the operation as `values.fromList`. - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - status: - description: ModifySetStatus defines the observed state of ModifySet. - properties: - byPod: - items: - description: MutatorPodStatusStatus defines the observed state of MutatorPodStatus. - properties: - enforced: - type: boolean - errors: - items: - description: MutatorError represents a single error caught while adding a mutator to a system. - properties: - message: - type: string - type: - description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type. 
- type: string - required: - - message - type: object - type: array - id: - type: string - mutatorUID: - description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch - type: string - observedGeneration: - format: int64 - type: integer - operations: - items: - type: string - type: array - type: object - type: array - type: object - type: object - served: true - storage: false - subresources: - status: {} - - name: v1beta1 - schema: - openAPIV3Schema: - description: ModifySet allows the user to modify non-keyed lists, such as the list of arguments to a container. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: ModifySetSpec defines the desired state of ModifySet. - properties: - applyTo: - description: ApplyTo lists the specific groups, versions and kinds a mutation will be applied to. This is necessary because every mutation implies part of an object schema and object schemas are associated with specific GVKs. - items: - description: ApplyTo determines what GVKs items the mutation should apply to. Globs are not allowed. 
- properties: - groups: - items: - type: string - type: array - kinds: - items: - type: string - type: array - versions: - items: - type: string - type: array - type: object - type: array - location: - description: 'Location describes the path to be mutated, for example: `spec.containers[name: main].args`.' - type: string - match: - description: Match allows the user to limit which resources get mutated. Individual match criteria are AND-ed together. An undefined match criteria matches everything. - properties: - excludedNamespaces: - description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' - items: - description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ - type: string - type: array - kinds: - items: - description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope. - properties: - apiGroups: - description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required. - items: - type: string - type: array - kinds: - items: - type: string - type: array - type: object - type: array - labelSelector: - description: 'LabelSelector is the combination of two optional fields: `matchLabels` and `matchExpressions`. 
These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector.' - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - name: - description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.' 
- pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ - type: string - namespaceSelector: - description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace. - properties: - matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. - items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. - properties: - key: - description: key is the label key that the selector applies to. - type: string - operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. - type: string - values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. - items: - type: string - type: array - required: - - key - - operator - type: object - type: array - matchLabels: - additionalProperties: - type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. - type: object - type: object - namespaces: - description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.' - items: - description: 'A string that supports globbing at its front or end. 
Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.' - pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ - type: string - type: array - scope: - description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`) - type: string - source: - description: Source determines whether generated or original resources are matched. Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of `Generated` will only match generated resources, while `Original` will only match regular resources. - enum: - - All - - Generated - - Original - type: string - type: object - parameters: - description: Parameters define the behavior of the mutator. - properties: - operation: - default: merge - description: Operation describes whether values should be merged in ("merge"), or pruned ("prune"). Default value is "merge" - enum: - - merge - - prune - type: string - pathTests: - description: PathTests are a series of existence tests that can be checked before a mutation is applied - items: - description: "PathTest allows the user to customize how the mutation works if parent paths are missing. It traverses the list in order. All sub paths are tested against the provided condition, if the test fails, the mutation is not applied. All `subPath` entries must be a prefix of `location`. Any glob characters will take on the same value as was used to expand the matching glob in `location`. \n Available Tests: * MustExist - the path must exist or do not mutate * MustNotExist - the path must not exist or do not mutate." 
- properties: - condition: - description: Condition describes whether the path either MustExist or MustNotExist in the original object - enum: - - MustExist - - MustNotExist - type: string - subPath: - type: string - type: object - type: array - values: - description: Values describes the values provided to the operation as `values.fromList`. - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - status: - description: ModifySetStatus defines the observed state of ModifySet. - properties: - byPod: - items: - description: MutatorPodStatusStatus defines the observed state of MutatorPodStatus. - properties: - enforced: - type: boolean - errors: - items: - description: MutatorError represents a single error caught while adding a mutator to a system. - properties: - message: - type: string - type: - description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type. - type: string - required: - - message - type: object - type: array - id: - type: string - mutatorUID: - description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch - type: string - observedGeneration: - format: int64 - type: integer - operations: - items: - type: string - type: array - type: object - type: array - type: object - type: object - served: true - storage: false - subresources: - status: {} diff --git a/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/mutatorpodstatus-customresourcedefinition.yaml b/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/mutatorpodstatus-customresourcedefinition.yaml deleted file mode 100644 index fd6a0f6de..000000000 --- a/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/mutatorpodstatus-customresourcedefinition.yaml +++ /dev/null 
@@ -1,65 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.10.0 - labels: - gatekeeper.sh/system: "yes" - name: mutatorpodstatuses.status.gatekeeper.sh -spec: - group: status.gatekeeper.sh - names: - kind: MutatorPodStatus - listKind: MutatorPodStatusList - plural: mutatorpodstatuses - singular: mutatorpodstatus - preserveUnknownFields: false - scope: Namespaced - versions: - - name: v1beta1 - schema: - openAPIV3Schema: - description: MutatorPodStatus is the Schema for the mutationpodstatuses API. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - status: - description: MutatorPodStatusStatus defines the observed state of MutatorPodStatus. - properties: - enforced: - type: boolean - errors: - items: - description: MutatorError represents a single error caught while adding a mutator to a system. - properties: - message: - type: string - type: - description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type. 
- type: string - required: - - message - type: object - type: array - id: - type: string - mutatorUID: - description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch - type: string - observedGeneration: - format: int64 - type: integer - operations: - items: - type: string - type: array - type: object - type: object - served: true - storage: true diff --git a/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/provider-customresourcedefinition.yaml b/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/provider-customresourcedefinition.yaml deleted file mode 100644 index 95e66a8b8..000000000 --- a/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/crd-manifest/provider-customresourcedefinition.yaml +++ /dev/null 
@@ -1,78 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.3 - labels: - gatekeeper.sh/system: "yes" - name: providers.externaldata.gatekeeper.sh -spec: - group: externaldata.gatekeeper.sh - names: - kind: Provider - listKind: ProviderList - plural: providers - singular: provider - preserveUnknownFields: false - scope: Cluster - versions: - - deprecated: true - deprecationWarning: externaldata.gatekeeper.sh/v1alpha1 is deprecated. Use externaldata.gatekeeper.sh/v1beta1 instead. - name: v1alpha1 - schema: - openAPIV3Schema: - description: Provider is the Schema for the Provider API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: Spec defines the Provider specifications. - properties: - caBundle: - description: CABundle is a base64-encoded string that contains the TLS CA bundle in PEM format. It is used to verify the signature of the provider's certificate. - type: string - timeout: - description: Timeout is the timeout when querying the provider. - type: integer - url: - description: URL is the url for the provider. URL is prefixed with https://. 
- type: string - type: object - type: object - served: true - storage: false - - name: v1beta1 - schema: - openAPIV3Schema: - description: Provider is the Schema for the providers API - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: Spec defines the Provider specifications. - properties: - caBundle: - description: CABundle is a base64-encoded string that contains the TLS CA bundle in PEM format. It is used to verify the signature of the provider's certificate. - type: string - timeout: - description: Timeout is the timeout when querying the provider. - type: integer - url: - description: URL is the url for the provider. URL is prefixed with https://. - type: string - type: object - type: object - served: true - storage: true diff --git a/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/templates/_helpers.tpl b/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/templates/_helpers.tpl deleted file mode 100644 index 6a89079bc..000000000 --- a/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/templates/_helpers.tpl +++ /dev/null 
@@ -1,22 +0,0 @@
-# Rancher
-
-{{- define "system_default_registry" -}}
-{{- if .Values.global.cattle.systemDefaultRegistry -}}
-{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}}
-{{- end -}}
-{{- end -}}
-
-{{/*
-Windows cluster will add default taint for linux nodes,
-add below linux tolerations to workloads could be scheduled to those linux nodes
-*/}}
-{{- define "linux-node-tolerations" -}}
-- key: "cattle.io/os"
- value: "linux"
- effect: "NoSchedule"
- operator: "Equal"
-{{- end -}}
-
-{{- define "linux-node-selector" -}}
-kubernetes.io/os: linux
-{{- end -}}
diff --git a/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/templates/jobs.yaml b/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/templates/jobs.yaml
deleted file mode 100644
index e5589e68c..000000000
--- a/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/templates/jobs.yaml
+++ /dev/null
@@ -1,126 +0,0 @@
-apiVersion: batch/v1
-kind: Job
-metadata:
- name: {{ .Chart.Name }}-create
- namespace: {{ .Release.Namespace }}
- labels:
- app: {{ .Chart.Name }}
- annotations:
- "helm.sh/hook": post-install, post-upgrade, post-rollback
- "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded
-spec:
- template:
- metadata:
- name: {{ .Chart.Name }}-create
- labels:
- app: {{ .Chart.Name }}
- spec:
- serviceAccountName: {{ .Chart.Name }}-manager
- nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
-{{- if .Values.nodeSelector }}
-{{ toYaml .Values.nodeSelector | indent 8 }}
-{{- end }}
- tolerations: {{ include "linux-node-tolerations" . | nindent 8 }}
-{{- if .Values.tolerations }}
-{{ toYaml .Values.tolerations | indent 8 }}
-{{- end }}
- securityContext:
- runAsNonRoot: true
- runAsUser: 1000
- containers:
- - name: create-crds
- image: {{ template "system_default_registry" . }}{{ .Values.image.repository }}:{{ .Values.image.tag }}
- imagePullPolicy: IfNotPresent
- command:
- - /bin/kubectl
- - apply
- - -f
- - /etc/config/crd-manifest.yaml
- volumeMounts:
- - name: crd-manifest
- readOnly: true
- mountPath: /etc/config
- securityContext:
- {{- if .Values.enableRuntimeDefaultSeccompProfile }}
- seccompProfile:
- type: RuntimeDefault
- {{- end }}
- {{- toYaml .Values.securityContext | nindent 12 }}
- restartPolicy: OnFailure
- volumes:
- - name: crd-manifest
- configMap:
- name: {{ .Chart.Name }}-manifest
----
-apiVersion: batch/v1
-kind: Job
-metadata:
- name: {{ .Chart.Name }}-delete
- namespace: {{ .Release.Namespace }}
- labels:
- app: {{ .Chart.Name }}
- annotations:
- "helm.sh/hook": pre-delete
- "helm.sh/hook-delete-policy": hook-succeeded
-spec:
- template:
- metadata:
- name: {{ .Chart.Name }}-delete
- labels:
- app: {{ .Chart.Name }}
- spec:
- serviceAccountName: {{ .Chart.Name }}-manager
- nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
-{{- if .Values.nodeSelector }}
-{{ toYaml .Values.nodeSelector | indent 8 }}
-{{- end }}
- tolerations: {{ include "linux-node-tolerations" . | nindent 8 }}
-{{- if .Values.tolerations }}
-{{ toYaml .Values.tolerations | indent 8 }}
-{{- end }}
- securityContext:
- runAsNonRoot: true
- runAsUser: 1000
- initContainers:
- - name: remove-finalizers
- image: {{ template "system_default_registry" . }}{{ .Values.image.repository }}:{{ .Values.image.tag }}
- imagePullPolicy: IfNotPresent
- command:
- - /bin/kubectl
- - apply
- - -f
- - /etc/config/crd-manifest.yaml
- volumeMounts:
- - name: crd-manifest
- readOnly: true
- mountPath: /etc/config
- securityContext:
- {{- if .Values.enableRuntimeDefaultSeccompProfile }}
- seccompProfile:
- type: RuntimeDefault
- {{- end }}
- {{- toYaml .Values.securityContext | nindent 12 }}
- containers:
- - name: delete-crds
- image: {{ template "system_default_registry" . }}{{ .Values.image.repository }}:{{ .Values.image.tag }}
- imagePullPolicy: IfNotPresent
- command:
- - /bin/kubectl
- - delete
- - -f
- - /etc/config/crd-manifest.yaml
- volumeMounts:
- - name: crd-manifest
- readOnly: true
- mountPath: /etc/config
- securityContext:
- {{- if .Values.enableRuntimeDefaultSeccompProfile }}
- seccompProfile:
- type: RuntimeDefault
- {{- end }}
- {{- toYaml .Values.securityContext | nindent 12 }}
- restartPolicy: OnFailure
- volumes:
- - name: crd-manifest
- configMap:
- name: {{ .Chart.Name }}-manifest
diff --git a/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/templates/manifest.yaml b/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/templates/manifest.yaml
deleted file mode 100644
index 31016b6ef..000000000
--- a/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/templates/manifest.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: {{ .Chart.Name }}-manifest
- namespace: {{ .Release.Namespace }}
-data:
- crd-manifest.yaml: |
- {{- $currentScope := . -}}
- {{- $crds := (.Files.Glob "crd-manifest/**.yaml") -}}
- {{- range $path, $_ := $crds -}}
- {{- with $currentScope -}}
- {{ .Files.Get $path | nindent 4 }}
- ---
- {{- end -}}{{- end -}}
diff --git a/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/templates/rbac.yaml b/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/templates/rbac.yaml
deleted file mode 100644
index d1df38961..000000000
--- a/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/templates/rbac.yaml
+++ /dev/null
@@ -1,76 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: {{ .Chart.Name }}-manager
- labels:
- app: {{ .Chart.Name }}-manager
-rules:
-- apiGroups:
- - apiextensions.k8s.io
- resources:
- - customresourcedefinitions
- verbs: ['create', 'get', 'patch', 'delete']
-{{- if .Values.global.cattle.psp.enabled }}
-- apiGroups: ['policy']
- resources: ['podsecuritypolicies']
- verbs: ['use']
- resourceNames:
- - {{ .Chart.Name }}-manager
-{{- end }}
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: {{ .Chart.Name }}-manager
- labels:
- app: {{ .Chart.Name }}-manager
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: {{ .Chart.Name }}-manager
-subjects:
-- kind: ServiceAccount
- name: {{ .Chart.Name }}-manager
- namespace: {{ .Release.Namespace }}
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: {{ .Chart.Name }}-manager
- namespace: {{ .Release.Namespace }}
- labels:
- app: {{ .Chart.Name }}-manager
----
-{{- if .Values.global.cattle.psp.enabled }}
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
- name: {{ .Chart.Name }}-manager
- namespace: {{ .Release.Namespace }}
- labels:
- app: {{ .Chart.Name }}-manager
-spec:
- privileged: false
- allowPrivilegeEscalation: false
- hostNetwork: false
- hostIPC: false
- hostPID: false
- runAsUser:
- rule: 'MustRunAsNonRoot'
- seLinux:
- rule: 'RunAsAny'
- supplementalGroups:
- rule: 'MustRunAs'
- ranges:
- - min: 1
- max: 65535
- fsGroup:
- rule: 'MustRunAs'
- ranges:
- - min: 1
- max: 65535
- readOnlyRootFilesystem: false
- volumes:
- - 'configMap'
- - 'secret'
-{{- end }}
diff --git a/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/templates/validate-psp-install.yaml b/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/templates/validate-psp-install.yaml
deleted file mode 100644
index a30c59d3b..000000000
--- a/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/templates/validate-psp-install.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
-#{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}}
-#{{- if .Values.global.cattle.psp.enabled }}
-#{{- if not (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }}
-#{{- fail "The target cluster does not have the PodSecurityPolicy API resource. Please disable PSPs in this chart before proceeding." -}}
-#{{- end }}
-#{{- end }}
-#{{- end }}
diff --git a/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/values.yaml b/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/values.yaml
deleted file mode 100644
index 3304f097b..000000000
--- a/charts/rancher-gatekeeper-crd/103.0.1+up3.12.0/values.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
-# Default values for rancher-gatekeeper-crd.
-# This is a YAML-formatted file.
-# Declare variables to be passed into your templates.
-
-global:
- cattle:
- systemDefaultRegistry: ""
- psp:
- enabled: false
-
-image:
- repository: rancher/kubectl
- tag: v1.20.2
-
-enableRuntimeDefaultSeccompProfile: true
-
-securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/.helmignore b/charts/rancher-gatekeeper/103.0.1+up3.12.0/.helmignore
deleted file mode 100644
index f0c131944..000000000
--- a/charts/rancher-gatekeeper/103.0.1+up3.12.0/.helmignore
+++ /dev/null
@@ -1,21 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/CHANGELOG.md b/charts/rancher-gatekeeper/103.0.1+up3.12.0/CHANGELOG.md
deleted file mode 100644
index c68d23c24..000000000
--- a/charts/rancher-gatekeeper/103.0.1+up3.12.0/CHANGELOG.md
+++ /dev/null
@@ -1,15 +0,0 @@
-# Changelog
-All notable changes from the upstream OPA Gatekeeper chart will be added to this file
-
-## [Package Version 00] - 2020-09-10
-### Added
-- Enabled the CRD chart generator in `package.yaml`
-
-### Modified
-- Updated namespace to `cattle-gatekeeper-system`
-- Updated for Helm 3 compatibility
- - Moved crds to `crds` directory
- - Removed `crd-install` hooks and templates from crds
-
-### Removed
-- Removed `gatekeeper-system-namespace.yaml` as Rancher handles namespaces for chart installation
diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/Chart.yaml b/charts/rancher-gatekeeper/103.0.1+up3.12.0/Chart.yaml
deleted file mode 100644
index 581fbe168..000000000
--- a/charts/rancher-gatekeeper/103.0.1+up3.12.0/Chart.yaml
+++ /dev/null
@@ -1,26 +0,0 @@
-annotations:
- catalog.cattle.io/auto-install: rancher-gatekeeper-crd=match
- catalog.cattle.io/certified: rancher
- catalog.cattle.io/display-name: OPA Gatekeeper
- catalog.cattle.io/kube-version: '>= 1.20.0-0 < 1.28.0-0'
- catalog.cattle.io/namespace: cattle-gatekeeper-system
- catalog.cattle.io/os: linux
- catalog.cattle.io/permits-os: linux,windows
- catalog.cattle.io/provides-gvr: config.gatekeeper.sh.config/v1alpha1
- catalog.cattle.io/rancher-version: '>= 2.8.0-0 < 2.9.0-0'
- catalog.cattle.io/release-name: rancher-gatekeeper
- catalog.cattle.io/type: cluster-tool
- catalog.cattle.io/ui-component: gatekeeper
-apiVersion: v2
-appVersion: v3.12.0
-description: Modifies Open Policy Agent's upstream gatekeeper chart that provides
- policy-based control for cloud native environments
-home: https://github.com/open-policy-agent/gatekeeper
-icon: https://charts.rancher.io/assets/logos/gatekeeper.svg
-keywords:
-- open policy agent
-- security
-name: rancher-gatekeeper
-sources:
-- https://github.com/open-policy-agent/gatekeeper.git
-version: 103.0.1+up3.12.0
diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/README.md b/charts/rancher-gatekeeper/103.0.1+up3.12.0/README.md
deleted file mode 100644
index 155a81337..000000000
--- a/charts/rancher-gatekeeper/103.0.1+up3.12.0/README.md
+++ /dev/null
@@ -1,210 +0,0 @@ -# Gatekeeper Helm Chart - -## Get Repo Info - -```console -helm repo add gatekeeper https://open-policy-agent.github.io/gatekeeper/charts -helm repo update -``` - -_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ - -## Install Chart - -```console -# Helm install with gatekeeper-system namespace already created -$ helm install -n gatekeeper-system [RELEASE_NAME] gatekeeper/gatekeeper - -# Helm install and create namespace -$ helm install -n gatekeeper-system [RELEASE_NAME] gatekeeper/gatekeeper --create-namespace - -``` - -_See [parameters](#parameters) below._ - -_See [helm install](https://helm.sh/docs/helm/helm_install/) for command documentation._ - -## Upgrade Chart - -**Upgrading from < v3.4.0** -Chart 3.4.0 deprecates support for Helm 2 and also removes the creation of the `gatekeeper-system` Namespace from within the chart. This follows Helm 3 Best Practices. - -Option 1: -A simple way to upgrade is to uninstall first and re-install with 3.4.0 or greater. - -```console -$ helm uninstall gatekeeper -$ helm install -n gatekeeper-system [RELEASE_NAME] gatekeeper/gatekeeper --create-namespace - -``` - -Option 2: -Run the `helm_migrate.sh` script before installing the 3.4.0 or greater chart. This will remove the Helm secret for the original release, while keeping all of the resources. It then updates the annotations of the resources so that the new chart can import and manage them. 
- -```console -$ helm_migrate.sh -$ helm install -n gatekeeper-system gatekeeper gatekeeper/gatekeeper -``` - -**Upgrading from >= v3.4.0** -```console -$ helm upgrade -n gatekeeper-system [RELEASE_NAME] gatekeeper/gatekeeper -``` - -_See [helm 2 to 3](https://helm.sh/docs/topics/v2_v3_migration/) for Helm 2 migration documentation._ - - -## Exempting Namespace - -The Helm chart automatically sets the Gatekeeper flag `--exempt-namespace={{ .Release.Namespace }}` in order to exempt the namespace where the chart is installed, and adds the `admission.gatekeeper.sh/ignore` label to the namespace during a post-install hook. - -_See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/website/docs/exempt-namespaces) for more information._ - -## Parameters - -| Parameter | Description | Default | -| :-------------------------------------------- | :-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :------------------------------------------------------------------------ | -| postInstall.labelNamespace.enabled | Add labels to the namespace during post install hooks | `true` | -| postInstall.labelNamespace.extraNamespaces | The extra namespaces that need to have the label during post install hooks | `[]` | -| postInstall.labelNamespace.extraAnnotations | Extra annotations added to the post install Job | `{}` | -| postInstall.labelNamespace.image.repository | Image with kubectl to label the namespace | `openpolicyagent/gatekeeper-crds` | -| postInstall.labelNamespace.image.tag | Image tag | Current release version: `v3.12.0` | -| postInstall.labelNamespace.image.pullPolicy | Image pullPolicy | `IfNotPresent` | -| postInstall.labelNamespace.image.pullSecrets | Image pullSecrets | `[]` | -| postInstall.labelNamespace.extraRules | Extra rules for the 
gatekeeper-update-namespace-label Role | `[]` | -| postInstall.probeWebhook.enabled | Probe webhook API post install. When enabled along with `postInstall.labelNamespace.enabled`, this probe will run as part of `postInstall.labelNamespace` Job as an initContainer | `true` | -| postInstall.probeWebhook.image.repository | Image with curl to probe the webhook API | `curlimages/curl` | -| postInstall.probeWebhook.image.tag | Image tag | `7.83.1` | -| postInstall.probeWebhook.image.pullPolicy | Image pullPolicy | `IfNotPresent` | -| postInstall.probeWebhook.image.pullSecrets | Image pullSecrets | `[]` | -| postInstall.probeWebhook.waitTimeout | Total time to wait for the webhook API to become available | `60` | -| postInstall.probeWebhook.httpTimeout | HTTP client timeout | `2` | -| postInstall.probeWebhook.insecureHTTPS | Ignore server SSL certificate | `false` | -| postInstall.affinity | The affinity to use for pod scheduling in postInstall hook jobs | `{}` | -| postInstall.tolerations | The tolerations to use for pod scheduling in postInstall hook jobs | `[]` | -| postInstall.nodeSelector | The node selector to use for pod scheduling in postInstall hook jobs | `kubernetes.io/os: linux` | -| postInstall.resources | The resource request/limits for the container image in postInstall hook jobs | `{}` | -| postInstall.securityContext | Security context applied on the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 }` | -| postUpgrade.labelNamespace.enabled | Add labels to the namespace during post upgrade hooks | `false` | -| postUpgrade.labelNamespace.extraNamespaces | The extra namespaces that need to have the label during post upgrade hooks | `[]` | -| postUpgrade.labelNamespace.extraAnnotations | Extra annotations added to the post upgrade Job | `{}` | -| postUpgrade.labelNamespace.image.repository | Image with kubectl to label the namespace | 
`openpolicyagent/gatekeeper-crds` | -| postUpgrade.labelNamespace.image.tag | Image tag | Current release version: `v3.12.0` | -| postUpgrade.labelNamespace.image.pullPolicy | Image pullPolicy | `IfNotPresent` | -| postUpgrade.labelNamespace.image.pullSecrets | Image pullSecrets | `[]` -| postUpgrade.affinity | The affinity to use for pod scheduling in postUpgrade hook jobs | `{}` | -| postUpgrade.tolerations | The tolerations to use for pod scheduling in postUpgrade hook jobs | `[]` | -| postUpgrade.nodeSelector | The node selector to use for pod scheduling in postUpgrade hook jobs | `kubernetes.io/os: linux` | -| postUpgrade.resources | The resource request/limits for the container image in postUpgrade hook jobs | `{}` | -| postUpgrade.securityContext | Security context applied on the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 }` | -| preInstall.crdRepository.image.repository | Image with kubectl to update the CRDs. If not set, the `image.crdRepository` is used instead. 
| `null` | -| preInstall.crdRepository.image.tag | Image tag | Current release version: `v3.12.0` | -| preUninstall.deleteWebhooks.enabled | Delete webhooks before gatekeeper itself is uninstalled | `false` | -| preUninstall.deleteWebhooks.image.repository | Image with kubectl to delete the webhooks | `openpolicyagent/gatekeeper-crds` | -| preUninstall.deleteWebhooks.image.tag | Image tag | Current release version: `v3.12.0` | -| preUninstall.deleteWebhooks.image.pullPolicy | Image pullPolicy | `IfNotPresent` | -| preUninstall.deleteWebhooks.image.pullSecrets | Image pullSecrets | `[]` | -| preUninstall.deleteWebhooks.extraRules | Extra rules for the gatekeeper-delete-webhook-configs Role | `[]` | -| preUninstall.affinity | The affinity to use for pod scheduling in preUninstall hook jobs | `{}` | -| preUninstall.tolerations | The tolerations to use for pod scheduling in preUninstall hook jobs | `[]` | -| preUninstall.nodeSelector | The node selector to use for pod scheduling in preUninstall hook jobs | `kubernetes.io/os: linux` | -| preUninstall.resources | The resource request/limits for the container image in preUninstall hook jobs | `{}` | -| preUninstall.securityContext | Security context applied on the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 }` | -| psp.enabled | Enabled PodSecurityPolicy | `true` | -| upgradeCRDs.enabled | Upgrade CRDs using pre-install/pre-upgrade hooks | `true` | -| upgradeCRDs.extraRules | Extra rules for the gatekeeper-admin-upgrade-crds ClusterRole | `[]` | -| crds.affinity | The affinity to use for pod scheduling in crds hook jobs | `{}` | -| crds.tolerations | The tolerations to use for pod scheduling in crds hook jobs | `[]` | -| crds.nodeSelector | The node selector to use for pod scheduling in crds hook jobs | `kubernetes.io/os: linux` | -| crds.resources | The resource request/limits for the container 
image in crds hook jobs | `{}` | -| crds.securityContext | Security context applied to the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 65532, "runAsNonRoot": true, "runAsUser": 65532 }` | -| auditInterval | The frequency with which audit is run | `300` | -| constraintViolationsLimit | The maximum # of audit violations reported on a constraint | `20` | -| auditFromCache | Take the roster of resources to audit from the audit cache | `false` | -| auditChunkSize | Chunk size for listing cluster resources for audit (alpha feature) | `500` | -| auditMatchKindOnly | Only check resources of the kinds specified in all constraints defined in the cluster. | `false` | -| disableValidatingWebhook | Disable the validating webhook | `false` | -| disableMutation | Disable mutation | `false` | -| validatingWebhookName | The name of the `ValidatingWebhookConfiguration` | `gatekeeper-validating-webhook-configuration` | -| validatingWebhookTimeoutSeconds | The timeout for the validating webhook in seconds | `3` | -| validatingWebhookFailurePolicy | The failurePolicy for the validating webhook | `Ignore` | -| validatingWebhookAnnotations | The annotations to add to the ValidatingWebhookConfiguration | `{}` | -| validatingWebhookObjectSelector | The label selector to further refine which namespaced resources will be selected by the webhook. Please note that an exemption label means users can circumvent Gatekeeper's validation webhook unless measures are taken to control how exemption labels can be set. | `{}` | -| validatingWebhookCheckIgnoreFailurePolicy | The failurePolicy for the check-ignore-label validating webhook | `Fail` | -| validatingWebhookExemptNamespacesLabels | Additional namespace labels that will be exempt from the validating webhook. 
Please note that anyone in the cluster capable to manage namespaces will be able to skip all Gatekeeper validation by setting one of these labels for their namespace. | `{}` | -| validatingWebhookCustomRules | Custom rules for selecting which API resources trigger the webhook. Mutually exclusive with `enableDeleteOperations`. NOTE: If you change this, ensure all your constraints are still being enforced. | `{}` | -| enableDeleteOperations | Enable validating webhook for delete operations. Does not work with `validatingWebhookCustomRules` | `false` | -| enableExternalData | Enable external data | `true` | -| enableGeneratorResourceExpansion | Enable generator resource expansion (alpha feature) | `false` | -| enableTLSHealthcheck | Enable probing webhook API with certificate stored in certDir | `false` | -| maxServingThreads | Limit the number of concurrent calls the validation backend made by the validation webhook. -1 limits this value to GOMAXPROCS. Configuring this value may lower max RAM usage and limit CPU throttling, Tuning it can optimize serving capacity. | `-1` | -| metricsBackends | Metrics exporters to use. Valid exporters are: `prometheus`, `stackdriver`, and `opencensus` | `["prometheus"]` | -| mutatingWebhookName | The name of the `MutatingWebhookConfiguration` | `gatekeeper-mutating-webhook-configuration` | -| mutatingWebhookFailurePolicy | The failurePolicy for the mutating webhook | `Ignore` | -| mutatingWebhookReinvocationPolicy | The reinvocationPolicy for the mutating webhook | `Never` | -| mutatingWebhookAnnotations | The annotations to add to the MutatingWebhookConfiguration | `{}` | -| mutatingWebhookExemptNamespacesLabels | Additional namespace labels that will be exempt from the mutating webhook. Please note that anyone in the cluster capable to manage namespaces will be able to skip all Gatekeeper validation by setting one of these labels for their namespace. 
| `{}` | -| mutatingWebhookObjectSelector | The label selector to further refine which namespaced resources will be selected by the webhook. Please note that an exemption label means users can circumvent Gatekeeper's mutation webhook unless measures are taken to control how exemption labels can be set. | `{}` | -| mutatingWebhookTimeoutSeconds | The timeout for the mutating webhook in seconds | `3` | -| mutatingWebhookCustomRules | Custom rules for selecting which API resources trigger the webhook. NOTE: If you change this, ensure all your constraints are still being enforced. | `{}` | -| emitAdmissionEvents | Emit K8s events in configurable namespace for admission violations (alpha feature) | `false` | -| emitAuditEvents | Emit K8s events in configurable namespace for audit violations (alpha feature) | `false` | -| auditEventsInvolvedNamespace | Emit audit events for each violation in the involved objects namespace, the default (false) generates events in the namespace Gatekeeper is installed in. Audit events from cluster-scoped resources will continue to generate events in the namespace that Gatekeeper is installed in | `false` | -| admissionEventsInvolvedNamespace | Emit admission events for each violation in the involved objects namespace, the default (false) generates events in the namespace Gatekeeper is installed in. 
Admission events from cluster-scoped resources will continue to generate events in the namespace that Gatekeeper is installed in | `false` | -| logDenies | Log detailed info on each deny | `false` | -| logLevel | Minimum log level | `INFO` | -| image.pullPolicy | The image pull policy | `IfNotPresent` | -| image.repository | Image repository | `openpolicyagent/gatekeeper` | -| image.release | The image release tag to use | Current release version: `v3.12.0` | -| image.pullSecrets | Specify an array of imagePullSecrets | `[]` | -| resources | The resource request/limits for the container image | limits: 1 CPU, 512Mi, requests: 100mCPU, 256Mi | -| nodeSelector | The node selector to use for pod scheduling | `kubernetes.io/os: linux` | -| controllerManager.affinity | The node affinity to use for controller manager pod scheduling | `{}` | -| controllerManager.topologySpreadConstraints | The topology spread constraints to use for controller manager pod scheduling | `[]` | -| controllerManager.tolerations | The tolerations to use for controller manager pod scheduling | `[]` | -| controllerManager.healthPort | Health port for controller manager | `9090` | -| controllerManager.port | Webhook-server port for controller manager | `8443` | -| controllerManager.metricsPort | Metrics port for controller manager | `8888` | -| controllerManager.readinessTimeout | Timeout in seconds for the controller manager's readiness probe | `1` | -| controllerManager.livenessTimeout | Timeout in seconds for the controller manager's liveness probe | `1` | -| controllerManager.logLevel | The minimum log level for the controller manager, takes precedence over `logLevel` when specified | `null` -| controllerManager.priorityClassName | Priority class name for controller manager | `system-cluster-critical` | -| controllerManager.podSecurityContext | Security context on pod level for controller manager | {fsGroup: 999, suplementalGroups: [999]} | -| controllerManager.exemptNamespaces | The exact 
namespaces to exempt by the admission webhook | `[]` | -| controllerManager.exemptNamespacePrefixes | The namespace prefixes to exempt by the admission webhook | `[]` | -| controllerManager.hostNetwork | Enables controllerManager to be deployed on hostNetwork | `false` | -| controllerManager.dnsPolicy | Set the dnsPolicy for controllerManager pods | `ClusterFirst` | -| controllerManager.securityContext | Security context applied on the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 }` | -| controllerManager.tlsMinVersion | Set the minimum supported TLS version for validating and mutating webhook servers | `1.3` | -| controllerManager.extraRules | Extra rules for the gatekeeper-manager-role Role | `[]` | -| controllerManager.networkPolicy.enabled | Should a network policy for the controller manager be created | `false` | -| controllerManager.networkPolicy.ingress | Additional ingress rules to be added to the controller manager network policy | `{}` | -| audit.affinity | The node affinity to use for audit pod scheduling | `{}` | -| audit.topologySpreadConstraints | The topology spread constraints to use for audit pod scheduling | `[]` | -| audit.tolerations | The tolerations to use for audit pod scheduling | `[]` | -| audit.priorityClassName | Priority class name for audit controller | `system-cluster-critical` | -| audit.podSecurityContext | Security context for audit on pod level | {fsGroup: 999, suplementalGroups: [999]} | -| audit.hostNetwork | Enables audit to be deployed on hostNetwork | `false` | -| audit.dnsPolicy | Set the dnsPolicy for audit pods | `ClusterFirst` | -| audit.securityContext | Security context applied on the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 }` | -| audit.healthPort | Health port for 
audit | `9090` | -| audit.metricsPort | Metrics port for audit | `8888` | -| audit.readinessTimeout | Timeout in seconds for audit's readiness probe | `1` | -| audit.livenessTimeout | Timeout in seconds for the audit's liveness probe | `1` | -| audit.logLevel | The minimum log level for audit, takes precedence over `logLevel` when specified | `null` -| replicas | The number of Gatekeeper replicas to deploy for the webhook | `3` | -| podAnnotations | The annotations to add to the Gatekeeper pods | `container.seccomp.security.alpha.kubernetes.io/manager: runtime/default` | -| podLabels | The labels to add to the Gatekeeper pods | `{}` | -| podCountLimit | The maximum number of Gatekeeper pods to run | `100` | -| secretAnnotations | The annotations to add to the Gatekeeper secrets | `{}` | -| pdb.controllerManager.minAvailable | The number of controller manager pods that must still be available after an eviction | `1` | -| service.type | Service type | `ClusterIP` | -| service.loadBalancerIP | The IP address of LoadBalancer service | `` | -| service.healthzPort | Service port to gatekeeper Webhook health port | `9090` | -| rbac.create | Enable the creation of RBAC resources | `true` | -| externalCertInjection.enabled | Enable the injection of an external certificate. This disables automatic certificate generation and rotation | `false` | -| externalCertInjection.secretName | Name of secret for injected certificate | `gatekeeper-webhook-server-cert` | - -## Contributing Changes - -Please refer to [Contributing to Helm Chart](https://open-policy-agent.github.io/gatekeeper/website/docs/help#contributing-to-helm-chart) for modifying the Helm chart. diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/app-readme.md b/charts/rancher-gatekeeper/103.0.1+up3.12.0/app-readme.md deleted file mode 100644 index dff688f51..000000000 --- a/charts/rancher-gatekeeper/103.0.1+up3.12.0/app-readme.md +++ /dev/null 
@@ -1,32 +0,0 @@ -# Rancher OPA Gatekeeper - -This chart is based off of the upstream [OPA Gatekeeper](https://github.com/open-policy-agent/gatekeeper/tree/master/charts/gatekeeper) chart. - -For more information on how to use the feature, refer to our [docs](https://rancher.com/docs/rancher/v2.x/en/opa-gatekeper/). - -The chart installs the following components: - -- OPA Gatekeeper Controller-Manager - OPA Gatekeeper is a policy engine for providing policy based governance for Kubernetes clusters. The controller installs as a [validating admission controller webhook](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#validatingadmissionwebhook) on the cluster and intercepts all admission requests that create, update or delete a resource in the cluster. -- [Audit](https://github.com/open-policy-agent/gatekeeper#audit) - A periodic audit of the cluster resources against the enforced policies. Any existing resource that violates a policy will be recorded as violations. -- [Constraint Template](https://github.com/open-policy-agent/gatekeeper#constraint-templates) - A template is a CRD (`ConstraintTemplate`) that defines the schema and Rego logic of a policy to be applied to the cluster by Gatekeeper's admission controller webhook. This chart installs a few default `ConstraintTemplate` custom resources. -- [Constraint](https://github.com/open-policy-agent/gatekeeper#constraints) - A constraint is a custom resource that defines the scope of resources which a specific constraint template should apply to. The complete policy is defined by a combination of `ConstraintTemplates` (i.e. what the policy is) and `Constraints` (i.e. what resource to apply the policy to). - -For more information on how to configure the Helm chart, refer to the Helm README. 
- -## Upgrading to Kubernetes v1.25+ - -Starting in Kubernetes v1.25, [Pod Security Policies](https://kubernetes.io/docs/concepts/security/pod-security-policy/) have been removed from the Kubernetes API. - -As a result, **before upgrading to Kubernetes v1.25** (or on a fresh install in a Kubernetes v1.25+ cluster), users are expected to perform an in-place upgrade of this chart with `global.cattle.psp.enabled` set to `false` if it has been previously set to `true`. - -> **Note:** -> In this chart release, any previous field that was associated with any PSP resources have been removed in favor of a single global field: `global.cattle.psp.enabled`. - -> **Note:** -> If you upgrade your cluster to Kubernetes v1.25+ before removing PSPs via a `helm upgrade` (even if you manually clean up resources), **it will leave the Helm release in a broken state within the cluster such that further Helm operations will not work (`helm uninstall`, `helm upgrade`, etc.).** -> -> If your charts get stuck in this state, please consult the Rancher docs on how to clean up your Helm release secrets. - -Upon setting `global.cattle.psp.enabled` to false, the chart will remove any PSP resources deployed on its behalf from the cluster. This is the default setting for this chart. - -As a replacement for PSPs, [Pod Security Admission](https://kubernetes.io/docs/concepts/security/pod-security-admission/) should be used. Please consult the Rancher docs for more details on how to configure your chart release namespaces to work with the new Pod Security Admission and apply Pod Security Standards. diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/_helpers.tpl b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/_helpers.tpl deleted file mode 100644 index c71a8fb61..000000000 --- a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/_helpers.tpl +++ /dev/null 
@@ -1,113 +0,0 @@ - -{{/* -Expand the name of the chart. -*/}} -{{- define "gatekeeper.name" -}} -{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Create a default fully qualified app name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -If release name contains chart name it will be used as a full name. -*/}} -{{- define "gatekeeper.fullname" -}} -{{- if .Values.fullnameOverride -}} -{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- $name := default .Chart.Name .Values.nameOverride -}} -{{- if contains $name .Release.Name -}} -{{- .Release.Name | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} -{{- end -}} -{{- end -}} -{{- end -}} - -{{/* -Create chart name and version as used by the chart label. -*/}} -{{- define "gatekeeper.chart" -}} -{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Adds additional pod labels to the common ones -*/}} -{{- define "gatekeeper.podLabels" -}} -{{- if .Values.podLabels }} -{{- toYaml .Values.podLabels | nindent 8 }} -{{- end }} -{{- end -}} - -{{- define "system_default_registry" -}} -{{- if .Values.global.cattle.systemDefaultRegistry -}} -{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}} -{{- else -}} -{{- "" -}} -{{- end -}} -{{- end -}} - -{{/* -Windows cluster will add default taint for linux nodes, -add below linux tolerations to workloads could be scheduled to those linux nodes -*/}} -{{- define "linux-node-tolerations" -}} -- key: "cattle.io/os" - value: "linux" - effect: "NoSchedule" - operator: "Equal" -{{- end -}} - -{{- define "linux-node-selector" -}} -kubernetes.io/os: linux -{{- end -}} - -{{/* -Output post install webhook probe container entry -*/}} -{{- define "gatekeeper.postInstallWebhookProbeContainer" -}} -- name: 
webhook-probe-post - image: "{{ template "system_default_registry" . }}{{ .Values.postInstall.probeWebhook.image.repository }}:{{ .Values.postInstall.probeWebhook.image.tag }}" - imagePullPolicy: {{ .Values.postInstall.probeWebhook.image.pullPolicy }} - command: - - "curl" - args: - - "--retry" - - "99999" - - "--retry-max-time" - - "{{ .Values.postInstall.probeWebhook.waitTimeout }}" - - "--retry-delay" - - "1" - - "--max-time" - - "{{ .Values.postInstall.probeWebhook.httpTimeout }}" - {{- if .Values.postInstall.probeWebhook.insecureHTTPS }} - - "--insecure" - {{- else }} - - "--cacert" - - /certs/ca.crt - {{- end }} - - "-v" - - "https://gatekeeper-webhook-service.{{ .Release.Namespace }}.svc/v1/admitlabel?timeout=2s" - resources: - {{- toYaml .Values.postInstall.resources | nindent 4 }} - securityContext: - {{- if .Values.enableRuntimeDefaultSeccompProfile }} - seccompProfile: - type: RuntimeDefault - {{- end }} - {{- toYaml .Values.postInstall.securityContext | nindent 4 }} - volumeMounts: - - mountPath: /certs - name: cert - readOnly: true -{{- end -}} - -{{/* -Output post install webhook probe volume entry -*/}} -{{- define "gatekeeper.postInstallWebhookProbeVolume" -}} -- name: cert - secret: - secretName: {{ .Values.externalCertInjection.secretName }} -{{- end -}} diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/allowedrepos.yaml b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/allowedrepos.yaml deleted file mode 100644 index 9abb84ecb..000000000 --- a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/allowedrepos.yaml +++ /dev/null 
@@ -1,35 +0,0 @@ -apiVersion: templates.gatekeeper.sh/v1beta1 -kind: ConstraintTemplate -metadata: - name: k8sallowedrepos -spec: - crd: - spec: - names: - kind: K8sAllowedRepos - validation: - # Schema for the `parameters` field - openAPIV3Schema: - properties: - repos: - type: array - items: - type: string - targets: - - target: admission.k8s.gatekeeper.sh - rego: | - package k8sallowedrepos - - violation[{"msg": msg}] { - container := input.review.object.spec.containers[_] - satisfied := [good | repo = input.parameters.repos[_] ; good = startswith(container.image, repo)] - not any(satisfied) - msg := sprintf("container <%v> has an invalid image repo <%v>, allowed repos are %v", [container.name, container.image, input.parameters.repos]) - } - - violation[{"msg": msg}] { - container := input.review.object.spec.initContainers[_] - satisfied := [good | repo = input.parameters.repos[_] ; good = startswith(container.image, repo)] - not any(satisfied) - msg := sprintf("container <%v> has an invalid image repo <%v>, allowed repos are %v", [container.name, container.image, input.parameters.repos]) - } diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-admin-podsecuritypolicy.yaml b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-admin-podsecuritypolicy.yaml deleted file mode 100644 index 2c179e570..000000000 --- a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-admin-podsecuritypolicy.yaml +++ /dev/null 
@@ -1,38 +0,0 @@ -{{- if .Values.global.cattle.psp.enabled }} -apiVersion: policy/v1beta1 -kind: PodSecurityPolicy -metadata: - annotations: - seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*' - labels: - app: '{{ template "gatekeeper.name" . }}' - chart: '{{ template "gatekeeper.name" . }}' - gatekeeper.sh/system: "yes" - heritage: '{{ .Release.Service }}' - release: '{{ .Release.Name }}' - name: gatekeeper-admin -spec: - allowPrivilegeEscalation: false - fsGroup: - ranges: - - max: 65535 - min: 1 - rule: MustRunAs - requiredDropCapabilities: - - ALL - runAsUser: - rule: MustRunAsNonRoot - seLinux: - rule: RunAsAny - supplementalGroups: - ranges: - - max: 65535 - min: 1 - rule: MustRunAs - volumes: - - configMap - - projected - - secret - - downwardAPI - - emptyDir -{{- end }} diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-admin-serviceaccount.yaml b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-admin-serviceaccount.yaml deleted file mode 100644 index 4b68998cb..000000000 --- a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-admin-serviceaccount.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - labels: - app: '{{ template "gatekeeper.name" . }}' - chart: '{{ template "gatekeeper.name" . }}' - gatekeeper.sh/system: "yes" - heritage: '{{ .Release.Service }}' - release: '{{ .Release.Name }}' - name: gatekeeper-admin - namespace: '{{ .Release.Namespace }}' diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-audit-deployment.yaml b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-audit-deployment.yaml deleted file mode 100644 index a1adb6044..000000000 --- a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-audit-deployment.yaml +++ /dev/null 
@@ -1,156 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: '{{ template "gatekeeper.name" . }}' - chart: '{{ template "gatekeeper.name" . }}' - control-plane: audit-controller - gatekeeper.sh/operation: audit - gatekeeper.sh/system: "yes" - heritage: '{{ .Release.Service }}' - release: '{{ .Release.Name }}' - name: gatekeeper-audit - namespace: '{{ .Release.Namespace }}' -spec: - replicas: 1 - selector: - matchLabels: - app: '{{ template "gatekeeper.name" . }}' - chart: '{{ template "gatekeeper.name" . }}' - control-plane: audit-controller - gatekeeper.sh/operation: audit - gatekeeper.sh/system: "yes" - heritage: '{{ .Release.Service }}' - release: '{{ .Release.Name }}' - template: - metadata: - annotations: - {{- if .Values.podAnnotations }} - {{- toYaml .Values.podAnnotations | trim | nindent 8 }} - {{- end }} - labels: -{{- include "gatekeeper.podLabels" . }} - app: '{{ template "gatekeeper.name" . }}' - chart: '{{ template "gatekeeper.name" . }}' - control-plane: audit-controller - gatekeeper.sh/operation: audit - gatekeeper.sh/system: "yes" - heritage: '{{ .Release.Service }}' - release: '{{ .Release.Name }}' - spec: - affinity: - {{- toYaml .Values.audit.affinity | nindent 8 }} - automountServiceAccountToken: true - containers: - - image: '{{ template "system_default_registry" . 
}}{{ .Values.images.gatekeeper.repository }}:{{ .Values.images.gatekeeper.tag }}' - args: - - --audit-interval={{ .Values.auditInterval }} - - --log-level={{ (.Values.audit.logLevel | empty | not) | ternary .Values.audit.logLevel .Values.logLevel }} - - --constraint-violations-limit={{ .Values.constraintViolationsLimit }} - - --validating-webhook-configuration-name={{ .Values.validatingWebhookName }} - - --mutating-webhook-configuration-name={{ .Values.mutatingWebhookName }} - - --audit-from-cache={{ .Values.auditFromCache }} - - --audit-chunk-size={{ .Values.auditChunkSize }} - - --audit-match-kind-only={{ .Values.auditMatchKindOnly }} - - --emit-audit-events={{ .Values.emitAuditEvents }} - - --audit-events-involved-namespace={{ .Values.auditEventsInvolvedNamespace }} - - --operation=audit - - --operation=status - {{ if not .Values.disableMutation}}- --operation=mutation-status{{- end }} - - --logtostderr - - --health-addr=:{{ .Values.audit.healthPort }} - - --prometheus-port={{ .Values.audit.metricsPort }} - - --enable-external-data={{ .Values.enableExternalData }} - - --enable-generator-resource-expansion={{ .Values.enableGeneratorResourceExpansion }} - - {{- range .Values.metricsBackends}} - - --metrics-backend={{ . 
}} - {{- end }} - - {{- if .Values.audit.logFile}} - - --log-file={{ .Values.audit.logFile }} - {{- end }} - - --disable-cert-rotation={{ or .Values.audit.disableCertRotation .Values.externalCertInjection.enabled }} - command: - - /manager - env: - - name: POD_NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: CONTAINER_NAME - value: manager - imagePullPolicy: '{{ .Values.images.pullPolicy }}' - livenessProbe: - httpGet: - path: /healthz - port: {{ .Values.audit.healthPort }} - timeoutSeconds: {{ .Values.audit.livenessTimeout }} - name: manager - ports: - - containerPort: {{ .Values.audit.metricsPort }} - name: metrics - protocol: TCP - - containerPort: {{ .Values.audit.healthPort }} - name: healthz - protocol: TCP - readinessProbe: - httpGet: - path: /readyz - port: {{ .Values.audit.healthPort }} - timeoutSeconds: {{ .Values.audit.readinessTimeout }} - resources: - {{- toYaml .Values.audit.resources | nindent 10 }} - securityContext: - {{- if .Values.enableRuntimeDefaultSeccompProfile }} - seccompProfile: - type: RuntimeDefault - {{- end }} - {{- toYaml .Values.audit.securityContext | nindent 10}} - volumeMounts: - - mountPath: /certs - name: cert - readOnly: true - - mountPath: /tmp/audit - name: tmp-volume - dnsPolicy: {{ .Values.audit.dnsPolicy }} - hostNetwork: {{ .Values.audit.hostNetwork }} - imagePullSecrets: - {{- toYaml .Values.images.pullSecrets | nindent 8 }} - nodeSelector: {{ include "linux-node-selector" . 
| nindent 8 }} -{{- if .Values.audit.nodeSelector }} -{{ toYaml .Values.audit.nodeSelector | indent 8 }} -{{- end }} - {{- if .Values.audit.priorityClassName }} - priorityClassName: {{ .Values.audit.priorityClassName }} - {{- end }} - securityContext: - {{- toYaml .Values.audit.podSecurityContext | nindent 8 }} - serviceAccountName: gatekeeper-admin - terminationGracePeriodSeconds: 60 - tolerations: {{ include "linux-node-tolerations" . | nindent 8 }} -{{- if .Values.audit.tolerations }} -{{ toYaml .Values.audit.tolerations | indent 8 }} -{{- end }} - volumes: - - name: cert - secret: - defaultMode: 420 - secretName: gatekeeper-webhook-server-cert - {{- if .Values.audit.writeToRAMDisk }} - - emptyDir: - medium: Memory - {{ else }} - - emptyDir: {} - {{- end }} - name: tmp-volume diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-controller-manager-deployment.yaml b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-controller-manager-deployment.yaml deleted file mode 100644 index 5eb8c9b42..000000000 --- a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-controller-manager-deployment.yaml +++ /dev/null 
@@ -1,169 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: '{{ template "gatekeeper.name" . }}' - chart: '{{ template "gatekeeper.name" . }}' - control-plane: controller-manager - gatekeeper.sh/operation: webhook - gatekeeper.sh/system: "yes" - heritage: '{{ .Release.Service }}' - release: '{{ .Release.Name }}' - name: gatekeeper-controller-manager - namespace: '{{ .Release.Namespace }}' -spec: - replicas: {{ .Values.replicas }} - selector: - matchLabels: - app: '{{ template "gatekeeper.name" . }}' - chart: '{{ template "gatekeeper.name" . }}' - control-plane: controller-manager - gatekeeper.sh/operation: webhook - gatekeeper.sh/system: "yes" - heritage: '{{ .Release.Service }}' - release: '{{ .Release.Name }}' - template: - metadata: - annotations: - {{- if .Values.podAnnotations }} - {{- toYaml .Values.podAnnotations | trim | nindent 8 }} - {{- end }} - labels: -{{- include "gatekeeper.podLabels" . }} - app: '{{ template "gatekeeper.name" . }}' - chart: '{{ template "gatekeeper.name" . }}' - control-plane: controller-manager - gatekeeper.sh/operation: webhook - gatekeeper.sh/system: "yes" - heritage: '{{ .Release.Service }}' - release: '{{ .Release.Name }}' - spec: - affinity: - {{- toYaml .Values.controllerManager.affinity | nindent 8 }} - automountServiceAccountToken: true - containers: - - image: '{{ template "system_default_registry" . 
}}{{ .Values.images.gatekeeper.repository }}:{{ .Values.images.gatekeeper.tag }}' - imagePullPolicy: '{{ .Values.images.pullPolicy }}' - args: - - --port={{ .Values.controllerManager.port }} - - --health-addr=:{{ .Values.controllerManager.healthPort }} - - --prometheus-port={{ .Values.controllerManager.metricsPort }} - - --logtostderr - - --log-denies={{ .Values.logDenies }} - - --emit-admission-events={{ .Values.emitAdmissionEvents }} - - --admission-events-involved-namespace={{ .Values.admissionEventsInvolvedNamespace }} - - --log-level={{ (.Values.controllerManager.logLevel | empty | not) | ternary .Values.controllerManager.logLevel .Values.logLevel }} - - --exempt-namespace={{ .Release.Namespace }} - - --operation=webhook - - --enable-external-data={{ .Values.enableExternalData }} - - --enable-generator-resource-expansion={{ .Values.enableGeneratorResourceExpansion }} - - --log-mutations={{ .Values.logMutations }} - - --mutation-annotations={{ .Values.mutationAnnotations }} - - --disable-cert-rotation={{ .Values.controllerManager.disableCertRotation }} - - --max-serving-threads={{ .Values.maxServingThreads }} - - --tls-min-version={{ .Values.controllerManager.tlsMinVersion }} - {{ if ne .Values.controllerManager.clientCertName "" }}- --client-cert-name={{ .Values.controllerManager.clientCertName }}{{- end }} - - {{- range .Values.metricsBackends}} - - --metrics-backend={{ . }} - {{- end }} - {{ if .Values.enableTLSHealthcheck}}- --enable-tls-healthcheck{{- end }} - {{ if not .Values.disableMutation}}- --operation=mutation-webhook{{- end }} - - {{- range .Values.disabledBuiltins}} - - --disable-opa-builtin={{ . }} - {{- end }} - - {{- range .Values.controllerManager.exemptNamespaces}} - - --exempt-namespace={{ . }} - {{- end }} - - {{- range .Values.controllerManager.exemptNamespacePrefixes}} - - --exempt-namespace-prefix={{ . }} - {{- end }} - - {{- range .Values.controllerManager.exemptNamespaceSuffixes}} - - --exempt-namespace-suffix={{ . 
}} - {{- end }} - - {{- if .Values.controllerManager.logFile}} - - --log-file={{ .Values.controllerManager.logFile }} - {{- end }} - command: - - /manager - env: - - name: POD_NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: CONTAINER_NAME - value: manager - livenessProbe: - httpGet: - path: /healthz - port: {{ .Values.controllerManager.healthPort }} - timeoutSeconds: {{ .Values.controllerManager.livenessTimeout }} - name: manager - ports: - - containerPort: {{ .Values.controllerManager.port }} - name: webhook-server - protocol: TCP - - containerPort: {{ .Values.controllerManager.metricsPort }} - name: metrics - protocol: TCP - - containerPort: {{ .Values.controllerManager.healthPort }} - name: healthz - protocol: TCP - readinessProbe: - httpGet: - path: /readyz - port: {{ .Values.controllerManager.healthPort }} - timeoutSeconds: {{ .Values.controllerManager.readinessTimeout }} - resources: - {{- toYaml .Values.controllerManager.resources | nindent 10 }} - securityContext: - {{- if .Values.enableRuntimeDefaultSeccompProfile }} - seccompProfile: - type: RuntimeDefault - {{- end }} - {{- toYaml .Values.controllerManager.securityContext | nindent 10}} - volumeMounts: - - mountPath: /certs - name: cert - readOnly: true - dnsPolicy: {{ .Values.controllerManager.dnsPolicy }} - hostNetwork: {{ .Values.controllerManager.hostNetwork }} - imagePullSecrets: - {{- toYaml .Values.images.pullSecrets | nindent 8 }} - nodeSelector: {{ include "linux-node-selector" . 
| nindent 8 }} -{{- if .Values.controllerManager.nodeSelector }} -{{ toYaml .Values.controllerManager.nodeSelector | indent 8 }} -{{- end }} - {{- if .Values.controllerManager.priorityClassName }} - priorityClassName: {{ .Values.controllerManager.priorityClassName }} - {{- end }} - securityContext: - {{- toYaml .Values.controllerManager.podSecurityContext | nindent 8 }} - serviceAccountName: gatekeeper-admin - terminationGracePeriodSeconds: 60 - tolerations: {{ include "linux-node-tolerations" . | nindent 8 }} -{{- if .Values.controllerManager.tolerations }} -{{ toYaml .Values.controllerManager.tolerations | indent 8 }} -{{- end }} - topologySpreadConstraints: - {{- toYaml .Values.controllerManager.topologySpreadConstraints | nindent 8 }} - volumes: - - name: cert - secret: - defaultMode: 420 - secretName: gatekeeper-webhook-server-cert diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-controller-manager-network-policy.yaml b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-controller-manager-network-policy.yaml deleted file mode 100644 index e05213feb..000000000 --- a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-controller-manager-network-policy.yaml +++ /dev/null 
@@ -1,30 +0,0 @@ -{{- if .Values.controllerManager.networkPolicy.enabled -}} -kind: NetworkPolicy -apiVersion: networking.k8s.io/v1 -metadata: - labels: - app: '{{ template "gatekeeper.name" . }}' - chart: '{{ template "gatekeeper.name" . }}' - heritage: '{{ .Release.Service }}' - release: '{{ .Release.Name }}' - name: gatekeeper-controller-manager -spec: - ingress: - - from: - - podSelector: - matchLabels: - app: '{{ template "gatekeeper.name" . }}' - release: '{{ .Release.Name }}' - {{- with .Values.controllerManager.networkPolicy.ingress }} - {{- toYaml . | nindent 4 }} - {{- end }} - podSelector: - matchLabels: - app: '{{ template "gatekeeper.name" . }}' - chart: '{{ template "gatekeeper.name" . }}' - control-plane: controller-manager - gatekeeper.sh/operation: webhook - gatekeeper.sh/system: "yes" - heritage: '{{ .Release.Service }}' - release: '{{ .Release.Name }}' -{{- end -}} diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-controller-manager-poddisruptionbudget.yaml b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-controller-manager-poddisruptionbudget.yaml deleted file mode 100644 index 424f6a67c..000000000 --- a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-controller-manager-poddisruptionbudget.yaml +++ /dev/null 
@@ -1,24 +0,0 @@
-{{- $v1 := .Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget" -}}
-{{- $v1beta1 := .Capabilities.APIVersions.Has "policy/v1beta1/PodDisruptionBudget" -}}
-apiVersion: policy/v1{{- if and (not $v1) $v1beta1 -}}beta1{{- end }}
-kind: PodDisruptionBudget
-metadata:
- labels:
- app: '{{ template "gatekeeper.name" . }}'
- chart: '{{ template "gatekeeper.name" . }}'
- gatekeeper.sh/system: "yes"
- heritage: '{{ .Release.Service }}'
- release: '{{ .Release.Name }}'
- name: gatekeeper-controller-manager
- namespace: '{{ .Release.Namespace }}'
-spec:
- minAvailable: {{ .Values.pdb.controllerManager.minAvailable }}
- selector:
- matchLabels:
- app: '{{ template "gatekeeper.name" . }}'
- chart: '{{ template "gatekeeper.name" . }}'
- control-plane: controller-manager
- gatekeeper.sh/operation: webhook
- gatekeeper.sh/system: "yes"
- heritage: '{{ .Release.Service }}'
- release: '{{ .Release.Name }}'
diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-critical-pods-resourcequota.yaml b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-critical-pods-resourcequota.yaml
deleted file mode 100644
index 154646366..000000000
--- a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-critical-pods-resourcequota.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-{{- if .Values.resourceQuota }}
-apiVersion: v1
-kind: ResourceQuota
-metadata:
- labels:
- app: '{{ template "gatekeeper.name" . }}'
- chart: '{{ template "gatekeeper.name" . }}'
- gatekeeper.sh/system: "yes"
- heritage: '{{ .Release.Service }}'
- release: '{{ .Release.Name }}'
- name: gatekeeper-critical-pods
- namespace: '{{ .Release.Namespace }}'
-spec:
- hard:
- pods: {{ .Values.podCountLimit }}
- scopeSelector:
- matchExpressions:
- - operator: In
- scopeName: PriorityClass
- values:
- - {{ .Values.controllerManager.priorityClassName }}
- - {{ .Values.audit.priorityClassName }}
-{{- end }}
diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-manager-role-clusterrole.yaml b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-manager-role-clusterrole.yaml
deleted file mode 100644
index 37ac19cc1..000000000
--- a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-manager-role-clusterrole.yaml
+++ /dev/null
@@ -1,174 +0,0 @@
-{{- if .Values.rbac.create }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- creationTimestamp: null
- labels:
- app: '{{ template "gatekeeper.name" . }}'
- chart: '{{ template "gatekeeper.name" . }}'
- gatekeeper.sh/system: "yes"
- heritage: '{{ .Release.Service }}'
- release: '{{ .Release.Name }}'
- name: gatekeeper-manager-role
-rules:
-- apiGroups:
- - ""
- resources:
- - events
- verbs:
- - create
- - patch
-- apiGroups:
- - '*'
- resources:
- - '*'
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- - admissionregistration.k8s.io
- resourceNames:
- - {{ .Values.mutatingWebhookName }}
- resources:
- - mutatingwebhookconfigurations
- verbs:
- - get
- - list
- - patch
- - update
- - watch
-- apiGroups:
- - apiextensions.k8s.io
- resources:
- - customresourcedefinitions
- verbs:
- - create
- - delete
- - get
- - list
- - patch
- - update
- - watch
-- apiGroups:
- - config.gatekeeper.sh
- resources:
- - configs
- verbs:
- - create
- - delete
- - get
- - list
- - patch
- - update
- - watch
-- apiGroups:
- - config.gatekeeper.sh
- resources:
- - configs/status
- verbs:
- - get
- - patch
- - update
-- apiGroups:
- - constraints.gatekeeper.sh
- resources:
- - '*'
- verbs:
- - create
- - delete
- - get
- - list
- - patch
- - update
- - watch
-- apiGroups:
- - externaldata.gatekeeper.sh
- resources:
- - providers
- verbs:
- - create
- - delete
- - get
- - list
- - patch
- - update
- - watch
-- apiGroups:
- - mutations.gatekeeper.sh
- resources:
- - '*'
- verbs:
- - create
- - delete
- - get
- - list
- - patch
- - update
- - watch
-{{- if .Values.global.cattle.psp.enabled }}
-- apiGroups:
- - policy
- resourceNames:
- - gatekeeper-admin
- resources:
- - podsecuritypolicies
- verbs:
- - use
-{{- end }}
-- apiGroups:
- - status.gatekeeper.sh
- resources:
- - '*'
- verbs:
- - create
- - delete
- - get
- - list
- - patch
- - update
- - watch
-- apiGroups:
- - templates.gatekeeper.sh
- resources:
- - constrainttemplates
- verbs:
- - create
- - delete
- - get
- - list
- - patch
- - update
- - watch
-- apiGroups:
- - templates.gatekeeper.sh
- resources:
- - constrainttemplates/finalizers
- verbs:
- - delete
- - get
- - patch
- - update
-- apiGroups:
- - templates.gatekeeper.sh
- resources:
- - constrainttemplates/status
- verbs:
- - get
- - patch
- - update
-- apiGroups:
- - admissionregistration.k8s.io
- resourceNames:
- - {{ .Values.validatingWebhookName }}
- resources:
- - validatingwebhookconfigurations
- verbs:
- - create
- - delete
- - get
- - list
- - patch
- - update
- - watch
-{{- end }}
diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-manager-role-role.yaml b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-manager-role-role.yaml
deleted file mode 100644
index 1018dcdb6..000000000
--- a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-manager-role-role.yaml
+++ /dev/null
@@ -1,37 +0,0 @@
-{{- if .Values.rbac.create }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- creationTimestamp: null
- labels:
- app: '{{ template "gatekeeper.name" . }}'
- chart: '{{ template "gatekeeper.name" . }}'
- gatekeeper.sh/system: "yes"
- heritage: '{{ .Release.Service }}'
- release: '{{ .Release.Name }}'
- name: gatekeeper-manager-role
- namespace: '{{ .Release.Namespace }}'
-rules:
-- apiGroups:
- - ""
- resources:
- - events
- verbs:
- - create
- - patch
-- apiGroups:
- - ""
- resources:
- - secrets
- verbs:
- - create
- - delete
- - get
- - list
- - patch
- - update
- - watch
-{{- with .Values.controllerManager.extraRules }}
- {{- toYaml . | nindent 0 }}
-{{- end }}
-{{- end }}
diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-manager-rolebinding-clusterrolebinding.yaml b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-manager-rolebinding-clusterrolebinding.yaml
deleted file mode 100644
index 1fb9f6c87..000000000
--- a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-manager-rolebinding-clusterrolebinding.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-{{- if .Values.rbac.create }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- labels:
- app: '{{ template "gatekeeper.name" . }}'
- chart: '{{ template "gatekeeper.name" . }}'
- gatekeeper.sh/system: "yes"
- heritage: '{{ .Release.Service }}'
- release: '{{ .Release.Name }}'
- name: gatekeeper-manager-rolebinding
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: gatekeeper-manager-role
-subjects:
-- kind: ServiceAccount
- name: gatekeeper-admin
- namespace: '{{ .Release.Namespace }}'
-{{- end }}
diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-manager-rolebinding-rolebinding.yaml b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-manager-rolebinding-rolebinding.yaml
deleted file mode 100644
index fbe9580d5..000000000
--- a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-manager-rolebinding-rolebinding.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
-{{- if .Values.rbac.create }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- labels:
- app: '{{ template "gatekeeper.name" . }}'
- chart: '{{ template "gatekeeper.name" . }}'
- gatekeeper.sh/system: "yes"
- heritage: '{{ .Release.Service }}'
- release: '{{ .Release.Name }}'
- name: gatekeeper-manager-rolebinding
- namespace: '{{ .Release.Namespace }}'
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: gatekeeper-manager-role
-subjects:
-- kind: ServiceAccount
- name: gatekeeper-admin
- namespace: '{{ .Release.Namespace }}'
-{{- end }}
diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml
deleted file mode 100644
index 0bc3bc43e..000000000
--- a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-mutating-webhook-configuration-mutatingwebhookconfiguration.yaml
+++ /dev/null
@@ -1,60 +0,0 @@
-{{- if not .Values.disableMutation }}
-apiVersion: admissionregistration.k8s.io/v1
-kind: MutatingWebhookConfiguration
-metadata:
- annotations: {{- toYaml .Values.mutatingWebhookAnnotations | trim | nindent 4 }}
- labels:
- app: '{{ template "gatekeeper.name" . }}'
- chart: '{{ template "gatekeeper.name" . }}'
- gatekeeper.sh/system: "yes"
- heritage: '{{ .Release.Service }}'
- release: '{{ .Release.Name }}'
- name: '{{ .Values.mutatingWebhookName }}'
-webhooks:
-- admissionReviewVersions:
- - v1
- - v1beta1
- clientConfig:
- service:
- name: gatekeeper-webhook-service
- namespace: '{{ .Release.Namespace }}'
- path: /v1/mutate
- failurePolicy: {{ .Values.mutatingWebhookFailurePolicy }}
- matchPolicy: Exact
- name: mutation.gatekeeper.sh
- namespaceSelector:
- matchExpressions:
- - key: admission.gatekeeper.sh/ignore
- operator: DoesNotExist
- - key: kubernetes.io/metadata.name
- operator: NotIn
- values:
- - {{ .Release.Namespace }}
-
- {{- range $key, $value := .Values.mutatingWebhookExemptNamespacesLabels}}
- - key: {{ $key }}
- operator: NotIn
- values:
- {{- range $value }}
- - {{ . }}
- {{- end }}
- {{- end }}
- objectSelector: {{ toYaml .Values.mutatingWebhookObjectSelector }}
- reinvocationPolicy: {{ .Values.mutatingWebhookReinvocationPolicy }}
- rules:
- {{- if .Values.mutatingWebhookCustomRules }}
- {{- toYaml .Values.mutatingWebhookCustomRules | nindent 2 }}
- {{- else }}
- - apiGroups:
- - '*'
- apiVersions:
- - '*'
- operations:
- - CREATE
- - UPDATE
- resources:
- - '*'
- {{- end }}
- sideEffects: None
- timeoutSeconds: {{ .Values.mutatingWebhookTimeoutSeconds }}
-{{- end }}
diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml
deleted file mode 100644
index f0dd85d5e..000000000
--- a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-validating-webhook-configuration-validatingwebhookconfiguration.yaml
+++ /dev/null
@@ -1,109 +0,0 @@
-{{- if not .Values.disableValidatingWebhook }}
-apiVersion: admissionregistration.k8s.io/v1
-kind: ValidatingWebhookConfiguration
-metadata:
- annotations: {{- toYaml .Values.validatingWebhookAnnotations | trim | nindent 4 }}
- labels:
- app: '{{ template "gatekeeper.name" . }}'
- chart: '{{ template "gatekeeper.name" . }}'
- gatekeeper.sh/system: "yes"
- heritage: '{{ .Release.Service }}'
- release: '{{ .Release.Name }}'
- name: '{{ .Values.validatingWebhookName }}'
-webhooks:
-- admissionReviewVersions:
- - v1
- - v1beta1
- clientConfig:
- service:
- name: gatekeeper-webhook-service
- namespace: '{{ .Release.Namespace }}'
- path: /v1/admit
- failurePolicy: {{ .Values.validatingWebhookFailurePolicy }}
- matchPolicy: Exact
- name: validation.gatekeeper.sh
- namespaceSelector:
- matchExpressions:
- - key: admission.gatekeeper.sh/ignore
- operator: DoesNotExist
- - key: kubernetes.io/metadata.name
- operator: NotIn
- values:
- - {{ .Release.Namespace }}
-
- {{- range $key, $value := .Values.validatingWebhookExemptNamespacesLabels}}
- - key: {{ $key }}
- operator: NotIn
- values:
- {{- range $value }}
- - {{ . }}
- {{- end }}
- {{- end }}
- objectSelector: {{ toYaml .Values.validatingWebhookObjectSelector }}
- rules:
- {{- if .Values.validatingWebhookCustomRules }}
- {{- toYaml .Values.validatingWebhookCustomRules | nindent 2 }}
- {{- else }}
- - apiGroups:
- - '*'
- apiVersions:
- - '*'
- operations:
- - CREATE
- - UPDATE
- {{- if .Values.enableDeleteOperations }}
- - DELETE
- {{- end }}
- resources:
- - '*'
- # Explicitly list all known subresources except "status" (to avoid destabilizing the cluster and increasing load on gatekeeper).
- # You can find a rough list of subresources by doing a case-sensitive search in the Kubernetes codebase for 'Subresource("'
- - 'pods/ephemeralcontainers'
- - 'pods/exec'
- - 'pods/log'
- - 'pods/eviction'
- - 'pods/portforward'
- - 'pods/proxy'
- - 'pods/attach'
- - 'pods/binding'
- - 'deployments/scale'
- - 'replicasets/scale'
- - 'statefulsets/scale'
- - 'replicationcontrollers/scale'
- - 'services/proxy'
- - 'nodes/proxy'
- # For constraints that mitigate CVE-2020-8554
- - 'services/status'
- {{- end }}
- sideEffects: None
- timeoutSeconds: {{ .Values.validatingWebhookTimeoutSeconds }}
-- admissionReviewVersions:
- - v1
- - v1beta1
- clientConfig:
- service:
- name: gatekeeper-webhook-service
- namespace: '{{ .Release.Namespace }}'
- path: /v1/admitlabel
- failurePolicy: {{ .Values.validatingWebhookCheckIgnoreFailurePolicy }}
- matchPolicy: Exact
- name: check-ignore-label.gatekeeper.sh
- namespaceSelector:
- matchExpressions:
- - key: kubernetes.io/metadata.name
- operator: NotIn
- values:
- - {{ .Release.Namespace }}
- rules:
- - apiGroups:
- - ""
- apiVersions:
- - '*'
- operations:
- - CREATE
- - UPDATE
- resources:
- - namespaces
- sideEffects: None
- timeoutSeconds: {{ .Values.validatingWebhookTimeoutSeconds }}
-{{- end }}
diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-webhook-server-cert-secret.yaml b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-webhook-server-cert-secret.yaml
deleted file mode 100644
index a841780a5..000000000
--- a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-webhook-server-cert-secret.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
-{{- if not .Values.externalCertInjection.enabled }}
-apiVersion: v1
-kind: Secret
-metadata:
- annotations: {{- toYaml .Values.secretAnnotations | trim | nindent 4 }}
- labels:
- app: '{{ template "gatekeeper.name" . }}'
- chart: '{{ template "gatekeeper.name" . }}'
- gatekeeper.sh/system: "yes"
- heritage: '{{ .Release.Service }}'
- release: '{{ .Release.Name }}'
- name: gatekeeper-webhook-server-cert
- namespace: '{{ .Release.Namespace }}'
-{{- end }}
diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-webhook-service-service.yaml b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-webhook-service-service.yaml
deleted file mode 100644
index 3c0f4453a..000000000
--- a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/gatekeeper-webhook-service-service.yaml
+++ /dev/null
@@ -1,38 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
- labels:
- app: '{{ template "gatekeeper.name" . }}'
- chart: '{{ template "gatekeeper.name" . }}'
- gatekeeper.sh/system: "yes"
- heritage: '{{ .Release.Service }}'
- release: '{{ .Release.Name }}'
- name: gatekeeper-webhook-service
- namespace: '{{ .Release.Namespace }}'
-spec:
-
- ports:
- - name: https-webhook-server
- port: 443
- targetPort: webhook-server
-{{- if .Values.service }}
-{{- if .Values.service.healthzPort }}
- - name: http-webhook-healthz
- port: {{ .Values.service.healthzPort }}
- targetPort: healthz
- {{- end }}
- {{- end }}
- {{- if .Values.service }}
- type: {{ .Values.service.type | default "ClusterIP" }}
- {{- if .Values.service.loadBalancerIP }}
- loadBalancerIP: {{ .Values.service.loadBalancerIP }}
- {{- end }}
- {{- end }}
- selector:
- app: '{{ template "gatekeeper.name" . }}'
- chart: '{{ template "gatekeeper.name" . }}'
- control-plane: controller-manager
- gatekeeper.sh/operation: webhook
- gatekeeper.sh/system: "yes"
- heritage: '{{ .Release.Service }}'
- release: '{{ .Release.Name }}'
diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/namespace-post-install.yaml b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/namespace-post-install.yaml
deleted file mode 100644
index 4b4559df9..000000000
--- a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/namespace-post-install.yaml
+++ /dev/null
@@ -1,165 +0,0 @@
-{{- if .Values.postInstall.labelNamespace.enabled }}
-apiVersion: batch/v1
-kind: Job
-metadata:
- name: gatekeeper-update-namespace-label
- namespace: {{ .Release.Namespace | quote }}
- labels:
- app: '{{ template "gatekeeper.name" . }}'
- chart: '{{ template "gatekeeper.name" . }}'
- gatekeeper.sh/system: "yes"
- heritage: '{{ .Release.Service }}'
- release: '{{ .Release.Name }}'
- annotations:
- "helm.sh/hook": post-install
- "helm.sh/hook-weight": "-5"
- "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
- {{- if .Values.postInstall.labelNamespace.extraAnnotations }}
- {{- toYaml .Values.postInstall.labelNamespace.extraAnnotations | trim | nindent 4 }}
- {{- end }}
-spec:
- template:
- metadata:
- annotations:
- {{- toYaml .Values.podAnnotations | trim | nindent 8 }}
- labels:
- {{- include "gatekeeper.podLabels" . }}
- app: '{{ template "gatekeeper.name" . }}'
- chart: '{{ template "gatekeeper.name" . }}'
- gatekeeper.sh/system: "yes"
- heritage: '{{ .Release.Service }}'
- release: '{{ .Release.Name }}'
- spec:
- restartPolicy: OnFailure
- {{- if .Values.postInstall.labelNamespace.image.pullSecrets }}
- imagePullSecrets:
- {{- .Values.postInstall.labelNamespace.image.pullSecrets | toYaml | nindent 12 }}
- {{- end }}
- serviceAccount: gatekeeper-update-namespace-label
- {{- if .Values.postInstall.probeWebhook.enabled }}
- volumes:
- {{- include "gatekeeper.postInstallWebhookProbeVolume" . | nindent 8 }}
- initContainers:
- {{- include "gatekeeper.postInstallWebhookProbeContainer" . | nindent 8 }}
- {{- end }}
- containers:
- - name: kubectl-label
- image: '{{ template "system_default_registry" . }}{{ .Values.postInstall.labelNamespace.image.repository }}:{{ .Values.postInstall.labelNamespace.image.tag }}'
- imagePullPolicy: {{ .Values.postInstall.labelNamespace.image.pullPolicy }}
- args:
- - label
- - ns
- - {{ .Release.Namespace }}
- - admission.gatekeeper.sh/ignore=no-self-managing
- {{- range .Values.postInstall.labelNamespace.podSecurity }}
- - {{ . }}
- {{- end }}
- - --overwrite
- resources:
- {{- toYaml .Values.postInstall.resources | nindent 12 }}
- securityContext:
- {{- if .Values.enableRuntimeDefaultSeccompProfile }}
- seccompProfile:
- type: RuntimeDefault
- {{- end }}
- {{- toYaml .Values.postInstall.securityContext | nindent 12 }}
- {{- if .Values.postInstall.labelNamespace.extraNamespaces }}
- - name: kubectl-label-extra
- image: "{{ .Values.postInstall.labelNamespace.image.repository }}:{{ .Values.postInstall.labelNamespace.image.tag }}"
- imagePullPolicy: {{ .Values.postInstall.labelNamespace.image.pullPolicy }}
- args:
- - label
- - ns
- {{- range .Values.postInstall.labelNamespace.extraNamespaces }}
- - {{ . }}
- {{- end }}
- - admission.gatekeeper.sh/ignore=extra-namespaces
- - --overwrite
- resources:
- {{- toYaml .Values.postInstall.resources | nindent 12 }}
- securityContext:
- {{- if .Values.enableRuntimeDefaultSeccompProfile }}
- seccompProfile:
- type: RuntimeDefault
- {{- end }}
- {{- toYaml .Values.postInstall.securityContext | nindent 12 }}
- {{- end }}
- {{- with .Values.postInstall }}
- nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
- tolerations: {{ include "linux-node-tolerations" . | nindent 8 }}
- affinity:
- {{- toYaml .affinity | nindent 8 }}
- {{- end }}
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: gatekeeper-update-namespace-label
- namespace: {{ .Release.Namespace | quote }}
- labels:
- release: {{ .Release.Name }}
- heritage: {{ .Release.Service }}
- annotations:
- "helm.sh/hook": post-install
- "helm.sh/hook-weight": "-5"
- "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
----
-{{- if .Values.rbac.create }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: gatekeeper-update-namespace-label
- labels:
- release: {{ .Release.Name }}
- heritage: {{ .Release.Service }}
- annotations:
- "helm.sh/hook": post-install
- "helm.sh/hook-weight": "-5"
- "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
-rules:
- - apiGroups:
- - ""
- resources:
- - namespaces
- verbs:
- - get
- - update
- - patch
- resourceNames:
- - {{ .Release.Namespace }}
- {{- range .Values.postInstall.labelNamespace.extraNamespaces }}
- - {{ . }}
- {{- end }}
- - apiGroups:
- - management.cattle.io
- resources:
- - projects
- verbs:
- - updatepsa
-{{- with .Values.postInstall.labelNamespace.extraRules }}
- {{- toYaml . | nindent 2 }}
-{{- end }}
-{{- end }}
----
-{{- if .Values.rbac.create }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: gatekeeper-update-namespace-label
- labels:
- release: {{ .Release.Name }}
- heritage: {{ .Release.Service }}
- annotations:
- "helm.sh/hook": post-install
- "helm.sh/hook-weight": "-5"
- "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: gatekeeper-update-namespace-label
-subjects:
- - kind: ServiceAccount
- name: gatekeeper-update-namespace-label
- namespace: {{ .Release.Namespace | quote }}
-{{- end }}
-{{- end }}
diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/namespace-post-upgrade.yaml b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/namespace-post-upgrade.yaml
deleted file mode 100644
index 9e4a75454..000000000
--- a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/namespace-post-upgrade.yaml
+++ /dev/null
@@ -1,153 +0,0 @@
-{{- if .Values.postUpgrade.labelNamespace.enabled }}
-apiVersion: batch/v1
-kind: Job
-metadata:
- name: gatekeeper-update-namespace-label-post-upgrade
- namespace: {{ .Release.Namespace | quote }}
- labels:
- app: '{{ template "gatekeeper.name" . }}'
- chart: '{{ template "gatekeeper.name" . }}'
- gatekeeper.sh/system: "yes"
- heritage: '{{ .Release.Service }}'
- release: '{{ .Release.Name }}'
- annotations:
- "helm.sh/hook": post-upgrade
- "helm.sh/hook-weight": "-5"
- "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
- {{- if .Values.postUpgrade.labelNamespace.extraAnnotations }}
- {{- toYaml .Values.postUpgrade.labelNamespace.extraAnnotations | trim | nindent 4 }}
- {{- end }}
-spec:
- template:
- metadata:
- labels:
- {{- include "gatekeeper.podLabels" . }}
- app: '{{ template "gatekeeper.name" . }}'
- chart: '{{ template "gatekeeper.name" . }}'
- gatekeeper.sh/system: "yes"
- heritage: '{{ .Release.Service }}'
- release: '{{ .Release.Name }}'
- spec:
- restartPolicy: OnFailure
- {{- if .Values.postUpgrade.labelNamespace.image.pullSecrets }}
- imagePullSecrets:
- {{- .Values.postUpgrade.labelNamespace.image.pullSecrets | toYaml | nindent 12 }}
- {{- end }}
- serviceAccount: gatekeeper-update-namespace-label-post-upgrade
- containers:
- - name: kubectl-label
- image: '{{ template "system_default_registry" . }}{{ .Values.postUpgrade.labelNamespace.image.repository }}:{{ .Values.postUpgrade.labelNamespace.image.tag }}'
- imagePullPolicy: {{ .Values.postUpgrade.labelNamespace.image.pullPolicy }}
- args:
- - label
- - ns
- - {{ .Release.Namespace }}
- - admission.gatekeeper.sh/ignore=no-self-managing
- {{- range .Values.postUpgrade.labelNamespace.podSecurity }}
- - {{ . }}
- {{- end }}
- - --overwrite
- resources:
- {{- toYaml .Values.postUpgrade.resources | nindent 12 }}
- securityContext:
- {{- if .Values.enableRuntimeDefaultSeccompProfile }}
- seccompProfile:
- type: RuntimeDefault
- {{- end }}
- {{- toYaml .Values.postUpgrade.securityContext | nindent 12 }}
- {{- if .Values.postUpgrade.labelNamespace.extraNamespaces }}
- - name: kubectl-label-extra
- image: "{{ .Values.postUpgrade.labelNamespace.image.repository }}:{{ .Values.postUpgrade.labelNamespace.image.tag }}"
- imagePullPolicy: {{ .Values.postUpgrade.labelNamespace.image.pullPolicy }}
- args:
- - label
- - ns
- {{- range .Values.postUpgrade.labelNamespace.extraNamespaces }}
- - {{ . }}
- {{- end }}
- - admission.gatekeeper.sh/ignore=extra-namespaces
- - --overwrite
- resources:
- {{- toYaml .Values.postUpgrade.resources | nindent 12 }}
- securityContext:
- {{- if .Values.enableRuntimeDefaultSeccompProfile }}
- seccompProfile:
- type: RuntimeDefault
- {{- end }}
- {{- toYaml .Values.postUpgrade.securityContext | nindent 12 }}
- {{- end }}
- {{- with .Values.postUpgrade }}
- nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
- tolerations: {{ include "linux-node-tolerations" . | nindent 8 }}
- affinity:
- {{- toYaml .affinity | nindent 8 }}
- {{- end }}
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: gatekeeper-update-namespace-label-post-upgrade
- labels:
- release: {{ .Release.Name }}
- heritage: {{ .Release.Service }}
- annotations:
- "helm.sh/hook": post-upgrade
- "helm.sh/hook-weight": "-5"
- "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
----
-{{- if .Values.rbac.create }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: gatekeeper-update-namespace-label-post-upgrade
- labels:
- release: {{ .Release.Name }}
- heritage: {{ .Release.Service }}
- annotations:
- "helm.sh/hook": post-upgrade
- "helm.sh/hook-weight": "-5"
- "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
-rules:
- - apiGroups:
- - ""
- resources:
- - namespaces
- verbs:
- - get
- - update
- - patch
- resourceNames:
- - {{ .Release.Namespace }}
- {{- range .Values.postUpgrade.labelNamespace.extraNamespaces }}
- - {{ . }}
- {{- end }}
- - apiGroups:
- - management.cattle.io
- resources:
- - projects
- verbs:
- - updatepsa
-{{- end }}
----
-{{- if .Values.rbac.create }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: gatekeeper-update-namespace-label-post-upgrade
- labels:
- release: {{ .Release.Name }}
- heritage: {{ .Release.Service }}
- annotations:
- "helm.sh/hook": post-upgrade
- "helm.sh/hook-weight": "-5"
- "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: gatekeeper-update-namespace-label-post-upgrade
-subjects:
- - kind: ServiceAccount
- name: gatekeeper-update-namespace-label-post-upgrade
- namespace: {{ .Release.Namespace | quote }}
-{{- end }}
-{{- end }}
diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/probe-webhook-post-install.yaml b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/probe-webhook-post-install.yaml
deleted file mode 100644
index c9f706527..000000000
--- a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/probe-webhook-post-install.yaml
+++ /dev/null
@@ -1,46 +0,0 @@
-{{- if not .Values.disableValidatingWebhook }}
-{{- if and (not .Values.postInstall.labelNamespace.enabled) .Values.postInstall.probeWebhook.enabled }}
-apiVersion: batch/v1
-kind: Job
-metadata:
- name: gatekeeper-probe-webhook-post-install
- labels:
- app: '{{ template "gatekeeper.name" . }}'
- chart: '{{ template "gatekeeper.name" . }}'
- gatekeeper.sh/system: "yes"
- heritage: '{{ .Release.Service }}'
- release: '{{ .Release.Name }}'
- annotations:
- "helm.sh/hook": post-install
- "helm.sh/hook-weight": "-5"
- "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
-spec:
- template:
- metadata:
- annotations:
- {{- toYaml .Values.podAnnotations | trim | nindent 8 }}
- labels:
- {{- include "gatekeeper.podLabels" . }}
- app: '{{ template "gatekeeper.name" . }}'
- chart: '{{ template "gatekeeper.name" . }}'
- gatekeeper.sh/system: "yes"
- heritage: '{{ .Release.Service }}'
- release: '{{ .Release.Name }}'
- spec:
- restartPolicy: Never
- {{- if .Values.postInstall.probeWebhook.image.pullSecrets }}
- imagePullSecrets:
- {{- .Values.postInstall.probeWebhook.image.pullSecrets | toYaml | nindent 12 }}
- {{- end }}
- volumes:
- {{- include "gatekeeper.postInstallWebhookProbeVolume" . | nindent 8 }}
- containers:
- {{- include "gatekeeper.postInstallWebhookProbeContainer" . | nindent 8 }}
- {{- with .Values.postInstall }}
- nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
- tolerations: {{ include "linux-node-tolerations" . | nindent 8 }}
- affinity:
- {{- toYaml .affinity | nindent 8 }}
- {{- end }}
-{{- end }}
-{{- end }}
diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/requiredlabels.yaml b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/requiredlabels.yaml
deleted file mode 100644
index e93e6a0a7..000000000
--- a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/requiredlabels.yaml
+++ /dev/null
@@ -1,57 +0,0 @@
-apiVersion: templates.gatekeeper.sh/v1beta1
-kind: ConstraintTemplate
-metadata:
- name: k8srequiredlabels
-spec:
- crd:
- spec:
- names:
- kind: K8sRequiredLabels
- validation:
- # Schema for the `parameters` field
- openAPIV3Schema:
- properties:
- message:
- type: string
- labels:
- type: array
- items:
- type: object
- properties:
- key:
- type: string
- allowedRegex:
- type: string
- targets:
- - target: admission.k8s.gatekeeper.sh
- rego: |
- package k8srequiredlabels
-
- get_message(parameters, _default) = msg {
- not parameters.message
- msg := _default
- }
-
- get_message(parameters, _default) = msg {
- msg := parameters.message
- }
-
- violation[{"msg": msg, "details": {"missing_labels": missing}}] {
- provided := {label | input.review.object.metadata.labels[label]}
- required := {label | label := input.parameters.labels[_].key}
- missing := required - provided
- count(missing) > 0
- def_msg := sprintf("you must provide labels: %v", [missing])
- msg := get_message(input.parameters, def_msg)
- }
-
- violation[{"msg": msg}] {
- value := input.review.object.metadata.labels[key]
- expected := input.parameters.labels[_]
- expected.key == key
- # do not match if allowedRegex is not defined, or is an empty string
- expected.allowedRegex != ""
- not re_match(expected.allowedRegex, value)
- def_msg := sprintf("Label <%v: %v> does not satisfy allowed regex: %v", [key, value, expected.allowedRegex])
- msg := get_message(input.parameters, def_msg)
- }
diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/upgrade-crds-hook.yaml b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/upgrade-crds-hook.yaml
deleted file mode 100644
index 28c2d6bb0..000000000
--- a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/upgrade-crds-hook.yaml
+++ /dev/null
@@ -1,116 +0,0 @@ -{{- if .Values.upgradeCRDs.enabled }} -{{- if .Values.rbac.create }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: gatekeeper-admin-upgrade-crds - labels: - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} - annotations: - helm.sh/hook: pre-install,pre-upgrade - helm.sh/hook-delete-policy: "hook-succeeded,before-hook-creation" - helm.sh/hook-weight: "1" -rules: - - apiGroups: ["apiextensions.k8s.io"] - resources: ["customresourcedefinitions"] - verbs: ["get", "create", "update", "patch"] -{{- with .Values.upgradeCRDs.extraRules }} - {{- toYaml . | nindent 2 }} -{{- end }} -{{- end }} ---- -{{- if .Values.rbac.create }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: gatekeeper-admin-upgrade-crds - labels: - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} - annotations: - helm.sh/hook: pre-install,pre-upgrade - helm.sh/hook-delete-policy: "hook-succeeded,before-hook-creation" - helm.sh/hook-weight: "1" -subjects: - - kind: ServiceAccount - name: gatekeeper-admin-upgrade-crds - namespace: {{ .Release.Namespace }} -roleRef: - kind: ClusterRole - name: gatekeeper-admin-upgrade-crds - apiGroup: rbac.authorization.k8s.io -{{- end }} ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - labels: - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} - name: gatekeeper-admin-upgrade-crds - namespace: '{{ .Release.Namespace }}' - annotations: - helm.sh/hook: pre-install,pre-upgrade - helm.sh/hook-delete-policy: "hook-succeeded,before-hook-creation" - helm.sh/hook-weight: "1" ---- -apiVersion: batch/v1 -kind: Job -metadata: - name: gatekeeper-update-crds-hook - namespace: {{ .Release.Namespace }} - labels: - app: {{ template "gatekeeper.name" . }} - chart: {{ template "gatekeeper.name" . 
}} - gatekeeper.sh/system: "yes" - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} - annotations: - helm.sh/hook: pre-install,pre-upgrade - helm.sh/hook-weight: "1" - helm.sh/hook-delete-policy: "hook-succeeded,before-hook-creation" -spec: - backoffLimit: 0 - template: - metadata: - name: gatekeeper-update-crds-hook - annotations: - {{- toYaml .Values.podAnnotations | trim | nindent 8 }} - labels: - {{- include "gatekeeper.podLabels" . }} - app: '{{ template "gatekeeper.name" . }}' - chart: '{{ template "gatekeeper.name" . }}' - gatekeeper.sh/system: "yes" - heritage: '{{ .Release.Service }}' - release: '{{ .Release.Name }}' - spec: - serviceAccountName: gatekeeper-admin-upgrade-crds - restartPolicy: Never - {{- if .Values.images.pullSecrets }} - imagePullSecrets: - {{- toYaml .Values.images.pullSecrets | nindent 8 }} - {{- end }} - containers: - - name: crds-upgrade - image: '{{ template "system_default_registry" . }}{{ .Values.images.gatekeepercrd.repository }}:{{ .Values.images.gatekeepercrd.tag }}' - imagePullPolicy: '{{ .Values.images.pullPolicy }}' - args: - - apply - - -f - - crds/ - resources: - {{- toYaml .Values.crds.resources | nindent 10 }} - securityContext: - {{- if .Values.enableRuntimeDefaultSeccompProfile }} - seccompProfile: - type: RuntimeDefault - {{- end }} - {{- toYaml .Values.crds.securityContext | nindent 10 }} - {{- with .Values.crds }} - nodeSelector: {{ include "linux-node-selector" . | nindent 8 }} - tolerations: {{ include "linux-node-tolerations" . | nindent 8 }} - affinity: - {{- toYaml .affinity | nindent 8 }} - {{- end }} -{{- end }} diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/validate-install-crd.yaml b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/validate-install-crd.yaml deleted file mode 100644 index 9c4f3a3c2..000000000 --- a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/validate-install-crd.yaml +++ /dev/null 
@@ -1,24 +0,0 @@ -#{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}} -# {{- $found := dict -}} -# {{- set $found "mutations.gatekeeper.sh/v1/Assign" false -}} -# {{- set $found "mutations.gatekeeper.sh/v1alpha1/AssignImage" false -}} -# {{- set $found "mutations.gatekeeper.sh/v1/AssignMetadata" false -}} -# {{- set $found "config.gatekeeper.sh/v1alpha1/Config" false -}} -# {{- set $found "status.gatekeeper.sh/v1beta1/ConstraintPodStatus" false -}} -# {{- set $found "templates.gatekeeper.sh/v1/ConstraintTemplate" false -}} -# {{- set $found "status.gatekeeper.sh/v1beta1/ConstraintTemplatePodStatus" false -}} -# {{- set $found "expansion.gatekeeper.sh/v1alpha1/ExpansionTemplate" false -}} -# {{- set $found "mutations.gatekeeper.sh/v1/ModifySet" false -}} -# {{- set $found "status.gatekeeper.sh/v1beta1/MutatorPodStatus" false -}} -# {{- set $found "externaldata.gatekeeper.sh/v1alpha1/Provider" false -}} -# {{- range .Capabilities.APIVersions -}} -# {{- if hasKey $found (toString .) -}} -# {{- set $found (toString .) true -}} -# {{- end -}} -# {{- end -}} -# {{- range $_, $exists := $found -}} -# {{- if (eq $exists false) -}} -# {{- required "Required CRDs are missing. Please install the corresponding CRD chart before installing this chart." "" -}} -# {{- end -}} -# {{- end -}} -#{{- end -}} \ No newline at end of file diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/validate-psp-install.yaml b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/validate-psp-install.yaml deleted file mode 100644 index a30c59d3b..000000000 --- a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/validate-psp-install.yaml +++ /dev/null 
@@ -1,7 +0,0 @@ -#{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}} -#{{- if .Values.global.cattle.psp.enabled }} -#{{- if not (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }} -#{{- fail "The target cluster does not have the PodSecurityPolicy API resource. Please disable PSPs in this chart before proceeding." -}} -#{{- end }} -#{{- end }} -#{{- end }} diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/webhook-configs-pre-delete.yaml b/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/webhook-configs-pre-delete.yaml deleted file mode 100644 index b57bc6989..000000000 --- a/charts/rancher-gatekeeper/103.0.1+up3.12.0/templates/webhook-configs-pre-delete.yaml +++ /dev/null 
@@ -1,141 +0,0 @@ -{{- if and (or (not .Values.disableValidatingWebhook) (not .Values.disableMutation)) .Values.preUninstall.deleteWebhookConfigurations.enabled }} -apiVersion: batch/v1 -kind: Job -metadata: - name: gatekeeper-delete-webhook-configs - namespace: {{ .Release.Namespace | quote }} - labels: - app: '{{ template "gatekeeper.name" . }}' - chart: '{{ template "gatekeeper.name" . }}' - gatekeeper.sh/system: "yes" - heritage: '{{ .Release.Service }}' - release: '{{ .Release.Name }}' - annotations: - "helm.sh/hook": pre-delete - "helm.sh/hook-weight": "-5" - "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation -spec: - template: - metadata: - annotations: - {{- toYaml .Values.podAnnotations | trim | nindent 8 }} - labels: - {{- include "gatekeeper.podLabels" . }} - app: '{{ template "gatekeeper.name" . }}' - chart: '{{ template "gatekeeper.name" . }}' - gatekeeper.sh/system: "yes" - heritage: '{{ .Release.Service }}' - release: '{{ .Release.Name }}' - spec: - restartPolicy: OnFailure - {{- if .Values.preUninstall.deleteWebhookConfigurations.image.pullSecrets }} - imagePullSecrets: - {{- .Values.preUninstall.deleteWebhookConfigurations.image.pullSecrets | toYaml | nindent 12 }} - {{- end }} - serviceAccount: gatekeeper-delete-webhook-configs - containers: - - name: kubectl-delete - image: '{{ template "system_default_registry" . 
}}{{ .Values.preUninstall.deleteWebhookConfigurations.image.repository }}:{{ .Values.preUninstall.deleteWebhookConfigurations.image.tag }}' - imagePullPolicy: {{ .Values.preUninstall.deleteWebhookConfigurations.image.pullPolicy }} - args: - - delete - {{- if not .Values.disableValidatingWebhook }} - - validatingwebhookconfiguration/{{ .Values.validatingWebhookName }} - {{- end }} - {{- if not .Values.disableMutation }} - - mutatingwebhookconfiguration/{{ .Values.mutatingWebhookName }} - {{- end }} - resources: - {{- toYaml .Values.preUninstall.resources | nindent 12 }} - securityContext: - {{- if .Values.enableRuntimeDefaultSeccompProfile }} - seccompProfile: - type: RuntimeDefault - {{- end }} - {{- toYaml .Values.preUninstall.securityContext | nindent 10 }} - {{- with .Values.preUninstall }} - nodeSelector: {{ include "linux-node-selector" . | nindent 8 }} -{{- if .nodeSelector }} -{{ toYaml .nodeSelector | indent 8 }} -{{- end }} - tolerations: {{ include "linux-node-tolerations" . | nindent 8 }} -{{- if .tolerations }} -{{ toYaml .tolerations | indent 8 }} -{{- end }} - affinity: - {{- toYaml .affinity | nindent 8 }} - {{- end }} ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: gatekeeper-delete-webhook-configs - namespace: {{ .Release.Namespace | quote }} - labels: - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} - annotations: - "helm.sh/hook": pre-delete - "helm.sh/hook-weight": "-5" - "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation ---- -{{- if .Values.rbac.create }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: gatekeeper-delete-webhook-configs - labels: - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} - annotations: - "helm.sh/hook": pre-delete - "helm.sh/hook-weight": "-5" - "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation -rules: - {{- if not .Values.disableValidatingWebhook }} - - apiGroups: - - admissionregistration.k8s.io - resources: - 
- validatingwebhookconfigurations - resourceNames: - - {{ .Values.validatingWebhookName }} - verbs: - - delete - {{- end }} - {{- if not .Values.disableMutation }} - - apiGroups: - - admissionregistration.k8s.io - resources: - - mutatingwebhookconfigurations - resourceNames: - - {{ .Values.mutatingWebhookName }} - verbs: - - delete - {{- end }} -{{- with .Values.preUninstall.deleteWebhookConfigurations.extraRules }} - {{- toYaml . | nindent 2 }} -{{- end }} -{{- end }} ---- -{{- if .Values.rbac.create }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: gatekeeper-delete-webhook-configs - labels: - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} - annotations: - "helm.sh/hook": pre-delete - "helm.sh/hook-weight": "-5" - "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: gatekeeper-delete-webhook-configs -subjects: - - kind: ServiceAccount - name: gatekeeper-delete-webhook-configs - namespace: {{ .Release.Namespace | quote }} -{{- end }} -{{- end }} diff --git a/charts/rancher-gatekeeper/103.0.1+up3.12.0/values.yaml b/charts/rancher-gatekeeper/103.0.1+up3.12.0/values.yaml deleted file mode 100644 index d1029e24a..000000000 --- a/charts/rancher-gatekeeper/103.0.1+up3.12.0/values.yaml +++ /dev/null 
@@ -1,271 +0,0 @@ -replicas: 3 -auditInterval: 60 -metricsBackends: ["prometheus"] -auditMatchKindOnly: false -constraintViolationsLimit: 20 -auditFromCache: false -disableMutation: false -disableValidatingWebhook: false -validatingWebhookName: gatekeeper-validating-webhook-configuration -validatingWebhookTimeoutSeconds: 3 -validatingWebhookFailurePolicy: Ignore -validatingWebhookAnnotations: {} -validatingWebhookExemptNamespacesLabels: {} -validatingWebhookObjectSelector: {} -validatingWebhookCheckIgnoreFailurePolicy: Fail -validatingWebhookCustomRules: {} -enableDeleteOperations: false -enableExternalData: true -enableGeneratorResourceExpansion: false -enableTLSHealthcheck: false -maxServingThreads: -1 -mutatingWebhookName: gatekeeper-mutating-webhook-configuration -mutatingWebhookFailurePolicy: Ignore -mutatingWebhookReinvocationPolicy: Never -mutatingWebhookAnnotations: {} -mutatingWebhookExemptNamespacesLabels: {} -mutatingWebhookObjectSelector: {} -mutatingWebhookTimeoutSeconds: 1 -mutatingWebhookCustomRules: {} -mutationAnnotations: false -auditChunkSize: 500 -logLevel: INFO -logDenies: false -logMutations: false -emitAdmissionEvents: false -emitAuditEvents: false -admissionEventsInvolvedNamespace: false -auditEventsInvolvedNamespace: false -resourceQuota: true -images: - gatekeeper: - repository: rancher/mirrored-openpolicyagent-gatekeeper - tag: v3.12.0 - gatekeepercrd: - repository: rancher/mirrored-openpolicyagent-gatekeeper-crds - tag: v3.12.0 - pullPolicy: IfNotPresent - pullSecrets: [] -preInstall: - crdRepository: - image: - repository: null - tag: v3.12.0 -postUpgrade: - labelNamespace: - enabled: false - image: - repository: rancher/kubectl - tag: v1.20.2 - pullPolicy: IfNotPresent - pullSecrets: [] - extraNamespaces: [] - podSecurity: ["pod-security.kubernetes.io/audit=restricted", - "pod-security.kubernetes.io/audit-version=latest", - "pod-security.kubernetes.io/warn=restricted", - "pod-security.kubernetes.io/warn-version=latest", - 
"pod-security.kubernetes.io/enforce=restricted", - "pod-security.kubernetes.io/enforce-version=v1.24"] - extraAnnotations: {} - affinity: {} - tolerations: [] - nodeSelector: {kubernetes.io/os: linux} - resources: {} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsGroup: 999 - runAsNonRoot: true - runAsUser: 1000 -postInstall: - labelNamespace: - enabled: true - extraRules: [] - image: - repository: rancher/mirrored-openpolicyagent-gatekeeper-crds - tag: v3.12.0 - pullPolicy: IfNotPresent - pullSecrets: [] - extraNamespaces: [] - podSecurity: ["pod-security.kubernetes.io/audit=restricted", - "pod-security.kubernetes.io/audit-version=latest", - "pod-security.kubernetes.io/warn=restricted", - "pod-security.kubernetes.io/warn-version=latest", - "pod-security.kubernetes.io/enforce=restricted", - "pod-security.kubernetes.io/enforce-version=v1.24"] - extraAnnotations: {} - probeWebhook: - enabled: true - image: - repository: rancher/mirrored-curlimages-curl - tag: 7.83.1 - pullPolicy: IfNotPresent - pullSecrets: [] - waitTimeout: 60 - httpTimeout: 2 - insecureHTTPS: false - affinity: {} - tolerations: [] - nodeSelector: {kubernetes.io/os: linux} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsGroup: 999 - runAsNonRoot: true - runAsUser: 1000 -preUninstall: - deleteWebhookConfigurations: - extraRules: [] - enabled: false - image: - repository: rancher/mirrored-openpolicyagent-gatekeeper-crds - tag: v3.12.0 - pullPolicy: IfNotPresent - pullSecrets: [] - affinity: {} - tolerations: [] - nodeSelector: {} - resources: {} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsGroup: 999 - runAsNonRoot: true - runAsUser: 1000 -podAnnotations: {} -podLabels: {} -podCountLimit: "100" -secretAnnotations: {} -enableRuntimeDefaultSeccompProfile: true 
-controllerManager: - exemptNamespaces: [] - exemptNamespacePrefixes: [] - hostNetwork: false - dnsPolicy: ClusterFirst - port: 8443 - metricsPort: 8888 - healthPort: 9090 - readinessTimeout: 1 - livenessTimeout: 1 - priorityClassName: system-cluster-critical - disableCertRotation: false - tlsMinVersion: 1.3 - clientCertName: "" - affinity: - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - podAffinityTerm: - labelSelector: - matchExpressions: - - key: gatekeeper.sh/operation - operator: In - values: - - webhook - topologyKey: kubernetes.io/hostname - weight: 100 - topologySpreadConstraints: [] - tolerations: [] - nodeSelector: {} - resources: - limits: - memory: 512Mi - requests: - cpu: 100m - memory: 512Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsGroup: 999 - runAsNonRoot: true - runAsUser: 1000 - podSecurityContext: - fsGroup: 999 - supplementalGroups: - - 999 - extraRules: [] - networkPolicy: - enabled: false - ingress: { } - # - from: - # - ipBlock: - # cidr: 0.0.0.0/0 -audit: - hostNetwork: false - dnsPolicy: ClusterFirst - metricsPort: 8888 - healthPort: 9090 - readinessTimeout: 1 - livenessTimeout: 1 - priorityClassName: system-cluster-critical - disableCertRotation: true - affinity: {} - tolerations: [] - nodeSelector: {} - resources: - limits: - memory: 512Mi - requests: - cpu: 100m - memory: 512Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsGroup: 999 - runAsNonRoot: true - runAsUser: 1000 - podSecurityContext: - fsGroup: 999 - supplementalGroups: - - 999 - writeToRAMDisk: false - extraRules: [] -crds: - affinity: {} - tolerations: [] - nodeSelector: {kubernetes.io/os: linux} - resources: {} - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsGroup: 65532 - runAsNonRoot: true - runAsUser: 65532 -pdb: - 
controllerManager: - minAvailable: 1 -global: - cattle: - systemDefaultRegistry: "" - psp: - enabled: false - kubectl: - repository: rancher/kubectl - tag: v1.20.2 -service: {} -disabledBuiltins: ["{http.send}"] -upgradeCRDs: - enabled: true - extraRules: [] -rbac: - create: true -externalCertInjection: - enabled: false - secretName: gatekeeper-webhook-server-cert diff --git a/index.yaml b/index.yaml index 6add247a9..298dc39fb 100755 --- a/index.yaml +++ b/index.yaml 
@@ -8751,36 +8751,6 @@ entries:
 urls:
 - assets/rancher-gatekeeper/rancher-gatekeeper-103.1.0+up3.13.0.tgz
 version: 103.1.0+up3.13.0
- - annotations:
- catalog.cattle.io/auto-install: rancher-gatekeeper-crd=match
- catalog.cattle.io/certified: rancher
- catalog.cattle.io/display-name: OPA Gatekeeper
- catalog.cattle.io/kube-version: '>= 1.20.0-0 < 1.28.0-0'
- catalog.cattle.io/namespace: cattle-gatekeeper-system
- catalog.cattle.io/os: linux
- catalog.cattle.io/permits-os: linux,windows
- catalog.cattle.io/provides-gvr: config.gatekeeper.sh.config/v1alpha1
- catalog.cattle.io/rancher-version: '>= 2.8.0-0 < 2.9.0-0'
- catalog.cattle.io/release-name: rancher-gatekeeper
- catalog.cattle.io/type: cluster-tool
- catalog.cattle.io/ui-component: gatekeeper
- apiVersion: v2
- appVersion: v3.12.0
- created: "2023-08-23T17:22:58.94666364-03:00"
- description: Modifies Open Policy Agent's upstream gatekeeper chart that provides
- policy-based control for cloud native environments
- digest: ee25ad45beb67bc91aa47dd7c576ba89cd00ade03db94341c463948901a3c0c6
- home: https://github.com/open-policy-agent/gatekeeper
- icon: https://charts.rancher.io/assets/logos/gatekeeper.svg
- keywords:
- - open policy agent
- - security
- name: rancher-gatekeeper
- sources:
- - https://github.com/open-policy-agent/gatekeeper.git
- urls:
- - assets/rancher-gatekeeper/rancher-gatekeeper-103.0.1+up3.12.0.tgz
- version: 103.0.1+up3.12.0
 - annotations:
 catalog.cattle.io/auto-install: rancher-gatekeeper-crd=match
 catalog.cattle.io/certified: rancher
@@ -9168,20 +9138,6 @@ entries:
 urls:
 - assets/rancher-gatekeeper-crd/rancher-gatekeeper-crd-103.1.0+up3.13.0.tgz
 version: 103.1.0+up3.13.0
- - annotations:
- catalog.cattle.io/certified: rancher
- catalog.cattle.io/hidden: "true"
- catalog.cattle.io/namespace: cattle-gatekeeper-system
- catalog.cattle.io/release-name: rancher-gatekeeper-crd
- apiVersion: v1
- created: "2023-08-23T17:22:58.953726661-03:00"
- description: Installs the CRDs for rancher-gatekeeper.
- digest: d47fba3bc692cd330ea61d70de4c1fd8e4316cd13cdf7bf6f13b17df132bd74d
- name: rancher-gatekeeper-crd
- type: application
- urls:
- - assets/rancher-gatekeeper-crd/rancher-gatekeeper-crd-103.0.1+up3.12.0.tgz
- version: 103.0.1+up3.12.0
 - annotations:
 catalog.cattle.io/certified: rancher
 catalog.cattle.io/hidden: "true"
diff --git a/release.yaml b/release.yaml
index d8fe4665a..bb82c8e53 100644
--- a/release.yaml
+++ b/release.yaml
@@ -5,8 +5,6 @@ rancher-backup-crd:
 - 102.0.2+up3.1.2
 - 103.0.0+up4.0.0
 rancher-gatekeeper:
- - 103.0.1+up3.12.0
 - 103.1.0+up3.13.0
 rancher-gatekeeper-crd:
- - 103.0.1+up3.12.0
 - 103.1.0+up3.13.0
From 3291345346666f508e8e1bb7c7767e7e8c5dd688 Mon Sep 17 00:00:00 2001 From: nicholasSUSE Date: Mon, 21 Aug 2023 15:47:16 -0300 Subject: [PATCH 19/24] Copy rancher-sriov version 102.x.x to 103.0.0 --- .../rancher-sriov/generated-changes/patch/Chart.yaml.patch | 2 +- packages/rancher-sriov/package.yaml | 3 ++- packages/rancher-sriov/templates/crd-template/Chart.yaml | 2 +- 3 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/packages/rancher-sriov/generated-changes/patch/Chart.yaml.patch b/packages/rancher-sriov/generated-changes/patch/Chart.yaml.patch
index cdf00d38d..81107b5d3 100644
--- a/packages/rancher-sriov/generated-changes/patch/Chart.yaml.patch
+++ b/packages/rancher-sriov/generated-changes/patch/Chart.yaml.patch
@@ -9,7 +9,7 @@
 + catalog.cattle.io/namespace: cattle-sriov-system
 + catalog.cattle.io/os: linux
 + catalog.cattle.io/permits-os: linux
-+ catalog.cattle.io/rancher-version: '>= 2.7.0-0 < 2.8.0-0'
++ catalog.cattle.io/rancher-version: '>= 2.8.0-0 < 2.9.0-0'
 + catalog.cattle.io/release-name: sriov
 + catalog.cattle.io/upstream-version: 1.2.0
 apiVersion: v2
diff --git a/packages/rancher-sriov/package.yaml b/packages/rancher-sriov/package.yaml
index c0f0f5274..a9c9d2301 100644
--- a/packages/rancher-sriov/package.yaml
+++ b/packages/rancher-sriov/package.yaml
@@ -1,10 +1,11 @@
 url: https://github.com/k8snetworkplumbingwg/sriov-network-operator.git
 subdirectory: deployment/sriov-network-operator
 commit: bcab8844d807ee1db558533248273ccd492874bb # the commit points to the tag v1.2.0
-version: 102.1.0
+version: 103.0.0
 additionalCharts:
 - workingDir: charts-crd
 crdOptions:
 templateDirectory: crd-template
 crdDirectory: templates
 addCRDValidationToMainChart: true
+doNotRelease: true
diff --git a/packages/rancher-sriov/templates/crd-template/Chart.yaml b/packages/rancher-sriov/templates/crd-template/Chart.yaml
index 6d001906e..ec8eda26f 100644
--- a/packages/rancher-sriov/templates/crd-template/Chart.yaml
+++ b/packages/rancher-sriov/templates/crd-template/Chart.yaml
@@ -1,5 +1,5 @@
 apiVersion: v2
-version: 102.0.0
+version: 103.0.0
 description: Installs the CRDs for rke2-sriov.
 name: sriov-crd
 type: application
From a64c8be173b815bd503958edbfc3dc2c6d0d9e02 Mon Sep 17 00:00:00 2001 From: nicholasSUSE Date: Mon, 21 Aug 2023 16:49:01 -0300 Subject: [PATCH 20/24] Copy rancher-nfd from 01 to 103.0.0 --- packages/rancher-nfd/package.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/packages/rancher-nfd/package.yaml b/packages/rancher-nfd/package.yaml
index 9f5e9f688..38eb86674 100644
--- a/packages/rancher-nfd/package.yaml
+++ b/packages/rancher-nfd/package.yaml
@@ -1,4 +1,4 @@
 url: https://github.com/kubernetes-sigs/node-feature-discovery/releases/download/v0.13.2/node-feature-discovery-chart-0.13.2.tgz
-packageVersion: 01
+version: 103.0.0
 # node-feature-discovery is only used as a dependency of sriov
 doNotRelease: true
From a96cebe648cdd313e0fd2870784f436202622c26 Mon Sep 17 00:00:00 2001 From: Michael Fritch Date: Tue, 26 Sep 2023 08:35:44 -0600 Subject: [PATCH 21/24] Update sriov version to 103.0.0 follow-up to bcab8844d807ee1db558533248273ccd492874bb Signed-off-by: Michael Fritch --- .../generated-changes/patch/Chart.yaml.patch | 2 +- .../generated-changes/patch/values.yaml.patch | 28 +++++++++---------- packages/rancher-sriov/package.yaml | 1 - release.yaml | 4 +++ 4 files changed, 19 insertions(+), 16 deletions(-)
diff --git a/packages/rancher-sriov/generated-changes/patch/Chart.yaml.patch b/packages/rancher-sriov/generated-changes/patch/Chart.yaml.patch
index 81107b5d3..06a1f1315 100644
--- a/packages/rancher-sriov/generated-changes/patch/Chart.yaml.patch
+++ b/packages/rancher-sriov/generated-changes/patch/Chart.yaml.patch
@@ -5,7 +5,7 @@
 + catalog.cattle.io/auto-install: sriov-crd=match
 + catalog.cattle.io/certified: rancher
 + catalog.cattle.io/experimental: "true"
-+ catalog.cattle.io/kube-version: '>= 1.16.0-0 < 1.27.0-0'
++ catalog.cattle.io/kube-version: '>= 1.16.0-0 < 1.28.0-0'
 + catalog.cattle.io/namespace: cattle-sriov-system
 + catalog.cattle.io/os: linux
 + catalog.cattle.io/permits-os: linux
diff --git a/packages/rancher-sriov/generated-changes/patch/values.yaml.patch b/packages/rancher-sriov/generated-changes/patch/values.yaml.patch
index 0e52a1636..d4f9c13cb 100644
--- a/packages/rancher-sriov/generated-changes/patch/values.yaml.patch
+++ b/packages/rancher-sriov/generated-changes/patch/values.yaml.patch
@@ -35,26 +35,26 @@
 - resourcesInjector: ghcr.io/k8snetworkplumbingwg/network-resources-injector
 - webhook: ghcr.io/k8snetworkplumbingwg/sriov-network-operator-webhook
 + operator:
-+ image: rancher/hardened-sriov-network-operator
-+ tag: v1.2.0-build20221014
++ repository: rancher/hardened-sriov-network-operator
++ tag: v1.2.0-build20230912
 + sriovConfigDaemon:
-+ image: rancher/hardened-sriov-network-config-daemon
-+ tag: v1.2.0-build20221014
++ repository: rancher/hardened-sriov-network-config-daemon
++ tag: v1.2.0-build20230912
 + sriovCni:
-+ image: rancher/hardened-sriov-cni
-+ tag: v2.6.3-build20221014
++ repository: rancher/hardened-sriov-cni
++ tag: v2.6.3-build20230913
 + ibSriovCni:
-+ image: rancher/hardened-ib-sriov-cni
-+ tag: v1.0.2-build20221014
++ repository: rancher/hardened-ib-sriov-cni
++ tag: v1.0.2-build20230911
 + sriovDevicePlugin:
-+ image: rancher/hardened-sriov-network-device-plugin
-+ tag: v3.5.1-build20221014
++ repository: rancher/hardened-sriov-network-device-plugin
++ tag: v3.5.1-build20230911
 + resourcesInjector:
-+ image: rancher/hardened-sriov-network-resources-injector
-+ tag: v1.5-build20221014
++ repository: rancher/hardened-sriov-network-resources-injector
++ tag: v1.5-build20230911
 + webhook:
-+ image: rancher/hardened-sriov-network-webhook
-+ tag: v1.2.0-build20221014
++ repository: rancher/hardened-sriov-network-webhook
++ tag: v1.2.0-build20230912
 +
 +# cert_manager enables integration with cert-manager to generate
 +# certificates for the operator webhooks. Otherwise the chart will
diff --git a/packages/rancher-sriov/package.yaml b/packages/rancher-sriov/package.yaml
index a9c9d2301..dca717b37 100644
--- a/packages/rancher-sriov/package.yaml
+++ b/packages/rancher-sriov/package.yaml
@@ -8,4 +8,3 @@ additionalCharts:
 templateDirectory: crd-template
 crdDirectory: templates
 addCRDValidationToMainChart: true
-doNotRelease: true
diff --git a/release.yaml b/release.yaml
index bb82c8e53..809383fc2 100644
--- a/release.yaml
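Review bot: Every hardened-image entry in this hunk is re-keyed from `image` to `repository` (operator through webhook), but the chart templates that consume these values are not touched in this commit, so any template still reading the old `.image` key would render a container reference consisting of only the tag; a `helm template` render of the regenerated 103.0.0 chart should confirm each image string is `<repository>:<tag>` before release. The new tags (`v1.2.0-build20230912`, `v2.6.3-build20230913`, and so on) are mutable tag pins, so the build-date suffix documents when the image was built but does not by itself verify what is pulled; where the image helper allows it, recording the image digest alongside the tag makes the pin verifiable. Note that this hunk edits a generated patch file, so the leading ` +`, `-+` and `++` are the inner patch's own markers and the context lines are themselves additions in the rendered values.yaml. The inner patch continues outside this hunk.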
+++ b/release.yaml
@@ -8,3 +8,7 @@ rancher-gatekeeper:
 - 103.1.0+up3.13.0
 rancher-gatekeeper-crd:
 - 103.1.0+up3.13.0
+sriov:
+ - 103.0.0+up0.1.0
+sriov-crd:
+ - 103.0.0+up0.1.0
From e4982e7acde02942e7ae7406850f942c063a55ba Mon Sep 17 00:00:00 2001 From: Michael Fritch Date: Tue, 26 Sep 2023 08:35:14 -0600 Subject: [PATCH 22/24] Update nfd to v0.14.1 Signed-off-by: Michael Fritch --- packages/rancher-nfd/package.yaml | 2 +- .../patch/charts/rancher-nfd/values.yaml.patch | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/packages/rancher-nfd/package.yaml b/packages/rancher-nfd/package.yaml
index 38eb86674..dc6718be5 100644
--- a/packages/rancher-nfd/package.yaml
+++ b/packages/rancher-nfd/package.yaml
@@ -1,4 +1,4 @@
-url: https://github.com/kubernetes-sigs/node-feature-discovery/releases/download/v0.13.2/node-feature-discovery-chart-0.13.2.tgz
+url: https://github.com/kubernetes-sigs/node-feature-discovery/releases/download/v0.14.1/node-feature-discovery-chart-0.14.1.tgz
 version: 103.0.0
 # node-feature-discovery is only used as a dependency of sriov
 doNotRelease: true
diff --git a/packages/rancher-sriov/generated-changes/patch/charts/rancher-nfd/values.yaml.patch b/packages/rancher-sriov/generated-changes/patch/charts/rancher-nfd/values.yaml.patch
index 811a8d50a..f5df01689 100644
--- a/packages/rancher-sriov/generated-changes/patch/charts/rancher-nfd/values.yaml.patch
+++ b/packages/rancher-sriov/generated-changes/patch/charts/rancher-nfd/values.yaml.patch
@@ -8,7 +8,7 @@
 pullPolicy: IfNotPresent
 # tag, if defined will use the given image tag, else Chart.AppVersion will be used
 - # tag
-+ tag: v0.13.2-build20230605
++ tag: v0.14.1-build20230926
 imagePullSecrets: []
 nameOverride: ""
From cc7431cbcc1b1251c7290d6c2c38b726fe49c6cf Mon Sep 17 00:00:00 2001 From: Michael Fritch Date: Tue, 26 Sep 2023 17:16:47 -0600 Subject: [PATCH 23/24] make charts
Signed-off-by: Michael Fritch --- .../sriov-crd/sriov-crd-103.0.0+up0.1.0.tgz | Bin 0 -> 3468 bytes assets/sriov/sriov-103.0.0+up0.1.0.tgz | Bin 0 -> 20136 bytes charts/sriov-crd/103.0.0+up0.1.0/Chart.yaml | 12 + ...vnetwork.openshift.io_sriovibnetworks.yaml | 79 +++ ...openshift.io_sriovnetworknodepolicies.yaml | 136 +++++ ...k.openshift.io_sriovnetworknodestates.yaml | 159 ++++++ ....openshift.io_sriovnetworkpoolconfigs.yaml | 66 +++ ...iovnetwork.openshift.io_sriovnetworks.yaml | 111 ++++ ...ork.openshift.io_sriovoperatorconfigs.yaml | 91 ++++ charts/sriov/103.0.0+up0.1.0/.helmignore | 23 + charts/sriov/103.0.0+up0.1.0/Chart.yaml | 29 + charts/sriov/103.0.0+up0.1.0/README.md | 73 +++ charts/sriov/103.0.0+up0.1.0/app-README.md | 13 + .../charts/rancher-nfd/.helmignore | 23 + .../charts/rancher-nfd/Chart.yaml | 14 + .../charts/rancher-nfd/README.md | 10 + .../charts/rancher-nfd/crds/nfd-api-crds.yaml | 361 ++++++++++++ .../charts/rancher-nfd/templates/_helpers.tpl | 107 ++++ .../templates/cert-manager-certs.yaml | 67 +++ .../templates/cert-manager-issuer.yaml | 42 ++ .../rancher-nfd/templates/clusterrole.yaml | 119 ++++ .../templates/clusterrolebinding.yaml | 52 ++ .../charts/rancher-nfd/templates/master.yaml | 159 ++++++ .../charts/rancher-nfd/templates/nfd-gc.yaml | 74 +++ .../templates/nfd-master-conf.yaml | 10 + .../templates/nfd-topologyupdater-conf.yaml | 10 + .../templates/nfd-worker-conf.yaml | 10 + .../rancher-nfd/templates/prometheus.yaml | 26 + .../charts/rancher-nfd/templates/role.yaml | 19 + .../rancher-nfd/templates/rolebinding.yaml | 18 + .../charts/rancher-nfd/templates/service.yaml | 18 + .../rancher-nfd/templates/serviceaccount.yaml | 58 ++ .../templates/topologyupdater-crds.yaml | 278 ++++++++++ .../templates/topologyupdater.yaml | 156 ++++++ .../charts/rancher-nfd/templates/worker.yaml | 152 ++++++ .../charts/rancher-nfd/values.yaml | 513 ++++++++++++++++++ .../sriov/103.0.0+up0.1.0/templates/NOTES.txt | 17 + 
.../103.0.0+up0.1.0/templates/_helpers.tpl | 85 +++ .../templates/_webhook-certs.tpl | 31 ++ .../templates/certmanagercerts.yaml | 41 ++ .../templates/clusterrole.yaml | 109 ++++ .../templates/clusterrolebinding.yaml | 29 + .../103.0.0+up0.1.0/templates/configmap.yaml | 25 + .../103.0.0+up0.1.0/templates/operator.yaml | 98 ++++ .../sriov/103.0.0+up0.1.0/templates/role.yaml | 125 +++++ .../templates/rolebinding.yaml | 44 ++ .../103.0.0+up0.1.0/templates/secrets.yaml | 20 + .../templates/serviceaccount.yaml | 15 + .../templates/validate-install-crd.yaml | 19 + charts/sriov/103.0.0+up0.1.0/values.yaml | 64 +++ index.yaml | 49 ++ 51 files changed, 3859 insertions(+) create mode 100644 assets/sriov-crd/sriov-crd-103.0.0+up0.1.0.tgz create mode 100644 assets/sriov/sriov-103.0.0+up0.1.0.tgz create mode 100644 charts/sriov-crd/103.0.0+up0.1.0/Chart.yaml create mode 100644 charts/sriov-crd/103.0.0+up0.1.0/templates/sriovnetwork.openshift.io_sriovibnetworks.yaml create mode 100644 charts/sriov-crd/103.0.0+up0.1.0/templates/sriovnetwork.openshift.io_sriovnetworknodepolicies.yaml create mode 100644 charts/sriov-crd/103.0.0+up0.1.0/templates/sriovnetwork.openshift.io_sriovnetworknodestates.yaml create mode 100644 charts/sriov-crd/103.0.0+up0.1.0/templates/sriovnetwork.openshift.io_sriovnetworkpoolconfigs.yaml create mode 100644 charts/sriov-crd/103.0.0+up0.1.0/templates/sriovnetwork.openshift.io_sriovnetworks.yaml create mode 100644 charts/sriov-crd/103.0.0+up0.1.0/templates/sriovnetwork.openshift.io_sriovoperatorconfigs.yaml create mode 100644 charts/sriov/103.0.0+up0.1.0/.helmignore create mode 100644 charts/sriov/103.0.0+up0.1.0/Chart.yaml create mode 100644 charts/sriov/103.0.0+up0.1.0/README.md create mode 100644 charts/sriov/103.0.0+up0.1.0/app-README.md create mode 100644 charts/sriov/103.0.0+up0.1.0/charts/rancher-nfd/.helmignore create mode 100644 charts/sriov/103.0.0+up0.1.0/charts/rancher-nfd/Chart.yaml create mode 100644 
charts/sriov/103.0.0+up0.1.0/charts/rancher-nfd/README.md create mode 100644 charts/sriov/103.0.0+up0.1.0/charts/rancher-nfd/crds/nfd-api-crds.yaml create mode 100644 charts/sriov/103.0.0+up0.1.0/charts/rancher-nfd/templates/_helpers.tpl create mode 100644 charts/sriov/103.0.0+up0.1.0/charts/rancher-nfd/templates/cert-manager-certs.yaml create mode 100644 charts/sriov/103.0.0+up0.1.0/charts/rancher-nfd/templates/cert-manager-issuer.yaml create mode 100644 charts/sriov/103.0.0+up0.1.0/charts/rancher-nfd/templates/clusterrole.yaml create mode 100644 charts/sriov/103.0.0+up0.1.0/charts/rancher-nfd/templates/clusterrolebinding.yaml create mode 100644 charts/sriov/103.0.0+up0.1.0/charts/rancher-nfd/templates/master.yaml create mode 100644 charts/sriov/103.0.0+up0.1.0/charts/rancher-nfd/templates/nfd-gc.yaml create mode 100644 charts/sriov/103.0.0+up0.1.0/charts/rancher-nfd/templates/nfd-master-conf.yaml create mode 100644 charts/sriov/103.0.0+up0.1.0/charts/rancher-nfd/templates/nfd-topologyupdater-conf.yaml create mode 100644 charts/sriov/103.0.0+up0.1.0/charts/rancher-nfd/templates/nfd-worker-conf.yaml create mode 100644 charts/sriov/103.0.0+up0.1.0/charts/rancher-nfd/templates/prometheus.yaml create mode 100644 charts/sriov/103.0.0+up0.1.0/charts/rancher-nfd/templates/role.yaml create mode 100644 charts/sriov/103.0.0+up0.1.0/charts/rancher-nfd/templates/rolebinding.yaml create mode 100644 charts/sriov/103.0.0+up0.1.0/charts/rancher-nfd/templates/service.yaml create mode 100644 charts/sriov/103.0.0+up0.1.0/charts/rancher-nfd/templates/serviceaccount.yaml create mode 100644 charts/sriov/103.0.0+up0.1.0/charts/rancher-nfd/templates/topologyupdater-crds.yaml create mode 100644 charts/sriov/103.0.0+up0.1.0/charts/rancher-nfd/templates/topologyupdater.yaml create mode 100644 charts/sriov/103.0.0+up0.1.0/charts/rancher-nfd/templates/worker.yaml create mode 100644 charts/sriov/103.0.0+up0.1.0/charts/rancher-nfd/values.yaml create mode 100644 
charts/sriov/103.0.0+up0.1.0/templates/NOTES.txt create mode 100644 charts/sriov/103.0.0+up0.1.0/templates/_helpers.tpl create mode 100644 charts/sriov/103.0.0+up0.1.0/templates/_webhook-certs.tpl create mode 100644 charts/sriov/103.0.0+up0.1.0/templates/certmanagercerts.yaml create mode 100644 charts/sriov/103.0.0+up0.1.0/templates/clusterrole.yaml create mode 100644 charts/sriov/103.0.0+up0.1.0/templates/clusterrolebinding.yaml create mode 100644 charts/sriov/103.0.0+up0.1.0/templates/configmap.yaml create mode 100644 charts/sriov/103.0.0+up0.1.0/templates/operator.yaml create mode 100644 charts/sriov/103.0.0+up0.1.0/templates/role.yaml create mode 100644 charts/sriov/103.0.0+up0.1.0/templates/rolebinding.yaml create mode 100644 charts/sriov/103.0.0+up0.1.0/templates/secrets.yaml create mode 100644 charts/sriov/103.0.0+up0.1.0/templates/serviceaccount.yaml create mode 100644 charts/sriov/103.0.0+up0.1.0/templates/validate-install-crd.yaml create mode 100644 charts/sriov/103.0.0+up0.1.0/values.yaml 
diff --git a/assets/sriov-crd/sriov-crd-103.0.0+up0.1.0.tgz b/assets/sriov-crd/sriov-crd-103.0.0+up0.1.0.tgz new file mode 100644 index 0000000000000000000000000000000000000000..c99d6302e10f694fc9dc731f3dd17b12235c511c GIT binary patch literal 3468 zcmV;74Ri7ziwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0PH+lbK^Fz`E_ZnO&`AbrbA1x z#YQ4kl5*m&?SKDyR+Zv9KM70x*2gnA{7zu+Ap4KQMfk( zgfXs&qMXT-EdY-w67pfoBT9wXqI}mwq3D33e*%IqFF@f$!>1SpjgTo4o)KNWm1tal%N8Hv)gkC11>;3;GX5GwY5l1jbl6k62~F+jApk+ z8SzegztwKF|2K)-txl`G_1dfd?%mY?6-IGL6v|z5jiGwv;-ST3WHO)w)uQ}2bBFfR zd$MA*DDnTpqoek`|L+|f9_`ouzX{lCHk)(yPhyHs3Yq>(wjMr6?Kq>()&ph!37jQT z@#q#MPlSi(IG~Ig6OT|4pD3b($U;m3@HkU~harmQ5LxRX>0>{kp^w54pSWJTbQI>Oa&ixEF~|% zh*(|$v>c~5-TVFC++~2dI5y8PP#e(f5EIh$p9^fm=}mV+Efzf1dqJio3p1uOb9G_v zZOxv=0$R1Hbc*#$QE33fk4@S zpFp5gEKhcKhg4-Q3Iwx614xWe+{QN+m4ZUl`PMMc*SM{Sg21sWiVNQT)3l0>~1FWKGc6j?0#&<3>8m zDq?9{zX_8eWo4FgImJ9P8qQZVWx$26!^blF0A4^SGZV*_To%yHre!1efOtBlsYK{a zr9U?JwfPgp#Y*dzuJvR`E|GGAXSXnf)DusYB3_`&qG_%Ko=Ku6QFax!vN3wT5|(iTaJ@OJAz zml=M+LNJXdSKP-NJ>A$<5H2CP3quF%t_pDxZM?xsaY>S*iZM?f3w04$7m;-l`C3Kf zk|S3vCf)HagZ!e>CYpDe;o|)CPERf9NU!ubMiWtHO3M2S*@DwB^}t+HaUB?J}nB4=X4ZRp7Y#@$Qr3D(yQi zc7Ir@`c_F<)qVGi_T>AECA5e#8YR&QbaH0YyV%g2^34K6^zQ>M)fK9exg(x11tX2z zWT?`J@Z$An)azl0p5mg+1g4lE%|C3QyXu}T_pX*m<%c$ygtzXw>z*sXSyvA52|VuG z=z81i^81Na<_y$H6rj=e4?k#w?HnHO+20R+^V{z1r@x2k?{WIucbG2}n-$o;#{~@) zI&{1wV3!R9kxC?H_sd!hItj2^*O}VD5SxgZBVg*CCJ|S}d)Q5Bb zlE#CXqP$Q}jW@G$Hy3WrQiV|txl(2_1R?}k4$uICb7i-MDh%J8b%FT4Kq+6D?-4TJ z<*!RD-LKD0j^Stsf5KgS7jk}VCo!pRRp#JBAm65bTXkiyyLEpKMNxlpDV zsSwMGL`kCiL0R+mDvA0i>`r1Id_dv_a8t0Yv{%|zVnMl}YFxs{O^TLvS8X}G0|6Zd zC?-@Ot3JV7+CDV!5eh+l1Z_nEI77K?9}#)7l6?RDx}^NdyS6hs>*Adm`&+za>}MnW z-{lgfLLYcREfs2-e`I&~W&K~H?9#`8O8UQh2M0_2-_GH2-T&PLd=vfO)C@P%{WYh# zCCy)hQ`-BrY?pL?Wjfs}G=7Z~75lz3vRJ6QzIE5P?)rWOU0>tHt2ce8VJ?G$o^Na) z?Qpttf!L6_&ww}!+uX{uxJOgcZ!KlXLVmxoA^~TYZg#A@Sg^pHr9#D-^J=@QlgA!C 
zwe5pvvoIR`sQ21j0)!4N8te8j1ZIU_bTMNw@qt0!~$-|s8=+rb)2QzKaI%IBBS)^9#0>x(ns}eIuqH7@)5pO+o))mW&Hno*FD&L@1 zB3IOGF<;voNEY*b^=nQv zi%$#RMyjf~BH`#IOcckD5(YM%wE%=fs@|A+ABAvnUBIs#Gq2}JZwiO~Bm3%a1)ksk zk2w$R(PP;GK*{^R2gghA{~qn{x9k4@Cg9EY|7Xqc%O3#Ta30!TmqBo!08Ehzj{s&k zx8cos1~A3i{2{&i{eYKP7z>3{`%AD^gX9jdyx#ed0J#2XP!*%Ourq0;;%etvK zhW`y#GSAQdtA72b^!XqC-{SXw_Vzn<{=W%$^ZEZKvi^cxzc9lu%Ii0u%~#0b>o5M) z`FfqNzk0sDT9#fhH~&h$_7f5BFB;3)&-_HhtH15D0I&INAM$kfbXzXgrF~HX)DsAz za0e)Z%YH0(CR@w>#r#`;ZFtXIpZ3wiA*2!2L1|eR&wT6RoBu{pL|L_kvie*5LbWsp zzp1C+%;j`D?j!u)|7#n{ZaChsdER=~pJXaIoQpXhoCOc%(a2ze7ohjB1MfNeiw_3X zLr{aWk5`O9MUcg1S>hTs|fzbsd&cKBa@{(s!w z+h6Ga9UdOn-~ZkSyxsoaq8Wa{HsEzSRsPBUJchd|xWKThH#m>7!4}~>|3#fbmlPK2 z)?wW`tXqe#)jFK_;EEkYM_|jKppj^h&k07HU41(rL`gek=Yr6(TJItxLp@hIB%R#X zBf(FM$N1P!hQs_5aQ7QzwvE?izgPLpRmMfSyTW6DDnJ{m)9r2QoHV8B(EcO#1I`~n z1|$r%{(Ou>KF-x%5$l;j{c35xK!R+a0pdqgn%!WUMto^0MlyZgqM`tH*xZv7*)tM4 z;wg=@t*g9kci%7;d_;|mlP~c#=UR|0T|80`&0dqu79$(kw;voNgU4pd0dQt5bj9!O z@!@A3{#IN=vupC9-md#xB7~Yo)`H7#bHYSTZLK4{Lq7s%p>2=$iKLz;D_d~Ne2^*b z-V~RZ{BTLY0D+7M4UNVOf&2!>-g+7sFX~4ugz?I4iDyM}S}oA@w0`y6B4LU~n2M4u u>N8@^D!n(pQb;M`^_fwnI=^)*sD>J9sG)|p0RIgD0RR8QC1Uabb^ri3{?U2> literal 0 HcmV?d00001 
diff --git a/assets/sriov/sriov-103.0.0+up0.1.0.tgz b/assets/sriov/sriov-103.0.0+up0.1.0.tgz new file mode 100644 index 0000000000000000000000000000000000000000..aadbd9b447d0b5be012af72fc4bb65431d40f0db GIT binary patch literal 20136 zcmV*TKwQ5ciwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0POv1e;YTFD2&hBKR*QymHEZ;sGApE?BRdC=TRg%(Gy$JN{W+R zZ;l4+21$&XKnFlm;>13m{rTb6_ZuZjcCy3^o9adv3WY+UssL1RhUubrG=ogIOE?ey z@&u*d@AnV(_SFCVen0>J;NW2Jm%-kCfA8R6crfVyr9T+%?(O~s^q&Hme2KV#>@WRC zx0UbQAEZD+sDJ`f!bcqdJSbp5r>+Nu2#||u4@QDIm~a7uU<4GqI3Dxg%%SjRrC)f6 z2|U5b9{~o5H$$wn8oCb=!*fIg3`U?UScJNz6>p<4au$ejOvwm*`|oeSz#Sa8eWwrp z4Gi4jYx(or(oYGTBOXEzjevgW=nn8D7ieDk3FRXYU=rPzz6}wZW5J#JTBh4sq=)Wn zgY(e+do{`o1qgEFNYo9zOY21;7YxC9(#XIay8R9e@dx{4G3>xF{E)5SBknOA3iasf z(m6f<00rx8OOK;nZrByfs&t~v*p05L-y0OS}kf&}8g3nDHM z>&&R^z)Xmck9xf+7PDyVdUW2qea#JkFo@=3Os03!o*ozT+_89cuqUy!Ks+g?xNFF( zxRY}vcrTz+%6ptSm@Zttn09W_@{Tf}k2;Q_p##n|a7?BhiSCCYM}6CwLret31Tpm~ znnN6nfNuByvF&mRP$A>BjNdlHg%J7dQu-i!SoAkKb>1=`1Ih-Q!)8#1#6UspOLIpfJ4=F)J@D7$AD9WZMm+VAHITn;H zW5uX9gUm++`A)_9C%+SLIsyx|cst_=2mY`>-0lB;Fzf)0&5>HHk0F{{o?M|Rz0y0r z`nqL%1h;O+BRBib6+c^3a>_8V0?y z1*ArQqjf-LCY#j#1e)sQ0^DISQ?(phOHeRHL~=1Q0PsZWHb~DRF++*6Y4G4KI2SX- z?l4EHf>Msa9S(xdRtyb5-tq$fzHAswYMiaJQ50w3Q>BX+Xy?FqV=CkfymdCyvnsMuE6QQ_O`VzZP9% z=;>M!N9>XYC>FYKI%Q}I1-hp8TlLyB_AKka*8c>Whk>MI@9g~g+c?H^uOmQ-y>lSBXDjfq>sXYF4ZhDq6mzafJKC0GF4M^LW6+b$-m@Gf<#(c zoo|#G=!pP01pNLxa4)qj>z-LN9DM!^rbvL0`n=P5OBsN^kLARJ0lHK_nd3JjC{r>`2D3}0_rv&*~NjHNF1jY!FSRiT< z7R%7i^$c-T@(~1-AZLjnlbRUzu~;hGUdmV1gE0b(3JI}ebFk5#N&4{QT1M4f!2-oHcXpsMV zulmEh{C~B(zmfmXQGWlu_p)6HE~3mWxnVe%b|2 zQdw#=85w6~WZJ?5pMYQy@xZ~Z`ibXP(PV<}LD%W#WI;zEd&H1Z1LGE?&A0@=MKDla zX8^-cb;Iraj5KUjU&t0@mpB+B4@$wr=^TL{6W68c`~;)G=KwMU0zAi3zzPb46oD_s zOGTLDvnyFwN^u?{Z`VUk>#|aMMqJ{_0aVBvY}?Y=+QRR2u zbwT&0yZQv9^Eo9NVcr^HU0q{5L&4nTGwt0TNlgb6FNplc?z$SG#_HVo+TNK)-4vG@ zdK|_ZAMzax!<;88cCaUUSn88c;J1hhl%r1(iq>j;XS^I`G~O%37TC*wujy+Yg{x9H z-)W~5BfSUFf`(dzxaIv)dMfeIsG!H!&4>H~!VMLm=h27=qs_0-VfFc;{`#y+1YEM$ERvDv! 
z-kHa#{RzoRa{K}ceGWWjnT!$OW?#W9*_5L+#3JLVmyU9Fr-17|Syy;^Yq;AnZtRiy zR(YSx_chY{AW}K$<|$K(hMnXZhwP+GHl5Ru9;g2m^nYVWI?`xclNHdQ{}1;LUgh-v zgZ}UAYDR=2N9+YaQ>p}1-k?K=K zjt(nj`t57(dIY;3@g^>&U9fwwzpbI&NMIZZ;K~`^mEb$td$9w2O1>39$~-|qm*aUD z;K{Npk)2EB?hcC?jfA!dRF8Im?D8_fzLTONxQoS;cIb?k(t5#@31Wx{aCBIu7T(yN z+<5RtLW~u*wNWD$*<}Nj-b3-;j~kI1*SD;A{P1#!$$ z?f#X!eBpJ=yq5_m+5gcSIo?-lOcg<73j_z?MS!{bYg?ihBOwCrdPW~s5OQQRRn)2z zSNRbwGc{`IY~8gtcH`)4B6#)o)*p}be;&7Fe*Kp{H?CT(0j%LnP}BN9ILQ0|iFyijv#i=o{x%&g;pqt(qP)7Nn zo4~M#akA9_=E<9JBvd;S8WF!+W{sqeLl#@>++yO7z$xbuVx2h>(1!w!;?sTQLQyK| z6TOx@SbwTNFh@I+^4+PCGo05~ZR9*{T(7W#l}Dl(k(8(kEPf zE9xp}cbY^)wmk?8J#uCyQI|94P$ zGx;O5Kcdiw0;$hhv=LIj(8SBKk6{?{G64EOCP$(a)0SAoYY~?{FpGlm#Z`kzV)Vd=aF38$keDf z_KJ-08Sj9uI#yFtr43Sw?+rzzB2M@WPecVqFI$0}LvMx&${@2Q&>ChVFia*4>cd?T zYdQ6PEhue|7EkpDpErW&2?deFqK6h(9s0_{(K~ieH{x=l6FaVjT{G24d^XpuIFzdw zD^P<{{GlVLZZdVNG37fl43Z|AqG9FCPoFB+Rlj}tZO772Jy1iTe`$WvzZDNX6;+Xs z#q$zXw)p3!=>ns>=cTD^@hhR}#xnc@rN;g<%GBe{z^3#6`}_Ix|E~tGHuwLZr951S zeW%&uD>DOWfQ&nWwBkOegSD6Dqv6rpML6~^sR!8=6Yg6^G zK9Bm`W&rCk`C>y=ht`*#=T)U3{}tAA7_KoGK-2zTf4HCb{|z_yzn-UL!iB`*Krz94 z7?w$aC=4kR$ae_#9PIOseSb;>3U2UTAKm=&%ZFEk{s?qm_g^1?!TxIq2K#$nH(P7C z|NYI?+l%4rRK;;w#X{VBN_e-kszWnE) zvhsea>MQxr>*}gEC-cR_^S zVifq!@Wx(uMt(UkIP?!#^heye0TJI|JB}L?`C*E-2YyFu!r`*;J|++ z|M5ycc(uRZe|54%M}XC4J2;*U7TQ|W<9 z3>pP(3)W6nUXcxYn_9QwY!COAV3#Sv(dm>&|zN;kmxdz?%F4?JTb~8J%`y z8Bzh*_y`R2DJ@MlW#XyGN$=wJnvToJ?}bzsrsimj4)JzL)#d-6)E168GLw2@AF4kd$09OTjgF z`vm<@I1d`Cegb*u#w)GSO-CxL!ZvfEr!~UqJ4W^RrfW8!TfE5jut_0H$S`GCERO=n zxdvtKis^2946C>eHaM5LbgKdyCQ-f~J~3@kQLb_zs;;cbPg8PC2gph&ss09^KaXna z2sq8QZ{m*RL#fs9dkXK1C76}^_cv8czyK4&Dr7mldFrvqm#1GZf_Z#=i3K*L5h#^mAuoz z&#c&RV+mV|#?|HN`G=dMv(uZ?_lMt?qVcG~w}Hg!20yM-82mh*r)O_Z&rZKPJUf0u zl#?)Jbx5abHKKid^5OL89d zpl5?jR)Ie`JN)k5$<5*M`_rqd)AKVqzSo!M@7|qUwr{FhflmbubMaVBeh_UY*>0IJuOBuco#&7P28A%0MQo+;^vEHy4N3KeQjiB%){)^rLq_U0t7C z-dz9ZMfGGU!cBsa<^ew_Mp+4fx_D(}9kJ8?=xhzmFmM}R~@ z@W=7}l%Ch^SozoO=FYOlZ&V0N`-d^`lLv_SA;m-_PeMs$E)Wq58bovC1rX0uA1qM1 
zcDxOrZo^~9REdw&=~w!kU1-TAHv5UP+$9CJ$&s>Xj@6y>L%*xRE|^|`h01*`DZEl_1}0I z*6IRmy8qQ57V^Jr;{QKWY1$Dei8kDB+oAMg!IchVwD#Cl3RrRB%m$?7@3~ab5tx8e;r=5%ISq2*9fB#@NAOGoKcd)mS|Ibk>q*q42 z`vV$!d7oGNu6;#D&2x-@e*T*nM#!docRc1lRthxfe+RGf_dj0k4*Hw<{~Tq@=sZ&a zUId7M7XhWWQ3$F-a`hI2F6gGNWvlxd-R|}_=qq(`OL6@->Mn=M6ofsIdcl#fFRPow;Mu)mbqg49I{vqdw9nf7b}`N5iU>eY|z8;0ibO$gLK!Fzs zgiy><&mr+UTY#XcP8t0oRL5+Quah_buWc8c>x>`jONkN)k;({!+>U#Eb#o;sL!B*P z@{@fyx&l6CyyH%>=&64-`W<)tFV<84+6S{~PyS>75k!T=cOy=@;7C8+IjhZJ6qrbWSB-AoF1R>jvF#6ZS0PVeFS^DI-~#WxC`!4ANBqS z#Vt}gM-}sAH3>s;y*o0*|NEn3rV1VK*1cS#CV-fa~%*e zy1+i-01|*8UxGWR^5>YPZU@--qdHfj_AhqiS{dL8@|Iqp(#BO}dUiXVtx8lY(F;@} zqAB9wV=Bw1T)=;QVe>_2FTwiMQ!#Kn6bjx$_W}{$NviZNY(u;)2c-UtVup z^?66xd-_iwi);mYWhBM%3d0GQ5TYBMoc51F|Etafuw z2^Lr#T+`|LY-pF5(5FZ0-l|H+t#5xKU*}SDI}W&zL#_xBg;NIo7(E?W0)*-c5kU9I ziv%3Y0nUM`g>rOu+5&{a1)sxN_ikf=1>$y-4|+AL5h-8Cg`Qg;}JjD}2B z2Nxbb^nHdn2av0`my`;9HB5F{J}I}W)J*-42z$3zLJ5zptu1iDkV2kgfq19mq=~c` zxPw=J>o{7PEOzx5r$(EW4?7+8DlKBHvduk)L!swOxCBy<1!GL0PTsYo5d-=b(x~%~ zfBd8K4e%ls0B6Fl-T{Y#DH1m(TWOp@p20g;&((+{rcR3yp{A{@ssEWnIn8>yb>5pI z;mGICu54j8r#{&4_tVfj-vGCl{##;G%z!_kY_8c#O?o6|)aUuk@sb!)&(f*y)lksM z1bY|;;G?3z9U4nYC$h(8WZl-p)z|ea<*7n08G`uvH=4ed_715yG7B6>pTu=YlEBHi zgIH93;PyIFy~60u%o*e-r?@)b04ah!QP<=Y34MH05q4|KE=y2KSb-StbWRDN%r``X zIG{|?E}5h@Z)tw@iCM{Jup|iiyz?{Cne{OdDxp2nDYPdv2AyOkz&|Q(w*3Qq0$khFx>9WO|3kH# zmX-EPptbcJ+{%413201dARACdwR~`*YUfw@xCOgmr8qyPyx9-THJseN%66tlL(%gH z?u{{#Z`AE9IeVlKH)0_NDY5;8fyU^&!EsermNVR!lB6%c`ejf(iakj#KSd zh1$eF*H+k}nO%WXNZtsl>IvwATIg6m9>(Fm#^I25dV2x&JD^ z|2N#*-}rx?rEGyqNW2+h)ylwi?4bmhgE8bPIjdUgqL2%Q;2eCsea($T4^`knGQFGj z%9rX=i)e-Kw}ElIxZpZYudf$zt*M%x#Is)tDlD|&w*&5G*qbQ_u8&MYRzam=6Y4H; z#I&Z#ts0hCVkziKI5neZp5Xr`Cdo3IyyUT-&Y+K%kc=_-jN6yWf#owbOu7i zq-H3WCUh?tj8{)g1Y#2?MWXzM`rHNC@j~~ZHkJgH20^S{slI{BA5VsH57fd-f+d(E zX!3DGe*uY9Y$A?;2W9W>W{4pm(ZykaQsxm?0P^^jU`mO?)FchoZgm&@#HC?$H>1F( z%G!}imPs~jjaK!Edk2)RT6nMq~ha{!{ z$+49z!rQWjS=dr*WJa+{HEAcDUcl|T?SMo3Gaj<>QnhlP!OD+q%EV|_Bu3DispY?; 
z@;2+*rjDUH*Ok>9WBl715^-e{dIB$Edzy#H!xQY~E$vW;K{9rsv5m>pm|iZB)}d)< z5(N{icS(3W{OT4R;4_;jS#60M*YF7ZW7Vi-Zv>0bKMWhxl3Asq&rJ&+c{5-j85aYP zhT2^3+$1KNawObI9+a~~@t?soWt~a0LCrFQsU(X}J!uPkY1#jmc>PyXh4+|V3LG-= zd&+isrt?4hgF^oI&H10_DVaku!w!r?W{kk1?+*6dK__LujKH_YNFYyeFoVp$lj1m$ z%{E?LM*38_D0ezQ2^r`w5EGay`9RaMKH_TqkTCQS85expnbA2KfwDz4Zo%Pr%6lpp znt|n5A-U|_qU9ZBzH)yS-=?0aZemJ0jzYoFD0K88q0~g_#8=InN1&yn1Hw?@b*7c%t#Ioc{}b26i0+pnm@E9`tt$`JadToB97NMThazu`emdLItZce9)6~91-L@ z6FE&$@Ez{9~jQ=01#G(;oAZNPImyFm=yQEUaIv%i@+2w zkaZiViYVYn``glCf9&!eadj<@SQe;*!n;;?}F1hA)C=S*-0$W>K;NQ;P9y{+3 zudYunoul)!x6ak|;pMe+eD0i`Uptp4@6SJ+{JXlMv;_#gh{gftvyncwVje5=K!qti zGf578OU+q05&6rvaS`%7u?u@qIw2-$CzIFzBH}G0MD1K2n1lzv8zz z)Xnh%JpF~3F~nyy@JC>nyjzSwKlRs~`cYtlzHZ4!XXn=^qntfsRd8z{`AY)l*n>f^ z1S}$s!1L7p*f>B5I9=pg9PcjyGVvYFqmsNr8dAz>ev1H_Opqr4oXD4Bq>QNDgV+6jmUQpvw3K>*dUz7(^*I5l#LKa&*N8H zT02*38kj+DjNyRZX~UglKUTz;svQjTnjyiKn#EoY++?g6BIxcIK|jDmcB0?dW(I6O z1t@M{1cnw0nfQkxzJLq{0SYjm%O<3BEE5(dXU9cRv88+@*GCsXS$E0=OAT(ILekhB zCXXtU-Nra|?Iy$syzal2?MfK&A9Exa_V|T;Hs}CtZ4*xo^dymbIyGD}OFJMZZ=?js ziLPH$`Q&2B@@pI@J1-?X<|q3PaS$Sd!(|j8Uh=wxzUED`DRfAP$!gA3w*ELw^bw7S z7=b}Y5yrnV;U$iAcnMQij=+SQ>x{#Gzu(bm-!oM^S^@?1?!rc~IN=@)3@0bd@1+h| z+UNy7qu~gA1l_}T@4CR|-h}=+36__X3OUQn7HA@$SVRu_86~npMr^4UKXFN;L5yws z$h@6zSK1Yz9YSJ;7=X4WFtWcE?D4YQ13acF{0VOER!PFcP@Qpp9#IDf-;)vYI(TF2v{E2dXloEoeSR+c}d&v0Pxa1mT^d-AvTp#NT zun+;t=?Q#C`&b|c?=itrsc_|hENKLM3hp4u^d|LLM0AfucJ;Fh117Q(^#2)gRbwuj zAjm_UL$=&8YuubJv=Zq>ELeguQ%*^}o_(8;{988$JI6NQ^Hw3$^Hw^@^YFC^^1PJ` z6y4^#P9Y5YXZb80>s;S%N6QgVxq}@QtuN~k(}G>AK-Pab0^O6}A{!IjMr+i6>E(O` zx@Yvtn<1%cbXzoIHYA-efCN3VwN7zL%SRKHO2UNCmv|gzo&dEcjTl4zal|m08i1Hg zPt`e3^Y}!a9f~yt9q{E2;pt51IRCb2aEN#)8>&yi11oVd!`6D7&q&c78s;{IS{E@hD4l$DA!-A6FPefCmVLr$ivOfWZhH zBr2Lw4zA)f)i4Nt&9qYfYGYSC%C6Ad@YUHBnUGOiT3ja|dSQh9QMz-QT6dBUr53GJ ze4CsB(1q+o0KMBd!QoxtT zmxpJ^WzVlpPD-C&UmaZ(pI?1n(&*LIN$JB9+FxCr?3O;=D}P!Fq7=sU@h>;u|8#Pd z?R?BTKU=PgdFNIN?jXfVw|Y{l*#Ww}5QftFN|EZT4ifg>4T{X033e!Wq&YyI|9Gc 
za0E`&t;o;yEve|94`>Qm9#T!6@@p2M`liB%Hbv--h}f9MZM~Ij`?*+=dr+DWH&Z#p zM44df1F~byn2%j^v_+b~-CyewX1;g;wwK4(?{<$4R~Q4%AJWcv;;udhf`(F^T|S^a zyJ38zjt)r;75bP=O9!PA2ffU>dd+$O62H7Ys3WW_@2=j*<9>;z=srx1J`6+1=9JY9 zy}>b{&_}*jvL7-(2K{~?wd4ZRBu6U$*&1eJ*$gSRm+a)N+TI-gvwV8(7bvT$<775| zFH+S9{kVQ5vRqIGr^p=#)VqBEuFQBQr1e-txL=B}5AW+MS7K}L;_G$z0q9D*TuI6@ z1fsAMT^^!%@N@KSfwFdExg?sy2T5li-DuZx2?E2qnPwYaJfK-0Ewlr+NF?Il`0&1* z5vgDLiN>S_FX{tvl$+h~2OxfWT!z2|`IN!#4(NJ_2+HfoW{`*z?W{gtCJIo6ko-T| z!gqdYriW55bp)ITpknS{+KuE}LdWfy`0?85Az79yruOYaR8wcDU^oi7p_07Z;hYhP?l|0(m1o z{u;^KUO4brI;ibJHJj}wpmJEIL`Au1useoTqT$-+_ywP`{rLTN8)+xMhJeqX=S#=r zfVD@ZfBzk*sAS;t=QnYdF&m>g4K$T`Yc)G_y-Qhf5uqU>?#t5gG#TJ-PLJJ6MRKq! z7sJ7R$>3Iw2N*tVL=v%~$0GEwqyJXppjZ!l{_My<;(BlHu$Va|mil7`rCNZsSxz%k zq&On|^4Vo4q@93I<(ViGG}SW}-9x!Z^7MKR7LakBbWrU}jG=ey*xj>aA6fkqGPF>! zUNje|`ttK~Hu9tSd}-ut%T>QSU%Eyx8wz#H+)^zEeytW+g$7>Nbv1p|mOr7UznN}G z(v=WEee5nElYJjNq~q_?)HYm^ZO4#jmtdsvIm7}cu z+|Kp+#reDQ@Bh>J>EigX#eIb>aEq4UjlRw$=b>3;z#HvXXvwUd2tef^SP* z{&*>0nm1s==v=uwOdu#z4-%{WDJE5SG-ok9-JTJz0j0Mb1o+mlpQ)2OSmdL@2z>Oy z=-2eK;Rt-xgR^7X>uKHlFs}D<1U}B9DGK2facB4*|JrFFVfm7({qyP5&Qfe0T^{q4 zBq&>K3ZlGBG;6t7ClpM`2eX=qx|tW7dC_)W)LhBQYBpQoJk&e3!BS}r zhiNvy~c8 z`Cd;r;2|d7oBT;HR7?~VB`%Idg8Xgu)g2B36%ttoGMPi7I9{C$qS7q9!yN6TB96%6 zync738c@7#bAk))m?&ro2_mtY5HdQKHfL1&g>iC7Dt_sk$(!;VrSkrNk`m-*hJp|= z?uzhXp#U1tDp1;sV?r*OdXBlTZ?2UTVg|T6CyY3qFj3uC+X(t%gjzdoAYaVE3lpj7`0Ps7RgsWFlMGBHN&NDG4B|SK6)BzZny#hPm-aJ6eblYwhcvtD-!`tuCuK~@j&%Rl1>KwOL*$drK4Ibt zwME$`3zKkcP-oSRY*M!R4!b(*V`Fu0l=OFThO(3(DFjHeR+a%&3UJYI}5iXTMaJ!)uk|tPI z{KV~b&5!OXu$qL^Y6D^H&Xos3f7f;(N^92*L`v@IZ@a4v&UQo74;!5pu+}s>+3k+i zhbIT1?Kstc)^fls5J!8~A3k&q*gR|uR{^@7!6XyknR=^_;nZt8Y=xRFM{4Rlcx;MI zK5RG|;FOHOmo`r~<%vrR|Br{5a7;dUN4XwXj0)M{|Jgk_$i;sg4)^v38~@L9l>C|$ z==}fIeO;1DIn53_PpC<)e1w?56YN2O$`aqlLB|vi6>=%JQKOCBs&r`{BDM3RUEpUG zZSZLPPvn`MEy|{lm}ItQ$HD}6EembwDf=uBxC4Ms)L97yVJmejBC{%)%Qa4$u4PkY zCk<_Z31;Rp2IfhuabNidB95%_t5v1{KNzEc-YJjNMCA;bhXE3ZAkH6!io5FYfX|;@ zzVN2zePA&+Pde+INaljolTM^;8*7|M8gOnRJ%mw=g|IG0S@(E1sQYHK 
zaJ>>XZw@>yi&V9?MrO%3u?DuugZx?~n=*r5Ln4qo;1`rpCs zCjbAllxF>J3tS--hqlklCYvxd$p+HnD46KPI=!tirGg6v!w{2cG7orX3pgO&p_5+# zlZ(ep6#4!qn^i+ld;A-MqeC@O3Ka;w%TzLOTFX{5AIrt62c5VlYm}zJje10a_{L4`= zfhHY&n!ebsM=A3$Ne@}EZMFZHYe4hCV*%RdDb>B3xK&(5l}vVt@?IM9=5=E{QHKK> zY^|!-Id;!456{o?WoFM8odZ?;mIG1_CYeGZqxZ`+I18{9GAg}u0hhw3mUbpxTm@sw zm-dnQ0#|VU>ijqL@+>#?GF>3;PBY9`rv}mh8H>`+yPBSLtZA7R zpAYYcv67Xf({QgcoARrGt~sJ*X!Z!pG``z9qa>oLb#9_K4xqu^6P8fbtOS=y-QJ~9ZiZiI}$_> zENu$Zu`xvb|)GGmYmH z2q!QKsfAm&pKCoIui-Fzz-sSMZ!cu9Kf zEPerAs6%}hjE-|T-_X5f(4=^DK8M85KXyP@#UC4E(kmQ>%cpyDK-Yo3&)$rRB1$Ee zO=(`Q`>*@mTxadj5Tl50K_VDlB3NJ;9HRg(uaHNH&rPP_q=YKSxfJQdXLnAUofO4`-+oYdBh14H~qDOn}R2OPx225`%fEJrbwSH2lTS-Bm8 zX|RvNFPqZ78AV%Pqgjt+4)&w)OlR4z;Vq#mJffXU-hS{&c>qs2=wh;f0rtDql<}DF zc=4wt^EnH;lo|mqs0v$K;JY}u+z#+D*Fn9Q50ci@6%rMr3y2xik-4nguo8){j&VUE zK57V!jJb>g#2-lG^s%FQ)GHc$>|9wA??R~=6?0=rJV)yxB{=22e*`9E;va_i0x}o` zD8PK)JaOfM3q$OL$wwt976CsD&uZ0IF&=a#I6#lrZY8i=w0r=xQmt0uhM0IDyaIYP zYrav|N`@e<_?2mX=_VF5i00_MTyyJHoVxL-x)7NzD%Q8w^t!9iC9mDvD7C40o{hvR z;z!Bk(fGB(Ow%{-L~J5!GfDM{>gtbLU}&iuUhHKHDNtdeq0;q^Px`Es-{vANR!smVM!m- z;FsRrX)Z1H|MX7klkNZY_x1++`Tf7aU~~WfSxW6;ibtQCaB_#oR@h;D;HikOaC1@N zRS-KN&RRn=GTp5VF=+i8fwvV3)H` zv)j66SGi5r5JSO|+#$M@We~AFXviaCsui=2mCxR(_sqJwl#tJ$r%%17(b4}<>iXJC zOZ`7(gRX7}H0b~R{Xstd*WlGA{=@T>w052xTec32wdmzp|Hb+g^hc@Zai_8_kP-Og z!~!C}ouH@!K3Tz%gZQOK@?oXr{I>>P9O!2iLC`q=_wxB4c3<@mHuL{E$}`OWVw9+_ zRuU9KLsiOzyvO5@DjZtQe;W+$+1CHP&HR6s@(lAo#XDc;tT%B4E9ZLZ{U33P*OnIZ zKgk&Oz&(J5`9Ik2@8#$JU~jmY|Ibl!-ka1|C)=!B;39qu-cy1FW%iC9c=29upKoUz z{c~Llld0=bhA4MEI!`?R7t}X!zR=C^I`{Bir3)fOoxmQkGBsolP{W&z{hS$u9WVtpBumum2|oWWcx%e zvavsj+o*;7e|X?GQ=0U@gZ*6mkHM=~oBiMCDZiKIj(J@CkF|vtiX%mTHM_c1A&MRm zuBTm)sizwMmh=B%fqzVC(*Fkg1^sWhx5@wcEaj=@|2o56e1&4*VIeaf87srkVVx0N zYBGzhKXA*J=Jib}mKO5gFvr7Hz$W?MFUJ4a>%ZE_|K}*B{y!s6*0}rkH3@H!4<})5 za=cYV$X)pgxp2Y_&0}b+jcYm0V|2cSdu+jgYrIcTHt4?rPw_aHN^FhnT zlSZ;!_X1LNi6lq2!olH(AM0Lk9M1CbEs1fs)**hLaFI_w)(ymbzCr&YQ7>2Gi02R2 z_~fHs?8?&)c&n`5Pd#&=)J^c@Lsm|@rx~^{y`HaHTIhd;vwzHA?Ib|G{x>{$^(t@w 
z?+y+&@jsuXJYJX3BIxMyn3r7l!{}ZhqPBgD!I2{_=={>`lN=*;VE|K-5mALn2}A6_ zFl2Orav5Vragw?z7PDxqjvS<}r6V$f#6xpL1n-4W5cCGGU+IukNn{IWiiiR`j&R_c zbYQVe?Yo14JL~|xX@e=b#&g64oQESoq991}gO%oha7zBCC=Hkc7D(`fb3;@C)Vlb#eRo_mVQ6@6S0hBamh^v#5x(+7OD1fXKkVJ@k zG(_bx&iBr~9Q)7&{ z!Y$d7Q|vBg2(yIRG1!pN5V8CXo)lYW@AagS_*UX+?t=M}pAlD)VN8#aZ@LEPMCUDJ zC}fBuqB%TwUyI6V38-@RyJ{InjLR{J0u_p8ftUacd2~wfzhc-b8KP`d3GaMZ33Y~q zz(AjT*inR-!zExywgMuOf~OBhxZpiy2w*bFPB1&2JvyI91dC-)O(Hyw1ZBMEqXi0j z98Vp{ycrhAlM8rH&R&H&QB&HT`&;p-e4D{lJL9-um`qbI6z|uJfMk4tIe_L<-HU|K z@{y#@<;m4`%n)iY^3+#!Pd?Gfy0WHP>V=(O>Yiia zR$OTai;8CL3&pZPH0K3Qqf(jS_sKS+5wYvsnynw?6#DM}Us8Y>1^1*nia!{6!4$#N3rG7mE|L4Vj z|Lv2r{l8zl_}F*;{_Edf{I{!qyxjiZ+n?+of7{-E@#5o;@4vskIQbQCfBHzG`K|uz z(~FPjon|_y6nUqj+?%UP-b8oD8EEF)4$B zqC_j{stW2!&>eW8$6OjzeiR^oTMfJ6s1y&^0G(qJ@eE%ptfU2@_$WpUu!s<8mHbcP zEDwgz%S47K49J&btRsV5gHVz}!S#%{c`hLh6+= z{yUW|X?dICFfJ%lv7c<@o}2@6xN$%xW#fP>nG;nGmnU$wG<%>P=U%C^Cmv+*RT{_Z zlP_h~?Meb><3j#(xsbDCcYJbjd2)1keR6D-c!uUw>fD%s#bAsC9BhxIH7CJ>K=v>- zrSrmS0tiAr^1p4Kmm9D33esicwcdEGH(qN~zC5RFyw<6*@mg=Z)*G+&AJbj5@mg=Z z)*G+&#%sOtT34u98?W`Vd95GpnpRKr(kQU z$@quVg$rV~p z8lQX&-mmL&k-Z>af@R}HL0{2{qo+vs^Zbc>N+|Hf)A*F&1j+(A=11nsX82j-y;<;Q zO8b-V_v3Q_Rq)3qBTz*~piEnb$H$i^S6Az4PN_HUjB;^$5m&2DK$IW2>U2apzq=pX zua4fpc+-<@ISa^o0UoPsVF41En)ab9zsRQ@s#zm7N~bN89`OL7ur%*c1Kg5SNQLax zB@OKIh73xL{kw~U!pcRpseh`r6R*K_9n1l4+rfMbFIVnhMQ+|TW=dXbp5*mrNqz_m zD9J0{VlqW6WSEqUdq{omOp+RpZPH9e9g1EGjV8vkQ(A{#PaI zD***M#w?YzJq2S69GeXCrn-`S2nYtfTTG^4yaZFckiQ@?0758c6}?j*J3eM_8nJgk zS<>r#C(_xk^U1GM;8GEu~{}~({WY**(`5yT(F+XgXiRiWelTst>$cfa_4O^iwD zs$hu!Oq(-b`L@Y}c8;3kHi8xRWDLZ|Z^dMWzBc`SH5Tn`!!NYEQ@^-!~xE5^0m2YNM&`n_5fh>=!tf2kG z*%kB3{IPM@IP)62#+mmx@2{4%j{i6}v^h-b_g0{@O;PvQwk@31TF+$~e=1-1%6kMB zrzhVTDDXtiuU#*A%3O$vdpj$Hnq^Hrv?{q%BVOtOW<*VcM5%{VkS;Ysq#jZR$~xsn za|bdqWHnLIJa7+^9kn829c`A%jAqeL>aSi`w)&)$-lU6C&iJ_u5 zy6BHif7#@VH7Gu>)7hH(&){n|O+AT=xvs&GVXBPP0CH}!R+}~oue81jK7rpNDo{y7 zYxDnA`hVRS3g&o9C_|5JqapuOe}8vBm;d=-INap_f0nWZF7&l46}Cr@H@KT20#pEe 
zb;S>Qw{VKM+t~uwGt2>xLS>2pK0`qOrU4ymza=Kq9l%fk1zsQ}^-|9v@jF|9psBuD z{32v%g71;9C(HlZc7arc)Lmn96AXlifdCWacHHBun=3&X>TH1{I-gSlJ{(;EA2Z%@ zr&#pVzZ(6HJN_5zsekQ**|aDBv48Rf=_P>1(7TO7ptoaRy8JHeymZI#w)4^zbNQPx zJng*vznv}c0WwS@4o;6xc*hMHRo8i3>?7FI)fxR~$6aub`l$Cu*k-Dn|Cc9+$L~+v zx&Qb!n&$tje(wIyV1IXSlmGKs%9aXT28{0u99y-h(-qzufevDN*0Da$~ zL|sMpkwBgbk~D+Nzk>{QtY)X8eeoq1Xl~TDNUydoI96XFA0%}d0?=O|CNM`nfI5a+ zNAF6w;Oy-&2pL^qA8{}V&^?x#QwFMPE>1uKRA42paD?Cv`>4YpnX22D3q*YRnD_vO zVSqjTJr9wGC)m@MS5?chUj!kayPeJzLYB^+*z5Ty4CqqA>&Z3Por!s{-O;4AZvZA-u*lO9m>wZ$D(An)eBP6~qYC%5YRaEX zsh|IQ!~H`3_x|8ue>4A|qvX?uJw?i%6|(CL-9aXYPHYpBi7&Cy6RDUqC;z%4Uyc!H z>S;Djj(Jm>9mgV}w+u7+ZYD86ljbJA&fq^~rW-4k;|usR8u&VJLo7e7SdlW7GNo53 z0h%&ti3u~Ob~`r#DE}A%C^z8?|5)J*(`O7y#w#_QuR`RdVvWJfR5!CA>tCx3tz@M@ zF>FGn@wZl3n1D2sCS zqA`$Ec@RHKT_nu3Kq`Vs+`$=K)J0lJ&!Vcx9L+JV06>9GJy%_0wa)6&Dp*Wo^bOD$ zIz%pDwg(jz8rvuz9-fMS76dvjl6~i>l>3?Ww^&T{6qPQov`PbFlK@WF&3tbIIIZA2 zj^|;JTBj+giSuMgqpS|8Stw@-jf7pAzB+!)$~GM6uKUq^zBFg!wcVn0l8{kB$5GK? zo+rXQgaVIoP#?Ic6`QxL_RO}wni1}1*qfy9AJ*{H=;MFsnszRjc)~k?N8Zf3+heEq#yhm} z4rQso@eVz&cSz3sIuDV2-_|{(#9o7MNW$ZqRitQ*tiS&cmXFuibm5!wH+$kmCNEbm`7a6zgx7_9w4>wg?gxr1b^{ww`lqAAK(0& z`t#p^-L7_Mq7X7EN5Oar2)YY!Won8RgRBPbkW>c7&XD}QshlCUl`fhEm^O*&MBDt8 zy-+k!pH!jVV5FBKb`qd@3OR`hkH(HcO=4wh*2J-HWdtjbZ!6vO^_a$f`!pSmVPkM@ zFsKD$b8Qh?O1Ge>E-joN<=YJJHD=d{&10!=452!^Hz{x`?O2_U!YH@0*DAVw1`>E- z3F9{d<(j4^_fnHl%KNr529caeYM$73m6ys`>5XvB?rIv(hHu(?XW|W>wYyp7Ia0J~ z;GzDX9G7%+!;offBE_M3-U_nHvtdUt9>92#U=k)yba2`{n!2PjwaA`AL7Da*NIfYG z1B`rqdeWYIY>TXN%SfEm8KhJm7>%QDMAov+wghZRz|&1=YPjIP2{`+11dh~loTGkA z_>_V75f`N(UTj-y%%mb|2~(!BWH8!x04%j|M3LC44RS|jGsswKip%IGA%*cEuM&5V{C?k5HT=`h&k}p zZ3Su-d187Kwyl|)yXT>GuO-t$Wg{_@qDk~61(9gp9tj7Ww&he=`HYH{>YtKJG)4E} z3ZIvNlrPxLAy^!d=6Xu++g1*Y=+|hW;r5yY_;jSWI0H8uz2_EE# zm(u_W5Foh1L%5sI$>G+Jc z*b0ff4Y6bQw3EH-fwjW=t)Pf}R%fbIt4aYD0(vubU{&4E zl1+EfWP&_Vr~0VN@hUI8UJrbVxC)DDBH$neNVW1Z=9djGo*hFA@!|(w3s~7S$vh zZy=f`(=A$NwaxNV&FKPb4tlSMzrb^J==)8QJImzuoAeC{HDq{>h7y)S=ITEFH(5Z!nR}cicd-~u{A;o*l 
z;te#qMKy<5T6dt$a-!#0O@&)jtp==N0a-xyh0eTvfGoavuz(E1aiGuksl42)tQ9~7 zAJX3&q2^fH4l`53ZlPN0!UG$8=F zJy%!D6*Y__*= 1.16.0-0 < 1.28.0-0' + catalog.cattle.io/namespace: cattle-sriov-system + catalog.cattle.io/os: linux + catalog.cattle.io/permits-os: linux + catalog.cattle.io/rancher-version: '>= 2.8.0-0 < 2.9.0-0' + catalog.cattle.io/release-name: sriov + catalog.cattle.io/upstream-version: 1.2.0 +apiVersion: v2 +appVersion: 1.2.0 +description: SR-IOV network operator configures and manages SR-IOV networks in the + kubernetes cluster +home: https://github.com/k8snetworkplumbingwg/sriov-network-operator +icon: https://charts.rancher.io/assets/logos/sr-iov.svg +keywords: +- sriov +- Networking +kubeVersion: '>= 1.16.0' +maintainers: +- email: charts@rancher.com + name: Rancher Labs +name: sriov +sources: +- https://github.com/rancher/charts +type: application +version: 103.0.0+up0.1.0 diff --git a/charts/sriov/103.0.0+up0.1.0/README.md b/charts/sriov/103.0.0+up0.1.0/README.md new file mode 100644 index 000000000..b34d479bd --- /dev/null +++ b/charts/sriov/103.0.0+up0.1.0/README.md 
@@ -0,0 +1,73 @@
+# SR-IOV Network Operator Helm Chart
+
+SR-IOV Network Operator Helm Chart provides an easy way to install, configure and manage
+the lifecycle of SR-IOV network operator.
+
+## SR-IOV Network Operator
+SR-IOV Network Operator leverages [Kubernetes CRDs](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/)
+and [Operator SDK](https://github.com/operator-framework/operator-sdk) to configure and manage SR-IOV networks in a Kubernetes cluster.
+
+SR-IOV Network Operator features:
+- Initialize the supported SR-IOV NIC types on selected nodes.
+- Provision/upgrade SR-IOV device plugin executable on selected node.
+- Provision/upgrade SR-IOV CNI plugin executable on selected nodes.
+- Manage configuration of SR-IOV device plugin on host.
+- Generate net-att-def CRs for SR-IOV CNI plugin
+- Supports operation in a virtualized Kubernetes deployment
+ - Discovers VFs attached to the Virtual Machine (VM)
+ - Does not require attached of associated PFs
+ - VFs can be associated to SriovNetworks by selecting the appropriate PciAddress as the RootDevice in the SriovNetworkNodePolicy
+
+## QuickStart
+
+### Prerequisites
+
+- Kubernetes v1.17+
+- Helm v3
+
+### Install Helm
+
+Helm provides an install script to copy helm binary to your system:
+```
+$ curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3
+$ chmod 500 get_helm.sh
+$ ./get_helm.sh
+```
+
+For additional information and methods for installing Helm, refer to the official [helm website](https://helm.sh/)
+
+### Deploy SR-IOV Network Operator
+
+```
+# Install Operator
+$ helm install -n sriov-network-operator --create-namespace --wait sriov-network-operator ./
+
+# View deployed resources
+$ kubectl -n sriov-network-operator get pods
+```
+
+## Chart parameters
+
+In order to tailor the deployment of the network operator to your cluster needs
+We have introduced the following Chart parameters.
+
+### Operator parameters
+
+| Name | Type | Default | description |
+| ---- | ---- | ------- | ----------- |
+| `operator.resourcePrefix` | string | `openshift.io` | Device plugin resource prefix |
+| `operator.enableAdmissionController` | bool | `false` | Enable SR-IOV network resource injector and operator webhook |
+| `operator.cniBinPath` | string | `/opt/cni/bin` | Path for CNI binary |
+| `operator.clusterType` | string | `kubernetes` | Cluster environment type |
+
+### Images parameters
+
+| Name | description |
+| ---- | ----------- |
+| `images.operator` | Operator controller image |
+| `images.sriovConfigDaemon` | Daemon node agent image |
+| `images.sriovCni` | SR-IOV CNI image |
+| `images.ibSriovCni` | InfiniBand SR-IOV CNI image |
+| `images.sriovDevicePlugin` | SR-IOV device plugin image |
+| `images.resourcesInjector` | Resources Injector image |
+| `images.webhook` | Operator Webhook image |
diff --git a/charts/sriov/103.0.0+up0.1.0/app-README.md b/charts/sriov/103.0.0+up0.1.0/app-README.md
new file mode 100644
index 000000000..4dda94a83
--- /dev/null
+++ b/charts/sriov/103.0.0+up0.1.0/app-README.md
@@ -0,0 +1,13 @@
+# Rancher SR-IOV Network Operator
+
+This chart is based on the upstream [k8snetworkplumbingwg/sriov-network-operator](https://github.com/k8snetworkplumbingwg/sriov-network-operator) project. The chart deploys the SR-IOV Operator and its CRDs, which are designed to help the user provision and configure the SR-IOV CNI in a cluster that uses [Multus CNI](https://github.com/k8snetworkplumbingwg/multus-cni), to provide high performing extra network interfaces to pods. This chart is expected to be deployed on an RKE2 cluster and only meant for advanced use cases where multiple CNI plugins and high performing network interfaces on pods are required. Users who do not need these features are not advised to install this chart.
+
+The chart installs the following components:
+
+ - SR-IOV Operator - An operator that helps provision and configure the SR-IOV CNI plugin and SR-IOV Device plugin
+ - SR-IOV Network Config Daemon - A Daemon deployed by the Operator that discovers SR-IOV NICs on each node
+
+Note that SR-IOV requires NICs that support SR-IOV and the activation of specific configuration options in the operating system. Nodes that fulfill these requirements should be labeled with: `feature.node.kubernetes.io/network-sriov.capable=true`.
+
+The SR-IOV Network Config Daemon will be deployed on such capable nodes. For more information on how to use this feature, refer to our RKE2 networking docs.
+
diff --git a/charts/sriov/103.0.0+up0.1.0/charts/rancher-nfd/.helmignore b/charts/sriov/103.0.0+up0.1.0/charts/rancher-nfd/.helmignore
new file mode 100644
index 000000000..0e8a0eb36
--- /dev/null
+++ b/charts/sriov/103.0.0+up0.1.0/charts/rancher-nfd/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/charts/sriov/103.0.0+up0.1.0/charts/rancher-nfd/Chart.yaml b/charts/sriov/103.0.0+up0.1.0/charts/rancher-nfd/Chart.yaml
new file mode 100644
index 000000000..a45c4dc39
--- /dev/null
+++ b/charts/sriov/103.0.0+up0.1.0/charts/rancher-nfd/Chart.yaml
@@ -0,0 +1,14 @@
+apiVersion: v2
+appVersion: v0.14.1
+description: 'Detects hardware features available on each node in a Kubernetes cluster,
+ and advertises those features using node labels. '
+home: https://github.com/kubernetes-sigs/node-feature-discovery
+keywords:
+- feature-discovery
+- feature-detection
+- node-labels
+name: rancher-nfd
+sources:
+- https://github.com/kubernetes-sigs/node-feature-discovery
+type: application
+version: 0.14.1
diff --git a/charts/sriov/103.0.0+up0.1.0/charts/rancher-nfd/README.md b/charts/sriov/103.0.0+up0.1.0/charts/rancher-nfd/README.md
new file mode 100644
index 000000000..16b5254d5
--- /dev/null
+++ b/charts/sriov/103.0.0+up0.1.0/charts/rancher-nfd/README.md
@@ -0,0 +1,10 @@
+# Node Feature Discovery
+
+Node Feature Discovery (NFD) is a Kubernetes add-on for detecting hardware
+features and system configuration. Detected features are advertised as node
+labels. NFD provides flexible configuration and extension points for a wide
+range of vendor and application specific node labeling needs.
+
+See
+[NFD documentation](https://kubernetes-sigs.github.io/node-feature-discovery/v0.14/deployment/helm.html)
+for deployment instructions.
diff --git a/charts/sriov/103.0.0+up0.1.0/charts/rancher-nfd/crds/nfd-api-crds.yaml b/charts/sriov/103.0.0+up0.1.0/charts/rancher-nfd/crds/nfd-api-crds.yaml
new file mode 100644
index 000000000..6866c7ffe
--- /dev/null
+++ b/charts/sriov/103.0.0+up0.1.0/charts/rancher-nfd/crds/nfd-api-crds.yaml
@@ -0,0 +1,361 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + name: nodefeatures.nfd.k8s-sigs.io +spec: + group: nfd.k8s-sigs.io + names: + kind: NodeFeature + listKind: NodeFeatureList + plural: nodefeatures + singular: nodefeature + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: NodeFeature resource holds the features discovered for one node + in the cluster. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: NodeFeatureSpec describes a NodeFeature object. + properties: + features: + description: Features is the full "raw" features data that has been + discovered. + properties: + attributes: + additionalProperties: + description: AttributeFeatureSet is a set of features having + string value. + properties: + elements: + additionalProperties: + type: string + type: object + required: + - elements + type: object + description: Attributes contains all the attribute-type features + of the node. + type: object + flags: + additionalProperties: + description: FlagFeatureSet is a set of simple features only + containing names without values. 
+ properties: + elements: + additionalProperties: + description: Nil is a dummy empty struct for protobuf + compatibility + type: object + type: object + required: + - elements + type: object + description: Flags contains all the flag-type features of the + node. + type: object + instances: + additionalProperties: + description: InstanceFeatureSet is a set of features each of + which is an instance having multiple attributes. + properties: + elements: + items: + description: InstanceFeature represents one instance of + a complex features, e.g. a device. + properties: + attributes: + additionalProperties: + type: string + type: object + required: + - attributes + type: object + type: array + required: + - elements + type: object + description: Instances contains all the instance-type features + of the node. + type: object + type: object + labels: + additionalProperties: + type: string + description: Labels is the set of node labels that are requested to + be created. + type: object + type: object + required: + - spec + type: object + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.12.1 + name: nodefeaturerules.nfd.k8s-sigs.io +spec: + group: nfd.k8s-sigs.io + names: + kind: NodeFeatureRule + listKind: NodeFeatureRuleList + plural: nodefeaturerules + shortNames: + - nfr + singular: nodefeaturerule + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: NodeFeatureRule resource specifies a configuration for feature-based + customization of node objects, such as node labeling. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: NodeFeatureRuleSpec describes a NodeFeatureRule. + properties: + rules: + description: Rules is a list of node customization rules. + items: + description: Rule defines a rule for node customization such as + labeling. + properties: + extendedResources: + additionalProperties: + type: string + description: ExtendedResources to create if the rule matches. + type: object + labels: + additionalProperties: + type: string + description: Labels to create if the rule matches. + type: object + labelsTemplate: + description: LabelsTemplate specifies a template to expand for + dynamically generating multiple labels. Data (after template + expansion) must be keys with an optional value ([=]) + separated by newlines. + type: string + matchAny: + description: MatchAny specifies a list of matchers one of which + must match. + items: + description: MatchAnyElem specifies one sub-matcher of MatchAny. + properties: + matchFeatures: + description: MatchFeatures specifies a set of matcher + terms all of which must match. + items: + description: FeatureMatcherTerm defines requirements + against one feature set. All requirements (specified + as MatchExpressions) are evaluated against each element + in the feature set. + properties: + feature: + type: string + matchExpressions: + additionalProperties: + description: "MatchExpression specifies an expression + to evaluate against a set of input values. 
It + contains an operator that is applied when matching + the input and an array of values that the operator + evaluates the input against. \n NB: CreateMatchExpression + or MustCreateMatchExpression() should be used + for creating new instances. \n NB: Validate() + must be called if Op or Value fields are modified + or if a new instance is created from scratch + without using the helper functions." + properties: + op: + description: Op is the operator to be applied. + enum: + - In + - NotIn + - InRegexp + - Exists + - DoesNotExist + - Gt + - Lt + - GtLt + - IsTrue + - IsFalse + type: string + value: + description: Value is the list of values that + the operand evaluates the input against. + Value should be empty if the operator is + Exists, DoesNotExist, IsTrue or IsFalse. + Value should contain exactly one element + if the operator is Gt or Lt and exactly + two elements if the operator is GtLt. In + other cases Value should contain at least + one element. + items: + type: string + type: array + required: + - op + type: object + description: MatchExpressionSet contains a set of + MatchExpressions, each of which is evaluated against + a set of input values. + type: object + required: + - feature + - matchExpressions + type: object + type: array + required: + - matchFeatures + type: object + type: array + matchFeatures: + description: MatchFeatures specifies a set of matcher terms + all of which must match. + items: + description: FeatureMatcherTerm defines requirements against + one feature set. All requirements (specified as MatchExpressions) + are evaluated against each element in the feature set. + properties: + feature: + type: string + matchExpressions: + additionalProperties: + description: "MatchExpression specifies an expression + to evaluate against a set of input values. It contains + an operator that is applied when matching the input + and an array of values that the operator evaluates + the input against. 
\n NB: CreateMatchExpression or + MustCreateMatchExpression() should be used for creating + new instances. \n NB: Validate() must be called if + Op or Value fields are modified or if a new instance + is created from scratch without using the helper functions." + properties: + op: + description: Op is the operator to be applied. + enum: + - In + - NotIn + - InRegexp + - Exists + - DoesNotExist + - Gt + - Lt + - GtLt + - IsTrue + - IsFalse + type: string + value: + description: Value is the list of values that the + operand evaluates the input against. Value should + be empty if the operator is Exists, DoesNotExist, + IsTrue or IsFalse. Value should contain exactly + one element if the operator is Gt or Lt and exactly + two elements if the operator is GtLt. In other + cases Value should contain at least one element. + items: + type: string + type: array + required: + - op + type: object + description: MatchExpressionSet contains a set of MatchExpressions, + each of which is evaluated against a set of input values. + type: object + required: + - feature + - matchExpressions + type: object + type: array + name: + description: Name of the rule. + type: string + taints: + description: Taints to create if the rule matches. + items: + description: The node this Taint is attached to has the "effect" + on any pod that does not tolerate the Taint. + properties: + effect: + description: Required. The effect of the taint on pods + that do not tolerate the taint. Valid effects are NoSchedule, + PreferNoSchedule and NoExecute. + type: string + key: + description: Required. The taint key to be applied to + a node. + type: string + timeAdded: + description: TimeAdded represents the time at which the + taint was added. It is only written for NoExecute taints. + format: date-time + type: string + value: + description: The taint value corresponding to the taint + key. 
+ type: string + required: + - effect + - key + type: object + type: array + vars: + additionalProperties: + type: string + description: Vars is the variables to store if the rule matches. + Variables do not directly inflict any changes in the node + object. However, they can be referenced from other rules enabling + more complex rule hierarchies, without exposing intermediary + output values as labels. + type: object + varsTemplate: + description: VarsTemplate specifies a template to expand for + dynamically generating multiple variables. Data (after template + expansion) must be keys with an optional value ([=]) + separated by newlines. + type: string + required: + - name + type: object + type: array + required: + - rules + type: object + required: + - spec + type: object + served: true + storage: true diff --git a/charts/sriov/103.0.0+up0.1.0/charts/rancher-nfd/templates/_helpers.tpl b/charts/sriov/103.0.0+up0.1.0/charts/rancher-nfd/templates/_helpers.tpl new file mode 100644 index 000000000..928ece78f --- /dev/null +++ b/charts/sriov/103.0.0+up0.1.0/charts/rancher-nfd/templates/_helpers.tpl 
@@ -0,0 +1,107 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "node-feature-discovery.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "node-feature-discovery.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Allow the release namespace to be overridden for multi-namespace deployments in combined charts +*/}} +{{- define "node-feature-discovery.namespace" -}} + {{- if .Values.namespaceOverride -}} + {{- .Values.namespaceOverride -}} + {{- else -}} + {{- .Release.Namespace -}} + {{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "node-feature-discovery.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Common labels +*/}} +{{- define "node-feature-discovery.labels" -}} +helm.sh/chart: {{ include "node-feature-discovery.chart" . }} +{{ include "node-feature-discovery.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Selector labels +*/}} +{{- define "node-feature-discovery.selectorLabels" -}} +app.kubernetes.io/name: {{ include "node-feature-discovery.name" . 
}} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end -}} + +{{/* +Create the name of the service account which the nfd master will use +*/}} +{{- define "node-feature-discovery.master.serviceAccountName" -}} +{{- if .Values.master.serviceAccount.create -}} + {{ default (include "node-feature-discovery.fullname" .) .Values.master.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.master.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Create the name of the service account which the nfd worker will use +*/}} +{{- define "node-feature-discovery.worker.serviceAccountName" -}} +{{- if .Values.worker.serviceAccount.create -}} + {{ default (printf "%s-worker" (include "node-feature-discovery.fullname" .)) .Values.worker.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.worker.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Create the name of the service account which topologyUpdater will use +*/}} +{{- define "node-feature-discovery.topologyUpdater.serviceAccountName" -}} +{{- if .Values.topologyUpdater.serviceAccount.create -}} + {{ default (printf "%s-topology-updater" (include "node-feature-discovery.fullname" .)) .Values.topologyUpdater.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.topologyUpdater.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Create the name of the service account which nfd-gc will use +*/}} +{{- define "node-feature-discovery.gc.serviceAccountName" -}} +{{- if .Values.gc.serviceAccount.create -}} + {{ default (printf "%s-gc" (include "node-feature-discovery.fullname" .)) .Values.gc.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.gc.serviceAccount.name }} +{{- end -}} +{{- end -}} diff --git a/charts/sriov/103.0.0+up0.1.0/charts/rancher-nfd/templates/cert-manager-certs.yaml b/charts/sriov/103.0.0+up0.1.0/charts/rancher-nfd/templates/cert-manager-certs.yaml new file mode 100644 index 000000000..ac2e51fc1 --- /dev/null 
+++ b/charts/sriov/103.0.0+up0.1.0/charts/rancher-nfd/templates/cert-manager-certs.yaml 
@@ -0,0 +1,67 @@ +{{- if .Values.tls.certManager }} +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: nfd-master-cert + namespace: {{ include "node-feature-discovery.namespace" . }} +spec: + secretName: nfd-master-cert + subject: + organizations: + - node-feature-discovery + commonName: nfd-master + dnsNames: + # must match the service name + - {{ include "node-feature-discovery.fullname" . }}-master + # first one is configured for use by the worker; below are for completeness + - {{ include "node-feature-discovery.fullname" . }}-master.{{ include "node-feature-discovery.namespace" . }}.svc + - {{ include "node-feature-discovery.fullname" . }}-master.{{ include "node-feature-discovery.namespace" . }}.svc.cluster.local + # localhost needed for grpc_health_probe + - localhost + issuerRef: + name: nfd-ca-issuer + kind: Issuer + group: cert-manager.io + +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: nfd-worker-cert + namespace: {{ include "node-feature-discovery.namespace" . }} +spec: + secretName: nfd-worker-cert + subject: + organizations: + - node-feature-discovery + commonName: nfd-worker + dnsNames: + - {{ include "node-feature-discovery.fullname" . }}-worker.{{ include "node-feature-discovery.namespace" . }}.svc.cluster.local + issuerRef: + name: nfd-ca-issuer + kind: Issuer + group: cert-manager.io + +{{- if .Values.topologyUpdater.enable }} +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: nfd-topology-updater-cert + namespace: {{ include "node-feature-discovery.namespace" . }} +spec: + secretName: nfd-topology-updater-cert + subject: + organizations: + - node-feature-discovery + commonName: nfd-topology-updater + dnsNames: + - {{ include "node-feature-discovery.fullname" . }}-topology-updater.{{ include "node-feature-discovery.namespace" . }}.svc.cluster.local + issuerRef: + name: nfd-ca-issuer + kind: Issuer + group: cert-manager.io +{{- end }} + +{{- end }} 
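Review bot: All three Certificates hardcode the cluster DNS domain in their `svc.cluster.local` SANs, and nothing in this chunk shows a value that overrides it; on a cluster with a different domain those FQDN names will not match, and only the master cert also carries the short `-master` name that the comment says the worker actually uses. A comment on the first `dnsNames:` entry, e.g. `# cluster domain is assumed to be cluster.local; adjust if the cluster uses another`, or a chart value for the domain, would make the assumption visible. Note also that the issuer these reference, `nfd-ca-issuer`, is the in-namespace self-signed CA from cert-manager-issuer.yaml with its key in Secret `nfd-ca-cert` in the same namespace, so read access to Secrets in that namespace is effectively access to the CA key; that is worth stating next to the `issuerRef` so RBAC on the namespace is reviewed with it.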
diff --git a/charts/sriov/103.0.0+up0.1.0/charts/rancher-nfd/templates/cert-manager-issuer.yaml b/charts/sriov/103.0.0+up0.1.0/charts/rancher-nfd/templates/cert-manager-issuer.yaml new file mode 100644 index 000000000..f3c57acea --- /dev/null +++ b/charts/sriov/103.0.0+up0.1.0/charts/rancher-nfd/templates/cert-manager-issuer.yaml @@ -0,0 +1,42 @@ +{{- if .Values.tls.certManager }} +# See https://cert-manager.io/docs/configuration/selfsigned/#bootstrapping-ca-issuers +# - Create a self signed issuer +# - Use this to create a CA cert +# - Use this to now create a CA issuer +--- +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: nfd-ca-bootstrap + namespace: {{ include "node-feature-discovery.namespace" . }} +spec: + selfSigned: {} + +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: nfd-ca-cert + namespace: {{ include "node-feature-discovery.namespace" . }} +spec: + isCA: true + secretName: nfd-ca-cert + subject: + organizations: + - node-feature-discovery + commonName: nfd-ca-cert + issuerRef: + name: nfd-ca-bootstrap + kind: Issuer + group: cert-manager.io + +--- +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: nfd-ca-issuer + namespace: {{ include "node-feature-discovery.namespace" . }} +spec: + ca: + secretName: nfd-ca-cert +{{- end }} diff --git a/charts/sriov/103.0.0+up0.1.0/charts/rancher-nfd/templates/clusterrole.yaml b/charts/sriov/103.0.0+up0.1.0/charts/rancher-nfd/templates/clusterrole.yaml new file mode 100644 index 000000000..d4329338b --- /dev/null +++ b/charts/sriov/103.0.0+up0.1.0/charts/rancher-nfd/templates/clusterrole.yaml 
@@ -0,0 +1,119 @@ +{{- if .Values.master.rbac.create }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "node-feature-discovery.fullname" . }} + labels: + {{- include "node-feature-discovery.labels" . | nindent 4 }} +rules: +- apiGroups: + - "" + resources: + - nodes + - nodes/status + verbs: + - get + - patch + - update + - list +- apiGroups: + - nfd.k8s-sigs.io + resources: + - nodefeatures + - nodefeaturerules + verbs: + - get + - list + - watch +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create +- apiGroups: + - coordination.k8s.io + resources: + - leases + resourceNames: + - "nfd-master.nfd.kubernetes.io" + verbs: + - get + - update +{{- end }} + +{{- if and .Values.topologyUpdater.enable .Values.topologyUpdater.rbac.create }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "node-feature-discovery.fullname" . }}-topology-updater + labels: + {{- include "node-feature-discovery.labels" . | nindent 4 }} +rules: +- apiGroups: + - "" + resources: + - nodes + verbs: + - get + - list +- apiGroups: + - "" + resources: + - nodes/proxy + verbs: + - get +- apiGroups: + - "" + resources: + - pods + verbs: + - get +- apiGroups: + - topology.node.k8s.io + resources: + - noderesourcetopologies + verbs: + - create + - get + - update +{{- end }} + +{{- if and .Values.gc.enable .Values.gc.rbac.create (or .Values.enableNodeFeatureApi .Values.topologyUpdater.enable) }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "node-feature-discovery.fullname" . }}-gc + labels: + {{- include "node-feature-discovery.labels" . 
| nindent 4 }} +rules: +- apiGroups: + - "" + resources: + - nodes + verbs: + - list + - watch +- apiGroups: + - "" + resources: + - nodes/proxy + verbs: + - get +- apiGroups: + - topology.node.k8s.io + resources: + - noderesourcetopologies + verbs: + - delete + - list +- apiGroups: + - nfd.k8s-sigs.io + resources: + - nodefeatures + verbs: + - delete + - list +{{- end }} diff --git a/charts/sriov/103.0.0+up0.1.0/charts/rancher-nfd/templates/clusterrolebinding.yaml b/charts/sriov/103.0.0+up0.1.0/charts/rancher-nfd/templates/clusterrolebinding.yaml new file mode 100644 index 000000000..8e3aef83e --- /dev/null +++ b/charts/sriov/103.0.0+up0.1.0/charts/rancher-nfd/templates/clusterrolebinding.yaml 
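Review bot: Both the topology-updater ClusterRole and the gc ClusterRole grant `get` on `nodes/proxy`, which lets the holder reach kubelet endpoints on every node through the API server proxy, and nothing in the hunk records what it is needed for (presumably reading kubelet configuration, but that is an inference). A one-line comment above each `nodes/proxy` rule, e.g. `# nodes/proxy: read-only kubelet access via the apiserver proxy; needed for <reason>`, lets a later reviewer verify the grant instead of guessing, and if one of the two components does not actually use it the rule should be dropped. The master role's cluster-wide `patch`/`update` on `nodes` and `nodes/status` is inherent to node labeling but deserves the same note, since those verbs also cover taints and extended resources that affect scheduling.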
@@ -0,0 +1,52 @@ +{{- if .Values.master.rbac.create }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "node-feature-discovery.fullname" . }} + labels: + {{- include "node-feature-discovery.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "node-feature-discovery.fullname" . }} +subjects: +- kind: ServiceAccount + name: {{ include "node-feature-discovery.master.serviceAccountName" . }} + namespace: {{ include "node-feature-discovery.namespace" . }} +{{- end }} + +{{- if and .Values.topologyUpdater.enable .Values.topologyUpdater.rbac.create }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "node-feature-discovery.fullname" . }}-topology-updater + labels: + {{- include "node-feature-discovery.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "node-feature-discovery.fullname" . }}-topology-updater +subjects: +- kind: ServiceAccount + name: {{ include "node-feature-discovery.topologyUpdater.serviceAccountName" . }} + namespace: {{ include "node-feature-discovery.namespace" . }} +{{- end }} + +{{- if and .Values.gc.enable .Values.gc.rbac.create (or .Values.enableNodeFeatureApi .Values.topologyUpdater.enable) }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "node-feature-discovery.fullname" . }}-gc + labels: + {{- include "node-feature-discovery.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "node-feature-discovery.fullname" . }}-gc +subjects: +- kind: ServiceAccount + name: {{ .Values.gc.serviceAccount.name | default "nfd-gc" }} + namespace: {{ include "node-feature-discovery.namespace" . }} +{{- end }} 
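Review bot: The gc ClusterRoleBinding subject is `{{ .Values.gc.serviceAccount.name | default "nfd-gc" }}`, but the gc Deployment in nfd-gc.yaml runs as `{{ .Values.gc.serviceAccountName | default "nfd-gc" }}`, and _helpers.tpl defines a third path, `node-feature-discovery.gc.serviceAccountName` keyed on `.Values.gc.serviceAccount.create`/`.name`, which nothing in this chunk uses. A user who sets either value ends up with the ClusterRole bound to a service account the pod does not run as, so gc silently loses its `delete` permissions or, if a matching SA already exists, a SA other than the pod's gains them. Both the binding here and the pod spec in nfd-gc.yaml should resolve the name the same way, e.g. `name: {{ include "node-feature-discovery.gc.serviceAccountName" . }}`, as the master and topology-updater bindings already do; whether the helper's `<fullname>-gc` default lines up with a ServiceAccount template cannot be checked from this chunk.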
diff --git a/charts/sriov/103.0.0+up0.1.0/charts/rancher-nfd/templates/master.yaml b/charts/sriov/103.0.0+up0.1.0/charts/rancher-nfd/templates/master.yaml
new file mode 100644
index 000000000..e77ca136c
--- /dev/null
+++ b/charts/sriov/103.0.0+up0.1.0/charts/rancher-nfd/templates/master.yaml
@@ -0,0 +1,159 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "node-feature-discovery.fullname" . }}-master + namespace: {{ include "node-feature-discovery.namespace" . }} + labels: + {{- include "node-feature-discovery.labels" . | nindent 4 }} + role: master + {{- with .Values.master.deploymentAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + replicas: {{ .Values.master.replicaCount }} + selector: + matchLabels: + {{- include "node-feature-discovery.selectorLabels" . | nindent 6 }} + role: master + template: + metadata: + labels: + {{- include "node-feature-discovery.selectorLabels" . | nindent 8 }} + role: master + {{- with .Values.master.annotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + serviceAccountName: {{ include "node-feature-discovery.master.serviceAccountName" . }} + enableServiceLinks: false + securityContext: + {{- toYaml .Values.master.podSecurityContext | nindent 8 }} + containers: + - name: master + securityContext: + {{- toYaml .Values.master.securityContext | nindent 12 }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + livenessProbe: + exec: + command: + - "/usr/bin/grpc_health_probe" + - "-addr=:{{ .Values.master.port | default "8080" }}" + {{- if .Values.tls.enable }} + - "-tls" + - "-tls-ca-cert=/etc/kubernetes/node-feature-discovery/certs/ca.crt" + - "-tls-client-key=/etc/kubernetes/node-feature-discovery/certs/tls.key" + - "-tls-client-cert=/etc/kubernetes/node-feature-discovery/certs/tls.crt" + {{- end }} + initialDelaySeconds: 10 + periodSeconds: 10 + readinessProbe: + exec: + command: + - "/usr/bin/grpc_health_probe" + - "-addr=:{{ .Values.master.port | default "8080" }}" + {{- if .Values.tls.enable }} + - "-tls" + - 
"-tls-ca-cert=/etc/kubernetes/node-feature-discovery/certs/ca.crt" + - "-tls-client-key=/etc/kubernetes/node-feature-discovery/certs/tls.key" + - "-tls-client-cert=/etc/kubernetes/node-feature-discovery/certs/tls.crt" + {{- end }} + initialDelaySeconds: 5 + periodSeconds: 10 + failureThreshold: 10 + ports: + - containerPort: {{ .Values.master.port | default "8080" }} + name: grpc + - containerPort: {{ .Values.master.metricsPort | default "8081" }} + name: metrics + env: + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + command: + - "nfd-master" + resources: + {{- toYaml .Values.master.resources | nindent 12 }} + args: + {{- if .Values.master.instance | empty | not }} + - "-instance={{ .Values.master.instance }}" + {{- end }} + - "-port={{ .Values.master.port | default "8080" }}" + {{- if not .Values.enableNodeFeatureApi }} + - "-enable-nodefeature-api=false" + {{- else if gt (int .Values.master.replicaCount) 1 }} + - "-enable-leader-election" + {{- end }} + {{- if .Values.master.extraLabelNs | empty | not }} + - "-extra-label-ns={{- join "," .Values.master.extraLabelNs }}" + {{- end }} + {{- if .Values.master.denyLabelNs | empty | not }} + - "-deny-label-ns={{- join "," .Values.master.denyLabelNs }}" + {{- end }} + {{- if .Values.master.resourceLabels | empty | not }} + - "-resource-labels={{- join "," .Values.master.resourceLabels }}" + {{- end }} + {{- if .Values.master.enableTaints }} + - "-enable-taints" + {{- end }} + {{- if .Values.master.crdController | kindIs "invalid" | not }} + - "-crd-controller={{ .Values.master.crdController }}" + {{- else }} + ## By default, disable crd controller for other than the default instances + - "-crd-controller={{ .Values.master.instance | empty }}" + {{- end }} + {{- if .Values.master.featureRulesController | kindIs "invalid" | not }} + - "-featurerules-controller={{ .Values.master.featureRulesController }}" + {{- end }} + {{- if .Values.master.resyncPeriod }} + - "-resync-period={{ 
.Values.master.resyncPeriod }}" + {{- end }} + {{- if .Values.master.nfdApiParallelism | empty | not }} + - "-nfd-api-parallelism={{ .Values.master.nfdApiParallelism }}" + {{- end }} + {{- if .Values.tls.enable }} + - "-ca-file=/etc/kubernetes/node-feature-discovery/certs/ca.crt" + - "-key-file=/etc/kubernetes/node-feature-discovery/certs/tls.key" + - "-cert-file=/etc/kubernetes/node-feature-discovery/certs/tls.crt" + {{- end }} + - "-metrics={{ .Values.master.metricsPort | default "8081" }}" + volumeMounts: + {{- if .Values.tls.enable }} + - name: nfd-master-cert + mountPath: "/etc/kubernetes/node-feature-discovery/certs" + readOnly: true + {{- end }} + - name: nfd-master-conf + mountPath: "/etc/kubernetes/node-feature-discovery" + readOnly: true + volumes: + {{- if .Values.tls.enable }} + - name: nfd-master-cert + secret: + secretName: nfd-master-cert + {{- end }} + - name: nfd-master-conf + configMap: + name: {{ include "node-feature-discovery.fullname" . }}-master-conf + items: + - key: nfd-master.conf + path: nfd-master.conf + {{- with .Values.master.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.master.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.master.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} diff --git a/charts/sriov/103.0.0+up0.1.0/charts/rancher-nfd/templates/nfd-gc.yaml b/charts/sriov/103.0.0+up0.1.0/charts/rancher-nfd/templates/nfd-gc.yaml new file mode 100644 index 000000000..ec67a114e --- /dev/null +++ b/charts/sriov/103.0.0+up0.1.0/charts/rancher-nfd/templates/nfd-gc.yaml 
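Review bot: The master container's `securityContext` is taken wholesale from `.Values.master.securityContext`, whereas the gc container in nfd-gc.yaml pins `allowPrivilegeEscalation: false`, `capabilities.drop: ["ALL"]`, `readOnlyRootFilesystem: true` and `runAsNonRoot: true` inline. values.yaml is not in this chunk, so whether master gets the same baseline by default cannot be confirmed here; if it does not, the component holding cluster-wide `patch`/`update` on nodes runs with the weakest pod hardening in the chart. Either pin the same four fields inline for master or add a comment above the container `securityContext:` line such as `# hardening baseline for master comes from values.yaml; keep it at least as strict as the inline block in nfd-gc.yaml`. The master Deployment begins at the start of this hunk and ends with the tolerations block, so the whole spec is in view.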
@@ -0,0 +1,74 @@ +{{- if and .Values.gc.enable (or .Values.enableNodeFeatureApi .Values.topologyUpdater.enable) -}} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "node-feature-discovery.fullname" . }}-gc + namespace: {{ include "node-feature-discovery.namespace" . }} + labels: + {{- include "node-feature-discovery.labels" . | nindent 4 }} + role: gc + {{- with .Values.gc.deploymentAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + replicas: {{ .Values.gc.replicaCount | default 1 }} + selector: + matchLabels: + {{- include "node-feature-discovery.selectorLabels" . | nindent 6 }} + role: gc + template: + metadata: + labels: + {{- include "node-feature-discovery.selectorLabels" . | nindent 8 }} + role: gc + {{- with .Values.gc.annotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + serviceAccountName: {{ .Values.gc.serviceAccountName | default "nfd-gc" }} + dnsPolicy: ClusterFirstWithHostNet + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + securityContext: + {{- toYaml .Values.gc.podSecurityContext | nindent 8 }} + containers: + - name: gc + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: "{{ .Values.image.pullPolicy }}" + env: + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + command: + - "nfd-gc" + args: + {{- if .Values.gc.interval | empty | not }} + - "-gc-interval={{ .Values.gc.interval }}" + {{- end }} + resources: + {{- toYaml .Values.gc.resources | nindent 12 }} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: [ "ALL" ] + readOnlyRootFilesystem: true + runAsNonRoot: true + + {{- with .Values.gc.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.gc.affinity }} + affinity: + {{- toYaml . 
| nindent 8 }} + {{- end }} + {{- with .Values.gc.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} +{{- end }} diff --git a/charts/sriov/103.0.0+up0.1.0/charts/rancher-nfd/templates/nfd-master-conf.yaml b/charts/sriov/103.0.0+up0.1.0/charts/rancher-nfd/templates/nfd-master-conf.yaml new file mode 100644 index 000000000..c806a8e5d --- /dev/null +++ b/charts/sriov/103.0.0+up0.1.0/charts/rancher-nfd/templates/nfd-master-conf.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "node-feature-discovery.fullname" . }}-master-conf + namespace: {{ include "node-feature-discovery.namespace" . }} + labels: + {{- include "node-feature-discovery.labels" . | nindent 4 }} +data: + nfd-master.conf: |- + {{- .Values.master.config | toYaml | nindent 4 }} diff --git a/charts/sriov/103.0.0+up0.1.0/charts/rancher-nfd/templates/nfd-topologyupdater-conf.yaml b/charts/sriov/103.0.0+up0.1.0/charts/rancher-nfd/templates/nfd-topologyupdater-conf.yaml new file mode 100644 index 000000000..9867f5089 --- /dev/null +++ b/charts/sriov/103.0.0+up0.1.0/charts/rancher-nfd/templates/nfd-topologyupdater-conf.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "node-feature-discovery.fullname" . }}-topology-updater-conf + namespace: {{ include "node-feature-discovery.namespace" . }} + labels: + {{- include "node-feature-discovery.labels" . | nindent 4 }} +data: + nfd-topology-updater.conf: |- + {{- .Values.topologyUpdater.config | toYaml | nindent 4 }} diff --git a/charts/sriov/103.0.0+up0.1.0/charts/rancher-nfd/templates/nfd-worker-conf.yaml b/charts/sriov/103.0.0+up0.1.0/charts/rancher-nfd/templates/nfd-worker-conf.yaml new file mode 100644 index 000000000..61d2a481a --- /dev/null +++ b/charts/sriov/103.0.0+up0.1.0/charts/rancher-nfd/templates/nfd-worker-conf.yaml 
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ include "node-feature-discovery.fullname" . }}-worker-conf
+ namespace: {{ include "node-feature-discovery.namespace" . }}
+ labels:
+ {{- include "node-feature-discovery.labels" . | nindent 4 }}
+data:
+ nfd-worker.conf: |-
+ {{- .Values.worker.config | toYaml | nindent 4 }}
diff --git a/charts/sriov/103.0.0+up0.1.0/charts/rancher-nfd/templates/prometheus.yaml b/charts/sriov/103.0.0+up0.1.0/charts/rancher-nfd/templates/prometheus.yaml
new file mode 100644
index 000000000..b9f4b4640
--- /dev/null
+++ b/charts/sriov/103.0.0+up0.1.0/charts/rancher-nfd/templates/prometheus.yaml
@@ -0,0 +1,26 @@
+{{- if .Values.prometheus.enable }}
+# Prometheus Monitor Service (Metrics)
+apiVersion: monitoring.coreos.com/v1
+kind: PodMonitor
+metadata:
+ name: {{ include "node-feature-discovery.fullname" . }}
+ labels:
+ {{- include "node-feature-discovery.selectorLabels" . | nindent 4 }}
+ {{- with .Values.prometheus.labels }}
+ {{ toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ podMetricsEndpoints:
+ - honorLabels: true
+ interval: 10s
+ path: /metrics
+ port: metrics
+ scheme: http
+ namespaceSelector:
+ matchNames:
+ - {{ include "node-feature-discovery.namespace" . }}
+ selector:
+ matchExpressions:
+ - {key: app.kubernetes.io/instance, operator: In, values: ["{{ .Release.Name }}"]}
+ - {key: app.kubernetes.io/name, operator: In, values: ["{{ include "node-feature-discovery.name" . }}"]}
+{{- end }}
diff --git a/charts/sriov/103.0.0+up0.1.0/charts/rancher-nfd/templates/role.yaml b/charts/sriov/103.0.0+up0.1.0/charts/rancher-nfd/templates/role.yaml
new file mode 100644
index 000000000..c71ede442
--- /dev/null
+++ b/charts/sriov/103.0.0+up0.1.0/charts/rancher-nfd/templates/role.yaml
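Review bot: Inside the `{{- with .Values.prometheus.labels }}` block of prometheus.yaml, `{{ toYaml . | nindent 4 }}` lacks the left-trim dash that every other `toYaml … | nindent` call in these templates uses, so the whitespace before the action is emitted and `nindent` then opens a fresh line, leaving a whitespace-only line ahead of the extra labels. The rendered YAML still parses, so this is a point of style rather than a defect; write it as `{{- toYaml . | nindent 4 }}` to match the sibling templates.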
@@ -0,0 +1,19 @@
+{{- if .Values.worker.rbac.create }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ include "node-feature-discovery.fullname" . }}-worker
+ namespace: {{ include "node-feature-discovery.namespace" . }}
+ labels:
+ {{- include "node-feature-discovery.labels" . | nindent 4 }}
+rules:
+- apiGroups:
+ - nfd.k8s-sigs.io
+ resources:
+ - nodefeatures
+ verbs:
+ - create
+ - get
+ - update
+{{- end }}
+
diff --git a/charts/sriov/103.0.0+up0.1.0/charts/rancher-nfd/templates/rolebinding.yaml b/charts/sriov/103.0.0+up0.1.0/charts/rancher-nfd/templates/rolebinding.yaml
new file mode 100644
index 000000000..d8025be9b
--- /dev/null
+++ b/charts/sriov/103.0.0+up0.1.0/charts/rancher-nfd/templates/rolebinding.yaml
@@ -0,0 +1,18 @@
+{{- if .Values.worker.rbac.create }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ include "node-feature-discovery.fullname" . }}-worker
+ namespace: {{ include "node-feature-discovery.namespace" . }}
+ labels:
+ {{- include "node-feature-discovery.labels" . | nindent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ include "node-feature-discovery.fullname" . }}-worker
+subjects:
+- kind: ServiceAccount
+ name: {{ include "node-feature-discovery.worker.serviceAccountName" . }}
+ namespace: {{ include "node-feature-discovery.namespace" . }}
+{{- end }}
+
diff --git a/charts/sriov/103.0.0+up0.1.0/charts/rancher-nfd/templates/service.yaml b/charts/sriov/103.0.0+up0.1.0/charts/rancher-nfd/templates/service.yaml
new file mode 100644
index 000000000..0d4789818
--- /dev/null
+++ b/charts/sriov/103.0.0+up0.1.0/charts/rancher-nfd/templates/service.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "node-feature-discovery.fullname" . }}-master
+ namespace: {{ include "node-feature-discovery.namespace" . }}
+ labels:
+ {{- include "node-feature-discovery.labels" . | nindent 4 }}
+ role: master
+spec:
+ type: {{ .Values.master.service.type }}
+ ports:
+ - port: {{ .Values.master.service.port | default "8080" }}
+ targetPort: grpc
+ protocol: TCP
+ name: grpc
+ selector:
+ {{- include "node-feature-discovery.selectorLabels" . | nindent 4 }}
+ role: master
diff --git a/charts/sriov/103.0.0+up0.1.0/charts/rancher-nfd/templates/serviceaccount.yaml b/charts/sriov/103.0.0+up0.1.0/charts/rancher-nfd/templates/serviceaccount.yaml
new file mode 100644
index 000000000..dae09503e
--- /dev/null
+++ b/charts/sriov/103.0.0+up0.1.0/charts/rancher-nfd/templates/serviceaccount.yaml
@@ -0,0 +1,58 @@
+{{- if .Values.master.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "node-feature-discovery.master.serviceAccountName" . }}
+ namespace: {{ include "node-feature-discovery.namespace" . }}
+ labels:
+ {{- include "node-feature-discovery.labels" . | nindent 4 }}
+ {{- with .Values.master.serviceAccount.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+{{- end }}
+
+{{- if and .Values.topologyUpdater.enable .Values.topologyUpdater.serviceAccount.create }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "node-feature-discovery.topologyUpdater.serviceAccountName" . }}
+ namespace: {{ include "node-feature-discovery.namespace" . }}
+ labels:
+ {{- include "node-feature-discovery.labels" . | nindent 4 }}
+ {{- with .Values.topologyUpdater.serviceAccount.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+{{- end }}
+
+{{- if and .Values.gc.enable .Values.gc.rbac.create (or .Values.enableNodeFeatureApi .Values.topologyUpdater.enable) }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ .Values.gc.serviceAccount.name | default "nfd-gc" }}
+ namespace: {{ include "node-feature-discovery.namespace" . }}
+ labels:
+ {{- include "node-feature-discovery.labels" . | nindent 4 }}
+ {{- with .Values.gc.serviceAccount.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+{{- end }}
+
+{{- if .Values.worker.serviceAccount.create }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "node-feature-discovery.worker.serviceAccountName" . }}
+ namespace: {{ include "node-feature-discovery.namespace" . }}
+ labels:
+ {{- include "node-feature-discovery.labels" . | nindent 4 }}
+ {{- with .Values.worker.serviceAccount.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+{{- end }}
diff --git a/charts/sriov/103.0.0+up0.1.0/charts/rancher-nfd/templates/topologyupdater-crds.yaml b/charts/sriov/103.0.0+up0.1.0/charts/rancher-nfd/templates/topologyupdater-crds.yaml
new file mode 100644
index 000000000..b6b919689
--- /dev/null
+++ b/charts/sriov/103.0.0+up0.1.0/charts/rancher-nfd/templates/topologyupdater-crds.yaml
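Review bot: The gc ServiceAccount is gated on `.Values.gc.rbac.create` while the master, topology-updater and worker accounts in the same file are gated on their `serviceAccount.create` key, and the values.yaml added in this commit defines `gc.serviceAccount.create: true` that no template in this hunk reads. A user who turns off `gc.rbac.create` to supply their own RBAC objects also loses the account the gc Deployment depends on. If the asymmetry is not deliberate, the condition should read `{{- if and .Values.gc.enable .Values.gc.serviceAccount.create (or .Values.enableNodeFeatureApi .Values.topologyUpdater.enable) }}`; if it is deliberate, a one-line comment above the block saying why gc differs would spare the next reader the same question.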
@@ -0,0 +1,278 @@ +{{- if and .Values.topologyUpdater.enable .Values.topologyUpdater.createCRDs -}} +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes/enhancements/pull/1870 + controller-gen.kubebuilder.io/version: v0.11.2 + creationTimestamp: null + name: noderesourcetopologies.topology.node.k8s.io +spec: + group: topology.node.k8s.io + names: + kind: NodeResourceTopology + listKind: NodeResourceTopologyList + plural: noderesourcetopologies + shortNames: + - node-res-topo + singular: noderesourcetopology + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: NodeResourceTopology describes node resources and their topology. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + topologyPolicies: + items: + type: string + type: array + zones: + description: ZoneList contains an array of Zone objects. + items: + description: Zone represents a resource topology zone, e.g. socket, + node, die or core. + properties: + attributes: + description: AttributeList contains an array of AttributeInfo objects. + items: + description: AttributeInfo contains one attribute of a Zone. 
+ properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + costs: + description: CostList contains an array of CostInfo objects. + items: + description: CostInfo describes the cost (or distance) between + two Zones. + properties: + name: + type: string + value: + format: int64 + type: integer + required: + - name + - value + type: object + type: array + name: + type: string + parent: + type: string + resources: + description: ResourceInfoList contains an array of ResourceInfo + objects. + items: + description: ResourceInfo contains information about one resource + type. + properties: + allocatable: + anyOf: + - type: integer + - type: string + description: Allocatable quantity of the resource, corresponding + to allocatable in node status, i.e. total amount of this + resource available to be used by pods. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + available: + anyOf: + - type: integer + - type: string + description: Available is the amount of this resource currently + available for new (to be scheduled) pods, i.e. Allocatable + minus the resources reserved by currently running pods. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + capacity: + anyOf: + - type: integer + - type: string + description: Capacity of the resource, corresponding to capacity + in node status, i.e. total amount of this resource that + the node has. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + name: + description: Name of the resource. 
+ type: string + required: + - allocatable + - available + - capacity + - name + type: object + type: array + type: + type: string + required: + - name + - type + type: object + type: array + required: + - topologyPolicies + - zones + type: object + served: true + storage: false + - name: v1alpha2 + schema: + openAPIV3Schema: + description: NodeResourceTopology describes node resources and their topology. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + attributes: + description: AttributeList contains an array of AttributeInfo objects. + items: + description: AttributeInfo contains one attribute of a Zone. + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + topologyPolicies: + description: 'DEPRECATED (to be removed in v1beta1): use top level attributes + if needed' + items: + type: string + type: array + zones: + description: ZoneList contains an array of Zone objects. + items: + description: Zone represents a resource topology zone, e.g. socket, + node, die or core. + properties: + attributes: + description: AttributeList contains an array of AttributeInfo objects. + items: + description: AttributeInfo contains one attribute of a Zone. 
+ properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + costs: + description: CostList contains an array of CostInfo objects. + items: + description: CostInfo describes the cost (or distance) between + two Zones. + properties: + name: + type: string + value: + format: int64 + type: integer + required: + - name + - value + type: object + type: array + name: + type: string + parent: + type: string + resources: + description: ResourceInfoList contains an array of ResourceInfo + objects. + items: + description: ResourceInfo contains information about one resource + type. + properties: + allocatable: + anyOf: + - type: integer + - type: string + description: Allocatable quantity of the resource, corresponding + to allocatable in node status, i.e. total amount of this + resource available to be used by pods. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + available: + anyOf: + - type: integer + - type: string + description: Available is the amount of this resource currently + available for new (to be scheduled) pods, i.e. Allocatable + minus the resources reserved by currently running pods. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + capacity: + anyOf: + - type: integer + - type: string + description: Capacity of the resource, corresponding to capacity + in node status, i.e. total amount of this resource that + the node has. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + name: + description: Name of the resource. 
+ type: string + required: + - allocatable + - available + - capacity + - name + type: object + type: array + type: + type: string + required: + - name + - type + type: object + type: array + required: + - zones + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] +{{- end }} diff --git a/charts/sriov/103.0.0+up0.1.0/charts/rancher-nfd/templates/topologyupdater.yaml b/charts/sriov/103.0.0+up0.1.0/charts/rancher-nfd/templates/topologyupdater.yaml new file mode 100644 index 000000000..f51c10e6d --- /dev/null +++ b/charts/sriov/103.0.0+up0.1.0/charts/rancher-nfd/templates/topologyupdater.yaml 
@@ -0,0 +1,156 @@
+{{- if .Values.topologyUpdater.enable -}}
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+ name: {{ include "node-feature-discovery.fullname" . }}-topology-updater
+ namespace: {{ include "node-feature-discovery.namespace" . }}
+ labels:
+ {{- include "node-feature-discovery.labels" . | nindent 4 }}
+ role: topology-updater
+ {{- with .Values.topologyUpdater.daemonsetAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ selector:
+ matchLabels:
+ {{- include "node-feature-discovery.selectorLabels" . | nindent 6 }}
+ role: topology-updater
+ template:
+ metadata:
+ labels:
+ {{- include "node-feature-discovery.selectorLabels" . | nindent 8 }}
+ role: topology-updater
+ {{- with .Values.topologyUpdater.annotations }}
+ annotations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ spec:
+ serviceAccountName: {{ include "node-feature-discovery.topologyUpdater.serviceAccountName" . }}
+ dnsPolicy: ClusterFirstWithHostNet
+ {{- with .Values.imagePullSecrets }}
+ imagePullSecrets:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ securityContext:
+ {{- toYaml .Values.topologyUpdater.podSecurityContext | nindent 8 }}
+ containers:
+ - name: topology-updater
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+ imagePullPolicy: "{{ .Values.image.pullPolicy }}"
+ env:
+ - name: NODE_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.nodeName
+ - name: NODE_ADDRESS
+ valueFrom:
+ fieldRef:
+ fieldPath: status.hostIP
+ command:
+ - "nfd-topology-updater"
+ args:
+ - "-podresources-socket=/host-var/lib/kubelet-podresources/kubelet.sock"
+ {{- if .Values.topologyUpdater.updateInterval | empty | not }}
+ - "-sleep-interval={{ .Values.topologyUpdater.updateInterval }}"
+ {{- else }}
+ - "-sleep-interval=3s"
+ {{- end }}
+ {{- if .Values.topologyUpdater.watchNamespace | empty | not }}
+ - "-watch-namespace={{ .Values.topologyUpdater.watchNamespace }}"
+ {{- else }}
+ - "-watch-namespace=*"
+ {{- end }}
+ {{- if .Values.tls.enable }}
+ - "-ca-file=/etc/kubernetes/node-feature-discovery/certs/ca.crt"
+ - "-key-file=/etc/kubernetes/node-feature-discovery/certs/tls.key"
+ - "-cert-file=/etc/kubernetes/node-feature-discovery/certs/tls.crt"
+ {{- end }}
+ {{- if .Values.topologyUpdater.podSetFingerprint }}
+ - "-pods-fingerprint"
+ {{- end }}
+ {{- if .Values.topologyUpdater.kubeletConfigPath | empty | not }}
+ - "-kubelet-config-uri=file:///host-var/kubelet-config"
+ {{- end }}
+ {{- if .Values.topologyUpdater.kubeletStateDir | empty }}
+ # Disable kubelet state tracking by giving an empty path
+ - "-kubelet-state-dir="
+ {{- end }}
+ - -metrics={{ .Values.topologyUpdater.metricsPort | default "8081"}}
+ ports:
+ - name: metrics
+ containerPort: {{ .Values.topologyUpdater.metricsPort | default "8081"}}
+ volumeMounts:
+ {{- if .Values.topologyUpdater.kubeletConfigPath | empty | not }}
+ - name: kubelet-config
+ mountPath: /host-var/kubelet-config
+ {{- end }}
+ - name: kubelet-podresources-sock
+ mountPath: /host-var/lib/kubelet-podresources/kubelet.sock
+ - name: host-sys
+ mountPath: /host-sys
+ {{- if .Values.topologyUpdater.kubeletStateDir | empty | not }}
+ - name: kubelet-state-files
+ mountPath: /host-var/lib/kubelet
+ readOnly: true
+ {{- end }}
+ {{- if .Values.tls.enable }}
+ - name: nfd-topology-updater-cert
+ mountPath: "/etc/kubernetes/node-feature-discovery/certs"
+ readOnly: true
+ {{- end }}
+ - name: nfd-topology-updater-conf
+ mountPath: "/etc/kubernetes/node-feature-discovery"
+ readOnly: true
+
+ resources:
+ {{- toYaml .Values.topologyUpdater.resources | nindent 12 }}
+ securityContext:
+ {{- toYaml .Values.topologyUpdater.securityContext | nindent 12 }}
+ volumes:
+ - name: host-sys
+ hostPath:
+ path: "/sys"
+ {{- if .Values.topologyUpdater.kubeletConfigPath | empty | not }}
+ - name: kubelet-config
+ hostPath:
+ path: {{ .Values.topologyUpdater.kubeletConfigPath }}
+ {{- end }}
+ - name: kubelet-podresources-sock
+ hostPath:
+ {{- if .Values.topologyUpdater.kubeletPodResourcesSockPath | empty | not }}
+ path: {{ .Values.topologyUpdater.kubeletPodResourcesSockPath }}
+ {{- else }}
+ path: /var/lib/kubelet/pod-resources/kubelet.sock
+ {{- end }}
+ {{- if .Values.topologyUpdater.kubeletStateDir | empty | not }}
+ - name: kubelet-state-files
+ hostPath:
+ path: {{ .Values.topologyUpdater.kubeletStateDir }}
+ {{- end }}
+ - name: nfd-topology-updater-conf
+ configMap:
+ name: {{ include "node-feature-discovery.fullname" . }}-topology-updater-conf
+ items:
+ - key: nfd-topology-updater.conf
+ path: nfd-topology-updater.conf
+ {{- if .Values.tls.enable }}
+ - name: nfd-topology-updater-cert
+ secret:
+ secretName: nfd-topology-updater-cert
+ {{- end }}
+
+
+ {{- with .Values.topologyUpdater.nodeSelector }}
+ nodeSelector:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.topologyUpdater.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.topologyUpdater.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+{{- end }}
diff --git a/charts/sriov/103.0.0+up0.1.0/charts/rancher-nfd/templates/worker.yaml b/charts/sriov/103.0.0+up0.1.0/charts/rancher-nfd/templates/worker.yaml
new file mode 100644
index 000000000..0e56eb5d1
--- /dev/null
+++ b/charts/sriov/103.0.0+up0.1.0/charts/rancher-nfd/templates/worker.yaml
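Review bot: The `host-sys` volumeMount (`mountPath: /host-sys`) carries no `readOnly: true`, unlike the `kubelet-state-files`, cert and conf mounts beside it and unlike the worker DaemonSet in this commit, which mounts the same `/sys` hostPath read-only; the values.yaml added here gives this container `runAsUser: 0`, so a writable sysfs is a write path into the host from a root process. If the updater only reads topology data from sysfs, as the worker's mount suggests, add `readOnly: true` under `mountPath: /host-sys`. Separately, `- -metrics={{ .Values.topologyUpdater.metricsPort | default "8081"}}` is the one unquoted entry in `args` while every other flag in the list is double-quoted; quoting it would match the rest of the list.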
@@ -0,0 +1,152 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+ name: {{ include "node-feature-discovery.fullname" . }}-worker
+ namespace: {{ include "node-feature-discovery.namespace" . }}
+ labels:
+ {{- include "node-feature-discovery.labels" . | nindent 4 }}
+ role: worker
+ {{- with .Values.worker.daemonsetAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ selector:
+ matchLabels:
+ {{- include "node-feature-discovery.selectorLabels" . | nindent 6 }}
+ role: worker
+ template:
+ metadata:
+ labels:
+ {{- include "node-feature-discovery.selectorLabels" . | nindent 8 }}
+ role: worker
+ {{- with .Values.worker.annotations }}
+ annotations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ spec:
+ dnsPolicy: ClusterFirstWithHostNet
+ {{- with .Values.imagePullSecrets }}
+ imagePullSecrets:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ serviceAccountName: {{ include "node-feature-discovery.worker.serviceAccountName" . }}
+ securityContext:
+ {{- toYaml .Values.worker.podSecurityContext | nindent 8 }}
+ containers:
+ - name: worker
+ securityContext:
+ {{- toYaml .Values.worker.securityContext | nindent 12 }}
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ env:
+ - name: NODE_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.nodeName
+ resources:
+ {{- toYaml .Values.worker.resources | nindent 12 }}
+ command:
+ - "nfd-worker"
+ args:
+ - "-server={{ include "node-feature-discovery.fullname" . }}-master:{{ .Values.master.service.port }}"
+ {{- if not .Values.enableNodeFeatureApi }}
+ - "-enable-nodefeature-api=false"
+ {{- end }}
+{{- if .Values.tls.enable }}
+ - "-ca-file=/etc/kubernetes/node-feature-discovery/certs/ca.crt"
+ - "-key-file=/etc/kubernetes/node-feature-discovery/certs/tls.key"
+ - "-cert-file=/etc/kubernetes/node-feature-discovery/certs/tls.crt"
+{{- end }}
+ - "-metrics={{ .Values.worker.metricsPort | default "8081"}}"
+ ports:
+ - name: metrics
+ containerPort: {{ .Values.worker.metricsPort | default "8081"}}
+ volumeMounts:
+ - name: host-boot
+ mountPath: "/host-boot"
+ readOnly: true
+ - name: host-os-release
+ mountPath: "/host-etc/os-release"
+ readOnly: true
+ - name: host-sys
+ mountPath: "/host-sys"
+ readOnly: true
+ - name: host-usr-lib
+ mountPath: "/host-usr/lib"
+ readOnly: true
+ - name: host-lib
+ mountPath: "/host-lib"
+ readOnly: true
+ {{- if .Values.worker.mountUsrSrc }}
+ - name: host-usr-src
+ mountPath: "/host-usr/src"
+ readOnly: true
+ {{- end }}
+ - name: source-d
+ mountPath: "/etc/kubernetes/node-feature-discovery/source.d/"
+ readOnly: true
+ - name: features-d
+ mountPath: "/etc/kubernetes/node-feature-discovery/features.d/"
+ readOnly: true
+ - name: nfd-worker-conf
+ mountPath: "/etc/kubernetes/node-feature-discovery"
+ readOnly: true
+{{- if .Values.tls.enable }}
+ - name: nfd-worker-cert
+ mountPath: "/etc/kubernetes/node-feature-discovery/certs"
+ readOnly: true
+{{- end }}
+ volumes:
+ - name: host-boot
+ hostPath:
+ path: "/boot"
+ - name: host-os-release
+ hostPath:
+ path: "/etc/os-release"
+ - name: host-sys
+ hostPath:
+ path: "/sys"
+ - name: host-usr-lib
+ hostPath:
+ path: "/usr/lib"
+ - name: host-lib
+ hostPath:
+ path: "/lib"
+ {{- if .Values.worker.mountUsrSrc }}
+ - name: host-usr-src
+ hostPath:
+ path: "/usr/src"
+ {{- end }}
+ - name: source-d
+ hostPath:
+ path: "/etc/kubernetes/node-feature-discovery/source.d/"
+ - name: features-d
+ hostPath:
+ path: "/etc/kubernetes/node-feature-discovery/features.d/"
+ - name: nfd-worker-conf
+ configMap:
+ name: {{ include "node-feature-discovery.fullname" . }}-worker-conf
+ items:
+ - key: nfd-worker.conf
+ path: nfd-worker.conf
+{{- if .Values.tls.enable }}
+ - name: nfd-worker-cert
+ secret:
+ secretName: nfd-worker-cert
+{{- end }}
+ {{- with .Values.worker.nodeSelector }}
+ nodeSelector:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.worker.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.worker.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.worker.priorityClassName }}
+ priorityClassName: {{ . | quote }}
+ {{- end }}
diff --git a/charts/sriov/103.0.0+up0.1.0/charts/rancher-nfd/values.yaml b/charts/sriov/103.0.0+up0.1.0/charts/rancher-nfd/values.yaml
new file mode 100644
index 000000000..c3f372c79
--- /dev/null
+++ b/charts/sriov/103.0.0+up0.1.0/charts/rancher-nfd/values.yaml
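Review bot: `imagePullPolicy: {{ .Values.image.pullPolicy }}` is the only unquoted use of that value in these templates — gc.yaml and topologyupdater.yaml in this commit write `imagePullPolicy: "{{ .Values.image.pullPolicy }}"` — and the three `{{- if .Values.tls.enable }}` / `{{- end }}` guards sit at column 0 while the same guards in topologyupdater.yaml are indented with the list they wrap. Both forms render the same manifest with the shipped values, so this is consistency rather than correctness; quoting the policy and indenting the guards would make the three pod templates read alike.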
@@ -0,0 +1,513 @@
+image:
+ repository: rancher/hardened-node-feature-discovery
+ # This should be set to 'IfNotPresent' for released version
+ pullPolicy: IfNotPresent
+ # tag, if defined will use the given image tag, else Chart.AppVersion will be used
+ tag: v0.14.1-build20230926
+imagePullSecrets: []
+
+nameOverride: ""
+fullnameOverride: ""
+namespaceOverride: ""
+
+enableNodeFeatureApi: true
+
+master:
+ config: ###
+ # noPublish: false
+ # extraLabelNs: ["added.ns.io","added.kubernets.io"]
+ # denyLabelNs: ["denied.ns.io","denied.kubernetes.io"]
+ # resourceLabels: ["vendor-1.com/feature-1","vendor-2.io/feature-2"]
+ # enableTaints: false
+ # labelWhiteList: "foo"
+ # resyncPeriod: "2h"
+ # klog:
+ # addDirHeader: false
+ # alsologtostderr: false
+ # logBacktraceAt:
+ # logtostderr: true
+ # skipHeaders: false
+ # stderrthreshold: 2
+ # v: 0
+ # vmodule:
+ ## NOTE: the following options are not dynamically run-time configurable
+ ## and require a nfd-master restart to take effect after being changed
+ # logDir:
+ # logFile:
+ # logFileMaxSize: 1800
+ # skipLogHeaders: false
+ # leaderElection:
+ # leaseDuration: 15s
+ # # this value has to be lower than leaseDuration and greater than retryPeriod*1.2
+ # renewDeadline: 10s
+ # # this value has to be greater than 0
+ # retryPeriod: 2s
+ # nfdApiParallelism: 10
+ ###
+ # The TCP port that nfd-master listens for incoming requests. Default: 8080
+ port: 8080
+ metricsPort: 8081
+ instance:
+ featureApi:
+ resyncPeriod:
+ denyLabelNs: []
+ extraLabelNs: []
+ resourceLabels: []
+ enableTaints: false
+ crdController: null
+ featureRulesController: null
+ nfdApiParallelism: null
+ deploymentAnnotations: {}
+ replicaCount: 1
+
+ podSecurityContext: {}
+ # fsGroup: 2000
+
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop: [ "ALL" ]
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ # runAsUser: 1000
+
+ serviceAccount:
+ # Specifies whether a service account should be created
+ create: true
+ # Annotations to add to the service account
+ annotations: {}
+ # The name of the service account to use.
+ # If not set and create is true, a name is generated using the fullname template
+ name:
+
+ rbac:
+ create: true
+
+ service:
+ type: ClusterIP
+ port: 8080
+
+ resources: {}
+ # We usually recommend not to specify default resources and to leave this as a conscious
+ # choice for the user. This also increases chances charts run on environments with little
+ # resources, such as Minikube. If you do want to specify resources, uncomment the following
+ # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+ # limits:
+ # cpu: 100m
+ # memory: 128Mi
+ # requests:
+ # cpu: 100m
+ # memory: 128Mi
+
+ nodeSelector: {}
+
+ tolerations:
+ - key: "node-role.kubernetes.io/master"
+ operator: "Equal"
+ value: ""
+ effect: "NoSchedule"
+ - key: "node-role.kubernetes.io/control-plane"
+ operator: "Equal"
+ value: ""
+ effect: "NoSchedule"
+
+ annotations: {}
+
+ affinity:
+ nodeAffinity:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 1
+ preference:
+ matchExpressions:
+ - key: "node-role.kubernetes.io/master"
+ operator: In
+ values: [""]
+ - weight: 1
+ preference:
+ matchExpressions:
+ - key: "node-role.kubernetes.io/control-plane"
+ operator: In
+ values: [""]
+
+worker:
+ config: ###
+ #core:
+ # labelWhiteList:
+ # noPublish: false
+ # sleepInterval: 60s
+ # featureSources: [all]
+ # labelSources: [all]
+ # klog:
+ # addDirHeader: false
+ # alsologtostderr: false
+ # logBacktraceAt:
+ # logtostderr: true
+ # skipHeaders: false
+ # stderrthreshold: 2
+ # v: 0
+ # vmodule:
+ ## NOTE: the following options are not dynamically run-time configurable
+ ## and require a nfd-worker restart to take effect after being changed
+ # logDir:
+ # logFile:
+ # logFileMaxSize: 1800
+ # skipLogHeaders: false
+ #sources:
+ # cpu:
+ # cpuid:
+ ## NOTE: whitelist has priority over blacklist
+ # attributeBlacklist:
+ # - "BMI1"
+ # - "BMI2"
+ # - "CLMUL"
+ # - "CMOV"
+ # - "CX16"
+ # - "ERMS"
+ # - "F16C"
+ # - "HTT"
+ # - "LZCNT"
+ # - "MMX"
+ # - "MMXEXT"
+ # - "NX"
+ # - "POPCNT"
+ # - "RDRAND"
+ # - "RDSEED"
+ # - "RDTSCP"
+ # - "SGX"
+ # - "SSE"
+ # - "SSE2"
+ # - "SSE3"
+ # - "SSE4"
+ # - "SSE42"
+ # - "SSSE3"
+ # - "TDX_GUEST"
+ # attributeWhitelist:
+ # kernel:
+ # kconfigFile: "/path/to/kconfig"
+ # configOpts:
+ # - "NO_HZ"
+ # - "X86"
+ # - "DMI"
+ # pci:
+ # deviceClassWhitelist:
+ # - "0200"
+ # - "03"
+ # - "12"
+ # deviceLabelFields:
+ # - "class"
+ # - "vendor"
+ # - "device"
+ # - "subsystem_vendor"
+ # - "subsystem_device"
+ # usb:
+ # deviceClassWhitelist:
+ # - "0e"
+ # - "ef"
+ # - "fe"
+ # - "ff"
+ # deviceLabelFields:
+ # - "class"
+ # - "vendor"
+ # - "device"
+ # local:
+ # hooksEnabled: false
+ # custom:
+ # # The following feature demonstrates the capabilities of the matchFeatures
+ # - name: "my custom rule"
+ # labels:
+ # my-ng-feature: "true"
+ # # matchFeatures implements a logical AND over all matcher terms in the
+ # # list (i.e. all of the terms, or per-feature matchers, must match)
+ # matchFeatures:
+ # - feature: cpu.cpuid
+ # matchExpressions:
+ # AVX512F: {op: Exists}
+ # - feature: cpu.cstate
+ # matchExpressions:
+ # enabled: {op: IsTrue}
+ # - feature: cpu.pstate
+ # matchExpressions:
+ # no_turbo: {op: IsFalse}
+ # scaling_governor: {op: In, value: ["performance"]}
+ # - feature: cpu.rdt
+ # matchExpressions:
+ # RDTL3CA: {op: Exists}
+ # - feature: cpu.sst
+ # matchExpressions:
+ # bf.enabled: {op: IsTrue}
+ # - feature: cpu.topology
+ # matchExpressions:
+ # hardware_multithreading: {op: IsFalse}
+ #
+ # - feature: kernel.config
+ # matchExpressions:
+ # X86: {op: Exists}
+ # LSM: {op: InRegexp, value: ["apparmor"]}
+ # - feature: kernel.loadedmodule
+ # matchExpressions:
+ # e1000e: {op: Exists}
+ # - feature: kernel.selinux
+ # matchExpressions:
+ # enabled: {op: IsFalse}
+ # - feature: kernel.version
+ # matchExpressions:
+ # major: {op: In, value: ["5"]}
+ # minor: {op: Gt, value: ["10"]}
+ #
+ # - feature: storage.block
+ # matchExpressions:
+ # rotational: {op: In, value: ["0"]}
+ # dax: {op: In, value: ["0"]}
+ #
+ # - feature: network.device
+ # matchExpressions:
+ # operstate: {op: In, value: ["up"]}
+ # speed: {op: Gt, value: ["100"]}
+ #
+ # - feature: memory.numa
+ # matchExpressions:
+ # node_count: {op: Gt, value: ["2"]}
+ # - feature: memory.nv
+ # matchExpressions:
+ # devtype: {op: In, value: ["nd_dax"]}
+ # mode: {op: In, value: ["memory"]}
+ #
+ # - feature: system.osrelease
+ # matchExpressions:
+ # ID: {op: In, value: ["fedora", "centos"]}
+ # - feature: system.name
+ # matchExpressions:
+ # nodename: {op: InRegexp, value: ["^worker-X"]}
+ #
+ # - feature: local.label
+ # matchExpressions:
+ # custom-feature-knob: {op: Gt, value: ["100"]}
+ #
+ # # The following feature demonstrates the capabilities of the matchAny
+ # - name: "my matchAny rule"
+ # labels:
+ # my-ng-feature-2: "my-value"
+ # # matchAny implements a logical IF over all elements (sub-matchers) in
+ # # the list (i.e. at least one feature matcher must match)
+ # matchAny:
+ # - matchFeatures:
+ # - feature: kernel.loadedmodule
+ # matchExpressions:
+ # driver-module-X: {op: Exists}
+ # - feature: pci.device
+ # matchExpressions:
+ # vendor: {op: In, value: ["8086"]}
+ # class: {op: In, value: ["0200"]}
+ # - matchFeatures:
+ # - feature: kernel.loadedmodule
+ # matchExpressions:
+ # driver-module-Y: {op: Exists}
+ # - feature: usb.device
+ # matchExpressions:
+ # vendor: {op: In, value: ["8086"]}
+ # class: {op: In, value: ["02"]}
+ #
+ # # The following features demonstreate label templating capabilities
+ # - name: "my template rule"
+ # labelsTemplate: |
+ # {{ range .system.osrelease }}my-system-feature.{{ .Name }}={{ .Value }}
+ # {{ end }}
+ # matchFeatures:
+ # - feature: system.osrelease
+ # matchExpressions:
+ # ID: {op: InRegexp, value: ["^open.*"]}
+ # VERSION_ID.major: {op: In, value: ["13", "15"]}
+ #
+ # - name: "my template rule 2"
+ # labelsTemplate: |
+ # {{ range .pci.device }}my-pci-device.{{ .class }}-{{ .device }}=with-cpuid
+ # {{ end }}
+ # matchFeatures:
+ # - feature: pci.device
+ # matchExpressions:
+ # class: {op: InRegexp, value: ["^06"]}
+ # vendor: ["8086"]
+ # - feature: cpu.cpuid
+ # matchExpressions:
+ # AVX: {op: Exists}
+ #
+ # # The following examples demonstrate vars field and back-referencing
+ # # previous labels and vars
+ # - name: "my dummy kernel rule"
+ # labels:
+ # "my.kernel.feature": "true"
+ # matchFeatures:
+ # - feature: kernel.version
+ # matchExpressions:
+ # major: {op: Gt, value: ["2"]}
+ #
+ # - name: "my dummy rule with no labels"
+ # vars:
+ # "my.dummy.var": "1"
+ # matchFeatures:
+ # - feature: cpu.cpuid
+ # matchExpressions: {}
+ #
+ # - name: "my rule using backrefs"
+ # labels:
+ # "my.backref.feature": "true"
+ # matchFeatures:
+ # - feature: rule.matched
+ # matchExpressions:
+ # my.kernel.feature: {op: IsTrue}
+ # my.dummy.var: {op: Gt, value: ["0"]}
+ #
+###
+
+ metricsPort: 8081
+ daemonsetAnnotations: {}
+ podSecurityContext: {}
+ # fsGroup: 2000
+
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop: [ "ALL" ]
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ # runAsUser: 1000
+
+ serviceAccount:
+ # Specifies whether a service account should be created.
+ # We create this by default to make it easier for downstream users to apply PodSecurityPolicies.
+ create: true
+ # Annotations to add to the service account
+ annotations: {}
+ # The name of the service account to use.
+ # If not set and create is true, a name is generated using the fullname template
+ name:
+
+ rbac:
+ create: true
+
+ # Allow users to mount the hostPath /usr/src, useful for RHCOS on s390x
+ # Does not work on systems without /usr/src AND a read-only /usr, such as Talos
+ mountUsrSrc: false
+
+ resources: {}
+ # We usually recommend not to specify default resources and to leave this as a conscious
+ # choice for the user. This also increases chances charts run on environments with little
+ # resources, such as Minikube. If you do want to specify resources, uncomment the following
+ # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+ # limits:
+ # cpu: 100m
+ # memory: 128Mi
+ # requests:
+ # cpu: 100m
+ # memory: 128Mi
+
+ nodeSelector: {}
+
+ tolerations: []
+
+ annotations: {}
+
+ affinity: {}
+
+ priorityClassName: ""
+
+topologyUpdater:
+ config: ###
+ ## key = node name, value = list of resources to be excluded.
+ ## use * to exclude from all nodes.
+ ## an example for how the exclude list should looks like
+ #excludeList:
+ # node1: [cpu]
+ # node2: [memory, example/deviceA]
+ # *: [hugepages-2Mi]
+###
+
+ enable: false
+ createCRDs: false
+
+ serviceAccount:
+ create: true
+ annotations: {}
+ name:
+ rbac:
+ create: true
+
+ metricsPort: 8081
+ kubeletConfigPath:
+ kubeletPodResourcesSockPath:
+ updateInterval: 60s
+ watchNamespace: "*"
+ kubeletStateDir: /var/lib/kubelet
+
+ podSecurityContext: {}
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop: [ "ALL" ]
+ readOnlyRootFilesystem: true
+ runAsUser: 0
+
+ resources: {}
+ # We usually recommend not to specify default resources and to leave this as a conscious
+ # choice for the user. This also increases chances charts run on environments with little
+ # resources, such as Minikube. If you do want to specify resources, uncomment the following
+ # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+ # limits:
+ # cpu: 100m
+ # memory: 128Mi
+ # requests:
+ # cpu: 100m
+ # memory: 128Mi
+
+ nodeSelector: {}
+ tolerations: []
+ annotations: {}
+ daemonsetAnnotations: {}
+ affinity: {}
+ podSetFingerprint: true
+
+gc:
+ enable: true
+ replicaCount: 1
+
+ serviceAccount:
+ create: true
+ annotations: {}
+ name:
+ rbac:
+ create: true
+
+ interval: 1h
+
+ podSecurityContext: {}
+
+ resources: {}
+ # We usually recommend not to specify default resources and to leave this as a conscious
+ # choice for the user. This also increases chances charts run on environments with little
+ # resources, such as Minikube. If you do want to specify resources, uncomment the following
+ # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+ # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + + nodeSelector: {} + tolerations: [] + annotations: {} + deploymentAnnotations: {} + affinity: {} + +# Optionally use encryption for worker <--> master comms +# TODO: verify hostname is not yet supported +# +# If you do not enable certManager (and have it installed) you will +# need to manually, or otherwise, provision the TLS certs as secrets +tls: + enable: false + certManager: false + +prometheus: + enable: false + labels: {} diff --git a/charts/sriov/103.0.0+up0.1.0/templates/NOTES.txt b/charts/sriov/103.0.0+up0.1.0/templates/NOTES.txt new file mode 100644 index 000000000..44a8bf935 --- /dev/null +++ b/charts/sriov/103.0.0+up0.1.0/templates/NOTES.txt @@ -0,0 +1,17 @@ +Get Network Operator deployed resources by running the following commands: + +$ kubectl -n {{ .Release.Namespace }} get pods + +For additional instructions on how to use SR-IOV network operator, +refer to: https://github.com/k8snetworkplumbingwg/sriov-network-operator + +{{- if .Values.operator.enableAdmissionController }} +{{- if not .Values.cert_manager }} +Thank you for installing {{ .Chart.Name }}. + +WARNING! Self signed certificates have been generated for webhooks. +These certificates have a one-year validity and will not be rotated +automatically. This should not be a production cluster. Please deploy +and use cert-manager for production clusters. +{{- end }} +{{- end }} diff --git a/charts/sriov/103.0.0+up0.1.0/templates/_helpers.tpl b/charts/sriov/103.0.0+up0.1.0/templates/_helpers.tpl new file mode 100644 index 000000000..dff1d171f --- /dev/null +++ b/charts/sriov/103.0.0+up0.1.0/templates/_helpers.tpl 
@@ -0,0 +1,85 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "sriov-network-operator.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "sriov-network-operator.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "sriov-network-operator.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "sriov-network-operator.labels" -}} +helm.sh/chart: {{ include "sriov-network-operator.chart" . }} +{{ include "sriov-network-operator.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "sriov-network-operator.selectorLabels" -}} +app.kubernetes.io/name: {{ include "sriov-network-operator.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "sriov-network-operator.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "sriov-network-operator.fullname" .) 
.Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} + +{{- define "system_default_registry" -}} +{{- if .Values.global.cattle.systemDefaultRegistry -}} +{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}} +{{- else -}} +{{- "" -}} +{{- end -}} +{{- end -}} + +{{/* +Windows cluster will add default taint for linux nodes, +add below linux tolerations to workloads could be scheduled to those linux nodes +*/}} +{{- define "linux-node-tolerations" -}} +- key: "cattle.io/os" + value: "linux" + effect: "NoSchedule" + operator: "Equal" +{{- end -}} + +{{- define "linux-node-selector" -}} +kubernetes.io/os: linux +{{- end -}} diff --git a/charts/sriov/103.0.0+up0.1.0/templates/_webhook-certs.tpl b/charts/sriov/103.0.0+up0.1.0/templates/_webhook-certs.tpl new file mode 100644 index 000000000..f1448968b --- /dev/null +++ b/charts/sriov/103.0.0+up0.1.0/templates/_webhook-certs.tpl 
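Review bot: The `sriov-network-operator.serviceAccountName` helper reads `.Values.serviceAccount.create` and `.Values.serviceAccount.name`, but values.yaml in this commit defines no `serviceAccount` key, and operator.yaml, serviceaccount.yaml and clusterrolebinding.yaml all name the service account via `sriov-network-operator.fullname` directly, so the helper is never used and would presumably fail at render time on the missing map if someone did include it. Either delete the define, or add `serviceAccount: {create: true, name: ""}` to values.yaml and route the three templates through the helper so `serviceAccount.create: false` actually works. Until then, a one-line header such as `{{/* Unused: the operator SA is always named via fullname (see serviceaccount.yaml); values.yaml has no serviceAccount block */}}` would keep the next maintainer from wiring it in unchanged.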
@@ -0,0 +1,31 @@
+{{/*
+Generate TLS certificates for webhooks.
+Note: these 2 lines, that are repeated several times below, are a trick to
+ensure the CA certs are generated only once:
+ $ca := .ca | default (genCA "sriov-network-operator.k8s.cni.cncf.io" 365)
+ $_ := set . "ca" $ca
+Please, don't try to "simplify" them as without this trick, every generated
+certificate would be signed by a different CA.
+*/}}
+{{- define "sriov_operator_ca_cert" }}
+{{- $ca := .ca | default (genCA "sriov-network-operator.k8s.cni.cncf.io" 365) -}}
+{{- $_ := set . "ca" $ca -}}
+{{- printf "%s" $ca.Cert | b64enc -}}
+{{- end }}
+{{- define "sriov_operator_cert" }}
+{{- $ca := .ca | default (genCA "sriov-network-operator.k8s.cni.cncf.io" 365) -}}
+{{- $_ := set . "ca" $ca -}}
+{{- $cn := printf "operator-webhook-service.%s.svc" .Release.Namespace -}}
+{{- $cert := genSignedCert $cn nil (list $cn) 365 $ca -}}
+tls.crt: {{ $cert.Cert | b64enc }}
+tls.key: {{ $cert.Key | b64enc }}
+{{- end }}
+{{- define "sriov_resource_injector_cert" }}
+{{- $ca := .ca | default (genCA "sriov-network-operator.k8s.cni.cncf.io" 365) -}}
+{{- $_ := set . "ca" $ca -}}
+{{- $cn := printf "network-resources-injector-service.%s.svc" .Release.Namespace -}}
+{{- $cert := genSignedCert $cn nil (list $cn) 365 $ca -}}
+tls.crt: {{ $cert.Cert | b64enc }}
+tls.key: {{ $cert.Key | b64enc }}
+{{- end }}
+
diff --git a/charts/sriov/103.0.0+up0.1.0/templates/certmanagercerts.yaml b/charts/sriov/103.0.0+up0.1.0/templates/certmanagercerts.yaml
new file mode 100644
index 000000000..e3575aa56
--- /dev/null
+++ b/charts/sriov/103.0.0+up0.1.0/templates/certmanagercerts.yaml
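Review bot: Every render starts with `.ca` unset, so each `helm upgrade` (or any re-render by the Rancher catalog) mints a brand-new CA and two new leaf keypairs; the webhook Secrets and the `WEBHOOK_CA_BUNDLE` env in operator.yaml therefore change on every upgrade, and the private keys end up in Helm's release record as well as in the Secrets. The `set . "ca"` trick only makes the three defines agree within one render, and the 365-day validity has no renewal path, which NOTES.txt warns about but this header does not. If the install path supports it, seeding the CA from the existing Secret before falling back to `genCA` (for example `{{- $existing := lookup "v1" "Secret" .Release.Namespace "operator-webhook-service" -}}`) would stop the per-upgrade rotation; note that `lookup` returns an empty map under `helm template` and `--dry-run`, so the fallback must stay. At minimum, extend the header comment with a sentence stating that the CA and keys are regenerated on every upgrade and expire after 365 days with no automatic renewal.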
@@ -0,0 +1,41 @@ +{{- if and (.Values.operator.enableAdmissionController) (.Values.cert_manager) -}} +{{- if not (.Capabilities.APIVersions.Has "cert-manager.io/v1") -}} +{{- required "cert-manager is required but not found" "" -}} +{{- end -}} +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: sriov-network-operator-selfsigned-issuer + namespace: {{ .Release.Namespace }} +spec: + selfSigned: {} +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: operator-webhook-service + namespace: {{ .Release.Namespace }} +spec: + secretName: operator-webhook-service + dnsNames: + - operator-webhook-service.{{ .Release.Namespace }}.svc + issuerRef: + name: sriov-network-operator-selfsigned-issuer + privateKey: + rotationPolicy: Always +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: network-resources-injector-service + namespace: {{ .Release.Namespace }} +spec: + secretName: network-resources-injector-secret + dnsNames: + - network-resources-injector-service.{{ .Release.Namespace }}.svc + issuerRef: + name: sriov-network-operator-selfsigned-issuer + privateKey: + rotationPolicy: Always +{{- end -}} + diff --git a/charts/sriov/103.0.0+up0.1.0/templates/clusterrole.yaml b/charts/sriov/103.0.0+up0.1.0/templates/clusterrole.yaml new file mode 100644 index 000000000..da327471f --- /dev/null +++ b/charts/sriov/103.0.0+up0.1.0/templates/clusterrole.yaml 
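Review bot: Both Certificates are issued straight from a `selfSigned` Issuer, so each leaf is its own trust anchor; with `rotationPolicy: Always` and cert-manager's default duration every renewal changes the certificate the API server must trust, and nothing in this chunk shows how that bundle reaches the webhook configurations in the cert_manager path (operator.yaml only sets `WEBHOOK_CA_BUNDLE` when `cert_manager` is false). The usual shape is selfSigned Issuer → CA Certificate (`isCA: true`) → CA Issuer, so the CA stays stable across leaf rotations and can be injected with `cert-manager.io/inject-ca-from` on the webhook configurations. Also, `.Capabilities.APIVersions.Has "cert-manager.io/v1"` is empty under `helm template` without `--api-versions`, so the `required` guard will presumably fail offline renders even when cert-manager is installed; worth a comment on that line.

```yaml
# … unchanged: sriov-network-operator-selfsigned-issuer …
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: sriov-network-operator-ca
  namespace: {{ .Release.Namespace }}
spec:
  isCA: true
  commonName: sriov-network-operator.k8s.cni.cncf.io
  secretName: sriov-network-operator-ca
  issuerRef:
    name: sriov-network-operator-selfsigned-issuer
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: sriov-network-operator-ca-issuer
  namespace: {{ .Release.Namespace }}
spec:
  ca:
    secretName: sriov-network-operator-ca
# … unchanged: the two leaf Certificates, with issuerRef.name pointing at sriov-network-operator-ca-issuer …
```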
@@ -0,0 +1,109 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "sriov-network-operator.fullname" . }} + labels: + {{- include "sriov-network-operator.labels" . | nindent 4 }} +rules: + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get", "list", "watch", "patch", "update"] + - apiGroups: [""] + resources: ["pods"] + verbs: ["*"] + - apiGroups: ["apps"] + resources: ["daemonsets"] + verbs: ["get"] + - apiGroups: [""] + resources: ["namespaces", "serviceaccounts"] + verbs: ["*"] + - apiGroups: ["k8s.cni.cncf.io"] + resources: ["network-attachment-definitions"] + verbs: ["*"] + - apiGroups: ["rbac.authorization.k8s.io"] + resources: ["clusterroles", "clusterrolebindings"] + verbs: ["*"] + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"] + verbs: ["*"] + - apiGroups: ["sriovnetwork.openshift.io"] + resources: ["*"] + verbs: ["*"] + - apiGroups: ["machineconfiguration.openshift.io"] + resources: ["*"] + verbs: ["*"] + - apiGroups: ["config.openshift.io"] + resources: ["infrastructures"] + verbs: ["get", "list", "watch"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: sriov-network-config-daemon + labels: + {{- include "sriov-network-operator.labels" . 
| nindent 4 }} +rules: + - apiGroups: [""] + resources: ["nodes"] + verbs: ["get", "list", "watch", "patch", "update"] + - apiGroups: [""] + resources: ["pods"] + verbs: ["*"] + - apiGroups: ["apps"] + resources: ["daemonsets"] + verbs: ["get"] + - apiGroups: [""] + resources: ["pods/eviction"] + verbs: ["create"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: sriov-admin + {{- if .Values.global.rbac.userRoles.aggregateToDefaultRoles }} + rbac.authorization.k8s.io/aggregate-to-admin: "true" + {{- end }} +rules: +- apiGroups: + - sriovnetwork.openshift.io + resources: + - '*' + verbs: + - "get" + - "watch" + - "list" +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: sriov-edit + {{- if .Values.global.rbac.userRoles.aggregateToDefaultRoles }} + rbac.authorization.k8s.io/aggregate-to-edit: "true" + {{- end }} +rules: +- apiGroups: + - sriovnetwork.openshift.io + resources: + - '*' + verbs: + - "get" + - "watch" + - "list" +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: sriov-view + {{- if .Values.global.rbac.userRoles.aggregateToDefaultRoles }} + rbac.authorization.k8s.io/aggregate-to-view: "true" + {{- end }} +rules: +- apiGroups: + - sriovnetwork.openshift.io + resources: + - '*' + verbs: + - "get" + - "watch" + - "list" + diff --git a/charts/sriov/103.0.0+up0.1.0/templates/clusterrolebinding.yaml b/charts/sriov/103.0.0+up0.1.0/templates/clusterrolebinding.yaml new file mode 100644 index 000000000..c10aa9be7 --- /dev/null +++ b/charts/sriov/103.0.0+up0.1.0/templates/clusterrolebinding.yaml 
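Review bot: The operator ClusterRole grants `verbs: ["*"]` on `clusterroles` and `clusterrolebindings` (and on `namespaces`, `serviceaccounts` and `pods` cluster-wide); `*` on RBAC objects includes `bind` and `escalate`, so the operator service account can grant itself any permission and is effectively cluster-admin. Enumerate the verbs the operator actually needs, e.g. `verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]`, so the API server's escalation check still applies, and scope the `namespaces`/`serviceaccounts` grants the same way. Separately, the `rbac.authorization.k8s.io/aggregate-to-admin|edit|view` labels on `sriov-admin`, `sriov-edit` and `sriov-view` sit directly under `metadata:` with no `labels:` key, so as rendered they are unknown fields and the aggregation never takes effect when `aggregateToDefaultRoles` is true; add `labels:` and indent the conditional beneath it. Finally, `sriov-admin` and `sriov-edit` carry the same get/watch/list verbs as `sriov-view`; if read-only is intended for all three, a comment should say so, otherwise the admin/edit roles presumably need create/update/patch/delete.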
@@ -0,0 +1,29 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "sriov-network-operator.fullname" . }} + labels: + {{- include "sriov-network-operator.labels" . | nindent 4 }} +roleRef: + kind: ClusterRole + name: {{ include "sriov-network-operator.fullname" . }} + apiGroup: rbac.authorization.k8s.io +subjects: + - kind: ServiceAccount + namespace: {{ .Release.Namespace }} + name: {{ include "sriov-network-operator.fullname" . }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: sriov-network-config-daemon + labels: + {{- include "sriov-network-operator.labels" . | nindent 4 }} +roleRef: + kind: ClusterRole + name: sriov-network-config-daemon + apiGroup: rbac.authorization.k8s.io +subjects: + - kind: ServiceAccount + namespace: {{ .Release.Namespace }} + name: sriov-network-config-daemon diff --git a/charts/sriov/103.0.0+up0.1.0/templates/configmap.yaml b/charts/sriov/103.0.0+up0.1.0/templates/configmap.yaml new file mode 100644 index 000000000..455bd91ff --- /dev/null +++ b/charts/sriov/103.0.0+up0.1.0/templates/configmap.yaml 
@@ -0,0 +1,25 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: supported-nic-ids +data: + Intel_i40e_XXV710: "8086 158a 154c" + Intel_i40e_25G_SFP28: "8086 158b 154c" + Intel_i40e_10G_X710_SFP: "8086 1572 154c" + Intel_i40e_XXV710_N3000: "8086 0d58 154c" + Intel_i40e_40G_XL710_QSFP: "8086 1583 154c" + Intel_ice_Columbiaville_E810-CQDA2_2CQDA2: "8086 1592 1889" + Intel_ice_Columbiaville_E810-XXVDA4: "8086 1593 1889" + Intel_ice_Columbiaville_E810-XXVDA2: "8086 159b 1889" + Intel_ice_Columbiaville_E810: "8086 1591 1889" + Nvidia_mlx5_ConnectX-4: "15b3 1013 1014" + Nvidia_mlx5_ConnectX-4LX: "15b3 1015 1016" + Nvidia_mlx5_ConnectX-5: "15b3 1017 1018" + Nvidia_mlx5_ConnectX-5_Ex: "15b3 1019 101a" + Nvidia_mlx5_ConnectX-6: "15b3 101b 101c" + Nvidia_mlx5_ConnectX-6_Dx: "15b3 101d 101e" + Nvidia_mlx5_MT42822_BlueField-2_integrated_ConnectX-6_Dx: "15b3 a2d6 101e" + Broadcom_bnxt_BCM57414_2x25G: "14e4 16d7 16dc" + Broadcom_bnxt_BCM75508_2x100G: "14e4 1750 1806" + Qlogic_qede_QL45000_50G: "1077 1654 1664" + Red_Hat_Virtio_network_device: "1af4 1000 1000" diff --git a/charts/sriov/103.0.0+up0.1.0/templates/operator.yaml b/charts/sriov/103.0.0+up0.1.0/templates/operator.yaml new file mode 100644 index 000000000..ac3cb4c34 --- /dev/null +++ b/charts/sriov/103.0.0+up0.1.0/templates/operator.yaml 
@@ -0,0 +1,98 @@ +{{- if not (.Capabilities.APIVersions.Has "k8s.cni.cncf.io/v1/NetworkAttachmentDefinition") -}} +{{- required "rke2-multus is required but not found" "" -}} +{{- end -}} +apiVersion: sriovnetwork.openshift.io/v1 +kind: SriovOperatorConfig +metadata: + name: default + namespace: {{ .Release.Namespace }} +spec: + # Add fields here + enableInjector: {{ .Values.operator.enableAdmissionController }} + enableOperatorWebhook: {{ .Values.operator.enableAdmissionController }} + configDaemonNodeSelector: {feature.node.kubernetes.io/network-sriov.capable: "true"} +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "sriov-network-operator.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "sriov-network-operator.labels" . | nindent 4 }} +spec: + replicas: 1 + selector: + matchLabels: + name: sriov-network-operator + strategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 33% + template: + metadata: + labels: + name: sriov-network-operator + spec: + nodeSelector: {{ include "linux-node-selector" . | nindent 8 }} +{{- if .Values.operator.nodeSelector }} +{{ toYaml .Values.operator.nodeSelector | indent 8 }} +{{- end }} + tolerations: {{ include "linux-node-tolerations" . | nindent 8 }} +{{- if .Values.operator.tolerations }} +{{ toYaml .Values.operator.tolerations | indent 8 }} +{{- end }} + serviceAccountName: {{ include "sriov-network-operator.fullname" . }} + priorityClassName: "system-node-critical" + containers: + - name: {{ include "sriov-network-operator.fullname" . }} + image: {{ include "system_default_registry" . }}{{ .Values.images.operator.image }}:{{ .Values.images.operator.tag }} + command: + - sriov-network-operator + imagePullPolicy: IfNotPresent + resources: + requests: + cpu: 100m + memory: 100Mi + env: + - name: WATCH_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: SRIOV_CNI_IMAGE + value: {{ include "system_default_registry" . 
}}{{ .Values.images.sriovCni.image }}:{{ .Values.images.sriovCni.tag }} + - name: SRIOV_INFINIBAND_CNI_IMAGE + value: {{ include "system_default_registry" . }}{{ .Values.images.ibSriovCni.image }}:{{ .Values.images.ibSriovCni.tag }} + - name: SRIOV_DEVICE_PLUGIN_IMAGE + value: {{ include "system_default_registry" . }}{{ .Values.images.sriovDevicePlugin.image }}:{{ .Values.images.sriovDevicePlugin.tag }} + - name: NETWORK_RESOURCES_INJECTOR_IMAGE + value: {{ include "system_default_registry" . }}{{ .Values.images.resourcesInjector.image }}:{{ .Values.images.resourcesInjector.tag }} + - name: OPERATOR_NAME + value: sriov-network-operator + - name: SRIOV_NETWORK_CONFIG_DAEMON_IMAGE + value: {{ include "system_default_registry" . }}{{ .Values.images.sriovConfigDaemon.image }}:{{ .Values.images.sriovConfigDaemon.tag }} + - name: SRIOV_NETWORK_WEBHOOK_IMAGE + value: {{ include "system_default_registry" . }}{{ .Values.images.webhook.image }}:{{ .Values.images.webhook.tag }} + - name: RESOURCE_PREFIX + value: {{ .Values.operator.resourcePrefix }} + - name: ENABLE_ADMISSION_CONTROLLER + value: {{ .Values.operator.enableAdmissionController | quote }} + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: RELEASE_VERSION + value: {{ .Release.AppVersion }} + - name: SRIOV_CNI_BIN_PATH + value: {{ .Values.operator.cniBinPath }} + - name: CLUSTER_TYPE + value: {{ .Values.operator.clusterType }} + {{- if .Values.operator.enableAdmissionController }} + {{- if not .Values.cert_manager }} + - name: WEBHOOK_CA_BUNDLE + value: "{{ include "sriov_operator_ca_cert" . }}" + {{- end }} + {{- end }} diff --git a/charts/sriov/103.0.0+up0.1.0/templates/role.yaml b/charts/sriov/103.0.0+up0.1.0/templates/role.yaml new file mode 100644 index 000000000..35a9d50af --- /dev/null +++ b/charts/sriov/103.0.0+up0.1.0/templates/role.yaml 
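Review bot: The image references read `.Values.images.<component>.image`, but values.yaml in this same commit defines every entry as `repository:` plus `tag:`, so with default values the operator image and all `SRIOV_*_IMAGE` env values render as `:v1.2.0-build20230912` unless an override supplies `image`; one side needs to be renamed. `RELEASE_VERSION` is set from `.Release.AppVersion`, which is not one of Helm's built-in Release fields (Name, Namespace, Revision, IsUpgrade, IsInstall, Service), so it renders empty; `.Chart.AppVersion` is presumably what was intended. The container carries no `securityContext` even though the node-feature-discovery values in this series set `allowPrivilegeEscalation: false`, `capabilities.drop: ["ALL"]`, `readOnlyRootFilesystem: true` and `runAsNonRoot: true`; the same block should be added here if the hardened operator image runs unprivileged. The templated env values (`RESOURCE_PREFIX`, `SRIOV_CNI_BIN_PATH`, `CLUSTER_TYPE`) are unquoted, so an empty or boolean-looking override changes their YAML type; use `value: {{ .Values.operator.resourcePrefix | quote }}` and likewise for the others.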
@@ -0,0 +1,125 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + creationTimestamp: null + name: {{ include "sriov-network-operator.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "sriov-network-operator.labels" . | nindent 4 }} +rules: + - apiGroups: + - "" + resources: + - pods + - services + - endpoints + - persistentvolumeclaims + - events + - configmaps + - secrets + verbs: + - '*' + - apiGroups: + - apps + resources: + - deployments + - daemonsets + - replicasets + - statefulsets + verbs: + - '*' + - apiGroups: + - monitoring.coreos.com + resources: + - servicemonitors + verbs: + - get + - create + - apiGroups: + - apps + resourceNames: + - sriov-network-operator + resources: + - deployments/finalizers + verbs: + - update + - apiGroups: + - rbac.authorization.k8s.io + resources: + - serviceaccounts + - roles + - rolebindings + verbs: + - '*' + - apiGroups: + - config.openshift.io + resources: + - infrastructures + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: sriov-network-config-daemon + namespace: {{ .Release.Namespace }} + labels: + {{- include "sriov-network-operator.labels" . | nindent 4 }} +rules: + - apiGroups: + - "" + resources: + - pods + verbs: + - '*' + - apiGroups: + - apps + resources: + - daemonsets + verbs: + - '*' + - apiGroups: + - sriovnetwork.openshift.io + resources: + - '*' + - sriovnetworknodestates + verbs: + - '*' + - apiGroups: + - security.openshift.io + resourceNames: + - privileged + resources: + - securitycontextconstraints + verbs: + - use + - apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - update + - apiGroups: + - 'coordination.k8s.io' + resources: + - 'leases' + verbs: + - '*' +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: operator-webhook-sa + namespace: {{ .Release.Namespace }} + labels: + {{- include "sriov-network-operator.labels" . 
| nindent 4 }} +rules: + - apiGroups: + - "" + resources: + - configmaps + verbs: + - get diff --git a/charts/sriov/103.0.0+up0.1.0/templates/rolebinding.yaml b/charts/sriov/103.0.0+up0.1.0/templates/rolebinding.yaml new file mode 100644 index 000000000..d2cf1849a --- /dev/null +++ b/charts/sriov/103.0.0+up0.1.0/templates/rolebinding.yaml @@ -0,0 +1,44 @@ +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ include "sriov-network-operator.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "sriov-network-operator.labels" . | nindent 4 }} +subjects: + - kind: ServiceAccount + name: {{ include "sriov-network-operator.fullname" . }} + namespace: {{ .Release.Namespace }} +roleRef: + kind: Role + name: {{ include "sriov-network-operator.fullname" . }} + apiGroup: rbac.authorization.k8s.io +--- +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: sriov-network-config-daemon + namespace: {{ .Release.Namespace }} + labels: + {{- include "sriov-network-operator.labels" . | nindent 4 }} +subjects: + - kind: ServiceAccount + name: sriov-network-config-daemon + namespace: {{ .Release.Namespace }} +roleRef: + kind: Role + name: sriov-network-config-daemon + apiGroup: rbac.authorization.k8s.io +--- +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: operator-webhook-sa + namespace: {{ .Release.Namespace }} +subjects: +- kind: ServiceAccount + name: operator-webhook-sa +roleRef: + kind: Role + name: operator-webhook-sa + apiGroup: rbac.authorization.k8s.io diff --git a/charts/sriov/103.0.0+up0.1.0/templates/secrets.yaml b/charts/sriov/103.0.0+up0.1.0/templates/secrets.yaml new file mode 100644 index 000000000..3d345be46 --- /dev/null +++ b/charts/sriov/103.0.0+up0.1.0/templates/secrets.yaml 
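Review bot: In the operator Role, `serviceaccounts` is listed under apiGroup `rbac.authorization.k8s.io`, but ServiceAccounts live in the core group, so that entry grants nothing; the only effective SA permission is the cluster-wide `*` in the ClusterRole from this commit. Move `serviceaccounts` into the core-group rule of this Role (next to `configmaps` and `secrets`) and drop the cluster-wide grant, which keeps SA management inside the release namespace. The `*` verbs on `roles` and `rolebindings` also include `bind`/`escalate` within the namespace, so enumerating verbs there as well would let the API server's escalation check apply. In the config-daemon Role, `resources: ['*', sriovnetworknodestates]` is redundant since `'*'` already covers it; pick one, and if only node states are meant, list just that resource.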
@@ -0,0 +1,20 @@
+{{- if not .Values.cert_manager -}}
+{{- if .Values.operator.enableAdmissionController }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: operator-webhook-service
+ namespace: {{ .Release.Namespace }}
+data: {{ include "sriov_operator_cert" . | nindent 2 }}
+{{- end }}
+---
+{{- if .Values.operator.enableAdmissionController }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: network-resources-injector-secret
+ namespace: {{ .Release.Namespace }}
+data: {{ include "sriov_resource_injector_cert" . | nindent 2 }}
+{{- end }}
+{{- end }}
+
diff --git a/charts/sriov/103.0.0+up0.1.0/templates/serviceaccount.yaml b/charts/sriov/103.0.0+up0.1.0/templates/serviceaccount.yaml
new file mode 100644
index 000000000..fc0bb5705
--- /dev/null
+++ b/charts/sriov/103.0.0+up0.1.0/templates/serviceaccount.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "sriov-network-operator.fullname" . }}
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "sriov-network-operator.labels" . | nindent 4 }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: sriov-network-config-daemon
+ namespace: {{ .Release.Namespace }}
+ labels:
+ {{- include "sriov-network-operator.labels" . | nindent 4 }}
diff --git a/charts/sriov/103.0.0+up0.1.0/templates/validate-install-crd.yaml b/charts/sriov/103.0.0+up0.1.0/templates/validate-install-crd.yaml
new file mode 100644
index 000000000..48ffe7075
--- /dev/null
+++ b/charts/sriov/103.0.0+up0.1.0/templates/validate-install-crd.yaml
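Review bot: The two webhook Secrets carry `tls.crt`/`tls.key` but no `type:`, so they are created as Opaque, whereas the cert-manager path in this commit produces `kubernetes.io/tls` Secrets under the same names; add `type: kubernetes.io/tls` to both so the two paths are interchangeable for whatever mounts them and so the API server validates the key pair is present. The `---` separator sits between the two `if` blocks rather than inside the second one, so with `enableAdmissionController: false` the file renders a lone `---` document; moving it inside the second conditional keeps the output empty in that case. A header comment such as `# Self-signed webhook certs; only rendered when cert_manager is false and the admission controller is enabled (see _webhook-certs.tpl)` would make the gating obvious.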
@@ -0,0 +1,19 @@ +#{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}} +# {{- $found := dict -}} +# {{- set $found "sriovnetwork.openshift.io/v1/SriovIBNetwork" false -}} +# {{- set $found "sriovnetwork.openshift.io/v1/SriovNetworkNodePolicy" false -}} +# {{- set $found "sriovnetwork.openshift.io/v1/SriovNetworkNodeState" false -}} +# {{- set $found "sriovnetwork.openshift.io/v1/SriovNetworkPoolConfig" false -}} +# {{- set $found "sriovnetwork.openshift.io/v1/SriovNetwork" false -}} +# {{- set $found "sriovnetwork.openshift.io/v1/SriovOperatorConfig" false -}} +# {{- range .Capabilities.APIVersions -}} +# {{- if hasKey $found (toString .) -}} +# {{- set $found (toString .) true -}} +# {{- end -}} +# {{- end -}} +# {{- range $_, $exists := $found -}} +# {{- if (eq $exists false) -}} +# {{- required "Required CRDs are missing. Please install the corresponding CRD chart before installing this chart." "" -}} +# {{- end -}} +# {{- end -}} +#{{- end -}} \ No newline at end of file diff --git a/charts/sriov/103.0.0+up0.1.0/values.yaml b/charts/sriov/103.0.0+up0.1.0/values.yaml new file mode 100644 index 000000000..a11283956 --- /dev/null +++ b/charts/sriov/103.0.0+up0.1.0/values.yaml 
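Review bot: Every line of this template is prefixed with `#`, which reads as if the CRD check were disabled, but Go template actions inside `#` lines still execute, so the `required` call is live and the rendered output is a comment-only (empty) document; a short header is needed so nobody "cleans up" the prefixes or assumes the check is off. Also, the guard `gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0` skips the whole check under `helm template` and `--dry-run`, where `lookup` returns an empty map, and `.Capabilities.APIVersions` only knows about the CRDs when a live cluster is queried. Suggested header: `# The '#' prefixes are intentional: template actions still run, and the file renders to nothing. This fails installation when the sriov-crd chart's CRDs are missing; the lookup guard skips the check offline (helm template / --dry-run).`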
@@ -0,0 +1,64 @@ +operator: + tolerations: + - key: "node-role.kubernetes.io/control-plane" + operator: "Exists" + effect: "NoSchedule" + - effect: NoExecute + key: node-role.kubernetes.io/etcd + operator: Exists + nodeSelector: {} + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: "node-role.kubernetes.io/master" + operator: In + values: [ "" ] + - matchExpressions: + - key: "node-role.kubernetes.io/control-plane" + operator: In + values: [ "" ] + nameOverride: "" + fullnameOverride: "" + resourcePrefix: "rancher.io" + enableAdmissionController: false + cniBinPath: "/opt/cni/bin" + clusterType: "kubernetes" + +# Image URIs for sriov-network-operator components +images: + operator: + repository: rancher/hardened-sriov-network-operator + tag: v1.2.0-build20230912 + sriovConfigDaemon: + repository: rancher/hardened-sriov-network-config-daemon + tag: v1.2.0-build20230912 + sriovCni: + repository: rancher/hardened-sriov-cni + tag: v2.6.3-build20230913 + ibSriovCni: + repository: rancher/hardened-ib-sriov-cni + tag: v1.0.2-build20230911 + sriovDevicePlugin: + repository: rancher/hardened-sriov-network-device-plugin + tag: v3.5.1-build20230911 + resourcesInjector: + repository: rancher/hardened-sriov-network-resources-injector + tag: v1.5-build20230911 + webhook: + repository: rancher/hardened-sriov-network-webhook + tag: v1.2.0-build20230912 + +# cert_manager enables integration with cert-manager to generate +# certificates for the operator webhooks. Otherwise the chart will +# generate ad-hoc certificates with no automated renewal at expiration, +# not recommended for production clusters. +cert_manager: false + +global: + cattle: + systemDefaultRegistry: "" + rbac: + userRoles: + aggregateToDefaultRoles: false diff --git a/index.yaml b/index.yaml index 298dc39fb..0176cbc82 100755 --- a/index.yaml +++ b/index.yaml 
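Review bot: `operator.affinity` ships a control-plane `nodeAffinity` default, but operator.yaml in this commit renders only `operator.nodeSelector` and `operator.tolerations`, so the affinity is never applied and the operator can land on any linux node despite the tolerations suggesting control-plane placement. Either render it in the Deployment, e.g. `{{- with .Values.operator.affinity }}` / `affinity: {{ toYaml . | nindent 8 }}` / `{{- end }}`, or remove the dead default so users are not misled. The `enableAdmissionController: false` default deserves a comment stating its consequence as visible in operator.yaml: both `enableInjector` and `enableOperatorWebhook` in the SriovOperatorConfig follow it, so with the default neither the resource injector nor the operator validating webhook is deployed. The `images.*` entries are keyed `repository:`, while the templates read `.image`; whichever name is kept, a comment on the `images:` block saying which key the templates consume would prevent silent empty image references.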
@@ -16509,6 +16509,39 @@ entries: - assets/rio/rio-0.8.000.tgz version: 0.8.000 sriov: + - annotations: + catalog.cattle.io/auto-install: sriov-crd=match + catalog.cattle.io/certified: rancher + catalog.cattle.io/experimental: "true" + catalog.cattle.io/kube-version: '>= 1.16.0-0 < 1.28.0-0' + catalog.cattle.io/namespace: cattle-sriov-system + catalog.cattle.io/os: linux + catalog.cattle.io/permits-os: linux + catalog.cattle.io/rancher-version: '>= 2.8.0-0 < 2.9.0-0' + catalog.cattle.io/release-name: sriov + catalog.cattle.io/upstream-version: 1.2.0 + apiVersion: v2 + appVersion: 1.2.0 + created: "2023-09-26T17:13:13.630583533-06:00" + description: SR-IOV network operator configures and manages SR-IOV networks in + the kubernetes cluster + digest: 2c7728a1571b3487d8d8facae1545dee2155de2fcb639a5b16a976840ca935aa + home: https://github.com/k8snetworkplumbingwg/sriov-network-operator + icon: https://charts.rancher.io/assets/logos/sr-iov.svg + keywords: + - sriov + - Networking + kubeVersion: '>= 1.16.0' + maintainers: + - email: charts@rancher.com + name: Rancher Labs + name: sriov + sources: + - https://github.com/rancher/charts + type: application + urls: + - assets/sriov/sriov-103.0.0+up0.1.0.tgz + version: 103.0.0+up0.1.0 - annotations: catalog.cattle.io/auto-install: sriov-crd=match catalog.cattle.io/certified: rancher 
@@ -16804,6 +16837,22 @@ entries: - assets/sriov/sriov-100.0.0+up0.1.0.tgz version: 100.0.0+up0.1.0 sriov-crd: + - annotations: + catalog.cattle.io/certified: rancher + catalog.cattle.io/experimental: "true" + catalog.cattle.io/hidden: "true" + catalog.cattle.io/namespace: cattle-sriov-system + catalog.cattle.io/permits-os: linux + catalog.cattle.io/release-name: sriov-crd + apiVersion: v2 + created: "2023-09-26T17:13:13.63307864-06:00" + description: Installs the CRDs for rke2-sriov. + digest: 98b506e305ff4fc48aa0015c1876fd86aa6cca3f6b1e0b416f18f3d0bd865138 + name: sriov-crd + type: application + urls: + - assets/sriov-crd/sriov-crd-103.0.0+up0.1.0.tgz + version: 103.0.0+up0.1.0 - annotations: catalog.cattle.io/certified: rancher catalog.cattle.io/experimental: "true" From db9fa73318d3697101fe50863512b47b7769ab71 Mon Sep 17 00:00:00 2001 From: rancherbot Date: Wed, 1 Nov 2023 21:20:47 +0000 Subject: [PATCH 24/24] Updating resync.yaml --- regsync.yaml | 47 +++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 47 insertions(+) diff --git a/regsync.yaml b/regsync.yaml index 15e428358..866572ac5 100644 --- a/regsync.yaml +++ b/regsync.yaml @@ -58,6 +58,8 @@ sync: - v3.0.0 - v3.1.0 - v3.1.1 + - v3.1.2 + - v4.0.0 - source: docker.io/rancher/banzaicloud-fluentd target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/banzaicloud-fluentd' type: repository @@ -261,6 +263,12 @@ sync: tags: allow: - 7.1.5 +- source: docker.io/rancher/hardened-ib-sriov-cni + target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/hardened-ib-sriov-cni' + type: repository + tags: + allow: + - v1.0.2-build20230911 - source: docker.io/rancher/hardened-node-feature-discovery target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/hardened-node-feature-discovery' type: repository 
@@ -269,6 +277,43 @@ sync: - v0.11.2-build20220901 - v0.12.1-build20230120 - v0.13.2-build20230605 + - v0.14.1-build20230926 +- source: docker.io/rancher/hardened-sriov-cni + target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/hardened-sriov-cni' + type: repository + tags: + allow: + - v2.6.3-build20230913 +- source: docker.io/rancher/hardened-sriov-network-config-daemon + target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/hardened-sriov-network-config-daemon' + type: repository + tags: + allow: + - v1.2.0-build20230912 +- source: docker.io/rancher/hardened-sriov-network-device-plugin + target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/hardened-sriov-network-device-plugin' + type: repository + tags: + allow: + - v3.5.1-build20230911 +- source: docker.io/rancher/hardened-sriov-network-operator + target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/hardened-sriov-network-operator' + type: repository + tags: + allow: + - v1.2.0-build20230912 +- source: docker.io/rancher/hardened-sriov-network-resources-injector + target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/hardened-sriov-network-resources-injector' + type: repository + tags: + allow: + - v1.5-build20230911 +- source: docker.io/rancher/hardened-sriov-network-webhook + target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/hardened-sriov-network-webhook' + type: repository + tags: + allow: + - v1.2.0-build20230912 - source: docker.io/rancher/harvester-cloud-provider target: '{{ env "REGISTRY_ENDPOINT" }}/rancher/harvester-cloud-provider' type: repository @@ -1260,6 +1305,7 @@ sync: allow: - v3.10.0 - v3.12.0 + - v3.13.0 - v3.3.0 - v3.5.1 - v3.6.0 @@ -1273,6 +1319,7 @@ sync: allow: - v3.10.0 - v3.12.0 + - v3.13.0 - v3.6.0 - v3.7.1 - v3.8.1