andata
/
rancher-charts
mirror of https://git.rancher.io/charts
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

[epinio] forward-port from v2.6 to v2.7

pull/2500/head
Mauren Berti 2023-03-22 16:40:02 -04:00
parent 59001ce0a5
commit 78557674a0
No known key found for this signature in database
GPG Key ID: 777EC11C23B91E1E
104 changed files with 7887 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
assets/epinio/epinio-100.0.5+up1.6.2.tgz Normal file
View File

Binary file not shown.

15
charts/epinio/100.0.5+up1.6.2/Chart.lock Normal file
View File

@ -0,0 +1,15 @@
dependencies:
- name: dex
repository: https://charts.dexidp.io
version: 0.12.1
- name: minio
repository: https://charts.min.io/
version: 5.0.4
- name: kubed
repository: https://charts.appscode.com/stable/
version: v0.13.2
- name: epinio-ui
repository: https://epinio.github.io/helm-charts
version: 1.5.3
digest: sha256:edaf7fec6b9567423ca0175493c21a542afe293e3a48d853acf9eb0b3d36024a
generated: "2023-01-12T09:59:16.775081808+01:00"

50
charts/epinio/100.0.5+up1.6.2/Chart.yaml Normal file
View File

@ -0,0 +1,50 @@
annotations:
artifacthub.io/license: Apache-2.0
catalog.cattle.io/auto-install: epinio-crd=match
catalog.cattle.io/certified: rancher
catalog.cattle.io/display-name: Epinio
catalog.cattle.io/experimental: "true"
catalog.cattle.io/kube-version: '>= 1.20.0-0 < 1.25.0-0'
catalog.cattle.io/namespace: cattle-epinio-system
catalog.cattle.io/permits-os: linux,windows
catalog.cattle.io/rancher-version: '>= 2.6.0-0 < 2.7.0-0'
catalog.cattle.io/release-name: epinio
catalog.cattle.io/type: app
catalog.cattle.io/upstream-version: 1.6.2
apiVersion: v2
appVersion: v1.6.2
dependencies:
- condition: dex.enabled, global.dex.enabled
name: dex
repository: file://./charts/dex
tags:
- dex
- condition: epinio-ui.enabled
name: epinio-ui
repository: file://./charts/epinio-ui
tags:
- epinio-ui
- condition: kubed.enabled, global.kubed.enabled
name: kubed
repository: file://./charts/kubed
tags:
- kubed
- condition: minio.enabled, global.minio.enabled
name: minio
repository: file://./charts/minio
tags:
- minio
description: Epinio deploys Kubernetes applications directly from source code in one
step.
home: https://github.com/epinio/epinio
icon: https://charts.rancher.io/assets/logos/epinio.svg
keywords:
- epinio
- paas
maintainers:
- email: team@epinio.io
name: SUSE
name: epinio
sources:
- https://github.com/epinio/epinio
version: 100.0.5+up1.6.2

94
charts/epinio/100.0.5+up1.6.2/README.md Normal file
View File

@ -0,0 +1,94 @@
# Epinio Helm Chart
From app to URL in one command.
## Introduction
This chart deploys Epinio PaaS on a Kubernetes cluster. It also deploys some of
its dependencies as subcharts.
The documentation is centralized in the [doc website](https://docs.epinio.io).
## Prerequisites
Epinio needs a number of external components to be running on your cluster in order to
work. You may already have those deployed, otherwise follow the instructions here
to deploy them.
Important: Some of the namespaces of the components are hardcoded in the Epinio
code and thus are important to be the same as described here. In the future this
may be configurable on the Epinio Helm chart.
### Ingress Controller
Epinio creates Ingress resources for the API server, the applications and depending
on your setup, the internal container registry. Those resources won't work unless
an Ingress controller is running on your cluster.
If you don't have an Ingress controller already running, you can install Traefik with:
```
$ kubectl create namespace traefik
$ export LOAD_BALANCER_IP=$(LOAD_BALANCER_IP:-) # Set this to the IP of your load balancer if you know that
$ helm install traefik --namespace traefik "https://helm.traefik.io/traefik/traefik-10.3.4.tgz" \
--set globalArguments='' \
--set-string ports.web.redirectTo=websecure \
--set-string ingressClass.enabled=true \
--set-string ingressClass.isDefaultClass=true \
--set-string service.spec.loadBalancerIP=$LOAD_BALANCER_IP
```
### Cert Manager
Epinio needs [cert-manager](https://cert-manager.io/) in order to create TLS
certificates for the various Ingresses (see "Ingress controller" above).
If cert-manager is not already installed on the cluster, it can be installed like this:
```
$ kubectl create namespace cert-manager
$ helm repo add jetstack https://charts.jetstack.io
$ helm repo update
$ helm install cert-manager --namespace cert-manager jetstack/cert-manager \
--set installCRDs=true \
--set extraArgs[0]=--enable-certificate-owner-ref=true
```
### Kubed
Kubed is installed as a subchart when `.Values.kubed.enabled` is true (default).
If you already have kubed running, you can skip the installation by setting
the helm value "kubed.enabled" to "false".
### S3 storage
Epinio is using an S3 compatible storage to store the application source code.
This chart will install [Minio](https://min.io/) when `.Values.minio.enabled` is
true (default). Any S3 compatible solution can be used instead by setting this
value to `false` and using [the values under `s3`](https://github.com/epinio/helm-charts/blob/main/chart/epinio/values.yaml#L44)
to point to the desired S3 server.
### Container Registry
When Epinio builds a container image for an application from source, it needs
to store that image to a container registry. Epinio installs a container registry
on the cluster when `.Values.containerregistry.enabled` is `true` (default).
Any container registry that supports basic auth authentication can be used (e.g. gcr, dockerhub etc)
instead by setting this value to `false` and using
[the values under `registry`](https://github.com/epinio/helm-charts/blob/main/chart/epinio/values.yaml#L104-L107)
to point to the desired container registry.
## Install Epinio
If the above dependencies are available or going to be installed by this chart,
Epinio can be installed with the following:
```
$ helm repo add epinio https://epinio.github.io/helm-charts/
$ helm install epinio -n epinio --create-namespace epinio/epinio --values epinio-values.yaml --set global.domain=myepiniodomain.org
```
The only value that is mandatory is the `.Values.global.domain` which
should be a wildcard domain, pointing to the IP address of your running
Ingress controller.

8
charts/epinio/100.0.5+up1.6.2/app-readme.md Normal file
View File

@ -0,0 +1,8 @@
# Epinio PaaS
Opinionated platform that runs on Kubernetes to take you from Code to URL in one step.
__Attention__:
- Requires `cert-manager` as dependency.
- Requires `helm-controller` as dependency.

BIN
charts/epinio/100.0.5+up1.6.2/assets/epinio-application-0.1.24.tgz Normal file
View File

Binary file not shown.

25
charts/epinio/100.0.5+up1.6.2/charts/dex/.helmignore Normal file
View File

@ -0,0 +1,25 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/
README.md.gotmpl

29
charts/epinio/100.0.5+up1.6.2/charts/dex/Chart.yaml Normal file
View File

@ -0,0 +1,29 @@
annotations:
artifacthub.io/changes: |
- kind: changed
description: "Update Dex to 2.35.3"
artifacthub.io/images: |
- name: dex
image: ghcr.io/dexidp/dex:v2.35.3
apiVersion: v2
appVersion: 2.35.3
description: OpenID Connect (OIDC) identity and OAuth 2.0 provider with pluggable
connectors.
home: https://dexidp.io/
icon: https://dexidp.io/favicon.png
keywords:
- oidc
- oauth
- identity-provider
- saml
kubeVersion: '>=1.14.0-0'
maintainers:
- email: mark.sagikazar@gmail.com
name: sagikazarmark
url: https://sagikazarmark.hu
name: dex
sources:
- https://github.com/dexidp/dex
- https://github.com/dexidp/helm-charts/tree/master/charts/dex
type: application
version: 0.12.1

202
charts/epinio/100.0.5+up1.6.2/charts/dex/LICENSE Normal file
View File

@ -0,0 +1,202 @@
Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
1. Definitions.
"License" shall mean the terms and conditions for use, reproduction,
and distribution as defined by Sections 1 through 9 of this document.
"Licensor" shall mean the copyright owner or entity authorized by
the copyright owner that is granting the License.
"Legal Entity" shall mean the union of the acting entity and all
other entities that control, are controlled by, or are under common
control with that entity. For the purposes of this definition,
"control" means (i) the power, direct or indirect, to cause the
direction or management of such entity, whether by contract or
otherwise, or (ii) ownership of fifty percent (50%) or more of the
outstanding shares, or (iii) beneficial ownership of such entity.
"You" (or "Your") shall mean an individual or Legal Entity
exercising permissions granted by this License.
"Source" form shall mean the preferred form for making modifications,
including but not limited to software source code, documentation
source, and configuration files.
"Object" form shall mean any form resulting from mechanical
transformation or translation of a Source form, including but
not limited to compiled object code, generated documentation,
and conversions to other media types.
"Work" shall mean the work of authorship, whether in Source or
Object form, made available under the License, as indicated by a
copyright notice that is included in or attached to the work
(an example is provided in the Appendix below).
"Derivative Works" shall mean any work, whether in Source or Object
form, that is based on (or derived from) the Work and for which the
editorial revisions, annotations, elaborations, or other modifications
represent, as a whole, an original work of authorship. For the purposes
of this License, Derivative Works shall not include works that remain
separable from, or merely link (or bind by name) to the interfaces of,
the Work and Derivative Works thereof.
"Contribution" shall mean any work of authorship, including
the original version of the Work and any modifications or additions
to that Work or Derivative Works thereof, that is intentionally
submitted to Licensor for inclusion in the Work by the copyright owner
or by an individual or Legal Entity authorized to submit on behalf of
the copyright owner. For the purposes of this definition, "submitted"
means any form of electronic, verbal, or written communication sent
to the Licensor or its representatives, including but not limited to
communication on electronic mailing lists, source code control systems,
and issue tracking systems that are managed by, or on behalf of, the
Licensor for the purpose of discussing and improving the Work, but
excluding communication that is conspicuously marked or otherwise
designated in writing by the copyright owner as "Not a Contribution."
"Contributor" shall mean Licensor and any individual or Legal Entity
on behalf of whom a Contribution has been received by Licensor and
subsequently incorporated within the Work.
2. Grant of Copyright License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
copyright license to reproduce, prepare Derivative Works of,
publicly display, publicly perform, sublicense, and distribute the
Work and such Derivative Works in Source or Object form.
3. Grant of Patent License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
(except as stated in this section) patent license to make, have made,
use, offer to sell, sell, import, and otherwise transfer the Work,
where such license applies only to those patent claims licensable
by such Contributor that are necessarily infringed by their
Contribution(s) alone or by combination of their Contribution(s)
with the Work to which such Contribution(s) was submitted. If You
institute patent litigation against any entity (including a
cross-claim or counterclaim in a lawsuit) alleging that the Work
or a Contribution incorporated within the Work constitutes direct
or contributory patent infringement, then any patent licenses
granted to You under this License for that Work shall terminate
as of the date such litigation is filed.
4. Redistribution. You may reproduce and distribute copies of the
Work or Derivative Works thereof in any medium, with or without
modifications, and in Source or Object form, provided that You
meet the following conditions:
(a) You must give any other recipients of the Work or
Derivative Works a copy of this License; and
(b) You must cause any modified files to carry prominent notices
stating that You changed the files; and
(c) You must retain, in the Source form of any Derivative Works
that You distribute, all copyright, patent, trademark, and
attribution notices from the Source form of the Work,
excluding those notices that do not pertain to any part of
the Derivative Works; and
(d) If the Work includes a "NOTICE" text file as part of its
distribution, then any Derivative Works that You distribute must
include a readable copy of the attribution notices contained
within such NOTICE file, excluding those notices that do not
pertain to any part of the Derivative Works, in at least one
of the following places: within a NOTICE text file distributed
as part of the Derivative Works; within the Source form or
documentation, if provided along with the Derivative Works; or,
within a display generated by the Derivative Works, if and
wherever such third-party notices normally appear. The contents
of the NOTICE file are for informational purposes only and
do not modify the License. You may add Your own attribution
notices within Derivative Works that You distribute, alongside
or as an addendum to the NOTICE text from the Work, provided
that such additional attribution notices cannot be construed
as modifying the License.
You may add Your own copyright statement to Your modifications and
may provide additional or different license terms and conditions
for use, reproduction, or distribution of Your modifications, or
for any such Derivative Works as a whole, provided Your use,
reproduction, and distribution of the Work otherwise complies with
the conditions stated in this License.
5. Submission of Contributions. Unless You explicitly state otherwise,
any Contribution intentionally submitted for inclusion in the Work
by You to the Licensor shall be under the terms and conditions of
this License, without any additional terms or conditions.
Notwithstanding the above, nothing herein shall supersede or modify
the terms of any separate license agreement you may have executed
with Licensor regarding such Contributions.
6. Trademarks. This License does not grant permission to use the trade
names, trademarks, service marks, or product names of the Licensor,
except as required for reasonable and customary use in describing the
origin of the Work and reproducing the content of the NOTICE file.
7. Disclaimer of Warranty. Unless required by applicable law or
agreed to in writing, Licensor provides the Work (and each
Contributor provides its Contributions) on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
implied, including, without limitation, any warranties or conditions
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
PARTICULAR PURPOSE. You are solely responsible for determining the
appropriateness of using or redistributing the Work and assume any
risks associated with Your exercise of permissions under this License.
8. Limitation of Liability. In no event and under no legal theory,
whether in tort (including negligence), contract, or otherwise,
unless required by applicable law (such as deliberate and grossly
negligent acts) or agreed to in writing, shall any Contributor be
liable to You for damages, including any direct, indirect, special,
incidental, or consequential damages of any character arising as a
result of this License or out of the use or inability to use the
Work (including but not limited to damages for loss of goodwill,
work stoppage, computer failure or malfunction, or any and all
other commercial damages or losses), even if such Contributor
has been advised of the possibility of such damages.
9. Accepting Warranty or Additional Liability. While redistributing
the Work or Derivative Works thereof, You may choose to offer,
and charge a fee for, acceptance of support, warranty, indemnity,
or other liability obligations and/or rights consistent with this
License. However, in accepting such obligations, You may act only
on Your own behalf and on Your sole responsibility, not on behalf
of any other Contributor, and only if You agree to indemnify,
defend, and hold each Contributor harmless for any liability
incurred by, or claims asserted against, such Contributor by reason
of your accepting any such warranty or additional liability.
END OF TERMS AND CONDITIONS
APPENDIX: How to apply the Apache License to your work.
To apply the Apache License to your work, attach the following
boilerplate notice, with the fields enclosed by brackets "[]"
replaced with your own identifying information. (Don't include
the brackets!) The text should be enclosed in the appropriate
comment syntax for the file format. We also recommend that a
file or class name and description of purpose be included on the
same "printed page" as the copyright notice for easier
identification within third-party archives.
Copyright [yyyy] [name of copyright owner]
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

177
charts/epinio/100.0.5+up1.6.2/charts/dex/README.md Normal file
View File

@ -0,0 +1,177 @@
# dex
![version: 0.12.1](https://img.shields.io/badge/version-0.12.1-informational?style=flat-square) ![type: application](https://img.shields.io/badge/type-application-informational?style=flat-square) ![app version: 2.35.3](https://img.shields.io/badge/app%20version-2.35.3-informational?style=flat-square) ![kube version: >=1.14.0-0](https://img.shields.io/badge/kube%20version->=1.14.0--0-informational?style=flat-square) [![artifact hub](https://img.shields.io/badge/artifact%20hub-dex-informational?style=flat-square)](https://artifacthub.io/packages/helm/dex/dex)
OpenID Connect (OIDC) identity and OAuth 2.0 provider with pluggable connectors.
**Homepage:** <https://dexidp.io/>
## TL;DR;
```bash
helm repo add dex https://charts.dexidp.io
helm install --generate-name --wait dex/dex
```
## Getting started
### Minimal configuration
Dex requires a minimal configuration in order to work.
You can pass configuration to Dex using Helm values:
```yaml
config:
# Set it to a valid URL
issuer: http://my-issuer-url.com
# See https://dexidp.io/docs/storage/ for more options
storage:
type: memory
# Enable at least one connector
# See https://dexidp.io/docs/connectors/ for more options
enablePasswordDB: true
```
The above configuration won't make Dex automatically available on the configured URL.
One (and probably the easiest) way to achieve that is configuring ingress:
```yaml
ingress:
enabled: true
hosts:
- host: my-issuer-url.com
paths:
- path: /
```
### Minimal TLS configuration
HTTPS is basically mandatory these days, especially for authentication and authorization services.
There are several solutions for protecting services with TlS in Kubernetes,
but by far the most popular and portable is undoubtedly [Cert Manager](https://cert-manager.io).
Cert Manager can be [installed](https://cert-manager.io/docs/installation/kubernetes) with a few steps:
```shell
helm repo add jetstack https://charts.jetstack.io
helm repo update
kubectl create namespace cert-manager
helm install \
cert-manager jetstack/cert-manager \
--namespace cert-manager \
--set installCRDs=true
```
The next step is setting up an [issuer](https://cert-manager.io/docs/concepts/issuer/) (eg. [Let's Encrypt](https://letsencrypt.org/)):
```shell
cat <<EOF | kubectl apply -f -
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: acme
spec:
acme:
email: YOUR@EMAIL_ADDRESS
server: https://acme-v02.api.letsencrypt.org/directory
privateKeySecretRef:
name: acme-account-key
solvers:
- http01:
ingress:
class: YOUR_INGRESS_CLASS
EOF
```
Finally, change the ingress config to use TLS:
```yaml
ingress:
enabled: true
annotations:
cert-manager.io/cluster-issuer: acme
hosts:
- host: my-issuer-url.com
paths:
- path: /
tls:
- hosts:
- my-issuer-url.com
secretName: dex-cert
```
## Values
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| replicaCount | int | `1` | Number of replicas (pods) to launch. |
| image.repository | string | `"ghcr.io/dexidp/dex"` | Name of the image repository to pull the container image from. |
| image.pullPolicy | string | `"IfNotPresent"` | [Image pull policy](https://kubernetes.io/docs/concepts/containers/images/#updating-images) for updating already existing images on a node. |
| image.tag | string | `""` | Image tag override for the default value (chart appVersion). |
| imagePullSecrets | list | `[]` | Reference to one or more secrets to be used when [pulling images](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/#create-a-pod-that-uses-your-secret) (from private registries). |
| nameOverride | string | `""` | A name in place of the chart name for `app:` labels. |
| fullnameOverride | string | `""` | A name to substitute for the full names of resources. |
| hostAliases | list | `[]` | A list of hosts and IPs that will be injected into the pod's hosts file if specified. See the [API reference](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#hostname-and-name-resolution) |
| https.enabled | bool | `false` | Enable the HTTPS endpoint. |
| grpc.enabled | bool | `false` | Enable the gRPC endpoint. Read more in the [documentation](https://dexidp.io/docs/api/). |
| configSecret.create | bool | `true` | Enable creating a secret from the values passed to `config`. If set to false, name must point to an existing secret. |
| configSecret.name | string | `""` | The name of the secret to mount as configuration in the pod. If not set and create is true, a name is generated using the fullname template. Must point to secret that contains at least a `config.yaml` key. |
| config | object | `{}` | Application configuration. See the [official documentation](https://dexidp.io/docs/). |
| volumes | list | `[]` | Additional storage [volumes](https://kubernetes.io/docs/concepts/storage/volumes/). See the [API reference](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#volumes-1) for details. |
| volumeMounts | list | `[]` | Additional [volume mounts](https://kubernetes.io/docs/tasks/configure-pod-container/configure-volume-storage/). See the [API reference](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#volumes-1) for details. |
| envFrom | list | `[]` | Additional environment variables mounted from [secrets](https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets-as-environment-variables) or [config maps](https://kubernetes.io/docs/tasks/configure-pod-container/configure-pod-configmap/#configure-all-key-value-pairs-in-a-configmap-as-container-environment-variables). See the [API reference](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#environment-variables) for details. |
| env | object | `{}` | Additional environment variables passed directly to containers. See the [API reference](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#environment-variables) for details. |
| envVars | list | `[]` | Similar to env but with support for all possible configurations. See the [API reference](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#environment-variables) for details. |
| serviceAccount.create | bool | `true` | Enable service account creation. |
| serviceAccount.annotations | object | `{}` | Annotations to be added to the service account. |
| serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template. |
| rbac.create | bool | `true` | Specifies whether RBAC resources should be created. If disabled, the operator is responsible for creating the necessary resources based on the templates. |
| rbac.createClusterScoped | bool | `true` | Specifies which RBAC resources should be created. If disabled, the operator is responsible for creating the necessary resources (ClusterRole and RoleBinding or CRD's) |
| podAnnotations | object | `{}` | Annotations to be added to pods. |
| podDisruptionBudget.enabled | bool | `false` | Enable a [pod distruption budget](https://kubernetes.io/docs/tasks/run-application/configure-pdb/) to help dealing with [disruptions](https://kubernetes.io/docs/concepts/workloads/pods/disruptions/). It is **highly recommended** for webhooks as disruptions can prevent launching new pods. |
| podDisruptionBudget.minAvailable | int/percentage | `nil` | Number or percentage of pods that must remain available. |
| podDisruptionBudget.maxUnavailable | int/percentage | `nil` | Number or percentage of pods that can be unavailable. |
| priorityClassName | string | `""` | Specify a priority class name to set [pod priority](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/#pod-priority). |
| podSecurityContext | object | `{}` | Pod [security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod). See the [API reference](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context) for details. |
| securityContext | object | `{}` | Container [security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container). See the [API reference](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) for details. |
| service.annotations | object | `{}` | Annotations to be added to the service. |
| service.type | string | `"ClusterIP"` | Kubernetes [service type](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types). |
| service.clusterIP | string | `""` | Internal cluster service IP (when applicable) |
| service.ports.http.port | int | `5556` | HTTP service port |
| service.ports.http.nodePort | int | `nil` | HTTP node port (when applicable) |
| service.ports.https.port | int | `5554` | HTTPS service port |
| service.ports.https.nodePort | int | `nil` | HTTPS node port (when applicable) |
| service.ports.grpc.port | int | `5557` | gRPC service port |
| service.ports.grpc.nodePort | int | `nil` | gRPC node port (when applicable) |
| ingress.enabled | bool | `false` | Enable [ingress](https://kubernetes.io/docs/concepts/services-networking/ingress/). |
| ingress.className | string | `""` | Ingress [class name](https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class). |
| ingress.annotations | object | `{}` | Annotations to be added to the ingress. |
| ingress.hosts | list | See [values.yaml](values.yaml). | Ingress host configuration. |
| ingress.tls | list | See [values.yaml](values.yaml). | Ingress TLS configuration. |
| serviceMonitor.enabled | bool | `false` | Enable Prometheus ServiceMonitor. See the [documentation](https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/design.md#servicemonitor) and the [API reference](https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#servicemonitor) for details. |
| serviceMonitor.namespace | string | Release namespace. | Namespace where the ServiceMonitor resource should be deployed. |
| serviceMonitor.interval | duration | `nil` | Prometheus scrape interval. |
| serviceMonitor.scrapeTimeout | duration | `nil` | Prometheus scrape timeout. |
| serviceMonitor.labels | object | `{}` | Labels to be added to the ServiceMonitor. |
| resources | object | No requests or limits. | Container resource [requests and limits](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/). See the [API reference](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources) for details. |
| autoscaling | object | Disabled by default. | Autoscaling configuration (see [values.yaml](values.yaml) for details). |
| nodeSelector | object | `{}` | [Node selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) configuration. |
| tolerations | list | `[]` | [Tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) for node taints. See the [API reference](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling) for details. |
| affinity | object | `{}` | [Affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) configuration. See the [API reference](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling) for details. |
| topologySpreadConstraints | list | `[]` | [TopologySpreadConstraints](https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/) configuration. See the [API reference](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling) for details. |
| strategy | object | `{}` | Deployment [strategy](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy) configuration. |
| networkPolicy.enabled | bool | `false` | Create [Network Policies](https://kubernetes.io/docs/concepts/services-networking/network-policies/) |
| networkPolicy.egressRules | list | `[]` | A list of network policy egress rules |
## Migrating from stable/dex (or banzaicloud-stable/dex) chart
This chart is not backwards compatible with the `stable/dex` (or `banzaicloud-stable/dex`) chart.
However, Dex itself remains backwards compatible, so you can easily install the new chart in place of the old one
and continue using Dex with a minimal downtime.

10
charts/epinio/100.0.5+up1.6.2/charts/dex/ci/config-secret-values.yaml Normal file
View File

@ -0,0 +1,10 @@
config:
issuer: https://my-issuer.com
storage:
type: memory
enablePasswordDB: true
configSecret:
name: my-super-special-dex-secret

10
charts/epinio/100.0.5+up1.6.2/charts/dex/ci/no-config-secret.yaml Normal file
View File

@ -0,0 +1,10 @@
config:
issuer: https://my-issuer.com
storage:
type: memory
enablePasswordDB: true
configSecret:
create: false

10
charts/epinio/100.0.5+up1.6.2/charts/dex/ci/pod-annotations-values.yaml Normal file
View File

@ -0,0 +1,10 @@
config:
issuer: https://my-issuer.com
storage:
type: memory
enablePasswordDB: true
podAnnotations:
vault.security.banzaicloud.io/vault-addr: "https://vault.vault:8200"

7
charts/epinio/100.0.5+up1.6.2/charts/dex/ci/test-values.yaml Normal file
View File

@ -0,0 +1,7 @@
config:
issuer: https://my-issuer.com
storage:
type: memory
enablePasswordDB: true

22
charts/epinio/100.0.5+up1.6.2/charts/dex/templates/NOTES.txt Normal file
View File

@ -0,0 +1,22 @@
1. Get the application URL by running these commands:
{{- if .Values.ingress.enabled }}
{{- range $host := .Values.ingress.hosts }}
{{- range .paths }}
http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ .path }}
{{- end }}
{{- end }}
{{- else if contains "NodePort" .Values.service.type }}
export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "dex.fullname" . }})
export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
echo http://$NODE_IP:$NODE_PORT
{{- else if contains "LoadBalancer" .Values.service.type }}
NOTE: It may take a few minutes for the LoadBalancer IP to be available.
You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "dex.fullname" . }}'
export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "dex.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
echo http://$SERVICE_IP:{{ .Values.service.port }}
{{- else if contains "ClusterIP" .Values.service.type }}
export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "dex.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}")
echo "Visit http://127.0.0.1:8080 to use your application"
kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT
{{- end }}

103
charts/epinio/100.0.5+up1.6.2/charts/dex/templates/_helpers.tpl Normal file
View File

@ -0,0 +1,103 @@
{{/*
Expand the name of the chart.
*/}}
{{- define "dex.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "dex.fullname" -}}
{{- if .Values.fullnameOverride }}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- $name := default .Chart.Name .Values.nameOverride }}
{{- if contains $name .Release.Name }}
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{- end }}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "dex.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Common labels
*/}}
{{- define "dex.labels" -}}
helm.sh/chart: {{ include "dex.chart" . }}
{{ include "dex.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "dex.selectorLabels" -}}
app.kubernetes.io/name: {{ include "dex.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{/*
Create the name of the service account to use
*/}}
{{- define "dex.serviceAccountName" -}}
{{- if .Values.serviceAccount.create }}
{{- default (include "dex.fullname" .) .Values.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.serviceAccount.name }}
{{- end }}
{{- end }}
{{/*
Create the name of the secret containing the config file to use
*/}}
{{- define "dex.configSecretName" -}}
{{- if .Values.configSecret.create }}
{{- default (include "dex.fullname" .) .Values.configSecret.name }}
{{- else }}
{{- default "default" .Values.configSecret.name }}
{{- end }}
{{- end }}
{{/*
Windows cluster will add default taint for linux nodes, add below linux tolerations to
workloads could be scheduled to those linux nodes
*/}}
{{- define "linux-node-tolerations" -}}
- key: "cattle.io/os"
value: "linux"
effect: "NoSchedule"
operator: "Equal"
{{- end -}}
{{- define "linux-node-selector" -}}
{{- if semverCompare "<1.14-0" .Capabilities.KubeVersion.GitVersion -}}
beta.kubernetes.io/os: linux
{{- else -}}
kubernetes.io/os: linux
{{- end -}}
{{- end -}}
{{/*
URL prefix for container images to be compatible with Rancher
*/}}
{{- define "registry-url" -}}
{{- if .Values.global.cattle.systemDefaultRegistry -}}
{{ trimSuffix "/" .Values.global.cattle.systemDefaultRegistry }}/
{{- else -}}
{{ .Values.operator.registry }}/
{{- end -}}
{{- end -}}

133
charts/epinio/100.0.5+up1.6.2/charts/dex/templates/deployment.yaml Normal file
View File

@ -0,0 +1,133 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "dex.fullname" . }}
labels:
{{- include "dex.labels" . | nindent 4 }}
spec:
{{- if not .Values.autoscaling.enabled }}
replicas: {{ .Values.replicaCount }}
{{- end }}
{{- with .Values.strategy }}
strategy:
{{- toYaml . | nindent 4 }}
{{- end }}
selector:
matchLabels:
{{- include "dex.selectorLabels" . | nindent 6 }}
template:
metadata:
annotations:
{{- with .Values.podAnnotations }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{ if .Values.configSecret.create }}
checksum/config: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }}
{{- end }}
labels:
{{- include "dex.selectorLabels" . | nindent 8 }}
spec:
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
serviceAccountName: {{ include "dex.serviceAccountName" . }}
{{- with .Values.priorityClassName }}
priorityClassName: {{ . | quote }}
{{- end }}
securityContext:
{{- toYaml .Values.podSecurityContext | nindent 8 }}
{{- with .Values.hostAliases }}
hostAliases:
{{- toYaml . | nindent 8 }}
{{- end }}
containers:
- name: {{ .Chart.Name }}
securityContext:
{{- toYaml .Values.securityContext | nindent 12 }}
image: "{{ template "registry-url" . }}{{ .Values.image.repository }}:{{ .Values.image.tag }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
args:
- dex
- serve
- --web-http-addr
- 0.0.0.0:5556
{{- if .Values.https.enabled }}
- --web-https-addr
- 0.0.0.0:5554
{{- end }}
{{- if .Values.grpc.enabled }}
- --grpc-addr
- 0.0.0.0:5557
{{- end }}
- --telemetry-addr
- 0.0.0.0:5558
- /etc/dex/config.yaml
env:
{{- range $key, $value := .Values.env }}
- name: {{ $key }}
value: {{ $value | quote }}
{{- end }}
{{- with .Values.envVars }}
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.envFrom }}
envFrom:
{{- toYaml . | nindent 12 }}
{{- end }}
ports:
- name: http
containerPort: 5556
protocol: TCP
{{- if .Values.https.enabled }}
- name: https
containerPort: 5554
protocol: TCP
{{- end }}
{{- if .Values.grpc.enabled }}
- name: grpc
containerPort: 5557
protocol: TCP
{{- end }}
- name: telemetry
containerPort: 5558
protocol: TCP
livenessProbe:
httpGet:
path: /healthz/live
port: telemetry
readinessProbe:
httpGet:
path: /healthz/ready
port: telemetry
resources:
{{- toYaml .Values.resources | nindent 12 }}
volumeMounts:
- name: config
mountPath: /etc/dex
readOnly: true
{{- with .Values.volumeMounts }}
{{- toYaml . | nindent 12 }}
{{- end }}
volumes:
- name: config
secret:
secretName: {{ include "dex.configSecretName" . }}
{{- with .Values.volumes }}
{{- toYaml . | nindent 8 }}
{{- end }}
nodeSelector:
{{- include "linux-node-selector" . | nindent 8 }}
{{- with .Values.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.topologySpreadConstraints }}
topologySpreadConstraints:
{{- toYaml . | nindent 8 }}
{{- end }}
tolerations:
{{- include "linux-node-tolerations" . | nindent 8 }}
{{- with .Values.tolerations }}
{{ toYaml . | indent 8 }}
{{- end }}

28
charts/epinio/100.0.5+up1.6.2/charts/dex/templates/hpa.yaml Normal file
View File

@ -0,0 +1,28 @@
{{- if .Values.autoscaling.enabled }}
apiVersion: autoscaling/v2beta1
kind: HorizontalPodAutoscaler
metadata:
name: {{ include "dex.fullname" . }}
labels:
{{- include "dex.labels" . | nindent 4 }}
spec:
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: {{ include "dex.fullname" . }}
minReplicas: {{ .Values.autoscaling.minReplicas }}
maxReplicas: {{ .Values.autoscaling.maxReplicas }}
metrics:
{{- if .Values.autoscaling.targetCPUUtilizationPercentage }}
- type: Resource
resource:
name: cpu
targetAverageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
{{- end }}
{{- if .Values.autoscaling.targetMemoryUtilizationPercentage }}
- type: Resource
resource:
name: memory
targetAverageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }}
{{- end }}
{{- end }}

61
charts/epinio/100.0.5+up1.6.2/charts/dex/templates/ingress.yaml Normal file
View File

@ -0,0 +1,61 @@
{{- if .Values.ingress.enabled -}}
{{- $fullName := include "dex.fullname" . -}}
{{- $svcPort := .Values.service.ports.http.port -}}
{{- if and .Values.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }}
{{- if not (hasKey .Values.ingress.annotations "kubernetes.io/ingress.class") }}
{{- $_ := set .Values.ingress.annotations "kubernetes.io/ingress.class" .Values.ingress.className}}
{{- end }}
{{- end }}
{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}}
apiVersion: networking.k8s.io/v1
{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
apiVersion: networking.k8s.io/v1beta1
{{- else -}}
apiVersion: extensions/v1beta1
{{- end }}
kind: Ingress
metadata:
name: {{ $fullName }}
labels:
{{- include "dex.labels" . | nindent 4 }}
{{- with .Values.ingress.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
{{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }}
ingressClassName: {{ .Values.ingress.className }}
{{- end }}
{{- if .Values.ingress.tls }}
tls:
{{- range .Values.ingress.tls }}
- hosts:
{{- range .hosts }}
- {{ . | quote }}
{{- end }}
secretName: {{ .secretName }}
{{- end }}
{{- end }}
rules:
{{- range .Values.ingress.hosts }}
- host: {{ .host | quote }}
http:
paths:
{{- range .paths }}
- path: {{ .path }}
{{- if and .pathType (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }}
pathType: {{ .pathType }}
{{- end }}
backend:
{{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
service:
name: {{ $fullName }}
port:
number: {{ $svcPort }}
{{- else }}
serviceName: {{ $fullName }}
servicePort: {{ $svcPort }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}

35
charts/epinio/100.0.5+up1.6.2/charts/dex/templates/networkpolicy.yaml Normal file
View File

@ -0,0 +1,35 @@
{{- if .Values.networkPolicy.enabled }}
{{- if semverCompare "<1.7-0" .Capabilities.KubeVersion.GitVersion -}}
apiVersion: extensions/v1beta1
{{- else -}}
apiVersion: networking.k8s.io/v1
{{- end }}
kind: NetworkPolicy
metadata:
name: {{ include "dex.fullname" . }}
labels:
{{- include "dex.labels" . | nindent 4 }}
spec:
policyTypes:
{{- if .Values.networkPolicy.egressRules }}
- Egress
{{- end }}
- Ingress
podSelector:
matchLabels:
{{- include "dex.selectorLabels" . | nindent 6 }}
ingress:
- ports:
- port: http
{{- if .Values.https.enabled }}
- port: https
{{- end }}
{{- if .Values.grpc.enabled }}
- port: grpc
{{- end }}
- port: telemetry
{{- with .Values.networkPolicy.egressRules }}
egress:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}

22
charts/epinio/100.0.5+up1.6.2/charts/dex/templates/poddisruptionbudget.yaml Normal file
View File

@ -0,0 +1,22 @@
{{- if .Values.podDisruptionBudget.enabled }}
{{- if semverCompare ">=1.21-0" .Capabilities.KubeVersion.GitVersion -}}
apiVersion: policy/v1
{{- else -}}
apiVersion: policy/v1beta1
{{- end }}
kind: PodDisruptionBudget
metadata:
name: {{ template "dex.fullname" . }}
labels:
{{ include "dex.labels" . | indent 4 }}
spec:
{{- with .Values.podDisruptionBudget.minAvailable }}
minAvailable: {{ . }}
{{- end }}
{{- with .Values.podDisruptionBudget.maxUnavailable }}
maxUnavailable: {{ . }}
{{- end }}
selector:
matchLabels:
{{- include "dex.selectorLabels" . | nindent 6 }}
{{- end }}

84
charts/epinio/100.0.5+up1.6.2/charts/dex/templates/psp.yaml Normal file
View File

@ -0,0 +1,84 @@
{{- if .Values.serviceAccount.create -}}
{{- if .Values.global.rbac.pspEnabled }}
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: {{ printf "%s-psp" .Values.serviceAccount.name | quote }}
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: "{{ replace "+" "_" .Chart.Version }}"
app.kubernetes.io/part-of: {{ .Values.serviceAccount.name | quote }}
app: {{ .Values.serviceAccount.name | quote }}
{{- if .Values.global.rbac.pspAnnotations }}
annotations: {{ toYaml .Values.global.rbac.pspAnnotations | nindent 4 }}
{{- end }}
spec:
privileged: false
hostNetwork: false
hostIPC: false
hostPID: false
runAsUser:
# Permits the container to run with root privileges as well.
rule: 'RunAsAny'
seLinux:
# This policy assumes the nodes are using AppArmor rather than SELinux.
rule: 'RunAsAny'
supplementalGroups:
rule: 'MustRunAs'
ranges:
# Forbid adding the root group.
- min: 0
max: 65535
fsGroup:
rule: 'MustRunAs'
ranges:
# Forbid adding the root group.
- min: 0
max: 65535
readOnlyRootFilesystem: false
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ printf "%s-psp" .Values.serviceAccount.name | quote }}
labels:
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: "{{ replace "+" "_" .Chart.Version }}"
app.kubernetes.io/part-of: {{ .Values.serviceAccount.name | quote }}
app: {{ .Values.serviceAccount.name | quote }}
rules:
{{- if semverCompare "> 1.15.0-0" .Capabilities.KubeVersion.GitVersion }}
- apiGroups: ['policy']
{{- else }}
- apiGroups: ['extensions']
{{- end }}
resources: ['podsecuritypolicies']
verbs: ['use']
resourceNames:
- {{ printf "%s-psp" .Values.serviceAccount.name | quote }}
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ printf "%s-psp" .Values.serviceAccount.name | quote }}
labels:
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: "{{ replace "+" "_" .Chart.Version }}"
app.kubernetes.io/part-of: {{ .Values.serviceAccount.name | quote }}
app: {{ .Values.serviceAccount.name | quote }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ printf "%s-psp" .Values.serviceAccount.name | quote }}
subjects:
- kind: ServiceAccount
name: {{ .Values.serviceAccount.name | quote }}
namespace: {{ .Release.Namespace }}
{{- end }}
{{- end -}}

55
charts/epinio/100.0.5+up1.6.2/charts/dex/templates/rbac.yaml Normal file
View File

@ -0,0 +1,55 @@
{{- if .Values.rbac.create }}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ include "dex.fullname" . }}
labels:
{{- include "dex.labels" . | nindent 4 }}
rules:
- apiGroups: ["dex.coreos.com"]
resources: ["*"]
verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ include "dex.fullname" . }}
labels:
{{- include "dex.labels" . | nindent 4 }}
roleRef:
kind: Role
apiGroup: rbac.authorization.k8s.io
name: {{ include "dex.fullname" . }}
subjects:
- kind: ServiceAccount
namespace: {{ .Release.Namespace }}
name: {{ include "dex.serviceAccountName" . }}
{{- if .Values.rbac.createClusterScoped }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ include "dex.fullname" . }}
labels:
{{- include "dex.labels" . | nindent 4 }}
rules:
- apiGroups: ["apiextensions.k8s.io"]
resources: ["customresourcedefinitions"]
verbs: ["list", "create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ include "dex.fullname" . }}-cluster
labels:
{{- include "dex.labels" . | nindent 4 }}
roleRef:
kind: ClusterRole
apiGroup: rbac.authorization.k8s.io
name: {{ include "dex.fullname" . }}
subjects:
- kind: ServiceAccount
namespace: {{ .Release.Namespace }}
name: {{ include "dex.serviceAccountName" . }}
{{- end }}
{{- end }}

11
charts/epinio/100.0.5+up1.6.2/charts/dex/templates/secret.yaml Normal file
View File

@ -0,0 +1,11 @@
{{- if .Values.configSecret.create -}}
apiVersion: v1
kind: Secret
metadata:
name: {{ include "dex.configSecretName" . }}
labels:
{{- include "dex.labels" . | nindent 4 }}
type: Opaque
data:
config.yaml: {{ .Values.config | toYaml | b64enc | quote }}
{{- end }}

59
charts/epinio/100.0.5+up1.6.2/charts/dex/templates/service.yaml Normal file
View File

@ -0,0 +1,59 @@
apiVersion: v1
kind: Service
metadata:
name: {{ include "dex.fullname" . }}
labels:
{{- include "dex.labels" . | nindent 4 }}
{{- with .Values.service.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
type: {{ .Values.service.type }}
{{- with .Values.service.clusterIP }}
clusterIP: {{ . }}
{{- end }}
ports:
- name: http
port: {{ .Values.service.ports.http.port }}
{{- if and (or (eq .Values.service.type "NodePort") (eq .Values.service.type "LoadBalancer")) .Values.service.ports.http.nodePort }}
nodePort: {{ .Values.service.ports.http.nodePort }}
{{- end }}
targetPort: http
protocol: TCP
{{- if semverCompare ">=1.20-0" .Capabilities.KubeVersion.GitVersion }}
appProtocol: http
{{- end }}
{{- if .Values.https.enabled }}
- name: https
port: {{ .Values.service.ports.https.port }}
{{- if and (or (eq .Values.service.type "NodePort") (eq .Values.service.type "LoadBalancer")) .Values.service.ports.https.nodePort }}
nodePort: {{ .Values.service.ports.https.nodePort }}
{{- end }}
targetPort: https
protocol: TCP
{{- if semverCompare ">=1.20-0" .Capabilities.KubeVersion.GitVersion }}
appProtocol: https
{{- end }}
{{- end }}
{{- if .Values.grpc.enabled }}
- name: grpc
port: {{ .Values.service.ports.grpc.port }}
{{- if and (or (eq .Values.service.type "NodePort") (eq .Values.service.type "LoadBalancer")) .Values.service.ports.grpc.nodePort }}
nodePort: {{ .Values.service.ports.grpc.nodePort }}
{{- end }}
targetPort: grpc
protocol: TCP
{{- if semverCompare ">=1.20-0" .Capabilities.KubeVersion.GitVersion }}
appProtocol: http
{{- end }}
{{- end }}
- name: telemetry
port: 5558
targetPort: telemetry
protocol: TCP
{{- if semverCompare ">=1.20-0" .Capabilities.KubeVersion.GitVersion }}
appProtocol: http
{{- end }}
selector:
{{- include "dex.selectorLabels" . | nindent 4 }}

12
charts/epinio/100.0.5+up1.6.2/charts/dex/templates/serviceaccount.yaml Normal file
View File

@ -0,0 +1,12 @@
{{- if .Values.serviceAccount.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "dex.serviceAccountName" . }}
labels:
{{- include "dex.labels" . | nindent 4 }}
{{- with .Values.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}

30
charts/epinio/100.0.5+up1.6.2/charts/dex/templates/servicemonitor.yaml Normal file
View File

@ -0,0 +1,30 @@
{{- if .Values.serviceMonitor.enabled }}
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: {{ include "dex.fullname" . }}
{{- with .Values.serviceMonitor.namespace }}
namespace: {{ . }}
{{- end }}
labels:
{{- include "dex.labels" . | nindent 4 }}
{{- with .Values.serviceMonitor.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
endpoints:
- port: telemetry
{{- with .Values.serviceMonitor.interval }}
interval: {{ . }}
{{- end }}
{{- with .Values.serviceMonitor.scrapeTimeout }}
scrapeTimeout: {{ . }}
{{- end }}
jobLabel: {{ include "dex.fullname" . }}
selector:
matchLabels:
{{- include "dex.selectorLabels" . | nindent 6 }}
namespaceSelector:
matchNames:
- {{ .Release.Namespace }}
{{- end }}

13
charts/epinio/100.0.5+up1.6.2/charts/dex/templates/tests/no-config-secret.yaml Normal file
View File

@ -0,0 +1,13 @@
{{- if not .Values.configSecret.create -}}
apiVersion: v1
kind: Secret
metadata:
name: {{ include "dex.configSecretName" . }}-test-no-create
labels:
{{- include "dex.labels" . | nindent 4 }}
annotations:
"helm.sh/hook": test
type: Opaque
data:
config.yaml: {{ .Values.config | toYaml | b64enc | quote }}
{{- end }}

275
charts/epinio/100.0.5+up1.6.2/charts/dex/values.yaml Normal file
View File

@ -0,0 +1,275 @@
# Default values for dex.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
# -- Number of replicas (pods) to launch.
replicaCount: 1
image:
# -- Name of the image repository to pull the container image from.
repository: rancher/mirrored-dexidp-dex
tag: v2.35.3
# -- [Image pull policy](https://kubernetes.io/docs/concepts/containers/images/#updating-images) for updating already existing images on a node.
pullPolicy: IfNotPresent
# -- Reference to one or more secrets to be used when [pulling images](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/#create-a-pod-that-uses-your-secret) (from private registries).
imagePullSecrets: []
# -- A name in place of the chart name for `app:` labels.
nameOverride: ""
# -- A name to substitute for the full names of resources.
fullnameOverride: ""
# -- A list of hosts and IPs that will be injected into the pod's hosts file if specified.
# See the [API reference](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#hostname-and-name-resolution)
hostAliases: []
https:
# -- Enable the HTTPS endpoint.
enabled: false
grpc:
# -- Enable the gRPC endpoint.
# Read more in the [documentation](https://dexidp.io/docs/api/).
enabled: false
configSecret:
# -- Enable creating a secret from the values passed to `config`.
# If set to false, name must point to an existing secret.
create: true
# -- The name of the secret to mount as configuration in the pod.
# If not set and create is true, a name is generated using the fullname template.
# Must point to secret that contains at least a `config.yaml` key.
name: ""
# -- Application configuration.
# See the [official documentation](https://dexidp.io/docs/).
config: {}
# -- Additional storage [volumes](https://kubernetes.io/docs/concepts/storage/volumes/).
# See the [API reference](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#volumes-1) for details.
volumes: []
# -- Additional [volume mounts](https://kubernetes.io/docs/tasks/configure-pod-container/configure-volume-storage/).
# See the [API reference](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#volumes-1) for details.
volumeMounts: []
# -- Additional environment variables mounted from [secrets](https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets-as-environment-variables) or [config maps](https://kubernetes.io/docs/tasks/configure-pod-container/configure-pod-configmap/#configure-all-key-value-pairs-in-a-configmap-as-container-environment-variables).
# See the [API reference](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#environment-variables) for details.
envFrom: []
# -- Additional environment variables passed directly to containers.
# See the [API reference](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#environment-variables) for details.
env: {}
# -- Similar to env but with support for all possible configurations.
# See the [API reference](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#environment-variables) for details.
envVars: []
# - name: SOME_ENV_VAR
# value: value
# - name: SOME_ENV_VAR2
# valueFrom:
# secretKeyRef:
# name: secret-name
# key: secret-key
# - name: SOME_ENV_VAR3
# valueFrom:
# configMapKeyRef:
# name: config-map-name
# key: config-map-key
serviceAccount:
# -- Enable service account creation.
create: true
# -- Annotations to be added to the service account.
annotations: {}
# -- The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template.
name: "dex-sa"
rbac:
# -- Specifies whether RBAC resources should be created.
# If disabled, the operator is responsible for creating the necessary resources based on the templates.
create: true
# -- Specifies which RBAC resources should be created.
# If disabled, the operator is responsible for creating the necessary resources (ClusterRole and RoleBinding or CRD's)
createClusterScoped: true
# -- Annotations to be added to pods.
podAnnotations: {}
podDisruptionBudget:
# -- Enable a [pod distruption budget](https://kubernetes.io/docs/tasks/run-application/configure-pdb/) to help dealing with [disruptions](https://kubernetes.io/docs/concepts/workloads/pods/disruptions/).
# It is **highly recommended** for webhooks as disruptions can prevent launching new pods.
enabled: false
# -- (int/percentage) Number or percentage of pods that must remain available.
minAvailable:
# -- (int/percentage) Number or percentage of pods that can be unavailable.
maxUnavailable:
# -- Specify a priority class name to set [pod priority](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/#pod-priority).
priorityClassName: ""
# -- Pod [security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod).
# See the [API reference](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context) for details.
podSecurityContext: {}
# fsGroup: 2000
# -- Container [security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container).
# See the [API reference](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) for details.
securityContext: {}
# capabilities:
# drop:
# - ALL
# readOnlyRootFilesystem: true
# runAsNonRoot: true
# runAsUser: 1000
service:
# -- Annotations to be added to the service.
annotations: {}
# -- Kubernetes [service type](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types).
type: ClusterIP
# -- Internal cluster service IP (when applicable)
clusterIP: ""
ports:
http:
# -- HTTP service port
port: 5556
# -- (int) HTTP node port (when applicable)
nodePort:
https:
# -- HTTPS service port
port: 5554
# -- (int) HTTPS node port (when applicable)
nodePort:
grpc:
# -- gRPC service port
port: 5557
# -- (int) gRPC node port (when applicable)
nodePort:
ingress:
# -- Enable [ingress](https://kubernetes.io/docs/concepts/services-networking/ingress/).
enabled: false
# -- Ingress [class name](https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class).
className: ""
# -- Annotations to be added to the ingress.
annotations: {}
# kubernetes.io/ingress.class: nginx
# kubernetes.io/tls-acme: "true"
# -- Ingress host configuration.
# @default -- See [values.yaml](values.yaml).
hosts:
- host: chart-example.local
paths:
- path: /
pathType: ImplementationSpecific
# -- Ingress TLS configuration.
# @default -- See [values.yaml](values.yaml).
tls: []
# - secretName: chart-example-tls
# hosts:
# - chart-example.local
serviceMonitor:
# -- Enable Prometheus ServiceMonitor.
# See the [documentation](https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/design.md#servicemonitor) and the [API reference](https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#servicemonitor) for details.
enabled: false
# -- Namespace where the ServiceMonitor resource should be deployed.
# @default -- Release namespace.
namespace: ""
# -- (duration) Prometheus scrape interval.
interval:
# -- (duration) Prometheus scrape timeout.
scrapeTimeout:
# -- Labels to be added to the ServiceMonitor.
labels: {}
# -- Container resource [requests and limits](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/).
# See the [API reference](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources) for details.
# @default -- No requests or limits.
resources: {}
# We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little
# resources, such as Minikube. If you do want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
# limits:
# cpu: 100m
# memory: 128Mi
# requests:
# cpu: 100m
# memory: 128Mi
# -- Autoscaling configuration (see [values.yaml](values.yaml) for details).
# @default -- Disabled by default.
autoscaling:
enabled: false
minReplicas: 1
maxReplicas: 100
targetCPUUtilizationPercentage: 80
# targetMemoryUtilizationPercentage: 80
# -- [Node selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) configuration.
nodeSelector: {}
# -- [Tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) for node taints.
# See the [API reference](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling) for details.
tolerations: []
# -- [Affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) configuration.
# See the [API reference](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling) for details.
affinity: {}
# -- [TopologySpreadConstraints](https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/) configuration.
# See the [API reference](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling) for details.
topologySpreadConstraints: []
# -- Deployment [strategy](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy) configuration.
strategy: {}
# rollingUpdate:
# maxUnavailable: 1
# type: RollingUpdate
networkPolicy:
# -- Create [Network Policies](https://kubernetes.io/docs/concepts/services-networking/network-policies/)
enabled: false
# -- A list of network policy egress rules
egressRules: []
# Allow DNS egress traffic
# - ports:
# - port: 53
# protocol: UDP
# - port: 53
# protocol: TCP
# Example to allow LDAP connector to reach LDAPs port on 1.2.3.4 server
# - to:
# - ipBlock
# cidr: 1.2.3.4/32
# ports:
# - port: 636
# protocol: TCP

23
charts/epinio/100.0.5+up1.6.2/charts/epinio-ui/.helmignore Normal file
View File

@ -0,0 +1,23 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/

18
charts/epinio/100.0.5+up1.6.2/charts/epinio-ui/Chart.yaml Normal file
View File

@ -0,0 +1,18 @@
annotations:
artifacthub.io/license: Apache-2.0
apiVersion: v2
appVersion: v1.5.1-0.0.3
description: A Helm chart for the Epinio UI
home: https://github.com/epinio/epinio
icon: https://charts.rancher.io/assets/logos/epinio.svg
keywords:
- epinio
- paas
maintainers:
- email: team@epinio.io
name: SUSE
name: epinio-ui
sources:
- https://github.com/epinio/ui
type: application
version: 1.5.3

100
charts/epinio/100.0.5+up1.6.2/charts/epinio-ui/templates/_helpers.tpl Normal file
View File

@ -0,0 +1,100 @@
{{/*
Expand the name of the chart.
*/}}
{{- define "epinio-ui.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "epinio-ui.fullname" -}}
{{- if .Values.fullnameOverride }}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- $name := default .Chart.Name .Values.nameOverride }}
{{- if contains $name .Release.Name }}
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{- end }}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "epinio-ui.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Common labels
*/}}
{{- define "epinio-ui.labels" -}}
helm.sh/chart: {{ include "epinio-ui.chart" . }}
{{ include "epinio-ui.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "epinio-ui.selectorLabels" -}}
app.kubernetes.io/name: {{ include "epinio-ui.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{/*
Create the name of the service account to use
*/}}
{{- define "epinio-ui.serviceAccountName" -}}
{{- if .Values.serviceAccount.create }}
{{- default (include "epinio-ui.fullname" .) .Values.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.serviceAccount.name }}
{{- end }}
{{- end }}
{{/*
URL registry prefix for container images (Rancher compatibility support)
*/}}
{{- define "epinio-ui.registry" -}}
{{- if .Values.global.cattle -}}
{{- if .Values.global.cattle.systemDefaultRegistry -}}
{{ trimSuffix "/" .Values.global.cattle.systemDefaultRegistry }}/
{{- else -}}
{{ if .Values.epinioUI.image.registry }}
{{ .Values.epinioUI.image.registry }}/
{{- end -}}
{{- end -}}
{{- else -}}
{{ if .Values.epinioUI.image.registry }}
{{ .Values.epinioUI.image.registry }}/
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Windows cluster will add default taint for linux nodes, add below linux tolerations to
workloads could be scheduled to those linux nodes
*/}}
{{- define "linux-node-tolerations" -}}
- key: "cattle.io/os"
value: "linux"
effect: "NoSchedule"
operator: "Equal"
{{- end -}}
{{- define "linux-node-selector" -}}
{{- if semverCompare "<1.14-0" .Capabilities.KubeVersion.GitVersion -}}
beta.kubernetes.io/os: linux
{{- else -}}
kubernetes.io/os: linux
{{- end -}}
{{- end -}}

14
charts/epinio/100.0.5+up1.6.2/charts/epinio-ui/templates/certificate.yaml Normal file
View File

@ -0,0 +1,14 @@
{{- if .Values.ingress.enabled }}
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: epinio-ui
namespace: {{ .Release.Namespace }}
spec:
dnsNames:
- {{ .Values.global.domain }}
issuerRef:
kind: ClusterIssuer
name: {{ .Values.global.tlsIssuer }}
secretName: epinio-ui-tls
{{- end }}

32
charts/epinio/100.0.5+up1.6.2/charts/epinio-ui/templates/ingress.yaml Normal file
View File

@ -0,0 +1,32 @@
{{- if .Values.ingress.enabled }}
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: "true"
labels:
{{- include "epinio-ui.labels" . | nindent 4 }}
name: epinio-ui
namespace: {{ .Release.Namespace }}
spec:
{{- if .Values.ingress.ingressClassName }}
ingressClassName: "{{ .Values.ingress.ingressClassName }}"
{{- end }}
rules:
- host: {{ .Values.global.domain }}
http:
paths:
- backend:
service:
name: epinio-ui
port:
number: 80
path: /
pathType: ImplementationSpecific
tls:
- hosts:
- {{ .Values.global.domain }}
secretName: epinio-ui-tls
{{- end }}

88
charts/epinio/100.0.5+up1.6.2/charts/epinio-ui/templates/security.yaml Normal file
View File

@ -0,0 +1,88 @@
{{- if .Values.global.rbac.pspEnabled }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: epinio-ui
namespace: {{ .Release.Namespace }}
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: epinio-ui-psp
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: "{{ replace "+" "_" .Chart.Version }}"
app.kubernetes.io/part-of: epinio-ui
app: epinio-ui
{{- if .Values.global.rbac.pspAnnotations }}
annotations: {{ toYaml .Values.global.rbac.pspAnnotations | nindent 4 }}
{{- end }}
spec:
privileged: false
hostNetwork: false
hostIPC: false
hostPID: false
runAsUser:
# Permits the container to run with root privileges as well.
rule: 'RunAsAny'
seLinux:
# This policy assumes the nodes are using AppArmor rather than SELinux.
rule: 'RunAsAny'
supplementalGroups:
rule: 'MustRunAs'
ranges:
# Forbid adding the root group.
- min: 0
max: 65535
fsGroup:
rule: 'MustRunAs'
ranges:
# Forbid adding the root group.
- min: 0
max: 65535
readOnlyRootFilesystem: false
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: epinio-ui-psp
labels:
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: "{{ replace "+" "_" .Chart.Version }}"
app.kubernetes.io/part-of: epinio-ui
app: epinio-ui
rules:
{{- if semverCompare "> 1.15.0-0" .Capabilities.KubeVersion.GitVersion }}
- apiGroups: ['policy']
{{- else }}
- apiGroups: ['extensions']
{{- end }}
resources: ['podsecuritypolicies']
verbs: ['use']
resourceNames:
- epinio-ui-psp
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: epinio-ui-psp
labels:
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: "{{ replace "+" "_" .Chart.Version }}"
app.kubernetes.io/part-of: epinio-ui
app: epinio-ui
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: epinio-ui-psp
subjects:
- kind: ServiceAccount
name: epinio-ui
namespace: {{ .Release.Namespace }}
{{- end }}

110
charts/epinio/100.0.5+up1.6.2/charts/epinio-ui/templates/server.yaml Normal file
View File

@ -0,0 +1,110 @@
{{- $secret := (lookup "v1" "Secret" .Release.Namespace "epinio-ui").data -}}
{{- $encryptionKey := empty $secret | ternary (printf "%x" (randAscii 32)) (b64dec (default "" $secret.encryptionKey)) -}}
{{- $sessionSecret := empty $secret | ternary (randAlphaNum 16) (b64dec (default "" $secret.sessionSecret)) -}}
---
apiVersion: v1
kind: Secret
type: Opaque
metadata:
name: epinio-ui
namespace: {{ .Release.Namespace }}
stringData:
encryptionKey: {{ $encryptionKey }}
sessionSecret: {{ $sessionSecret }}
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: epinio-ui
namespace: {{ .Release.Namespace }}
labels:
{{- include "epinio-ui.labels" . | nindent 4 }}
spec:
replicas: 1
selector:
matchLabels:
{{- include "epinio-ui.selectorLabels" . | nindent 6 }}
template:
metadata:
labels:
{{- include "epinio-ui.labels" . | nindent 8 }}
spec:
nodeSelector:
{{- include "linux-node-selector" . | nindent 8 }}
tolerations:
{{- include "linux-node-tolerations" . | nindent 8 }}
{{- if .Values.global.rbac.pspEnabled }}
serviceAccountName: epinio-ui
{{- end }}
containers:
- name: epinio-ui
image: {{ template "epinio-ui.registry" . }}{{ .Values.epinioUI.image.repository }}:{{ .Values.epinioUI.image.tag }}
imagePullPolicy: {{ .Values.epinioUI.imagePullPolicy }}
workingDir: /db
env:
- name: ALLOWED_ORIGINS
value: {{ default (printf "https://epinio.%s" .Values.global.domain) .Values.epinioAllowedOrigins }}
- name: EPINIO_API_URL
value: {{ default (printf "http://epinio-server.%s.svc.cluster.local" .Release.Namespace) .Values.epinioAPIURL }}
- name: EPINIO_WSS_URL
value: {{ default (printf "ws://epinio-server.%s.svc.cluster.local" .Release.Namespace) .Values.epinioWSSURL }}
- name: EPINIO_API_SKIP_SSL
value: {{ .Values.epinioAPISkipSSL | quote }}
- name: EPINIO_VERSION
value: {{ (default .Chart.Version .Values.epinioVersion) | quote}}
- name: EPINIO_THEME
value: {{ (default "light" .Values.epinioTheme) | quote }}
- name: HTTP_CLIENT_TIMEOUT_IN_SECS
value: "120"
- name: SESSION_STORE_SECRET
valueFrom:
secretKeyRef:
name: epinio-ui
key: sessionSecret
- name: SESSION_STORE_EXPIRY
value: "1440"
- name: UI_PATH
value: "/ui"
- name: AUTH_ENDPOINT_TYPE
value: epinio
- name: ENCRYPTION_KEY
valueFrom:
secretKeyRef:
name: epinio-ui
key: encryptionKey
- name: DATABASE_PROVIDER
value: sqlite
- name: HTTPS
value: "false"
- name: CONSOLE_PROXY_TLS_ADDRESS
value: 0.0.0.0:8000
- name: LOG_LEVEL
value: {{ .Values.logLevel | quote }}
{{- with .Values.volumeMounts }}
volumeMounts:
{{- toYaml . | nindent 8 }}
{{- end }}
securityContext:
runAsUser: 1000
runAsNonRoot: true
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
livenessProbe:
tcpSocket:
port: 8000
initialDelaySeconds: 15
periodSeconds: 20
readinessProbe:
tcpSocket:
port: 8000
initialDelaySeconds: 5
periodSeconds: 5
{{- with .Values.volumes }}
volumes:
{{- toYaml . | nindent 6 }}
{{- end }}

16
charts/epinio/100.0.5+up1.6.2/charts/epinio-ui/templates/service.yaml Normal file
View File

@ -0,0 +1,16 @@
---
apiVersion: v1
kind: Service
metadata:
name: epinio-ui
namespace: {{ .Release.Namespace }}
labels:
{{- include "epinio-ui.labels" . | nindent 4 }}
spec:
type: ClusterIP
selector:
{{- include "epinio-ui.selectorLabels" . | nindent 4 }}
ports:
- name: ui
port: 80
targetPort: 8000

44
charts/epinio/100.0.5+up1.6.2/charts/epinio-ui/values.yaml Normal file
View File

@ -0,0 +1,44 @@
epinioUI:
image:
repository: rancher/mirrored-epinio-epinio-ui
tag: v1.5.1-0.0.3
imagePullPolicy: IfNotPresent
ingress:
enabled: true
# The ingressClassName is used to select the ingress controller. If empty no class will be added to the ingresses.
ingressClassName: ""
global:
domain: ui.epinio.dev
tlsIssuer: selfsigned-issuer
logLevel: info
# API URL of epinio instance, for proxied connections, defaults to http://epinio-server.%s.svc.cluster.local"
epinioAPIURL: ""
epinioWSSURL: ""
# Domain that will serve the UI and be the origin of browser requests, used by CORS process
epinioAllowedOrigins: ""
# Skip checking for valid SSL cert when making requests to `EPINIO_API_URL`
# epinioAPISkipSSL: "true"
# This is the version that is displayed in the ui and should match that of the epinio it's targetting
# epinioVersion: "v0.8.0"
# Epinio standalone only supports a single theme, either light or dark
epinioTheme: "light"
volumeMounts:
- name: tmp
mountPath: /tmp
readOnly: false
- name: db
mountPath: /db
readOnly: false
# - name: ui
# mountPath: /ui
# subPath: dist
# readOnly: true
volumes:
- name: tmp
emptyDir: {}
- name: db
emptyDir: {}
# - name: ui
# persistentVolumeClaim:
# claimName: ui

23
charts/epinio/100.0.5+up1.6.2/charts/kubed/.helmignore Normal file
View File

@ -0,0 +1,23 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*~
# Various IDEs
.project
.idea/
*.tmproj
# Helm files
OWNERS

12
charts/epinio/100.0.5+up1.6.2/charts/kubed/Chart.yaml Normal file
View File

@ -0,0 +1,12 @@
apiVersion: v1
appVersion: v0.13.2
description: Config Syncer by AppsCode - Kubernetes daemon
home: https://github.com/kubeops/config-syncer
icon: https://cdn.appscode.com/images/products/kubed/icons/android-icon-192x192.png
maintainers:
- email: support@appscode.com
name: appscode
name: kubed
sources:
- https://github.com/kubeops/config-syncer
version: v0.13.2

94
charts/epinio/100.0.5+up1.6.2/charts/kubed/README.md Normal file
View File

@ -0,0 +1,94 @@
# Config Syncer
[Config Syncer by AppsCode](https://github.com/kubeops/config-syncer) - A Kubernetes cluster manager daemon
## TL;DR;
```console
$ helm repo add appscode https://charts.appscode.com/stable/
$ helm repo update
$ helm install kubed appscode/kubed -n kube-system
```
## Introduction
This chart deploys a Config Syncer operator on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager.
## Prerequisites
- Kubernetes 1.11+
## Installing the Chart
To install the chart with the release name `kubed`:
```console
$ helm install kubed appscode/kubed -n kube-system
```
The command deploys a Config Syncer operator on the Kubernetes cluster in the default configuration. The [configuration](#configuration) section lists the parameters that can be configured during installation.
> **Tip**: List all releases using `helm list`
## Uninstalling the Chart
To uninstall/delete the `kubed`:
```console
$ helm delete kubed -n kube-system
```
The command removes all the Kubernetes components associated with the chart and deletes the release.
## Configuration
The following table lists the configurable parameters of the `kubed` chart and their default values.
| Parameter | Description | Default |
|--------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------|
| nameOverride | Overrides name template | <code>""</code> |
| fullnameOverride | Overrides fullname template | <code>""</code> |
| replicaCount | Number of Config Syncer operator replicas to create (only 1 is supported) | <code>1</code> |
| operator.registry | Docker registry used to pull Config Syncer operator image | <code>appscode</code> |
| operator.repository | Config Syncer operator container image | <code>kubed</code> |
| operator.tag | Config Syncer operator container image tag | <code>v0.13.2</code> |
| operator.resources | Compute Resources required by the operator container | <code>{}</code> |
| operator.securityContext | Security options the operator container should run with | <code>{}</code> |
| imagePullSecrets | Specify an array of imagePullSecrets. Secrets must be manually created in the namespace. <br> Example: <br> `helm template charts/kubed \` <br> `--set imagePullSecrets[0].name=sec0 \` <br> `--set imagePullSecrets[1].name=sec1` | <code>[]</code> |
| imagePullPolicy | Container image pull policy | <code>IfNotPresent</code> |
| criticalAddon | If true, installs Config Syncer operator as critical addon | <code>false</code> |
| logLevel | Log level for operator | <code>3</code> |
| annotations | Annotations applied to operator deployment | <code>{}</code> |
| podAnnotations | Annotations passed to operator pod(s). | <code>{}</code> |
| nodeSelector | Node labels for pod assignment | <code>{}</code> |
| tolerations | Tolerations for pod assignment | <code>[]</code> |
| affinity | Affinity rules for pod assignment | <code>{}</code> |
| podSecurityContext | Security options the operator pod should run with. | <code>{"fsGroup":65535}</code> |
| serviceAccount.create | Specifies whether a service account should be created | <code>true</code> |
| serviceAccount.annotations | Annotations to add to the service account | <code>{}</code> |
| serviceAccount.name | The name of the service account to use. If not set and create is true, a name is generated using the fullname template | <code>""</code> |
| apiserver.securePort | Port used by Config Syncer server | <code>"8443"</code> |
| apiserver.useKubeapiserverFqdnForAks | If true, uses kube-apiserver FQDN for AKS cluster to workaround https://github.com/Azure/AKS/issues/522 (default true) | <code>true</code> |
| apiserver.healthcheck.enabled | healthcheck configures the readiness and liveliness probes for the operator pod. | <code>false</code> |
| apiserver.servingCerts.generate | If true, generates on install/upgrade the certs that allow the kube-apiserver (and potentially ServiceMonitor) to authenticate operators pods. Otherwise specify certs in `apiserver.servingCerts.{caCrt, serverCrt, serverKey}`. | <code>true</code> |
| apiserver.servingCerts.caCrt | CA certficate used by serving certificate of Config Syncer server. | <code>""</code> |
| apiserver.servingCerts.serverCrt | Serving certficate used by Config Syncer server. | <code>""</code> |
| apiserver.servingCerts.serverKey | Private key for the serving certificate used by Config Syncer server. | <code>""</code> |
| enableAnalytics | If true, sends usage analytics | <code>true</code> |
| config.clusterName | Set cluster-name to something meaningful to you, say, prod, prod-us-east, qa, etc. so that you can distinguish notifications sent by kubed | <code>unicorn</code> |
| config.configSourceNamespace | If set, configmaps and secrets from only this namespace will be synced | <code>""</code> |
| config.kubeconfigContent | kubeconfig file content for configmap and secret syncer | <code>""</code> |
Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example:
```console
$ helm install kubed appscode/kubed -n kube-system --set replicaCount=1
```
Alternatively, a YAML file that specifies the values for the parameters can be provided while
installing the chart. For example:
```console
$ helm install kubed appscode/kubed -n kube-system --values values.yaml
```

18
charts/epinio/100.0.5+up1.6.2/charts/kubed/doc.yaml Normal file
View File

@ -0,0 +1,18 @@
project:
name: Config Syncer by AppsCode
shortName: Config Syncer
url: https://github.com/kubeops/config-syncer
description: A Kubernetes cluster manager daemon
app: a Config Syncer operator
repository:
url: https://charts.appscode.com/stable/
name: appscode
chart:
name: kubed
values: "-- generate from values file --"
valuesExample: "-- generate from values file --"
prerequisites:
- Kubernetes 1.11+
release:
name: kubed
namespace: kube-system

3
charts/epinio/100.0.5+up1.6.2/charts/kubed/templates/NOTES.txt Normal file
View File

@ -0,0 +1,3 @@
To verify that Config Syncer has started, run:
kubectl get deployment --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "kubed.name" . }},app.kubernetes.io/instance={{ .Release.Name }}"

93
charts/epinio/100.0.5+up1.6.2/charts/kubed/templates/_helpers.tpl Normal file
View File

@ -0,0 +1,93 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "kubed.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "kubed.fullname" -}}
{{- if .Values.fullnameOverride }}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- $name := default .Chart.Name .Values.nameOverride }}
{{- if contains $name .Release.Name }}
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{- end }}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "kubed.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Common labels
*/}}
{{- define "kubed.labels" -}}
helm.sh/chart: {{ include "kubed.chart" . }}
{{ include "kubed.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "kubed.selectorLabels" -}}
app.kubernetes.io/name: {{ include "kubed.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{/*
Create the name of the service account to use
*/}}
{{- define "kubed.serviceAccountName" -}}
{{- if .Values.serviceAccount.create }}
{{- default (include "kubed.fullname" .) .Values.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.serviceAccount.name }}
{{- end }}
{{- end }}
{{/*
Windows cluster will add default taint for linux nodes, add below linux tolerations to
workloads could be scheduled to those linux nodes
*/}}
{{- define "linux-node-tolerations" -}}
- key: "cattle.io/os"
value: "linux"
effect: "NoSchedule"
operator: "Equal"
{{- end -}}
{{- define "linux-node-selector" -}}
{{- if semverCompare "<1.14-0" .Capabilities.KubeVersion.GitVersion -}}
beta.kubernetes.io/os: linux
{{- else -}}
kubernetes.io/os: linux
{{- end -}}
{{- end -}}
{{/*
URL prefix for container images to be compatible with Rancher
*/}}
{{- define "registry-url" -}}
{{- if .Values.global.cattle.systemDefaultRegistry -}}
{{ trimSuffix "/" .Values.global.cattle.systemDefaultRegistry }}/
{{- else -}}
{{ .Values.operator.registry }}/
{{- end -}}
{{- end -}}

58
charts/epinio/100.0.5+up1.6.2/charts/kubed/templates/apiregistration.yaml Normal file
View File

@ -0,0 +1,58 @@
{{- $serverCrt := "" }}
{{- $serverKey := "" }}
{{- if .Values.apiserver.servingCerts.generate }}
{{- $ca := genCA "ca" 3650 }}
{{- $cn := include "kubed.fullname" . -}}
{{- $altName1 := printf "%s.%s" $cn .Release.Namespace }}
{{- $altName2 := printf "%s.%s.svc" $cn .Release.Namespace }}
{{- $server := genSignedCert $cn nil (list $altName1 $altName2) 3650 $ca }}
{{- $serverCrt = b64enc $server.Cert }}
{{- $serverKey = b64enc $server.Key }}
{{- else }}
{{- $serverCrt = required "Required when apiserver.servingCerts.generate is false" .Values.apiserver.servingCerts.serverCrt }}
{{- $serverKey = required "Required when apiserver.servingCerts.generate is false" .Values.apiserver.servingCerts.serverKey }}
{{- end }}
apiVersion: v1
kind: Secret
metadata:
name: {{ template "kubed.fullname" . }}-apiserver-cert
namespace: {{ .Release.Namespace }}
labels:
{{- include "kubed.labels" . | nindent 4 }}
type: Opaque
data:
tls.crt: {{ $serverCrt }}
tls.key: {{ $serverKey }}
---
# to read the config for terminating authentication
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ template "kubed.fullname" . }}-apiserver-extension-server-authentication-reader
namespace: kube-system
labels:
{{- include "kubed.labels" . | nindent 4 }}
roleRef:
kind: Role
apiGroup: rbac.authorization.k8s.io
name: extension-apiserver-authentication-reader
subjects:
- kind: ServiceAccount
name: {{ template "kubed.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
---
# to delegate authentication and authorization
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ template "kubed.fullname" . }}-apiserver-auth-delegator
labels:
{{- include "kubed.labels" . | nindent 4 }}
roleRef:
kind: ClusterRole
apiGroup: rbac.authorization.k8s.io
name: system:auth-delegator
subjects:
- kind: ServiceAccount
name: {{ template "kubed.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}

14
charts/epinio/100.0.5+up1.6.2/charts/kubed/templates/cluster-role-binding.yaml Normal file
View File

@ -0,0 +1,14 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ template "kubed.fullname" . }}
labels:
{{- include "kubed.labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "kubed.fullname" . }}
subjects:
- kind: ServiceAccount
name: {{ template "kubed.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}

24
charts/epinio/100.0.5+up1.6.2/charts/kubed/templates/cluster-role.yaml Normal file
View File

@ -0,0 +1,24 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "kubed.fullname" . }}
labels:
{{- include "kubed.labels" . | nindent 4 }}
rules:
- apiGroups: [""]
resources:
- configmaps
- secrets
verbs: ["get", "create", "patch", "delete", "list", "watch"]
- apiGroups: [""]
resources:
- namespaces
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources:
- nodes
verbs: ["list"]
- apiGroups: [""]
resources:
- events
verbs: ["create"]

119
charts/epinio/100.0.5+up1.6.2/charts/kubed/templates/deployment.yaml Normal file
View File

@ -0,0 +1,119 @@
{{- $major := default "0" .Capabilities.KubeVersion.Major | trimSuffix "+" | int64 }}
{{- $minor := default "0" .Capabilities.KubeVersion.Minor | trimSuffix "+" | int64 }}
{{- $criticalAddon := and .Values.criticalAddon (or (eq .Release.Namespace "kube-system") (and (ge $major 1) (ge $minor 17))) -}}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "kubed.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "kubed.labels" . | nindent 4 }}
{{- with .Values.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
replicas: {{ .Values.replicaCount }}
selector:
matchLabels:
{{- include "kubed.selectorLabels" . | nindent 6 }}
template:
metadata:
labels:
{{- include "kubed.selectorLabels" . | nindent 8 }}
annotations:
checksum/apiregistration.yaml: {{ include (print $.Template.BasePath "/apiregistration.yaml") . | sha256sum }}
{{- if $criticalAddon }}
scheduler.alpha.kubernetes.io/critical-pod: ''
{{- end }}
{{- with .Values.podAnnotations }}
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
serviceAccountName: {{ include "kubed.serviceAccountName" . }}
containers:
- name: kubed
securityContext:
{{- toYaml .Values.operator.securityContext | nindent 10 }}
image: {{ template "registry-url" . }}{{ .Values.operator.repository }}:{{ .Values.operator.tag }}
imagePullPolicy: {{ .Values.imagePullPolicy }}
args:
- run
- --v={{ .Values.logLevel }}
- --secure-port={{ default "8443" .Values.apiserver.securePort }}
- --audit-log-path=-
- --tls-cert-file=/var/serving-cert/tls.crt
- --tls-private-key-file=/var/serving-cert/tls.key
- --use-kubeapiserver-fqdn-for-aks={{ .Values.apiserver.useKubeapiserverFqdnForAks }}
- --enable-analytics={{ .Values.enableAnalytics }}
{{- with .Values.config.clusterName }}
- --cluster-name={{ . }}
{{- end }}
{{- with .Values.config.configSourceNamespace }}
- --config-source-namespace={{ . }}
{{- end }}
{{- if .Values.config.kubeconfigContent }}
- --kubeconfig-file=/srv/kubed/kubeconfig
{{- end }}
{{- range .Values.config.additionalOptions }}
- {{ . }}
{{- end }}
ports:
- containerPort: {{ default "8443" .Values.apiserver.securePort }}
{{- if .Values.apiserver.healthcheck.enabled }}
readinessProbe:
httpGet:
path: /healthz
port: {{ default "8443" .Values.apiserver.securePort }}
scheme: HTTPS
initialDelaySeconds: 5
livenessProbe:
httpGet:
path: /healthz
port: {{ default "8443" .Values.apiserver.securePort }}
scheme: HTTPS
initialDelaySeconds: 5
{{- end }}
resources:
{{- toYaml .Values.operator.resources | nindent 10 }}
volumeMounts:
- name: config
mountPath: /srv/kubed
- name: scratch
mountPath: /tmp
- mountPath: /var/serving-cert
name: serving-cert
volumes:
- name: config
secret:
secretName: {{ template "kubed.fullname" . }}
- name: scratch
emptyDir: {}
- name: serving-cert
secret:
defaultMode: 420
secretName: {{ template "kubed.fullname" . }}-apiserver-cert
securityContext:
{{- toYaml .Values.podSecurityContext | nindent 8 }}
tolerations:
{{- include "linux-node-tolerations" . | nindent 8 }}
{{- with .Values.tolerations }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if $criticalAddon }}
- key: CriticalAddonsOnly
operator: Exists
{{- end -}}
{{- with .Values.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
nodeSelector:
{{- include "linux-node-selector" . | nindent 8 }}
{{- if $criticalAddon }}
priorityClassName: system-cluster-critical
{{- end -}}

84
charts/epinio/100.0.5+up1.6.2/charts/kubed/templates/psp.yaml Normal file
View File

@ -0,0 +1,84 @@
{{- if .Values.serviceAccount.create -}}
{{- if .Values.global.rbac.pspEnabled }}
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: {{ include "kubed.serviceAccountName" . }}-psp
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: "{{ replace "+" "_" .Chart.Version }}"
app.kubernetes.io/part-of: {{ include "kubed.serviceAccountName" . }}
app: {{ include "kubed.serviceAccountName" . }}
{{- if .Values.global.rbac.pspAnnotations }}
annotations: {{ toYaml .Values.global.rbac.pspAnnotations | nindent 4 }}
{{- end }}
spec:
privileged: false
hostNetwork: false
hostIPC: false
hostPID: false
runAsUser:
# Permits the container to run with root privileges as well.
rule: 'RunAsAny'
seLinux:
# This policy assumes the nodes are using AppArmor rather than SELinux.
rule: 'RunAsAny'
supplementalGroups:
rule: 'MustRunAs'
ranges:
# Forbid adding the root group.
- min: 0
max: 65535
fsGroup:
rule: 'MustRunAs'
ranges:
# Forbid adding the root group.
- min: 0
max: 65535
readOnlyRootFilesystem: false
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ include "kubed.serviceAccountName" . }}-psp
labels:
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: "{{ replace "+" "_" .Chart.Version }}"
app.kubernetes.io/part-of: {{ include "kubed.serviceAccountName" . }}
app: {{ include "kubed.serviceAccountName" . }}
rules:
{{- if semverCompare "> 1.15.0-0" .Capabilities.KubeVersion.GitVersion }}
- apiGroups: ['policy']
{{- else }}
- apiGroups: ['extensions']
{{- end }}
resources: ['podsecuritypolicies']
verbs: ['use']
resourceNames:
- {{ include "kubed.serviceAccountName" . }}-psp
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ include "kubed.serviceAccountName" . }}-psp
labels:
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: "{{ replace "+" "_" .Chart.Version }}"
app.kubernetes.io/part-of: {{ include "kubed.serviceAccountName" . }}
app: {{ include "kubed.serviceAccountName" . }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ include "kubed.serviceAccountName" . }}-psp
subjects:
- kind: ServiceAccount
name: {{ include "kubed.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
{{- end }}
{{- end -}}

11
charts/epinio/100.0.5+up1.6.2/charts/kubed/templates/secret.yaml Normal file
View File

@ -0,0 +1,11 @@
apiVersion: v1
kind: Secret
metadata:
name: {{ template "kubed.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "kubed.labels" . | nindent 4 }}
data:
{{- if .Values.config.kubeconfigContent }}
kubeconfig: {{ .Values.config.kubeconfigContent | trim | b64enc | quote }}
{{- end }}

15
charts/epinio/100.0.5+up1.6.2/charts/kubed/templates/service.yaml Normal file
View File

@ -0,0 +1,15 @@
apiVersion: v1
kind: Service
metadata:
name: {{ template "kubed.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "kubed.labels" . | nindent 4 }}
spec:
ports:
# Port used to expose admission webhook apiserver
- name: api
port: 443
targetPort: {{ default "8443" .Values.apiserver.securePort }}
selector:
{{- include "kubed.selectorLabels" . | nindent 4 }}

13
charts/epinio/100.0.5+up1.6.2/charts/kubed/templates/serviceaccount.yaml Normal file
View File

@ -0,0 +1,13 @@
{{- if .Values.serviceAccount.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "kubed.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "kubed.labels" . | nindent 4 }}
{{- with .Values.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end -}}

101
charts/epinio/100.0.5+up1.6.2/charts/kubed/values.yaml Normal file
View File

@ -0,0 +1,101 @@
# Default values for kubed.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
# Overrides name template
nameOverride: ""
# Overrides fullname template
fullnameOverride: ""
# Number of Config Syncer operator replicas to create (only 1 is supported)
replicaCount: 1
operator:
# Config Syncer operator container image
repository: rancher/mirrored-appscode-kubed
# Config Syncer operator container image tag
tag: v0.13.2
# Compute Resources required by the operator container
resources: {}
# Security options the operator container should run with
securityContext: {}
# Specify an array of imagePullSecrets.
# Secrets must be manually created in the namespace.
#
# Example:
# helm template charts/kubed \
# --set imagePullSecrets[0].name=sec0 \
# --set imagePullSecrets[1].name=sec1
imagePullSecrets: []
# Container image pull policy
imagePullPolicy: IfNotPresent
# If true, installs Config Syncer operator as critical addon
criticalAddon: false
# Log level for operator
logLevel: 3
# Annotations applied to operator deployment
annotations: {}
# Annotations passed to operator pod(s).
podAnnotations: {}
# Node labels for pod assignment
nodeSelector: {}
# Tolerations for pod assignment
tolerations: []
# Affinity rules for pod assignment
affinity: {}
# Security options the operator pod should run with.
podSecurityContext: # +doc-gen:break
# ensure that s/a token is readable xref: https://issues.k8s.io/70679
fsGroup: 65535
serviceAccount:
# Specifies whether a service account should be created
create: true
# Annotations to add to the service account
annotations: {}
# The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template
name: ""
apiserver:
# Port used by Config Syncer server
securePort: "8443"
# If true, uses kube-apiserver FQDN for AKS cluster to workaround https://github.com/Azure/AKS/issues/522 (default true)
useKubeapiserverFqdnForAks: true
healthcheck:
# healthcheck configures the readiness and liveliness probes for the operator pod.
enabled: false
servingCerts:
# If true, generates on install/upgrade the certs that allow the kube-apiserver (and potentially ServiceMonitor)
# to authenticate operators pods. Otherwise specify certs in `apiserver.servingCerts.{caCrt, serverCrt, serverKey}`.
generate: true
# CA certficate used by serving certificate of Config Syncer server.
caCrt: ""
# Serving certficate used by Config Syncer server.
serverCrt: ""
# Private key for the serving certificate used by Config Syncer server.
serverKey: ""
# If true, sends usage analytics
enableAnalytics: true
config:
# Set cluster-name to something meaningful to you, say, prod, prod-us-east, qa, etc.
# so that you can distinguish notifications sent by kubed
clusterName: unicorn
# If set, configmaps and secrets from only this namespace will be synced
configSourceNamespace: ""
# kubeconfig file content for configmap and secret syncer
kubeconfigContent: ""
# additionalOptions:
# - --authentication-skip-lookup

23
charts/epinio/100.0.5+up1.6.2/charts/minio/.helmignore Normal file
View File

@ -0,0 +1,23 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*~
# Various IDEs
.project
.idea/
*.tmproj
# OWNERS file for Kubernetes
OWNERS

18
charts/epinio/100.0.5+up1.6.2/charts/minio/Chart.yaml Normal file
View File

@ -0,0 +1,18 @@
apiVersion: v1
appVersion: RELEASE.2022-12-12T19-27-27Z
description: Multi-Cloud Object Storage
home: https://min.io
icon: https://min.io/resources/img/logo/MINIO_wordmark.png
keywords:
- minio
- storage
- object-storage
- s3
- cluster
maintainers:
- email: dev@minio.io
name: MinIO, Inc
name: minio
sources:
- https://github.com/minio/minio
version: 5.0.4

260
charts/epinio/100.0.5+up1.6.2/charts/minio/README.md Normal file
View File

@ -0,0 +1,260 @@
# MinIO Helm Chart
[![Slack](https://slack.min.io/slack?type=svg)](https://slack.min.io) [![license](https://img.shields.io/badge/license-AGPL%20V3-blue)](https://github.com/minio/minio/blob/master/LICENSE)
MinIO is a High Performance Object Storage released under GNU Affero General Public License v3.0. It is API compatible with Amazon S3 cloud storage service. Use MinIO to build high performance infrastructure for machine learning, analytics and application data workloads.
For more detailed documentation please visit [here](https://min.io/docs/minio/linux/index.html)
## Introduction
This chart bootstraps MinIO Cluster on [Kubernetes](http://kubernetes.io) using the [Helm](https://helm.sh) package manager.
## Prerequisites
- Helm cli with Kubernetes cluster configured.
- PV provisioner support in the underlying infrastructure. (We recommend using <https://github.com/minio/direct-csi>)
- Use Kubernetes version v1.19 and later for best experience.
## Configure MinIO Helm repo
```bash
helm repo add minio https://charts.min.io/
```
### Installing the Chart
Install this chart using:
```bash
helm install --namespace minio --set rootUser=rootuser,rootPassword=rootpass123 --generate-name minio/minio
```
The command deploys MinIO on the Kubernetes cluster in the default configuration. The [configuration](#configuration) section lists the parameters that can be configured during installation.
### Installing the Chart (toy-setup)
Minimal toy setup for testing purposes can be deployed using:
```bash
helm install --set resources.requests.memory=512Mi --set replicas=1 --set persistence.enabled=false --set mode=standalone --set rootUser=rootuser,rootPassword=rootpass123 --generate-name minio/minio
```
### Upgrading the Chart
You can use Helm to update MinIO version in a live release. Assuming your release is named as `my-release`, get the values using the command:
```bash
helm get values my-release > old_values.yaml
```
Then change the field `image.tag` in `old_values.yaml` file with MinIO image tag you want to use. Now update the chart using
```bash
helm upgrade -f old_values.yaml my-release minio/minio
```
Default upgrade strategies are specified in the `values.yaml` file. Update these fields if you'd like to use a different strategy.
### Configuration
Refer the [Values file](./values.yaml) for all the possible config fields.
You can specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example,
```bash
helm install --name my-release --set persistence.size=1Ti minio/minio
```
The above command deploys MinIO server with a 1Ti backing persistent volume.
Alternately, you can provide a YAML file that specifies parameter values while installing the chart. For example,
```bash
helm install --name my-release -f values.yaml minio/minio
```
### Persistence
This chart provisions a PersistentVolumeClaim and mounts corresponding persistent volume to default location `/export`. You'll need physical storage available in the Kubernetes cluster for this to work. If you'd rather use `emptyDir`, disable PersistentVolumeClaim by:
```bash
helm install --set persistence.enabled=false minio/minio
```
> *"An emptyDir volume is first created when a Pod is assigned to a Node, and exists as long as that Pod is running on that node. When a Pod is removed from a node for any reason, the data in the emptyDir is deleted forever."*
### Existing PersistentVolumeClaim
If a Persistent Volume Claim already exists, specify it during installation.
1. Create the PersistentVolume
2. Create the PersistentVolumeClaim
3. Install the chart
```bash
helm install --set persistence.existingClaim=PVC_NAME minio/minio
```
### NetworkPolicy
To enable network policy for MinIO,
install [a networking plugin that implements the Kubernetes
NetworkPolicy spec](https://kubernetes.io/docs/tasks/administer-cluster/declare-network-policy#before-you-begin),
and set `networkPolicy.enabled` to `true`.
For Kubernetes v1.5 & v1.6, you must also turn on NetworkPolicy by setting
the DefaultDeny namespace annotation. Note: this will enforce policy for *all* pods in the namespace:
```
kubectl annotate namespace default "net.beta.kubernetes.io/network-policy={\"ingress\":{\"isolation\":\"DefaultDeny\"}}"
```
With NetworkPolicy enabled, traffic will be limited to just port 9000.
For more precise policy, set `networkPolicy.allowExternal=true`. This will
only allow pods with the generated client label to connect to MinIO.
This label will be displayed in the output of a successful install.
### Existing secret
Instead of having this chart create the secret for you, you can supply a preexisting secret, much
like an existing PersistentVolumeClaim.
First, create the secret:
```bash
kubectl create secret generic my-minio-secret --from-literal=rootUser=foobarbaz --from-literal=rootPassword=foobarbazqux
```
Then install the chart, specifying that you want to use an existing secret:
```bash
helm install --set existingSecret=my-minio-secret minio/minio
```
The following fields are expected in the secret:
| .data.\<key\> in Secret | Corresponding variable | Description | Required |
|:------------------------|:-----------------------|:---------------|:---------|
| `rootUser` | `rootUser` | Root user. | yes |
| `rootPassword` | `rootPassword` | Root password. | yes |
All corresponding variables will be ignored in values file.
### Configure TLS
To enable TLS for MinIO containers, acquire TLS certificates from a CA or create self-signed certificates. While creating / acquiring certificates ensure the corresponding domain names are set as per the standard [DNS naming conventions](https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#pod-identity) in a Kubernetes StatefulSet (for a distributed MinIO setup). Then create a secret using
```bash
kubectl create secret generic tls-ssl-minio --from-file=path/to/private.key --from-file=path/to/public.crt
```
Then install the chart, specifying that you want to use the TLS secret:
```bash
helm install --set tls.enabled=true,tls.certSecret=tls-ssl-minio minio/minio
```
### Installing certificates from third party CAs
MinIO can connect to other servers, including MinIO nodes or other server types such as NATs and Redis. If these servers use certificates that were not registered with a known CA, add trust for these certificates to MinIO Server by bundling these certificates into a Kubernetes secret and providing it to Helm via the `trustedCertsSecret` value. If `.Values.tls.enabled` is `true` and you're installing certificates for third party CAs, remember to include MinIO's own certificate with key `public.crt`, if it also needs to be trusted.
For instance, given that TLS is enabled and you need to add trust for MinIO's own CA and for the CA of a Keycloak server, a Kubernetes secret can be created from the certificate files using `kubectl`:
```
kubectl -n minio create secret generic minio-trusted-certs --from-file=public.crt --from-file=keycloak.crt
```
If TLS is not enabled, you would need only the third party CA:
```
kubectl -n minio create secret generic minio-trusted-certs --from-file=keycloak.crt
```
The name of the generated secret can then be passed to Helm using a values file or the `--set` parameter:
```
trustedCertsSecret: "minio-trusted-certs"
or
--set trustedCertsSecret=minio-trusted-certs
```
### Create buckets after install
Install the chart, specifying the buckets you want to create after install:
```bash
helm install --set buckets[0].name=bucket1,buckets[0].policy=none,buckets[0].purge=false minio/minio
```
Description of the configuration parameters used above -
- `buckets[].name` - name of the bucket to create, must be a string with length > 0
- `buckets[].policy` - can be one of none|download|upload|public
- `buckets[].purge` - purge if bucket exists already
### Create policies after install
Install the chart, specifying the policies you want to create after install:
```bash
helm install --set policies[0].name=mypolicy,policies[0].statements[0].resources[0]='arn:aws:s3:::bucket1',policies[0].statements[0].actions[0]='s3:ListBucket',policies[0].statements[0].actions[1]='s3:GetObject' minio/minio
```
Description of the configuration parameters used above -
- `policies[].name` - name of the policy to create, must be a string with length > 0
- `policies[].statements[]` - list of statements, includes actions and resources
- `policies[].statements[].resources[]` - list of resources that applies the statement
- `policies[].statements[].actions[]` - list of actions granted
### Create user after install
Install the chart, specifying the users you want to create after install:
```bash
helm install --set users[0].accessKey=accessKey,users[0].secretKey=secretKey,users[0].policy=none,users[1].accessKey=accessKey2,users[1].secretRef=existingSecret,users[1].secretKey=password,users[1].policy=none minio/minio
```
Description of the configuration parameters used above -
- `users[].accessKey` - accessKey of user
- `users[].secretKey` - secretKey of usersecretRef
- `users[].existingSecret` - secret name that contains the secretKey of user
- `users[].existingSecretKey` - data key in existingSecret secret containing the secretKey
- `users[].policy` - name of the policy to assign to user
### Create service account after install
Install the chart, specifying the service accounts you want to create after install:
```bash
helm install --set svcaccts[0].accessKey=accessKey,svcaccts[0].secretKey=secretKey,svcaccts[0].user=parentUser,svcaccts[1].accessKey=accessKey2,svcaccts[1].secretRef=existingSecret,svcaccts[1].secretKey=password,svcaccts[1].user=parentUser2 minio/minio
```
Description of the configuration parameters used above -
- `svcaccts[].accessKey` - accessKey of service account
- `svcaccts[].secretKey` - secretKey of svcacctsecretRef
- `svcaccts[].existingSecret` - secret name that contains the secretKey of service account
- `svcaccts[].existingSecretKey` - data key in existingSecret secret containing the secretKey
- `svcaccts[].user` - name of the parent user to assign to service account
## Uninstalling the Chart
Assuming your release is named as `my-release`, delete it using the command:
```bash
helm delete my-release
```
or
```bash
helm uninstall my-release
```
The command removes all the Kubernetes components associated with the chart and deletes the release.

43
charts/epinio/100.0.5+up1.6.2/charts/minio/templates/NOTES.txt Normal file
View File

@ -0,0 +1,43 @@
{{- if eq .Values.service.type "ClusterIP" "NodePort" }}
MinIO can be accessed via port {{ .Values.service.port }} on the following DNS name from within your cluster:
{{ template "minio.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local
To access MinIO from localhost, run the below commands:
1. export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
2. kubectl port-forward $POD_NAME 9000 --namespace {{ .Release.Namespace }}
Read more about port forwarding here: http://kubernetes.io/docs/user-guide/kubectl/kubectl_port-forward/
You can now access MinIO server on http://localhost:9000. Follow the below steps to connect to MinIO server with mc client:
1. Download the MinIO mc client - https://min.io/docs/minio/linux/reference/minio-mc.html#quickstart
2. export MC_HOST_{{ template "minio.fullname" . }}-local=http://$(kubectl get secret --namespace {{ .Release.Namespace }} {{ template "minio.secretName" . }} -o jsonpath="{.data.rootUser}" | base64 --decode):$(kubectl get secret --namespace {{ .Release.Namespace }} {{ template "minio.secretName" . }} -o jsonpath="{.data.rootPassword}" | base64 --decode)@localhost:{{ .Values.service.port }}
3. mc ls {{ template "minio.fullname" . }}-local
{{- end }}
{{- if eq .Values.service.type "LoadBalancer" }}
MinIO can be accessed via port {{ .Values.service.port }} on an external IP address. Get the service external IP address by:
kubectl get svc --namespace {{ .Release.Namespace }} -l app={{ template "minio.fullname" . }}
Note that the public IP may take a couple of minutes to be available.
You can now access MinIO server on http://<External-IP>:9000. Follow the below steps to connect to MinIO server with mc client:
1. Download the MinIO mc client - https://min.io/docs/minio/linux/reference/minio-mc.html#quickstart
2. export MC_HOST_{{ template "minio.fullname" . }}-local=http://$(kubectl get secret {{ template "minio.secretName" . }} --namespace {{ .Release.Namespace }} -o jsonpath="{.data.rootUser}" | base64 --decode):$(kubectl get secret {{ template "minio.secretName" . }} -o jsonpath="{.data.rootPassword}" | base64 --decode)@<External-IP>:{{ .Values.service.port }}
3. mc ls {{ template "minio.fullname" . }}
Alternately, you can use your browser or the MinIO SDK to access the server - https://min.io/docs/minio/linux/reference/minio-server/minio-server.html
{{- end }}
{{ if and (.Values.networkPolicy.enabled) (not .Values.networkPolicy.allowExternal) }}
Note: Since NetworkPolicy is enabled, only pods with label
{{ template "minio.fullname" . }}-client=true"
will be able to connect to this minio cluster.
{{- end }}

123
charts/epinio/100.0.5+up1.6.2/charts/minio/templates/_helper_create_bucket.txt Normal file
View File

@ -0,0 +1,123 @@
#!/bin/sh
set -e ; # Have script exit in the event of a failed command.
{{- if .Values.configPathmc }}
MC_CONFIG_DIR="{{ .Values.configPathmc }}"
MC="/usr/bin/mc --insecure --config-dir ${MC_CONFIG_DIR}"
{{- else }}
MC="/usr/bin/mc --insecure"
{{- end }}
# connectToMinio
# Use a check-sleep-check loop to wait for MinIO service to be available
connectToMinio() {
SCHEME=$1
ATTEMPTS=0 ; LIMIT=29 ; # Allow 30 attempts
set -e ; # fail if we can't read the keys.
ACCESS=$(cat /config/rootUser) ; SECRET=$(cat /config/rootPassword) ;
set +e ; # The connections to minio are allowed to fail.
echo "Connecting to MinIO server: $SCHEME://$MINIO_ENDPOINT:$MINIO_PORT" ;
MC_COMMAND="${MC} alias set myminio $SCHEME://$MINIO_ENDPOINT:$MINIO_PORT $ACCESS $SECRET" ;
$MC_COMMAND ;
STATUS=$? ;
until [ $STATUS = 0 ]
do
ATTEMPTS=`expr $ATTEMPTS + 1` ;
echo \"Failed attempts: $ATTEMPTS\" ;
if [ $ATTEMPTS -gt $LIMIT ]; then
exit 1 ;
fi ;
sleep 2 ; # 1 second intervals between attempts
$MC_COMMAND ;
STATUS=$? ;
done ;
set -e ; # reset `e` as active
return 0
}
# checkBucketExists ($bucket)
# Check if the bucket exists, by using the exit code of `mc ls`
checkBucketExists() {
BUCKET=$1
CMD=$(${MC} ls myminio/$BUCKET > /dev/null 2>&1)
return $?
}
# createBucket ($bucket, $policy, $purge)
# Ensure bucket exists, purging if asked to
createBucket() {
BUCKET=$1
POLICY=$2
PURGE=$3
VERSIONING=$4
OBJECTLOCKING=$5
# Purge the bucket, if set & exists
# Since PURGE is user input, check explicitly for `true`
if [ $PURGE = true ]; then
if checkBucketExists $BUCKET ; then
echo "Purging bucket '$BUCKET'."
set +e ; # don't exit if this fails
${MC} rm -r --force myminio/$BUCKET
set -e ; # reset `e` as active
else
echo "Bucket '$BUCKET' does not exist, skipping purge."
fi
fi
# Create the bucket if it does not exist and set objectlocking if enabled (NOTE: versioning will be not changed if OBJECTLOCKING is set because it enables versioning to the Buckets created)
if ! checkBucketExists $BUCKET ; then
if [ ! -z $OBJECTLOCKING ] ; then
if [ $OBJECTLOCKING = true ] ; then
echo "Creating bucket with OBJECTLOCKING '$BUCKET'"
${MC} mb --with-lock myminio/$BUCKET
elif [ $OBJECTLOCKING = false ] ; then
echo "Creating bucket '$BUCKET'"
${MC} mb myminio/$BUCKET
fi
elif [ -z $OBJECTLOCKING ] ; then
echo "Creating bucket '$BUCKET'"
${MC} mb myminio/$BUCKET
else
echo "Bucket '$BUCKET' already exists."
fi
fi
# set versioning for bucket if objectlocking is disabled or not set
if [ -z $OBJECTLOCKING ] ; then
if [ ! -z $VERSIONING ] ; then
if [ $VERSIONING = true ] ; then
echo "Enabling versioning for '$BUCKET'"
${MC} version enable myminio/$BUCKET
elif [ $VERSIONING = false ] ; then
echo "Suspending versioning for '$BUCKET'"
${MC} version suspend myminio/$BUCKET
fi
fi
else
echo "Bucket '$BUCKET' versioning unchanged."
fi
# At this point, the bucket should exist, skip checking for existence
# Set policy on the bucket
echo "Setting policy of bucket '$BUCKET' to '$POLICY'."
${MC} anonymous set $POLICY myminio/$BUCKET
}
# Try connecting to MinIO instance
{{- if .Values.tls.enabled }}
scheme=https
{{- else }}
scheme=http
{{- end }}
connectToMinio $scheme
{{ if .Values.buckets }}
{{ $global := . }}
# Create the buckets
{{- range .Values.buckets }}
createBucket {{ tpl .name $global }} {{ .policy | default "none" | quote }} {{ .purge | default false }} {{ .versioning | default false }} {{ .objectlocking | default false }}
{{- end }}
{{- end }}

75
charts/epinio/100.0.5+up1.6.2/charts/minio/templates/_helper_create_policy.txt Normal file
View File

@ -0,0 +1,75 @@
#!/bin/sh
set -e ; # Have script exit in the event of a failed command.
{{- if .Values.configPathmc }}
MC_CONFIG_DIR="{{ .Values.configPathmc }}"
MC="/usr/bin/mc --insecure --config-dir ${MC_CONFIG_DIR}"
{{- else }}
MC="/usr/bin/mc --insecure"
{{- end }}
# connectToMinio
# Use a check-sleep-check loop to wait for MinIO service to be available
connectToMinio() {
SCHEME=$1
ATTEMPTS=0 ; LIMIT=29 ; # Allow 30 attempts
set -e ; # fail if we can't read the keys.
ACCESS=$(cat /config/rootUser) ; SECRET=$(cat /config/rootPassword) ;
set +e ; # The connections to minio are allowed to fail.
echo "Connecting to MinIO server: $SCHEME://$MINIO_ENDPOINT:$MINIO_PORT" ;
MC_COMMAND="${MC} alias set myminio $SCHEME://$MINIO_ENDPOINT:$MINIO_PORT $ACCESS $SECRET" ;
$MC_COMMAND ;
STATUS=$? ;
until [ $STATUS = 0 ]
do
ATTEMPTS=`expr $ATTEMPTS + 1` ;
echo \"Failed attempts: $ATTEMPTS\" ;
if [ $ATTEMPTS -gt $LIMIT ]; then
exit 1 ;
fi ;
sleep 2 ; # 1 second intervals between attempts
$MC_COMMAND ;
STATUS=$? ;
done ;
set -e ; # reset `e` as active
return 0
}
# checkPolicyExists ($policy)
# Check if the policy exists, by using the exit code of `mc admin policy info`
checkPolicyExists() {
POLICY=$1
CMD=$(${MC} admin policy info myminio $POLICY > /dev/null 2>&1)
return $?
}
# createPolicy($name, $filename)
createPolicy () {
NAME=$1
FILENAME=$2
# Create the name if it does not exist
echo "Checking policy: $NAME (in /config/$FILENAME.json)"
if ! checkPolicyExists $NAME ; then
echo "Creating policy '$NAME'"
else
echo "Policy '$NAME' already exists."
fi
${MC} admin policy add myminio $NAME /config/$FILENAME.json
}
# Try connecting to MinIO instance
{{- if .Values.tls.enabled }}
scheme=https
{{- else }}
scheme=http
{{- end }}
connectToMinio $scheme
{{ if .Values.policies }}
# Create the policies
{{- range $idx, $policy := .Values.policies }}
createPolicy {{ $policy.name }} policy_{{ $idx }}
{{- end }}
{{- end }}

106
charts/epinio/100.0.5+up1.6.2/charts/minio/templates/_helper_create_svcacct.txt Normal file
View File

@ -0,0 +1,106 @@
#!/bin/sh
set -e ; # Have script exit in the event of a failed command.
{{- if .Values.configPathmc }}
MC_CONFIG_DIR="{{ .Values.configPathmc }}"
MC="/usr/bin/mc --insecure --config-dir ${MC_CONFIG_DIR}"
{{- else }}
MC="/usr/bin/mc --insecure"
{{- end }}
# AccessKey and secretkey credentials file are added to prevent shell execution errors caused by special characters.
# Special characters for example : ',",<,>,{,}
MINIO_ACCESSKEY_SECRETKEY_TMP="/tmp/accessKey_and_secretKey_svcacct_tmp"
# connectToMinio
# Use a check-sleep-check loop to wait for MinIO service to be available
connectToMinio() {
SCHEME=$1
ATTEMPTS=0 ; LIMIT=29 ; # Allow 30 attempts
set -e ; # fail if we can't read the keys.
ACCESS=$(cat /config/rootUser) ; SECRET=$(cat /config/rootPassword) ;
set +e ; # The connections to minio are allowed to fail.
echo "Connecting to MinIO server: $SCHEME://$MINIO_ENDPOINT:$MINIO_PORT" ;
MC_COMMAND="${MC} alias set myminio $SCHEME://$MINIO_ENDPOINT:$MINIO_PORT $ACCESS $SECRET" ;
$MC_COMMAND ;
STATUS=$? ;
until [ $STATUS = 0 ]
do
ATTEMPTS=`expr $ATTEMPTS + 1` ;
echo \"Failed attempts: $ATTEMPTS\" ;
if [ $ATTEMPTS -gt $LIMIT ]; then
exit 1 ;
fi ;
sleep 2 ; # 2 second intervals between attempts
$MC_COMMAND ;
STATUS=$? ;
done ;
set -e ; # reset `e` as active
return 0
}
# checkSvcacctExists ()
# Check if the svcacct exists, by using the exit code of `mc admin user svcacct info`
checkSvcacctExists() {
CMD=$(${MC} admin user svcacct info myminio $(head -1 $MINIO_ACCESSKEY_SECRETKEY_TMP) > /dev/null 2>&1)
return $?
}
# createSvcacct ($user)
createSvcacct () {
USER=$1
FILENAME=$2
#check accessKey_and_secretKey_tmp file
if [[ ! -f $MINIO_ACCESSKEY_SECRETKEY_TMP ]];then
echo "credentials file does not exist"
return 1
fi
if [[ $(cat $MINIO_ACCESSKEY_SECRETKEY_TMP|wc -l) -ne 2 ]];then
echo "credentials file is invalid"
rm -f $MINIO_ACCESSKEY_SECRETKEY_TMP
return 1
fi
SVCACCT=$(head -1 $MINIO_ACCESSKEY_SECRETKEY_TMP)
# Create the svcacct if it does not exist
if ! checkSvcacctExists ; then
echo "Creating svcacct '$SVCACCT'"
# Check if policy file is define
if [ -z $FILENAME ]; then
${MC} admin user svcacct add --access-key $(head -1 $MINIO_ACCESSKEY_SECRETKEY_TMP) --secret-key $(tail -n1 $MINIO_ACCESSKEY_SECRETKEY_TMP) myminio $USER
else
${MC} admin user svcacct add --access-key $(head -1 $MINIO_ACCESSKEY_SECRETKEY_TMP) --secret-key $(tail -n1 $MINIO_ACCESSKEY_SECRETKEY_TMP) --policy /config/$FILENAME.json myminio $USER
fi
else
echo "Svcacct '$SVCACCT' already exists."
fi
#clean up credentials files.
rm -f $MINIO_ACCESSKEY_SECRETKEY_TMP
}
# Try connecting to MinIO instance
{{- if .Values.tls.enabled }}
scheme=https
{{- else }}
scheme=http
{{- end }}
connectToMinio $scheme
{{ if .Values.svcaccts }}
{{ $global := . }}
# Create the svcaccts
{{- range $idx, $svc := .Values.svcaccts }}
echo {{ tpl .accessKey $global }} > $MINIO_ACCESSKEY_SECRETKEY_TMP
{{- if .existingSecret }}
cat /config/secrets/{{ tpl .existingSecret $global }}/{{ tpl .existingSecretKey $global }} >> $MINIO_ACCESSKEY_SECRETKEY_TMP
# Add a new line if it doesn't exist
sed -i '$a\' $MINIO_ACCESSKEY_SECRETKEY_TMP
{{ else }}
echo {{ .secretKey }} >> $MINIO_ACCESSKEY_SECRETKEY_TMP
{{- end }}
{{- if $svc.policy}}
createSvcacct {{ .user }} svc_policy_{{ $idx }}
{{ else }}
createSvcacct {{ .user }}
{{- end }}
{{- end }}
{{- end }}

105
charts/epinio/100.0.5+up1.6.2/charts/minio/templates/_helper_create_user.txt Normal file
View File

@ -0,0 +1,105 @@
#!/bin/sh
set -e ; # Have script exit in the event of a failed command.
{{- if .Values.configPathmc }}
MC_CONFIG_DIR="{{ .Values.configPathmc }}"
MC="/usr/bin/mc --insecure --config-dir ${MC_CONFIG_DIR}"
{{- else }}
MC="/usr/bin/mc --insecure"
{{- end }}
# AccessKey and secretkey credentials file are added to prevent shell execution errors caused by special characters.
# Special characters for example : ',",<,>,{,}
MINIO_ACCESSKEY_SECRETKEY_TMP="/tmp/accessKey_and_secretKey_tmp"
# connectToMinio
# Use a check-sleep-check loop to wait for MinIO service to be available
connectToMinio() {
SCHEME=$1
ATTEMPTS=0 ; LIMIT=29 ; # Allow 30 attempts
set -e ; # fail if we can't read the keys.
ACCESS=$(cat /config/rootUser) ; SECRET=$(cat /config/rootPassword) ;
set +e ; # The connections to minio are allowed to fail.
echo "Connecting to MinIO server: $SCHEME://$MINIO_ENDPOINT:$MINIO_PORT" ;
MC_COMMAND="${MC} alias set myminio $SCHEME://$MINIO_ENDPOINT:$MINIO_PORT $ACCESS $SECRET" ;
$MC_COMMAND ;
STATUS=$? ;
until [ $STATUS = 0 ]
do
ATTEMPTS=`expr $ATTEMPTS + 1` ;
echo \"Failed attempts: $ATTEMPTS\" ;
if [ $ATTEMPTS -gt $LIMIT ]; then
exit 1 ;
fi ;
sleep 2 ; # 1 second intervals between attempts
$MC_COMMAND ;
STATUS=$? ;
done ;
set -e ; # reset `e` as active
return 0
}
# checkUserExists ()
# Check if the user exists, by using the exit code of `mc admin user info`
checkUserExists() {
CMD=$(${MC} admin user info myminio $(head -1 $MINIO_ACCESSKEY_SECRETKEY_TMP) > /dev/null 2>&1)
return $?
}
# createUser ($policy)
createUser() {
POLICY=$1
#check accessKey_and_secretKey_tmp file
if [[ ! -f $MINIO_ACCESSKEY_SECRETKEY_TMP ]];then
echo "credentials file does not exist"
return 1
fi
if [[ $(cat $MINIO_ACCESSKEY_SECRETKEY_TMP|wc -l) -ne 2 ]];then
echo "credentials file is invalid"
rm -f $MINIO_ACCESSKEY_SECRETKEY_TMP
return 1
fi
USER=$(head -1 $MINIO_ACCESSKEY_SECRETKEY_TMP)
# Create the user if it does not exist
if ! checkUserExists ; then
echo "Creating user '$USER'"
cat $MINIO_ACCESSKEY_SECRETKEY_TMP | ${MC} admin user add myminio
else
echo "User '$USER' already exists."
fi
#clean up credentials files.
rm -f $MINIO_ACCESSKEY_SECRETKEY_TMP
# set policy for user
if [ ! -z $POLICY -a $POLICY != " " ] ; then
echo "Adding policy '$POLICY' for '$USER'"
${MC} admin policy set myminio $POLICY user=$USER
else
echo "User '$USER' has no policy attached."
fi
}
# Try connecting to MinIO instance
{{- if .Values.tls.enabled }}
scheme=https
{{- else }}
scheme=http
{{- end }}
connectToMinio $scheme
{{ if .Values.users }}
{{ $global := . }}
# Create the users
{{- range .Values.users }}
echo {{ tpl .accessKey $global }} > $MINIO_ACCESSKEY_SECRETKEY_TMP
{{- if .existingSecret }}
cat /config/secrets/{{ tpl .existingSecretKey $global }} >> $MINIO_ACCESSKEY_SECRETKEY_TMP
# Add a new line if it doesn't exist
sed -i '$a\' $MINIO_ACCESSKEY_SECRETKEY_TMP
createUser {{ .policy }}
{{ else }}
echo {{ .secretKey }} >> $MINIO_ACCESSKEY_SECRETKEY_TMP
createUser {{ .policy }}
{{- end }}
{{- end }}
{{- end }}

58
charts/epinio/100.0.5+up1.6.2/charts/minio/templates/_helper_custom_command.txt Normal file
View File

@ -0,0 +1,58 @@
#!/bin/sh
set -e ; # Have script exit in the event of a failed command.
{{- if .Values.configPathmc }}
MC_CONFIG_DIR="{{ .Values.configPathmc }}"
MC="/usr/bin/mc --insecure --config-dir ${MC_CONFIG_DIR}"
{{- else }}
MC="/usr/bin/mc --insecure"
{{- end }}
# connectToMinio
# Use a check-sleep-check loop to wait for MinIO service to be available
connectToMinio() {
SCHEME=$1
ATTEMPTS=0 ; LIMIT=29 ; # Allow 30 attempts
set -e ; # fail if we can't read the keys.
ACCESS=$(cat /config/rootUser) ; SECRET=$(cat /config/rootPassword) ;
set +e ; # The connections to minio are allowed to fail.
echo "Connecting to MinIO server: $SCHEME://$MINIO_ENDPOINT:$MINIO_PORT" ;
MC_COMMAND="${MC} alias set myminio $SCHEME://$MINIO_ENDPOINT:$MINIO_PORT $ACCESS $SECRET" ;
$MC_COMMAND ;
STATUS=$? ;
until [ $STATUS = 0 ]
do
ATTEMPTS=`expr $ATTEMPTS + 1` ;
echo \"Failed attempts: $ATTEMPTS\" ;
if [ $ATTEMPTS -gt $LIMIT ]; then
exit 1 ;
fi ;
sleep 2 ; # 1 second intervals between attempts
$MC_COMMAND ;
STATUS=$? ;
done ;
set -e ; # reset `e` as active
return 0
}
# runCommand ($@)
# Run custom mc command
runCommand() {
${MC} "$@"
return $?
}
# Try connecting to MinIO instance
{{- if .Values.tls.enabled }}
scheme=https
{{- else }}
scheme=http
{{- end }}
connectToMinio $scheme
{{ if .Values.customCommands }}
# Run custom commands
{{- range .Values.customCommands }}
runCommand {{ .command }}
{{- end }}
{{- end }}

28
charts/epinio/100.0.5+up1.6.2/charts/minio/templates/_helper_policy.tpl Normal file
View File

@ -0,0 +1,28 @@
{{- $statements_length := len .statements -}}
{{- $statements_length := sub $statements_length 1 -}}
{
"Version": "2012-10-17",
"Statement": [
{{- range $i, $statement := .statements }}
{
"Effect": "Allow",
"Action": [
"{{ $statement.actions | join "\",\n\"" }}"
]{{ if $statement.resources }},
"Resource": [
"{{ $statement.resources | join "\",\n\"" }}"
]{{ end }}
{{- if $statement.conditions }}
{{- $condition_len := len $statement.conditions }}
{{- $condition_len := sub $condition_len 1 }}
,
"Condition": {
{{- range $k,$v := $statement.conditions }}
{{- range $operator,$object := $v }}
"{{ $operator }}": { {{ $object }} }{{- if lt $k $condition_len }},{{- end }}
{{- end }}{{- end }}
}{{- end }}
}{{ if lt $i $statements_length }},{{end }}
{{- end }}
]
}

246
charts/epinio/100.0.5+up1.6.2/charts/minio/templates/_helpers.tpl Normal file
View File

@ -0,0 +1,246 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "minio.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "minio.fullname" -}}
{{- if .Values.fullnameOverride -}}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "minio.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Return the appropriate apiVersion for networkpolicy.
*/}}
{{- define "minio.networkPolicy.apiVersion" -}}
{{- if semverCompare ">=1.4-0, <1.7-0" .Capabilities.KubeVersion.Version -}}
{{- print "extensions/v1beta1" -}}
{{- else if semverCompare ">=1.7-0, <1.16-0" .Capabilities.KubeVersion.Version -}}
{{- print "networking.k8s.io/v1beta1" -}}
{{- else if semverCompare "^1.16-0" .Capabilities.KubeVersion.Version -}}
{{- print "networking.k8s.io/v1" -}}
{{- end -}}
{{- end -}}
{{/*
Return the appropriate apiVersion for deployment.
*/}}
{{- define "minio.deployment.apiVersion" -}}
{{- if semverCompare "<1.9-0" .Capabilities.KubeVersion.Version -}}
{{- print "apps/v1beta2" -}}
{{- else -}}
{{- print "apps/v1" -}}
{{- end -}}
{{- end -}}
{{/*
Return the appropriate apiVersion for statefulset.
*/}}
{{- define "minio.statefulset.apiVersion" -}}
{{- if semverCompare "<1.16-0" .Capabilities.KubeVersion.Version -}}
{{- print "apps/v1beta2" -}}
{{- else -}}
{{- print "apps/v1" -}}
{{- end -}}
{{- end -}}
{{/*
Return the appropriate apiVersion for ingress.
*/}}
{{- define "minio.ingress.apiVersion" -}}
{{- if semverCompare "<1.14-0" .Capabilities.KubeVersion.GitVersion -}}
{{- print "extensions/v1beta1" -}}
{{- else if semverCompare "<1.19-0" .Capabilities.KubeVersion.GitVersion -}}
{{- print "networking.k8s.io/v1beta1" -}}
{{- else -}}
{{- print "networking.k8s.io/v1" -}}
{{- end -}}
{{- end -}}
{{/*
Return the appropriate apiVersion for console ingress.
*/}}
{{- define "minio.consoleIngress.apiVersion" -}}
{{- if semverCompare "<1.14-0" .Capabilities.KubeVersion.GitVersion -}}
{{- print "extensions/v1beta1" -}}
{{- else if semverCompare "<1.19-0" .Capabilities.KubeVersion.GitVersion -}}
{{- print "networking.k8s.io/v1beta1" -}}
{{- else -}}
{{- print "networking.k8s.io/v1" -}}
{{- end -}}
{{- end -}}
{{/*
Determine secret name.
*/}}
{{- define "minio.secretName" -}}
{{- if .Values.existingSecret -}}
{{- .Values.existingSecret }}
{{- else -}}
{{- include "minio.fullname" . -}}
{{- end -}}
{{- end -}}
{{/*
Determine name for scc role and rolebinding
*/}}
{{- define "minio.sccRoleName" -}}
{{- printf "%s-%s" "scc" (include "minio.fullname" .) | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Properly format optional additional arguments to MinIO binary
*/}}
{{- define "minio.extraArgs" -}}
{{- range .Values.extraArgs -}}
{{ " " }}{{ . }}
{{- end -}}
{{- end -}}
{{/*
Return the proper Docker Image Registry Secret Names
*/}}
{{- define "minio.imagePullSecrets" -}}
{{/*
Helm 2.11 supports the assignment of a value to a variable defined in a different scope,
but Helm 2.9 and 2.10 does not support it, so we need to implement this if-else logic.
Also, we can not use a single if because lazy evaluation is not an option
*/}}
{{- if .Values.global }}
{{- if .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
{{- end }}
{{- else if .Values.imagePullSecrets }}
imagePullSecrets:
{{ toYaml .Values.imagePullSecrets }}
{{- end -}}
{{- else if .Values.imagePullSecrets }}
imagePullSecrets:
{{ toYaml .Values.imagePullSecrets }}
{{- end -}}
{{- end -}}
{{/*
Formats volumeMount for MinIO TLS keys and trusted certs
*/}}
{{- define "minio.tlsKeysVolumeMount" -}}
{{- if .Values.tls.enabled }}
- name: cert-secret-volume
mountPath: {{ .Values.certsPath }}
{{- end }}
{{- if or .Values.tls.enabled (ne .Values.trustedCertsSecret "") }}
{{- $casPath := printf "%s/CAs" .Values.certsPath | clean }}
- name: trusted-cert-secret-volume
mountPath: {{ $casPath }}
{{- end }}
{{- end -}}
{{/*
Formats volume for MinIO TLS keys and trusted certs
*/}}
{{- define "minio.tlsKeysVolume" -}}
{{- if .Values.tls.enabled }}
- name: cert-secret-volume
secret:
secretName: {{ tpl .Values.tls.certSecret $ }}
items:
- key: {{ .Values.tls.publicCrt }}
path: public.crt
- key: {{ .Values.tls.privateKey }}
path: private.key
{{- end }}
{{- if or .Values.tls.enabled (ne .Values.trustedCertsSecret "") }}
{{- $certSecret := eq .Values.trustedCertsSecret "" | ternary .Values.tls.certSecret .Values.trustedCertsSecret }}
{{- $publicCrt := eq .Values.trustedCertsSecret "" | ternary .Values.tls.publicCrt "" }}
- name: trusted-cert-secret-volume
secret:
secretName: {{ $certSecret }}
{{- if ne $publicCrt "" }}
items:
- key: {{ $publicCrt }}
path: public.crt
{{- end }}
{{- end }}
{{- end -}}
{{/*
Returns the available value for certain key in an existing secret (if it exists),
otherwise it generates a random value.
*/}}
{{- define "minio.getValueFromSecret" }}
{{- $len := (default 16 .Length) | int -}}
{{- $obj := (lookup "v1" "Secret" .Namespace .Name).data -}}
{{- if $obj }}
{{- index $obj .Key | b64dec -}}
{{- else -}}
{{- randAlphaNum $len -}}
{{- end -}}
{{- end }}
{{- define "minio.root.username" -}}
{{- if .Values.rootUser }}
{{- .Values.rootUser | toString }}
{{- else }}
{{- include "minio.getValueFromSecret" (dict "Namespace" .Release.Namespace "Name" (include "minio.fullname" .) "Length" 20 "Key" "rootUser") }}
{{- end }}
{{- end -}}
{{- define "minio.root.password" -}}
{{- if .Values.rootPassword }}
{{- .Values.rootPassword | toString }}
{{- else }}
{{- include "minio.getValueFromSecret" (dict "Namespace" .Release.Namespace "Name" (include "minio.fullname" .) "Length" 40 "Key" "rootPassword") }}
{{- end }}
{{- end -}}
{{/*
Windows cluster will add default taint for linux nodes, add below linux tolerations to
workloads could be scheduled to those linux nodes
*/}}
{{- define "linux-node-tolerations" -}}
- key: "cattle.io/os"
value: "linux"
effect: "NoSchedule"
operator: "Equal"
{{- end -}}
{{- define "linux-node-selector" -}}
{{- if semverCompare "<1.14-0" .Capabilities.KubeVersion.GitVersion -}}
beta.kubernetes.io/os: linux
{{- else -}}
kubernetes.io/os: linux
{{- end -}}
{{- end -}}
{{/*
URL prefix for container images to be compatible with Rancher
*/}}
{{- define "registry-url" -}}
{{- if .Values.global.cattle.systemDefaultRegistry -}}
{{ trimSuffix "/" .Values.global.cattle.systemDefaultRegistry }}/
{{- end -}}
{{- end -}}

33
charts/epinio/100.0.5+up1.6.2/charts/minio/templates/configmap.yaml Normal file
View File

@ -0,0 +1,33 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ template "minio.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
labels:
app: {{ template "minio.name" . }}
chart: {{ template "minio.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
data:
initialize: |-
{{ include (print $.Template.BasePath "/_helper_create_bucket.txt") . | indent 4 }}
add-user: |-
{{ include (print $.Template.BasePath "/_helper_create_user.txt") . | indent 4 }}
add-policy: |-
{{ include (print $.Template.BasePath "/_helper_create_policy.txt") . | indent 4 }}
{{- range $idx, $policy := .Values.policies }}
# Policy: {{ $policy.name }}
policy_{{ $idx }}.json: |-
{{ include (print $.Template.BasePath "/_helper_policy.tpl") . | indent 4 }}
{{ end }}
{{- range $idx, $svc := .Values.svcaccts }}
{{- if $svc.policy }}
# SVC: {{ $svc.accessKey }}
svc_policy_{{ $idx }}.json: |-
{{ include (print $.Template.BasePath "/_helper_policy.tpl") .policy | indent 4 }}
{{- end }}
{{ end }}
add-svcacct: |-
{{ include (print $.Template.BasePath "/_helper_create_svcacct.txt") . | indent 4 }}
custom-command: |-
{{ include (print $.Template.BasePath "/_helper_custom_command.txt") . | indent 4 }}

58
charts/epinio/100.0.5+up1.6.2/charts/minio/templates/console-ingress.yaml Normal file
View File

@ -0,0 +1,58 @@
{{- if .Values.consoleIngress.enabled -}}
{{- $fullName := printf "%s-console" (include "minio.fullname" .) -}}
{{- $servicePort := .Values.consoleService.port -}}
{{- $ingressPath := .Values.consoleIngress.path -}}
apiVersion: {{ template "minio.consoleIngress.apiVersion" . }}
kind: Ingress
metadata:
name: {{ $fullName }}
namespace: {{ .Release.Namespace | quote }}
labels:
app: {{ template "minio.name" . }}
chart: {{ template "minio.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
{{- with .Values.consoleIngress.labels }}
{{ toYaml . | indent 4 }}
{{- end }}
{{- with .Values.consoleIngress.annotations }}
annotations:
{{ toYaml . | indent 4 }}
{{- end }}
spec:
{{- if .Values.consoleIngress.ingressClassName }}
ingressClassName: {{ .Values.consoleIngress.ingressClassName }}
{{- end }}
{{- if .Values.consoleIngress.tls }}
tls:
{{- range .Values.consoleIngress.tls }}
- hosts:
{{- range .hosts }}
- {{ . | quote }}
{{- end }}
secretName: {{ .secretName }}
{{- end }}
{{- end }}
rules:
{{- range .Values.consoleIngress.hosts }}
- http:
paths:
- path: {{ $ingressPath }}
{{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
pathType: Prefix
backend:
service:
name: {{ $fullName }}
port:
number: {{ $servicePort }}
{{- else }}
backend:
serviceName: {{ $fullName }}
servicePort: {{ $servicePort }}
{{- end }}
{{- if . }}
host: {{ . | quote }}
{{- end }}
{{- end }}
{{- end }}

48
charts/epinio/100.0.5+up1.6.2/charts/minio/templates/console-service.yaml Normal file
View File

@ -0,0 +1,48 @@
{{ $scheme := "http" }}
{{- if .Values.tls.enabled }}
{{ $scheme = "https" }}
{{ end }}
apiVersion: v1
kind: Service
metadata:
name: {{ template "minio.fullname" . }}-console
namespace: {{ .Release.Namespace | quote }}
labels:
app: {{ template "minio.name" . }}
chart: {{ template "minio.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
{{- if .Values.consoleService.annotations }}
annotations:
{{ toYaml .Values.consoleService.annotations | indent 4 }}
{{- end }}
spec:
{{- if (or (eq .Values.consoleService.type "ClusterIP" "") (empty .Values.consoleService.type)) }}
type: ClusterIP
{{- if not (empty .Values.consoleService.clusterIP) }}
clusterIP: {{ .Values.consoleService.clusterIP }}
{{end}}
{{- else if eq .Values.consoleService.type "LoadBalancer" }}
type: {{ .Values.consoleService.type }}
loadBalancerIP: {{ default "" .Values.consoleService.loadBalancerIP }}
{{- else }}
type: {{ .Values.consoleService.type }}
{{- end }}
ports:
- name: {{ $scheme }}
port: {{ .Values.consoleService.port }}
protocol: TCP
{{- if (and (eq .Values.consoleService.type "NodePort") ( .Values.consoleService.nodePort)) }}
nodePort: {{ .Values.consoleService.nodePort }}
{{- else }}
targetPort: {{ .Values.minioConsolePort }}
{{- end}}
{{- if .Values.consoleService.externalIPs }}
externalIPs:
{{- range $i , $ip := .Values.consoleService.externalIPs }}
- {{ $ip }}
{{- end }}
{{- end }}
selector:
app: {{ template "minio.name" . }}
release: {{ .Release.Name }}

205
charts/epinio/100.0.5+up1.6.2/charts/minio/templates/deployment.yaml Normal file
View File

@ -0,0 +1,205 @@
{{- if eq .Values.mode "standalone" }}
{{ $scheme := "http" }}
{{- if .Values.tls.enabled }}
{{ $scheme = "https" }}
{{ end }}
{{ $bucketRoot := or ($.Values.bucketRoot) ($.Values.mountPath) }}
apiVersion: {{ template "minio.deployment.apiVersion" . }}
kind: Deployment
metadata:
name: {{ template "minio.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
labels:
app: {{ template "minio.name" . }}
chart: {{ template "minio.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
{{- if .Values.additionalLabels }}
{{ toYaml .Values.additionalLabels | trimSuffix "\n" | indent 4 }}
{{- end }}
{{- if .Values.additionalAnnotations }}
annotations:
{{ toYaml .Values.additionalAnnotations | trimSuffix "\n" | indent 4 }}
{{- end }}
spec:
strategy:
type: {{ .Values.DeploymentUpdate.type }}
{{- if eq .Values.DeploymentUpdate.type "RollingUpdate" }}
rollingUpdate:
maxSurge: {{ .Values.DeploymentUpdate.maxSurge }}
maxUnavailable: {{ .Values.DeploymentUpdate.maxUnavailable }}
{{- end}}
replicas: 1
selector:
matchLabels:
app: {{ template "minio.name" . }}
release: {{ .Release.Name }}
template:
metadata:
name: {{ template "minio.fullname" . }}
labels:
app: {{ template "minio.name" . }}
release: {{ .Release.Name }}
{{- if .Values.podLabels }}
{{ toYaml .Values.podLabels | indent 8 }}
{{- end }}
annotations:
{{- if not .Values.ignoreChartChecksums }}
checksum/secrets: {{ include (print $.Template.BasePath "/secrets.yaml") . | sha256sum }}
checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
{{- end }}
{{- if .Values.podAnnotations }}
{{ toYaml .Values.podAnnotations | trimSuffix "\n" | indent 8 }}
{{- end }}
spec:
{{- if .Values.priorityClassName }}
priorityClassName: "{{ .Values.priorityClassName }}"
{{- end }}
{{- if .Values.runtimeClassName }}
runtimeClassName: "{{ .Values.runtimeClassName }}"
{{- end }}
{{- if and .Values.securityContext.enabled .Values.persistence.enabled }}
securityContext:
runAsUser: {{ .Values.securityContext.runAsUser }}
runAsGroup: {{ .Values.securityContext.runAsGroup }}
fsGroup: {{ .Values.securityContext.fsGroup }}
{{- if and (ge .Capabilities.KubeVersion.Major "1") (ge .Capabilities.KubeVersion.Minor "20") }}
fsGroupChangePolicy: {{ .Values.securityContext.fsGroupChangePolicy }}
{{- end }}
{{- end }}
{{ if .Values.serviceAccount.create }}
serviceAccountName: {{ .Values.serviceAccount.name }}
{{- end }}
containers:
- name: {{ .Chart.Name }}
image: "{{ default .Values.image.registry (include "registry-url" .) }}{{ .Values.image.repository }}:{{ .Values.image.tag }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
command:
- "/bin/sh"
- "-ce"
- "/usr/bin/docker-entrypoint.sh minio server {{ $bucketRoot }} -S {{ .Values.certsPath }} --address :{{ .Values.minioAPIPort }} --console-address :{{ .Values.minioConsolePort }} {{- template "minio.extraArgs" . }}"
volumeMounts:
- name: minio-user
mountPath: "/tmp/credentials"
readOnly: true
- name: export
mountPath: {{ .Values.mountPath }}
{{- if and .Values.persistence.enabled .Values.persistence.subPath }}
subPath: "{{ .Values.persistence.subPath }}"
{{- end }}
{{- if .Values.extraSecret }}
- name: extra-secret
mountPath: "/tmp/minio-config-env"
{{- end }}
{{- include "minio.tlsKeysVolumeMount" . | indent 12 }}
{{- if .Values.extraVolumeMounts }}
{{- toYaml .Values.extraVolumeMounts | nindent 12 }}
{{- end }}
ports:
- name: {{ $scheme }}
containerPort: {{ .Values.minioAPIPort }}
- name: {{ $scheme }}-console
containerPort: {{ .Values.minioConsolePort }}
env:
- name: MINIO_ROOT_USER
valueFrom:
secretKeyRef:
name: {{ template "minio.secretName" . }}
key: rootUser
- name: MINIO_ROOT_PASSWORD
valueFrom:
secretKeyRef:
name: {{ template "minio.secretName" . }}
key: rootPassword
{{- if .Values.extraSecret }}
- name: MINIO_CONFIG_ENV_FILE
value: "/tmp/minio-config-env/config.env"
{{- end}}
{{- if .Values.metrics.serviceMonitor.public }}
- name: MINIO_PROMETHEUS_AUTH_TYPE
value: "public"
{{- end}}
{{- if .Values.oidc.enabled }}
- name: MINIO_IDENTITY_OPENID_CONFIG_URL
value: {{ .Values.oidc.configUrl }}
- name: MINIO_IDENTITY_OPENID_CLIENT_ID
value: {{ .Values.oidc.clientId }}
- name: MINIO_IDENTITY_OPENID_CLIENT_SECRET
value: {{ .Values.oidc.clientSecret }}
- name: MINIO_IDENTITY_OPENID_CLAIM_NAME
value: {{ .Values.oidc.claimName }}
- name: MINIO_IDENTITY_OPENID_CLAIM_PREFIX
value: {{ .Values.oidc.claimPrefix }}
- name: MINIO_IDENTITY_OPENID_SCOPES
value: {{ .Values.oidc.scopes }}
- name: MINIO_IDENTITY_OPENID_REDIRECT_URI
value: {{ .Values.oidc.redirectUri }}
- name: MINIO_IDENTITY_OPENID_COMMENT
value: {{ .Values.oidc.comment }}
{{- end}}
{{- if .Values.etcd.endpoints }}
- name: MINIO_ETCD_ENDPOINTS
value: {{ join "," .Values.etcd.endpoints | quote }}
{{- if .Values.etcd.clientCert }}
- name: MINIO_ETCD_CLIENT_CERT
value: "/tmp/credentials/etcd_client_cert.pem"
{{- end }}
{{- if .Values.etcd.clientCertKey }}
- name: MINIO_ETCD_CLIENT_CERT_KEY
value: "/tmp/credentials/etcd_client_cert_key.pem"
{{- end }}
{{- if .Values.etcd.pathPrefix }}
- name: MINIO_ETCD_PATH_PREFIX
value: {{ .Values.etcd.pathPrefix }}
{{- end }}
{{- if .Values.etcd.corednsPathPrefix }}
- name: MINIO_ETCD_COREDNS_PATH
value: {{ .Values.etcd.corednsPathPrefix }}
{{- end }}
{{- end }}
{{- range $key, $val := .Values.environment }}
- name: {{ $key }}
value: {{ $val | quote }}
{{- end}}
resources:
{{ toYaml .Values.resources | indent 12 }}
{{- with .Values.extraContainers }}
{{- if eq (typeOf .) "string" }}
{{- tpl . $ | nindent 8 }}
{{- else }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- end }}
nodeSelector:
{{- include "linux-node-selector" . | nindent 8 }}
{{- include "minio.imagePullSecrets" . | indent 6 }}
{{- with .Values.affinity }}
affinity:
{{ toYaml . | indent 8 }}
{{- end }}
tolerations:
{{- include "linux-node-tolerations" . | nindent 8 }}
{{- with .Values.tolerations }}
{{ toYaml . | indent 8 }}
{{- end }}
volumes:
- name: export
{{- if .Values.persistence.enabled }}
persistentVolumeClaim:
claimName: {{ .Values.persistence.existingClaim | default (include "minio.fullname" .) }}
{{- else }}
emptyDir: {}
{{- end }}
{{- if .Values.extraSecret }}
- name: extra-secret
secret:
secretName: {{ .Values.extraSecret }}
{{- end }}
- name: minio-user
secret:
secretName: {{ template "minio.secretName" . }}
{{- include "minio.tlsKeysVolume" . | indent 8 }}
{{- if .Values.extraVolumes }}
{{ toYaml .Values.extraVolumes | nindent 8 }}
{{- end }}
{{- end }}

58
charts/epinio/100.0.5+up1.6.2/charts/minio/templates/ingress.yaml Normal file
View File

@ -0,0 +1,58 @@
{{- if .Values.ingress.enabled -}}
{{- $fullName := include "minio.fullname" . -}}
{{- $servicePort := .Values.service.port -}}
{{- $ingressPath := .Values.ingress.path -}}
apiVersion: {{ template "minio.ingress.apiVersion" . }}
kind: Ingress
metadata:
name: {{ $fullName }}
namespace: {{ .Release.Namespace | quote }}
labels:
app: {{ template "minio.name" . }}
chart: {{ template "minio.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
{{- with .Values.ingress.labels }}
{{ toYaml . | indent 4 }}
{{- end }}
{{- with .Values.ingress.annotations }}
annotations:
{{ toYaml . | indent 4 }}
{{- end }}
spec:
{{- if .Values.ingress.ingressClassName }}
ingressClassName: {{ .Values.ingress.ingressClassName }}
{{- end }}
{{- if .Values.ingress.tls }}
tls:
{{- range .Values.ingress.tls }}
- hosts:
{{- range .hosts }}
- {{ . | quote }}
{{- end }}
secretName: {{ .secretName }}
{{- end }}
{{- end }}
rules:
{{- range .Values.ingress.hosts }}
- http:
paths:
- path: {{ $ingressPath }}
{{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
pathType: Prefix
backend:
service:
name: {{ $fullName }}
port:
number: {{ $servicePort }}
{{- else }}
backend:
serviceName: {{ $fullName }}
servicePort: {{ $servicePort }}
{{- end }}
{{- if . }}
host: {{ . | quote }}
{{- end }}
{{- end }}
{{- end }}

27
charts/epinio/100.0.5+up1.6.2/charts/minio/templates/networkpolicy.yaml Normal file
View File

@ -0,0 +1,27 @@
{{- if .Values.networkPolicy.enabled }}
kind: NetworkPolicy
apiVersion: {{ template "minio.networkPolicy.apiVersion" . }}
metadata:
name: {{ template "minio.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
labels:
app: {{ template "minio.name" . }}
chart: {{ template "minio.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
spec:
podSelector:
matchLabels:
app: {{ template "minio.name" . }}
release: {{ .Release.Name }}
ingress:
- ports:
- port: {{ .Values.minioAPIPort }}
- port: {{ .Values.minioConsolePort }}
{{- if not .Values.networkPolicy.allowExternal }}
from:
- podSelector:
matchLabels:
{{ template "minio.name" . }}-client: "true"
{{- end }}
{{- end }}

14
charts/epinio/100.0.5+up1.6.2/charts/minio/templates/poddisruptionbudget.yaml Normal file
View File

@ -0,0 +1,14 @@
{{- if .Values.podDisruptionBudget.enabled }}
apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
name: minio
namespace: {{ .Release.Namespace | quote }}
labels:
app: {{ template "minio.name" . }}
spec:
maxUnavailable: {{ .Values.podDisruptionBudget.maxUnavailable }}
selector:
matchLabels:
app: {{ template "minio.name" . }}
{{- end }}

230
charts/epinio/100.0.5+up1.6.2/charts/minio/templates/post-job.yaml Normal file
View File

@ -0,0 +1,230 @@
apiVersion: batch/v1
kind: Job
metadata:
name: {{ template "minio.fullname" . }}-post-job
namespace: {{ .Release.Namespace | quote }}
labels:
app: {{ template "minio.name" . }}-post-job
chart: {{ template "minio.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
annotations:
"helm.sh/hook": post-install,post-upgrade
"helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
{{- with .Values.postJob.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
template:
metadata:
labels:
app: {{ template "minio.name" . }}-job
release: {{ .Release.Name }}
{{- if .Values.podLabels }}
{{- toYaml .Values.podLabels | nindent 8 }}
{{- end }}
{{- if .Values.postJob.podAnnotations }}
annotations:
{{- toYaml .Values.postJob.podAnnotations | nindent 8 }}
{{- end }}
spec:
restartPolicy: OnFailure
{{- include "minio.imagePullSecrets" . | nindent 6 }}
nodeSelector:
{{- include "linux-node-selector" . | nindent 8 }}
{{- with .Values.postJob.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
tolerations:
{{- include "linux-node-tolerations" . | nindent 8 }}
{{- with .Values.postJob.tolerations }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if .Values.postJob.securityContext.enabled }}
securityContext:
runAsUser: {{ .Values.postJob.securityContext.runAsUser }}
runAsGroup: {{ .Values.postJob.securityContext.runAsGroup }}
fsGroup: {{ .Values.postJob.securityContext.fsGroup }}
{{- end }}
volumes:
- name: minio-configuration
projected:
sources:
- configMap:
name: {{ template "minio.fullname" . }}
- secret:
name: {{ template "minio.secretName" . }}
{{- range .Values.users }}
{{- if .existingSecret }}
- secret:
name: {{ tpl .existingSecret $ }}
items:
- key: {{ .existingSecretKey }}
path: secrets/{{ tpl .existingSecretKey $ }}
{{- end }}
{{- end }}
{{- if .Values.tls.enabled }}
- name: cert-secret-volume-mc
secret:
secretName: {{ .Values.tls.certSecret }}
items:
- key: {{ .Values.tls.publicCrt }}
path: CAs/public.crt
{{ end }}
containers:
{{- if .Values.buckets }}
- name: minio-make-bucket
image: "{{ default .Values.mcImage.registry (include "registry-url" .) }}{{ .Values.mcImage.repository }}:{{ .Values.mcImage.tag }}"
{{- if .Values.makeBucketJob.securityContext.enabled }}
securityContext:
runAsUser: {{ .Values.makeBucketJob.securityContext.runAsUser }}
runAsGroup: {{ .Values.makeBucketJob.securityContext.runAsGroup }}
fsGroup: {{ .Values.makeBucketJob.securityContext.fsGroup }}
{{- end }}
imagePullPolicy: {{ .Values.mcImage.pullPolicy }}
{{- if .Values.makeBucketJob.exitCommand }}
command: [ "/bin/sh", "-c" ]
args: [ "/bin/sh /config/initialize; EV=$?; {{ .Values.makeBucketJob.exitCommand }} && exit $EV" ]
{{- else }}
command: [ "/bin/sh", "/config/initialize" ]
{{- end }}
env:
- name: MINIO_ENDPOINT
value: {{ template "minio.fullname" . }}
- name: MINIO_PORT
value: {{ .Values.service.port | quote }}
volumeMounts:
- name: minio-configuration
mountPath: /config
{{- if .Values.tls.enabled }}
- name: cert-secret-volume-mc
mountPath: {{ .Values.configPathmc }}certs
{{ end }}
resources:
{{- toYaml .Values.makeBucketJob.resources | nindent 12 }}
{{- end }}
{{- if .Values.users }}
- name: minio-make-user
image: "{{ default .Values.mcImage.registry (include "registry-url" .) }}{{ .Values.mcImage.repository }}:{{ .Values.mcImage.tag }}"
{{- if .Values.makeUserJob.securityContext.enabled }}
securityContext:
runAsUser: {{ .Values.makeUserJob.securityContext.runAsUser }}
runAsGroup: {{ .Values.makeUserJob.securityContext.runAsGroup }}
fsGroup: {{ .Values.makeUserJob.securityContext.fsGroup }}
{{- end }}
imagePullPolicy: {{ .Values.mcImage.pullPolicy }}
{{- if .Values.makeUserJob.exitCommand }}
command: [ "/bin/sh", "-c" ]
args: [ "/bin/sh /config/add-user; EV=$?; {{ .Values.makeUserJob.exitCommand }} && exit $EV" ]
{{- else }}
command: [ "/bin/sh", "/config/add-user" ]
{{- end }}
env:
- name: MINIO_ENDPOINT
value: {{ template "minio.fullname" . }}
- name: MINIO_PORT
value: {{ .Values.service.port | quote }}
volumeMounts:
- name: minio-configuration
mountPath: /config
{{- if .Values.tls.enabled }}
- name: cert-secret-volume-mc
mountPath: {{ .Values.configPathmc }}certs
{{ end }}
resources:
{{- toYaml .Values.makeUserJob.resources | nindent 12 }}
{{- end }}
{{- if .Values.policies }}
- name: minio-make-policy
image: "{{ default .Values.mcImage.registry (include "registry-url" .) }}{{ .Values.mcImage.repository }}:{{ .Values.mcImage.tag }}"
{{- if .Values.makePolicyJob.securityContext.enabled }}
securityContext:
runAsUser: {{ .Values.makePolicyJob.securityContext.runAsUser }}
runAsGroup: {{ .Values.makePolicyJob.securityContext.runAsGroup }}
fsGroup: {{ .Values.makePolicyJob.securityContext.fsGroup }}
{{- end }}
imagePullPolicy: {{ .Values.mcImage.pullPolicy }}
{{- if .Values.makePolicyJob.exitCommand }}
command: [ "/bin/sh", "-c" ]
args: [ "/bin/sh /config/add-policy; EV=$?; {{ .Values.makePolicyJob.exitCommand }} && exit $EV" ]
{{- else }}
command: [ "/bin/sh", "/config/add-policy" ]
{{- end }}
env:
- name: MINIO_ENDPOINT
value: {{ template "minio.fullname" . }}
- name: MINIO_PORT
value: {{ .Values.service.port | quote }}
volumeMounts:
- name: minio-configuration
mountPath: /config
{{- if .Values.tls.enabled }}
- name: cert-secret-volume-mc
mountPath: {{ .Values.configPathmc }}certs
{{ end }}
resources:
{{- toYaml .Values.makePolicyJob.resources | nindent 12 }}
{{- end }}
{{- if .Values.customCommands }}
- name: minio-custom-command
image: "{{ default .Values.mcImage.registry (include "registry-url" .) }}{{ .Values.mcImage.repository }}:{{ .Values.mcImage.tag }}"
{{- if .Values.customCommandJob.securityContext.enabled }}
securityContext:
runAsUser: {{ .Values.customCommandJob.securityContext.runAsUser }}
runAsGroup: {{ .Values.customCommandJob.securityContext.runAsGroup }}
fsGroup: {{ .Values.customCommandJob.securityContext.fsGroup }}
{{- end }}
imagePullPolicy: {{ .Values.mcImage.pullPolicy }}
{{- if .Values.customCommandJob.exitCommand }}
command: [ "/bin/sh", "-c" ]
args: [ "/bin/sh /config/custom-command; EV=$?; {{ .Values.customCommandJob.exitCommand }} && exit $EV" ]
{{- else }}
command: [ "/bin/sh", "/config/custom-command" ]
{{- end }}
env:
- name: MINIO_ENDPOINT
value: {{ template "minio.fullname" . }}
- name: MINIO_PORT
value: {{ .Values.service.port | quote }}
volumeMounts:
- name: minio-configuration
mountPath: /config
{{- if .Values.tls.enabled }}
- name: cert-secret-volume-mc
mountPath: {{ .Values.configPathmc }}certs
{{ end }}
resources:
{{- toYaml .Values.customCommandJob.resources | nindent 12 }}
{{- end }}
{{- if .Values.svcaccts }}
- name: minio-make-svcacct
image: "{{ default .Values.mcImage.registry (include "registry-url" .) }}{{ .Values.mcImage.repository }}:{{ .Values.mcImage.tag }}"
{{- if .Values.makeServiceAccountJob.securityContext.enabled }}
securityContext:
runAsUser: {{ .Values.makeServiceAccountJob.securityContext.runAsUser }}
runAsGroup: {{ .Values.makeServiceAccountJob.securityContext.runAsGroup }}
fsGroup: {{ .Values.makeServiceAccountJob.securityContext.fsGroup }}
{{- end }}
imagePullPolicy: {{ .Values.mcImage.pullPolicy }}
{{- if .Values.makeServiceAccountJob.exitCommand }}
command: [ "/bin/sh", "-c" ]
args: ["/bin/sh /config/add-svcacct; EV=$?; {{ .Values.makeServiceAccountJob.exitCommand }} && exit $EV" ]
{{- else }}
command: ["/bin/sh", "/config/add-svcacct"]
{{- end }}
env:
- name: MINIO_ENDPOINT
value: {{ template "minio.fullname" . }}
- name: MINIO_PORT
value: {{ .Values.service.port | quote }}
volumeMounts:
- name: minio-configuration
mountPath: /config
{{- if .Values.tls.enabled }}
- name: cert-secret-volume-mc
mountPath: {{ .Values.configPathmc }}certs
{{ end }}
resources:
{{- toYaml .Values.makeServiceAccountJob.resources | nindent 12 }}
{{- end }}

84
charts/epinio/100.0.5+up1.6.2/charts/minio/templates/psp.yaml Normal file
View File

@ -0,0 +1,84 @@
{{- if .Values.serviceAccount.create -}}
{{- if .Values.global.rbac.pspEnabled }}
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: {{ printf "%s-psp" .Values.serviceAccount.name | quote }}
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: "{{ replace "+" "_" .Chart.Version }}"
app.kubernetes.io/part-of: {{ .Values.serviceAccount.name | quote }}
app: {{ .Values.serviceAccount.name | quote }}
{{- if .Values.global.rbac.pspAnnotations }}
annotations: {{ toYaml .Values.global.rbac.pspAnnotations | nindent 4 }}
{{- end }}
spec:
privileged: false
hostNetwork: false
hostIPC: false
hostPID: false
runAsUser:
# Permits the container to run with root privileges as well.
rule: 'RunAsAny'
seLinux:
# This policy assumes the nodes are using AppArmor rather than SELinux.
rule: 'RunAsAny'
supplementalGroups:
rule: 'MustRunAs'
ranges:
# Forbid adding the root group.
- min: 0
max: 65535
fsGroup:
rule: 'MustRunAs'
ranges:
# Forbid adding the root group.
- min: 0
max: 65535
readOnlyRootFilesystem: false
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ printf "%s-psp" .Values.serviceAccount.name | quote }}
labels:
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: "{{ replace "+" "_" .Chart.Version }}"
app.kubernetes.io/part-of: {{ .Values.serviceAccount.name | quote }}
app: {{ .Values.serviceAccount.name | quote }}
rules:
{{- if semverCompare "> 1.15.0-0" .Capabilities.KubeVersion.GitVersion }}
- apiGroups: ['policy']
{{- else }}
- apiGroups: ['extensions']
{{- end }}
resources: ['podsecuritypolicies']
verbs: ['use']
resourceNames:
- {{ printf "%s-psp" .Values.serviceAccount.name | quote }}
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ printf "%s-psp" .Values.serviceAccount.name | quote }}
labels:
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: "{{ replace "+" "_" .Chart.Version }}"
app.kubernetes.io/part-of: {{ .Values.serviceAccount.name | quote }}
app: {{ .Values.serviceAccount.name | quote }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ printf "%s-psp" .Values.serviceAccount.name | quote }}
subjects:
- kind: ServiceAccount
name: {{ .Values.serviceAccount.name | quote }}
namespace: {{ .Release.Namespace }}
{{- end }}
{{- end -}}

35
charts/epinio/100.0.5+up1.6.2/charts/minio/templates/pvc.yaml Normal file
View File

@ -0,0 +1,35 @@
{{- if eq .Values.mode "standalone" }}
{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) }}
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: {{ template "minio.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
labels:
app: {{ template "minio.name" . }}
chart: {{ template "minio.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
{{- if .Values.persistence.annotations }}
annotations:
{{ toYaml .Values.persistence.annotations | trimSuffix "\n" | indent 4 }}
{{- end }}
spec:
accessModes:
- {{ .Values.persistence.accessMode | quote }}
resources:
requests:
storage: {{ .Values.persistence.size | quote }}
{{- if .Values.persistence.storageClass }}
{{- if (eq "-" .Values.persistence.storageClass) }}
storageClassName: ""
{{- else }}
storageClassName: "{{ .Values.persistence.storageClass }}"
{{- end }}
{{- end }}
{{- if .Values.persistence.VolumeName }}
volumeName: "{{ .Values.persistence.VolumeName }}"
{{- end }}
{{- end }}
{{- end }}

22
charts/epinio/100.0.5+up1.6.2/charts/minio/templates/secrets.yaml Normal file
View File

@ -0,0 +1,22 @@
{{- if not .Values.existingSecret }}
apiVersion: v1
kind: Secret
metadata:
name: {{ template "minio.secretName" . }}
namespace: {{ .Release.Namespace | quote }}
labels:
app: {{ template "minio.name" . }}
chart: {{ template "minio.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
type: Opaque
data:
rootUser: {{ include "minio.root.username" . | b64enc | quote }}
rootPassword: {{ include "minio.root.password" . | b64enc | quote }}
{{- if .Values.etcd.clientCert }}
etcd_client.crt: {{ .Values.etcd.clientCert | toString | b64enc | quote }}
{{- end }}
{{- if .Values.etcd.clientCertKey }}
etcd_client.key: {{ .Values.etcd.clientCertKey | toString | b64enc | quote }}
{{- end }}
{{- end }}

45
charts/epinio/100.0.5+up1.6.2/charts/minio/templates/securitycontextconstraints.yaml Normal file
View File

@ -0,0 +1,45 @@
{{- if and .Values.securityContext.enabled .Values.persistence.enabled (.Capabilities.APIVersions.Has "security.openshift.io/v1") }}
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
name: {{ template "minio.fullname" . }}
labels:
app: {{ template "minio.name" . }}
chart: {{ template "minio.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: true
allowPrivilegedContainer: false
allowedCapabilities: []
readOnlyRootFilesystem: false
defaultAddCapabilities: []
requiredDropCapabilities:
- KILL
- MKNOD
- SETUID
- SETGID
fsGroup:
type: MustRunAs
ranges:
- max: {{ .Values.securityContext.fsGroup }}
min: {{ .Values.securityContext.fsGroup }}
runAsUser:
type: MustRunAs
uid: {{ .Values.securityContext.runAsUser }}
seLinuxContext:
type: MustRunAs
supplementalGroups:
type: RunAsAny
volumes:
- configMap
- downwardAPI
- emptyDir
- persistentVolumeClaim
- projected
- secret
{{- end }}

49
charts/epinio/100.0.5+up1.6.2/charts/minio/templates/service.yaml Normal file
View File

@ -0,0 +1,49 @@
{{ $scheme := "http" }}
{{- if .Values.tls.enabled }}
{{ $scheme = "https" }}
{{ end }}
apiVersion: v1
kind: Service
metadata:
name: {{ template "minio.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
labels:
app: {{ template "minio.name" . }}
chart: {{ template "minio.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
monitoring: "true"
{{- if .Values.service.annotations }}
annotations:
{{ toYaml .Values.service.annotations | indent 4 }}
{{- end }}
spec:
{{- if (or (eq .Values.service.type "ClusterIP" "") (empty .Values.service.type)) }}
type: ClusterIP
{{- if not (empty .Values.service.clusterIP) }}
clusterIP: {{ .Values.service.clusterIP }}
{{end}}
{{- else if eq .Values.service.type "LoadBalancer" }}
type: {{ .Values.service.type }}
loadBalancerIP: {{ default "" .Values.service.loadBalancerIP }}
{{- else }}
type: {{ .Values.service.type }}
{{- end }}
ports:
- name: {{ $scheme }}
port: {{ .Values.service.port }}
protocol: TCP
{{- if (and (eq .Values.service.type "NodePort") ( .Values.service.nodePort)) }}
nodePort: {{ .Values.service.nodePort }}
{{- else }}
targetPort: {{ .Values.minioAPIPort }}
{{- end}}
{{- if .Values.service.externalIPs }}
externalIPs:
{{- range $i , $ip := .Values.service.externalIPs }}
- {{ $ip }}
{{- end }}
{{- end }}
selector:
app: {{ template "minio.name" . }}
release: {{ .Release.Name }}

7
charts/epinio/100.0.5+up1.6.2/charts/minio/templates/serviceaccount.yaml Normal file
View File

@ -0,0 +1,7 @@
{{- if .Values.serviceAccount.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ .Values.serviceAccount.name | quote }}
namespace: {{ .Release.Namespace | quote }}
{{- end -}}

117
charts/epinio/100.0.5+up1.6.2/charts/minio/templates/servicemonitor.yaml Normal file
View File

@ -0,0 +1,117 @@
{{- if and .Values.metrics.serviceMonitor.enabled .Values.metrics.serviceMonitor.includeNode}}
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: {{ template "minio.fullname" . }}
{{- if .Values.metrics.serviceMonitor.namespace }}
namespace: {{ .Values.metrics.serviceMonitor.namespace }}
{{ else }}
namespace: {{ .Release.Namespace | quote }}
{{- end }}
labels:
app: {{ template "minio.name" . }}
chart: {{ template "minio.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
{{- if .Values.metrics.serviceMonitor.additionalLabels }}
{{ toYaml .Values.metrics.serviceMonitor.additionalLabels | indent 4 }}
{{- end }}
{{- if .Values.metrics.serviceMonitor.annotations }}
annotations:
{{ toYaml .Values.metrics.serviceMonitor.annotations | trimSuffix "\n" | indent 4 }}
{{- end }}
spec:
endpoints:
{{- if .Values.tls.enabled }}
- port: https
scheme: https
tlsConfig:
ca:
secret:
name: {{ .Values.tls.certSecret }}
key: {{ .Values.tls.publicCrt }}
serverName: {{ template "minio.fullname" . }}
{{ else }}
- port: http
scheme: http
{{- end }}
path: /minio/v2/metrics/node
{{- if .Values.metrics.serviceMonitor.interval }}
interval: {{ .Values.metrics.serviceMonitor.interval }}
{{- end }}
{{- if .Values.metrics.serviceMonitor.scrapeTimeout }}
scrapeTimeout: {{ .Values.metrics.serviceMonitor.scrapeTimeout }}
{{- end }}
{{- if .Values.metrics.serviceMonitor.relabelConfigs }}
{{ toYaml .Values.metrics.serviceMonitor.relabelConfigs | indent 6 }}
{{- end }}
{{- if not .Values.metrics.serviceMonitor.public }}
bearerTokenSecret:
name: {{ template "minio.fullname" . }}-prometheus
key: token
{{- end }}
namespaceSelector:
matchNames:
- {{ .Release.Namespace | quote }}
selector:
matchLabels:
app: {{ include "minio.name" . }}
release: {{ .Release.Name }}
monitoring: "true"
{{- end }}
{{- if .Values.metrics.serviceMonitor.enabled }}
---
apiVersion: monitoring.coreos.com/v1
kind: Probe
metadata:
name: {{ template "minio.fullname" . }}-cluster
{{- if .Values.metrics.serviceMonitor.namespace }}
namespace: {{ .Values.metrics.serviceMonitor.namespace }}
{{ else }}
namespace: {{ .Release.Namespace | quote }}
{{- end }}
labels:
app: {{ template "minio.name" . }}
chart: {{ template "minio.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
{{- if .Values.metrics.serviceMonitor.additionalLabels }}
{{ toYaml .Values.metrics.serviceMonitor.additionalLabels | indent 4 }}
{{- end }}
spec:
jobName: {{ template "minio.fullname" . }}
{{- if .Values.tls.enabled }}
tlsConfig:
ca:
secret:
name: {{ .Values.tls.certSecret }}
key: {{ .Values.tls.publicCrt }}
serverName: {{ template "minio.fullname" . }}
{{- end }}
prober:
url: {{ template "minio.fullname" . }}.{{ .Release.Namespace }}:{{ .Values.service.port }}
path: /minio/v2/metrics/cluster
{{- if .Values.tls.enabled }}
scheme: https
{{ else }}
scheme: http
{{- end }}
{{- if .Values.metrics.serviceMonitor.relabelConfigsCluster }}
{{ toYaml .Values.metrics.serviceMonitor.relabelConfigsCluster | indent 2 }}
{{- end }}
targets:
staticConfig:
static:
- {{ template "minio.fullname" . }}.{{ .Release.Namespace }}
{{- if not .Values.metrics.serviceMonitor.public }}
{{- if .Values.metrics.serviceMonitor.interval }}
interval: {{ .Values.metrics.serviceMonitor.interval }}
{{- end }}
{{- if .Values.metrics.serviceMonitor.scrapeTimeout }}
scrapeTimeout: {{ .Values.metrics.serviceMonitor.scrapeTimeout }}
{{- end }}
bearerTokenSecret:
name: {{ template "minio.fullname" . }}-prometheus
key: token
{{- end }}
{{- end }}

258
charts/epinio/100.0.5+up1.6.2/charts/minio/templates/statefulset.yaml Normal file
View File

@ -0,0 +1,258 @@
{{- if eq .Values.mode "distributed" }}
{{ $poolCount := .Values.pools | int }}
{{ $nodeCount := .Values.replicas | int }}
{{ $replicas := mul $poolCount $nodeCount }}
{{ $drivesPerNode := .Values.drivesPerNode | int }}
{{ $scheme := "http" }}
{{- if .Values.tls.enabled }}
{{ $scheme = "https" }}
{{ end }}
{{ $mountPath := .Values.mountPath }}
{{ $bucketRoot := or ($.Values.bucketRoot) ($.Values.mountPath) }}
{{ $subPath := .Values.persistence.subPath }}
{{ $penabled := .Values.persistence.enabled }}
{{ $accessMode := .Values.persistence.accessMode }}
{{ $storageClass := .Values.persistence.storageClass }}
{{ $psize := .Values.persistence.size }}
apiVersion: v1
kind: Service
metadata:
name: {{ template "minio.fullname" . }}-svc
namespace: {{ .Release.Namespace | quote }}
labels:
app: {{ template "minio.name" . }}
chart: {{ template "minio.chart" . }}
release: "{{ .Release.Name }}"
heritage: "{{ .Release.Service }}"
spec:
publishNotReadyAddresses: true
clusterIP: None
ports:
- name: {{ $scheme }}
port: {{ .Values.service.port }}
protocol: TCP
targetPort: {{ .Values.minioAPIPort }}
selector:
app: {{ template "minio.name" . }}
release: {{ .Release.Name }}
---
apiVersion: {{ template "minio.statefulset.apiVersion" . }}
kind: StatefulSet
metadata:
name: {{ template "minio.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
labels:
app: {{ template "minio.name" . }}
chart: {{ template "minio.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
{{- if .Values.additionalLabels }}
{{ toYaml .Values.additionalLabels | trimSuffix "\n" | indent 4 }}
{{- end }}
{{- if .Values.additionalAnnotations }}
annotations:
{{ toYaml .Values.additionalAnnotations | trimSuffix "\n" | indent 4 }}
{{- end }}
spec:
updateStrategy:
type: {{ .Values.StatefulSetUpdate.updateStrategy }}
podManagementPolicy: "Parallel"
serviceName: {{ template "minio.fullname" . }}-svc
replicas: {{ $replicas }}
selector:
matchLabels:
app: {{ template "minio.name" . }}
release: {{ .Release.Name }}
template:
metadata:
name: {{ template "minio.fullname" . }}
labels:
app: {{ template "minio.name" . }}
release: {{ .Release.Name }}
{{- if .Values.podLabels }}
{{ toYaml .Values.podLabels | indent 8 }}
{{- end }}
annotations:
{{- if not .Values.ignoreChartChecksums }}
checksum/secrets: {{ include (print $.Template.BasePath "/secrets.yaml") . | sha256sum }}
checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
{{- end }}
{{- if .Values.podAnnotations }}
{{ toYaml .Values.podAnnotations | trimSuffix "\n" | indent 8 }}
{{- end }}
spec:
{{- if .Values.priorityClassName }}
priorityClassName: "{{ .Values.priorityClassName }}"
{{- end }}
{{- if .Values.runtimeClassName }}
runtimeClassName: "{{ .Values.runtimeClassName }}"
{{- end }}
{{- if and .Values.securityContext.enabled .Values.persistence.enabled }}
securityContext:
runAsUser: {{ .Values.securityContext.runAsUser }}
runAsGroup: {{ .Values.securityContext.runAsGroup }}
fsGroup: {{ .Values.securityContext.fsGroup }}
{{- if and (ge .Capabilities.KubeVersion.Major "1") (ge .Capabilities.KubeVersion.Minor "20") }}
fsGroupChangePolicy: {{ .Values.securityContext.fsGroupChangePolicy }}
{{- end }}
{{- end }}
{{ if .Values.serviceAccount.create }}
serviceAccountName: {{ .Values.serviceAccount.name }}
{{- end }}
containers:
- name: {{ .Chart.Name }}
image: "{{ default .Values.image.registry (include "registry-url" .) }}{{ .Values.image.repository }}:{{ .Values.image.tag }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
command: [ "/bin/sh",
"-ce",
"/usr/bin/docker-entrypoint.sh minio server {{- range $i := until $poolCount }}{{ $factor := mul $i $nodeCount }}{{ $endIndex := add $factor $nodeCount }}{{ $beginIndex := mul $i $nodeCount }} {{ $scheme }}://{{ template `minio.fullname` $ }}-{{ `{` }}{{ $beginIndex }}...{{ sub $endIndex 1 }}{{ `}`}}.{{ template `minio.fullname` $ }}-svc.{{ $.Release.Namespace }}.svc.{{ $.Values.clusterDomain }}{{if (gt $drivesPerNode 1)}}{{ $bucketRoot }}-{{ `{` }}0...{{ sub $drivesPerNode 1 }}{{ `}` }}{{else}}{{ $bucketRoot }}{{end}}{{- end}} -S {{ .Values.certsPath }} --address :{{ .Values.minioAPIPort }} --console-address :{{ .Values.minioConsolePort }} {{- template `minio.extraArgs` . }}" ]
volumeMounts:
{{- if $penabled }}
{{- if (gt $drivesPerNode 1) }}
{{- range $i := until $drivesPerNode }}
- name: export-{{ $i }}
mountPath: {{ $mountPath }}-{{ $i }}
{{- if and $penabled $subPath }}
subPath: {{ $subPath }}
{{- end }}
{{- end }}
{{- else }}
- name: export
mountPath: {{ $mountPath }}
{{- if and $penabled $subPath }}
subPath: {{ $subPath }}
{{- end }}
{{- end }}
{{- end }}
{{- if .Values.extraSecret }}
- name: extra-secret
mountPath: "/tmp/minio-config-env"
{{- end }}
{{- include "minio.tlsKeysVolumeMount" . | indent 12 }}
{{- if .Values.extraVolumeMounts }}
{{- toYaml .Values.extraVolumeMounts | nindent 12 }}
{{- end }}
ports:
- name: {{ $scheme }}
containerPort: {{ .Values.minioAPIPort }}
- name: {{ $scheme }}-console
containerPort: {{ .Values.minioConsolePort }}
env:
- name: MINIO_ROOT_USER
valueFrom:
secretKeyRef:
name: {{ template "minio.secretName" . }}
key: rootUser
- name: MINIO_ROOT_PASSWORD
valueFrom:
secretKeyRef:
name: {{ template "minio.secretName" . }}
key: rootPassword
{{- if .Values.extraSecret }}
- name: MINIO_CONFIG_ENV_FILE
value: "/tmp/minio-config-env/config.env"
{{- end}}
{{- if .Values.metrics.serviceMonitor.public }}
- name: MINIO_PROMETHEUS_AUTH_TYPE
value: "public"
{{- end}}
{{- if .Values.oidc.enabled }}
- name: MINIO_IDENTITY_OPENID_CONFIG_URL
value: {{ .Values.oidc.configUrl }}
- name: MINIO_IDENTITY_OPENID_CLIENT_ID
value: {{ .Values.oidc.clientId }}
- name: MINIO_IDENTITY_OPENID_CLIENT_SECRET
value: {{ .Values.oidc.clientSecret }}
- name: MINIO_IDENTITY_OPENID_CLAIM_NAME
value: {{ .Values.oidc.claimName }}
- name: MINIO_IDENTITY_OPENID_CLAIM_PREFIX
value: {{ .Values.oidc.claimPrefix }}
- name: MINIO_IDENTITY_OPENID_SCOPES
value: {{ .Values.oidc.scopes }}
- name: MINIO_IDENTITY_OPENID_REDIRECT_URI
value: {{ .Values.oidc.redirectUri }}
- name: MINIO_IDENTITY_OPENID_COMMENT
value: {{ .Values.oidc.comment }}
{{- end}}
{{- range $key, $val := .Values.environment }}
- name: {{ $key }}
value: {{ $val | quote }}
{{- end}}
resources:
{{ toYaml .Values.resources | indent 12 }}
{{- with .Values.extraContainers }}
{{- if eq (typeOf .) "string" }}
{{- tpl . $ | nindent 8 }}
{{- else }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- end }}
nodeSelector:
{{- include "linux-node-selector" . | nindent 8 }}
{{- include "minio.imagePullSecrets" . | indent 6 }}
{{- with .Values.affinity }}
affinity:
{{ toYaml . | indent 8 }}
{{- end }}
tolerations:
{{- include "linux-node-tolerations" . | nindent 8 }}
{{- with .Values.tolerations }}
{{ toYaml . | indent 8 }}
{{- end }}
{{- if and (gt $replicas 1) (ge .Capabilities.KubeVersion.Major "1") (ge .Capabilities.KubeVersion.Minor "19") }}
{{- with .Values.topologySpreadConstraints }}
topologySpreadConstraints:
{{ toYaml . | indent 8 }}
{{- end }}
{{- end }}
volumes:
- name: minio-user
secret:
secretName: {{ template "minio.secretName" . }}
{{- if .Values.extraSecret }}
- name: extra-secret
secret:
secretName: {{ .Values.extraSecret }}
{{- end }}
{{- include "minio.tlsKeysVolume" . | indent 8 }}
{{- if .Values.extraVolumes }}
{{ toYaml .Values.extraVolumes | nindent 8 }}
{{- end }}
{{- if .Values.persistence.enabled }}
volumeClaimTemplates:
{{- if gt $drivesPerNode 1 }}
{{- range $diskId := until $drivesPerNode}}
- metadata:
name: export-{{ $diskId }}
{{- if $.Values.persistence.annotations }}
annotations:
{{ toYaml $.Values.persistence.annotations | trimSuffix "\n" | indent 10 }}
{{- end }}
spec:
accessModes: [ {{ $accessMode | quote }} ]
{{- if $storageClass }}
storageClassName: {{ $storageClass }}
{{- end }}
resources:
requests:
storage: {{ $psize }}
{{- end }}
{{- else }}
- metadata:
name: export
{{- if $.Values.persistence.annotations }}
annotations:
{{ toYaml $.Values.persistence.annotations | trimSuffix "\n" | indent 10 }}
{{- end }}
spec:
accessModes: [ {{ $accessMode | quote }} ]
{{- if $storageClass }}
storageClassName: {{ $storageClass }}
{{- end }}
resources:
requests:
storage: {{ $psize }}
{{- end }}
{{- end }}
{{- end }}

540
charts/epinio/100.0.5+up1.6.2/charts/minio/values.yaml Normal file
View File

@ -0,0 +1,540 @@
## Provide a name in place of minio for `app:` labels
##
nameOverride: ""
## Provide a name to substitute for the full names of resources
##
fullnameOverride: ""
## set kubernetes cluster domain where minio is running
##
clusterDomain: cluster.local
## Set default image, imageTag, and imagePullPolicy. mode is used to indicate the
##
image:
repository: rancher/mirrored-minio-minio
tag: RELEASE.2022-12-12T19-27-27Z
pullPolicy: IfNotPresent
imagePullSecrets: []
# - name: "image-pull-secret"
## Set default image, imageTag, and imagePullPolicy for the `mc` (the minio
## client used to create a default bucket).
##
mcImage:
repository: rancher/mirrored-minio-mc
tag: RELEASE.2022-12-13T00-23-28Z
pullPolicy: IfNotPresent
## minio mode, i.e. standalone or distributed
mode: distributed ## other supported values are "standalone"
## Additional labels to include with deployment or statefulset
additionalLabels: {}
## Additional annotations to include with deployment or statefulset
additionalAnnotations: {}
## Typically the deployment/statefulset includes checksums of secrets/config,
## So that when these change on a subsequent helm install, the deployment/statefulset
## is restarted. This can result in unnecessary restarts under GitOps tooling such as
## flux, so set to "true" to disable this behaviour.
ignoreChartChecksums: false
## Additional arguments to pass to minio binary
extraArgs: []
## Additional volumes to minio container
extraVolumes: []
## Additional volumeMounts to minio container
extraVolumeMounts: []
## Additional sidecar containers
extraContainers: []
## Internal port number for MinIO S3 API container
## Change service.port to change external port number
minioAPIPort: "9000"
## Internal port number for MinIO Browser Console container
## Change consoleService.port to change external port number
minioConsolePort: "9001"
## Update strategy for Deployments
DeploymentUpdate:
type: RollingUpdate
maxUnavailable: 0
maxSurge: 100%
## Update strategy for StatefulSets
StatefulSetUpdate:
updateStrategy: RollingUpdate
## Pod priority settings
## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/
##
priorityClassName: ""
## Pod runtime class name
## ref https://kubernetes.io/docs/concepts/containers/runtime-class/
##
runtimeClassName: ""
## Set default rootUser, rootPassword
## AccessKey and secretKey is generated when not set
## Distributed MinIO ref: https://min.io/docs/minio/linux/operations/install-deploy-manage/deploy-minio-multi-node-multi-drive.html
##
rootUser: ""
rootPassword: ""
## Use existing Secret that store following variables:
##
## | Chart var | .data.<key> in Secret |
## |:----------------------|:-------------------------|
## | rootUser | rootUser |
## | rootPassword | rootPassword |
##
## All mentioned variables will be ignored in values file.
## .data.rootUser and .data.rootPassword are mandatory,
## others depend on enabled status of corresponding sections.
existingSecret: ""
## Directory on the MinIO pof
certsPath: "/etc/minio/certs/"
configPathmc: "/etc/minio/mc/"
## Path where PV would be mounted on the MinIO Pod
mountPath: "/export"
## Override the root directory which the minio server should serve from.
## If left empty, it defaults to the value of {{ .Values.mountPath }}
## If defined, it must be a sub-directory of the path specified in {{ .Values.mountPath }}
##
bucketRoot: ""
# Number of drives attached to a node
drivesPerNode: 1
# Number of MinIO containers running
replicas: 16
# Number of expanded MinIO clusters
pools: 1
## TLS Settings for MinIO
tls:
enabled: false
## Create a secret with private.key and public.crt files and pass that here. Ref: https://github.com/minio/minio/tree/master/docs/tls/kubernetes#2-create-kubernetes-secret
certSecret: ""
publicCrt: public.crt
privateKey: private.key
## Trusted Certificates Settings for MinIO. Ref: https://min.io/docs/minio/linux/operations/network-encryption.html#third-party-certificate-authorities
## Bundle multiple trusted certificates into one secret and pass that here. Ref: https://github.com/minio/minio/tree/master/docs/tls/kubernetes#2-create-kubernetes-secret
## When using self-signed certificates, remember to include MinIO's own certificate in the bundle with key public.crt.
## If certSecret is left empty and tls is enabled, this chart installs the public certificate from .Values.tls.certSecret.
trustedCertsSecret: ""
## Enable persistence using Persistent Volume Claims
## ref: http://kubernetes.io/docs/user-guide/persistent-volumes/
##
persistence:
enabled: true
annotations: {}
## A manually managed Persistent Volume and Claim
## Requires persistence.enabled: true
## If defined, PVC must be created manually before volume will be bound
existingClaim: ""
## minio data Persistent Volume Storage Class
## If defined, storageClassName: <storageClass>
## If set to "-", storageClassName: "", which disables dynamic provisioning
## If undefined (the default) or set to null, no storageClassName spec is
## set, choosing the default provisioner. (gp2 on AWS, standard on
## GKE, AWS & OpenStack)
##
## Storage class of PV to bind. By default it looks for standard storage class.
## If the PV uses a different storage class, specify that here.
storageClass: ""
VolumeName: ""
accessMode: ReadWriteOnce
size: 500Gi
## If subPath is set mount a sub folder of a volume instead of the root of the volume.
## This is especially handy for volume plugins that don't natively support sub mounting (like glusterfs).
##
subPath: ""
## Expose the MinIO service to be accessed from outside the cluster (LoadBalancer service).
## or access it from within the cluster (ClusterIP service). Set the service type and the port to serve it.
## ref: http://kubernetes.io/docs/user-guide/services/
##
service:
type: ClusterIP
clusterIP: ~
port: "9000"
nodePort: 32000
## Configure Ingress based on the documentation here: https://kubernetes.io/docs/concepts/services-networking/ingress/
##
ingress:
enabled: false
# ingressClassName: ""
labels: {}
# node-role.kubernetes.io/ingress: platform
annotations: {}
# kubernetes.io/ingress.class: nginx
# kubernetes.io/tls-acme: "true"
# kubernetes.io/ingress.allow-http: "false"
# kubernetes.io/ingress.global-static-ip-name: ""
# nginx.ingress.kubernetes.io/secure-backends: "true"
# nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
# nginx.ingress.kubernetes.io/whitelist-source-range: 0.0.0.0/0
path: /
hosts:
- minio-example.local
tls: []
# - secretName: chart-example-tls
# hosts:
# - chart-example.local
consoleService:
type: ClusterIP
clusterIP: ~
port: "9001"
nodePort: 32001
consoleIngress:
enabled: false
# ingressClassName: ""
labels: {}
# node-role.kubernetes.io/ingress: platform
annotations: {}
# kubernetes.io/ingress.class: nginx
# kubernetes.io/tls-acme: "true"
# kubernetes.io/ingress.allow-http: "false"
# kubernetes.io/ingress.global-static-ip-name: ""
# nginx.ingress.kubernetes.io/secure-backends: "true"
# nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
# nginx.ingress.kubernetes.io/whitelist-source-range: 0.0.0.0/0
path: /
hosts:
- console.minio-example.local
tls: []
# - secretName: chart-example-tls
# hosts:
# - chart-example.local
## Node labels for pod assignment
## Ref: https://kubernetes.io/docs/user-guide/node-selection/
##
nodeSelector: {}
tolerations: []
affinity: {}
topologySpreadConstraints: []
## Add stateful containers to have security context, if enabled MinIO will run as this
## user and group NOTE: securityContext is only enabled if persistence.enabled=true
securityContext:
enabled: true
runAsUser: 1000
runAsGroup: 1000
fsGroup: 1000
fsGroupChangePolicy: "OnRootMismatch"
# Additational pod annotations
podAnnotations: {}
# Additional pod labels
podLabels: {}
## Configure resource requests and limits
## ref: http://kubernetes.io/docs/user-guide/compute-resources/
##
resources:
requests:
memory: 16Gi
## List of policies to be created after minio install
##
## In addition to default policies [readonly|readwrite|writeonly|consoleAdmin|diagnostics]
## you can define additional policies with custom supported actions and resources
policies: []
## writeexamplepolicy policy grants creation or deletion of buckets with name
## starting with example. In addition, grants objects write permissions on buckets starting with
## example.
# - name: writeexamplepolicy
# statements:
# - resources:
# - 'arn:aws:s3:::example*/*'
# actions:
# - "s3:AbortMultipartUpload"
# - "s3:GetObject"
# - "s3:DeleteObject"
# - "s3:PutObject"
# - "s3:ListMultipartUploadParts"
# - resources:
# - 'arn:aws:s3:::example*'
# actions:
# - "s3:CreateBucket"
# - "s3:DeleteBucket"
# - "s3:GetBucketLocation"
# - "s3:ListBucket"
# - "s3:ListBucketMultipartUploads"
## readonlyexamplepolicy policy grants access to buckets with name starting with example.
## In addition, grants objects read permissions on buckets starting with example.
# - name: readonlyexamplepolicy
# statements:
# - resources:
# - 'arn:aws:s3:::example*/*'
# actions:
# - "s3:GetObject"
# - resources:
# - 'arn:aws:s3:::example*'
# actions:
# - "s3:GetBucketLocation"
# - "s3:ListBucket"
# - "s3:ListBucketMultipartUploads"
## conditionsexample policy creates all access to example bucket with aws:username="johndoe" and source ip range 10.0.0.0/8 and 192.168.0.0/24 only
# - name: conditionsexample
# statements:
# - resources:
# - 'arn:aws:s3:::example/*'
# actions:
# - 's3:*'
# conditions:
# - StringEquals: '"aws:username": "johndoe"'
# - IpAddress: |
# "aws:SourceIp": [
# "10.0.0.0/8",
# "192.168.0.0/24"
# ]
#
## Additional Annotations for the Kubernetes Job makePolicyJob
makePolicyJob:
securityContext:
enabled: false
runAsUser: 1000
runAsGroup: 1000
fsGroup: 1000
resources:
requests:
memory: 128Mi
# Command to run after the main command on exit
exitCommand: ""
## List of users to be created after minio install
##
users:
## Username, password and policy to be assigned to the user
## Default policies are [readonly|readwrite|writeonly|consoleAdmin|diagnostics]
## Add new policies as explained here https://min.io/docs/minio/kubernetes/upstream/administration/identity-access-management.html#access-management
## NOTE: this will fail if LDAP is enabled in your MinIO deployment
## make sure to disable this if you are using LDAP.
- accessKey: console
secretKey: console123
policy: consoleAdmin
# Or you can refer to specific secret
#- accessKey: externalSecret
# existingSecret: my-secret
# existingSecretKey: password
# policy: readonly
## Additional Annotations for the Kubernetes Job makeUserJob
makeUserJob:
securityContext:
enabled: false
runAsUser: 1000
runAsGroup: 1000
fsGroup: 1000
resources:
requests:
memory: 128Mi
# Command to run after the main command on exit
exitCommand: ""
## List of service accounts to be created after minio install
##
# svcaccts:
## accessKey, secretKey and parent user to be assigned to the service accounts
## Add new service accounts as explained here https://min.io/docs/minio/kubernetes/upstream/administration/identity-access-management/minio-user-management.html#service-accounts
# - accessKey: console-svcacct
# secretKey: console123
# user: console
## Or you can refer to specific secret
# - accessKey: externalSecret
# existingSecret: my-secret
# existingSecretKey: password
# user: console
## You also can pass custom policy
# - accessKey: console-svcacct
# secretKey: console123
# user: console
# policy:
# statements:
# - resources:
# - 'arn:aws:s3:::example*/*'
# actions:
# - "s3:AbortMultipartUpload"
# - "s3:GetObject"
# - "s3:DeleteObject"
# - "s3:PutObject"
# - "s3:ListMultipartUploadParts"
makeServiceAccountJob:
securityContext:
enabled: false
runAsUser: 1000
runAsGroup: 1000
fsGroup: 1000
resources:
requests:
memory: 128Mi
# Command to run after the main command on exit
exitCommand: ""
## List of buckets to be created after minio install
##
buckets:
# # Name of the bucket
# - name: bucket1
# # Policy to be set on the
# # bucket [none|download|upload|public]
# policy: none
# # Purge if bucket exists already
# purge: false
# # set versioning for
# # bucket [true|false]
# versioning: false
# # set objectlocking for
# # bucket [true|false] NOTE: versioning is enabled by default if you use locking
# objectlocking: false
# - name: bucket2
# policy: none
# purge: false
# versioning: true
# # set objectlocking for
# # bucket [true|false] NOTE: versioning is enabled by default if you use locking
# objectlocking: false
## Additional Annotations for the Kubernetes Job makeBucketJob
makeBucketJob:
securityContext:
enabled: false
runAsUser: 1000
runAsGroup: 1000
fsGroup: 1000
resources:
requests:
memory: 128Mi
# Command to run after the main command on exit
exitCommand: ""
## List of command to run after minio install
## NOTE: the mc command TARGET is always "myminio"
customCommands:
# - command: "admin policy set myminio consoleAdmin group='cn=ops,cn=groups,dc=example,dc=com'"
## Additional Annotations for the Kubernetes Job customCommandJob
customCommandJob:
securityContext:
enabled: false
runAsUser: 1000
runAsGroup: 1000
fsGroup: 1000
resources:
requests:
memory: 128Mi
# Command to run after the main command on exit
exitCommand: ""
## Merge jobs
postJob:
podAnnotations: {}
annotations: {}
securityContext:
enabled: false
runAsUser: 1000
runAsGroup: 1000
fsGroup: 1000
nodeSelector: {}
tolerations: []
affinity: {}
## Use this field to add environment variables relevant to MinIO server. These fields will be passed on to MinIO container(s)
## when Chart is deployed
environment:
## Please refer for comprehensive list https://min.io/docs/minio/linux/reference/minio-server/minio-server.html
## MINIO_SUBNET_LICENSE: "License key obtained from https://subnet.min.io"
## MINIO_BROWSER: "off"
## The name of a secret in the same kubernetes namespace which contain secret values
## This can be useful for LDAP password, etc
## The key in the secret must be 'config.env'
##
# extraSecret: minio-extraenv
## OpenID Identity Management
## The following section documents environment variables for enabling external identity management using an OpenID Connect (OIDC)-compatible provider.
## See https://min.io/docs/minio/linux/operations/external-iam/configure-openid-external-identity-management.html for a tutorial on using these variables.
oidc:
enabled: false
configUrl: "https://identity-provider-url/.well-known/openid-configuration"
clientId: "minio"
clientSecret: ""
claimName: "policy"
scopes: "openid,profile,email"
redirectUri: "https://console-endpoint-url/oauth_callback"
# Can leave empty
claimPrefix: ""
comment: ""
networkPolicy:
enabled: false
allowExternal: true
## PodDisruptionBudget settings
## ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
##
podDisruptionBudget:
enabled: false
maxUnavailable: 1
## Specify the service account to use for the MinIO pods. If 'create' is set to 'false'
## and 'name' is left unspecified, the account 'default' will be used.
serviceAccount:
create: true
## The name of the service account to use. If 'create' is 'true', a service account with that name
## will be created.
name: "minio-sa"
metrics:
serviceMonitor:
enabled: false
# scrape each node/pod individually for additional metrics
includeNode: false
public: true
additionalLabels: {}
# for node metrics
relabelConfigs: {}
# for cluster metrics
relabelConfigsCluster: {}
# metricRelabelings:
# - regex: (server|pod)
# action: labeldrop
# namespace: monitoring
# interval: 30s
# scrapeTimeout: 10s
## ETCD settings: https://github.com/minio/minio/blob/master/docs/sts/etcd.md
## Define endpoints to enable this section.
etcd:
endpoints: []
pathPrefix: ""
corednsPathPrefix: ""
clientCert: ""
clientCertKey: ""

165
charts/epinio/100.0.5+up1.6.2/questions.yml Normal file
View File

@ -0,0 +1,165 @@
questions:
- variable: email
label: Email
description: "Email to use for getting notifications about your certificates"
type: string
required: false
group: "General settings"
- variable: certManagerNamespace
label: Cert-manager namespace
description: "Namespace where cert-manager is installed in"
type: string
required: false
group: "Advanced settings"
- variable: ingress.ingressClassName
label: Ingress class name for the server
description: "Set a class name to select the ingress controller you want to use for the server"
type: string
group: "Advanced settings"
- variable: server.ingressClassName
label: Ingress class name for apps
description: "Set a class name to select the ingress controller you want to use for your apps"
type: string
group: "Advanced settings"
- variable: server.disableTracking
label: Disable tracking
description: "Disable tracking of the running Epinio and Kubernetes versions"
type: boolean
group: "Advanced settings"
- variable: serviceCatalog.enableDevServices
label: Enable catalog services for development
default: "true"
description: "Enables services in the Epinio service catalog, meant to be used in development (because they are running in-cluster)"
type: boolean
group: "Advanced settings"
- variable: useCustomTlsIssuer
label: Use your own TLS issuer
default: "false"
description: "Use your own TLS issuer"
type: boolean
group: "General settings"
show_subquestion_if: true
subquestions:
- variable: customTlsIssuer
label: TLS issuer
description: "Name of the cluster issuer to use"
type: string
required: false
- variable: global.tlsIssuer
show_if: "useCustomTlsIssuer=false"
label: TLS issuer
description: "Name of the predefined cluster issuer to use"
type: enum
required: false
group: "General settings"
options:
- "epinio-ca"
- "selfsigned-issuer"
- "letsencrypt-production"
- variable: api.username
label: API username
description: "The user name for authenticating all API requests"
type: string
required: false
group: "General settings"
- variable: api.passwordBcrypt
label: API password
description: "The password for authenticating all API requests (hashed with Bcrypt)"
type: password
required: false
group: "General settings"
- variable: global.domain
label: Domain
description: "Domain for the application"
type: string
required: true
group: "General settings"
- variable: server.accessControlAllowOrigin
label: Access control allow origin
description: "Domain which serves the Rancher UI (to access the API)"
type: string
required: false
group: "General settings"
- variable: kubed.enabled
label: Install kubed
description: "Deploy kubed or skip it if you get it installed already"
type: boolean
group: "Advanced settings"
- variable: containerregistry.enabled
description: "Disable local container registry to configure an external registry."
label: Install local container registry
type: boolean
show_subquestion_if: false
group: "External registry"
subquestions:
- variable: global.registryURL
label: External registry url
description: "URL of your external registry"
type: string
required: false
- variable: global.registryUsername
label: External registry username
description: "Username to authenticate to the external registry"
type: string
required: false
- variable: global.registryPassword
label: External registry password
description: "Password to authenticate to the external registry"
type: password
required: false
- variable: global.registryNamespace
label: External registry namespace
description: "The organization part of the registry path for an external registry where you have push access"
type: string
required: false
- variable: minio.enabled
label: Install Minio
description: "Disable Minio to configure an external s3 storage."
type: boolean
show_subquestion_if: false
group: "External S3 storage"
subquestions:
- variable: s3.endpoint
label: S3 endpoint
description: "Endpoint of your S3 storage"
type: string
required: false
- variable: s3.accessKeyID
label: S3 access key id
description: "Access key id to authenticate to your S3 storage"
type: string
required: false
- variable: s3.secretAccessKey
label: S3 access key secret
description: "Secret access key to authenticate to your S3 storage"
type: password
required: false
- variable: s3.bucket
label: S3 bucket
description: "Bucket of your S3 storage"
type: string
required: false
- variable: s3.region
label: S3 region
description: "Region of your S3 storage"
type: string
required: false
- variable: s3.useSSL
label: S3 use SSL
type: boolean
required: false
- variable: s3.certificateSecret
label: Self signed certificate for S3
description: Set it to an existing secret if s3 is using a self signed certificate
type: string
required: false
- variable: server.traceLevel
label: Epinio API Log Level
required: false
type: string
group: "Debugging"
- variable: server.timeoutMultiplier
label: Timeout Multiplier
required: false
type: string
group: "Debugging"

12
charts/epinio/100.0.5+up1.6.2/templates/NOTES.txt Normal file
View File

@ -0,0 +1,12 @@
To interact with your Epinio installation download the latest epinio binary from https://github.com/epinio/epinio/releases/latest.
Login to the cluster with any of
{{ range .Values.api.users }}
`epinio login -u {{ .username }} https://epinio.{{ $.Values.global.domain }}`
{{- end }}
or go to the dashboard at: https://epinio.{{ .Values.global.domain }}
If you didn't specify a password the default one is `password`.
For more information about Epinio, feel free to checkout https://epinio.io/ and https://docs.epinio.io/.

179
charts/epinio/100.0.5+up1.6.2/templates/_helpers.tpl Normal file
View File

@ -0,0 +1,179 @@
{{/*
URL prefix for container images to be compatible with Rancher
*/}}
{{- define "registry-url" -}}
{{- if .Values.global.cattle.systemDefaultRegistry -}}
{{ trimSuffix "/" .Values.global.cattle.systemDefaultRegistry }}/
{{- end -}}
{{- end -}}
{{/*
URL of the registry epinio uses to store workload images
*/}}
{{- define "epinio.registry-url" -}}
{{- if .Values.containerregistry.enabled -}}
{{- printf "registry.%s.svc.cluster.local:5000" .Release.Namespace }}
{{- else -}}
{{- .Values.global.registryURL }}
{{- end -}}
{{- end -}}
{{/*
URL of the minio epinio installed
*/}}
{{- define "epinio.minio-url" -}}
{{- if .Values.minio.enabled -}}
{{- printf "%s.%s.svc.cluster.local:9000" .Values.minio.fullnameOverride .Release.Namespace }}
{{- else -}}
{{- .Values.s3.endpoint }}
{{- end -}}
{{- end -}}
{{/*
Host name of the minio epinio installed
*/}}
{{- define "epinio.minio-hostname" -}}
{{- printf "%s.%s.svc.cluster.local" .Values.minio.fullnameOverride .Release.Namespace }}
{{- end -}}
{{/*
PVC cleanup hooks for bitnami helm chart based catalog services
# https://github.com/epinio/epinio/issues/1386
# https://docs.bitnami.com/kubernetes/apps/aspnet-core/administration/deploy-extra-resources/
*/}}
{{- define "epinio.catalog-service-values" -}}
{{ printf `
extraDeploy:
- |
# Create a service account, role and binding to allow to list, get and
# delete PVCs. It should be used by the job below.
# To ensure the resources are deleted, use this annotation:
#
# annotations:
# "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
# https://helm.sh/docs/topics/charts_hooks/#hook-resources-are-not-managed-with-corresponding-releases
# https://helm.sh/docs/topics/charts_hooks/#hook-deletion-policies
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: "pvc-deleter-{{ .Release.Name }}"
namespace: {{ .Release.Namespace }}
annotations:
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
"helm.sh/hook": post-delete
"helm.sh/hook-weight": "-6"
---
apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }}
kind: Role
metadata:
name: "pvc-deleter-{{ .Release.Name }}"
namespace: {{ .Release.Namespace }}
annotations:
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
"helm.sh/hook": post-delete
"helm.sh/hook-weight": "-6"
rules:
- apiGroups:
- ""
resources:
- persistentvolumeclaims
verbs:
- get
- delete
- list
---
kind: RoleBinding
apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }}
metadata:
name: "pvc-deleter-{{ .Release.Name }}"
namespace: {{ .Release.Namespace }}
annotations:
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
"helm.sh/hook": post-delete
"helm.sh/hook-weight": "-5"
subjects:
- kind: ServiceAccount
name: "pvc-deleter-{{ .Release.Name }}"
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: "pvc-deleter-{{ .Release.Name }}"
---
apiVersion: batch/v1
kind: Job
metadata:
name: "pvc-deleter-{{ .Release.Name }}"
labels:
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
app.kubernetes.io/instance: {{ .Release.Name | quote }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
annotations:
# This is what defines this resource as a hook. Without this line, the
# job is considered part of the release.
"helm.sh/hook": post-delete
"helm.sh/hook-weight": "-4"
"helm.sh/hook-delete-policy": hook-succeeded
spec:
template:
metadata:
name: "pvc-deleter-{{ .Release.Name }}"
labels:
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
app.kubernetes.io/instance: {{ .Release.Name | quote }}
helm.sh/chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
spec:
restartPolicy: Never
serviceAccountName: "pvc-deleter-{{ .Release.Name }}"
containers:
- name: post-install-job
image: "%s"
command: ["kubectl", "delete", "pvc", "-n", "{{ .Release.Namespace }}", "-l", "app.kubernetes.io/instance={{ .Release.Name }}"]
` (print (include "registry-url" .) .Values.image.kubectl.repository ":" .Values.image.kubectl.tag) | indent 4}}
{{- end -}}
{{/*
Removes characters that are invalid for kubernetes resource names from the
given string
*/}}
{{- define "epinio-name-sanitize" -}}
{{ regexReplaceAll "[^-a-z0-9]*" . "" }}
{{- end }}
{{/*
Resource name sanitization and truncation.
- Always suffix the sha1sum (40 characters long)
- Always add an "r" prefix to make sure we don't have leading digits
- The rest of the characters up to 63 are the original string with invalid
character removed.
*/}}
{{- define "epinio-truncate" -}}
{{ print "r" (trunc 21 (include "epinio-name-sanitize" .)) "-" (sha1sum .) }}
{{- end }}
{{/*
Windows cluster will add default taint for linux nodes, add below linux tolerations to
workloads could be scheduled to those linux nodes
*/}}
{{- define "linux-node-tolerations" -}}
- key: "cattle.io/os"
value: "linux"
effect: "NoSchedule"
operator: "Equal"
{{- end -}}
{{- define "linux-node-selector" -}}
{{- if semverCompare "<1.14-0" .Capabilities.KubeVersion.GitVersion -}}
beta.kubernetes.io/os: linux
{{- else -}}
kubernetes.io/os: linux
{{- end -}}
{{- end -}}

13
charts/epinio/100.0.5+up1.6.2/templates/assets.yaml Normal file
View File

@ -0,0 +1,13 @@
apiVersion: v1
kind: Secret
metadata:
namespace: {{ .Release.Namespace }}
name: epinio-assets
labels:
app.kubernetes.io/component: epinio
app.kubernetes.io/name: epinio-assets
app.kubernetes.io/part-of: epinio
app.kubernetes.io/version: {{ .Chart.AppVersion }}
type: Opaque
data:
{{ (.Files.Glob "assets/*").AsSecrets | indent 2 }}

50
charts/epinio/100.0.5+up1.6.2/templates/certificate.yaml Normal file
View File

@ -0,0 +1,50 @@
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: epinio
namespace: {{ .Release.Namespace }}
spec:
dnsNames:
- epinio.{{ .Values.global.domain }}
issuerRef:
kind: ClusterIssuer
name: {{ default .Values.global.tlsIssuer .Values.global.customTlsIssuer | quote }}
secretName: epinio-tls
{{- if .Values.minio.enabled }}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: minio-cert
namespace: {{ .Release.Namespace }}
spec:
dnsNames:
- {{ include "epinio.minio-hostname" . }}
issuerRef:
kind: ClusterIssuer
# We always trust the CA for minio so we can always use selfsigned certs
# Because Letsencrypt doesn't create certs for non public domains
name: epinio-ca
secretName: minio-tls
secretTemplate:
annotations:
kubed.appscode.com/sync: "kubed-s3-tls-from={{ .Release.Namespace }}"
{{- end }}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: epinio-ca
namespace: {{ .Values.certManagerNamespace }}
spec:
commonName: epinio-ca
isCA: true
issuerRef:
kind: ClusterIssuer
name: selfsigned-issuer
privateKey:
algorithm: ECDSA
size: 256
secretName: epinio-ca-root

44
charts/epinio/100.0.5+up1.6.2/templates/cluster-issuers.yaml Normal file
View File

@ -0,0 +1,44 @@
---
# Self-signed issuer
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: selfsigned-issuer
spec:
selfSigned: {}
---
# Let's encrypt production issuer
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt-production
spec:
acme:
email: {{ .Values.email }}
preferredChain: ""
privateKeySecretRef:
name: letsencrypt-production
server: https://acme-v02.api.letsencrypt.org/directory
solvers:
- http01:
ingress:
{{- if .Values.ingress.ingressClassName }}
class: "{{ .Values.ingress.ingressClassName }}"
{{- end }}
ingressTemplate:
metadata:
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: "true"
---
# Private CA (epinio-ca) issuer
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: epinio-ca
spec:
ca:
secretName: epinio-ca-root

191
charts/epinio/100.0.5+up1.6.2/templates/container-registry.yaml Normal file
View File

@ -0,0 +1,191 @@
{{- if .Values.containerregistry.enabled }}
---
apiVersion: v1
kind: Secret
metadata:
name: auth
namespace: {{ .Release.Namespace }}
stringData:
# The only supported password format is bcrypt
htpasswd: {{ htpasswd .Values.global.registryUsername .Values.global.registryPassword | quote }}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: epinio-registry
namespace: {{ .Release.Namespace }}
spec:
dnsNames:
- registry.{{ .Release.Namespace }}.svc.cluster.local
ipAddresses:
- 127.0.0.1
issuerRef:
kind: ClusterIssuer
name: epinio-ca
secretName: epinio-registry-tls
---
apiVersion: v1
kind: Service
metadata:
name: registry
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: "epinio-registry"
app.kubernetes.io/instance: "epinio-registry"
spec:
type: ClusterIP
selector:
app.kubernetes.io/name: "epinio-registry"
app.kubernetes.io/instance: "epinio-registry"
ports:
- name: registry
port: 5000
targetPort: 5000
{{ if .Values.containerregistry.enabled }}
---
apiVersion: v1
kind: Service
metadata:
name: registry-node
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: "epinio-registry"
app.kubernetes.io/instance: "epinio-registry"
spec:
type: NodePort
selector:
app.kubernetes.io/name: "epinio-registry"
app.kubernetes.io/instance: "epinio-registry"
ports:
- name: registry-sidecar
port: 30500
targetPort: 30500
nodePort: 30500
---
apiVersion: v1
kind: ConfigMap
metadata:
name: nginx-conf
namespace: {{ .Release.Namespace }}
data:
nginx.conf: |
server {
listen 30500 default_server;
server_name 127.0.0.1;
location / {
proxy_pass https://localhost:5000/;
}
}
{{- end }}
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: registry
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: "epinio-registry"
app.kubernetes.io/instance: "epinio-registry"
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/name: "epinio-registry"
app.kubernetes.io/instance: "epinio-registry"
template:
metadata:
labels:
app.kubernetes.io/name: "epinio-registry"
app.kubernetes.io/instance: "epinio-registry"
spec:
containers:
{{ if .Values.containerregistry.enabled }}
- name: nginx
image: "{{ template "registry-url" . }}{{ .Values.containerregistry.image.nginx.repository}}:{{ .Values.containerregistry.image.nginx.tag }}"
imagePullPolicy: IfNotPresent
securityContext:
runAsUser: 1000
runAsNonRoot: true
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
livenessProbe:
tcpSocket:
port: 5000
initialDelaySeconds: 15
periodSeconds: 20
readinessProbe:
tcpSocket:
port: 5000
volumeMounts:
- mountPath: /etc/nginx/conf.d
name: nginx-conf
- mountPath: /var/cache/nginx/
name: nginx-run
- mountPath: /var/run/
name: nginx-run
{{- end }}
- name: registry
image: "{{ template "registry-url" . }}{{ .Values.containerregistry.image.registry.repository}}:{{ .Values.containerregistry.image.registry.tag }}"
imagePullPolicy: {{ .Values.containerregistry.imagePullPolicy }}
env:
- name: REGISTRY_AUTH
value: htpasswd
- name: REGISTRY_AUTH_HTPASSWD_REALM
value: Registry Realm
- name: REGISTRY_AUTH_HTPASSWD_PATH
value: /etc/registry/auth/htpasswd
- name: REGISTRY_HTTP_TLS_CERTIFICATE
value: "/certs/tls.crt"
- name: REGISTRY_HTTP_TLS_KEY
value: "/certs/tls.key"
volumeMounts:
- name: registry
mountPath: /var/lib/registry
readOnly: false
- name: auth
mountPath: /etc/registry/auth
readOnly: true
- name: certs
mountPath: /certs
readOnly: true
securityContext:
runAsUser: 1000
runAsNonRoot: true
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
livenessProbe:
httpGet:
port: 5000
scheme: HTTPS
initialDelaySeconds: 15
periodSeconds: 20
readinessProbe:
httpGet:
port: 5000
scheme: HTTPS
initialDelaySeconds: 5
periodSeconds: 5
volumes:
- name: registry
emptyDir: {}
- name: auth
secret:
secretName: auth
- name: certs
secret:
secretName: epinio-registry-tls
{{ if .Values.containerregistry.enabled }}
- name: nginx-conf
configMap:
name: nginx-conf
- name: nginx-cache
emptyDir: {}
- name: nginx-run
emptyDir: {}
{{- end }}
{{- end }}

15
charts/epinio/100.0.5+up1.6.2/templates/default-app-chart.yaml Normal file
View File

@ -0,0 +1,15 @@
apiVersion: application.epinio.io/v1
kind: AppChart
metadata:
namespace: {{ .Release.Namespace }}
name: standard
labels:
app.kubernetes.io/component: epinio
app.kubernetes.io/instance: default
app.kubernetes.io/name: epinio-standard-app-chart
app.kubernetes.io/part-of: epinio
app.kubernetes.io/version: {{ default .Chart.AppVersion .Values.image.epinio.tag }}
spec:
shortDescription: Epinio standard deployment
description: Epinio standard support chart for application deployment
helmChart: /assets/epinio-application-0.1.24.tgz

17
charts/epinio/100.0.5+up1.6.2/templates/default-user.yaml Normal file
View File

@ -0,0 +1,17 @@
{{- range .Values.api.users }}
---
apiVersion: v1
kind: Secret
type: BasicAuth
metadata:
labels:
epinio.io/api-user-credentials: "true"
epinio.io/role: {{ .role }}
name: {{ include "epinio-truncate" (print "user-" .username) }}
namespace: {{ $.Release.Namespace }}
stringData:
username: {{ .username | quote }}
password: {{ .passwordBcrypt | quote }}
namespaces: |
{{ join "\n" .workspaces -}}
{{- end }}

90
charts/epinio/100.0.5+up1.6.2/templates/dex.yaml Normal file
View File

@ -0,0 +1,90 @@
{{- if .Values.dex.enabled -}}
---
apiVersion: v1
kind: Secret
type: Opaque
metadata:
annotations:
name: dex-config
namespace: {{ .Release.Namespace }}
stringData:
issuer: "https://auth.{{ .Values.global.domain }}"
endpoint: {{ printf "http://%s.%s.svc.cluster.local:5556" .Values.dex.fullnameOverride .Release.Namespace }}
config.yaml: |-
issuer: "https://auth.{{ .Values.global.domain }}"
storage:
type: kubernetes
config:
inCluster: true
enablePasswordDB: true
staticPasswords:
- email: "admin@epinio.io"
# bcrypt hash of the string "password": $(echo password | htpasswd -BinC 10 admin | cut -d: -f2)
hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
username: "admin"
userID: "08a8684b-db88-4b73-90a9-3cd1661f5466"
- email: "epinio@epinio.io"
hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
userID: "08a8684b-db88-4b73-90a9-3cd1661f5467"
staticClients:
- id: epinio-api
name: 'Epinio API'
public: true
# The 'Epinio API' lets the 'Epinio cli' issue ID tokens on its behalf.
# https://dexidp.io/docs/custom-scopes-claims-clients/#cross-client-trust-and-authorized-party
trustedPeers:
- epinio-cli
- id: epinio-cli
name: 'Epinio cli'
public: true
---
apiVersion: v1
kind: Secret
type: Opaque
metadata:
labels:
epinio.io/api-user-credentials: "true"
epinio.io/role: "admin"
name: {{ include "epinio-truncate" (print "user-" "admin@epinio.io") }}
namespace: {{ .Release.Namespace }}
stringData:
username: "admin@epinio.io"
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: dex
namespace: {{ .Release.Namespace }}
annotations:
cert-manager.io/cluster-issuer: {{ default .Values.global.tlsIssuer .Values.global.customTlsIssuer | quote }}
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: "true"
{{- range $key, $value := .Values.ingress.annotations }}
{{ $key | quote }}: {{ $value | quote }}
{{- end }}
spec:
{{- if .Values.ingress.ingressClassName }}
ingressClassName: "{{ .Values.ingress.ingressClassName }}"
{{- end }}
rules:
- host: "auth.{{ .Values.global.domain }}"
http:
paths:
- backend:
service:
name: dex
port:
number: 5556
path: /
pathType: Prefix
tls:
- hosts:
- "auth.{{ .Values.global.domain }}"
secretName: dex-tls
{{- end }}

57
charts/epinio/100.0.5+up1.6.2/templates/ingress.yaml Normal file
View File

@ -0,0 +1,57 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: "true"
nginx.ingress.kubernetes.io/ssl-redirect: {{ .Values.ingress.nginxSSLRedirect | quote }}
nginx.ingress.kubernetes.io/proxy-body-size: 100m
{{- range $key, $value := .Values.ingress.annotations }}
{{ $key | quote }}: {{ $value | quote }}
{{- end }}
labels:
app.kubernetes.io/name: epinio
name: epinio
namespace: {{ .Release.Namespace }}
spec:
{{- if .Values.ingress.ingressClassName }}
ingressClassName: "{{ .Values.ingress.ingressClassName }}"
{{- end }}
rules:
- host: "epinio.{{ .Values.global.domain }}"
http:
paths:
- backend:
service:
name: epinio-server
port:
number: 80
path: /api
pathType: Prefix
- backend:
service:
name: epinio-server
port:
number: 80
path: /wapi
pathType: Prefix
- backend:
service:
name: epinio-server
port:
number: 80
path: /ready
pathType: Exact
{{- if ".Values.epinio-ui.enabled" }}
- backend:
service:
name: epinio-ui
port:
number: 80
path: /
pathType: Prefix
{{- end }}
tls:
- hosts:
- "epinio.{{ .Values.global.domain }}"
secretName: epinio-tls

81
charts/epinio/100.0.5+up1.6.2/templates/psp.yaml Normal file
View File

@ -0,0 +1,81 @@
{{- if .Values.global.rbac.pspEnabled }}
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: epinio-server-psp
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: "{{ replace "+" "_" .Chart.Version }}"
app.kubernetes.io/part-of: epinio-server
app: epinio-server
{{- if .Values.global.rbac.pspAnnotations }}
annotations: {{ toYaml .Values.global.rbac.pspAnnotations | nindent 4 }}
{{- end }}
spec:
privileged: false
hostNetwork: false
hostIPC: false
hostPID: false
runAsUser:
# Permits the container to run with root privileges as well.
rule: 'RunAsAny'
seLinux:
# This policy assumes the nodes are using AppArmor rather than SELinux.
rule: 'RunAsAny'
supplementalGroups:
rule: 'MustRunAs'
ranges:
# Forbid adding the root group.
- min: 0
max: 65535
fsGroup:
rule: 'MustRunAs'
ranges:
# Forbid adding the root group.
- min: 0
max: 65535
readOnlyRootFilesystem: false
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: epinio-server-psp
labels:
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: "{{ replace "+" "_" .Chart.Version }}"
app.kubernetes.io/part-of: epinio-server
app: epinio-server
rules:
{{- if semverCompare "> 1.15.0-0" .Capabilities.KubeVersion.GitVersion }}
- apiGroups: ['policy']
{{- else }}
- apiGroups: ['extensions']
{{- end }}
resources: ['podsecuritypolicies']
verbs: ['use']
resourceNames:
- epinio-server-psp
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: epinio-server-psp
labels:
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: "{{ replace "+" "_" .Chart.Version }}"
app.kubernetes.io/part-of: epinio-server
app: epinio-server
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: epinio-server-psp
subjects:
- kind: ServiceAccount
name: epinio-server
namespace: {{ .Release.Namespace }}
{{- end }}

27
charts/epinio/100.0.5+up1.6.2/templates/registry-secret.yaml Normal file
View File

@ -0,0 +1,27 @@
---
apiVersion: v1
kind: Secret
type: kubernetes.io/dockerconfigjson
metadata:
annotations:
epinio.io/registry-namespace: {{ .Values.global.registryNamespace }}
kubed.appscode.com/sync: kubed-sync=registry-creds
name: registry-creds
namespace: {{ .Release.Namespace }}
stringData:
.dockerconfigjson: |-
{
"auths": {
"{{ template "epinio.registry-url" . }}": {
"auth":"{{ printf "%s:%s" .Values.global.registryUsername .Values.global.registryPassword | b64enc }}",
"username":"{{ .Values.global.registryUsername }}",
"password":"{{ .Values.global.registryPassword }}"
} {{- if .Values.containerregistry.enabled }} ,
"127.0.0.1:30500": {
"auth":"{{ printf "%s:%s" .Values.global.registryUsername .Values.global.registryPassword | b64enc }}",
"username":"{{ .Values.global.registryUsername }}",
"password":"{{ .Values.global.registryPassword }}"
}
{{- end -}}
}
}

49
charts/epinio/100.0.5+up1.6.2/templates/s3-secret.yaml Normal file
View File

@ -0,0 +1,49 @@
# Generated credentials for minio. Used only if minio is enabled.
{{- $oldkeys := (lookup "v1" "Secret" .Release.Namespace "minio-creds").data -}}
{{- $accessKey := empty $oldkeys | ternary (randAlphaNum 16) (b64dec (default "" $oldkeys.accesskey)) -}}
{{- $secretKey := empty $oldkeys | ternary (randAlphaNum 16) (b64dec (default "" $oldkeys.secretkey)) -}}
# Minio values if minio is enabled, otherwise the user provided values
{{- $s3Endpoint := include "epinio.minio-url" . -}}
{{- $s3AccessKey := .Values.minio.enabled | ternary $accessKey .Values.s3.accessKeyID -}}
{{- $s3SecretKey := .Values.minio.enabled | ternary $secretKey .Values.s3.secretAccessKey -}}
{{- $s3Bucket := .Values.minio.enabled | ternary "epinio" .Values.s3.bucket -}}
{{- $s3UseSSL := .Values.minio.enabled | ternary true .Values.s3.useSSL -}}
{{- $s3Region := .Values.minio.enabled | ternary "" .Values.s3.region -}}
---
# The S3 connection details as required by the staging Job (in "ini" format)
apiVersion: v1
kind: Secret
type: Opaque
metadata:
name: epinio-s3-connection-details
namespace: {{ .Release.Namespace }}
stringData:
bucket: {{ $s3Bucket }}
config: |-
[default]
region={{ $s3Region }}
credentials: |-
[default]
aws_access_key_id={{ $s3AccessKey }}
aws_secret_access_key={{ $s3SecretKey }}
endpoint: {{ $s3Endpoint | quote }}
useSSL: {{ $s3UseSSL | quote }}
# The S3 connection details as required by minio deployment
# https://github.com/minio/minio/blob/8ae46bce937567e682d14f7fe845b8ff67e549d2/helm/minio/values.yaml#L81
# Secrets get created first so Minio should find it there when it needs it.
# https://github.com/helm/helm/blob/release-3.0/pkg/releaseutil/kind_sorter.go
---
apiVersion: v1
kind: Secret
type: Opaque
metadata:
name: minio-creds
namespace: {{ .Release.Namespace }}
stringData:
rootUser: {{ $s3AccessKey | quote }}
rootPassword: {{ $s3SecretKey | quote }}
accesskey: {{ $s3AccessKey | quote }}
secretkey: {{ $s3SecretKey | quote }}

387
charts/epinio/100.0.5+up1.6.2/templates/server.yaml Normal file
View File

@ -0,0 +1,387 @@
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: epinio-server
namespace: {{ .Release.Namespace }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: epinio-server-cluster-admin
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- kind: ServiceAccount
name: epinio-server
namespace: {{ .Release.Namespace }}
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: epinio-server
rules:
- apiGroups:
- ""
resources:
- persistentvolumeclaims
verbs:
- get
- create
- delete
- list
- apiGroups:
- ""
resources:
- nodes
verbs:
- list
- apiGroups:
- ""
resources:
- services
verbs:
- create
- get
- update
- delete
- apiGroups:
- ""
resources:
- pods/exec
verbs:
- create
- get
- post
- apiGroups:
- ""
resources:
- pods/portforward
verbs:
- get
- apiGroups:
- ""
resources:
- pods/log
verbs:
- get
- list
- apiGroups:
- ""
resources:
- pods
verbs:
- get
- list
- watch
- apiGroups:
- networking.k8s.io
resources:
- ingresses
verbs:
- create
- update
- delete
- get
- list
- apiGroups:
- ""
resources:
- secrets
verbs:
- create
- delete
- get
- list
- patch
- update
- apiGroups:
- apps
resources:
- deployments
verbs:
- create
- delete
- get
- list
- update
- patch
- apiGroups:
- servicecatalog.k8s.io
resources:
- servicebindings
verbs:
- create
- get
- delete
- list
- apiGroups:
- servicecatalog.k8s.io
resources:
- serviceinstances
verbs:
- create
- delete
- get
- list
- apiGroups:
- ""
resources:
- namespaces
verbs:
- get
- list
- create
- delete
- apiGroups:
- ""
resources:
- serviceaccounts
verbs:
- create
- delete
- apiGroups:
- "cert-manager.io"
resources:
- certificates
verbs:
- create
- apiGroups:
- application.epinio.io
resources:
- apps
verbs:
- get
- list
- create
- delete
- patch
- update
- apiGroups:
- "metrics.k8s.io"
resources:
- pods
verbs:
- list
- apiGroups:
- apps
resources:
- replicasets
verbs:
- list
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: epinio-server-cluster-role
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: epinio-server
subjects:
- kind: ServiceAccount
name: epinio-server
namespace: {{ .Release.Namespace }}
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: epinio-server
namespace: {{ .Release.Namespace }}
rules:
- apiGroups:
- batch
resources:
- jobs
verbs:
- get
- create
- delete
- list
- apiGroups:
- ""
resources:
- configmaps
verbs:
- get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: epinio-server-role
namespace: {{ .Release.Namespace }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: epinio-server
subjects:
- kind: ServiceAccount
name: epinio-server
namespace: {{ .Release.Namespace }}
---
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app.kubernetes.io/component: epinio
app.kubernetes.io/instance: default
app.kubernetes.io/name: epinio-server
app.kubernetes.io/part-of: epinio
app.kubernetes.io/version: {{ default .Chart.AppVersion .Values.image.epinio.tag }}
name: epinio-server
namespace: {{ .Release.Namespace }}
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/component: epinio-server
app.kubernetes.io/instance: default
app.kubernetes.io/name: epinio-server
app.kubernetes.io/part-of: epinio
template:
metadata:
labels:
app.kubernetes.io/component: epinio-server
app.kubernetes.io/instance: default
app.kubernetes.io/name: epinio-server
app.kubernetes.io/part-of: epinio
app.kubernetes.io/version: {{ default .Chart.AppVersion .Values.image.epinio.tag }}
name: epinio-server
spec:
tolerations:
{{- include "linux-node-tolerations" . | nindent 8 }}
nodeSelector:
{{- include "linux-node-selector" . | nindent 8 }}
serviceAccountName: epinio-server
volumes:
- name: asset-volume
secret:
secretName: epinio-assets
- name: tmp-volume
emptyDir: {}
- name: image-export-volume
persistentVolumeClaim:
claimName: image-export-pvc
{{- if .Values.dex.enabled }}
- name: dex-tls
secret:
secretName: dex-tls
optional: false
{{- end }}
containers:
- command: ["/epinio", "server"]
args: ["--port", "8030"]
env:
- name: EPINIO_SETTINGS
value: /tmp/settings.yaml
- name: NAMESPACE
value: "{{ .Release.Namespace }}"
- name: ACCESS_CONTROL_ALLOW_ORIGIN
value: "{{ .Values.server.accessControlAllowOrigin }}"
- name: EPINIO_TIMEOUT_MULTIPLIER
value: "{{ .Values.server.timeoutMultiplier }}"
- name: TLS_ISSUER
value: "{{ .Values.global.tlsIssuer }}"
- name: TRACE_LEVEL
value: "{{ .Values.server.traceLevel }}"
- name: CHART_VERSION
value: "{{ .Chart.Version }}"
{{- $imageSkopeo := .Values.image.skopeo -}}
{{- if $imageSkopeo }}
- name: APP_IMAGE_EXPORTER
value: "{{ default $imageSkopeo.registry (include "registry-url" .) }}{{ $imageSkopeo.repository}}:{{ $imageSkopeo.tag }}"
{{- end }}
{{- if .Values.server.disableTracking }}
- name: DISABLE_TRACKING
value: "true"
{{- end }}
{{- if or .Values.s3.certificateSecret .Values.minio.enabled }}
- name: S3_CERTIFICATE_SECRET
value: {{ default "minio-tls" .Values.s3.certificateSecret }}
{{- end }}
{{- if .Values.containerregistry.enabled }}
- name: REGISTRY_CERTIFICATE_SECRET
value: "epinio-registry-tls"
{{- end }}
{{- if .Values.server.ingressClassName }}
- name: INGRESS_CLASS_NAME
value: "{{ .Values.server.ingressClassName }}"
{{- else if .Values.ingress.ingressClassName }}
- name: INGRESS_CLASS_NAME
value: "{{ .Values.ingress.ingressClassName }}"
{{- end }}
{{- if .Values.extraEnv }}
{{- toYaml .Values.extraEnv | nindent 12 -}}
{{- end }}
image: "{{ default .Values.image.epinio.registry (include "registry-url" .) }}{{ .Values.image.epinio.repository }}:{{ default .Chart.AppVersion .Values.image.epinio.tag }}"
livenessProbe:
httpGet:
path: /ready
port: 8030
name: epinio-server
ports:
- containerPort: 8030
volumeMounts:
- name: asset-volume
mountPath: /assets
- name: tmp-volume
mountPath: /tmp
- name: image-export-volume
mountPath: /image-export
{{- if .Values.dex.enabled }}
- name: dex-tls
mountPath: /etc/ssl/certs/dex-tls.pem
subPath: tls.crt
{{- end }}
readinessProbe:
httpGet:
path: /ready
port: 8030
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
securityContext:
runAsNonRoot: true
runAsUser: 1000
runAsGroup: 3000
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: image-export-pvc
namespace: {{ .Release.Namespace }}
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 2Gi
---
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/component: epinio
app.kubernetes.io/instance: default
app.kubernetes.io/name: epinio-server
app.kubernetes.io/part-of: epinio
app.kubernetes.io/version: {{ default .Chart.AppVersion .Values.image.epinio.tag }}
name: epinio-server
namespace: {{ .Release.Namespace }}
spec:
ports:
- name: http
port: 80
protocol: TCP
targetPort: 8030
selector:
app.kubernetes.io/name: epinio-server

118
charts/epinio/100.0.5+up1.6.2/templates/service-catalog.yaml Normal file
View File

@ -0,0 +1,118 @@
# These are three simple Services to fill the Service Catalog
{{ if .Values.serviceCatalog.enableDevServices }}
---
apiVersion: application.epinio.io/v1
kind: Service
metadata:
name: postgresql-dev
namespace: {{ .Release.Namespace }}
spec:
name: postgresql-dev
shortDescription: A PostgreSQL service that can be used during development
description: |
This service is going to deploy a simple default Bitnami PostreSQL db instance.
You can find more info at https://github.com/bitnami/charts/tree/master/bitnami/postgresql/.
This database is running inside the cluster so it's probably not a good choice for production
environments, at least with this default configuration.
chart: postgresql
chartVersion: 12.1.6
serviceIcon: https://bitnami.com/assets/stacks/postgresql/img/postgresql-stack-220x234.png
appVersion: 15.1.0
helmRepo:
name: bitnami
url: "https://charts.bitnami.com/bitnami"
values: |-
{{- template "epinio.catalog-service-values" . }}
---
apiVersion: application.epinio.io/v1
kind: Service
metadata:
name: mysql-dev
namespace: {{ .Release.Namespace }}
spec:
name: mysql-dev
shortDescription: A MySQL service that can be used during development
description: |
This service is going to deploy a simple default Bitnami MySQL db instance.
You can find more info at https://github.com/bitnami/charts/tree/master/bitnami/mysql/.
This database is running inside the cluster so it's probably not a good choice for production
environments, at least with this default configuration.
chart: mysql
chartVersion: 9.4.5
serviceIcon: https://bitnami.com/assets/stacks/mysql/img/mysql-stack-220x234.png
appVersion: 8.0.31
helmRepo:
name: bitnami
url: "https://charts.bitnami.com/bitnami"
values: |-
{{- template "epinio.catalog-service-values" . }}
---
apiVersion: application.epinio.io/v1
kind: Service
metadata:
name: redis-dev
namespace: {{ .Release.Namespace }}
spec:
name: redis-dev
shortDescription: A Redis service that can be used during development
description: |
This service is going to deploy a simple default Bitnami Redis instance.
You can find more info at https://github.com/bitnami/charts/tree/master/bitnami/redis/.
This database is running inside the cluster so it's probably not a good choice for production
environments, at least with this default configuration.
chart: redis
chartVersion: 17.3.17
serviceIcon: https://bitnami.com/assets/stacks/redis/img/redis-stack-220x234.png
appVersion: 7.0.7
helmRepo:
name: bitnami
url: "https://charts.bitnami.com/bitnami"
values: |-
{{- template "epinio.catalog-service-values" . }}
---
apiVersion: application.epinio.io/v1
kind: Service
metadata:
name: rabbitmq-dev
namespace: {{ .Release.Namespace }}
spec:
name: rabbitmq-dev
shortDescription: A RabbitMQ service that can be used during development
description: |
This service is going to deploy a simple default Bitnami RabbitMQ instance.
You can find more info at https://github.com/bitnami/charts/tree/master/bitnami/rabbitmq/.
This instance is running inside the cluster so it's probably not a good choice for production
environments, at least with this default configuration.
chart: rabbitmq
chartVersion: 11.2.2
serviceIcon: https://bitnami.com/assets/stacks/rabbitmq/img/rabbitmq-stack-220x234.png
appVersion: 3.11.5
helmRepo:
name: bitnami
url: https://charts.bitnami.com/bitnami
values: |-
{{- template "epinio.catalog-service-values" . }}
---
apiVersion: application.epinio.io/v1
kind: Service
metadata:
name: mongodb-dev
namespace: {{ .Release.Namespace }}
spec:
name: mongodb-dev
shortDescription: A MongoDB service that can be used during development
description: |
This service is going to deploy a simple default Bitnami MongoDB instance.
You can find more info at https://github.com/bitnami/charts/tree/master/bitnami/mongodb/.
This instance is running inside the cluster so it's probably not a good choice for production
environments, at least with this default configuration.
chart: mongodb
chartVersion: 13.6.2
serviceIcon: https://bitnami.com/assets/stacks/mongodb/img/mongodb-stack-220x234.png
appVersion: 6.0.3
helmRepo:
name: bitnami
url: https://charts.bitnami.com/bitnami
values: |-
{{- template "epinio.catalog-service-values" . }}
{{- end }}

95
charts/epinio/100.0.5+up1.6.2/templates/stage-scripts.yaml Normal file
View File

@ -0,0 +1,95 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: epinio-stage-scripts
namespace: {{ .Release.Namespace }}
data:
builderImage: "{{ default .Values.image.builder.registry (include "registry-url" .) }}{{ .Values.image.builder.repository}}:{{ .Values.image.builder.tag }}"
downloadImage: "{{ default .Values.image.awscli.registry (include "registry-url" .) }}{{ .Values.image.awscli.repository}}:{{ .Values.image.awscli.tag }}"
unpackImage: "{{ default .Values.image.bash.registry (include "registry-url" .) }}{{ .Values.image.bash.repository}}:{{ default .Chart.AppVersion .Values.image.bash.tag }}"
download: |-
# Parameters
# - PROTOCOL # s3 protocol
# - ENDPOINT # s3 endpoint
# - BUCKET # s3 bucket
# - BLOBID # blob id / file name for source archive
#
# This data is set in the chart only for an external s3. For
# internal s3 the chart has no information. Therefore we cannot
# use helm templating to insert these.
echo By _ _ __ ___ _____ $(whoami) $(pwd)
cat /etc/ssl/certs/ca-bundle.crt > /tmp/ca-bundle.pem
test -f /certs/ca.crt && cat /certs/ca.crt >> /tmp/ca-bundle.pem
test -f /certs/tls.crt && cat /certs/tls.crt >> /tmp/ca-bundle.pem
aws --ca-bundle /tmp/ca-bundle.pem --endpoint-url "${PROTOCOL}://${ENDPOINT}" s3 cp "s3://${BUCKET}/${BLOBID}" "/workspace/source/${BLOBID}"
echo _ _ __ ___ _____ Done
unpack: |-
# Parameters
# - BLOBID # blob id / file name for source archive
#
# Attempting to unpack the sources as, in order:
# .tar - epinio cli
# .zip - epinio UI
# -z .tar.gz
# -j .tar.bz2
# -J .tar.xz
#
# __Note__: While it would have been nicer, IMNSHO, to use `file` to determine the
# type of the file and then directly dispatch to the proper unpacker, the `file`
# command is not available in the `bash` image. The code as written now relies on each
# unpacker to recognize/reject input properly.
#
echo By _ _ __ ___ _____ $(whoami) $(pwd)
if test ! -f "/workspace/source/${BLOBID}" ; then
echo Nothing to unpack
exit
fi
mkdir /workspace/source/app
( cd /workspace/source/app
( echo Tar? ; tar -xvf "../${BLOBID}" ) || \
( echo Zip? ; unzip "../${BLOBID}" ) || \
( echo Tgz? ; tar -xvzf "../${BLOBID}" ) || \
( echo Tbz? ; tar -xvjf "../${BLOBID}" ) || \
( echo Txz? ; tar -xvJf "../${BLOBID}" ) || \
( echo "Unable to unpack. No supported archive file format found" ; exit 1 )
echo OK
)
rm "/workspace/source/${BLOBID}"
mkdir -p /workspace/source/env
cp -vL /workspace/source/appenv/* /workspace/source/env
chown -R 1000:1000 /workspace 2> /dev/null
find /workspace
echo _ _ __ ___ _____ Done
build: |-
# Parameters
# - PREIMAGE # url of previous image
# - APPIMAGE # url of application image
#
# ATTENTION: The `curl localhost:4191` command is used to stop the linkerd proxy
# container gracefully. We use `|| true` in case linkerd is not deployed. Further, it
# is placed into a trap to ensure that it will always run, even for a staging failure.
# Error output generated when linkerd is not present/up is squashed (dev/null).
# These messages are irrelevant, the situation is not an error, and allowing them through
# would confuse users (readers of app staging logs).
set -e
trap "curl -X POST http://localhost:4191/shutdown 2> /dev/null || true" EXIT
echo By _ _ __ ___ _____ $(whoami) $(pwd)
if test ! -d "/workspace/source/app" ; then
echo Nothing to build
sleep 60 # linkerd is a pain - If we exit to quickly, with the sidecar not ready our curl to shut it down does nothing, and then the sidecar comes up and prevents the pod from ending
exit 1
fi
find /workspace
/cnb/lifecycle/creator \
-app=/workspace/source/app \
-cache-dir=/workspace/cache \
-uid=1000 \
-gid=1000 \
-layers=/layers \
-platform=/workspace/source \
-report=/layers/report.toml \
-process-type=web \
-skip-restore=false \
"-previous-image=${PREIMAGE}" \
"${APPIMAGE}"
echo _ _ __ ___ _____ Done

19
charts/epinio/100.0.5+up1.6.2/templates/validate-cert-manager-crd.yaml Normal file
View File

@ -0,0 +1,19 @@
#{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}}
# {{- $found := dict -}}
# {{- set $found "acme.cert-manager.io/v1/Challenge" false -}}
# {{- set $found "acme.cert-manager.io/v1/Order" false -}}
# {{- set $found "cert-manager.io/v1/CertificateRequest" false -}}
# {{- set $found "cert-manager.io/v1/Certificate" false -}}
# {{- set $found "cert-manager.io/v1/ClusterIssuer" false -}}
# {{- set $found "cert-manager.io/v1/Issuer" false -}}
# {{- range .Capabilities.APIVersions -}}
# {{- if hasKey $found (toString .) -}}
# {{- set $found (toString .) true -}}
# {{- end -}}
# {{- end -}}
# {{- range $_, $exists := $found -}}
# {{- if (eq $exists false) -}}
# {{- required "Required CRDs are missing. Please install the corresponding CRD chart before installing this chart." "" -}}
# {{- end -}}
# {{- end -}}
#{{- end -}}

16
charts/epinio/100.0.5+up1.6.2/templates/validate-install-crd.yaml Normal file
View File

@ -0,0 +1,16 @@
#{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}}
# {{- $found := dict -}}
# {{- set $found "application.epinio.io/v1/App" false -}}
# {{- set $found "application.epinio.io/v1/AppChart" false -}}
# {{- set $found "application.epinio.io/v1/Service" false -}}
# {{- range .Capabilities.APIVersions -}}
# {{- if hasKey $found (toString .) -}}
# {{- set $found (toString .) true -}}
# {{- end -}}
# {{- end -}}
# {{- range $_, $exists := $found -}}
# {{- if (eq $exists false) -}}
# {{- required "Required CRDs are missing. Please install the corresponding CRD chart before installing this chart." "" -}}
# {{- end -}}
# {{- end -}}
#{{- end -}}

Some files were not shown because too many files have changed in this diff Show More