andata
/
rancher-charts
mirror of https://git.rancher.io/charts
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #3208 from rancher/feat-2-8-batch-7 

[release-v2.8] Feature Charts batch release for rancher-backup, rancher-gatekeeper and sriov
pull/3215/head
Sakala Venkata Krishna Rohit 2023-11-01 14:38:28 -07:00 committed by GitHub
parent e264f95bb7 db9fa73318
commit 4d40599e40
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
194 changed files with 13754 additions and 104 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
assets/rancher-backup-crd/rancher-backup-crd-102.0.2+up3.1.2.tgz Normal file
View File

Binary file not shown.

BIN
assets/rancher-backup-crd/rancher-backup-crd-103.0.0+up4.0.0.tgz Normal file
View File

Binary file not shown.

BIN
assets/rancher-backup/rancher-backup-102.0.2+up3.1.2.tgz Normal file
View File

Binary file not shown.

BIN
assets/rancher-backup/rancher-backup-103.0.0+up4.0.0.tgz Normal file
View File

Binary file not shown.

BIN
assets/rancher-gatekeeper-crd/rancher-gatekeeper-crd-103.1.0+up3.13.0.tgz Normal file
View File

Binary file not shown.

BIN
assets/rancher-gatekeeper/rancher-gatekeeper-103.1.0+up3.13.0.tgz Normal file
View File

Binary file not shown.

BIN
assets/sriov-crd/sriov-crd-103.0.0+up0.1.0.tgz Normal file
View File

Binary file not shown.

BIN
assets/sriov/sriov-103.0.0+up0.1.0.tgz Normal file
View File

Binary file not shown.

11
charts/rancher-backup-crd/102.0.2+up3.1.2/Chart.yaml Normal file
View File

@ -0,0 +1,11 @@
annotations:
catalog.cattle.io/certified: rancher
catalog.cattle.io/hidden: "true"
catalog.cattle.io/namespace: cattle-resources-system
catalog.cattle.io/release-name: rancher-backup-crd
apiVersion: v2
appVersion: 3.1.2
description: Installs the CRDs for rancher-backup.
name: rancher-backup-crd
type: application
version: 102.0.2+up3.1.2

3
charts/rancher-backup-crd/102.0.2+up3.1.2/README.md Normal file
View File

@ -0,0 +1,3 @@
# Rancher Backup CRD
A Rancher chart that installs the CRDs used by `rancher-backup`.

141
charts/rancher-backup-crd/102.0.2+up3.1.2/templates/backup.yaml Normal file
View File

@ -0,0 +1,141 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: backups.resources.cattle.io
spec:
group: resources.cattle.io
names:
kind: Backup
plural: backups
singular: backup
scope: Cluster
versions:
- additionalPrinterColumns:
- jsonPath: .status.storageLocation
name: Location
type: string
- jsonPath: .status.backupType
name: Type
type: string
- jsonPath: .status.filename
name: Latest-Backup
type: string
- jsonPath: .spec.resourceSetName
name: ResourceSet
type: string
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
- jsonPath: .status.conditions[?(@.type=="Ready")].message
name: Status
type: string
name: v1
schema:
openAPIV3Schema:
properties:
spec:
properties:
encryptionConfigSecretName:
description: Name of the Secret containing the encryption config
nullable: true
type: string
resourceSetName:
description: Name of the ResourceSet CR to use for backup
nullable: true
type: string
retentionCount:
minimum: 1
type: integer
schedule:
description: Cron schedule for recurring backups
example:
Descriptors: '@midnight'
Standard crontab specs: 0 0 * * *
nullable: true
type: string
storageLocation:
nullable: true
properties:
s3:
nullable: true
properties:
bucketName:
nullable: true
type: string
credentialSecretName:
nullable: true
type: string
credentialSecretNamespace:
nullable: true
type: string
endpoint:
nullable: true
type: string
endpointCA:
nullable: true
type: string
folder:
nullable: true
type: string
insecureTLSSkipVerify:
type: boolean
region:
nullable: true
type: string
type: object
type: object
required:
- resourceSetName
type: object
status:
properties:
backupType:
nullable: true
type: string
conditions:
items:
properties:
lastTransitionTime:
nullable: true
type: string
lastUpdateTime:
nullable: true
type: string
message:
nullable: true
type: string
reason:
nullable: true
type: string
status:
nullable: true
type: string
type:
nullable: true
type: string
type: object
nullable: true
type: array
filename:
nullable: true
type: string
lastSnapshotTs:
nullable: true
type: string
nextSnapshotAt:
nullable: true
type: string
observedGeneration:
type: integer
storageLocation:
nullable: true
type: string
summary:
nullable: true
type: string
type: object
type: object
served: true
storage: true
subresources:
status: {}

118
charts/rancher-backup-crd/102.0.2+up3.1.2/templates/resourceset.yaml Normal file
View File

@ -0,0 +1,118 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: resourcesets.resources.cattle.io
spec:
group: resources.cattle.io
names:
kind: ResourceSet
plural: resourcesets
singular: resourceset
scope: Cluster
versions:
- name: v1
schema:
openAPIV3Schema:
properties:
controllerReferences:
items:
properties:
apiVersion:
nullable: true
type: string
name:
nullable: true
type: string
namespace:
nullable: true
type: string
replicas:
type: integer
resource:
nullable: true
type: string
type: object
nullable: true
type: array
resourceSelectors:
items:
properties:
apiVersion:
nullable: true
type: string
excludeKinds:
items:
nullable: true
type: string
nullable: true
type: array
excludeResourceNameRegexp:
nullable: true
type: string
kinds:
items:
nullable: true
type: string
nullable: true
type: array
kindsRegexp:
nullable: true
type: string
labelSelectors:
nullable: true
properties:
matchExpressions:
items:
properties:
key:
nullable: true
type: string
operator:
nullable: true
type: string
values:
items:
nullable: true
type: string
nullable: true
type: array
type: object
nullable: true
type: array
matchLabels:
additionalProperties:
nullable: true
type: string
nullable: true
type: object
type: object
namespaceRegexp:
nullable: true
type: string
namespaces:
items:
nullable: true
type: string
nullable: true
type: array
resourceNameRegexp:
nullable: true
type: string
resourceNames:
items:
nullable: true
type: string
nullable: true
type: array
type: object
nullable: true
required:
- apiVersion
type: array
required:
- resourceSelectors
type: object
served: true
storage: true
subresources:
status: {}

122
charts/rancher-backup-crd/102.0.2+up3.1.2/templates/restore.yaml Normal file
View File

@ -0,0 +1,122 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: restores.resources.cattle.io
spec:
group: resources.cattle.io
names:
kind: Restore
plural: restores
singular: restore
scope: Cluster
versions:
- additionalPrinterColumns:
- jsonPath: .status.backupSource
name: Backup-Source
type: string
- jsonPath: .spec.backupFilename
name: Backup-File
type: string
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
- jsonPath: .status.conditions[?(@.type=="Ready")].message
name: Status
type: string
name: v1
schema:
openAPIV3Schema:
properties:
spec:
properties:
backupFilename:
nullable: true
type: string
deleteTimeoutSeconds:
maximum: 10
type: integer
encryptionConfigSecretName:
nullable: true
type: string
ignoreErrors:
type: boolean
prune:
nullable: true
type: boolean
storageLocation:
nullable: true
properties:
s3:
nullable: true
properties:
bucketName:
nullable: true
type: string
credentialSecretName:
nullable: true
type: string
credentialSecretNamespace:
nullable: true
type: string
endpoint:
nullable: true
type: string
endpointCA:
nullable: true
type: string
folder:
nullable: true
type: string
insecureTLSSkipVerify:
type: boolean
region:
nullable: true
type: string
type: object
type: object
required:
- backupFilename
type: object
status:
properties:
backupSource:
nullable: true
type: string
conditions:
items:
properties:
lastTransitionTime:
nullable: true
type: string
lastUpdateTime:
nullable: true
type: string
message:
nullable: true
type: string
reason:
nullable: true
type: string
status:
nullable: true
type: string
type:
nullable: true
type: string
type: object
nullable: true
type: array
observedGeneration:
type: integer
restoreCompletionTs:
nullable: true
type: string
summary:
nullable: true
type: string
type: object
type: object
served: true
storage: true
subresources:
status: {}

11
charts/rancher-backup-crd/103.0.0+up4.0.0/Chart.yaml Normal file
View File

@ -0,0 +1,11 @@
annotations:
catalog.cattle.io/certified: rancher
catalog.cattle.io/hidden: "true"
catalog.cattle.io/namespace: cattle-resources-system
catalog.cattle.io/release-name: rancher-backup-crd
apiVersion: v2
appVersion: 4.0.0
description: Installs the CRDs for rancher-backup.
name: rancher-backup-crd
type: application
version: 103.0.0+up4.0.0

3
charts/rancher-backup-crd/103.0.0+up4.0.0/README.md Normal file
View File

@ -0,0 +1,3 @@
# Rancher Backup CRD
A Rancher chart that installs the CRDs used by `rancher-backup`.

141
charts/rancher-backup-crd/103.0.0+up4.0.0/templates/backup.yaml Normal file
View File

@ -0,0 +1,141 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: backups.resources.cattle.io
spec:
group: resources.cattle.io
names:
kind: Backup
plural: backups
singular: backup
scope: Cluster
versions:
- additionalPrinterColumns:
- jsonPath: .status.storageLocation
name: Location
type: string
- jsonPath: .status.backupType
name: Type
type: string
- jsonPath: .status.filename
name: Latest-Backup
type: string
- jsonPath: .spec.resourceSetName
name: ResourceSet
type: string
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
- jsonPath: .status.conditions[?(@.type=="Ready")].message
name: Status
type: string
name: v1
schema:
openAPIV3Schema:
properties:
spec:
properties:
encryptionConfigSecretName:
description: Name of the Secret containing the encryption config
nullable: true
type: string
resourceSetName:
description: Name of the ResourceSet CR to use for backup
nullable: true
type: string
retentionCount:
minimum: 1
type: integer
schedule:
description: Cron schedule for recurring backups
example:
Descriptors: '@midnight'
Standard crontab specs: 0 0 * * *
nullable: true
type: string
storageLocation:
nullable: true
properties:
s3:
nullable: true
properties:
bucketName:
nullable: true
type: string
credentialSecretName:
nullable: true
type: string
credentialSecretNamespace:
nullable: true
type: string
endpoint:
nullable: true
type: string
endpointCA:
nullable: true
type: string
folder:
nullable: true
type: string
insecureTLSSkipVerify:
type: boolean
region:
nullable: true
type: string
type: object
type: object
required:
- resourceSetName
type: object
status:
properties:
backupType:
nullable: true
type: string
conditions:
items:
properties:
lastTransitionTime:
nullable: true
type: string
lastUpdateTime:
nullable: true
type: string
message:
nullable: true
type: string
reason:
nullable: true
type: string
status:
nullable: true
type: string
type:
nullable: true
type: string
type: object
nullable: true
type: array
filename:
nullable: true
type: string
lastSnapshotTs:
nullable: true
type: string
nextSnapshotAt:
nullable: true
type: string
observedGeneration:
type: integer
storageLocation:
nullable: true
type: string
summary:
nullable: true
type: string
type: object
type: object
served: true
storage: true
subresources:
status: {}

118
charts/rancher-backup-crd/103.0.0+up4.0.0/templates/resourceset.yaml Normal file
View File

@ -0,0 +1,118 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: resourcesets.resources.cattle.io
spec:
group: resources.cattle.io
names:
kind: ResourceSet
plural: resourcesets
singular: resourceset
scope: Cluster
versions:
- name: v1
schema:
openAPIV3Schema:
properties:
controllerReferences:
items:
properties:
apiVersion:
nullable: true
type: string
name:
nullable: true
type: string
namespace:
nullable: true
type: string
replicas:
type: integer
resource:
nullable: true
type: string
type: object
nullable: true
type: array
resourceSelectors:
items:
properties:
apiVersion:
nullable: true
type: string
excludeKinds:
items:
nullable: true
type: string
nullable: true
type: array
excludeResourceNameRegexp:
nullable: true
type: string
kinds:
items:
nullable: true
type: string
nullable: true
type: array
kindsRegexp:
nullable: true
type: string
labelSelectors:
nullable: true
properties:
matchExpressions:
items:
properties:
key:
nullable: true
type: string
operator:
nullable: true
type: string
values:
items:
nullable: true
type: string
nullable: true
type: array
type: object
nullable: true
type: array
matchLabels:
additionalProperties:
nullable: true
type: string
nullable: true
type: object
type: object
namespaceRegexp:
nullable: true
type: string
namespaces:
items:
nullable: true
type: string
nullable: true
type: array
resourceNameRegexp:
nullable: true
type: string
resourceNames:
items:
nullable: true
type: string
nullable: true
type: array
type: object
nullable: true
required:
- apiVersion
type: array
required:
- resourceSelectors
type: object
served: true
storage: true
subresources:
status: {}

122
charts/rancher-backup-crd/103.0.0+up4.0.0/templates/restore.yaml Normal file
View File

@ -0,0 +1,122 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: restores.resources.cattle.io
spec:
group: resources.cattle.io
names:
kind: Restore
plural: restores
singular: restore
scope: Cluster
versions:
- additionalPrinterColumns:
- jsonPath: .status.backupSource
name: Backup-Source
type: string
- jsonPath: .spec.backupFilename
name: Backup-File
type: string
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
- jsonPath: .status.conditions[?(@.type=="Ready")].message
name: Status
type: string
name: v1
schema:
openAPIV3Schema:
properties:
spec:
properties:
backupFilename:
nullable: true
type: string
deleteTimeoutSeconds:
maximum: 10
type: integer
encryptionConfigSecretName:
nullable: true
type: string
ignoreErrors:
type: boolean
prune:
nullable: true
type: boolean
storageLocation:
nullable: true
properties:
s3:
nullable: true
properties:
bucketName:
nullable: true
type: string
credentialSecretName:
nullable: true
type: string
credentialSecretNamespace:
nullable: true
type: string
endpoint:
nullable: true
type: string
endpointCA:
nullable: true
type: string
folder:
nullable: true
type: string
insecureTLSSkipVerify:
type: boolean
region:
nullable: true
type: string
type: object
type: object
required:
- backupFilename
type: object
status:
properties:
backupSource:
nullable: true
type: string
conditions:
items:
properties:
lastTransitionTime:
nullable: true
type: string
lastUpdateTime:
nullable: true
type: string
message:
nullable: true
type: string
reason:
nullable: true
type: string
status:
nullable: true
type: string
type:
nullable: true
type: string
type: object
nullable: true
type: array
observedGeneration:
type: integer
restoreCompletionTs:
nullable: true
type: string
summary:
nullable: true
type: string
type: object
type: object
served: true
storage: true
subresources:
status: {}

26
charts/rancher-backup/102.0.2+up3.1.2/Chart.yaml Normal file
View File

@ -0,0 +1,26 @@
annotations:
catalog.cattle.io/auto-install: rancher-backup-crd=match
catalog.cattle.io/certified: rancher
catalog.cattle.io/display-name: Rancher Backups
catalog.cattle.io/kube-version: '>= 1.16.0-0 < 1.27.0-0'
catalog.cattle.io/namespace: cattle-resources-system
catalog.cattle.io/os: linux
catalog.cattle.io/permits-os: linux,windows
catalog.cattle.io/provides-gvr: resources.cattle.io.resourceset/v1
catalog.cattle.io/rancher-version: '>= 2.7.0-0 < 2.8.0-0'
catalog.cattle.io/release-name: rancher-backup
catalog.cattle.io/scope: management
catalog.cattle.io/type: cluster-tool
catalog.cattle.io/ui-component: rancher-backup
catalog.cattle.io/upstream-version: 2.1.1
apiVersion: v2
appVersion: 3.1.2
description: Provides ability to back up and restore the Rancher application running
on any Kubernetes cluster
icon: https://charts.rancher.io/assets/logos/backup-restore.svg
keywords:
- applications
- infrastructure
kubeVersion: '>= 1.16.0-0'
name: rancher-backup
version: 102.0.2+up3.1.2

79
charts/rancher-backup/102.0.2+up3.1.2/README.md Normal file
View File

@ -0,0 +1,79 @@
# Rancher Backup
This chart provides ability to back up and restore the Rancher application running on any Kubernetes cluster.
Refer [this](https://github.com/rancher/backup-restore-operator) repository for implementation details.
-----
### Get Repo Info
```bash
helm repo add rancher-chart https://charts.rancher.io
helm repo update
```
-----
### Install Chart
```bash
helm install rancher-backup-crd rancher-chart/rancher-backup-crd -n cattle-resources-system --create-namespace
helm install rancher-backup rancher-chart/rancher-backup -n cattle-resources-system
```
-----
### Configuration
The following table lists the configurable parameters of the rancher-backup chart and their default values:
| Parameter | Description | Default |
|----------|---------------|-------|
| image.repository | Container image repository | rancher/backup-restore-operator |
| image.tag | Container image tag | v0.1.0-rc1 |
| s3.enabled | Configure S3 compatible default storage location. Current version supports S3 and MinIO | false |
| s3.credentialSecretName | Name of the Secret containing S3 credentials. This is an optional field. Skip this field in order to use IAM Role authentication. The Secret must contain following two keys, `accessKey` and `secretKey` | "" |
| s3.credentialSecretNamespace | Namespace of the Secret containing S3 credentials. This can be any namespace. | "" |
| s3.region | Region of the S3 Bucket (Required for S3, not valid for MinIO) | "" |
| s3.bucketName | Name of the Bucket | "" |
| s3.folder | Base folder within the Bucket (optional) | "" |
| s3.endpoint | Endpoint for the S3 storage provider | "" |
| s3.endpointCA | Base64 encoded CA cert for the S3 storage provider (optional) | "" |
| s3.insecureTLSSkipVerify | Skip SSL verification | false |
| persistence.enabled | Configure a Persistent Volume as the default storage location. It accepts either a StorageClass name to create a PVC, or directly accepts the PV to use. The Persistent Volume is mounted at `/var/lib/backups` in the operator pod | false |
| persistence.storageClass | StorageClass to use for dynamically provisioning the Persistent Volume, which will be used for storing backups | "" |
| persistence.volumeName | Persistent Volume to use for storing backups | "" |
| persistence.size | Requested size of the Persistent Volume (Applicable when using dynamic provisioning) | "" |
| debug | Set debug flag for backup-restore deployment | false |
| trace | Set trace flag for backup-restore deployment | false |
| nodeSelector | https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector | {} |
| tolerations | https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration | [] |
| affinity | https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity | {} |
| serviceAccount.annotations | Annotations to apply to created service account | {} |
| global.cattle.psp.enabled | Enable or disable PSPs in the chart | false |
-----
### PSPs
We have added a configuration to the chart `values.yaml` which allows you to enable or disable PSPs to align with the PSP deprecation in Kubernetes `v1.25` and above.
-----
### CRDs
Refer [this](https://github.com/rancher/backup-restore-operator#crds) section for information on CRDs that this chart installs. Also refer [this](https://github.com/rancher/backup-restore-operator/tree/master/examples) folder containing sample manifests for the CRDs.
-----
### Upgrading Chart
```bash
helm upgrade rancher-backup-crd -n cattle-resources-system
helm upgrade rancher-backup -n cattle-resources-system
```
-----
### Uninstall Chart
```bash
helm uninstall rancher-backup -n cattle-resources-system
helm uninstall rancher-backup-crd -n cattle-resources-system
```

33
charts/rancher-backup/102.0.2+up3.1.2/app-readme.md Normal file
View File

@ -0,0 +1,33 @@
# Rancher Backup
This chart enables ability to capture backups of the Rancher application and restore from these backups. This chart can be used to migrate Rancher from one Kubernetes cluster to a different Kubernetes cluster.
For more information on how to use the feature, refer to our [docs](https://ranchermanager.docs.rancher.com/pages-for-subheaders/backup-restore-and-disaster-recovery).
This chart installs the following components:
- [backup-restore-operator](https://github.com/rancher/backup-restore-operator)
- The operator handles backing up all Kubernetes resources and CRDs that Rancher creates and manages from the local cluster. It gathers these resources by querying the Kubernetes API server, packages all the resources to create a tarball file and saves it in the configured backup storage location.
- The operator can be configured to store backups in S3-compatible object stores such as AWS S3 and MinIO, and in persistent volumes. During deployment, you can create a default storage location, but there is always the option to override the default storage location with each backup, but will be limited to using an S3-compatible object store.
- It preserves the ownerReferences on all resources, hence maintaining dependencies between objects.
- This operator provides encryption support, to encrypt user specified resources before saving them in the backup file. It uses the same encryption configuration that is used to enable [Kubernetes Encryption at Rest](https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/).
- Backup - A backup is a CRD (`Backup`) that defines when to take backups, where to store the backup and what encryption to use (optional). Backups can be taken ad hoc or scheduled to be taken in intervals.
- Restore - A restore is a CRD (`Restore`) that defines which backup to use to restore the Rancher application to.
## Upgrading to Kubernetes v1.25+
Starting in Kubernetes v1.25, [Pod Security Policies](https://kubernetes.io/docs/concepts/security/pod-security-policy/) have been removed from the Kubernetes API.
As a result, **before upgrading to Kubernetes v1.25** (or on a fresh install in a Kubernetes v1.25+ cluster), users are expected to perform an in-place upgrade of this chart with `global.cattle.psp.enabled` set to `false` if it has been previously set to `true`.
> **Note:**
> In this chart release, any previous field that was associated with any PSP resources have been removed in favor of a single global field: `global.cattle.psp.enabled`.
> **Note:**
> If you upgrade your cluster to Kubernetes v1.25+ before removing PSPs via a `helm upgrade` (even if you manually clean up resources), **it will leave the Helm release in a broken state within the cluster such that further Helm operations will not work (`helm uninstall`, `helm upgrade`, etc.).**
>
> If your charts get stuck in this state, please consult the Rancher docs on how to clean up your Helm release secrets.
Upon setting `global.cattle.psp.enabled` to false, the chart will remove any PSP resources deployed on its behalf from the cluster. This is the default setting for this chart.
As a replacement for PSPs, [Pod Security Admission](https://kubernetes.io/docs/concepts/security/pod-security-admission/) should be used. Please consult the Rancher docs for more details on how to configure your chart release namespaces to work with the new Pod Security Admission and apply Pod Security Standards.

25
charts/rancher-backup/102.0.2+up3.1.2/files/default-resourceset-contents/aks.yaml Normal file
View File

@ -0,0 +1,25 @@
- apiVersion: "apiextensions.k8s.io/v1"
kindsRegexp: "."
resourceNameRegexp: "aks.cattle.io$"
- apiVersion: "aks.cattle.io/v1"
kindsRegexp: "."
- apiVersion: "apps/v1"
kindsRegexp: "^deployments$"
namespaces:
- "cattle-system"
resourceNames:
- "aks-config-operator"
- apiVersion: "rbac.authorization.k8s.io/v1"
kindsRegexp: "^clusterroles$"
resourceNames:
- "aks-operator"
- apiVersion: "rbac.authorization.k8s.io/v1"
kindsRegexp: "^clusterrolebindings$"
resourceNames:
- "aks-operator"
- apiVersion: "v1"
kindsRegexp: "^serviceaccounts$"
namespaces:
- "cattle-system"
resourceNames:
- "aks-operator"

17
charts/rancher-backup/102.0.2+up3.1.2/files/default-resourceset-contents/eks.yaml Normal file
View File

@ -0,0 +1,17 @@
- apiVersion: "eks.cattle.io/v1"
kindsRegexp: "."
- apiVersion: "apps/v1"
kindsRegexp: "^deployments$"
resourceNames:
- "eks-config-operator"
- apiVersion: "apiextensions.k8s.io/v1"
kindsRegexp: "."
resourceNameRegexp: "eks.cattle.io$"
- apiVersion: "rbac.authorization.k8s.io/v1"
kindsRegexp: "^clusterroles$"
resourceNames:
- "eks-operator"
- apiVersion: "rbac.authorization.k8s.io/v1"
kindsRegexp: "^clusterrolebindings$"
resourceNames:
- "eks-operator"

49
charts/rancher-backup/102.0.2+up3.1.2/files/default-resourceset-contents/elemental.yaml Normal file
View File

@ -0,0 +1,49 @@
- apiVersion: "apiextensions.k8s.io/v1"
kindsRegexp: "."
resourceNameRegexp: "elemental.cattle.io$"
- apiVersion: "apps/v1"
kindsRegexp: "^deployments$"
namespaces:
- "cattle-elemental-system"
resourceNames:
- "elemental-operator"
- apiVersion: "rbac.authorization.k8s.io/v1"
kindsRegexp: "^clusterroles$"
resourceNames:
- "elemental-operator"
- apiVersion: "rbac.authorization.k8s.io/v1"
kindsRegexp: "^clusterrolebindings$"
resourceNames:
- "elemental-operator"
- apiVersion: "v1"
kindsRegexp: "^serviceaccounts$"
namespaces:
- "cattle-elemental-system"
resourceNames:
- "elemental-operator"
- apiVersion: "management.cattle.io/v3"
kindsRegexp: "^globalrole$"
resourceNames:
- "elemental-operator"
- apiVersion: "management.cattle.io/v3"
kindsRegexp: "^apiservice$"
resourceNameRegexp: "elemental.cattle.io$"
- apiVersion: "elemental.cattle.io/v1beta1"
kindsRegexp: "."
namespaceRegexp: "^cattle-fleet-|^fleet-"
- apiVersion: "rbac.authorization.k8s.io/v1"
kindsRegexp: "^roles$|^rolebindings$"
labelSelectors:
matchExpressions:
- key: "elemental.cattle.io/managed"
operator: "In"
values: ["true"]
namespaceRegexp: "^cattle-fleet-|^fleet-"
- apiVersion: "v1"
kindsRegexp: "^secrets$|^serviceaccounts$"
labelSelectors:
matchExpressions:
- key: "elemental.cattle.io/managed"
operator: "In"
values: ["true"]
namespaceRegexp: "^cattle-fleet-|^fleet-"

53
charts/rancher-backup/102.0.2+up3.1.2/files/default-resourceset-contents/fleet.yaml Normal file
View File

@ -0,0 +1,53 @@
- apiVersion: "v1"
kindsRegexp: "^namespaces$"
resourceNameRegexp: "^fleet-"
- apiVersion: "v1"
kindsRegexp: "^secrets$"
namespaceRegexp: "^cattle-fleet-|^fleet-"
excludeResourceNameRegexp: "^import-token"
labelSelectors:
matchExpressions:
- key: "owner"
operator: "NotIn"
values: ["helm"]
- key: "fleet.cattle.io/managed"
operator: "In"
values: ["true"]
- apiVersion: "v1"
kindsRegexp: "^serviceaccounts$"
namespaceRegexp: "^cattle-fleet-|^fleet-"
excludeResourceNameRegexp: "^default$"
- apiVersion: "v1"
kindsRegexp: "^configmaps$"
namespaceRegexp: "^cattle-fleet-|^fleet-"
- apiVersion: "rbac.authorization.k8s.io/v1"
kindsRegexp: "^roles$|^rolebindings$"
namespaceRegexp: "^cattle-fleet-|^fleet-"
- apiVersion: "rbac.authorization.k8s.io/v1"
kindsRegexp: "^clusterrolebindings$"
resourceNameRegexp: "^fleet-|^gitjob-"
- apiVersion: "rbac.authorization.k8s.io/v1"
kindsRegexp: "^clusterroles$"
resourceNameRegexp: "^fleet-"
resourceNames:
- "gitjob"
- apiVersion: "apiextensions.k8s.io/v1"
kindsRegexp: "."
resourceNameRegexp: "fleet.cattle.io$|gitjob.cattle.io$"
- apiVersion: "fleet.cattle.io/v1alpha1"
kindsRegexp: "."
excludeKinds:
- "bundledeployments"
- apiVersion: "gitjob.cattle.io/v1"
kindsRegexp: "."
- apiVersion: "apps/v1"
kindsRegexp: "^deployments$"
namespaceRegexp: "^cattle-fleet-|^fleet-"
resourceNameRegexp: "^fleet-"
resourceNames:
- "gitjob"
- apiVersion: "apps/v1"
kindsRegexp: "^services$"
namespaceRegexp: "^cattle-fleet-|^fleet-"
resourceNames:
- "gitjob"

17
charts/rancher-backup/102.0.2+up3.1.2/files/default-resourceset-contents/gke.yaml Normal file
View File

@ -0,0 +1,17 @@
- apiVersion: "apiextensions.k8s.io/v1"
kindsRegexp: "."
resourceNameRegexp: "gke.cattle.io$"
- apiVersion: "gke.cattle.io/v1"
kindsRegexp: "."
- apiVersion: "apps/v1"
kindsRegexp: "^deployments$"
resourceNames:
- "gke-config-operator"
- apiVersion: "rbac.authorization.k8s.io/v1"
kindsRegexp: "^clusterroles$"
resourceNames:
- "gke-operator"
- apiVersion: "rbac.authorization.k8s.io/v1"
kindsRegexp: "^clusterrolebindings$"
resourceNames:
- "gke-operator"

23
charts/rancher-backup/102.0.2+up3.1.2/files/default-resourceset-contents/provisioningv2.yaml Normal file
View File

@ -0,0 +1,23 @@
- apiVersion: "apiextensions.k8s.io/v1"
kindsRegexp: "."
resourceNameRegexp: "provisioning.cattle.io$|rke-machine-config.cattle.io$|rke-machine.cattle.io$|rke.cattle.io$|cluster.x-k8s.io$"
- apiVersion: "provisioning.cattle.io/v1"
kindsRegexp: "."
- apiVersion: "rke-machine-config.cattle.io/v1"
kindsRegexp: "."
- apiVersion: "rke-machine.cattle.io/v1"
kindsRegexp: "."
- apiVersion: "rke.cattle.io/v1"
kindsRegexp: "."
- apiVersion: "cluster.x-k8s.io/v1beta1"
kindsRegexp: "."
- apiVersion: "v1"
kindsRegexp: "^secrets$"
resourceNameRegexp: "machine-plan$|rke-state$|machine-state$|machine-driver-secret$|machine-provision$|^harvesterconfig"
namespaces:
- "fleet-default"
- apiVersion: "v1"
kindsRegexp: "^configmaps$"
resourceNames:
- "provisioning-log"
namespaceRegexp: "^c-m-"

28
charts/rancher-backup/102.0.2+up3.1.2/files/default-resourceset-contents/rancher-operator.yaml Normal file
View File

@ -0,0 +1,28 @@
- apiVersion: "rancher.cattle.io/v1"
kindsRegexp: "."
- apiVersion: "apps/v1"
kindsRegexp: "^deployments$"
resourceNames:
- "rancher-operator"
namespaces:
- "rancher-operator-system"
- apiVersion: "v1"
kindsRegexp: "^serviceaccounts$"
namespaces:
- "rancher-operator-system"
excludeResourceNameRegexp: "^default$"
- apiVersion: "rbac.authorization.k8s.io/v1"
kindsRegexp: "^clusterrolebindings$"
resourceNames:
- "rancher-operator"
- apiVersion: "rbac.authorization.k8s.io/v1"
kindsRegexp: "^clusterroles$"
resourceNames:
- "rancher-operator"
- apiVersion: "apiextensions.k8s.io/v1"
kindsRegexp: "."
resourceNameRegexp: "rancher.cattle.io$"
- apiVersion: "v1"
kindsRegexp: "^namespaces$"
resourceNames:
- "rancher-operator-system"

65
charts/rancher-backup/102.0.2+up3.1.2/files/default-resourceset-contents/rancher.yaml Normal file
View File

@ -0,0 +1,65 @@
- apiVersion: "v1"
kindsRegexp: "^namespaces$"
resourceNameRegexp: "^cattle-|^p-|^c-|^user-|^u-"
resourceNames:
- "local"
- apiVersion: "v1"
kindsRegexp: "^secrets$"
namespaceRegexp: "^cattle-|^p-|^c-|^local$|^user-|^u-"
labelSelectors:
matchExpressions:
- key: "owner"
operator: "NotIn"
values: ["helm"]
excludeResourceNameRegexp: "^bootstrap-secret$|^rancher-csp-adapter|^csp-adapter-cache$"
- apiVersion: "v1"
kindsRegexp: "^serviceaccounts$"
namespaceRegexp: "^cattle-|^p-|^c-|^local$|^user-|^u-"
excludeResourceNameRegexp: "^default$|^rancher-csp-adapter$"
- apiVersion: "v1"
kindsRegexp: "^configmaps$"
namespaces:
- "cattle-system"
- apiVersion: "rbac.authorization.k8s.io/v1"
kindsRegexp: "^roles$|^rolebindings$"
namespaceRegexp: "^cattle-|^p-|^c-|^local$|^user-|^u-"
excludeResourceNameRegexp: "^rancher-csp-adapter"
- apiVersion: "rbac.authorization.k8s.io/v1"
kindsRegexp: "^clusterrolebindings$"
resourceNameRegexp: "^cattle-|^clusterrolebinding-|^globaladmin-user-|^grb-u-|^crb-"
- apiVersion: "rbac.authorization.k8s.io/v1"
kindsRegexp: "^clusterroles$"
resourceNameRegexp: "^cattle-|^p-|^c-|^local-|^user-|^u-|^project-|^create-ns$"
excludeResourceNameRegexp: "^rancher-csp-adapter-"
- apiVersion: "scheduling.k8s.io/v1"
kindsRegexp: "^priorityclasses$"
resourceNameRegexp: "^rancher-critical$"
- apiVersion: "apiextensions.k8s.io/v1"
kindsRegexp: "."
resourceNameRegexp: "management.cattle.io$|project.cattle.io$|catalog.cattle.io$|resources.cattle.io$"
- apiVersion: "management.cattle.io/v3"
kindsRegexp: "."
excludeKinds:
- "tokens"
- "rancherusernotifications"
- apiVersion: "management.cattle.io/v3"
kindsRegexp: "^tokens$"
labelSelectors:
matchExpressions:
- key: "authn.management.cattle.io/kind"
operator: "NotIn"
values: [ "provisioning" ]
- apiVersion: "project.cattle.io/v3"
kindsRegexp: "."
- apiVersion: "catalog.cattle.io/v1"
kindsRegexp: "^clusterrepos$"
- apiVersion: "resources.cattle.io/v1"
kindsRegexp: "^ResourceSet$"
- apiVersion: "v1"
kindsRegexp: "^secrets$"
namespaceRegexp: "^.*$"
labelSelectors:
matchExpressions:
- key: "resources.cattle.io/backup"
operator: "In"
values: ["true"]

87
charts/rancher-backup/102.0.2+up3.1.2/templates/_helpers.tpl Normal file
View File

@ -0,0 +1,87 @@
{{- define "system_default_registry" -}}
{{- if .Values.global.cattle.systemDefaultRegistry -}}
{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}}
{{- else -}}
{{- "" -}}
{{- end -}}
{{- end -}}
{{/*
Windows cluster will add default taint for linux nodes,
add below linux tolerations to workloads could be scheduled to those linux nodes
*/}}
{{- define "linux-node-tolerations" -}}
- key: "cattle.io/os"
value: "linux"
effect: "NoSchedule"
operator: "Equal"
{{- end -}}
{{- define "linux-node-selector" -}}
{{- if semverCompare "<1.14-0" .Capabilities.KubeVersion.GitVersion -}}
beta.kubernetes.io/os: linux
{{- else -}}
kubernetes.io/os: linux
{{- end -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
*/}}
{{- define "backupRestore.fullname" -}}
{{- .Chart.Name | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "backupRestore.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Common labels
*/}}
{{- define "backupRestore.labels" -}}
helm.sh/chart: {{ include "backupRestore.chart" . }}
{{ include "backupRestore.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "backupRestore.selectorLabels" -}}
app.kubernetes.io/name: {{ include "backupRestore.fullname" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
resources.cattle.io/operator: backup-restore
{{- end }}
{{/*
Create the name of the service account to use
*/}}
{{- define "backupRestore.serviceAccountName" -}}
{{ include "backupRestore.fullname" . }}
{{- end }}
{{- define "backupRestore.s3SecretName" -}}
{{- printf "%s-%s" .Chart.Name "s3" | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Create PVC name using release and revision number, unless a volumeName is given.
*/}}
{{- define "backupRestore.pvcName" -}}
{{- if and .Values.persistence.volumeName }}
{{- printf "%s" .Values.persistence.volumeName }}
{{- else -}}
{{- printf "%s-%d" .Release.Name .Release.Revision }}
{{- end }}
{{- end }}

14
charts/rancher-backup/102.0.2+up3.1.2/templates/clusterrolebinding.yaml Normal file
View File

@ -0,0 +1,14 @@
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ include "backupRestore.fullname" . }}
labels:
{{- include "backupRestore.labels" . | nindent 4 }}
subjects:
- kind: ServiceAccount
name: {{ include "backupRestore.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
roleRef:
kind: ClusterRole
name: cluster-admin
apiGroup: rbac.authorization.k8s.io

79
charts/rancher-backup/102.0.2+up3.1.2/templates/deployment.yaml Normal file
View File

@ -0,0 +1,79 @@
{{- if and .Values.s3.enabled .Values.persistence.enabled }}
{{- fail "\n\nCannot configure both s3 and PV for storing backups" }}
{{- end }}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "backupRestore.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "backupRestore.labels" . | nindent 4 }}
spec:
selector:
matchLabels:
{{- include "backupRestore.selectorLabels" . | nindent 6 }}
template:
metadata:
labels:
{{- include "backupRestore.selectorLabels" . | nindent 8 }}
annotations:
checksum/s3: {{ include (print $.Template.BasePath "/s3-secret.yaml") . | sha256sum }}
checksum/pvc: {{ include (print $.Template.BasePath "/pvc.yaml") . | sha256sum }}
spec:
serviceAccountName: {{ include "backupRestore.serviceAccountName" . }}
{{- if .Values.imagePullSecrets }}
imagePullSecrets:
{{ toYaml .Values.imagePullSecrets | indent 6 }}
{{- end }}
{{- if .Values.priorityClassName }}
priorityClassName: {{ .Values.priorityClassName }}
{{- end }}
containers:
- name: {{ .Chart.Name }}
image: {{ template "system_default_registry" . }}{{ .Values.image.repository }}:{{ .Values.image.tag }}
imagePullPolicy: {{ default "Always" .Values.imagePullPolicy }}
args:
{{- if .Values.debug }}
- "--debug"
{{- end }}
{{- if .Values.trace }}
- "--trace"
{{- end }}
env:
- name: CHART_NAMESPACE
value: {{ .Release.Namespace }}
{{- if .Values.s3.enabled }}
- name: DEFAULT_S3_BACKUP_STORAGE_LOCATION
value: {{ include "backupRestore.s3SecretName" . }}
{{- end }}
{{- if .Values.proxy }}
- name: HTTP_PROXY
value: {{ .Values.proxy }}
- name: HTTPS_PROXY
value: {{ .Values.proxy }}
- name: NO_PROXY
value: {{ .Values.noProxy }}
{{- end }}
{{- if .Values.persistence.enabled }}
- name: DEFAULT_PERSISTENCE_ENABLED
value: "persistence-enabled"
volumeMounts:
- mountPath: "/var/lib/backups"
name: pv-storage
volumes:
- name: pv-storage
persistentVolumeClaim:
claimName: {{ include "backupRestore.pvcName" . }}
{{- end }}
nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
{{- if .Values.nodeSelector }}
{{ toYaml .Values.nodeSelector | indent 8 }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
tolerations: {{ include "linux-node-tolerations" . | nindent 8 }}
{{- if .Values.tolerations }}
{{ toYaml .Values.tolerations | indent 8 }}
{{- end }}

124
charts/rancher-backup/102.0.2+up3.1.2/templates/hardened.yaml Normal file
View File

@ -0,0 +1,124 @@
apiVersion: batch/v1
kind: Job
metadata:
name: {{ include "backupRestore.fullname" . }}-patch-sa
namespace: {{ .Release.Namespace }}
labels: {{ include "backupRestore.labels" . | nindent 4 }}
annotations:
"helm.sh/hook": post-install, post-upgrade
"helm.sh/hook-delete-policy": hook-succeeded, before-hook-creation
spec:
backoffLimit: 1
template:
spec:
serviceAccountName: {{ include "backupRestore.fullname" . }}-patch-sa
securityContext:
runAsNonRoot: true
runAsUser: 1000
restartPolicy: Never
nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
{{- if .Values.nodeSelector }}
{{ toYaml .Values.nodeSelector | indent 8 }}
{{- end }}
tolerations: {{ include "linux-node-tolerations" . | nindent 8 }}
{{- if .Values.tolerations }}
{{ toYaml .Values.tolerations | indent 8 }}
{{- end }}
containers:
- name: {{ include "backupRestore.fullname" . }}-patch-sa
image: {{ include "system_default_registry" . }}{{ .Values.global.kubectl.repository }}:{{ .Values.global.kubectl.tag }}
imagePullPolicy: IfNotPresent
command: ["kubectl", "-n", {{ .Release.Namespace | quote }}, "patch", "serviceaccount", "default", "-p", "{\"automountServiceAccountToken\": false}"]
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "backupRestore.fullname" . }}-patch-sa
namespace: {{ .Release.Namespace }}
labels: {{ include "backupRestore.labels" . | nindent 4 }}
annotations:
"helm.sh/hook": post-install, post-upgrade
"helm.sh/hook-delete-policy": hook-succeeded, before-hook-creation
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ include "backupRestore.fullname" . }}-patch-sa
labels: {{ include "backupRestore.labels" . | nindent 4 }}
annotations:
"helm.sh/hook": post-install, post-upgrade
"helm.sh/hook-delete-policy": hook-succeeded, before-hook-creation
rules:
- apiGroups: [""]
resources: ["serviceaccounts"]
verbs: ["get", "patch"]
{{- if .Values.global.cattle.psp.enabled}}
- apiGroups: ["policy"]
resources: ["podsecuritypolicies"]
verbs: ["use"]
resourceNames:
- {{ include "backupRestore.fullname" . }}-patch-sa
{{- end}}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ include "backupRestore.fullname" . }}-patch-sa
labels: {{ include "backupRestore.labels" . | nindent 4 }}
annotations:
"helm.sh/hook": post-install, post-upgrade
"helm.sh/hook-delete-policy": hook-succeeded, before-hook-creation
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ include "backupRestore.fullname" . }}-patch-sa
subjects:
- kind: ServiceAccount
name: {{ include "backupRestore.fullname" . }}-patch-sa
namespace: {{ .Release.Namespace }}
---
{{- if .Values.global.cattle.psp.enabled}}
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: {{ include "backupRestore.fullname" . }}-patch-sa
labels: {{ include "backupRestore.labels" . | nindent 4 }}
annotations:
"helm.sh/hook": post-install, post-upgrade
"helm.sh/hook-delete-policy": hook-succeeded, before-hook-creation
spec:
privileged: false
hostNetwork: false
hostIPC: false
hostPID: false
runAsUser:
rule: 'MustRunAsNonRoot'
seLinux:
rule: 'RunAsAny'
supplementalGroups:
rule: 'MustRunAs'
ranges:
- min: 1
max: 65535
fsGroup:
rule: 'MustRunAs'
ranges:
- min: 1
max: 65535
readOnlyRootFilesystem: false
volumes:
- 'secret'
{{- end}}
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: {{ include "backupRestore.fullname" . }}-default-allow-all
namespace: {{ .Release.Namespace }}
spec:
podSelector: {}
egress:
- {}
policyTypes:
- Ingress
- Egress

31
charts/rancher-backup/102.0.2+up3.1.2/templates/psp.yaml Normal file
View File

@ -0,0 +1,31 @@
{{- if .Values.global.cattle.psp.enabled -}}
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: {{ include "backupRestore.fullname" . }}-psp
labels: {{ include "backupRestore.labels" . | nindent 4 }}
spec:
privileged: false
allowPrivilegeEscalation: false
hostNetwork: false
hostIPC: false
hostPID: false
runAsUser:
rule: 'MustRunAsNonRoot'
seLinux:
rule: 'RunAsAny'
supplementalGroups:
rule: 'MustRunAs'
ranges:
- min: 1
max: 65535
fsGroup:
rule: 'MustRunAs'
ranges:
- min: 1
max: 65535
readOnlyRootFilesystem: false
volumes:
- 'persistentVolumeClaim'
- 'secret'
{{- end -}}

27
charts/rancher-backup/102.0.2+up3.1.2/templates/pvc.yaml Normal file
View File

@ -0,0 +1,27 @@
{{- if and .Values.persistence.enabled -}}
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: {{ include "backupRestore.pvcName" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "backupRestore.labels" . | nindent 4 }}
spec:
accessModes:
- ReadWriteOnce
resources:
{{- with .Values.persistence }}
requests:
storage: {{ .size | quote }}
{{- if .storageClass }}
{{- if (eq "-" .storageClass) }}
storageClassName: ""
{{- else }}
storageClassName: {{ .storageClass | quote }}
{{- end }}
{{- end }}
{{- if .volumeName }}
volumeName: {{ .volumeName | quote }}
{{- end }}
{{- end }}
{{- end }}

13
charts/rancher-backup/102.0.2+up3.1.2/templates/rancher-resourceset.yaml Normal file
View File

@ -0,0 +1,13 @@
apiVersion: resources.cattle.io/v1
kind: ResourceSet
metadata:
name: rancher-resource-set
controllerReferences:
- apiVersion: "apps/v1"
resource: "deployments"
name: "rancher"
namespace: "cattle-system"
resourceSelectors:
{{- range $path, $_ := .Files.Glob "files/default-resourceset-contents/*.yaml" -}}
{{- $.Files.Get $path | nindent 2 -}}
{{- end -}}

31
charts/rancher-backup/102.0.2+up3.1.2/templates/s3-secret.yaml Normal file
View File

@ -0,0 +1,31 @@
{{- if .Values.s3.enabled -}}
apiVersion: v1
kind: Secret
metadata:
name: {{ include "backupRestore.s3SecretName" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "backupRestore.labels" . | nindent 4 }}
type: Opaque
stringData:
{{- with .Values.s3 }}
{{- if .credentialSecretName }}
credentialSecretName: {{ .credentialSecretName }}
credentialSecretNamespace: {{ required "When providing a Secret containing S3 credentials, a valid .Values.credentialSecretNamespace must be provided" .credentialSecretNamespace }}
{{- end }}
{{- if .region }}
region: {{ .region | quote }}
{{- end }}
bucketName: {{ required "A valid .Values.bucketName is required for configuring S3 compatible storage as the default backup storage location" .bucketName | quote }}
{{- if .folder }}
folder: {{ .folder | quote }}
{{- end }}
endpoint: {{ required "A valid .Values.endpoint is required for configuring S3 compatible storage as the default backup storage location" .endpoint | quote }}
{{- if .endpointCA }}
endpointCA: {{ .endpointCA }}
{{- end }}
{{- if .insecureTLSSkipVerify }}
insecureTLSSkipVerify: {{ .insecureTLSSkipVerify | quote }}
{{- end }}
{{- end }}
{{ end }}

11
charts/rancher-backup/102.0.2+up3.1.2/templates/serviceaccount.yaml Normal file
View File

@ -0,0 +1,11 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "backupRestore.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "backupRestore.labels" . | nindent 4 }}
{{- if .Values.serviceAccount.annotations }}
annotations:
{{- toYaml .Values.serviceAccount.annotations | nindent 4 }}
{{- end }}

16
charts/rancher-backup/102.0.2+up3.1.2/templates/validate-install-crd.yaml Normal file
View File

@ -0,0 +1,16 @@
#{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}}
# {{- $found := dict -}}
# {{- set $found "resources.cattle.io/v1/Backup" false -}}
# {{- set $found "resources.cattle.io/v1/ResourceSet" false -}}
# {{- set $found "resources.cattle.io/v1/Restore" false -}}
# {{- range .Capabilities.APIVersions -}}
# {{- if hasKey $found (toString .) -}}
# {{- set $found (toString .) true -}}
# {{- end -}}
# {{- end -}}
# {{- range $_, $exists := $found -}}
# {{- if (eq $exists false) -}}
# {{- required "Required CRDs are missing. Please install the corresponding CRD chart before installing this chart." "" -}}
# {{- end -}}
# {{- end -}}
#{{- end -}}

7
charts/rancher-backup/102.0.2+up3.1.2/templates/validate-psp-install.yaml Normal file
View File

@ -0,0 +1,7 @@
#{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}}
#{{- if .Values.global.cattle.psp.enabled }}
#{{- if not (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }}
#{{- fail "The target cluster does not have the PodSecurityPolicy API resource. Please disable PSPs in this chart before proceeding." -}}
#{{- end }}
#{{- end }}
#{{- end }}

216
charts/rancher-backup/102.0.2+up3.1.2/tests/deployment_test.yaml Normal file
View File

@ -0,0 +1,216 @@
suite: Test Deployment
templates:
- deployment.yaml
- s3-secret.yaml
- pvc.yaml
- _helpers.tpl
tests:
- it: should set name
template: deployment.yaml
asserts:
- equal:
path: metadata.name
value: "rancher-backup"
- it: should set namespace
template: deployment.yaml
asserts:
- equal:
path: metadata.namespace
value: "NAMESPACE"
- it: should set priorityClassName
set:
priorityClassName: "testClass"
template: deployment.yaml
asserts:
- equal:
path: spec.template.spec.priorityClassName
value: "testClass"
- it: should set default imagePullPolicy
template: deployment.yaml
asserts:
- equal:
path: spec.template.spec.containers[0].imagePullPolicy
value: "Always"
- it: should set imagePullPolicy
set:
imagePullPolicy: "IfNotPresent"
template: deployment.yaml
asserts:
- equal:
path: spec.template.spec.containers[0].imagePullPolicy
value: "IfNotPresent"
- it: should set debug loglevel
set:
debug: true
template: deployment.yaml
asserts:
- contains:
path: spec.template.spec.containers[0].args
content: "--debug"
- it: should set trace loglevel
set:
trace: true
template: deployment.yaml
asserts:
- contains:
path: spec.template.spec.containers[0].args
content: "--trace"
- it: should set proxy environment variables
set:
proxy: "https://127.0.0.1:3128"
template: deployment.yaml
asserts:
- contains:
path: spec.template.spec.containers[0].env
content:
name: HTTP_PROXY
value: "https://127.0.0.1:3128"
- contains:
path: spec.template.spec.containers[0].env
content:
name: HTTPS_PROXY
value: "https://127.0.0.1:3128"
- contains:
path: spec.template.spec.containers[0].env
content:
name: NO_PROXY
value: "127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,.svc,.cluster.local"
- it: should set proxy environment variables with modified noproxy
set:
proxy: "https://127.0.0.1:3128"
noProxy: "192.168.0.0/24"
template: deployment.yaml
asserts:
- contains:
path: spec.template.spec.containers[0].env
content:
name: NO_PROXY
value: "192.168.0.0/24"
- it: should set persistence variables
set:
persistence.enabled: true
template: deployment.yaml
asserts:
- contains:
path: spec.template.spec.containers[0].env
content:
name: DEFAULT_PERSISTENCE_ENABLED
value: "persistence-enabled"
- contains:
path: spec.template.spec.containers[0].volumeMounts
content:
mountPath: "/var/lib/backups"
name: "pv-storage"
- equal:
path: spec.template.spec.volumes[0].name
value: "pv-storage"
- equal:
path: spec.template.spec.volumes[0].persistentVolumeClaim
value:
claimName: RELEASE-NAME-0
- it: should set claim from custom static volumeName
set:
persistence.enabled: true
persistence.volumeName: "PREDEFINED-VOLUME"
persistence.storageClass: "PREDEFINED-STORAGECLASS"
persistence.size: "PREDIFINED-SAMEAS-PVSIZE"
template: deployment.yaml
asserts:
- contains:
path: spec.template.spec.containers[0].env
content:
name: DEFAULT_PERSISTENCE_ENABLED
value: "persistence-enabled"
- equal:
path: spec.template.spec.volumes[0].persistentVolumeClaim
value:
claimName: PREDEFINED-VOLUME
- it: should set private registry
template: deployment.yaml
set:
global.cattle.systemDefaultRegistry: "my.registry.local:3000"
asserts:
- matchRegex:
path: spec.template.spec.containers[0].image
pattern: ^my.registry.local:3000/rancher/backup-restore-operator:.*$
- it: should set nodeselector
template: deployment.yaml
asserts:
- equal:
path: spec.template.spec.nodeSelector
value:
kubernetes.io/os: linux
- it: should not set default affinity
template: deployment.yaml
asserts:
- isNull:
path: spec.template.spec.affinity
- it: should set custom affinity
template: deployment.yaml
set:
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: disktype
operator: In
values:
- ssd
asserts:
- equal:
path: spec.template.spec.affinity
value:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: disktype
operator: In
values:
- ssd
- it: should set tolerations
template: deployment.yaml
asserts:
- equal:
path: spec.template.spec.tolerations[0]
value:
key: "cattle.io/os"
value: "linux"
effect: "NoSchedule"
operator: "Equal"
- it: should set custom tolerations
template: deployment.yaml
set:
tolerations:
- key: "example-key"
operator: "Exists"
effect: "NoSchedule"
asserts:
- equal:
path: spec.template.spec.tolerations[0]
value:
key: "cattle.io/os"
value: "linux"
effect: "NoSchedule"
operator: "Equal"
- equal:
path: spec.template.spec.tolerations[1]
value:
key: "example-key"
operator: "Exists"
effect: "NoSchedule"
- it: should not set default imagePullSecrets
template: deployment.yaml
asserts:
- isNull:
path: spec.template.spec.imagePullSecrets
- it: should set imagePullSecrets
set:
imagePullSecrets:
- name: "pull-secret"
template: deployment.yaml
asserts:
- equal:
path: spec.template.spec.imagePullSecrets[0].name
value: "pull-secret"

102
charts/rancher-backup/102.0.2+up3.1.2/tests/pvc_test.yaml Normal file
View File

@ -0,0 +1,102 @@
suite: Test PVC
templates:
- pvc.yaml
- _helpers.tpl
tests:
- it: should set name
template: pvc.yaml
set:
persistence:
enabled: true
asserts:
- equal:
path: metadata.name
value: "RELEASE-NAME-0"
- it: should set namespace
template: pvc.yaml
set:
persistence:
enabled: true
asserts:
- equal:
path: metadata.namespace
value: "NAMESPACE"
- it: should set accessModes
template: pvc.yaml
set:
persistence:
enabled: true
asserts:
- equal:
path: spec.accessModes[0]
value: "ReadWriteOnce"
- it: should set size
template: pvc.yaml
set:
persistence:
enabled: true
asserts:
- equal:
path: spec.resources.requests.storage
value: "2Gi"
- it: should set size
template: pvc.yaml
set:
persistence:
enabled: true
size: "10Gi"
asserts:
- equal:
path: spec.resources.requests.storage
value: "10Gi"
- it: should not set volumeName
template: pvc.yaml
set:
persistence:
enabled: true
asserts:
- isNull:
path: spec.volumeName
- it: should set default storageClass
template: pvc.yaml
set:
persistence:
enabled: true
asserts:
- equal:
path: spec.storageClassName
value: ""
- it: should set custom storageClass
template: pvc.yaml
set:
persistence:
enabled: true
storageClass: "storage-class"
asserts:
- equal:
path: spec.storageClassName
value: "storage-class"
- it: should set custom volumeName
template: pvc.yaml
set:
persistence:
enabled: true
volumeName: "volume-name"
asserts:
- equal:
path: spec.volumeName
value: "volume-name"
- it: should set claim from custom static volumeName
set:
persistence.enabled: true
persistence.volumeName: "PREDEFINED-VOLUME"
persistence.storageClass: "PREDEFINED-STORAGECLASS"
persistence.size: "PREDEFINED-SAMEAS-PVSIZE"
template: pvc.yaml
asserts:
- equal:
path: spec.resources.requests.storage
value: "PREDEFINED-SAMEAS-PVSIZE"
- equal:
path: spec.storageClassName
value: "PREDEFINED-STORAGECLASS"

141
charts/rancher-backup/102.0.2+up3.1.2/tests/s3-secret_test.yaml Normal file
View File

@ -0,0 +1,141 @@
suite: Test S3 Secret
templates:
- s3-secret.yaml
- _helpers.tpl
tests:
- it: should set name
template: s3-secret.yaml
set:
s3:
enabled: true
bucketName: "yourbucket"
endpoint: "https://s3.amazonaws.com"
asserts:
- equal:
path: metadata.name
value: "rancher-backup-s3"
- it: should set namespace
template: s3-secret.yaml
set:
s3:
enabled: true
bucketName: "yourbucket"
endpoint: "https://s3.amazonaws.com"
asserts:
- equal:
path: metadata.namespace
value: "NAMESPACE"
- it: should not set credentialSecretName
template: s3-secret.yaml
set:
s3:
enabled: true
bucketName: "yourbucket"
endpoint: "https://s3.amazonaws.com"
asserts:
- isNull:
path: stringData.credentialSecretName
- it: should set credentialSecretName
template: s3-secret.yaml
set:
s3:
enabled: true
bucketName: "yourbucket"
endpoint: "https://s3.amazonaws.com"
credentialSecretName: "credential-secret-name"
credentialSecretNamespace: "credential-secret-namespace"
asserts:
- equal:
path: stringData.credentialSecretName
value: "credential-secret-name"
- equal:
path: stringData.credentialSecretNamespace
value: "credential-secret-namespace"
- it: should not set folder
template: s3-secret.yaml
set:
s3:
enabled: true
bucketName: "yourbucket"
endpoint: "https://s3.amazonaws.com"
asserts:
- isNull:
path: stringData.folder
- it: should set folder
template: s3-secret.yaml
set:
s3:
enabled: true
bucketName: "yourbucket"
endpoint: "https://s3.amazonaws.com"
folder: "myfolder"
asserts:
- equal:
path: stringData.folder
value: "myfolder"
- it: should not set region
template: s3-secret.yaml
set:
s3:
enabled: true
bucketName: "yourbucket"
endpoint: "https://s3.amazonaws.com"
asserts:
- isNull:
path: stringData.region
- it: should set region
template: s3-secret.yaml
set:
s3:
enabled: true
bucketName: "yourbucket"
endpoint: "https://s3.amazonaws.com"
region: "us-west-1"
asserts:
- equal:
path: stringData.region
value: "us-west-1"
- it: should not set endpointCA
template: s3-secret.yaml
set:
s3:
enabled: true
bucketName: "yourbucket"
endpoint: "https://s3.amazonaws.com"
asserts:
- isNull:
path: stringData.endpointCA
- it: should set endpointCA
template: s3-secret.yaml
set:
s3:
enabled: true
bucketName: "yourbucket"
endpoint: "https://s3.amazonaws.com"
endpointCA: "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURHakNDQWdLZ0F3SUJBZ0lKQUtpWFZpNEpBb0J5TUEwR0NTcUdTSWIzRFFFQkN3VUFNQkl4RURBT0JnTlYKQkFNTUIzUmxjM1F0WTJFd0hoY05NakF3T0RNd01UZ3lOVFE1V2hjTk1qQXhNREk1TVRneU5UUTVXakFTTVJBdwpEZ1lEVlFRRERBZDBaWE4wTFdOaE1JSUJJakFOQmdrcWhraUc5dzBCQVFFRkFBT0NBUThBTUlJQkNnS0NBUUVBCjA4dnV3Q2Y0SEhtR2Q2azVNTmozRW5NOG00T2RpS3czSGszd1NlOUlXQkwyVzY5WDZxenBhN2I2M3U2L05mMnkKSnZWNDVqeXplRFB6bFJycjlpbEpWaVZ1NFNqWlFjdG9jWmFCaVNsL0xDbEFDdkFaUlYvKzN0TFVTZSs1ZDY0QQpWcUhDQlZObU5xM3E3aVY0TE1aSVpRc3N6K0FxaU1Sd0pOMVVKQTZ6V0tUc2Yzc3ByQ0J2dWxJWmZsVXVETVAyCnRCTCt6cXZEc0pDdWlhNEEvU2JNT29tVmM2WnNtTGkwMjdub3dGRld3MnRpSkM5d0xMRE14NnJoVHQ4a3VvVHYKQXJpUjB4WktiRU45L1Uzb011eUVKbHZyck9YS2ZuUDUwbk8ycGNaQnZCb3pUTStYZnRvQ1d5UnhKUmI5cFNTRApKQjlmUEFtLzNZcFpMMGRKY2sxR1h3SURBUUFCbzNNd2NUQWRCZ05WSFE0RUZnUVU5NHU4WXlMdmE2MTJnT1pyCm44QnlFQ2NucVFjd1FnWURWUjBqQkRzd09ZQVU5NHU4WXlMdmE2MTJnT1pybjhCeUVDY25xUWVoRnFRVU1CSXgKRURBT0JnTlZCQU1NQjNSbGMzUXRZMkdDQ1FDb2wxWXVDUUtBY2pBTUJnTlZIUk1FQlRBREFRSC9NQTBHQ1NxRwpTSWIzRFFFQkN3VUFBNElCQVFER1JRZ1RtdzdVNXRQRHA5Q2psOXlLRW9Vd2pYWWM2UlAwdm1GSHpubXJ3dUVLCjFrTkVJNzhBTUw1MEpuS29CY0ljVDNEeGQ3TGdIbTNCRE5mVVh2anArNnZqaXhJYXR2UWhsSFNVaWIyZjJsSTkKVEMxNzVyNCtROFkzelc1RlFXSDdLK08vY3pJTGh5ei93aHRDUlFkQ29lS1dXZkFiby8wd0VSejZzNkhkVFJzNwpHcWlGNWZtWGp6S0lOcTBjMHRyZ0xtalNKd1hwSnU0ZnNGOEcyZUh4b2pOKzdJQ1FuSkg5cGRIRVpUQUtOL2ppCnIvem04RlZtd1kvdTBndEZneWVQY1ZWbXBqRm03Y0ZOSkc4Y2ZYd0QzcEFwVjhVOGNocTZGeFBHTkVvWFZnclMKY1VRMklaU0RJd1FFY3FvSzFKSGdCUWw2RXBaUVpWMW1DRklrdFBwSQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0t"
asserts:
- equal:
path: stringData.endpointCA
value: "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURHakNDQWdLZ0F3SUJBZ0lKQUtpWFZpNEpBb0J5TUEwR0NTcUdTSWIzRFFFQkN3VUFNQkl4RURBT0JnTlYKQkFNTUIzUmxjM1F0WTJFd0hoY05NakF3T0RNd01UZ3lOVFE1V2hjTk1qQXhNREk1TVRneU5UUTVXakFTTVJBdwpEZ1lEVlFRRERBZDBaWE4wTFdOaE1JSUJJakFOQmdrcWhraUc5dzBCQVFFRkFBT0NBUThBTUlJQkNnS0NBUUVBCjA4dnV3Q2Y0SEhtR2Q2azVNTmozRW5NOG00T2RpS3czSGszd1NlOUlXQkwyVzY5WDZxenBhN2I2M3U2L05mMnkKSnZWNDVqeXplRFB6bFJycjlpbEpWaVZ1NFNqWlFjdG9jWmFCaVNsL0xDbEFDdkFaUlYvKzN0TFVTZSs1ZDY0QQpWcUhDQlZObU5xM3E3aVY0TE1aSVpRc3N6K0FxaU1Sd0pOMVVKQTZ6V0tUc2Yzc3ByQ0J2dWxJWmZsVXVETVAyCnRCTCt6cXZEc0pDdWlhNEEvU2JNT29tVmM2WnNtTGkwMjdub3dGRld3MnRpSkM5d0xMRE14NnJoVHQ4a3VvVHYKQXJpUjB4WktiRU45L1Uzb011eUVKbHZyck9YS2ZuUDUwbk8ycGNaQnZCb3pUTStYZnRvQ1d5UnhKUmI5cFNTRApKQjlmUEFtLzNZcFpMMGRKY2sxR1h3SURBUUFCbzNNd2NUQWRCZ05WSFE0RUZnUVU5NHU4WXlMdmE2MTJnT1pyCm44QnlFQ2NucVFjd1FnWURWUjBqQkRzd09ZQVU5NHU4WXlMdmE2MTJnT1pybjhCeUVDY25xUWVoRnFRVU1CSXgKRURBT0JnTlZCQU1NQjNSbGMzUXRZMkdDQ1FDb2wxWXVDUUtBY2pBTUJnTlZIUk1FQlRBREFRSC9NQTBHQ1NxRwpTSWIzRFFFQkN3VUFBNElCQVFER1JRZ1RtdzdVNXRQRHA5Q2psOXlLRW9Vd2pYWWM2UlAwdm1GSHpubXJ3dUVLCjFrTkVJNzhBTUw1MEpuS29CY0ljVDNEeGQ3TGdIbTNCRE5mVVh2anArNnZqaXhJYXR2UWhsSFNVaWIyZjJsSTkKVEMxNzVyNCtROFkzelc1RlFXSDdLK08vY3pJTGh5ei93aHRDUlFkQ29lS1dXZkFiby8wd0VSejZzNkhkVFJzNwpHcWlGNWZtWGp6S0lOcTBjMHRyZ0xtalNKd1hwSnU0ZnNGOEcyZUh4b2pOKzdJQ1FuSkg5cGRIRVpUQUtOL2ppCnIvem04RlZtd1kvdTBndEZneWVQY1ZWbXBqRm03Y0ZOSkc4Y2ZYd0QzcEFwVjhVOGNocTZGeFBHTkVvWFZnclMKY1VRMklaU0RJd1FFY3FvSzFKSGdCUWw2RXBaUVpWMW1DRklrdFBwSQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0t"
- it: should not set insecureTLSSkipVerify
template: s3-secret.yaml
set:
s3:
enabled: true
bucketName: "yourbucket"
endpoint: "https://s3.amazonaws.com"
asserts:
- isNull:
path: stringData.insecureTLSSkipVerify
- it: should set insecureTLSSkipVerify
template: s3-secret.yaml
set:
s3:
enabled: true
bucketName: "yourbucket"
endpoint: "https://s3.amazonaws.com"
insecureTLSSkipVerify: "true"
asserts:
- equal:
path: stringData.insecureTLSSkipVerify
value: "true"

81
charts/rancher-backup/102.0.2+up3.1.2/values.yaml Normal file
View File

@ -0,0 +1,81 @@
image:
repository: rancher/backup-restore-operator
tag: v3.1.2
## Default s3 bucket for storing all backup files created by the backup-restore-operator
s3:
enabled: false
## credentialSecretName if set, should be the name of the Secret containing AWS credentials.
## To use IAM Role, don't set this field
credentialSecretName: ""
credentialSecretNamespace: ""
region: ""
bucketName: ""
folder: ""
endpoint: ""
endpointCA: ""
insecureTLSSkipVerify: false
## ref: http://kubernetes.io/docs/user-guide/persistent-volumes/
## If persistence is enabled, operator will create a PVC with mountPath /var/lib/backups
persistence:
enabled: false
## If defined, storageClassName: <storageClass>
## If set to "-", storageClassName: "", which disables dynamic provisioning
## If undefined (the default) or set to null, no storageClassName spec is
## set, choosing the default provisioner. (gp2 on AWS, standard on
## GKE, AWS & OpenStack).
## Refer https://kubernetes.io/docs/concepts/storage/persistent-volumes/#class-1
##
storageClass: "-"
## If you want to disable dynamic provisioning by setting storageClass to "-" above,
## and want to target a particular PV, provide name of the target volume
volumeName: ""
## Only certain StorageClasses allow resizing PVs; Refer https://kubernetes.io/blog/2018/07/12/resizing-persistent-volumes-using-kubernetes/
size: 2Gi
# Add log level flags to backup-restore
debug: false
trace: false
# http[s] proxy server passed to backup client
# proxy: http://<username>@<password>:<url>:<port>
# comma separated list of domains or ip addresses that will not use the proxy
noProxy: 127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,.svc,.cluster.local
global:
cattle:
systemDefaultRegistry: ""
psp:
enabled: false # PSP enablement should default to false
kubectl:
repository: rancher/kubectl
tag: v1.21.9
## Node labels for pod assignment
## Ref: https://kubernetes.io/docs/user-guide/node-selection/
##
nodeSelector: {}
## List of node taints to tolerate (requires Kubernetes >= 1.6)
tolerations: []
affinity: {}
serviceAccount:
annotations: {}
priorityClassName: ""
# Override imagePullPolicy for image
# options: Always, Never, IfNotPresent
# Defaults to Always
imagePullPolicy: "Always"
## Optional array of imagePullSecrets containing private registry credentials
## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
imagePullSecrets: []

26
charts/rancher-backup/103.0.0+up4.0.0/Chart.yaml Normal file
View File

@ -0,0 +1,26 @@
annotations:
catalog.cattle.io/auto-install: rancher-backup-crd=match
catalog.cattle.io/certified: rancher
catalog.cattle.io/display-name: Rancher Backups
catalog.cattle.io/kube-version: '>= 1.23.0-0 < 1.28.0-0'
catalog.cattle.io/namespace: cattle-resources-system
catalog.cattle.io/os: linux
catalog.cattle.io/permits-os: linux,windows
catalog.cattle.io/provides-gvr: resources.cattle.io.resourceset/v1
catalog.cattle.io/rancher-version: '>= 2.8.0-0 < 2.9.0-0'
catalog.cattle.io/release-name: rancher-backup
catalog.cattle.io/scope: management
catalog.cattle.io/type: cluster-tool
catalog.cattle.io/ui-component: rancher-backup
catalog.cattle.io/upstream-version: 2.1.1
apiVersion: v2
appVersion: 4.0.0
description: Provides ability to back up and restore the Rancher application running
on any Kubernetes cluster
icon: https://charts.rancher.io/assets/logos/backup-restore.svg
keywords:
- applications
- infrastructure
kubeVersion: '>= 1.23.0-0'
name: rancher-backup
version: 103.0.0+up4.0.0

79
charts/rancher-backup/103.0.0+up4.0.0/README.md Normal file
View File

@ -0,0 +1,79 @@
# Rancher Backup
This chart provides ability to back up and restore the Rancher application running on any Kubernetes cluster.
Refer [this](https://github.com/rancher/backup-restore-operator) repository for implementation details.
-----
### Get Repo Info
```bash
helm repo add rancher-chart https://charts.rancher.io
helm repo update
```
-----
### Install Chart
```bash
helm install rancher-backup-crd rancher-chart/rancher-backup-crd -n cattle-resources-system --create-namespace
helm install rancher-backup rancher-chart/rancher-backup -n cattle-resources-system
```
-----
### Configuration
The following table lists the configurable parameters of the rancher-backup chart and their default values:
| Parameter | Description | Default |
|----------|---------------|-------|
| image.repository | Container image repository | rancher/backup-restore-operator |
| image.tag | Container image tag | v0.1.0-rc1 |
| s3.enabled | Configure S3 compatible default storage location. Current version supports S3 and MinIO | false |
| s3.credentialSecretName | Name of the Secret containing S3 credentials. This is an optional field. Skip this field in order to use IAM Role authentication. The Secret must contain following two keys, `accessKey` and `secretKey` | "" |
| s3.credentialSecretNamespace | Namespace of the Secret containing S3 credentials. This can be any namespace. | "" |
| s3.region | Region of the S3 Bucket (Required for S3, not valid for MinIO) | "" |
| s3.bucketName | Name of the Bucket | "" |
| s3.folder | Base folder within the Bucket (optional) | "" |
| s3.endpoint | Endpoint for the S3 storage provider | "" |
| s3.endpointCA | Base64 encoded CA cert for the S3 storage provider (optional) | "" |
| s3.insecureTLSSkipVerify | Skip SSL verification | false |
| persistence.enabled | Configure a Persistent Volume as the default storage location. It accepts either a StorageClass name to create a PVC, or directly accepts the PV to use. The Persistent Volume is mounted at `/var/lib/backups` in the operator pod | false |
| persistence.storageClass | StorageClass to use for dynamically provisioning the Persistent Volume, which will be used for storing backups | "" |
| persistence.volumeName | Persistent Volume to use for storing backups | "" |
| persistence.size | Requested size of the Persistent Volume (Applicable when using dynamic provisioning) | "" |
| debug | Set debug flag for backup-restore deployment | false |
| trace | Set trace flag for backup-restore deployment | false |
| nodeSelector | https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector | {} |
| tolerations | https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration | [] |
| affinity | https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity | {} |
| serviceAccount.annotations | Annotations to apply to created service account | {} |
| global.cattle.psp.enabled | Enable or disable PSPs in the chart | false |
-----
### PSPs
We have added a configuration to the chart `values.yaml` which allows you to enable or disable PSPs to align with the PSP deprecation in Kubernetes `v1.25` and above.
-----
### CRDs
Refer [this](https://github.com/rancher/backup-restore-operator#crds) section for information on CRDs that this chart installs. Also refer [this](https://github.com/rancher/backup-restore-operator/tree/master/examples) folder containing sample manifests for the CRDs.
-----
### Upgrading Chart
```bash
helm upgrade rancher-backup-crd -n cattle-resources-system
helm upgrade rancher-backup -n cattle-resources-system
```
-----
### Uninstall Chart
```bash
helm uninstall rancher-backup -n cattle-resources-system
helm uninstall rancher-backup-crd -n cattle-resources-system
```

33
charts/rancher-backup/103.0.0+up4.0.0/app-readme.md Normal file
View File

@ -0,0 +1,33 @@
# Rancher Backup
This chart enables ability to capture backups of the Rancher application and restore from these backups. This chart can be used to migrate Rancher from one Kubernetes cluster to a different Kubernetes cluster.
For more information on how to use the feature, refer to our [docs](https://ranchermanager.docs.rancher.com/pages-for-subheaders/backup-restore-and-disaster-recovery).
This chart installs the following components:
- [backup-restore-operator](https://github.com/rancher/backup-restore-operator)
- The operator handles backing up all Kubernetes resources and CRDs that Rancher creates and manages from the local cluster. It gathers these resources by querying the Kubernetes API server, packages all the resources to create a tarball file and saves it in the configured backup storage location.
- The operator can be configured to store backups in S3-compatible object stores such as AWS S3 and MinIO, and in persistent volumes. During deployment, you can create a default storage location, but there is always the option to override the default storage location with each backup, but will be limited to using an S3-compatible object store.
- It preserves the ownerReferences on all resources, hence maintaining dependencies between objects.
- This operator provides encryption support, to encrypt user specified resources before saving them in the backup file. It uses the same encryption configuration that is used to enable [Kubernetes Encryption at Rest](https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/).
- Backup - A backup is a CRD (`Backup`) that defines when to take backups, where to store the backup and what encryption to use (optional). Backups can be taken ad hoc or scheduled to be taken in intervals.
- Restore - A restore is a CRD (`Restore`) that defines which backup to use to restore the Rancher application to.
## Upgrading to Kubernetes v1.25+
Starting in Kubernetes v1.25, [Pod Security Policies](https://kubernetes.io/docs/concepts/security/pod-security-policy/) have been removed from the Kubernetes API.
As a result, **before upgrading to Kubernetes v1.25** (or on a fresh install in a Kubernetes v1.25+ cluster), users are expected to perform an in-place upgrade of this chart with `global.cattle.psp.enabled` set to `false` if it has been previously set to `true`.
> **Note:**
> In this chart release, any previous field that was associated with any PSP resources have been removed in favor of a single global field: `global.cattle.psp.enabled`.
> **Note:**
> If you upgrade your cluster to Kubernetes v1.25+ before removing PSPs via a `helm upgrade` (even if you manually clean up resources), **it will leave the Helm release in a broken state within the cluster such that further Helm operations will not work (`helm uninstall`, `helm upgrade`, etc.).**
>
> If your charts get stuck in this state, please consult the Rancher docs on how to clean up your Helm release secrets.
Upon setting `global.cattle.psp.enabled` to false, the chart will remove any PSP resources deployed on its behalf from the cluster. This is the default setting for this chart.
As a replacement for PSPs, [Pod Security Admission](https://kubernetes.io/docs/concepts/security/pod-security-admission/) should be used. Please consult the Rancher docs for more details on how to configure your chart release namespaces to work with the new Pod Security Admission and apply Pod Security Standards.

25
charts/rancher-backup/103.0.0+up4.0.0/files/default-resourceset-contents/aks.yaml Normal file
View File

@ -0,0 +1,25 @@
- apiVersion: "apiextensions.k8s.io/v1"
kindsRegexp: "."
resourceNameRegexp: "aks.cattle.io$"
- apiVersion: "aks.cattle.io/v1"
kindsRegexp: "."
- apiVersion: "apps/v1"
kindsRegexp: "^deployments$"
namespaces:
- "cattle-system"
resourceNames:
- "aks-config-operator"
- apiVersion: "rbac.authorization.k8s.io/v1"
kindsRegexp: "^clusterroles$"
resourceNames:
- "aks-operator"
- apiVersion: "rbac.authorization.k8s.io/v1"
kindsRegexp: "^clusterrolebindings$"
resourceNames:
- "aks-operator"
- apiVersion: "v1"
kindsRegexp: "^serviceaccounts$"
namespaces:
- "cattle-system"
resourceNames:
- "aks-operator"

17
charts/rancher-backup/103.0.0+up4.0.0/files/default-resourceset-contents/eks.yaml Normal file
View File

@ -0,0 +1,17 @@
- apiVersion: "eks.cattle.io/v1"
kindsRegexp: "."
- apiVersion: "apps/v1"
kindsRegexp: "^deployments$"
resourceNames:
- "eks-config-operator"
- apiVersion: "apiextensions.k8s.io/v1"
kindsRegexp: "."
resourceNameRegexp: "eks.cattle.io$"
- apiVersion: "rbac.authorization.k8s.io/v1"
kindsRegexp: "^clusterroles$"
resourceNames:
- "eks-operator"
- apiVersion: "rbac.authorization.k8s.io/v1"
kindsRegexp: "^clusterrolebindings$"
resourceNames:
- "eks-operator"

49
charts/rancher-backup/103.0.0+up4.0.0/files/default-resourceset-contents/elemental.yaml Normal file
View File

@ -0,0 +1,49 @@
- apiVersion: "apiextensions.k8s.io/v1"
kindsRegexp: "."
resourceNameRegexp: "elemental.cattle.io$"
- apiVersion: "apps/v1"
kindsRegexp: "^deployments$"
namespaces:
- "cattle-elemental-system"
resourceNames:
- "elemental-operator"
- apiVersion: "rbac.authorization.k8s.io/v1"
kindsRegexp: "^clusterroles$"
resourceNames:
- "elemental-operator"
- apiVersion: "rbac.authorization.k8s.io/v1"
kindsRegexp: "^clusterrolebindings$"
resourceNames:
- "elemental-operator"
- apiVersion: "v1"
kindsRegexp: "^serviceaccounts$"
namespaces:
- "cattle-elemental-system"
resourceNames:
- "elemental-operator"
- apiVersion: "management.cattle.io/v3"
kindsRegexp: "^globalrole$"
resourceNames:
- "elemental-operator"
- apiVersion: "management.cattle.io/v3"
kindsRegexp: "^apiservice$"
resourceNameRegexp: "elemental.cattle.io$"
- apiVersion: "elemental.cattle.io/v1beta1"
kindsRegexp: "."
namespaceRegexp: "^cattle-fleet-|^fleet-"
- apiVersion: "rbac.authorization.k8s.io/v1"
kindsRegexp: "^roles$|^rolebindings$"
labelSelectors:
matchExpressions:
- key: "elemental.cattle.io/managed"
operator: "In"
values: ["true"]
namespaceRegexp: "^cattle-fleet-|^fleet-"
- apiVersion: "v1"
kindsRegexp: "^secrets$|^serviceaccounts$"
labelSelectors:
matchExpressions:
- key: "elemental.cattle.io/managed"
operator: "In"
values: ["true"]
namespaceRegexp: "^cattle-fleet-|^fleet-"

53
charts/rancher-backup/103.0.0+up4.0.0/files/default-resourceset-contents/fleet.yaml Normal file
View File

@ -0,0 +1,53 @@
- apiVersion: "v1"
kindsRegexp: "^namespaces$"
resourceNameRegexp: "^fleet-"
- apiVersion: "v1"
kindsRegexp: "^secrets$"
namespaceRegexp: "^cattle-fleet-|^fleet-"
excludeResourceNameRegexp: "^import-token"
labelSelectors:
matchExpressions:
- key: "owner"
operator: "NotIn"
values: ["helm"]
- key: "fleet.cattle.io/managed"
operator: "In"
values: ["true"]
- apiVersion: "v1"
kindsRegexp: "^serviceaccounts$"
namespaceRegexp: "^cattle-fleet-|^fleet-"
excludeResourceNameRegexp: "^default$"
- apiVersion: "v1"
kindsRegexp: "^configmaps$"
namespaceRegexp: "^cattle-fleet-|^fleet-"
- apiVersion: "rbac.authorization.k8s.io/v1"
kindsRegexp: "^roles$|^rolebindings$"
namespaceRegexp: "^cattle-fleet-|^fleet-"
- apiVersion: "rbac.authorization.k8s.io/v1"
kindsRegexp: "^clusterrolebindings$"
resourceNameRegexp: "^fleet-|^gitjob-"
- apiVersion: "rbac.authorization.k8s.io/v1"
kindsRegexp: "^clusterroles$"
resourceNameRegexp: "^fleet-"
resourceNames:
- "gitjob"
- apiVersion: "apiextensions.k8s.io/v1"
kindsRegexp: "."
resourceNameRegexp: "fleet.cattle.io$|gitjob.cattle.io$"
- apiVersion: "fleet.cattle.io/v1alpha1"
kindsRegexp: "."
excludeKinds:
- "bundledeployments"
- apiVersion: "gitjob.cattle.io/v1"
kindsRegexp: "."
- apiVersion: "apps/v1"
kindsRegexp: "^deployments$"
namespaceRegexp: "^cattle-fleet-|^fleet-"
resourceNameRegexp: "^fleet-"
resourceNames:
- "gitjob"
- apiVersion: "apps/v1"
kindsRegexp: "^services$"
namespaceRegexp: "^cattle-fleet-|^fleet-"
resourceNames:
- "gitjob"

17
charts/rancher-backup/103.0.0+up4.0.0/files/default-resourceset-contents/gke.yaml Normal file
View File

@ -0,0 +1,17 @@
- apiVersion: "apiextensions.k8s.io/v1"
kindsRegexp: "."
resourceNameRegexp: "gke.cattle.io$"
- apiVersion: "gke.cattle.io/v1"
kindsRegexp: "."
- apiVersion: "apps/v1"
kindsRegexp: "^deployments$"
resourceNames:
- "gke-config-operator"
- apiVersion: "rbac.authorization.k8s.io/v1"
kindsRegexp: "^clusterroles$"
resourceNames:
- "gke-operator"
- apiVersion: "rbac.authorization.k8s.io/v1"
kindsRegexp: "^clusterrolebindings$"
resourceNames:
- "gke-operator"

23
charts/rancher-backup/103.0.0+up4.0.0/files/default-resourceset-contents/provisioningv2.yaml Normal file
View File

@ -0,0 +1,23 @@
- apiVersion: "apiextensions.k8s.io/v1"
kindsRegexp: "."
resourceNameRegexp: "provisioning.cattle.io$|rke-machine-config.cattle.io$|rke-machine.cattle.io$|rke.cattle.io$|cluster.x-k8s.io$"
- apiVersion: "provisioning.cattle.io/v1"
kindsRegexp: "."
- apiVersion: "rke-machine-config.cattle.io/v1"
kindsRegexp: "."
- apiVersion: "rke-machine.cattle.io/v1"
kindsRegexp: "."
- apiVersion: "rke.cattle.io/v1"
kindsRegexp: "."
- apiVersion: "cluster.x-k8s.io/v1beta1"
kindsRegexp: "."
- apiVersion: "v1"
kindsRegexp: "^secrets$"
resourceNameRegexp: "machine-plan$|rke-state$|machine-state$|machine-driver-secret$|machine-provision$|^harvesterconfig"
namespaces:
- "fleet-default"
- apiVersion: "v1"
kindsRegexp: "^configmaps$"
resourceNames:
- "provisioning-log"
namespaceRegexp: "^c-m-"

28
charts/rancher-backup/103.0.0+up4.0.0/files/default-resourceset-contents/rancher-operator.yaml Normal file
View File

@ -0,0 +1,28 @@
- apiVersion: "rancher.cattle.io/v1"
kindsRegexp: "."
- apiVersion: "apps/v1"
kindsRegexp: "^deployments$"
resourceNames:
- "rancher-operator"
namespaces:
- "rancher-operator-system"
- apiVersion: "v1"
kindsRegexp: "^serviceaccounts$"
namespaces:
- "rancher-operator-system"
excludeResourceNameRegexp: "^default$"
- apiVersion: "rbac.authorization.k8s.io/v1"
kindsRegexp: "^clusterrolebindings$"
resourceNames:
- "rancher-operator"
- apiVersion: "rbac.authorization.k8s.io/v1"
kindsRegexp: "^clusterroles$"
resourceNames:
- "rancher-operator"
- apiVersion: "apiextensions.k8s.io/v1"
kindsRegexp: "."
resourceNameRegexp: "rancher.cattle.io$"
- apiVersion: "v1"
kindsRegexp: "^namespaces$"
resourceNames:
- "rancher-operator-system"

65
charts/rancher-backup/103.0.0+up4.0.0/files/default-resourceset-contents/rancher.yaml Normal file
View File

@ -0,0 +1,65 @@
- apiVersion: "v1"
kindsRegexp: "^namespaces$"
resourceNameRegexp: "^cattle-|^p-|^c-|^user-|^u-"
resourceNames:
- "local"
- apiVersion: "v1"
kindsRegexp: "^secrets$"
namespaceRegexp: "^cattle-|^p-|^c-|^local$|^user-|^u-"
labelSelectors:
matchExpressions:
- key: "owner"
operator: "NotIn"
values: ["helm"]
excludeResourceNameRegexp: "^bootstrap-secret$|^rancher-csp-adapter|^csp-adapter-cache$"
- apiVersion: "v1"
kindsRegexp: "^serviceaccounts$"
namespaceRegexp: "^cattle-|^p-|^c-|^local$|^user-|^u-"
excludeResourceNameRegexp: "^default$|^rancher-csp-adapter$"
- apiVersion: "v1"
kindsRegexp: "^configmaps$"
namespaces:
- "cattle-system"
- apiVersion: "rbac.authorization.k8s.io/v1"
kindsRegexp: "^roles$|^rolebindings$"
namespaceRegexp: "^cattle-|^p-|^c-|^local$|^user-|^u-"
excludeResourceNameRegexp: "^rancher-csp-adapter"
- apiVersion: "rbac.authorization.k8s.io/v1"
kindsRegexp: "^clusterrolebindings$"
resourceNameRegexp: "^cattle-|^clusterrolebinding-|^globaladmin-user-|^grb-u-|^crb-"
- apiVersion: "rbac.authorization.k8s.io/v1"
kindsRegexp: "^clusterroles$"
resourceNameRegexp: "^cattle-|^p-|^c-|^local-|^user-|^u-|^project-|^create-ns$"
excludeResourceNameRegexp: "^rancher-csp-adapter-"
- apiVersion: "scheduling.k8s.io/v1"
kindsRegexp: "^priorityclasses$"
resourceNameRegexp: "^rancher-critical$"
- apiVersion: "apiextensions.k8s.io/v1"
kindsRegexp: "."
resourceNameRegexp: "management.cattle.io$|project.cattle.io$|catalog.cattle.io$|resources.cattle.io$"
- apiVersion: "management.cattle.io/v3"
kindsRegexp: "."
excludeKinds:
- "tokens"
- "rancherusernotifications"
- apiVersion: "management.cattle.io/v3"
kindsRegexp: "^tokens$"
labelSelectors:
matchExpressions:
- key: "authn.management.cattle.io/kind"
operator: "NotIn"
values: [ "provisioning" ]
- apiVersion: "project.cattle.io/v3"
kindsRegexp: "."
- apiVersion: "catalog.cattle.io/v1"
kindsRegexp: "^clusterrepos$"
- apiVersion: "resources.cattle.io/v1"
kindsRegexp: "^ResourceSet$"
- apiVersion: "v1"
kindsRegexp: "^secrets$"
namespaceRegexp: "^.*$"
labelSelectors:
matchExpressions:
- key: "resources.cattle.io/backup"
operator: "In"
values: ["true"]

87
charts/rancher-backup/103.0.0+up4.0.0/templates/_helpers.tpl Normal file
View File

@ -0,0 +1,87 @@
{{- define "system_default_registry" -}}
{{- if .Values.global.cattle.systemDefaultRegistry -}}
{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}}
{{- else -}}
{{- "" -}}
{{- end -}}
{{- end -}}
{{/*
Windows cluster will add default taint for linux nodes,
add below linux tolerations to workloads could be scheduled to those linux nodes
*/}}
{{- define "linux-node-tolerations" -}}
- key: "cattle.io/os"
value: "linux"
effect: "NoSchedule"
operator: "Equal"
{{- end -}}
{{- define "linux-node-selector" -}}
{{- if semverCompare "<1.14-0" .Capabilities.KubeVersion.GitVersion -}}
beta.kubernetes.io/os: linux
{{- else -}}
kubernetes.io/os: linux
{{- end -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
*/}}
{{- define "backupRestore.fullname" -}}
{{- .Chart.Name | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "backupRestore.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Common labels
*/}}
{{- define "backupRestore.labels" -}}
helm.sh/chart: {{ include "backupRestore.chart" . }}
{{ include "backupRestore.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "backupRestore.selectorLabels" -}}
app.kubernetes.io/name: {{ include "backupRestore.fullname" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
resources.cattle.io/operator: backup-restore
{{- end }}
{{/*
Create the name of the service account to use
*/}}
{{- define "backupRestore.serviceAccountName" -}}
{{ include "backupRestore.fullname" . }}
{{- end }}
{{- define "backupRestore.s3SecretName" -}}
{{- printf "%s-%s" .Chart.Name "s3" | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Create PVC name using release and revision number, unless a volumeName is given.
*/}}
{{- define "backupRestore.pvcName" -}}
{{- if and .Values.persistence.volumeName }}
{{- printf "%s" .Values.persistence.volumeName }}
{{- else -}}
{{- printf "%s-%d" .Release.Name .Release.Revision }}
{{- end }}
{{- end }}

14
charts/rancher-backup/103.0.0+up4.0.0/templates/clusterrolebinding.yaml Normal file
View File

@ -0,0 +1,14 @@
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ include "backupRestore.fullname" . }}
labels:
{{- include "backupRestore.labels" . | nindent 4 }}
subjects:
- kind: ServiceAccount
name: {{ include "backupRestore.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
roleRef:
kind: ClusterRole
name: cluster-admin
apiGroup: rbac.authorization.k8s.io

79
charts/rancher-backup/103.0.0+up4.0.0/templates/deployment.yaml Normal file
View File

@ -0,0 +1,79 @@
{{- if and .Values.s3.enabled .Values.persistence.enabled }}
{{- fail "\n\nCannot configure both s3 and PV for storing backups" }}
{{- end }}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "backupRestore.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "backupRestore.labels" . | nindent 4 }}
spec:
selector:
matchLabels:
{{- include "backupRestore.selectorLabels" . | nindent 6 }}
template:
metadata:
labels:
{{- include "backupRestore.selectorLabels" . | nindent 8 }}
annotations:
checksum/s3: {{ include (print $.Template.BasePath "/s3-secret.yaml") . | sha256sum }}
checksum/pvc: {{ include (print $.Template.BasePath "/pvc.yaml") . | sha256sum }}
spec:
serviceAccountName: {{ include "backupRestore.serviceAccountName" . }}
{{- if .Values.imagePullSecrets }}
imagePullSecrets:
{{ toYaml .Values.imagePullSecrets | indent 6 }}
{{- end }}
{{- if .Values.priorityClassName }}
priorityClassName: {{ .Values.priorityClassName }}
{{- end }}
containers:
- name: {{ .Chart.Name }}
image: {{ template "system_default_registry" . }}{{ .Values.image.repository }}:{{ .Values.image.tag }}
imagePullPolicy: {{ default "Always" .Values.imagePullPolicy }}
args:
{{- if .Values.debug }}
- "--debug"
{{- end }}
{{- if .Values.trace }}
- "--trace"
{{- end }}
env:
- name: CHART_NAMESPACE
value: {{ .Release.Namespace }}
{{- if .Values.s3.enabled }}
- name: DEFAULT_S3_BACKUP_STORAGE_LOCATION
value: {{ include "backupRestore.s3SecretName" . }}
{{- end }}
{{- if .Values.proxy }}
- name: HTTP_PROXY
value: {{ .Values.proxy }}
- name: HTTPS_PROXY
value: {{ .Values.proxy }}
- name: NO_PROXY
value: {{ .Values.noProxy }}
{{- end }}
{{- if .Values.persistence.enabled }}
- name: DEFAULT_PERSISTENCE_ENABLED
value: "persistence-enabled"
volumeMounts:
- mountPath: "/var/lib/backups"
name: pv-storage
volumes:
- name: pv-storage
persistentVolumeClaim:
claimName: {{ include "backupRestore.pvcName" . }}
{{- end }}
nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
{{- if .Values.nodeSelector }}
{{ toYaml .Values.nodeSelector | indent 8 }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
tolerations: {{ include "linux-node-tolerations" . | nindent 8 }}
{{- if .Values.tolerations }}
{{ toYaml .Values.tolerations | indent 8 }}
{{- end }}

124
charts/rancher-backup/103.0.0+up4.0.0/templates/hardened.yaml Normal file
View File

@ -0,0 +1,124 @@
apiVersion: batch/v1
kind: Job
metadata:
name: {{ include "backupRestore.fullname" . }}-patch-sa
namespace: {{ .Release.Namespace }}
labels: {{ include "backupRestore.labels" . | nindent 4 }}
annotations:
"helm.sh/hook": post-install, post-upgrade
"helm.sh/hook-delete-policy": hook-succeeded, before-hook-creation
spec:
backoffLimit: 1
template:
spec:
serviceAccountName: {{ include "backupRestore.fullname" . }}-patch-sa
securityContext:
runAsNonRoot: true
runAsUser: 1000
restartPolicy: Never
nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
{{- if .Values.nodeSelector }}
{{ toYaml .Values.nodeSelector | indent 8 }}
{{- end }}
tolerations: {{ include "linux-node-tolerations" . | nindent 8 }}
{{- if .Values.tolerations }}
{{ toYaml .Values.tolerations | indent 8 }}
{{- end }}
containers:
- name: {{ include "backupRestore.fullname" . }}-patch-sa
image: {{ include "system_default_registry" . }}{{ .Values.global.kubectl.repository }}:{{ .Values.global.kubectl.tag }}
imagePullPolicy: IfNotPresent
command: ["kubectl", "-n", {{ .Release.Namespace | quote }}, "patch", "serviceaccount", "default", "-p", "{\"automountServiceAccountToken\": false}"]
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "backupRestore.fullname" . }}-patch-sa
namespace: {{ .Release.Namespace }}
labels: {{ include "backupRestore.labels" . | nindent 4 }}
annotations:
"helm.sh/hook": post-install, post-upgrade
"helm.sh/hook-delete-policy": hook-succeeded, before-hook-creation
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ include "backupRestore.fullname" . }}-patch-sa
labels: {{ include "backupRestore.labels" . | nindent 4 }}
annotations:
"helm.sh/hook": post-install, post-upgrade
"helm.sh/hook-delete-policy": hook-succeeded, before-hook-creation
rules:
- apiGroups: [""]
resources: ["serviceaccounts"]
verbs: ["get", "patch"]
{{- if .Values.global.cattle.psp.enabled}}
- apiGroups: ["policy"]
resources: ["podsecuritypolicies"]
verbs: ["use"]
resourceNames:
- {{ include "backupRestore.fullname" . }}-patch-sa
{{- end}}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ include "backupRestore.fullname" . }}-patch-sa
labels: {{ include "backupRestore.labels" . | nindent 4 }}
annotations:
"helm.sh/hook": post-install, post-upgrade
"helm.sh/hook-delete-policy": hook-succeeded, before-hook-creation
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ include "backupRestore.fullname" . }}-patch-sa
subjects:
- kind: ServiceAccount
name: {{ include "backupRestore.fullname" . }}-patch-sa
namespace: {{ .Release.Namespace }}
---
{{- if .Values.global.cattle.psp.enabled}}
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: {{ include "backupRestore.fullname" . }}-patch-sa
labels: {{ include "backupRestore.labels" . | nindent 4 }}
annotations:
"helm.sh/hook": post-install, post-upgrade
"helm.sh/hook-delete-policy": hook-succeeded, before-hook-creation
spec:
privileged: false
hostNetwork: false
hostIPC: false
hostPID: false
runAsUser:
rule: 'MustRunAsNonRoot'
seLinux:
rule: 'RunAsAny'
supplementalGroups:
rule: 'MustRunAs'
ranges:
- min: 1
max: 65535
fsGroup:
rule: 'MustRunAs'
ranges:
- min: 1
max: 65535
readOnlyRootFilesystem: false
volumes:
- 'secret'
{{- end}}
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: {{ include "backupRestore.fullname" . }}-default-allow-all
namespace: {{ .Release.Namespace }}
spec:
podSelector: {}
egress:
- {}
policyTypes:
- Ingress
- Egress

31
charts/rancher-backup/103.0.0+up4.0.0/templates/psp.yaml Normal file
View File

@ -0,0 +1,31 @@
{{- if .Values.global.cattle.psp.enabled -}}
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: {{ include "backupRestore.fullname" . }}-psp
labels: {{ include "backupRestore.labels" . | nindent 4 }}
spec:
privileged: false
allowPrivilegeEscalation: false
hostNetwork: false
hostIPC: false
hostPID: false
runAsUser:
rule: 'MustRunAsNonRoot'
seLinux:
rule: 'RunAsAny'
supplementalGroups:
rule: 'MustRunAs'
ranges:
- min: 1
max: 65535
fsGroup:
rule: 'MustRunAs'
ranges:
- min: 1
max: 65535
readOnlyRootFilesystem: false
volumes:
- 'persistentVolumeClaim'
- 'secret'
{{- end -}}

27
charts/rancher-backup/103.0.0+up4.0.0/templates/pvc.yaml Normal file
View File

@ -0,0 +1,27 @@
{{- if and .Values.persistence.enabled -}}
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: {{ include "backupRestore.pvcName" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "backupRestore.labels" . | nindent 4 }}
spec:
accessModes:
- ReadWriteOnce
resources:
{{- with .Values.persistence }}
requests:
storage: {{ .size | quote }}
{{- if .storageClass }}
{{- if (eq "-" .storageClass) }}
storageClassName: ""
{{- else }}
storageClassName: {{ .storageClass | quote }}
{{- end }}
{{- end }}
{{- if .volumeName }}
volumeName: {{ .volumeName | quote }}
{{- end }}
{{- end }}
{{- end }}

13
charts/rancher-backup/103.0.0+up4.0.0/templates/rancher-resourceset.yaml Normal file
View File

@ -0,0 +1,13 @@
apiVersion: resources.cattle.io/v1
kind: ResourceSet
metadata:
name: rancher-resource-set
controllerReferences:
- apiVersion: "apps/v1"
resource: "deployments"
name: "rancher"
namespace: "cattle-system"
resourceSelectors:
{{- range $path, $_ := .Files.Glob "files/default-resourceset-contents/*.yaml" -}}
{{- $.Files.Get $path | nindent 2 -}}
{{- end -}}

31
charts/rancher-backup/103.0.0+up4.0.0/templates/s3-secret.yaml Normal file
View File

@ -0,0 +1,31 @@
{{- if .Values.s3.enabled -}}
apiVersion: v1
kind: Secret
metadata:
name: {{ include "backupRestore.s3SecretName" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "backupRestore.labels" . | nindent 4 }}
type: Opaque
stringData:
{{- with .Values.s3 }}
{{- if .credentialSecretName }}
credentialSecretName: {{ .credentialSecretName }}
credentialSecretNamespace: {{ required "When providing a Secret containing S3 credentials, a valid .Values.credentialSecretNamespace must be provided" .credentialSecretNamespace }}
{{- end }}
{{- if .region }}
region: {{ .region | quote }}
{{- end }}
bucketName: {{ required "A valid .Values.bucketName is required for configuring S3 compatible storage as the default backup storage location" .bucketName | quote }}
{{- if .folder }}
folder: {{ .folder | quote }}
{{- end }}
endpoint: {{ required "A valid .Values.endpoint is required for configuring S3 compatible storage as the default backup storage location" .endpoint | quote }}
{{- if .endpointCA }}
endpointCA: {{ .endpointCA }}
{{- end }}
{{- if .insecureTLSSkipVerify }}
insecureTLSSkipVerify: {{ .insecureTLSSkipVerify | quote }}
{{- end }}
{{- end }}
{{ end }}

11
charts/rancher-backup/103.0.0+up4.0.0/templates/serviceaccount.yaml Normal file
View File

@ -0,0 +1,11 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "backupRestore.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "backupRestore.labels" . | nindent 4 }}
{{- if .Values.serviceAccount.annotations }}
annotations:
{{- toYaml .Values.serviceAccount.annotations | nindent 4 }}
{{- end }}

16
charts/rancher-backup/103.0.0+up4.0.0/templates/validate-install-crd.yaml Normal file
View File

@ -0,0 +1,16 @@
#{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}}
# {{- $found := dict -}}
# {{- set $found "resources.cattle.io/v1/Backup" false -}}
# {{- set $found "resources.cattle.io/v1/ResourceSet" false -}}
# {{- set $found "resources.cattle.io/v1/Restore" false -}}
# {{- range .Capabilities.APIVersions -}}
# {{- if hasKey $found (toString .) -}}
# {{- set $found (toString .) true -}}
# {{- end -}}
# {{- end -}}
# {{- range $_, $exists := $found -}}
# {{- if (eq $exists false) -}}
# {{- required "Required CRDs are missing. Please install the corresponding CRD chart before installing this chart." "" -}}
# {{- end -}}
# {{- end -}}
#{{- end -}}

7
charts/rancher-backup/103.0.0+up4.0.0/templates/validate-psp-install.yaml Normal file
View File

@ -0,0 +1,7 @@
#{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}}
#{{- if .Values.global.cattle.psp.enabled }}
#{{- if not (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }}
#{{- fail "The target cluster does not have the PodSecurityPolicy API resource. Please disable PSPs in this chart before proceeding." -}}
#{{- end }}
#{{- end }}
#{{- end }}

216
charts/rancher-backup/103.0.0+up4.0.0/tests/deployment_test.yaml Normal file
View File

@ -0,0 +1,216 @@
suite: Test Deployment
templates:
- deployment.yaml
- s3-secret.yaml
- pvc.yaml
- _helpers.tpl
tests:
- it: should set name
template: deployment.yaml
asserts:
- equal:
path: metadata.name
value: "rancher-backup"
- it: should set namespace
template: deployment.yaml
asserts:
- equal:
path: metadata.namespace
value: "NAMESPACE"
- it: should set priorityClassName
set:
priorityClassName: "testClass"
template: deployment.yaml
asserts:
- equal:
path: spec.template.spec.priorityClassName
value: "testClass"
- it: should set default imagePullPolicy
template: deployment.yaml
asserts:
- equal:
path: spec.template.spec.containers[0].imagePullPolicy
value: "Always"
- it: should set imagePullPolicy
set:
imagePullPolicy: "IfNotPresent"
template: deployment.yaml
asserts:
- equal:
path: spec.template.spec.containers[0].imagePullPolicy
value: "IfNotPresent"
- it: should set debug loglevel
set:
debug: true
template: deployment.yaml
asserts:
- contains:
path: spec.template.spec.containers[0].args
content: "--debug"
- it: should set trace loglevel
set:
trace: true
template: deployment.yaml
asserts:
- contains:
path: spec.template.spec.containers[0].args
content: "--trace"
- it: should set proxy environment variables
set:
proxy: "https://127.0.0.1:3128"
template: deployment.yaml
asserts:
- contains:
path: spec.template.spec.containers[0].env
content:
name: HTTP_PROXY
value: "https://127.0.0.1:3128"
- contains:
path: spec.template.spec.containers[0].env
content:
name: HTTPS_PROXY
value: "https://127.0.0.1:3128"
- contains:
path: spec.template.spec.containers[0].env
content:
name: NO_PROXY
value: "127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,.svc,.cluster.local"
- it: should set proxy environment variables with modified noproxy
set:
proxy: "https://127.0.0.1:3128"
noProxy: "192.168.0.0/24"
template: deployment.yaml
asserts:
- contains:
path: spec.template.spec.containers[0].env
content:
name: NO_PROXY
value: "192.168.0.0/24"
- it: should set persistence variables
set:
persistence.enabled: true
template: deployment.yaml
asserts:
- contains:
path: spec.template.spec.containers[0].env
content:
name: DEFAULT_PERSISTENCE_ENABLED
value: "persistence-enabled"
- contains:
path: spec.template.spec.containers[0].volumeMounts
content:
mountPath: "/var/lib/backups"
name: "pv-storage"
- equal:
path: spec.template.spec.volumes[0].name
value: "pv-storage"
- equal:
path: spec.template.spec.volumes[0].persistentVolumeClaim
value:
claimName: RELEASE-NAME-0
- it: should set claim from custom static volumeName
set:
persistence.enabled: true
persistence.volumeName: "PREDEFINED-VOLUME"
persistence.storageClass: "PREDEFINED-STORAGECLASS"
persistence.size: "PREDIFINED-SAMEAS-PVSIZE"
template: deployment.yaml
asserts:
- contains:
path: spec.template.spec.containers[0].env
content:
name: DEFAULT_PERSISTENCE_ENABLED
value: "persistence-enabled"
- equal:
path: spec.template.spec.volumes[0].persistentVolumeClaim
value:
claimName: PREDEFINED-VOLUME
- it: should set private registry
template: deployment.yaml
set:
global.cattle.systemDefaultRegistry: "my.registry.local:3000"
asserts:
- matchRegex:
path: spec.template.spec.containers[0].image
pattern: ^my.registry.local:3000/rancher/backup-restore-operator:.*$
- it: should set nodeselector
template: deployment.yaml
asserts:
- equal:
path: spec.template.spec.nodeSelector
value:
kubernetes.io/os: linux
- it: should not set default affinity
template: deployment.yaml
asserts:
- isNull:
path: spec.template.spec.affinity
- it: should set custom affinity
template: deployment.yaml
set:
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: disktype
operator: In
values:
- ssd
asserts:
- equal:
path: spec.template.spec.affinity
value:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: disktype
operator: In
values:
- ssd
- it: should set tolerations
template: deployment.yaml
asserts:
- equal:
path: spec.template.spec.tolerations[0]
value:
key: "cattle.io/os"
value: "linux"
effect: "NoSchedule"
operator: "Equal"
- it: should set custom tolerations
template: deployment.yaml
set:
tolerations:
- key: "example-key"
operator: "Exists"
effect: "NoSchedule"
asserts:
- equal:
path: spec.template.spec.tolerations[0]
value:
key: "cattle.io/os"
value: "linux"
effect: "NoSchedule"
operator: "Equal"
- equal:
path: spec.template.spec.tolerations[1]
value:
key: "example-key"
operator: "Exists"
effect: "NoSchedule"
- it: should not set default imagePullSecrets
template: deployment.yaml
asserts:
- isNull:
path: spec.template.spec.imagePullSecrets
- it: should set imagePullSecrets
set:
imagePullSecrets:
- name: "pull-secret"
template: deployment.yaml
asserts:
- equal:
path: spec.template.spec.imagePullSecrets[0].name
value: "pull-secret"

102
charts/rancher-backup/103.0.0+up4.0.0/tests/pvc_test.yaml Normal file
View File

@ -0,0 +1,102 @@
suite: Test PVC
templates:
- pvc.yaml
- _helpers.tpl
tests:
- it: should set name
template: pvc.yaml
set:
persistence:
enabled: true
asserts:
- equal:
path: metadata.name
value: "RELEASE-NAME-0"
- it: should set namespace
template: pvc.yaml
set:
persistence:
enabled: true
asserts:
- equal:
path: metadata.namespace
value: "NAMESPACE"
- it: should set accessModes
template: pvc.yaml
set:
persistence:
enabled: true
asserts:
- equal:
path: spec.accessModes[0]
value: "ReadWriteOnce"
- it: should set size
template: pvc.yaml
set:
persistence:
enabled: true
asserts:
- equal:
path: spec.resources.requests.storage
value: "2Gi"
- it: should set size
template: pvc.yaml
set:
persistence:
enabled: true
size: "10Gi"
asserts:
- equal:
path: spec.resources.requests.storage
value: "10Gi"
- it: should not set volumeName
template: pvc.yaml
set:
persistence:
enabled: true
asserts:
- isNull:
path: spec.volumeName
- it: should set default storageClass
template: pvc.yaml
set:
persistence:
enabled: true
asserts:
- equal:
path: spec.storageClassName
value: ""
- it: should set custom storageClass
template: pvc.yaml
set:
persistence:
enabled: true
storageClass: "storage-class"
asserts:
- equal:
path: spec.storageClassName
value: "storage-class"
- it: should set custom volumeName
template: pvc.yaml
set:
persistence:
enabled: true
volumeName: "volume-name"
asserts:
- equal:
path: spec.volumeName
value: "volume-name"
- it: should set claim from custom static volumeName
set:
persistence.enabled: true
persistence.volumeName: "PREDEFINED-VOLUME"
persistence.storageClass: "PREDEFINED-STORAGECLASS"
persistence.size: "PREDEFINED-SAMEAS-PVSIZE"
template: pvc.yaml
asserts:
- equal:
path: spec.resources.requests.storage
value: "PREDEFINED-SAMEAS-PVSIZE"
- equal:
path: spec.storageClassName
value: "PREDEFINED-STORAGECLASS"

141
charts/rancher-backup/103.0.0+up4.0.0/tests/s3-secret_test.yaml Normal file
View File

@ -0,0 +1,141 @@
suite: Test S3 Secret
templates:
- s3-secret.yaml
- _helpers.tpl
tests:
- it: should set name
template: s3-secret.yaml
set:
s3:
enabled: true
bucketName: "yourbucket"
endpoint: "https://s3.amazonaws.com"
asserts:
- equal:
path: metadata.name
value: "rancher-backup-s3"
- it: should set namespace
template: s3-secret.yaml
set:
s3:
enabled: true
bucketName: "yourbucket"
endpoint: "https://s3.amazonaws.com"
asserts:
- equal:
path: metadata.namespace
value: "NAMESPACE"
- it: should not set credentialSecretName
template: s3-secret.yaml
set:
s3:
enabled: true
bucketName: "yourbucket"
endpoint: "https://s3.amazonaws.com"
asserts:
- isNull:
path: stringData.credentialSecretName
- it: should set credentialSecretName
template: s3-secret.yaml
set:
s3:
enabled: true
bucketName: "yourbucket"
endpoint: "https://s3.amazonaws.com"
credentialSecretName: "credential-secret-name"
credentialSecretNamespace: "credential-secret-namespace"
asserts:
- equal:
path: stringData.credentialSecretName
value: "credential-secret-name"
- equal:
path: stringData.credentialSecretNamespace
value: "credential-secret-namespace"
- it: should not set folder
template: s3-secret.yaml
set:
s3:
enabled: true
bucketName: "yourbucket"
endpoint: "https://s3.amazonaws.com"
asserts:
- isNull:
path: stringData.folder
- it: should set folder
template: s3-secret.yaml
set:
s3:
enabled: true
bucketName: "yourbucket"
endpoint: "https://s3.amazonaws.com"
folder: "myfolder"
asserts:
- equal:
path: stringData.folder
value: "myfolder"
- it: should not set region
template: s3-secret.yaml
set:
s3:
enabled: true
bucketName: "yourbucket"
endpoint: "https://s3.amazonaws.com"
asserts:
- isNull:
path: stringData.region
- it: should set region
template: s3-secret.yaml
set:
s3:
enabled: true
bucketName: "yourbucket"
endpoint: "https://s3.amazonaws.com"
region: "us-west-1"
asserts:
- equal:
path: stringData.region
value: "us-west-1"
- it: should not set endpointCA
template: s3-secret.yaml
set:
s3:
enabled: true
bucketName: "yourbucket"
endpoint: "https://s3.amazonaws.com"
asserts:
- isNull:
path: stringData.endpointCA
- it: should set endpointCA
template: s3-secret.yaml
set:
s3:
enabled: true
bucketName: "yourbucket"
endpoint: "https://s3.amazonaws.com"
endpointCA: "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURHakNDQWdLZ0F3SUJBZ0lKQUtpWFZpNEpBb0J5TUEwR0NTcUdTSWIzRFFFQkN3VUFNQkl4RURBT0JnTlYKQkFNTUIzUmxjM1F0WTJFd0hoY05NakF3T0RNd01UZ3lOVFE1V2hjTk1qQXhNREk1TVRneU5UUTVXakFTTVJBdwpEZ1lEVlFRRERBZDBaWE4wTFdOaE1JSUJJakFOQmdrcWhraUc5dzBCQVFFRkFBT0NBUThBTUlJQkNnS0NBUUVBCjA4dnV3Q2Y0SEhtR2Q2azVNTmozRW5NOG00T2RpS3czSGszd1NlOUlXQkwyVzY5WDZxenBhN2I2M3U2L05mMnkKSnZWNDVqeXplRFB6bFJycjlpbEpWaVZ1NFNqWlFjdG9jWmFCaVNsL0xDbEFDdkFaUlYvKzN0TFVTZSs1ZDY0QQpWcUhDQlZObU5xM3E3aVY0TE1aSVpRc3N6K0FxaU1Sd0pOMVVKQTZ6V0tUc2Yzc3ByQ0J2dWxJWmZsVXVETVAyCnRCTCt6cXZEc0pDdWlhNEEvU2JNT29tVmM2WnNtTGkwMjdub3dGRld3MnRpSkM5d0xMRE14NnJoVHQ4a3VvVHYKQXJpUjB4WktiRU45L1Uzb011eUVKbHZyck9YS2ZuUDUwbk8ycGNaQnZCb3pUTStYZnRvQ1d5UnhKUmI5cFNTRApKQjlmUEFtLzNZcFpMMGRKY2sxR1h3SURBUUFCbzNNd2NUQWRCZ05WSFE0RUZnUVU5NHU4WXlMdmE2MTJnT1pyCm44QnlFQ2NucVFjd1FnWURWUjBqQkRzd09ZQVU5NHU4WXlMdmE2MTJnT1pybjhCeUVDY25xUWVoRnFRVU1CSXgKRURBT0JnTlZCQU1NQjNSbGMzUXRZMkdDQ1FDb2wxWXVDUUtBY2pBTUJnTlZIUk1FQlRBREFRSC9NQTBHQ1NxRwpTSWIzRFFFQkN3VUFBNElCQVFER1JRZ1RtdzdVNXRQRHA5Q2psOXlLRW9Vd2pYWWM2UlAwdm1GSHpubXJ3dUVLCjFrTkVJNzhBTUw1MEpuS29CY0ljVDNEeGQ3TGdIbTNCRE5mVVh2anArNnZqaXhJYXR2UWhsSFNVaWIyZjJsSTkKVEMxNzVyNCtROFkzelc1RlFXSDdLK08vY3pJTGh5ei93aHRDUlFkQ29lS1dXZkFiby8wd0VSejZzNkhkVFJzNwpHcWlGNWZtWGp6S0lOcTBjMHRyZ0xtalNKd1hwSnU0ZnNGOEcyZUh4b2pOKzdJQ1FuSkg5cGRIRVpUQUtOL2ppCnIvem04RlZtd1kvdTBndEZneWVQY1ZWbXBqRm03Y0ZOSkc4Y2ZYd0QzcEFwVjhVOGNocTZGeFBHTkVvWFZnclMKY1VRMklaU0RJd1FFY3FvSzFKSGdCUWw2RXBaUVpWMW1DRklrdFBwSQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0t"
asserts:
- equal:
path: stringData.endpointCA
value: "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURHakNDQWdLZ0F3SUJBZ0lKQUtpWFZpNEpBb0J5TUEwR0NTcUdTSWIzRFFFQkN3VUFNQkl4RURBT0JnTlYKQkFNTUIzUmxjM1F0WTJFd0hoY05NakF3T0RNd01UZ3lOVFE1V2hjTk1qQXhNREk1TVRneU5UUTVXakFTTVJBdwpEZ1lEVlFRRERBZDBaWE4wTFdOaE1JSUJJakFOQmdrcWhraUc5dzBCQVFFRkFBT0NBUThBTUlJQkNnS0NBUUVBCjA4dnV3Q2Y0SEhtR2Q2azVNTmozRW5NOG00T2RpS3czSGszd1NlOUlXQkwyVzY5WDZxenBhN2I2M3U2L05mMnkKSnZWNDVqeXplRFB6bFJycjlpbEpWaVZ1NFNqWlFjdG9jWmFCaVNsL0xDbEFDdkFaUlYvKzN0TFVTZSs1ZDY0QQpWcUhDQlZObU5xM3E3aVY0TE1aSVpRc3N6K0FxaU1Sd0pOMVVKQTZ6V0tUc2Yzc3ByQ0J2dWxJWmZsVXVETVAyCnRCTCt6cXZEc0pDdWlhNEEvU2JNT29tVmM2WnNtTGkwMjdub3dGRld3MnRpSkM5d0xMRE14NnJoVHQ4a3VvVHYKQXJpUjB4WktiRU45L1Uzb011eUVKbHZyck9YS2ZuUDUwbk8ycGNaQnZCb3pUTStYZnRvQ1d5UnhKUmI5cFNTRApKQjlmUEFtLzNZcFpMMGRKY2sxR1h3SURBUUFCbzNNd2NUQWRCZ05WSFE0RUZnUVU5NHU4WXlMdmE2MTJnT1pyCm44QnlFQ2NucVFjd1FnWURWUjBqQkRzd09ZQVU5NHU4WXlMdmE2MTJnT1pybjhCeUVDY25xUWVoRnFRVU1CSXgKRURBT0JnTlZCQU1NQjNSbGMzUXRZMkdDQ1FDb2wxWXVDUUtBY2pBTUJnTlZIUk1FQlRBREFRSC9NQTBHQ1NxRwpTSWIzRFFFQkN3VUFBNElCQVFER1JRZ1RtdzdVNXRQRHA5Q2psOXlLRW9Vd2pYWWM2UlAwdm1GSHpubXJ3dUVLCjFrTkVJNzhBTUw1MEpuS29CY0ljVDNEeGQ3TGdIbTNCRE5mVVh2anArNnZqaXhJYXR2UWhsSFNVaWIyZjJsSTkKVEMxNzVyNCtROFkzelc1RlFXSDdLK08vY3pJTGh5ei93aHRDUlFkQ29lS1dXZkFiby8wd0VSejZzNkhkVFJzNwpHcWlGNWZtWGp6S0lOcTBjMHRyZ0xtalNKd1hwSnU0ZnNGOEcyZUh4b2pOKzdJQ1FuSkg5cGRIRVpUQUtOL2ppCnIvem04RlZtd1kvdTBndEZneWVQY1ZWbXBqRm03Y0ZOSkc4Y2ZYd0QzcEFwVjhVOGNocTZGeFBHTkVvWFZnclMKY1VRMklaU0RJd1FFY3FvSzFKSGdCUWw2RXBaUVpWMW1DRklrdFBwSQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0t"
- it: should not set insecureTLSSkipVerify
template: s3-secret.yaml
set:
s3:
enabled: true
bucketName: "yourbucket"
endpoint: "https://s3.amazonaws.com"
asserts:
- isNull:
path: stringData.insecureTLSSkipVerify
- it: should set insecureTLSSkipVerify
template: s3-secret.yaml
set:
s3:
enabled: true
bucketName: "yourbucket"
endpoint: "https://s3.amazonaws.com"
insecureTLSSkipVerify: "true"
asserts:
- equal:
path: stringData.insecureTLSSkipVerify
value: "true"

81
charts/rancher-backup/103.0.0+up4.0.0/values.yaml Normal file
View File

@ -0,0 +1,81 @@
image:
repository: rancher/backup-restore-operator
tag: v4.0.0
## Default s3 bucket for storing all backup files created by the backup-restore-operator
s3:
enabled: false
## credentialSecretName if set, should be the name of the Secret containing AWS credentials.
## To use IAM Role, don't set this field
credentialSecretName: ""
credentialSecretNamespace: ""
region: ""
bucketName: ""
folder: ""
endpoint: ""
endpointCA: ""
insecureTLSSkipVerify: false
## ref: http://kubernetes.io/docs/user-guide/persistent-volumes/
## If persistence is enabled, operator will create a PVC with mountPath /var/lib/backups
persistence:
enabled: false
## If defined, storageClassName: <storageClass>
## If set to "-", storageClassName: "", which disables dynamic provisioning
## If undefined (the default) or set to null, no storageClassName spec is
## set, choosing the default provisioner. (gp2 on AWS, standard on
## GKE, AWS & OpenStack).
## Refer https://kubernetes.io/docs/concepts/storage/persistent-volumes/#class-1
##
storageClass: "-"
## If you want to disable dynamic provisioning by setting storageClass to "-" above,
## and want to target a particular PV, provide name of the target volume
volumeName: ""
## Only certain StorageClasses allow resizing PVs; Refer https://kubernetes.io/blog/2018/07/12/resizing-persistent-volumes-using-kubernetes/
size: 2Gi
# Add log level flags to backup-restore
debug: false
trace: false
# http[s] proxy server passed to backup client
# proxy: http://<username>@<password>:<url>:<port>
# comma separated list of domains or ip addresses that will not use the proxy
noProxy: 127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,.svc,.cluster.local
global:
cattle:
systemDefaultRegistry: ""
psp:
enabled: false # PSP enablement should default to false
kubectl:
repository: rancher/kubectl
tag: v1.21.9
## Node labels for pod assignment
## Ref: https://kubernetes.io/docs/user-guide/node-selection/
##
nodeSelector: {}
## List of node taints to tolerate (requires Kubernetes >= 1.6)
tolerations: []
affinity: {}
serviceAccount:
annotations: {}
priorityClassName: ""
# Override imagePullPolicy for image
# options: Always, Never, IfNotPresent
# Defaults to Always
imagePullPolicy: "Always"
## Optional array of imagePullSecrets containing private registry credentials
## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
imagePullSecrets: []

10
charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/Chart.yaml Normal file
View File

@ -0,0 +1,10 @@
annotations:
catalog.cattle.io/certified: rancher
catalog.cattle.io/hidden: "true"
catalog.cattle.io/namespace: cattle-gatekeeper-system
catalog.cattle.io/release-name: rancher-gatekeeper-crd
apiVersion: v1
description: Installs the CRDs for rancher-gatekeeper.
name: rancher-gatekeeper-crd
type: application
version: 103.1.0+up3.13.0

2
charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/README.md Normal file
View File

@ -0,0 +1,2 @@
# rancher-gatekeeper-crd
A Rancher chart that installs the CRDs used by rancher-gatekeeper.

757
charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/crd-manifest/assign-customresourcedefinition.yaml Normal file
View File

@ -0,0 +1,757 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.10.0
labels:
gatekeeper.sh/system: "yes"
name: assign.mutations.gatekeeper.sh
spec:
group: mutations.gatekeeper.sh
names:
kind: Assign
listKind: AssignList
plural: assign
singular: assign
preserveUnknownFields: false
scope: Cluster
versions:
- name: v1
schema:
openAPIV3Schema:
description: Assign is the Schema for the assign API.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
properties:
name:
maxLength: 63
type: string
type: object
spec:
description: AssignSpec defines the desired state of Assign.
properties:
applyTo:
description: ApplyTo lists the specific groups, versions and kinds a mutation will be applied to. This is necessary because every mutation implies part of an object schema and object schemas are associated with specific GVKs.
items:
description: ApplyTo determines what GVKs items the mutation should apply to. Globs are not allowed.
properties:
groups:
items:
type: string
type: array
kinds:
items:
type: string
type: array
versions:
items:
type: string
type: array
type: object
type: array
location:
description: 'Location describes the path to be mutated, for example: `spec.containers[name: main]`.'
type: string
match:
description: Match allows the user to limit which resources get mutated. Individual match criteria are AND-ed together. An undefined match criteria matches everything.
properties:
excludedNamespaces:
description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.'
items:
description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.'
pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$
type: string
type: array
kinds:
items:
description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope.
properties:
apiGroups:
description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required.
items:
type: string
type: array
kinds:
items:
type: string
type: array
type: object
type: array
labelSelector:
description: 'LabelSelector is the combination of two optional fields: `matchLabels` and `matchExpressions`. These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector.'
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
items:
description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
properties:
key:
description: key is the label key that the selector applies to.
type: string
operator:
description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
name:
description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.'
pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$
type: string
namespaceSelector:
description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace.
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
items:
description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
properties:
key:
description: key is the label key that the selector applies to.
type: string
operator:
description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
namespaces:
description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.'
items:
description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.'
pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$
type: string
type: array
scope:
description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`)
type: string
source:
description: Source determines whether generated or original resources are matched. Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of `Generated` will only match generated resources, while `Original` will only match regular resources.
enum:
- All
- Generated
- Original
type: string
type: object
parameters:
description: Parameters define the behavior of the mutator.
properties:
assign:
description: Assign.value holds the value to be assigned
properties:
externalData:
description: ExternalData describes the external data provider to be used for mutation.
properties:
dataSource:
default: ValueAtLocation
description: DataSource specifies where to extract the data that will be sent to the external data provider as parameters.
enum:
- ValueAtLocation
- Username
type: string
default:
description: Default specifies the default value to use when the external data provider returns an error and the failure policy is set to "UseDefault".
type: string
failurePolicy:
default: Fail
description: FailurePolicy specifies the policy to apply when the external data provider returns an error.
enum:
- UseDefault
- Ignore
- Fail
type: string
provider:
description: Provider is the name of the external data provider.
type: string
type: object
fromMetadata:
description: FromMetadata assigns a value from the specified metadata field.
properties:
field:
description: Field specifies which metadata field provides the assigned value. Valid fields are `namespace` and `name`.
type: string
type: object
value:
description: Value is a constant value that will be assigned to `location`
x-kubernetes-preserve-unknown-fields: true
type: object
pathTests:
items:
description: "PathTest allows the user to customize how the mutation works if parent paths are missing. It traverses the list in order. All sub paths are tested against the provided condition, if the test fails, the mutation is not applied. All `subPath` entries must be a prefix of `location`. Any glob characters will take on the same value as was used to expand the matching glob in `location`. \n Available Tests: * MustExist - the path must exist or do not mutate * MustNotExist - the path must not exist or do not mutate."
properties:
condition:
description: Condition describes whether the path either MustExist or MustNotExist in the original object
enum:
- MustExist
- MustNotExist
type: string
subPath:
type: string
type: object
type: array
type: object
type: object
status:
description: AssignStatus defines the observed state of Assign.
properties:
byPod:
items:
description: MutatorPodStatusStatus defines the observed state of MutatorPodStatus.
properties:
enforced:
type: boolean
errors:
items:
description: MutatorError represents a single error caught while adding a mutator to a system.
properties:
message:
type: string
type:
description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type.
type: string
required:
- message
type: object
type: array
id:
type: string
mutatorUID:
description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch
type: string
observedGeneration:
format: int64
type: integer
operations:
items:
type: string
type: array
type: object
type: array
type: object
type: object
served: true
storage: true
subresources:
status: {}
- name: v1alpha1
schema:
openAPIV3Schema:
description: Assign is the Schema for the assign API.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: AssignSpec defines the desired state of Assign.
properties:
applyTo:
description: ApplyTo lists the specific groups, versions and kinds a mutation will be applied to. This is necessary because every mutation implies part of an object schema and object schemas are associated with specific GVKs.
items:
description: ApplyTo determines what GVKs items the mutation should apply to. Globs are not allowed.
properties:
groups:
items:
type: string
type: array
kinds:
items:
type: string
type: array
versions:
items:
type: string
type: array
type: object
type: array
location:
description: 'Location describes the path to be mutated, for example: `spec.containers[name: main]`.'
type: string
match:
description: Match allows the user to limit which resources get mutated. Individual match criteria are AND-ed together. An undefined match criteria matches everything.
properties:
excludedNamespaces:
description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.'
items:
description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.'
pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$
type: string
type: array
kinds:
items:
description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope.
properties:
apiGroups:
description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required.
items:
type: string
type: array
kinds:
items:
type: string
type: array
type: object
type: array
labelSelector:
description: 'LabelSelector is the combination of two optional fields: `matchLabels` and `matchExpressions`. These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector.'
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
items:
description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
properties:
key:
description: key is the label key that the selector applies to.
type: string
operator:
description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
name:
description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.'
pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$
type: string
namespaceSelector:
description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace.
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
items:
description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
properties:
key:
description: key is the label key that the selector applies to.
type: string
operator:
description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
namespaces:
description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.'
items:
description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.'
pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$
type: string
type: array
scope:
description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`)
type: string
source:
description: Source determines whether generated or original resources are matched. Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of `Generated` will only match generated resources, while `Original` will only match regular resources.
enum:
- All
- Generated
- Original
type: string
type: object
parameters:
description: Parameters define the behavior of the mutator.
properties:
assign:
description: Assign.value holds the value to be assigned
properties:
externalData:
description: ExternalData describes the external data provider to be used for mutation.
properties:
dataSource:
default: ValueAtLocation
description: DataSource specifies where to extract the data that will be sent to the external data provider as parameters.
enum:
- ValueAtLocation
- Username
type: string
default:
description: Default specifies the default value to use when the external data provider returns an error and the failure policy is set to "UseDefault".
type: string
failurePolicy:
default: Fail
description: FailurePolicy specifies the policy to apply when the external data provider returns an error.
enum:
- UseDefault
- Ignore
- Fail
type: string
provider:
description: Provider is the name of the external data provider.
type: string
type: object
fromMetadata:
description: FromMetadata assigns a value from the specified metadata field.
properties:
field:
description: Field specifies which metadata field provides the assigned value. Valid fields are `namespace` and `name`.
type: string
type: object
value:
description: Value is a constant value that will be assigned to `location`
x-kubernetes-preserve-unknown-fields: true
type: object
pathTests:
items:
description: "PathTest allows the user to customize how the mutation works if parent paths are missing. It traverses the list in order. All sub paths are tested against the provided condition, if the test fails, the mutation is not applied. All `subPath` entries must be a prefix of `location`. Any glob characters will take on the same value as was used to expand the matching glob in `location`. \n Available Tests: * MustExist - the path must exist or do not mutate * MustNotExist - the path must not exist or do not mutate."
properties:
condition:
description: Condition describes whether the path either MustExist or MustNotExist in the original object
enum:
- MustExist
- MustNotExist
type: string
subPath:
type: string
type: object
type: array
type: object
type: object
status:
description: AssignStatus defines the observed state of Assign.
properties:
byPod:
items:
description: MutatorPodStatusStatus defines the observed state of MutatorPodStatus.
properties:
enforced:
type: boolean
errors:
items:
description: MutatorError represents a single error caught while adding a mutator to a system.
properties:
message:
type: string
type:
description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type.
type: string
required:
- message
type: object
type: array
id:
type: string
mutatorUID:
description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch
type: string
observedGeneration:
format: int64
type: integer
operations:
items:
type: string
type: array
type: object
type: array
type: object
type: object
served: true
storage: false
subresources:
status: {}
- name: v1beta1
schema:
openAPIV3Schema:
description: Assign is the Schema for the assign API.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: AssignSpec defines the desired state of Assign.
properties:
applyTo:
description: ApplyTo lists the specific groups, versions and kinds a mutation will be applied to. This is necessary because every mutation implies part of an object schema and object schemas are associated with specific GVKs.
items:
description: ApplyTo determines what GVKs items the mutation should apply to. Globs are not allowed.
properties:
groups:
items:
type: string
type: array
kinds:
items:
type: string
type: array
versions:
items:
type: string
type: array
type: object
type: array
location:
description: 'Location describes the path to be mutated, for example: `spec.containers[name: main]`.'
type: string
match:
description: Match allows the user to limit which resources get mutated. Individual match criteria are AND-ed together. An undefined match criteria matches everything.
properties:
excludedNamespaces:
description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.'
items:
description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.'
pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$
type: string
type: array
kinds:
items:
description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope.
properties:
apiGroups:
description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required.
items:
type: string
type: array
kinds:
items:
type: string
type: array
type: object
type: array
labelSelector:
description: 'LabelSelector is the combination of two optional fields: `matchLabels` and `matchExpressions`. These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector.'
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
items:
description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
properties:
key:
description: key is the label key that the selector applies to.
type: string
operator:
description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
name:
description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.'
pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$
type: string
namespaceSelector:
description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace.
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
items:
description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
properties:
key:
description: key is the label key that the selector applies to.
type: string
operator:
description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
namespaces:
description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.'
items:
description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.'
pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$
type: string
type: array
scope:
description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`)
type: string
source:
description: Source determines whether generated or original resources are matched. Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of `Generated` will only match generated resources, while `Original` will only match regular resources.
enum:
- All
- Generated
- Original
type: string
type: object
parameters:
description: Parameters define the behavior of the mutator.
properties:
assign:
description: Assign.value holds the value to be assigned
properties:
externalData:
description: ExternalData describes the external data provider to be used for mutation.
properties:
dataSource:
default: ValueAtLocation
description: DataSource specifies where to extract the data that will be sent to the external data provider as parameters.
enum:
- ValueAtLocation
- Username
type: string
default:
description: Default specifies the default value to use when the external data provider returns an error and the failure policy is set to "UseDefault".
type: string
failurePolicy:
default: Fail
description: FailurePolicy specifies the policy to apply when the external data provider returns an error.
enum:
- UseDefault
- Ignore
- Fail
type: string
provider:
description: Provider is the name of the external data provider.
type: string
type: object
fromMetadata:
description: FromMetadata assigns a value from the specified metadata field.
properties:
field:
description: Field specifies which metadata field provides the assigned value. Valid fields are `namespace` and `name`.
type: string
type: object
value:
description: Value is a constant value that will be assigned to `location`
x-kubernetes-preserve-unknown-fields: true
type: object
pathTests:
items:
description: "PathTest allows the user to customize how the mutation works if parent paths are missing. It traverses the list in order. All sub paths are tested against the provided condition, if the test fails, the mutation is not applied. All `subPath` entries must be a prefix of `location`. Any glob characters will take on the same value as was used to expand the matching glob in `location`. \n Available Tests: * MustExist - the path must exist or do not mutate * MustNotExist - the path must not exist or do not mutate."
properties:
condition:
description: Condition describes whether the path either MustExist or MustNotExist in the original object
enum:
- MustExist
- MustNotExist
type: string
subPath:
type: string
type: object
type: array
type: object
type: object
status:
description: AssignStatus defines the observed state of Assign.
properties:
byPod:
items:
description: MutatorPodStatusStatus defines the observed state of MutatorPodStatus.
properties:
enforced:
type: boolean
errors:
items:
description: MutatorError represents a single error caught while adding a mutator to a system.
properties:
message:
type: string
type:
description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type.
type: string
required:
- message
type: object
type: array
id:
type: string
mutatorUID:
description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch
type: string
observedGeneration:
format: int64
type: integer
operations:
items:
type: string
type: array
type: object
type: array
type: object
type: object
served: true
storage: false
subresources:
status: {}

237
charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/crd-manifest/assignimage-customresourcedefinition.yaml Normal file
View File

@ -0,0 +1,237 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.10.0
labels:
gatekeeper.sh/system: "yes"
name: assignimage.mutations.gatekeeper.sh
spec:
group: mutations.gatekeeper.sh
names:
kind: AssignImage
listKind: AssignImageList
plural: assignimage
singular: assignimage
preserveUnknownFields: false
scope: Cluster
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: AssignImage is the Schema for the assignimage API.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
properties:
name:
maxLength: 63
type: string
type: object
spec:
description: AssignImageSpec defines the desired state of AssignImage.
properties:
applyTo:
description: ApplyTo lists the specific groups, versions and kinds a mutation will be applied to. This is necessary because every mutation implies part of an object schema and object schemas are associated with specific GVKs.
items:
description: ApplyTo determines what GVKs items the mutation should apply to. Globs are not allowed.
properties:
groups:
items:
type: string
type: array
kinds:
items:
type: string
type: array
versions:
items:
type: string
type: array
type: object
type: array
location:
description: 'Location describes the path to be mutated, for example: `spec.containers[name: main].image`.'
type: string
match:
description: Match allows the user to limit which resources get mutated. Individual match criteria are AND-ed together. An undefined match criteria matches everything.
properties:
excludedNamespaces:
description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.'
items:
description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.'
pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$
type: string
type: array
kinds:
items:
description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope.
properties:
apiGroups:
description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required.
items:
type: string
type: array
kinds:
items:
type: string
type: array
type: object
type: array
labelSelector:
description: 'LabelSelector is the combination of two optional fields: `matchLabels` and `matchExpressions`. These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector.'
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
items:
description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
properties:
key:
description: key is the label key that the selector applies to.
type: string
operator:
description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
name:
description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.'
pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$
type: string
namespaceSelector:
description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace.
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
items:
description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
properties:
key:
description: key is the label key that the selector applies to.
type: string
operator:
description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
namespaces:
description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.'
items:
description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.'
pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$
type: string
type: array
scope:
description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`)
type: string
source:
description: Source determines whether generated or original resources are matched. Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of `Generated` will only match generated resources, while `Original` will only match regular resources.
enum:
- All
- Generated
- Original
type: string
type: object
parameters:
description: Parameters define the behavior of the mutator.
properties:
assignDomain:
description: AssignDomain sets the domain component on an image string. The trailing slash should not be included.
type: string
assignPath:
description: AssignPath sets the domain component on an image string.
type: string
assignTag:
description: AssignImage sets the image component on an image string. It must start with a `:` or `@`.
type: string
pathTests:
items:
description: "PathTest allows the user to customize how the mutation works if parent paths are missing. It traverses the list in order. All sub paths are tested against the provided condition, if the test fails, the mutation is not applied. All `subPath` entries must be a prefix of `location`. Any glob characters will take on the same value as was used to expand the matching glob in `location`. \n Available Tests: * MustExist - the path must exist or do not mutate * MustNotExist - the path must not exist or do not mutate."
properties:
condition:
description: Condition describes whether the path either MustExist or MustNotExist in the original object
enum:
- MustExist
- MustNotExist
type: string
subPath:
type: string
type: object
type: array
type: object
type: object
status:
description: AssignImageStatus defines the observed state of AssignImage.
properties:
byPod:
items:
description: MutatorPodStatusStatus defines the observed state of MutatorPodStatus.
properties:
enforced:
type: boolean
errors:
items:
description: MutatorError represents a single error caught while adding a mutator to a system.
properties:
message:
type: string
type:
description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type.
type: string
required:
- message
type: object
type: array
id:
type: string
mutatorUID:
description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch
type: string
observedGeneration:
format: int64
type: integer
operations:
items:
type: string
type: array
type: object
type: array
type: object
type: object
served: true
storage: true
subresources:
status: {}

655
charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/crd-manifest/assignmetadata-customresourcedefinition.yaml Normal file
View File

@ -0,0 +1,655 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.10.0
labels:
gatekeeper.sh/system: "yes"
name: assignmetadata.mutations.gatekeeper.sh
spec:
group: mutations.gatekeeper.sh
names:
kind: AssignMetadata
listKind: AssignMetadataList
plural: assignmetadata
singular: assignmetadata
preserveUnknownFields: false
scope: Cluster
versions:
- name: v1
schema:
openAPIV3Schema:
description: AssignMetadata is the Schema for the assignmetadata API.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
properties:
name:
maxLength: 63
type: string
type: object
spec:
description: AssignMetadataSpec defines the desired state of AssignMetadata.
properties:
location:
type: string
match:
description: Match selects which objects are in scope.
properties:
excludedNamespaces:
description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.'
items:
description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.'
pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$
type: string
type: array
kinds:
items:
description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope.
properties:
apiGroups:
description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required.
items:
type: string
type: array
kinds:
items:
type: string
type: array
type: object
type: array
labelSelector:
description: 'LabelSelector is the combination of two optional fields: `matchLabels` and `matchExpressions`. These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector.'
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
items:
description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
properties:
key:
description: key is the label key that the selector applies to.
type: string
operator:
description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
name:
description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.'
pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$
type: string
namespaceSelector:
description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace.
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
items:
description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
properties:
key:
description: key is the label key that the selector applies to.
type: string
operator:
description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
namespaces:
description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.'
items:
description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.'
pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$
type: string
type: array
scope:
description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`)
type: string
source:
description: Source determines whether generated or original resources are matched. Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of `Generated` will only match generated resources, while `Original` will only match regular resources.
enum:
- All
- Generated
- Original
type: string
type: object
parameters:
properties:
assign:
description: Assign.value holds the value to be assigned
properties:
externalData:
description: ExternalData describes the external data provider to be used for mutation.
properties:
dataSource:
default: ValueAtLocation
description: DataSource specifies where to extract the data that will be sent to the external data provider as parameters.
enum:
- ValueAtLocation
- Username
type: string
default:
description: Default specifies the default value to use when the external data provider returns an error and the failure policy is set to "UseDefault".
type: string
failurePolicy:
default: Fail
description: FailurePolicy specifies the policy to apply when the external data provider returns an error.
enum:
- UseDefault
- Ignore
- Fail
type: string
provider:
description: Provider is the name of the external data provider.
type: string
type: object
fromMetadata:
description: FromMetadata assigns a value from the specified metadata field.
properties:
field:
description: Field specifies which metadata field provides the assigned value. Valid fields are `namespace` and `name`.
type: string
type: object
value:
description: Value is a constant value that will be assigned to `location`
x-kubernetes-preserve-unknown-fields: true
type: object
type: object
type: object
status:
description: AssignMetadataStatus defines the observed state of AssignMetadata.
properties:
byPod:
description: 'INSERT ADDITIONAL STATUS FIELD - define observed state of cluster Important: Run "make" to regenerate code after modifying this file'
items:
description: MutatorPodStatusStatus defines the observed state of MutatorPodStatus.
properties:
enforced:
type: boolean
errors:
items:
description: MutatorError represents a single error caught while adding a mutator to a system.
properties:
message:
type: string
type:
description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type.
type: string
required:
- message
type: object
type: array
id:
type: string
mutatorUID:
description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch
type: string
observedGeneration:
format: int64
type: integer
operations:
items:
type: string
type: array
type: object
type: array
type: object
type: object
served: true
storage: true
subresources:
status: {}
- name: v1alpha1
schema:
openAPIV3Schema:
description: AssignMetadata is the Schema for the assignmetadata API.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: AssignMetadataSpec defines the desired state of AssignMetadata.
properties:
location:
type: string
match:
description: Match selects which objects are in scope.
properties:
excludedNamespaces:
description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.'
items:
description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.'
pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$
type: string
type: array
kinds:
items:
description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope.
properties:
apiGroups:
description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required.
items:
type: string
type: array
kinds:
items:
type: string
type: array
type: object
type: array
labelSelector:
description: 'LabelSelector is the combination of two optional fields: `matchLabels` and `matchExpressions`. These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector.'
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
items:
description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
properties:
key:
description: key is the label key that the selector applies to.
type: string
operator:
description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
name:
description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.'
pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$
type: string
namespaceSelector:
description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace.
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
items:
description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
properties:
key:
description: key is the label key that the selector applies to.
type: string
operator:
description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
namespaces:
description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.'
items:
description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.'
pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$
type: string
type: array
scope:
description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`)
type: string
source:
description: Source determines whether generated or original resources are matched. Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of `Generated` will only match generated resources, while `Original` will only match regular resources.
enum:
- All
- Generated
- Original
type: string
type: object
parameters:
properties:
assign:
description: Assign.value holds the value to be assigned
properties:
externalData:
description: ExternalData describes the external data provider to be used for mutation.
properties:
dataSource:
default: ValueAtLocation
description: DataSource specifies where to extract the data that will be sent to the external data provider as parameters.
enum:
- ValueAtLocation
- Username
type: string
default:
description: Default specifies the default value to use when the external data provider returns an error and the failure policy is set to "UseDefault".
type: string
failurePolicy:
default: Fail
description: FailurePolicy specifies the policy to apply when the external data provider returns an error.
enum:
- UseDefault
- Ignore
- Fail
type: string
provider:
description: Provider is the name of the external data provider.
type: string
type: object
fromMetadata:
description: FromMetadata assigns a value from the specified metadata field.
properties:
field:
description: Field specifies which metadata field provides the assigned value. Valid fields are `namespace` and `name`.
type: string
type: object
value:
description: Value is a constant value that will be assigned to `location`
x-kubernetes-preserve-unknown-fields: true
type: object
type: object
type: object
status:
description: AssignMetadataStatus defines the observed state of AssignMetadata.
properties:
byPod:
description: 'INSERT ADDITIONAL STATUS FIELD - define observed state of cluster Important: Run "make" to regenerate code after modifying this file'
items:
description: MutatorPodStatusStatus defines the observed state of MutatorPodStatus.
properties:
enforced:
type: boolean
errors:
items:
description: MutatorError represents a single error caught while adding a mutator to a system.
properties:
message:
type: string
type:
description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type.
type: string
required:
- message
type: object
type: array
id:
type: string
mutatorUID:
description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch
type: string
observedGeneration:
format: int64
type: integer
operations:
items:
type: string
type: array
type: object
type: array
type: object
type: object
served: true
storage: false
subresources:
status: {}
- name: v1beta1
schema:
openAPIV3Schema:
description: AssignMetadata is the Schema for the assignmetadata API.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: AssignMetadataSpec defines the desired state of AssignMetadata.
properties:
location:
type: string
match:
description: Match selects which objects are in scope.
properties:
excludedNamespaces:
description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.'
items:
description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.'
pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$
type: string
type: array
kinds:
items:
description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope.
properties:
apiGroups:
description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required.
items:
type: string
type: array
kinds:
items:
type: string
type: array
type: object
type: array
labelSelector:
description: 'LabelSelector is the combination of two optional fields: `matchLabels` and `matchExpressions`. These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector.'
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
items:
description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
properties:
key:
description: key is the label key that the selector applies to.
type: string
operator:
description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
name:
description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.'
pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$
type: string
namespaceSelector:
description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace.
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
items:
description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
properties:
key:
description: key is the label key that the selector applies to.
type: string
operator:
description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
namespaces:
description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.'
items:
description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.'
pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$
type: string
type: array
scope:
description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`)
type: string
source:
description: Source determines whether generated or original resources are matched. Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of `Generated` will only match generated resources, while `Original` will only match regular resources.
enum:
- All
- Generated
- Original
type: string
type: object
parameters:
properties:
assign:
description: Assign.value holds the value to be assigned
properties:
externalData:
description: ExternalData describes the external data provider to be used for mutation.
properties:
dataSource:
default: ValueAtLocation
description: DataSource specifies where to extract the data that will be sent to the external data provider as parameters.
enum:
- ValueAtLocation
- Username
type: string
default:
description: Default specifies the default value to use when the external data provider returns an error and the failure policy is set to "UseDefault".
type: string
failurePolicy:
default: Fail
description: FailurePolicy specifies the policy to apply when the external data provider returns an error.
enum:
- UseDefault
- Ignore
- Fail
type: string
provider:
description: Provider is the name of the external data provider.
type: string
type: object
fromMetadata:
description: FromMetadata assigns a value from the specified metadata field.
properties:
field:
description: Field specifies which metadata field provides the assigned value. Valid fields are `namespace` and `name`.
type: string
type: object
value:
description: Value is a constant value that will be assigned to `location`
x-kubernetes-preserve-unknown-fields: true
type: object
type: object
type: object
status:
description: AssignMetadataStatus defines the observed state of AssignMetadata.
properties:
byPod:
description: 'INSERT ADDITIONAL STATUS FIELD - define observed state of cluster Important: Run "make" to regenerate code after modifying this file'
items:
description: MutatorPodStatusStatus defines the observed state of MutatorPodStatus.
properties:
enforced:
type: boolean
errors:
items:
description: MutatorError represents a single error caught while adding a mutator to a system.
properties:
message:
type: string
type:
description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type.
type: string
required:
- message
type: object
type: array
id:
type: string
mutatorUID:
description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch
type: string
observedGeneration:
format: int64
type: integer
operations:
items:
type: string
type: array
type: object
type: array
type: object
type: object
served: true
storage: false
subresources:
status: {}

105
charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/crd-manifest/config-customresourcedefinition.yaml Normal file
View File

@ -0,0 +1,105 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.10.0
labels:
gatekeeper.sh/system: "yes"
name: configs.config.gatekeeper.sh
spec:
group: config.gatekeeper.sh
names:
kind: Config
listKind: ConfigList
plural: configs
singular: config
preserveUnknownFields: false
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: Config is the Schema for the configs API.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: ConfigSpec defines the desired state of Config.
properties:
match:
description: Configuration for namespace exclusion
items:
properties:
excludedNamespaces:
items:
description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.'
pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$
type: string
type: array
processes:
items:
type: string
type: array
type: object
type: array
readiness:
description: Configuration for readiness tracker
properties:
statsEnabled:
type: boolean
type: object
sync:
description: Configuration for syncing k8s objects
properties:
syncOnly:
description: If non-empty, only entries on this list will be replicated into OPA
items:
properties:
group:
type: string
kind:
type: string
version:
type: string
type: object
type: array
type: object
validation:
description: Configuration for validation
properties:
traces:
description: List of requests to trace. Both "user" and "kinds" must be specified
items:
properties:
dump:
description: Also dump the state of OPA with the trace. Set to `All` to dump everything.
type: string
kind:
description: Only trace requests of the following GroupVersionKind
properties:
group:
type: string
kind:
type: string
version:
type: string
type: object
user:
description: Only trace requests from the specified user
type: string
type: object
type: array
type: object
type: object
status:
description: ConfigStatus defines the observed state of Config.
type: object
type: object
served: true
storage: true

67
charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/crd-manifest/constraintpodstatus-customresourcedefinition.yaml Normal file
View File

@ -0,0 +1,67 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.10.0
labels:
gatekeeper.sh/system: "yes"
name: constraintpodstatuses.status.gatekeeper.sh
spec:
group: status.gatekeeper.sh
names:
kind: ConstraintPodStatus
listKind: ConstraintPodStatusList
plural: constraintpodstatuses
singular: constraintpodstatus
preserveUnknownFields: false
scope: Namespaced
versions:
- name: v1beta1
schema:
openAPIV3Schema:
description: ConstraintPodStatus is the Schema for the constraintpodstatuses API.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
status:
description: ConstraintPodStatusStatus defines the observed state of ConstraintPodStatus.
properties:
constraintUID:
description: Storing the constraint UID allows us to detect drift, such as when a constraint has been recreated after its CRD was deleted out from under it, interrupting the watch
type: string
enforced:
type: boolean
errors:
items:
description: Error represents a single error caught while adding a constraint to OPA.
properties:
code:
type: string
location:
type: string
message:
type: string
required:
- code
- message
type: object
type: array
id:
type: string
observedGeneration:
format: int64
type: integer
operations:
items:
type: string
type: array
type: object
type: object
served: true
storage: true

357
charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/crd-manifest/constrainttemplate-customresourcedefinition.yaml Normal file
View File

@ -0,0 +1,357 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.11.3
labels:
gatekeeper.sh/system: "yes"
name: constrainttemplates.templates.gatekeeper.sh
spec:
group: templates.gatekeeper.sh
names:
kind: ConstraintTemplate
listKind: ConstraintTemplateList
plural: constrainttemplates
singular: constrainttemplate
preserveUnknownFields: false
scope: Cluster
versions:
- name: v1
schema:
openAPIV3Schema:
description: ConstraintTemplate is the Schema for the constrainttemplates API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: ConstraintTemplateSpec defines the desired state of ConstraintTemplate.
properties:
crd:
properties:
spec:
properties:
names:
properties:
kind:
type: string
shortNames:
items:
type: string
type: array
type: object
validation:
default:
legacySchema: false
properties:
legacySchema:
default: false
type: boolean
openAPIV3Schema:
type: object
x-kubernetes-preserve-unknown-fields: true
type: object
type: object
type: object
targets:
items:
properties:
code:
description: The source code options for the constraint template. "Rego" can only be specified in one place (either here or in the "rego" field)
items:
properties:
engine:
description: 'The engine used to evaluate the code. Example: "Rego". Required.'
type: string
source:
description: The source code for the template. Required.
x-kubernetes-preserve-unknown-fields: true
required:
- engine
- source
type: object
type: array
x-kubernetes-list-map-keys:
- engine
x-kubernetes-list-type: map
libs:
items:
type: string
type: array
rego:
type: string
target:
type: string
type: object
type: array
type: object
status:
description: ConstraintTemplateStatus defines the observed state of ConstraintTemplate.
properties:
byPod:
items:
description: ByPodStatus defines the observed state of ConstraintTemplate as seen by an individual controller
properties:
errors:
items:
description: CreateCRDError represents a single error caught during parsing, compiling, etc.
properties:
code:
type: string
location:
type: string
message:
type: string
required:
- code
- message
type: object
type: array
id:
description: a unique identifier for the pod that wrote the status
type: string
observedGeneration:
format: int64
type: integer
type: object
x-kubernetes-preserve-unknown-fields: true
type: array
created:
type: boolean
type: object
type: object
served: true
storage: true
subresources:
status: {}
- name: v1alpha1
schema:
openAPIV3Schema:
description: ConstraintTemplate is the Schema for the constrainttemplates API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: ConstraintTemplateSpec defines the desired state of ConstraintTemplate.
properties:
crd:
properties:
spec:
properties:
names:
properties:
kind:
type: string
shortNames:
items:
type: string
type: array
type: object
validation:
default:
legacySchema: true
properties:
legacySchema:
default: true
type: boolean
openAPIV3Schema:
type: object
x-kubernetes-preserve-unknown-fields: true
type: object
type: object
type: object
targets:
items:
properties:
code:
description: The source code options for the constraint template. "Rego" can only be specified in one place (either here or in the "rego" field)
items:
properties:
engine:
description: 'The engine used to evaluate the code. Example: "Rego". Required.'
type: string
source:
description: The source code for the template. Required.
x-kubernetes-preserve-unknown-fields: true
required:
- engine
- source
type: object
type: array
x-kubernetes-list-map-keys:
- engine
x-kubernetes-list-type: map
libs:
items:
type: string
type: array
rego:
type: string
target:
type: string
type: object
type: array
type: object
status:
description: ConstraintTemplateStatus defines the observed state of ConstraintTemplate.
properties:
byPod:
items:
description: ByPodStatus defines the observed state of ConstraintTemplate as seen by an individual controller
properties:
errors:
items:
description: CreateCRDError represents a single error caught during parsing, compiling, etc.
properties:
code:
type: string
location:
type: string
message:
type: string
required:
- code
- message
type: object
type: array
id:
description: a unique identifier for the pod that wrote the status
type: string
observedGeneration:
format: int64
type: integer
type: object
x-kubernetes-preserve-unknown-fields: true
type: array
created:
type: boolean
type: object
type: object
served: true
storage: false
subresources:
status: {}
- name: v1beta1
schema:
openAPIV3Schema:
description: ConstraintTemplate is the Schema for the constrainttemplates API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: ConstraintTemplateSpec defines the desired state of ConstraintTemplate.
properties:
crd:
properties:
spec:
properties:
names:
properties:
kind:
type: string
shortNames:
items:
type: string
type: array
type: object
validation:
default:
legacySchema: true
properties:
legacySchema:
default: true
type: boolean
openAPIV3Schema:
type: object
x-kubernetes-preserve-unknown-fields: true
type: object
type: object
type: object
targets:
items:
properties:
code:
description: The source code options for the constraint template. "Rego" can only be specified in one place (either here or in the "rego" field)
items:
properties:
engine:
description: 'The engine used to evaluate the code. Example: "Rego". Required.'
type: string
source:
description: The source code for the template. Required.
x-kubernetes-preserve-unknown-fields: true
required:
- engine
- source
type: object
type: array
x-kubernetes-list-map-keys:
- engine
x-kubernetes-list-type: map
libs:
items:
type: string
type: array
rego:
type: string
target:
type: string
type: object
type: array
type: object
status:
description: ConstraintTemplateStatus defines the observed state of ConstraintTemplate.
properties:
byPod:
items:
description: ByPodStatus defines the observed state of ConstraintTemplate as seen by an individual controller
properties:
errors:
items:
description: CreateCRDError represents a single error caught during parsing, compiling, etc.
properties:
code:
type: string
location:
type: string
message:
type: string
required:
- code
- message
type: object
type: array
id:
description: a unique identifier for the pod that wrote the status
type: string
observedGeneration:
format: int64
type: integer
type: object
x-kubernetes-preserve-unknown-fields: true
type: array
created:
type: boolean
type: object
type: object
served: true
storage: false
subresources:
status: {}

66
charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/crd-manifest/constrainttemplatepodstatus-customresourcedefinition.yaml Normal file
View File

@ -0,0 +1,66 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.10.0
labels:
gatekeeper.sh/system: "yes"
name: constrainttemplatepodstatuses.status.gatekeeper.sh
spec:
group: status.gatekeeper.sh
names:
kind: ConstraintTemplatePodStatus
listKind: ConstraintTemplatePodStatusList
plural: constrainttemplatepodstatuses
singular: constrainttemplatepodstatus
preserveUnknownFields: false
scope: Namespaced
versions:
- name: v1beta1
schema:
openAPIV3Schema:
description: ConstraintTemplatePodStatus is the Schema for the constrainttemplatepodstatuses API.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
status:
description: ConstraintTemplatePodStatusStatus defines the observed state of ConstraintTemplatePodStatus.
properties:
errors:
items:
description: CreateCRDError represents a single error caught during parsing, compiling, etc.
properties:
code:
type: string
location:
type: string
message:
type: string
required:
- code
- message
type: object
type: array
id:
description: 'Important: Run "make" to regenerate code after modifying this file'
type: string
observedGeneration:
format: int64
type: integer
operations:
items:
type: string
type: array
templateUID:
description: UID is a type that holds unique ID values, including UUIDs. Because we don't ONLY use UUIDs, this is an alias to string. Being a type captures intent and helps make sure that UIDs and names do not get conflated.
type: string
type: object
type: object
served: true
storage: true

200
charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/crd-manifest/expansiontemplate-customresourcedefinition.yaml Normal file
View File

@ -0,0 +1,200 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.10.0
labels:
gatekeeper.sh/system: "yes"
name: expansiontemplate.expansion.gatekeeper.sh
spec:
group: expansion.gatekeeper.sh
names:
kind: ExpansionTemplate
listKind: ExpansionTemplateList
plural: expansiontemplate
singular: expansiontemplate
preserveUnknownFields: false
scope: Cluster
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: ExpansionTemplate is the Schema for the ExpansionTemplate API.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: ExpansionTemplateSpec defines the desired state of ExpansionTemplate.
properties:
applyTo:
description: ApplyTo lists the specific groups, versions and kinds of generator resources which will be expanded.
items:
description: ApplyTo determines what GVKs items the mutation should apply to. Globs are not allowed.
properties:
groups:
items:
type: string
type: array
kinds:
items:
type: string
type: array
versions:
items:
type: string
type: array
type: object
type: array
enforcementAction:
description: EnforcementAction specifies the enforcement action to be used for resources matching the ExpansionTemplate. Specifying an empty value will use the enforcement action specified by the Constraint in violation.
type: string
generatedGVK:
description: GeneratedGVK specifies the GVK of the resources which the generator resource creates.
properties:
group:
type: string
kind:
type: string
version:
type: string
type: object
templateSource:
description: TemplateSource specifies the source field on the generator resource to use as the base for expanded resource. For Pod-creating generators, this is usually spec.template
type: string
type: object
status:
description: ExpansionTemplateStatus defines the observed state of ExpansionTemplate.
properties:
byPod:
items:
description: ExpansionTemplatePodStatusStatus defines the observed state of ExpansionTemplatePodStatus.
properties:
errors:
items:
properties:
message:
type: string
type:
type: string
required:
- message
type: object
type: array
id:
description: 'Important: Run "make" to regenerate code after modifying this file'
type: string
observedGeneration:
format: int64
type: integer
operations:
items:
type: string
type: array
templateUID:
description: UID is a type that holds unique ID values, including UUIDs. Because we don't ONLY use UUIDs, this is an alias to string. Being a type captures intent and helps make sure that UIDs and names do not get conflated.
type: string
type: object
type: array
type: object
type: object
served: true
storage: true
subresources:
status: {}
- name: v1beta1
schema:
openAPIV3Schema:
description: ExpansionTemplate is the Schema for the ExpansionTemplate API.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: ExpansionTemplateSpec defines the desired state of ExpansionTemplate.
properties:
applyTo:
description: ApplyTo lists the specific groups, versions and kinds of generator resources which will be expanded.
items:
description: ApplyTo determines what GVKs items the mutation should apply to. Globs are not allowed.
properties:
groups:
items:
type: string
type: array
kinds:
items:
type: string
type: array
versions:
items:
type: string
type: array
type: object
type: array
enforcementAction:
description: EnforcementAction specifies the enforcement action to be used for resources matching the ExpansionTemplate. Specifying an empty value will use the enforcement action specified by the Constraint in violation.
type: string
generatedGVK:
description: GeneratedGVK specifies the GVK of the resources which the generator resource creates.
properties:
group:
type: string
kind:
type: string
version:
type: string
type: object
templateSource:
description: TemplateSource specifies the source field on the generator resource to use as the base for expanded resource. For Pod-creating generators, this is usually spec.template
type: string
type: object
status:
description: ExpansionTemplateStatus defines the observed state of ExpansionTemplate.
properties:
byPod:
items:
description: ExpansionTemplatePodStatusStatus defines the observed state of ExpansionTemplatePodStatus.
properties:
errors:
items:
properties:
message:
type: string
type:
type: string
required:
- message
type: object
type: array
id:
description: 'Important: Run "make" to regenerate code after modifying this file'
type: string
observedGeneration:
format: int64
type: integer
operations:
items:
type: string
type: array
templateUID:
description: UID is a type that holds unique ID values, including UUIDs. Because we don't ONLY use UUIDs, this is an alias to string. Being a type captures intent and helps make sure that UIDs and names do not get conflated.
type: string
type: object
type: array
type: object
type: object
served: true
storage: false
subresources:
status: {}

62
charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/crd-manifest/expansiontemplatepodstatus-customresourcedefinition.yaml Normal file
View File

@ -0,0 +1,62 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.10.0
labels:
gatekeeper.sh/system: "yes"
name: expansiontemplatepodstatuses.status.gatekeeper.sh
spec:
group: status.gatekeeper.sh
names:
kind: ExpansionTemplatePodStatus
listKind: ExpansionTemplatePodStatusList
plural: expansiontemplatepodstatuses
singular: expansiontemplatepodstatus
preserveUnknownFields: false
scope: Namespaced
versions:
- name: v1beta1
schema:
openAPIV3Schema:
description: ExpansionTemplatePodStatus is the Schema for the expansiontemplatepodstatuses API.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
status:
description: ExpansionTemplatePodStatusStatus defines the observed state of ExpansionTemplatePodStatus.
properties:
errors:
items:
properties:
message:
type: string
type:
type: string
required:
- message
type: object
type: array
id:
description: 'Important: Run "make" to regenerate code after modifying this file'
type: string
observedGeneration:
format: int64
type: integer
operations:
items:
type: string
type: array
templateUID:
description: UID is a type that holds unique ID values, including UUIDs. Because we don't ONLY use UUIDs, this is an alias to string. Being a type captures intent and helps make sure that UIDs and names do not get conflated.
type: string
type: object
type: object
served: true
storage: true

676
charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/crd-manifest/modifyset-customresourcedefinition.yaml Normal file
View File

@ -0,0 +1,676 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.10.0
labels:
gatekeeper.sh/system: "yes"
name: modifyset.mutations.gatekeeper.sh
spec:
group: mutations.gatekeeper.sh
names:
kind: ModifySet
listKind: ModifySetList
plural: modifyset
singular: modifyset
preserveUnknownFields: false
scope: Cluster
versions:
- name: v1
schema:
openAPIV3Schema:
description: ModifySet allows the user to modify non-keyed lists, such as the list of arguments to a container.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
properties:
name:
maxLength: 63
type: string
type: object
spec:
description: ModifySetSpec defines the desired state of ModifySet.
properties:
applyTo:
description: ApplyTo lists the specific groups, versions and kinds a mutation will be applied to. This is necessary because every mutation implies part of an object schema and object schemas are associated with specific GVKs.
items:
description: ApplyTo determines what GVKs items the mutation should apply to. Globs are not allowed.
properties:
groups:
items:
type: string
type: array
kinds:
items:
type: string
type: array
versions:
items:
type: string
type: array
type: object
type: array
location:
description: 'Location describes the path to be mutated, for example: `spec.containers[name: main].args`.'
type: string
match:
description: Match allows the user to limit which resources get mutated. Individual match criteria are AND-ed together. An undefined match criteria matches everything.
properties:
excludedNamespaces:
description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.'
items:
description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.'
pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$
type: string
type: array
kinds:
items:
description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope.
properties:
apiGroups:
description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required.
items:
type: string
type: array
kinds:
items:
type: string
type: array
type: object
type: array
labelSelector:
description: 'LabelSelector is the combination of two optional fields: `matchLabels` and `matchExpressions`. These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector.'
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
items:
description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
properties:
key:
description: key is the label key that the selector applies to.
type: string
operator:
description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
name:
description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.'
pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$
type: string
namespaceSelector:
description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace.
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
items:
description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
properties:
key:
description: key is the label key that the selector applies to.
type: string
operator:
description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
namespaces:
description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.'
items:
description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.'
pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$
type: string
type: array
scope:
description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`)
type: string
source:
description: Source determines whether generated or original resources are matched. Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of `Generated` will only match generated resources, while `Original` will only match regular resources.
enum:
- All
- Generated
- Original
type: string
type: object
parameters:
description: Parameters define the behavior of the mutator.
properties:
operation:
default: merge
description: Operation describes whether values should be merged in ("merge"), or pruned ("prune"). Default value is "merge"
enum:
- merge
- prune
type: string
pathTests:
description: PathTests are a series of existence tests that can be checked before a mutation is applied
items:
description: "PathTest allows the user to customize how the mutation works if parent paths are missing. It traverses the list in order. All sub paths are tested against the provided condition, if the test fails, the mutation is not applied. All `subPath` entries must be a prefix of `location`. Any glob characters will take on the same value as was used to expand the matching glob in `location`. \n Available Tests: * MustExist - the path must exist or do not mutate * MustNotExist - the path must not exist or do not mutate."
properties:
condition:
description: Condition describes whether the path either MustExist or MustNotExist in the original object
enum:
- MustExist
- MustNotExist
type: string
subPath:
type: string
type: object
type: array
values:
description: Values describes the values provided to the operation as `values.fromList`.
type: object
x-kubernetes-preserve-unknown-fields: true
type: object
type: object
status:
description: ModifySetStatus defines the observed state of ModifySet.
properties:
byPod:
items:
description: MutatorPodStatusStatus defines the observed state of MutatorPodStatus.
properties:
enforced:
type: boolean
errors:
items:
description: MutatorError represents a single error caught while adding a mutator to a system.
properties:
message:
type: string
type:
description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type.
type: string
required:
- message
type: object
type: array
id:
type: string
mutatorUID:
description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch
type: string
observedGeneration:
format: int64
type: integer
operations:
items:
type: string
type: array
type: object
type: array
type: object
type: object
served: true
storage: true
subresources:
status: {}
- name: v1alpha1
schema:
openAPIV3Schema:
description: ModifySet allows the user to modify non-keyed lists, such as the list of arguments to a container.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: ModifySetSpec defines the desired state of ModifySet.
properties:
applyTo:
description: ApplyTo lists the specific groups, versions and kinds a mutation will be applied to. This is necessary because every mutation implies part of an object schema and object schemas are associated with specific GVKs.
items:
description: ApplyTo determines what GVKs items the mutation should apply to. Globs are not allowed.
properties:
groups:
items:
type: string
type: array
kinds:
items:
type: string
type: array
versions:
items:
type: string
type: array
type: object
type: array
location:
description: 'Location describes the path to be mutated, for example: `spec.containers[name: main].args`.'
type: string
match:
description: Match allows the user to limit which resources get mutated. Individual match criteria are AND-ed together. An undefined match criteria matches everything.
properties:
excludedNamespaces:
description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.'
items:
description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.'
pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$
type: string
type: array
kinds:
items:
description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope.
properties:
apiGroups:
description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required.
items:
type: string
type: array
kinds:
items:
type: string
type: array
type: object
type: array
labelSelector:
description: 'LabelSelector is the combination of two optional fields: `matchLabels` and `matchExpressions`. These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector.'
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
items:
description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
properties:
key:
description: key is the label key that the selector applies to.
type: string
operator:
description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
name:
description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.'
pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$
type: string
namespaceSelector:
description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace.
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
items:
description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
properties:
key:
description: key is the label key that the selector applies to.
type: string
operator:
description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
namespaces:
description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.'
items:
description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.'
pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$
type: string
type: array
scope:
description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`)
type: string
source:
description: Source determines whether generated or original resources are matched. Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of `Generated` will only match generated resources, while `Original` will only match regular resources.
enum:
- All
- Generated
- Original
type: string
type: object
parameters:
description: Parameters define the behavior of the mutator.
properties:
operation:
default: merge
description: Operation describes whether values should be merged in ("merge"), or pruned ("prune"). Default value is "merge"
enum:
- merge
- prune
type: string
pathTests:
description: PathTests are a series of existence tests that can be checked before a mutation is applied
items:
description: "PathTest allows the user to customize how the mutation works if parent paths are missing. It traverses the list in order. All sub paths are tested against the provided condition, if the test fails, the mutation is not applied. All `subPath` entries must be a prefix of `location`. Any glob characters will take on the same value as was used to expand the matching glob in `location`. \n Available Tests: * MustExist - the path must exist or do not mutate * MustNotExist - the path must not exist or do not mutate."
properties:
condition:
description: Condition describes whether the path either MustExist or MustNotExist in the original object
enum:
- MustExist
- MustNotExist
type: string
subPath:
type: string
type: object
type: array
values:
description: Values describes the values provided to the operation as `values.fromList`.
type: object
x-kubernetes-preserve-unknown-fields: true
type: object
type: object
status:
description: ModifySetStatus defines the observed state of ModifySet.
properties:
byPod:
items:
description: MutatorPodStatusStatus defines the observed state of MutatorPodStatus.
properties:
enforced:
type: boolean
errors:
items:
description: MutatorError represents a single error caught while adding a mutator to a system.
properties:
message:
type: string
type:
description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type.
type: string
required:
- message
type: object
type: array
id:
type: string
mutatorUID:
description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch
type: string
observedGeneration:
format: int64
type: integer
operations:
items:
type: string
type: array
type: object
type: array
type: object
type: object
served: true
storage: false
subresources:
status: {}
- name: v1beta1
schema:
openAPIV3Schema:
description: ModifySet allows the user to modify non-keyed lists, such as the list of arguments to a container.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: ModifySetSpec defines the desired state of ModifySet.
properties:
applyTo:
description: ApplyTo lists the specific groups, versions and kinds a mutation will be applied to. This is necessary because every mutation implies part of an object schema and object schemas are associated with specific GVKs.
items:
description: ApplyTo determines what GVKs items the mutation should apply to. Globs are not allowed.
properties:
groups:
items:
type: string
type: array
kinds:
items:
type: string
type: array
versions:
items:
type: string
type: array
type: object
type: array
location:
description: 'Location describes the path to be mutated, for example: `spec.containers[name: main].args`.'
type: string
match:
description: Match allows the user to limit which resources get mutated. Individual match criteria are AND-ed together. An undefined match criteria matches everything.
properties:
excludedNamespaces:
description: 'ExcludedNamespaces is a list of namespace names. If defined, a constraint only applies to resources not in a listed namespace. ExcludedNamespaces also supports a prefix or suffix based glob. For example, `excludedNamespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.'
items:
description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.'
pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$
type: string
type: array
kinds:
items:
description: Kinds accepts a list of objects with apiGroups and kinds fields that list the groups/kinds of objects to which the mutation will apply. If multiple groups/kinds objects are specified, only one match is needed for the resource to be in scope.
properties:
apiGroups:
description: APIGroups is the API groups the resources belong to. '*' is all groups. If '*' is present, the length of the slice must be one. Required.
items:
type: string
type: array
kinds:
items:
type: string
type: array
type: object
type: array
labelSelector:
description: 'LabelSelector is the combination of two optional fields: `matchLabels` and `matchExpressions`. These two fields provide different methods of selecting or excluding k8s objects based on the label keys and values included in object metadata. All selection expressions from both sections are ANDed to determine if an object meets the cumulative requirements of the selector.'
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
items:
description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
properties:
key:
description: key is the label key that the selector applies to.
type: string
operator:
description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
name:
description: 'Name is the name of an object. If defined, it will match against objects with the specified name. Name also supports a prefix or suffix glob. For example, `name: pod-*` would match both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` and `b-pod`.'
pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$
type: string
namespaceSelector:
description: NamespaceSelector is a label selector against an object's containing namespace or the object itself, if the object is a namespace.
properties:
matchExpressions:
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
items:
description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
properties:
key:
description: key is the label key that the selector applies to.
type: string
operator:
description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
namespaces:
description: 'Namespaces is a list of namespace names. If defined, a constraint only applies to resources in a listed namespace. Namespaces also supports a prefix or suffix based glob. For example, `namespaces: [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: [*-system]` matches both `kube-system` and `gatekeeper-system`.'
items:
description: 'A string that supports globbing at its front or end. Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" will match "kube-system" or "gatekeeper-system". The asterisk is required for wildcard matching.'
pattern: ^(\*|\*-)?[a-z0-9]([-:a-z0-9]*[a-z0-9])?(\*|-\*)?$
type: string
type: array
scope:
description: Scope determines if cluster-scoped and/or namespaced-scoped resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. (defaults to `*`)
type: string
source:
description: Source determines whether generated or original resources are matched. Accepts `Generated`|`Original`|`All` (defaults to `All`). A value of `Generated` will only match generated resources, while `Original` will only match regular resources.
enum:
- All
- Generated
- Original
type: string
type: object
parameters:
description: Parameters define the behavior of the mutator.
properties:
operation:
default: merge
description: Operation describes whether values should be merged in ("merge"), or pruned ("prune"). Default value is "merge"
enum:
- merge
- prune
type: string
pathTests:
description: PathTests are a series of existence tests that can be checked before a mutation is applied
items:
description: "PathTest allows the user to customize how the mutation works if parent paths are missing. It traverses the list in order. All sub paths are tested against the provided condition, if the test fails, the mutation is not applied. All `subPath` entries must be a prefix of `location`. Any glob characters will take on the same value as was used to expand the matching glob in `location`. \n Available Tests: * MustExist - the path must exist or do not mutate * MustNotExist - the path must not exist or do not mutate."
properties:
condition:
description: Condition describes whether the path either MustExist or MustNotExist in the original object
enum:
- MustExist
- MustNotExist
type: string
subPath:
type: string
type: object
type: array
values:
description: Values describes the values provided to the operation as `values.fromList`.
type: object
x-kubernetes-preserve-unknown-fields: true
type: object
type: object
status:
description: ModifySetStatus defines the observed state of ModifySet.
properties:
byPod:
items:
description: MutatorPodStatusStatus defines the observed state of MutatorPodStatus.
properties:
enforced:
type: boolean
errors:
items:
description: MutatorError represents a single error caught while adding a mutator to a system.
properties:
message:
type: string
type:
description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type.
type: string
required:
- message
type: object
type: array
id:
type: string
mutatorUID:
description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch
type: string
observedGeneration:
format: int64
type: integer
operations:
items:
type: string
type: array
type: object
type: array
type: object
type: object
served: true
storage: false
subresources:
status: {}

65
charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/crd-manifest/mutatorpodstatus-customresourcedefinition.yaml Normal file
View File

@ -0,0 +1,65 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.10.0
labels:
gatekeeper.sh/system: "yes"
name: mutatorpodstatuses.status.gatekeeper.sh
spec:
group: status.gatekeeper.sh
names:
kind: MutatorPodStatus
listKind: MutatorPodStatusList
plural: mutatorpodstatuses
singular: mutatorpodstatus
preserveUnknownFields: false
scope: Namespaced
versions:
- name: v1beta1
schema:
openAPIV3Schema:
description: MutatorPodStatus is the Schema for the mutationpodstatuses API.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
status:
description: MutatorPodStatusStatus defines the observed state of MutatorPodStatus.
properties:
enforced:
type: boolean
errors:
items:
description: MutatorError represents a single error caught while adding a mutator to a system.
properties:
message:
type: string
type:
description: Type indicates a specific class of error for use by controller code. If not present, the error should be treated as not matching any known type.
type: string
required:
- message
type: object
type: array
id:
type: string
mutatorUID:
description: Storing the mutator UID allows us to detect drift, such as when a mutator has been recreated after its CRD was deleted out from under it, interrupting the watch
type: string
observedGeneration:
format: int64
type: integer
operations:
items:
type: string
type: array
type: object
type: object
served: true
storage: true

78
charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/crd-manifest/provider-customresourcedefinition.yaml Normal file
View File

@ -0,0 +1,78 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.11.3
labels:
gatekeeper.sh/system: "yes"
name: providers.externaldata.gatekeeper.sh
spec:
group: externaldata.gatekeeper.sh
names:
kind: Provider
listKind: ProviderList
plural: providers
singular: provider
preserveUnknownFields: false
scope: Cluster
versions:
- deprecated: true
deprecationWarning: externaldata.gatekeeper.sh/v1alpha1 is deprecated. Use externaldata.gatekeeper.sh/v1beta1 instead.
name: v1alpha1
schema:
openAPIV3Schema:
description: Provider is the Schema for the Provider API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: Spec defines the Provider specifications.
properties:
caBundle:
description: CABundle is a base64-encoded string that contains the TLS CA bundle in PEM format. It is used to verify the signature of the provider's certificate.
type: string
timeout:
description: Timeout is the timeout when querying the provider.
type: integer
url:
description: URL is the url for the provider. URL is prefixed with https://.
type: string
type: object
type: object
served: true
storage: false
- name: v1beta1
schema:
openAPIV3Schema:
description: Provider is the Schema for the providers API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: Spec defines the Provider specifications.
properties:
caBundle:
description: CABundle is a base64-encoded string that contains the TLS CA bundle in PEM format. It is used to verify the signature of the provider's certificate.
type: string
timeout:
description: Timeout is the timeout when querying the provider.
type: integer
url:
description: URL is the url for the provider. URL is prefixed with https://.
type: string
type: object
type: object
served: true
storage: true

22
charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/templates/_helpers.tpl Normal file
View File

@ -0,0 +1,22 @@
# Rancher
{{- define "system_default_registry" -}}
{{- if .Values.global.cattle.systemDefaultRegistry -}}
{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}}
{{- end -}}
{{- end -}}
{{/*
Windows cluster will add default taint for linux nodes,
add below linux tolerations to workloads could be scheduled to those linux nodes
*/}}
{{- define "linux-node-tolerations" -}}
- key: "cattle.io/os"
value: "linux"
effect: "NoSchedule"
operator: "Equal"
{{- end -}}
{{- define "linux-node-selector" -}}
kubernetes.io/os: linux
{{- end -}}

126
charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/templates/jobs.yaml Normal file
View File

@ -0,0 +1,126 @@
apiVersion: batch/v1
kind: Job
metadata:
name: {{ .Chart.Name }}-create
namespace: {{ .Release.Namespace }}
labels:
app: {{ .Chart.Name }}
annotations:
"helm.sh/hook": post-install, post-upgrade, post-rollback
"helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded
spec:
template:
metadata:
name: {{ .Chart.Name }}-create
labels:
app: {{ .Chart.Name }}
spec:
serviceAccountName: {{ .Chart.Name }}-manager
nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
{{- if .Values.nodeSelector }}
{{ toYaml .Values.nodeSelector | indent 8 }}
{{- end }}
tolerations: {{ include "linux-node-tolerations" . | nindent 8 }}
{{- if .Values.tolerations }}
{{ toYaml .Values.tolerations | indent 8 }}
{{- end }}
securityContext:
runAsNonRoot: true
runAsUser: 1000
containers:
- name: create-crds
image: {{ template "system_default_registry" . }}{{ .Values.image.repository }}:{{ .Values.image.tag }}
imagePullPolicy: IfNotPresent
command:
- /bin/kubectl
- apply
- -f
- /etc/config/crd-manifest.yaml
volumeMounts:
- name: crd-manifest
readOnly: true
mountPath: /etc/config
securityContext:
{{- if .Values.enableRuntimeDefaultSeccompProfile }}
seccompProfile:
type: RuntimeDefault
{{- end }}
{{- toYaml .Values.securityContext | nindent 12 }}
restartPolicy: OnFailure
volumes:
- name: crd-manifest
configMap:
name: {{ .Chart.Name }}-manifest
---
apiVersion: batch/v1
kind: Job
metadata:
name: {{ .Chart.Name }}-delete
namespace: {{ .Release.Namespace }}
labels:
app: {{ .Chart.Name }}
annotations:
"helm.sh/hook": pre-delete
"helm.sh/hook-delete-policy": hook-succeeded
spec:
template:
metadata:
name: {{ .Chart.Name }}-delete
labels:
app: {{ .Chart.Name }}
spec:
serviceAccountName: {{ .Chart.Name }}-manager
nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
{{- if .Values.nodeSelector }}
{{ toYaml .Values.nodeSelector | indent 8 }}
{{- end }}
tolerations: {{ include "linux-node-tolerations" . | nindent 8 }}
{{- if .Values.tolerations }}
{{ toYaml .Values.tolerations | indent 8 }}
{{- end }}
securityContext:
runAsNonRoot: true
runAsUser: 1000
initContainers:
- name: remove-finalizers
image: {{ template "system_default_registry" . }}{{ .Values.image.repository }}:{{ .Values.image.tag }}
imagePullPolicy: IfNotPresent
command:
- /bin/kubectl
- apply
- -f
- /etc/config/crd-manifest.yaml
volumeMounts:
- name: crd-manifest
readOnly: true
mountPath: /etc/config
securityContext:
{{- if .Values.enableRuntimeDefaultSeccompProfile }}
seccompProfile:
type: RuntimeDefault
{{- end }}
{{- toYaml .Values.securityContext | nindent 12 }}
containers:
- name: delete-crds
image: {{ template "system_default_registry" . }}{{ .Values.image.repository }}:{{ .Values.image.tag }}
imagePullPolicy: IfNotPresent
command:
- /bin/kubectl
- delete
- -f
- /etc/config/crd-manifest.yaml
volumeMounts:
- name: crd-manifest
readOnly: true
mountPath: /etc/config
securityContext:
{{- if .Values.enableRuntimeDefaultSeccompProfile }}
seccompProfile:
type: RuntimeDefault
{{- end }}
{{- toYaml .Values.securityContext | nindent 12 }}
restartPolicy: OnFailure
volumes:
- name: crd-manifest
configMap:
name: {{ .Chart.Name }}-manifest

14
charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/templates/manifest.yaml Normal file
View File

@ -0,0 +1,14 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ .Chart.Name }}-manifest
namespace: {{ .Release.Namespace }}
data:
crd-manifest.yaml: |
{{- $currentScope := . -}}
{{- $crds := (.Files.Glob "crd-manifest/**.yaml") -}}
{{- range $path, $_ := $crds -}}
{{- with $currentScope -}}
{{ .Files.Get $path | nindent 4 }}
---
{{- end -}}{{- end -}}

76
charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/templates/rbac.yaml Normal file
View File

@ -0,0 +1,76 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ .Chart.Name }}-manager
labels:
app: {{ .Chart.Name }}-manager
rules:
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
verbs: ['create', 'get', 'patch', 'delete']
{{- if .Values.global.cattle.psp.enabled }}
- apiGroups: ['policy']
resources: ['podsecuritypolicies']
verbs: ['use']
resourceNames:
- {{ .Chart.Name }}-manager
{{- end }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ .Chart.Name }}-manager
labels:
app: {{ .Chart.Name }}-manager
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ .Chart.Name }}-manager
subjects:
- kind: ServiceAccount
name: {{ .Chart.Name }}-manager
namespace: {{ .Release.Namespace }}
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ .Chart.Name }}-manager
namespace: {{ .Release.Namespace }}
labels:
app: {{ .Chart.Name }}-manager
---
{{- if .Values.global.cattle.psp.enabled }}
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: {{ .Chart.Name }}-manager
namespace: {{ .Release.Namespace }}
labels:
app: {{ .Chart.Name }}-manager
spec:
privileged: false
allowPrivilegeEscalation: false
hostNetwork: false
hostIPC: false
hostPID: false
runAsUser:
rule: 'MustRunAsNonRoot'
seLinux:
rule: 'RunAsAny'
supplementalGroups:
rule: 'MustRunAs'
ranges:
- min: 1
max: 65535
fsGroup:
rule: 'MustRunAs'
ranges:
- min: 1
max: 65535
readOnlyRootFilesystem: false
volumes:
- 'configMap'
- 'secret'
{{- end }}

7
charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/templates/validate-psp-install.yaml Normal file
View File

@ -0,0 +1,7 @@
#{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}}
#{{- if .Values.global.cattle.psp.enabled }}
#{{- if not (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }}
#{{- fail "The target cluster does not have the PodSecurityPolicy API resource. Please disable PSPs in this chart before proceeding." -}}
#{{- end }}
#{{- end }}
#{{- end }}

21
charts/rancher-gatekeeper-crd/103.1.0+up3.13.0/values.yaml Normal file
View File

@ -0,0 +1,21 @@
# Default values for rancher-gatekeeper-crd.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
global:
cattle:
systemDefaultRegistry: ""
psp:
enabled: false
image:
repository: rancher/kubectl
tag: v1.20.2
enableRuntimeDefaultSeccompProfile: true
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL

21
charts/rancher-gatekeeper/103.1.0+up3.13.0/.helmignore Normal file
View File

@ -0,0 +1,21 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*~
# Various IDEs
.project
.idea/
*.tmproj

15
charts/rancher-gatekeeper/103.1.0+up3.13.0/CHANGELOG.md Normal file
View File

@ -0,0 +1,15 @@
# Changelog
All notable changes from the upstream OPA Gatekeeper chart will be added to this file
## [Package Version 00] - 2020-09-10
### Added
- Enabled the CRD chart generator in `package.yaml`
### Modified
- Updated namespace to `cattle-gatekeeper-system`
- Updated for Helm 3 compatibility
- Moved crds to `crds` directory
- Removed `crd-install` hooks and templates from crds
### Removed
- Removed `gatekeeper-system-namespace.yaml` as Rancher handles namespaces for chart installation

26
charts/rancher-gatekeeper/103.1.0+up3.13.0/Chart.yaml Normal file
View File

@ -0,0 +1,26 @@
annotations:
catalog.cattle.io/auto-install: rancher-gatekeeper-crd=match
catalog.cattle.io/certified: rancher
catalog.cattle.io/display-name: OPA Gatekeeper
catalog.cattle.io/kube-version: '>= 1.20.0-0'
catalog.cattle.io/namespace: cattle-gatekeeper-system
catalog.cattle.io/os: linux
catalog.cattle.io/permits-os: linux,windows
catalog.cattle.io/provides-gvr: config.gatekeeper.sh.config/v1alpha1
catalog.cattle.io/rancher-version: '>= 2.8.0-0 < 2.9.0-0'
catalog.cattle.io/release-name: rancher-gatekeeper
catalog.cattle.io/type: cluster-tool
catalog.cattle.io/ui-component: gatekeeper
apiVersion: v2
appVersion: v3.13.0
description: Modifies Open Policy Agent's upstream gatekeeper chart that provides
policy-based control for cloud native environments
home: https://github.com/open-policy-agent/gatekeeper
icon: https://charts.rancher.io/assets/logos/gatekeeper.svg
keywords:
- open policy agent
- security
name: rancher-gatekeeper
sources:
- https://github.com/open-policy-agent/gatekeeper.git
version: 103.1.0+up3.13.0

226
charts/rancher-gatekeeper/103.1.0+up3.13.0/README.md Normal file
View File

@ -0,0 +1,226 @@
# Gatekeeper Helm Chart
## Get Repo Info
```console
helm repo add gatekeeper https://open-policy-agent.github.io/gatekeeper/charts
helm repo update
```
_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._
## Install Chart
```console
# Helm install with gatekeeper-system namespace already created
$ helm install -n gatekeeper-system [RELEASE_NAME] gatekeeper/gatekeeper
# Helm install and create namespace
$ helm install -n gatekeeper-system [RELEASE_NAME] gatekeeper/gatekeeper --create-namespace
```
_See [parameters](#parameters) below._
_See [helm install](https://helm.sh/docs/helm/helm_install/) for command documentation._
## Upgrade Chart
**Upgrading from < v3.4.0**
Chart 3.4.0 deprecates support for Helm 2 and also removes the creation of the `gatekeeper-system` Namespace from within
the chart. This follows Helm 3 Best Practices.
Option 1:
A simple way to upgrade is to uninstall first and re-install with 3.4.0 or greater.
```console
$ helm uninstall gatekeeper
$ helm install -n gatekeeper-system [RELEASE_NAME] gatekeeper/gatekeeper --create-namespace
```
Option 2:
Run the `helm_migrate.sh` script before installing the 3.4.0 or greater chart. This will remove the Helm secret for the
original release, while keeping all of the resources. It then updates the annotations of the resources so that the new
chart can import and manage them.
```console
$ helm_migrate.sh
$ helm install -n gatekeeper-system gatekeeper gatekeeper/gatekeeper
```
**Upgrading from >= v3.4.0**
```console
$ helm upgrade -n gatekeeper-system [RELEASE_NAME] gatekeeper/gatekeeper
```
_See [helm 2 to 3](https://helm.sh/docs/topics/v2_v3_migration/) for Helm 2 migration documentation._
## Exempting Namespace
The Helm chart automatically sets the Gatekeeper flag `--exempt-namespace={{ .Release.Namespace }}` in order to exempt
the namespace where the chart is installed, and adds the `admission.gatekeeper.sh/ignore` label to the namespace during
a post-install hook.
_See [Exempting Namespaces](https://open-policy-agent.github.io/gatekeeper/website/docs/exempt-namespaces) for more
information._
## Parameters
| Parameter | Description | Default |
|:-----------------------------------------------------------|:-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:----------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| postInstall.labelNamespace.enabled | Add labels to the namespace during post install hooks | `true` |
| postInstall.labelNamespace.extraNamespaces | The extra namespaces that need to have the label during post install hooks | `[]` |
| postInstall.labelNamespace.extraAnnotations | Extra annotations added to the post install Job | `{}` |
| postInstall.labelNamespace.image.repository | Image with kubectl to label the namespace | `openpolicyagent/gatekeeper-crds` |
| postInstall.labelNamespace.image.tag | Image tag | Current release version: `v3.13.0` |
| postInstall.labelNamespace.image.pullPolicy | Image pullPolicy | `IfNotPresent` |
| postInstall.labelNamespace.image.pullSecrets | Image pullSecrets | `[]` |
| postInstall.labelNamespace.extraRules | Extra rules for the gatekeeper-update-namespace-label Role | `[]` |
| postInstall.labelNamespace.priorityClassName | Priority class name for gatekeeper-update-namespace-label Job | `` |
| postInstall.probeWebhook.enabled | Probe webhook API post install. When enabled along with `postInstall.labelNamespace.enabled`, this probe will run as part of `postInstall.labelNamespace` Job as an initContainer | `true` |
| postInstall.probeWebhook.image.repository | Image with curl to probe the webhook API | `curlimages/curl` |
| postInstall.probeWebhook.image.tag | Image tag | `7.83.1` |
| postInstall.probeWebhook.image.pullPolicy | Image pullPolicy | `IfNotPresent` |
| postInstall.probeWebhook.image.pullSecrets | Image pullSecrets | `[]` |
| postInstall.probeWebhook.waitTimeout | Total time to wait for the webhook API to become available | `60` |
| postInstall.probeWebhook.httpTimeout | HTTP client timeout | `2` |
| postInstall.probeWebhook.insecureHTTPS | Ignore server SSL certificate | `false` |
| postInstall.probeWebhook.priorityClassName | Priority class name for gatekeeper-probe-webhook-post-install Job | `` |
| postInstall.affinity | The affinity to use for pod scheduling in postInstall hook jobs | `{}` |
| postInstall.tolerations | The tolerations to use for pod scheduling in postInstall hook jobs | `[]` |
| postInstall.nodeSelector | The node selector to use for pod scheduling in postInstall hook jobs | `kubernetes.io/os: linux` |
| postInstall.resources | The resource request/limits for the container image in postInstall hook jobs | `{}` |
| postInstall.securityContext | Security context applied on the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 }` |
| postUpgrade.labelNamespace.enabled | Add labels to the namespace during post upgrade hooks | `false` |
| postUpgrade.labelNamespace.extraNamespaces | The extra namespaces that need to have the label during post upgrade hooks | `[]` |
| postUpgrade.labelNamespace.extraAnnotations | Extra annotations added to the post upgrade Job | `{}` |
| postUpgrade.labelNamespace.image.repository | Image with kubectl to label the namespace | `openpolicyagent/gatekeeper-crds` |
| postUpgrade.labelNamespace.image.tag | Image tag | Current release version: `v3.13.0` |
| postUpgrade.labelNamespace.image.pullPolicy | Image pullPolicy | `IfNotPresent` |
| postUpgrade.labelNamespace.image.pullSecrets | Image pullSecrets | `[]` |
| postUpgrade.labelNamespace.priorityClassName | Priority class name for gatekeeper-update-namespace-label-post-upgrade Job | `` |
| postUpgrade.affinity | The affinity to use for pod scheduling in postUpgrade hook jobs | `{}` |
| postUpgrade.tolerations | The tolerations to use for pod scheduling in postUpgrade hook jobs | `[]` |
| postUpgrade.nodeSelector | The node selector to use for pod scheduling in postUpgrade hook jobs | `kubernetes.io/os: linux` |
| postUpgrade.resources | The resource request/limits for the container image in postUpgrade hook jobs | `{}` |
| postUpgrade.securityContext | Security context applied on the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 }` |
| preInstall.crdRepository.image.repository | Image with kubectl to update the CRDs. If not set, the `image.crdRepository` is used instead. | `null` |
| preInstall.crdRepository.image.tag | Image tag | Current release version: `v3.13.0` |
| preUninstall.deleteWebhookConfigurations.enabled | Delete webhooks before gatekeeper itself is uninstalled | `false` |
| preUninstall.deleteWebhookConfigurations.image.repository | Image with kubectl to delete the webhooks | `openpolicyagent/gatekeeper-crds` |
| preUninstall.deleteWebhookConfigurations.image.tag | Image tag | Current release version: `v3.13.0` |
| preUninstall.deleteWebhookConfigurations.image.pullPolicy | Image pullPolicy | `IfNotPresent` |
| preUninstall.deleteWebhookConfigurations.image.pullSecrets | Image pullSecrets | `[]` |
| preUninstall.deleteWebhookConfigurations.extraRules | Extra rules for the gatekeeper-delete-webhook-configs Role | `[]` |
| preUninstall.deleteWebhookConfigurations.priorityClassName | Priority class name for gatekeeper-delete-webhook-configs Job | `` |
| preUninstall.affinity | The affinity to use for pod scheduling in preUninstall hook jobs | `{}` |
| preUninstall.tolerations | The tolerations to use for pod scheduling in preUninstall hook jobs | `[]` |
| preUninstall.nodeSelector | The node selector to use for pod scheduling in preUninstall hook jobs | `kubernetes.io/os: linux` |
| preUninstall.resources | The resource request/limits for the container image in preUninstall hook jobs | `{}` |
| preUninstall.securityContext | Security context applied on the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 }` |
| psp.enabled | Enabled PodSecurityPolicy | `true` |
| upgradeCRDs.enabled | Upgrade CRDs using pre-install/pre-upgrade hooks | `true` |
| upgradeCRDs.extraRules | Extra rules for the gatekeeper-admin-upgrade-crds ClusterRole | `[]` |
| upgradeCRDs.priorityClassName | Priority class name for gatekeeper-update-crds-hook Job | `` |
| crds.affinity | The affinity to use for pod scheduling in crds hook jobs | `{}` |
| crds.tolerations | The tolerations to use for pod scheduling in crds hook jobs | `[]` |
| crds.nodeSelector | The node selector to use for pod scheduling in crds hook jobs | `kubernetes.io/os: linux` |
| crds.resources | The resource request/limits for the container image in crds hook jobs | `{}` |
| crds.securityContext | Security context applied to the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 65532, "runAsNonRoot": true, "runAsUser": 65532 }` |
| auditInterval | The frequency with which audit is run | `300` |
| constraintViolationsLimit | The maximum # of audit violations reported on a constraint | `20` |
| auditFromCache | Take the roster of resources to audit from the audit cache | `false` |
| auditChunkSize | Chunk size for listing cluster resources for audit (alpha feature) | `500` |
| auditMatchKindOnly | Only check resources of the kinds specified in all constraints defined in the cluster. | `false` |
| disableValidatingWebhook | Disable the validating webhook | `false` |
| disableMutation | Disable mutation | `false` |
| validatingWebhookName | The name of the `ValidatingWebhookConfiguration` | `gatekeeper-validating-webhook-configuration` |
| validatingWebhookTimeoutSeconds | The timeout for the validating webhook in seconds | `3` |
| validatingWebhookFailurePolicy | The failurePolicy for the validating webhook | `Ignore` |
| validatingWebhookAnnotations | The annotations to add to the ValidatingWebhookConfiguration | `{}` |
| validatingWebhookObjectSelector | The label selector to further refine which namespaced resources will be selected by the webhook. Please note that an exemption label means users can circumvent Gatekeeper's validation webhook unless measures are taken to control how exemption labels can be set. | `{}` |
| validatingWebhookCheckIgnoreFailurePolicy | The failurePolicy for the check-ignore-label validating webhook | `Fail` |
| validatingWebhookExemptNamespacesLabels | Additional namespace labels that will be exempt from the validating webhook. Please note that anyone in the cluster capable to manage namespaces will be able to skip all Gatekeeper validation by setting one of these labels for their namespace. | `{}` |
| validatingWebhookCustomRules | Custom rules for selecting which API resources trigger the webhook. Mutually exclusive with `enableDeleteOperations`. NOTE: If you change this, ensure all your constraints are still being enforced. | `{}` |
| validatingWebhookURL | Custom URL for Kubernetes API server to use to reach the validating webhook pod. If not set, the default of connecting via the kubernetes service endpoint is used. | `null` |
| enableDeleteOperations | Enable validating webhook for delete operations. Does not work with `validatingWebhookCustomRules` | `false` |
| enableExternalData | Enable external data | `true` |
| enableGeneratorResourceExpansion | Enable generator resource expansion (beta feature) | `true` |
| enableTLSHealthcheck | Enable probing webhook API with certificate stored in certDir | `false` |
| maxServingThreads | Limit the number of concurrent calls the validation backend made by the validation webhook. -1 limits this value to GOMAXPROCS. Configuring this value may lower max RAM usage and limit CPU throttling, Tuning it can optimize serving capacity. | `-1` |
| metricsBackends | Metrics exporters to use. Valid exporters are: `prometheus`, `stackdriver`, and `opencensus` | `["prometheus"]` |
| mutatingWebhookName | The name of the `MutatingWebhookConfiguration` | `gatekeeper-mutating-webhook-configuration` |
| mutatingWebhookFailurePolicy | The failurePolicy for the mutating webhook | `Ignore` |
| mutatingWebhookReinvocationPolicy | The reinvocationPolicy for the mutating webhook | `Never` |
| mutatingWebhookAnnotations | The annotations to add to the MutatingWebhookConfiguration | `{}` |
| mutatingWebhookExemptNamespacesLabels | Additional namespace labels that will be exempt from the mutating webhook. Please note that anyone in the cluster capable to manage namespaces will be able to skip all Gatekeeper validation by setting one of these labels for their namespace. | `{}` |
| mutatingWebhookObjectSelector | The label selector to further refine which namespaced resources will be selected by the webhook. Please note that an exemption label means users can circumvent Gatekeeper's mutation webhook unless measures are taken to control how exemption labels can be set. | `{}` |
| mutatingWebhookTimeoutSeconds | The timeout for the mutating webhook in seconds | `3` |
| mutatingWebhookCustomRules | Custom rules for selecting which API resources trigger the webhook. NOTE: If you change this, ensure all your constraints are still being enforced. | `{}` |
| mutatingWebhookURL | Custom URL for Kubernetes API server to use to reach the mutating webhook pod. If not set, the default of connecting via the kubernetes service endpoint is used. | `null` |
| emitAdmissionEvents | Emit K8s events in configurable namespace for admission violations (alpha feature) | `false` |
| emitAuditEvents | Emit K8s events in configurable namespace for audit violations (alpha feature) | `false` |
| auditEventsInvolvedNamespace | Emit audit events for each violation in the involved objects namespace, the default (false) generates events in the namespace Gatekeeper is installed in. Audit events from cluster-scoped resources will continue to generate events in the namespace that Gatekeeper is installed in | `false` |
| admissionEventsInvolvedNamespace | Emit admission events for each violation in the involved objects namespace, the default (false) generates events in the namespace Gatekeeper is installed in. Admission events from cluster-scoped resources will continue to generate events in the namespace that Gatekeeper is installed in | `false` |
| logDenies | Log detailed info on each deny | `false` |
| logLevel | Minimum log level | `INFO` |
| image.pullPolicy | The image pull policy | `IfNotPresent` |
| image.repository | Image repository | `openpolicyagent/gatekeeper` |
| image.release | The image release tag to use | Current release version: `v3.13.0` |
| image.pullSecrets | Specify an array of imagePullSecrets | `[]` |
| resources | The resource request/limits for the container image | limits: 1 CPU, 512Mi, requests: 100mCPU, 256Mi |
| nodeSelector | The node selector to use for pod scheduling | `kubernetes.io/os: linux` |
| controllerManager.affinity | The node affinity to use for controller manager pod scheduling | `{}` |
| controllerManager.topologySpreadConstraints | The topology spread constraints to use for controller manager pod scheduling | `[]` |
| controllerManager.tolerations | The tolerations to use for controller manager pod scheduling | `[]` |
| controllerManager.healthPort | Health port for controller manager | `9090` |
| controllerManager.port | Webhook-server port for controller manager | `8443` |
| controllerManager.metricsPort | Metrics port for controller manager | `8888` |
| controllerManager.readinessTimeout | Timeout in seconds for the controller manager's readiness probe | `1` |
| controllerManager.livenessTimeout | Timeout in seconds for the controller manager's liveness probe | `1` |
| controllerManager.logLevel | The minimum log level for the controller manager, takes precedence over `logLevel` when specified | `null` |
| controllerManager.priorityClassName | Priority class name for controller manager | `system-cluster-critical` |
| controllerManager.podSecurityContext | Security context on pod level for controller manager | {fsGroup: 999, suplementalGroups: [999]} |
| controllerManager.exemptNamespaces | The exact namespaces to exempt by the admission webhook | `[]` |
| controllerManager.exemptNamespacePrefixes | The namespace prefixes to exempt by the admission webhook | `[]` |
| controllerManager.hostNetwork | Enables controllerManager to be deployed on hostNetwork | `false` |
| controllerManager.dnsPolicy | Set the dnsPolicy for controllerManager pods | `ClusterFirst` |
| controllerManager.securityContext | Security context applied on the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 }` |
| controllerManager.tlsMinVersion | Set the minimum supported TLS version for validating and mutating webhook servers | `1.3` |
| controllerManager.extraRules | Extra rules for the gatekeeper-manager-role Role | `[]` |
| controllerManager.networkPolicy.enabled | Should a network policy for the controller manager be created | `false` |
| controllerManager.networkPolicy.ingress | Additional ingress rules to be added to the controller manager network policy | `{}` |
| controllerManager.strategyType | The strategy type to use for Controller Manager deployment | `RollingUpdate` |
| audit.affinity | The node affinity to use for audit pod scheduling | `{}` |
| audit.topologySpreadConstraints | The topology spread constraints to use for audit pod scheduling | `[]` |
| audit.tolerations | The tolerations to use for audit pod scheduling | `[]` |
| audit.priorityClassName | Priority class name for audit controller | `system-cluster-critical` |
| audit.podSecurityContext | Security context for audit on pod level | {fsGroup: 999, suplementalGroups: [999]} |
| audit.hostNetwork | Enables audit to be deployed on hostNetwork | `false` |
| audit.dnsPolicy | Set the dnsPolicy for audit pods | `ClusterFirst` |
| audit.securityContext | Security context applied on the container | `{ "allowPrivilegeEscalation": false, "capabilities": "drop": [all], "readOnlyRootFilesystem": true, "runAsGroup": 999, "runAsNonRoot": true, "runAsUser": 1000 }` |
| audit.healthPort | Health port for audit | `9090` |
| audit.metricsPort | Metrics port for audit | `8888` |
| audit.readinessTimeout | Timeout in seconds for audit's readiness probe | `1` |
| audit.livenessTimeout | Timeout in seconds for the audit's liveness probe | `1` |
| audit.logLevel | The minimum log level for audit, takes precedence over `logLevel` when specified | `null` |
| replicas | The number of Gatekeeper replicas to deploy for the webhook | `3` |
| podAnnotations | The annotations to add to the Gatekeeper pods | `container.seccomp.security.alpha.kubernetes.io/manager: runtime/default` |
| podLabels | The labels to add to the Gatekeeper pods | `{}` |
| podCountLimit | The maximum number of Gatekeeper pods to run | `100` |
| secretAnnotations | The annotations to add to the Gatekeeper secrets | `{}` |
| pdb.controllerManager.minAvailable | The number of controller manager pods that must still be available after an eviction | `1` |
| service.type | Service type | `ClusterIP` |
| service.loadBalancerIP | The IP address of LoadBalancer service | `` |
| service.healthzPort | Service port to gatekeeper Webhook health port | `9090` |
| rbac.create | Enable the creation of RBAC resources | `true` |
| externalCertInjection.enabled | Enable the injection of an external certificate. This disables automatic certificate generation and rotation | `false` |
| externalCertInjection.secretName | Name of secret for injected certificate | `gatekeeper-webhook-server-cert` |
## Contributing Changes
Please refer
to [Contributing to Helm Chart](https://open-policy-agent.github.io/gatekeeper/website/docs/help#contributing-to-helm-chart)
for modifying the Helm chart.

32
charts/rancher-gatekeeper/103.1.0+up3.13.0/app-readme.md Normal file
View File

@ -0,0 +1,32 @@
# Rancher OPA Gatekeeper
This chart is based off of the upstream [OPA Gatekeeper](https://github.com/open-policy-agent/gatekeeper/tree/master/charts/gatekeeper) chart.
For more information on how to use the feature, refer to our [docs](https://rancher.com/docs/rancher/v2.x/en/opa-gatekeper/).
The chart installs the following components:
- OPA Gatekeeper Controller-Manager - OPA Gatekeeper is a policy engine for providing policy based governance for Kubernetes clusters. The controller installs as a [validating admission controller webhook](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#validatingadmissionwebhook) on the cluster and intercepts all admission requests that create, update or delete a resource in the cluster.
- [Audit](https://github.com/open-policy-agent/gatekeeper#audit) - A periodic audit of the cluster resources against the enforced policies. Any existing resource that violates a policy will be recorded as violations.
- [Constraint Template](https://github.com/open-policy-agent/gatekeeper#constraint-templates) - A template is a CRD (`ConstraintTemplate`) that defines the schema and Rego logic of a policy to be applied to the cluster by Gatekeeper's admission controller webhook. This chart installs a few default `ConstraintTemplate` custom resources.
- [Constraint](https://github.com/open-policy-agent/gatekeeper#constraints) - A constraint is a custom resource that defines the scope of resources which a specific constraint template should apply to. The complete policy is defined by a combination of `ConstraintTemplates` (i.e. what the policy is) and `Constraints` (i.e. what resource to apply the policy to).
For more information on how to configure the Helm chart, refer to the Helm README.
## Upgrading to Kubernetes v1.25+
Starting in Kubernetes v1.25, [Pod Security Policies](https://kubernetes.io/docs/concepts/security/pod-security-policy/) have been removed from the Kubernetes API.
As a result, **before upgrading to Kubernetes v1.25** (or on a fresh install in a Kubernetes v1.25+ cluster), users are expected to perform an in-place upgrade of this chart with `global.cattle.psp.enabled` set to `false` if it has been previously set to `true`.
> **Note:**
> In this chart release, any previous field that was associated with any PSP resources have been removed in favor of a single global field: `global.cattle.psp.enabled`.
> **Note:**
> If you upgrade your cluster to Kubernetes v1.25+ before removing PSPs via a `helm upgrade` (even if you manually clean up resources), **it will leave the Helm release in a broken state within the cluster such that further Helm operations will not work (`helm uninstall`, `helm upgrade`, etc.).**
>
> If your charts get stuck in this state, please consult the Rancher docs on how to clean up your Helm release secrets.
Upon setting `global.cattle.psp.enabled` to false, the chart will remove any PSP resources deployed on its behalf from the cluster. This is the default setting for this chart.
As a replacement for PSPs, [Pod Security Admission](https://kubernetes.io/docs/concepts/security/pod-security-admission/) should be used. Please consult the Rancher docs for more details on how to configure your chart release namespaces to work with the new Pod Security Admission and apply Pod Security Standards.

114
charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/_helpers.tpl Normal file
View File

@ -0,0 +1,114 @@
{{/*
Expand the name of the chart.
*/}}
{{- define "gatekeeper.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "gatekeeper.fullname" -}}
{{- if .Values.fullnameOverride -}}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "gatekeeper.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Adds additional pod labels to the common ones
*/}}
{{- define "gatekeeper.podLabels" -}}
{{- if .Values.podLabels }}
{{- toYaml .Values.podLabels | nindent 8 }}
{{- end }}
{{- end -}}
{{- define "system_default_registry" -}}
{{- if .Values.global.cattle.systemDefaultRegistry -}}
{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}}
{{- else -}}
{{- "" -}}
{{- end -}}
{{- end -}}
{{/*
Windows cluster will add default taint for linux nodes,
add below linux tolerations to workloads could be scheduled to those linux nodes
*/}}
{{- define "linux-node-tolerations" -}}
- key: "cattle.io/os"
value: "linux"
effect: "NoSchedule"
operator: "Equal"
{{- end -}}
{{- define "linux-node-selector" -}}
kubernetes.io/os: linux
{{- end -}}
{{/*
Output post install webhook probe container entry
*/}}
{{- define "gatekeeper.postInstallWebhookProbeContainer" -}}
- name: webhook-probe-post
image: "{{ template "system_default_registry" . }}{{ .Values.postInstall.probeWebhook.image.repository }}:{{ .Values.postInstall.probeWebhook.image.tag }}"
imagePullPolicy: {{ .Values.postInstall.probeWebhook.image.pullPolicy }}
command:
- "curl"
args:
- "--retry"
- "99999"
- "--retry-connrefused"
- "--retry-max-time"
- "{{ .Values.postInstall.probeWebhook.waitTimeout }}"
- "--retry-delay"
- "1"
- "--max-time"
- "{{ .Values.postInstall.probeWebhook.httpTimeout }}"
{{- if .Values.postInstall.probeWebhook.insecureHTTPS }}
- "--insecure"
{{- else }}
- "--cacert"
- /certs/ca.crt
{{- end }}
- "-v"
- "https://gatekeeper-webhook-service.{{ .Release.Namespace }}.svc/v1/admitlabel?timeout=2s"
resources:
{{- toYaml .Values.postInstall.resources | nindent 4 }}
securityContext:
{{- if .Values.enableRuntimeDefaultSeccompProfile }}
seccompProfile:
type: RuntimeDefault
{{- end }}
{{- toYaml .Values.postInstall.securityContext | nindent 4 }}
volumeMounts:
- mountPath: /certs
name: cert
readOnly: true
{{- end -}}
{{/*
Output post install webhook probe volume entry
*/}}
{{- define "gatekeeper.postInstallWebhookProbeVolume" -}}
- name: cert
secret:
secretName: {{ .Values.externalCertInjection.secretName }}
{{- end -}}

35
charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/allowedrepos.yaml Normal file
View File

@ -0,0 +1,35 @@
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
name: k8sallowedrepos
spec:
crd:
spec:
names:
kind: K8sAllowedRepos
validation:
# Schema for the `parameters` field
openAPIV3Schema:
properties:
repos:
type: array
items:
type: string
targets:
- target: admission.k8s.gatekeeper.sh
rego: |
package k8sallowedrepos
violation[{"msg": msg}] {
container := input.review.object.spec.containers[_]
satisfied := [good | repo = input.parameters.repos[_] ; good = startswith(container.image, repo)]
not any(satisfied)
msg := sprintf("container <%v> has an invalid image repo <%v>, allowed repos are %v", [container.name, container.image, input.parameters.repos])
}
violation[{"msg": msg}] {
container := input.review.object.spec.initContainers[_]
satisfied := [good | repo = input.parameters.repos[_] ; good = startswith(container.image, repo)]
not any(satisfied)
msg := sprintf("container <%v> has an invalid image repo <%v>, allowed repos are %v", [container.name, container.image, input.parameters.repos])
}

38
charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/gatekeeper-admin-podsecuritypolicy.yaml Normal file
View File

@ -0,0 +1,38 @@
{{- if .Values.global.cattle.psp.enabled }}
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
annotations:
seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
labels:
app: '{{ template "gatekeeper.name" . }}'
chart: '{{ template "gatekeeper.name" . }}'
gatekeeper.sh/system: "yes"
heritage: '{{ .Release.Service }}'
release: '{{ .Release.Name }}'
name: gatekeeper-admin
spec:
allowPrivilegeEscalation: false
fsGroup:
ranges:
- max: 65535
min: 1
rule: MustRunAs
requiredDropCapabilities:
- ALL
runAsUser:
rule: MustRunAsNonRoot
seLinux:
rule: RunAsAny
supplementalGroups:
ranges:
- max: 65535
min: 1
rule: MustRunAs
volumes:
- configMap
- projected
- secret
- downwardAPI
- emptyDir
{{- end }}

11
charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/gatekeeper-admin-serviceaccount.yaml Normal file
View File

@ -0,0 +1,11 @@
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
app: '{{ template "gatekeeper.name" . }}'
chart: '{{ template "gatekeeper.name" . }}'
gatekeeper.sh/system: "yes"
heritage: '{{ .Release.Service }}'
release: '{{ .Release.Name }}'
name: gatekeeper-admin
namespace: '{{ .Release.Namespace }}'

164
charts/rancher-gatekeeper/103.1.0+up3.13.0/templates/gatekeeper-audit-deployment.yaml Normal file
View File

@ -0,0 +1,164 @@
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: '{{ template "gatekeeper.name" . }}'
chart: '{{ template "gatekeeper.name" . }}'
control-plane: audit-controller
gatekeeper.sh/operation: audit
gatekeeper.sh/system: "yes"
heritage: '{{ .Release.Service }}'
release: '{{ .Release.Name }}'
name: gatekeeper-audit
namespace: '{{ .Release.Namespace }}'
spec:
replicas: 1
selector:
matchLabels:
app: '{{ template "gatekeeper.name" . }}'
chart: '{{ template "gatekeeper.name" . }}'
control-plane: audit-controller
gatekeeper.sh/operation: audit
gatekeeper.sh/system: "yes"
heritage: '{{ .Release.Service }}'
release: '{{ .Release.Name }}'
template:
metadata:
annotations:
{{- if .Values.podAnnotations }}
{{- toYaml .Values.podAnnotations | trim | nindent 8 }}
{{- end }}
{{- if .Values.auditPodAnnotations }}
{{- toYaml .Values.auditPodAnnotations | trim | nindent 8 }}
{{- end }}
labels:
{{- include "gatekeeper.podLabels" . }}
app: '{{ template "gatekeeper.name" . }}'
chart: '{{ template "gatekeeper.name" . }}'
control-plane: audit-controller
gatekeeper.sh/operation: audit
gatekeeper.sh/system: "yes"
heritage: '{{ .Release.Service }}'
release: '{{ .Release.Name }}'
spec:
affinity:
{{- toYaml .Values.audit.affinity | nindent 8 }}
automountServiceAccountToken: true
containers:
- image: '{{ template "system_default_registry" . }}{{ .Values.images.gatekeeper.repository }}:{{ .Values.images.gatekeeper.tag }}'
args:
- --audit-interval={{ .Values.auditInterval }}
- --log-level={{ (.Values.audit.logLevel | empty | not) | ternary .Values.audit.logLevel .Values.logLevel }}
- --constraint-violations-limit={{ .Values.constraintViolationsLimit }}
- --validating-webhook-configuration-name={{ .Values.validatingWebhookName }}
- --mutating-webhook-configuration-name={{ .Values.mutatingWebhookName }}
- --audit-from-cache={{ .Values.auditFromCache }}
- --audit-chunk-size={{ .Values.auditChunkSize }}
- --audit-match-kind-only={{ .Values.auditMatchKindOnly }}
- --emit-audit-events={{ .Values.emitAuditEvents }}
- --audit-events-involved-namespace={{ .Values.auditEventsInvolvedNamespace }}
- --operation=audit
- --operation=status
{{ if .Values.audit.enablePubsub}}
- --enable-pub-sub={{ .Values.audit.enablePubsub }}
- --audit-connection={{ .Values.audit.connection }}
- --audit-channel={{ .Values.audit.channel }}
{{- end }}
{{ if not .Values.disableMutation}}- --operation=mutation-status{{- end }}
- --logtostderr
- --health-addr=:{{ .Values.audit.healthPort }}
- --prometheus-port={{ .Values.audit.metricsPort }}
- --enable-external-data={{ .Values.enableExternalData }}
- --enable-generator-resource-expansion={{ .Values.enableGeneratorResourceExpansion }}
{{- range .Values.metricsBackends}}
- --metrics-backend={{ . }}
{{- end }}
{{- if .Values.audit.logFile}}
- --log-file={{ .Values.audit.logFile }}
{{- end }}
- --disable-cert-rotation={{ or .Values.audit.disableCertRotation .Values.externalCertInjection.enabled }}
command:
- /manager
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
- name: CONTAINER_NAME
value: manager
imagePullPolicy: '{{ .Values.images.pullPolicy }}'
livenessProbe:
httpGet:
path: /healthz
port: {{ .Values.audit.healthPort }}
timeoutSeconds: {{ .Values.audit.livenessTimeout }}
name: manager
ports:
- containerPort: {{ .Values.audit.metricsPort }}
name: metrics
protocol: TCP
- containerPort: {{ .Values.audit.healthPort }}
name: healthz
protocol: TCP
readinessProbe:
httpGet:
path: /readyz
port: {{ .Values.audit.healthPort }}
timeoutSeconds: {{ .Values.audit.readinessTimeout }}
resources:
{{- toYaml .Values.audit.resources | nindent 10 }}
securityContext:
{{- if .Values.enableRuntimeDefaultSeccompProfile }}
seccompProfile:
type: RuntimeDefault
{{- end }}
{{- toYaml .Values.audit.securityContext | nindent 10}}
volumeMounts:
- mountPath: /certs
name: cert
readOnly: true
- mountPath: /tmp/audit
name: tmp-volume
dnsPolicy: {{ .Values.audit.dnsPolicy }}
hostNetwork: {{ .Values.audit.hostNetwork }}
imagePullSecrets:
{{- toYaml .Values.images.pullSecrets | nindent 8 }}
nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
{{- if .Values.audit.nodeSelector }}
{{ toYaml .Values.audit.nodeSelector | indent 8 }}
{{- end }}
{{- if .Values.audit.priorityClassName }}
priorityClassName: {{ .Values.audit.priorityClassName }}
{{- end }}
securityContext:
{{- toYaml .Values.audit.podSecurityContext | nindent 8 }}
serviceAccountName: gatekeeper-admin
terminationGracePeriodSeconds: 60
tolerations: {{ include "linux-node-tolerations" . | nindent 8 }}
{{- if .Values.audit.tolerations }}
{{ toYaml .Values.audit.tolerations | indent 8 }}
{{- end }}
volumes:
- name: cert
secret:
defaultMode: 420
secretName: gatekeeper-webhook-server-cert
{{- if .Values.audit.writeToRAMDisk }}
- emptyDir:
medium: Memory
{{ else }}
- emptyDir: {}
{{- end }}
name: tmp-volume

Some files were not shown because too many files have changed in this diff Show More