Merge branch 'dev-v2.8' into project_moni

Sakala Venkata Krishna Rohit 2023-09-21 15:25:47 -07:00 committed by GitHub
commit 822c5f0caf
202 changed files with 23505 additions and 0 deletions



@ -0,0 +1,10 @@
annotations:
catalog.cattle.io/certified: rancher
catalog.cattle.io/hidden: "true"
catalog.cattle.io/namespace: cattle-epinio-system
catalog.cattle.io/release-name: epinio-crd
apiVersion: v2
description: Installs the CRDs for Epinio.
name: epinio-crd
type: application
version: 102.0.4+up1.9.0


@ -0,0 +1,2 @@
# epinio-crd
A Rancher chart that installs the CRDs used by epinio.


@ -0,0 +1,118 @@
# Copied from here:
# https://github.com/epinio/application/blob/main/config/crd/bases/application.epinio.io_apps.yaml
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.4.1
creationTimestamp: null
name: apps.application.epinio.io
spec:
group: application.epinio.io
names:
kind: App
listKind: AppList
plural: apps
singular: app
scope: Namespaced
versions:
- name: v1
schema:
openAPIV3Schema:
description: App is the Schema for the apps API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: AppSpec defines the desired state of App
properties:
blobuid:
description: BlobUID stores the blob uid that was used when the application
was last staged (from code). It can be empty if the application
was never staged (e.g. pushed with container image). Epinio will
use the value set by the user explicitly but if one is not set,
it will try to use the previously set blobUID from the application
CRD.
type: string
builderimage:
description: This field stores the builder image that was used when
the application was last staged (from code). It can be empty if
the application was never staged (e.g. pushed with container image).
Epinio will use the builder image set by the user explicitly but
if one is not set, it will try to use the previously set image.
type: string
chartname:
description: ChartName stores the name of the application support
chart used to deploy the currently running application. This is
set on deployment, for use in updates. The name references an epinio
AppCharts resource.
type: string
imageurl:
description: ImageURL stores the image reference of the currently
running application. This is set on deployment, for use in updates.
type: string
origin:
properties:
archive:
type: boolean
container:
type: string
git:
properties:
branch:
type: string
provider:
type: string
repository:
type: string
revision:
type: string
required:
- repository
type: object
path:
type: string
type: object
routes:
items:
type: string
type: array
settings:
additionalProperties:
type: string
description: Settings stores the fields and values set by the user
to configure the application chart. See ChartName.
type: object
stageid:
description: StageID stores the id of the latest attempt to stage
the application, regardless of outcome. This enables access to the
staging logs of an application which never staged successfully.
type: string
required:
- origin
type: object
status:
description: AppStatus defines the observed state of App
type: object
type: object
served: true
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []
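Review bot: The provenance comment at the top of this CRD points at the upstream `main` branch rather than a fixed revision, so a reviewer cannot check that the vendored schema matches the Epinio release this chart ships (`catalog.cattle.io/upstream-version: 1.9.0` in the epinio Chart.yaml). I would pin the reference, e.g. `# Copied from: https://github.com/epinio/application/blob/<upstream tag or commit matching 1.9.0>/config/crd/bases/application.epinio.io_apps.yaml`, so that drift between this copy and upstream is detectable at review time. The same unpinned `main` reference appears in the appcharts and services CRDs added by this commit. Separately, `status` is declared as a bare `type: object` with no properties and no `x-kubernetes-preserve-unknown-fields`, which under v1 structural-schema pruning drops any status fields a controller writes; this is inherited from the upstream controller-gen output and presumably intentional, but worth confirming.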


@ -0,0 +1,108 @@
# Copied from here:
# https://github.com/epinio/application/blob/main/config/crd/bases/application.epinio.io_appcharts.yaml
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.4.1
creationTimestamp: null
name: appcharts.application.epinio.io
spec:
group: application.epinio.io
names:
kind: AppChart
listKind: AppChartList
plural: appcharts
singular: appchart
scope: Namespaced
versions:
- name: v1
schema:
openAPIV3Schema:
description: AppChart is the Schema for the appcharts API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: AppChartSpec defines the desired state of AppChart
properties:
description:
description: Description of the chart. Long form to be used in detailed
displays
type: string
helmChart:
description: HelmChart is the name of the Helm chart used to deploy
an application.
type: string
helmRepo:
description: HelmRepo is the URL to the Helm repository where to fetch
the helm chart. This can be empty. In that case the HelmChart field
has to reference the chart as full URL instead of as a simple name.
type: string
settings:
additionalProperties:
description: AppChartSetting is an older name for ChartSetting.
Created to keep backward compatibility. Should also reduce misunderstandings
of what kind of settings are handled in a particular context.
properties:
enum:
description: Enumeration of allowed values, for types string,
number, integer
items:
type: string
type: array
maximum:
description: Maximal allowed value, for number, integer
type: string
minimum:
description: Minimal allowed value, for number, integer
type: string
type:
description: Type of the setting (string, bool, number, or integer)
type: string
required:
- type
type: object
description: Settings declares the fields underneath `userValues`
the user is allowed to customize when deploying an application with
the helm chart referenced by this app chart.
type: object
shortDescription:
description: ShortDescription of the chart. To be used in list displays
type: string
values:
additionalProperties:
type: string
description: Values provides settings, i.e. field names and values
to customize the referenced helm chart when deploying an application
with this app chart. Note that user-configurable settings are declared
with `Settings` instead. While nothing checks against exposing a
field set here to the user this is strongly discouraged, to avoid
confusion.
type: object
type: object
status:
description: AppChartStatus defines the observed state of AppChart
type: object
type: object
served: true
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []
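Review bot: The `type` property of each chart setting lists its allowed values only in prose ("string, bool, number, or integer") and carries no `enum`, so a misspelled type is accepted at admission and only surfaces when Epinio later interprets the setting. Adding `enum: [string, bool, number, integer]` under that `type:` property would make the schema enforce what the description promises; the services CRD in this commit has the same gap in its setting `type` property. Because this file is a verbatim copy of upstream controller-gen output, the change belongs upstream (a kubebuilder validation marker on the Go field) with the copy refreshed afterwards, rather than being hand-edited here. Note also that `maximum` and `minimum` are typed as strings, so no numeric range validation happens at admission either — presumably parsed and checked by Epinio, but confirm.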


@ -0,0 +1,120 @@
# Copied from here:
# https://github.com/epinio/application/blob/main/config/crd/bases/application.epinio.io_services.yaml
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.4.1
creationTimestamp: null
name: services.application.epinio.io
spec:
group: application.epinio.io
names:
kind: Service
listKind: ServiceList
plural: services
singular: service
scope: Namespaced
versions:
- name: v1
schema:
openAPIV3Schema:
description: Service is the Schema for the services API
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: ServiceSpec defines the desired state of Service
properties:
appVersion:
description: AppVersion is the version of the service deployed by
the referenced chart
type: string
chart:
description: HelmChart is the name of the Helm chart used to deploy
the service
type: string
chartVersion:
description: ChartVersion is the version of the Helm chart used to
deploy the service
type: string
description:
description: Description of the service to be used when the service
is described
type: string
helmRepo:
description: HelmRepo is the Helm repository where to fetch the helm
chart
properties:
name:
type: string
url:
type: string
type: object
name:
description: Name of the service (i.e. redis-small)
type: string
serviceIcon:
description: ServiceIcon is an image associated with this service
type: string
settings:
additionalProperties:
description: ServiceSetting is an alias to ChartSetting. Should
reduce misunderstandings of what kind of settings are handled
in a particular context.
properties:
enum:
description: Enumeration of allowed values, for types string,
number, integer
items:
type: string
type: array
maximum:
description: Maximal allowed value, for number, integer
type: string
minimum:
description: Minimal allowed value, for number, integer
type: string
type:
description: Type of the setting (string, bool, number, or integer)
type: string
required:
- type
type: object
description: Settings declares the fields the user is allowed to customize
when deploying a service with the helm chart referenced by this
service class.
type: object
shortDescription:
description: ShortDescription of the service to be used in lists
type: string
values:
description: Values are the values provided by the operator. They
are used to customize the deployment of the service.
type: string
type: object
status:
description: ServiceStatus defines the observed state of Service
type: object
type: object
served: true
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []
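Review bot: The description of the `chart` property reads "HelmChart is the name of the Helm chart used to deploy the service", which does not match the field name and looks carried over from a differently named Go field; `description: Chart is the name of the Helm chart used to deploy the service` would remove the mismatch. The `values` property is an opaque `type: string` ("values provided by the operator"), so nothing in the schema validates its contents — presumably Epinio parses it as YAML at deploy time, which is worth stating in the description so operators know what the string must contain. As with the other CRDs in this commit, the file is a copy of upstream, so the wording fix should land there first.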


@ -0,0 +1,15 @@
dependencies:
- name: dex
repository: https://charts.dexidp.io
version: 0.14.3
- name: minio
repository: https://charts.min.io/
version: 5.0.13
- name: kubed
repository: https://charts.appscode.com/stable/
version: v0.13.2
- name: s3gw
repository: https://aquarist-labs.github.io/s3gw-charts
version: 0.14.0
digest: sha256:bb126710c2f9a5b3d92dcb6186b97747881fd323fbfe0a53cda5194dc9f1000d
generated: "2023-07-18T14:35:31.781489759+02:00"


@ -0,0 +1,51 @@
annotations:
artifacthub.io/license: Apache-2.0
artifacthub.io/prerelease: "false"
catalog.cattle.io/auto-install: epinio-crd=match
catalog.cattle.io/certified: rancher
catalog.cattle.io/display-name: Epinio
catalog.cattle.io/experimental: "true"
catalog.cattle.io/kube-version: '>= 1.23.0-0 < 1.28.0-0'
catalog.cattle.io/namespace: cattle-epinio-system
catalog.cattle.io/permits-os: linux
catalog.cattle.io/rancher-version: '>= 2.7.0-0 < 2.8.0-0'
catalog.cattle.io/release-name: epinio
catalog.cattle.io/type: app
catalog.cattle.io/upstream-version: 1.9.0
apiVersion: v2
appVersion: v1.9.0
dependencies:
- condition: global.dex.enabled
name: dex
repository: file://./charts/dex
tags:
- dex
- condition: kubed.enabled, global.kubed.enabled
name: kubed
repository: file://./charts/kubed
tags:
- kubed
- condition: minio.enabled, global.minio.enabled
name: minio
repository: file://./charts/minio
tags:
- minio
- condition: s3gw.enabled, global.s3gw.enabled
name: s3gw
repository: file://./charts/s3gw
tags:
- s3gw
description: Epinio deploys Kubernetes applications directly from source code in one
step.
home: https://github.com/epinio/epinio
icon: https://charts.rancher.io/assets/logos/epinio.svg
keywords:
- epinio
- paas
maintainers:
- email: team@epinio.io
name: SUSE
name: epinio
sources:
- https://github.com/epinio/epinio
version: 102.0.4+up1.9.0
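Review bot: The `dex` dependency's condition lists only `global.dex.enabled`, while the kubed, minio and s3gw entries list both a chart-local path and a global one. Helm evaluates only the first condition path that exists in the parent's values, so if the values file exposes a `dex.enabled` switch (not visible in this commit) it would be ignored; `- condition: dex.enabled, global.dex.enabled` would make dex behave like its siblings, or the README should state that dex is toggled only via the global key. Separately, the merge target branch is named `dev-v2.8` but the annotation `catalog.cattle.io/rancher-version: '>= 2.7.0-0 < 2.8.0-0'` excludes Rancher 2.8; if this chart is intended to be listed there, that constraint needs revisiting — I cannot tell the intent from this page.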


@ -0,0 +1,100 @@
# Epinio Helm Chart
From app to URL in one command.
## Introduction
This chart deploys Epinio PaaS on a Kubernetes cluster. It also deploys some of
its dependencies as subcharts.
The documentation is centralized in the [doc website](https://docs.epinio.io).
## Prerequisites
Epinio needs a number of external components to be running on your cluster in order to
work. You may already have those deployed, otherwise follow the instructions here
to deploy them.
Important: Some of the namespaces of the components are hardcoded in the Epinio
code and thus are important to be the same as described here. In the future this
may be configurable on the Epinio Helm chart.
### Ingress Controller
Epinio creates Ingress resources for the API server, the applications and depending
on your setup, the internal container registry. Those resources won't work unless
an Ingress controller is running on your cluster.
If you don't have an Ingress controller already running, you can install Traefik with:
```
$ kubectl create namespace traefik
$ export LOAD_BALANCER_IP=$(LOAD_BALANCER_IP:-) # Set this to the IP of your load balancer if you know that
$ helm install traefik --namespace traefik "https://helm.traefik.io/traefik/traefik-10.3.4.tgz" \
--set globalArguments='' \
--set-string ports.web.redirectTo=websecure \
--set-string ingressClass.enabled=true \
--set-string ingressClass.isDefaultClass=true \
--set-string service.spec.loadBalancerIP=$LOAD_BALANCER_IP
```
### Cert Manager
Epinio needs [cert-manager](https://cert-manager.io/) in order to create TLS
certificates for the various Ingresses (see "Ingress controller" above).
If cert-manager is not already installed on the cluster, it can be installed like this:
```
$ kubectl create namespace cert-manager
$ helm repo add jetstack https://charts.jetstack.io
$ helm repo update
$ helm install cert-manager --namespace cert-manager jetstack/cert-manager \
--set installCRDs=true \
--set extraArgs[0]=--enable-certificate-owner-ref=true
```
### Kubed
Kubed is installed as a subchart when `.Values.kubed.enabled` is true (default).
If you already have kubed running, you can skip the installation by setting
the helm value "kubed.enabled" to "false".
### S3 storage
Epinio is using an S3 compatible storage to store the application source code.
This chart will install [Minio](https://min.io/) when `.Values.minio.enabled` is
true (default).
This chart will install [s3gw](https://s3gw.io/) when `.Values.s3gw.enabled` is
true.
Any S3 compatible solution can be used instead by setting the aforementioned values
to `false` and using [the values under `s3`](https://github.com/epinio/helm-charts/blob/main/chart/epinio/values.yaml#L44)
to point to the desired S3 server.
### Container Registry
When Epinio builds a container image for an application from source, it needs
to store that image to a container registry. Epinio installs a container registry
on the cluster when `.Values.containerregistry.enabled` is `true` (default).
Any container registry that supports basic auth authentication can be used (e.g. gcr, dockerhub etc)
instead by setting this value to `false` and using
[the values under `registry`](https://github.com/epinio/helm-charts/blob/main/chart/epinio/values.yaml#L104-L107)
to point to the desired container registry.
## Install Epinio
If the above dependencies are available or going to be installed by this chart,
Epinio can be installed with the following:
```
$ helm repo add epinio https://epinio.github.io/helm-charts/
$ helm install epinio -n epinio --create-namespace epinio/epinio --values epinio-values.yaml --set global.domain=myepiniodomain.org
```
The only value that is mandatory is the `.Values.global.domain` which
should be a wildcard domain, pointing to the IP address of your running
Ingress controller.


@ -0,0 +1,37 @@
# Epinio PaaS
Opinionated platform that runs on Kubernetes to take you from Code to URL in one step.
__Attention__:
- Requires `cert-manager` as dependency.
- Requires `helm-controller` as dependency.
## Upgrading to Kubernetes v1.25+
Starting in Kubernetes v1.25, [Pod Security Policies](https://kubernetes.io/docs/concepts/security/pod-security-policy/)
have been removed from the Kubernetes API.
As a result, __before upgrading to Kubernetes v1.25__ (or on a fresh install in a Kubernetes v1.25+
cluster), users are expected to perform an in-place upgrade of this chart with
`global.cattle.psp.enabled` set to `false` if it has been previously set to `true`.
> __Note:__
> In this chart release, any previous field that was associated with any PSP resources have been
> removed in favor of a single global field: `global.cattle.psp.enabled`.
> __Note:__
> If you upgrade your cluster to Kubernetes v1.25+ before removing PSPs via a `helm upgrade` (even
> if you manually clean up resources), __it will leave the Helm release in a broken state within the
> cluster such that further Helm operations will not work (`helm uninstall`, `helm upgrade`,
> etc.).__
>
> If your charts get stuck in this state, please consult the Rancher docs on how to clean up your
> Helm release secrets.
Upon setting `global.cattle.psp.enabled` to false, the chart will remove any PSP resources deployed
on its behalf from the cluster. This is the default setting for this chart.
As a replacement for PSPs, [Pod Security Admission](https://kubernetes.io/docs/concepts/security/pod-security-admission/)
should be used. Please consult the Rancher docs for more details on how to configure your chart
release namespaces to work with the new Pod Security Admission and apply Pod Security Standards.


@ -0,0 +1,25 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/
README.md.gotmpl


@ -0,0 +1,29 @@
annotations:
artifacthub.io/changes: |
- kind: added
description: "Use updated HorizontalPodAutoscaler API Version which is no longer served in K8s >=1.25"
artifacthub.io/images: |
- name: dex
image: ghcr.io/dexidp/dex:v2.36.0
apiVersion: v2
appVersion: 2.36.0
description: OpenID Connect (OIDC) identity and OAuth 2.0 provider with pluggable
connectors.
home: https://dexidp.io/
icon: https://dexidp.io/favicon.png
keywords:
- oidc
- oauth
- identity-provider
- saml
kubeVersion: '>=1.14.0-0'
maintainers:
- email: mark.sagikazar@gmail.com
name: sagikazarmark
url: https://sagikazarmark.hu
name: dex
sources:
- https://github.com/dexidp/dex
- https://github.com/dexidp/helm-charts/tree/master/charts/dex
type: application
version: 0.14.3


@ -0,0 +1,202 @@
Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
1. Definitions.
"License" shall mean the terms and conditions for use, reproduction,
and distribution as defined by Sections 1 through 9 of this document.
"Licensor" shall mean the copyright owner or entity authorized by
the copyright owner that is granting the License.
"Legal Entity" shall mean the union of the acting entity and all
other entities that control, are controlled by, or are under common
control with that entity. For the purposes of this definition,
"control" means (i) the power, direct or indirect, to cause the
direction or management of such entity, whether by contract or
otherwise, or (ii) ownership of fifty percent (50%) or more of the
outstanding shares, or (iii) beneficial ownership of such entity.
"You" (or "Your") shall mean an individual or Legal Entity
exercising permissions granted by this License.
"Source" form shall mean the preferred form for making modifications,
including but not limited to software source code, documentation
source, and configuration files.
"Object" form shall mean any form resulting from mechanical
transformation or translation of a Source form, including but
not limited to compiled object code, generated documentation,
and conversions to other media types.
"Work" shall mean the work of authorship, whether in Source or
Object form, made available under the License, as indicated by a
copyright notice that is included in or attached to the work
(an example is provided in the Appendix below).
"Derivative Works" shall mean any work, whether in Source or Object
form, that is based on (or derived from) the Work and for which the
editorial revisions, annotations, elaborations, or other modifications
represent, as a whole, an original work of authorship. For the purposes
of this License, Derivative Works shall not include works that remain
separable from, or merely link (or bind by name) to the interfaces of,
the Work and Derivative Works thereof.
"Contribution" shall mean any work of authorship, including
the original version of the Work and any modifications or additions
to that Work or Derivative Works thereof, that is intentionally
submitted to Licensor for inclusion in the Work by the copyright owner
or by an individual or Legal Entity authorized to submit on behalf of
the copyright owner. For the purposes of this definition, "submitted"
means any form of electronic, verbal, or written communication sent
to the Licensor or its representatives, including but not limited to
communication on electronic mailing lists, source code control systems,
and issue tracking systems that are managed by, or on behalf of, the
Licensor for the purpose of discussing and improving the Work, but
excluding communication that is conspicuously marked or otherwise
designated in writing by the copyright owner as "Not a Contribution."
"Contributor" shall mean Licensor and any individual or Legal Entity
on behalf of whom a Contribution has been received by Licensor and
subsequently incorporated within the Work.
2. Grant of Copyright License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
copyright license to reproduce, prepare Derivative Works of,
publicly display, publicly perform, sublicense, and distribute the
Work and such Derivative Works in Source or Object form.
3. Grant of Patent License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
(except as stated in this section) patent license to make, have made,
use, offer to sell, sell, import, and otherwise transfer the Work,
where such license applies only to those patent claims licensable
by such Contributor that are necessarily infringed by their
Contribution(s) alone or by combination of their Contribution(s)
with the Work to which such Contribution(s) was submitted. If You
institute patent litigation against any entity (including a
cross-claim or counterclaim in a lawsuit) alleging that the Work
or a Contribution incorporated within the Work constitutes direct
or contributory patent infringement, then any patent licenses
granted to You under this License for that Work shall terminate
as of the date such litigation is filed.
4. Redistribution. You may reproduce and distribute copies of the
Work or Derivative Works thereof in any medium, with or without
modifications, and in Source or Object form, provided that You
meet the following conditions:
(a) You must give any other recipients of the Work or
Derivative Works a copy of this License; and
(b) You must cause any modified files to carry prominent notices
stating that You changed the files; and
(c) You must retain, in the Source form of any Derivative Works
that You distribute, all copyright, patent, trademark, and
attribution notices from the Source form of the Work,
excluding those notices that do not pertain to any part of
the Derivative Works; and
(d) If the Work includes a "NOTICE" text file as part of its
distribution, then any Derivative Works that You distribute must
include a readable copy of the attribution notices contained
within such NOTICE file, excluding those notices that do not
pertain to any part of the Derivative Works, in at least one
of the following places: within a NOTICE text file distributed
as part of the Derivative Works; within the Source form or
documentation, if provided along with the Derivative Works; or,
within a display generated by the Derivative Works, if and
wherever such third-party notices normally appear. The contents
of the NOTICE file are for informational purposes only and
do not modify the License. You may add Your own attribution
notices within Derivative Works that You distribute, alongside
or as an addendum to the NOTICE text from the Work, provided
that such additional attribution notices cannot be construed
as modifying the License.
You may add Your own copyright statement to Your modifications and
may provide additional or different license terms and conditions
for use, reproduction, or distribution of Your modifications, or
for any such Derivative Works as a whole, provided Your use,
reproduction, and distribution of the Work otherwise complies with
the conditions stated in this License.
5. Submission of Contributions. Unless You explicitly state otherwise,
any Contribution intentionally submitted for inclusion in the Work
by You to the Licensor shall be under the terms and conditions of
this License, without any additional terms or conditions.
Notwithstanding the above, nothing herein shall supersede or modify
the terms of any separate license agreement you may have executed
with Licensor regarding such Contributions.
6. Trademarks. This License does not grant permission to use the trade
names, trademarks, service marks, or product names of the Licensor,
except as required for reasonable and customary use in describing the
origin of the Work and reproducing the content of the NOTICE file.
7. Disclaimer of Warranty. Unless required by applicable law or
agreed to in writing, Licensor provides the Work (and each
Contributor provides its Contributions) on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
implied, including, without limitation, any warranties or conditions
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
PARTICULAR PURPOSE. You are solely responsible for determining the
appropriateness of using or redistributing the Work and assume any
risks associated with Your exercise of permissions under this License.
8. Limitation of Liability. In no event and under no legal theory,
whether in tort (including negligence), contract, or otherwise,
unless required by applicable law (such as deliberate and grossly
negligent acts) or agreed to in writing, shall any Contributor be
liable to You for damages, including any direct, indirect, special,
incidental, or consequential damages of any character arising as a
result of this License or out of the use or inability to use the
Work (including but not limited to damages for loss of goodwill,
work stoppage, computer failure or malfunction, or any and all
other commercial damages or losses), even if such Contributor
has been advised of the possibility of such damages.
9. Accepting Warranty or Additional Liability. While redistributing
the Work or Derivative Works thereof, You may choose to offer,
and charge a fee for, acceptance of support, warranty, indemnity,
or other liability obligations and/or rights consistent with this
License. However, in accepting such obligations, You may act only
on Your own behalf and on Your sole responsibility, not on behalf
of any other Contributor, and only if You agree to indemnify,
defend, and hold each Contributor harmless for any liability
incurred by, or claims asserted against, such Contributor by reason
of your accepting any such warranty or additional liability.
END OF TERMS AND CONDITIONS
APPENDIX: How to apply the Apache License to your work.
To apply the Apache License to your work, attach the following
boilerplate notice, with the fields enclosed by brackets "[]"
replaced with your own identifying information. (Don't include
the brackets!) The text should be enclosed in the appropriate
comment syntax for the file format. We also recommend that a
file or class name and description of purpose be included on the
same "printed page" as the copyright notice for easier
identification within third-party archives.
Copyright [yyyy] [name of copyright owner]
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.


@ -0,0 +1,187 @@
# dex
![version: 0.14.3](https://img.shields.io/badge/version-0.14.3-informational?style=flat-square) ![type: application](https://img.shields.io/badge/type-application-informational?style=flat-square) ![app version: 2.36.0](https://img.shields.io/badge/app%20version-2.36.0-informational?style=flat-square) ![kube version: >=1.14.0-0](https://img.shields.io/badge/kube%20version->=1.14.0--0-informational?style=flat-square) [![artifact hub](https://img.shields.io/badge/artifact%20hub-dex-informational?style=flat-square)](https://artifacthub.io/packages/helm/dex/dex)
OpenID Connect (OIDC) identity and OAuth 2.0 provider with pluggable connectors.
**Homepage:** <https://dexidp.io/>
## TL;DR;
```bash
helm repo add dex https://charts.dexidp.io
helm install --generate-name --wait dex/dex
```
## Getting started
### Minimal configuration
Dex requires a minimal configuration in order to work.
You can pass configuration to Dex using Helm values:
```yaml
config:
# Set it to a valid URL
issuer: http://my-issuer-url.com
# See https://dexidp.io/docs/storage/ for more options
storage:
type: memory
# Enable at least one connector
# See https://dexidp.io/docs/connectors/ for more options
enablePasswordDB: true
```
The above configuration won't make Dex automatically available on the configured URL.
One (and probably the easiest) way to achieve that is configuring ingress:
```yaml
ingress:
enabled: true
hosts:
- host: my-issuer-url.com
paths:
- path: /
```
### Minimal TLS configuration
HTTPS is basically mandatory these days, especially for authentication and authorization services.
There are several solutions for protecting services with TlS in Kubernetes,
but by far the most popular and portable is undoubtedly [Cert Manager](https://cert-manager.io).
Cert Manager can be [installed](https://cert-manager.io/docs/installation/kubernetes) with a few steps:
```shell
helm repo add jetstack https://charts.jetstack.io
helm repo update
kubectl create namespace cert-manager
helm install \
cert-manager jetstack/cert-manager \
--namespace cert-manager \
--set installCRDs=true
```
The next step is setting up an [issuer](https://cert-manager.io/docs/concepts/issuer/) (eg. [Let's Encrypt](https://letsencrypt.org/)):
```shell
cat <<EOF | kubectl apply -f -
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: acme
spec:
acme:
email: YOUR@EMAIL_ADDRESS
server: https://acme-v02.api.letsencrypt.org/directory
privateKeySecretRef:
name: acme-account-key
solvers:
- http01:
ingress:
class: YOUR_INGRESS_CLASS
EOF
```
Finally, change the ingress config to use TLS:
```yaml
ingress:
enabled: true
annotations:
cert-manager.io/cluster-issuer: acme
hosts:
- host: my-issuer-url.com
paths:
- path: /
tls:
- hosts:
- my-issuer-url.com
secretName: dex-cert
```
## Values
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| replicaCount | int | `1` | Number of replicas (pods) to launch. |
| commonLabels | object | `{}` | Labels to apply to all resources and selectors. |
| image.repository | string | `"ghcr.io/dexidp/dex"` | Name of the image repository to pull the container image from. |
| image.pullPolicy | string | `"IfNotPresent"` | [Image pull policy](https://kubernetes.io/docs/concepts/containers/images/#updating-images) for updating already existing images on a node. |
| image.tag | string | `""` | Image tag override for the default value (chart appVersion). |
| imagePullSecrets | list | `[]` | Reference to one or more secrets to be used when [pulling images](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/#create-a-pod-that-uses-your-secret) (from private registries). |
| nameOverride | string | `""` | A name in place of the chart name for `app:` labels. |
| fullnameOverride | string | `""` | A name to substitute for the full names of resources. |
| hostAliases | list | `[]` | A list of hosts and IPs that will be injected into the pod's hosts file if specified. See the [API reference](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#hostname-and-name-resolution) |
| https.enabled | bool | `false` | Enable the HTTPS endpoint. |
| grpc.enabled | bool | `false` | Enable the gRPC endpoint. Read more in the [documentation](https://dexidp.io/docs/api/). |
| configSecret.create | bool | `true` | Enable creating a secret from the values passed to `config`. If set to false, name must point to an existing secret. |
| configSecret.name | string | `""` | The name of the secret to mount as configuration in the pod. If not set and create is true, a name is generated using the fullname template. Must point to secret that contains at least a `config.yaml` key. |
| config | object | `{}` | Application configuration. See the [official documentation](https://dexidp.io/docs/). |
| volumes | list | `[]` | Additional storage [volumes](https://kubernetes.io/docs/concepts/storage/volumes/). See the [API reference](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#volumes-1) for details. |
| volumeMounts | list | `[]` | Additional [volume mounts](https://kubernetes.io/docs/tasks/configure-pod-container/configure-volume-storage/). See the [API reference](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#volumes-1) for details. |
| envFrom | list | `[]` | Additional environment variables mounted from [secrets](https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets-as-environment-variables) or [config maps](https://kubernetes.io/docs/tasks/configure-pod-container/configure-pod-configmap/#configure-all-key-value-pairs-in-a-configmap-as-container-environment-variables). See the [API reference](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#environment-variables) for details. |
| env | object | `{}` | Additional environment variables passed directly to containers. See the [API reference](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#environment-variables) for details. |
| envVars | list | `[]` | Similar to env but with support for all possible configurations. See the [API reference](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#environment-variables) for details. |
| serviceAccount.create | bool | `true` | Enable service account creation. |
| serviceAccount.annotations | object | `{}` | Annotations to be added to the service account. |
| serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template. |
| rbac.create | bool | `true` | Specifies whether RBAC resources should be created. If disabled, the operator is responsible for creating the necessary resources based on the templates. |
| rbac.createClusterScoped | bool | `true` | Specifies which RBAC resources should be created. If disabled, the operator is responsible for creating the necessary resources (ClusterRole and RoleBinding or CRD's) |
| deploymentAnnotations | object | `{}` | Annotations to be added to deployment. |
| deploymentLabels | object | `{}` | Labels to be added to deployment. |
| podAnnotations | object | `{}` | Annotations to be added to pods. |
| podLabels | object | `{}` | Labels to be added to pods. |
| podDisruptionBudget.enabled | bool | `false` | Enable a [pod distruption budget](https://kubernetes.io/docs/tasks/run-application/configure-pdb/) to help dealing with [disruptions](https://kubernetes.io/docs/concepts/workloads/pods/disruptions/). It is **highly recommended** for webhooks as disruptions can prevent launching new pods. |
| podDisruptionBudget.minAvailable | int/percentage | `nil` | Number or percentage of pods that must remain available. |
| podDisruptionBudget.maxUnavailable | int/percentage | `nil` | Number or percentage of pods that can be unavailable. |
| priorityClassName | string | `""` | Specify a priority class name to set [pod priority](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/#pod-priority). |
| podSecurityContext | object | `{}` | Pod [security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod). See the [API reference](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context) for details. |
| securityContext | object | `{}` | Container [security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container). See the [API reference](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) for details. |
| service.annotations | object | `{}` | Annotations to be added to the service. |
| service.type | string | `"ClusterIP"` | Kubernetes [service type](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types). |
| service.clusterIP | string | `""` | Internal cluster service IP (when applicable) |
| service.ports.http.port | int | `5556` | HTTP service port |
| service.ports.http.nodePort | int | `nil` | HTTP node port (when applicable) |
| service.ports.https.port | int | `5554` | HTTPS service port |
| service.ports.https.nodePort | int | `nil` | HTTPS node port (when applicable) |
| service.ports.grpc.port | int | `5557` | gRPC service port |
| service.ports.grpc.nodePort | int | `nil` | gRPC node port (when applicable) |
| ingress.enabled | bool | `false` | Enable [ingress](https://kubernetes.io/docs/concepts/services-networking/ingress/). |
| ingress.className | string | `""` | Ingress [class name](https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class). |
| ingress.annotations | object | `{}` | Annotations to be added to the ingress. |
| ingress.hosts | list | See [values.yaml](values.yaml). | Ingress host configuration. |
| ingress.tls | list | See [values.yaml](values.yaml). | Ingress TLS configuration. |
| serviceMonitor.enabled | bool | `false` | Enable Prometheus ServiceMonitor. See the [documentation](https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/design.md#servicemonitor) and the [API reference](https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#servicemonitor) for details. |
| serviceMonitor.namespace | string | Release namespace. | Namespace where the ServiceMonitor resource should be deployed. |
| serviceMonitor.interval | duration | `nil` | Prometheus scrape interval. |
| serviceMonitor.scrapeTimeout | duration | `nil` | Prometheus scrape timeout. |
| serviceMonitor.labels | object | `{}` | Labels to be added to the ServiceMonitor. |
| serviceMonitor.annotations | object | `{}` | Annotations to be added to the ServiceMonitor. |
| serviceMonitor.scheme | string | `""` | HTTP scheme to use for scraping. Can be used with `tlsConfig` for example if using istio mTLS. |
| serviceMonitor.tlsConfig | object | `{}` | TLS configuration to use when scraping the endpoint. For example if using istio mTLS. |
| serviceMonitor.bearerTokenFile | string | `nil` | Prometheus scrape bearerTokenFile |
| serviceMonitor.metricRelabelings | list | `[]` | Prometheus scrape metric relabel configs to apply to samples before ingestion. |
| serviceMonitor.relabelings | list | `[]` | Relabel configs to apply to samples before ingestion. |
| resources | object | No requests or limits. | Container resource [requests and limits](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/). See the [API reference](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources) for details. |
| autoscaling | object | Disabled by default. | Autoscaling configuration (see [values.yaml](values.yaml) for details). |
| nodeSelector | object | `{}` | [Node selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) configuration. |
| tolerations | list | `[]` | [Tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) for node taints. See the [API reference](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling) for details. |
| affinity | object | `{}` | [Affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) configuration. See the [API reference](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling) for details. |
| topologySpreadConstraints | list | `[]` | [TopologySpreadConstraints](https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/) configuration. See the [API reference](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling) for details. |
| strategy | object | `{}` | Deployment [strategy](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy) configuration. |
| networkPolicy.enabled | bool | `false` | Create [Network Policies](https://kubernetes.io/docs/concepts/services-networking/network-policies/) |
| networkPolicy.egressRules | list | `[]` | A list of network policy egress rules |
## Migrating from stable/dex (or banzaicloud-stable/dex) chart
This chart is not backwards compatible with the `stable/dex` (or `banzaicloud-stable/dex`) chart.
However, Dex itself remains backwards compatible, so you can easily install the new chart in place of the old one
and continue using Dex with a minimal downtime.


@ -0,0 +1,10 @@
config:
issuer: https://my-issuer.com
storage:
type: memory
enablePasswordDB: true
configSecret:
name: my-super-special-dex-secret


@ -0,0 +1,19 @@
config:
issuer: https://my-issuer.com
storage:
type: memory
enablePasswordDB: true
deploymentAnnotations:
reloader.stakater.com/auto: "true"
podAnnotations:
vault.security.banzaicloud.io/vault-addr: "https://vault.vault:8200"
deploymentLabels:
hello: world
podLabels:
hello: world


@ -0,0 +1,10 @@
config:
issuer: https://my-issuer.com
storage:
type: memory
enablePasswordDB: true
configSecret:
create: false


@ -0,0 +1,7 @@
config:
issuer: https://my-issuer.com
storage:
type: memory
enablePasswordDB: true


@ -0,0 +1,22 @@
1. Get the application URL by running these commands:
{{- if .Values.ingress.enabled }}
{{- range $host := .Values.ingress.hosts }}
{{- range .paths }}
http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ .path }}
{{- end }}
{{- end }}
{{- else if contains "NodePort" .Values.service.type }}
export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "dex.fullname" . }})
export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
echo http://$NODE_IP:$NODE_PORT
{{- else if contains "LoadBalancer" .Values.service.type }}
NOTE: It may take a few minutes for the LoadBalancer IP to be available.
You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "dex.fullname" . }}'
export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "dex.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
echo http://$SERVICE_IP:{{ .Values.service.port }}
{{- else if contains "ClusterIP" .Values.service.type }}
export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "dex.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}")
echo "Visit http://127.0.0.1:8080 to use your application"
kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT
{{- end }}
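Review bot: The LoadBalancer branch prints `http://$SERVICE_IP:{{ .Values.service.port }}`, but the chart's values are keyed as `service.ports.http.port` (see the values table in this commit's README), so `.Values.service.port` renders empty and the hint becomes `http://$SERVICE_IP:` with no port. Change it to `echo http://$SERVICE_IP:{{ .Values.service.ports.http.port }}`. The NodePort and ClusterIP branches also hard-code `http://` regardless of `https.enabled`; if the https endpoint is on, the advertised URL points users at the plaintext listener, so consider mirroring the `http{{ if ... }}s{{ end }}` trick used in the ingress branch.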


@ -0,0 +1,106 @@
{{/*
Expand the name of the chart.
*/}}
{{- define "dex.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "dex.fullname" -}}
{{- if .Values.fullnameOverride }}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- $name := default .Chart.Name .Values.nameOverride }}
{{- if contains $name .Release.Name }}
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{- end }}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "dex.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Common labels
*/}}
{{- define "dex.labels" -}}
helm.sh/chart: {{ include "dex.chart" . }}
{{ include "dex.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- if .Values.commonLabels}}
{{ toYaml .Values.commonLabels }}
{{- end }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "dex.selectorLabels" -}}
app.kubernetes.io/name: {{ include "dex.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{/*
Create the name of the service account to use
*/}}
{{- define "dex.serviceAccountName" -}}
{{- if .Values.serviceAccount.create }}
{{- default (include "dex.fullname" .) .Values.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.serviceAccount.name }}
{{- end }}
{{- end }}
{{/*
Create the name of the secret containing the config file to use
*/}}
{{- define "dex.configSecretName" -}}
{{- if .Values.configSecret.create }}
{{- default (include "dex.fullname" .) .Values.configSecret.name }}
{{- else }}
{{- default "default" .Values.configSecret.name }}
{{- end }}
{{- end }}
{{/*
Windows cluster will add default taint for linux nodes, add below linux tolerations to
workloads could be scheduled to those linux nodes
*/}}
{{- define "linux-node-tolerations" -}}
- key: "cattle.io/os"
value: "linux"
effect: "NoSchedule"
operator: "Equal"
{{- end -}}
{{- define "linux-node-selector" -}}
{{- if semverCompare "<1.14-0" .Capabilities.KubeVersion.GitVersion -}}
beta.kubernetes.io/os: linux
{{- else -}}
kubernetes.io/os: linux
{{- end -}}
{{- end -}}
{{/*
URL prefix for container images to be compatible with Rancher
*/}}
{{- define "registry-url" -}}
{{- if .Values.global.cattle.systemDefaultRegistry -}}
{{ trimSuffix "/" .Values.global.cattle.systemDefaultRegistry }}/
{{- else -}}
{{ .Values.operator.registry }}/
{{- end -}}
{{- end -}}
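Review bot: `dex.configSecretName` falls back to the literal secret name `"default"` when `configSecret.create` is false and `configSecret.name` is empty, so the deployment mounts a secret that almost certainly does not exist and the pod sits in ContainerCreating with a misleading "secret not found" error instead of a clear install-time failure. Replace the else branch with `{{- required "configSecret.name must be set when configSecret.create is false" .Values.configSecret.name }}`, which is what the README already says the contract is. Separately, `registry-url` reads `.Values.operator.registry` when `global.cattle.systemDefaultRegistry` is unset; neither key appears in the documented values table, and if values.yaml (not in this view) does not define `operator`, that path fails rendering with a nil-pointer error on any non-Rancher install, so a `default ""` guard or a documented default would be worth adding.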


@ -0,0 +1,143 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "dex.fullname" . }}
labels:
{{- include "dex.labels" . | nindent 4 }}
{{ with .Values.deploymentLabels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{ with .Values.deploymentAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
{{- if not .Values.autoscaling.enabled }}
replicas: {{ .Values.replicaCount }}
{{- end }}
{{- with .Values.strategy }}
strategy:
{{- toYaml . | nindent 4 }}
{{- end }}
selector:
matchLabels:
{{- include "dex.selectorLabels" . | nindent 6 }}
template:
metadata:
annotations:
{{- with .Values.podAnnotations }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{ if .Values.configSecret.create }}
checksum/config: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }}
{{- end }}
labels:
{{- include "dex.selectorLabels" . | nindent 8 }}
{{- with .Values.podLabels }}
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
serviceAccountName: {{ include "dex.serviceAccountName" . }}
{{- with .Values.priorityClassName }}
priorityClassName: {{ . | quote }}
{{- end }}
securityContext:
{{- toYaml .Values.podSecurityContext | nindent 8 }}
{{- with .Values.hostAliases }}
hostAliases:
{{- toYaml . | nindent 8 }}
{{- end }}
containers:
- name: {{ .Chart.Name }}
securityContext:
{{- toYaml .Values.securityContext | nindent 12 }}
image: "{{ template "registry-url" . }}{{ .Values.image.repository }}:{{ .Values.image.tag }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
args:
- dex
- serve
- --web-http-addr
- 0.0.0.0:5556
{{- if .Values.https.enabled }}
- --web-https-addr
- 0.0.0.0:5554
{{- end }}
{{- if .Values.grpc.enabled }}
- --grpc-addr
- 0.0.0.0:5557
{{- end }}
- --telemetry-addr
- 0.0.0.0:5558
- /etc/dex/config.yaml
env:
{{- range $key, $value := .Values.env }}
- name: {{ $key }}
value: {{ $value | quote }}
{{- end }}
{{- with .Values.envVars }}
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.envFrom }}
envFrom:
{{- toYaml . | nindent 12 }}
{{- end }}
ports:
- name: http
containerPort: 5556
protocol: TCP
{{- if .Values.https.enabled }}
- name: https
containerPort: 5554
protocol: TCP
{{- end }}
{{- if .Values.grpc.enabled }}
- name: grpc
containerPort: 5557
protocol: TCP
{{- end }}
- name: telemetry
containerPort: 5558
protocol: TCP
livenessProbe:
httpGet:
path: /healthz/live
port: telemetry
readinessProbe:
httpGet:
path: /healthz/ready
port: telemetry
resources:
{{- toYaml .Values.resources | nindent 12 }}
volumeMounts:
- name: config
mountPath: /etc/dex
readOnly: true
{{- with .Values.volumeMounts }}
{{- toYaml . | nindent 12 }}
{{- end }}
volumes:
- name: config
secret:
secretName: {{ include "dex.configSecretName" . }}
{{- with .Values.volumes }}
{{- toYaml . | nindent 8 }}
{{- end }}
nodeSelector:
{{- include "linux-node-selector" . | nindent 8 }}
{{- with .Values.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.topologySpreadConstraints }}
topologySpreadConstraints:
{{- toYaml . | nindent 8 }}
{{- end }}
tolerations:
{{- include "linux-node-tolerations" . | nindent 8 }}
{{- with .Values.tolerations }}
{{ toYaml . | indent 8 }}
{{- end }}
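Review bot: The image reference is built as `{{ .Values.image.repository }}:{{ .Values.image.tag }}` with no fallback, yet the README documents `image.tag` as defaulting to `""` and describes it as an override of the chart appVersion; with that default the rendered image is `ghcr.io/dexidp/dex:`, which the kubelet rejects. Use `{{ .Values.image.tag | default .Chart.AppVersion }}` so the documented behaviour holds (if values.yaml pins a tag this is only a latent bug, but the template should not depend on it). From a hardening standpoint, both `securityContext` blocks are rendered straight from values whose documented default is `{}`, so nothing in the chart stops an identity provider from running as root with privilege escalation allowed and all capabilities; shipping `runAsNonRoot: true`, `allowPrivilegeEscalation: false`, `capabilities: {drop: [ALL]}`, `readOnlyRootFilesystem: true` and `seccompProfile: {type: RuntimeDefault}` as defaults in values.yaml (outside this hunk) would be the expected baseline. Note also that the telemetry listener on `0.0.0.0:5558` is unconditional, so the health and metrics endpoints are always reachable from anything the Service and NetworkPolicy admit.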


@ -0,0 +1,32 @@
{{- if .Values.autoscaling.enabled }}
{{- if semverCompare ">=1.23-0" .Capabilities.KubeVersion.GitVersion -}}
apiVersion: autoscaling/v2
{{- else -}}
apiVersion: autoscaling/v2beta1
{{- end }}
kind: HorizontalPodAutoscaler
metadata:
name: {{ include "dex.fullname" . }}
labels:
{{- include "dex.labels" . | nindent 4 }}
spec:
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: {{ include "dex.fullname" . }}
minReplicas: {{ .Values.autoscaling.minReplicas }}
maxReplicas: {{ .Values.autoscaling.maxReplicas }}
metrics:
{{- if .Values.autoscaling.targetCPUUtilizationPercentage }}
- type: Resource
resource:
name: cpu
targetAverageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
{{- end }}
{{- if .Values.autoscaling.targetMemoryUtilizationPercentage }}
- type: Resource
resource:
name: memory
targetAverageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }}
{{- end }}
{{- end }}
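Review bot: The template selects `autoscaling/v2` on clusters >= 1.23 but still emits the `autoscaling/v2beta1` field `resource.targetAverageUtilization` for both metrics; in v2 the target moved to `resource.target.type: Utilization` / `resource.target.averageUtilization`, so on a current cluster the HPA is rejected (or has its target silently pruned) and autoscaling never engages. The field shape needs to follow the same version switch as the apiVersion, for both the cpu and memory metrics.
```yaml
  metrics:
    {{- if .Values.autoscaling.targetCPUUtilizationPercentage }}
    - type: Resource
      resource:
        name: cpu
        {{- if semverCompare ">=1.23-0" .Capabilities.KubeVersion.GitVersion }}
        target:
          type: Utilization
          averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
        {{- else }}
        targetAverageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
        {{- end }}
    {{- end }}
    # … unchanged: memory metric, same split applied with targetMemoryUtilizationPercentage …
```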


@ -0,0 +1,61 @@
{{- if .Values.ingress.enabled -}}
{{- $fullName := include "dex.fullname" . -}}
{{- $svcPort := .Values.service.ports.http.port -}}
{{- if and .Values.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }}
{{- if not (hasKey .Values.ingress.annotations "kubernetes.io/ingress.class") }}
{{- $_ := set .Values.ingress.annotations "kubernetes.io/ingress.class" .Values.ingress.className}}
{{- end }}
{{- end }}
{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}}
apiVersion: networking.k8s.io/v1
{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
apiVersion: networking.k8s.io/v1beta1
{{- else -}}
apiVersion: extensions/v1beta1
{{- end }}
kind: Ingress
metadata:
name: {{ $fullName }}
labels:
{{- include "dex.labels" . | nindent 4 }}
{{- with .Values.ingress.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
{{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }}
ingressClassName: {{ .Values.ingress.className }}
{{- end }}
{{- if .Values.ingress.tls }}
tls:
{{- range .Values.ingress.tls }}
- hosts:
{{- range .hosts }}
- {{ tpl . $ | quote }}
{{- end }}
secretName: {{ .secretName }}
{{- end }}
{{- end }}
rules:
{{- range .Values.ingress.hosts }}
- host: {{ tpl .host $ | quote }}
http:
paths:
{{- range .paths }}
- path: {{ .path }}
{{- if and .pathType (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }}
pathType: {{ .pathType }}
{{- end }}
backend:
{{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
service:
name: {{ $fullName }}
port:
number: {{ $svcPort }}
{{- else }}
serviceName: {{ $fullName }}
servicePort: {{ $svcPort }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
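Review bot: `pathType` is only emitted when a path entry sets it, but it is a required field in `networking.k8s.io/v1` (chosen for >= 1.19), so a hosts entry written like the README's own example (`paths: - path: /`, no pathType) is rejected by the API server on any current cluster. Under the >= 1.18 branch render it unconditionally with `pathType: {{ .pathType | default "ImplementationSpecific" }}`, and quote `path` and `secretName` the way `host` already is (`path: {{ .path | quote }}`). Worth a template comment as well: the ingress always targets the plain-HTTP service port (`$svcPort` is `service.ports.http.port`), so even with `https.enabled` TLS terminates at the ingress controller and the hop to Dex is cleartext, which operators should know when they decide whether a NetworkPolicy or mesh mTLS is needed.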


@ -0,0 +1,35 @@
{{- if .Values.networkPolicy.enabled }}
{{- if semverCompare "<1.7-0" .Capabilities.KubeVersion.GitVersion -}}
apiVersion: extensions/v1beta1
{{- else -}}
apiVersion: networking.k8s.io/v1
{{- end }}
kind: NetworkPolicy
metadata:
name: {{ include "dex.fullname" . }}
labels:
{{- include "dex.labels" . | nindent 4 }}
spec:
policyTypes:
{{- if .Values.networkPolicy.egressRules }}
- Egress
{{- end }}
- Ingress
podSelector:
matchLabels:
{{- include "dex.selectorLabels" . | nindent 6 }}
ingress:
- ports:
- port: http
{{- if .Values.https.enabled }}
- port: https
{{- end }}
{{- if .Values.grpc.enabled }}
- port: grpc
{{- end }}
- port: telemetry
{{- with .Values.networkPolicy.egressRules }}
egress:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}
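Review bot: The single ingress rule lists ports but carries no `from:` selector, so once this policy is enabled it admits traffic to http/https/grpc and the telemetry port from every pod in every namespace; it filters ports, not callers, which is not what someone enabling `networkPolicy.enabled` for an identity provider expects. Add a values-driven peer list so the rule can be scoped to the ingress controller and monitoring namespaces, and keep the telemetry port (metrics plus health) out of the default unrestricted set. The `< 1.7` apiVersion branch is dead code given the chart's `kubeVersion >= 1.14.0-0` and can be dropped.
```yaml
  ingress:
    - ports:
        # … unchanged: http/https/grpc/telemetry port list …
      {{- with .Values.networkPolicy.ingressFrom }}
      from:
        {{- toYaml . | nindent 8 }}
      {{- end }}
```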


@ -0,0 +1,22 @@
{{- if .Values.podDisruptionBudget.enabled }}
{{- if semverCompare ">=1.21-0" .Capabilities.KubeVersion.GitVersion -}}
apiVersion: policy/v1
{{- else -}}
apiVersion: policy/v1beta1
{{- end }}
kind: PodDisruptionBudget
metadata:
name: {{ template "dex.fullname" . }}
labels:
{{ include "dex.labels" . | indent 4 }}
spec:
{{- with .Values.podDisruptionBudget.minAvailable }}
minAvailable: {{ . }}
{{- end }}
{{- with .Values.podDisruptionBudget.maxUnavailable }}
maxUnavailable: {{ . }}
{{- end }}
selector:
matchLabels:
{{- include "dex.selectorLabels" . | nindent 6 }}
{{- end }}
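Review bot: The labels block uses `{{ include "dex.labels" . | indent 4 }}` with a non-trimming `{{`, whereas every other template in this commit uses `{{- include "dex.labels" . | nindent 4 }}`; `indent` also indents the first line, so unless that tag sits at column 0 (the rendered view strips indentation, so I cannot tell) the first label lands at column 8 and the PDB fails to parse. Making it `{{- include "dex.labels" . | nindent 4 }}` is safe in either case and consistent with the rest of the chart. Note too that `{{- with .Values.podDisruptionBudget.minAvailable }}` treats `0` as unset, so `minAvailable: 0` is silently dropped; `{{- if not (kindIs "invalid" ...) }}` or documenting the limitation would avoid surprise.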


@ -0,0 +1,86 @@
{{- if .Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy" -}}
{{- if .Values.serviceAccount.create }}
{{- if .Values.global.rbac.pspEnabled }}
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: {{ printf "%s-psp" .Values.serviceAccount.name | quote }}
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: "{{ replace "+" "_" .Chart.Version }}"
app.kubernetes.io/part-of: {{ .Values.serviceAccount.name | quote }}
app: {{ .Values.serviceAccount.name | quote }}
{{- if .Values.global.rbac.pspAnnotations }}
annotations: {{ toYaml .Values.global.rbac.pspAnnotations | nindent 4 }}
{{- end }}
spec:
privileged: false
hostNetwork: false
hostIPC: false
hostPID: false
runAsUser:
# Permits the container to run with root privileges as well.
rule: 'RunAsAny'
seLinux:
# This policy assumes the nodes are using AppArmor rather than SELinux.
rule: 'RunAsAny'
supplementalGroups:
rule: 'MustRunAs'
ranges:
# Forbid adding the root group.
- min: 0
max: 65535
fsGroup:
rule: 'MustRunAs'
ranges:
# Forbid adding the root group.
- min: 0
max: 65535
readOnlyRootFilesystem: false
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ printf "%s-psp" .Values.serviceAccount.name | quote }}
labels:
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: "{{ replace "+" "_" .Chart.Version }}"
app.kubernetes.io/part-of: {{ .Values.serviceAccount.name | quote }}
app: {{ .Values.serviceAccount.name | quote }}
rules:
{{- if semverCompare "> 1.15.0-0" .Capabilities.KubeVersion.GitVersion }}
- apiGroups: ['policy']
{{- else }}
- apiGroups: ['extensions']
{{- end }}
resources: ['podsecuritypolicies']
verbs: ['use']
resourceNames:
- {{ printf "%s-psp" .Values.serviceAccount.name | quote }}
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ printf "%s-psp" .Values.serviceAccount.name | quote }}
labels:
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: "{{ replace "+" "_" .Chart.Version }}"
app.kubernetes.io/part-of: {{ .Values.serviceAccount.name | quote }}
app: {{ .Values.serviceAccount.name | quote }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ printf "%s-psp" .Values.serviceAccount.name | quote }}
subjects:
- kind: ServiceAccount
name: {{ .Values.serviceAccount.name | quote }}
namespace: {{ .Release.Namespace }}
{{- end }}
{{- end }}
{{- end -}}
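Review bot: The PSP, ClusterRole, ClusterRoleBinding names and the binding subject are all derived from `.Values.serviceAccount.name`, whose documented default is `""`, while the pod actually uses `include "dex.serviceAccountName"`; with default values the objects are named `-psp` (not a valid DNS subdomain) and the `use` grant targets an empty SA name, so the generated service account never gets the PSP and pods are denied wherever PSP admission is enforced. Use `{{ include "dex.fullname" . }}-psp` for the object names and `{{ include "dex.serviceAccountName" . }}` for the subject. The comments on `supplementalGroups`/`fsGroup` say "Forbid adding the root group" but the ranges start at `min: 0`, which explicitly permits GID 0 — either set `min: 1` or correct the comment — and `runAsUser: RunAsAny` (the comment admits it allows root) would normally be `MustRunAsNonRoot` for an IdP. The `namespace:` field on the cluster-scoped PodSecurityPolicy is ignored and can be removed.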


@ -0,0 +1,55 @@
{{- if .Values.rbac.create }}
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ include "dex.fullname" . }}
labels:
{{- include "dex.labels" . | nindent 4 }}
rules:
- apiGroups: ["dex.coreos.com"]
resources: ["*"]
verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ include "dex.fullname" . }}
labels:
{{- include "dex.labels" . | nindent 4 }}
roleRef:
kind: Role
apiGroup: rbac.authorization.k8s.io
name: {{ include "dex.fullname" . }}
subjects:
- kind: ServiceAccount
namespace: {{ .Release.Namespace }}
name: {{ include "dex.serviceAccountName" . }}
{{- if .Values.rbac.createClusterScoped }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ include "dex.fullname" . }}
labels:
{{- include "dex.labels" . | nindent 4 }}
rules:
- apiGroups: ["apiextensions.k8s.io"]
resources: ["customresourcedefinitions"]
verbs: ["list", "create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ include "dex.fullname" . }}-cluster
labels:
{{- include "dex.labels" . | nindent 4 }}
roleRef:
kind: ClusterRole
apiGroup: rbac.authorization.k8s.io
name: {{ include "dex.fullname" . }}
subjects:
- kind: ServiceAccount
namespace: {{ .Release.Namespace }}
name: {{ include "dex.serviceAccountName" . }}
{{- end }}
{{- end }}
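Review bot: The ClusterRole grants the Dex service account `create` on `customresourcedefinitions` cluster-wide, and `rbac.createClusterScoped` defaults to true, so a compromised Dex pod can register arbitrary new API types in the cluster; that is a much larger blast radius than the namespaced `dex.coreos.com` Role and is granted even when `config.storage.type` is `memory` or SQL and Dex never talks to the API server (the bundled ci values all use memory). Gate the cluster-scoped objects on kubernetes storage, e.g. `{{- if and .Values.rbac.createClusterScoped (eq (dig "storage" "type" "" .Values.config) "kubernetes") }}`, and add a comment recommending that production installs pre-create the CRDs and set `rbac.createClusterScoped: false`. The namespaced Role's `resources: ["*"] verbs: ["*"]` is Dex's own storage group so it is tolerable, but an explicit verb list would make the grant auditable.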


@ -0,0 +1,11 @@
{{- if .Values.configSecret.create -}}
apiVersion: v1
kind: Secret
metadata:
name: {{ include "dex.configSecretName" . }}
labels:
{{- include "dex.labels" . | nindent 4 }}
type: Opaque
data:
config.yaml: {{ .Values.config | toYaml | b64enc | quote }}
{{- end }}
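Review bot: Everything under `config` — connector client secrets, `staticPasswords` hashes, storage credentials — is base64-encoded into this Secret and, because it arrives via Helm values, is also persisted in the release record in the cluster, so anyone with read access to release secrets or the values file holds the IdP's credentials. A short template comment is warranted: `# NOTE: the full Dex config, including any credentials in it, is stored here and in the Helm release; prefer referencing secrets via envFrom/env and $VAR expansion in config.yaml` — Dex's config loader expands environment variables in config.yaml as far as I recall, which is presumably why the chart exposes `envFrom` and `env`. Keeping the `| quote` after `b64enc` is correct and should stay.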


@ -0,0 +1,59 @@
apiVersion: v1
kind: Service
metadata:
name: {{ include "dex.fullname" . }}
labels:
{{- include "dex.labels" . | nindent 4 }}
{{- with .Values.service.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
type: {{ .Values.service.type }}
{{- with .Values.service.clusterIP }}
clusterIP: {{ . }}
{{- end }}
ports:
- name: http
port: {{ .Values.service.ports.http.port }}
{{- if and (or (eq .Values.service.type "NodePort") (eq .Values.service.type "LoadBalancer")) .Values.service.ports.http.nodePort }}
nodePort: {{ .Values.service.ports.http.nodePort }}
{{- end }}
targetPort: http
protocol: TCP
{{- if semverCompare ">=1.20-0" .Capabilities.KubeVersion.GitVersion }}
appProtocol: http
{{- end }}
{{- if .Values.https.enabled }}
- name: https
port: {{ .Values.service.ports.https.port }}
{{- if and (or (eq .Values.service.type "NodePort") (eq .Values.service.type "LoadBalancer")) .Values.service.ports.https.nodePort }}
nodePort: {{ .Values.service.ports.https.nodePort }}
{{- end }}
targetPort: https
protocol: TCP
{{- if semverCompare ">=1.20-0" .Capabilities.KubeVersion.GitVersion }}
appProtocol: https
{{- end }}
{{- end }}
{{- if .Values.grpc.enabled }}
- name: grpc
port: {{ .Values.service.ports.grpc.port }}
{{- if and (or (eq .Values.service.type "NodePort") (eq .Values.service.type "LoadBalancer")) .Values.service.ports.grpc.nodePort }}
nodePort: {{ .Values.service.ports.grpc.nodePort }}
{{- end }}
targetPort: grpc
protocol: TCP
{{- if semverCompare ">=1.20-0" .Capabilities.KubeVersion.GitVersion }}
appProtocol: http
{{- end }}
{{- end }}
- name: telemetry
port: 5558
targetPort: telemetry
protocol: TCP
{{- if semverCompare ">=1.20-0" .Capabilities.KubeVersion.GitVersion }}
appProtocol: http
{{- end }}
selector:
{{- include "dex.selectorLabels" . | nindent 4 }}
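Review bot: The gRPC port is annotated `appProtocol: http`, which tells protocol-aware proxies (service meshes, some cloud load balancers) to treat the Dex API as HTTP/1.1; gRPC is HTTP/2 and, in Dex, usually TLS-protected, so a proxy honouring this hint can break or downgrade the connection. Use `appProtocol: grpc` (or `kubernetes.io/h2c` if the endpoint is cleartext h2) for that port. The telemetry port is always published on the Service, so the metrics/health endpoints are reachable by anything that can reach the Service regardless of `serviceMonitor.enabled`; a comment stating that, or a value to disable its Service port, would help operators who lock the IdP down.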


@ -0,0 +1,12 @@
{{- if .Values.serviceAccount.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "dex.serviceAccountName" . }}
labels:
{{- include "dex.labels" . | nindent 4 }}
{{- with .Values.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}


@ -0,0 +1,54 @@
{{- if .Values.serviceMonitor.enabled }}
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
{{- with .Values.serviceMonitor.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
name: {{ include "dex.fullname" . }}
{{- with .Values.serviceMonitor.namespace }}
namespace: {{ . }}
{{- end }}
labels:
{{- include "dex.labels" . | nindent 4 }}
{{- with .Values.serviceMonitor.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
endpoints:
- port: telemetry
{{- with .Values.serviceMonitor.interval }}
interval: {{ . }}
{{- end }}
{{- with .Values.serviceMonitor.scheme }}
scheme: {{ . }}
{{- end }}
{{- with .Values.serviceMonitor.bearerTokenFile }}
bearerTokenFile: {{ . }}
{{- end }}
{{- with .Values.serviceMonitor.tlsConfig }}
tlsConfig:
{{- toYaml .| nindent 6 }}
{{- end }}
{{- with .Values.serviceMonitor.scrapeTimeout }}
scrapeTimeout: {{ . }}
{{- end }}
path: {{ .Values.serviceMonitor.path }}
honorLabels: {{ .Values.serviceMonitor.honorLabels }}
{{- with .Values.serviceMonitor.metricRelabelings }}
metricRelabelings:
{{- tpl (toYaml . | nindent 6) $ }}
{{- end }}
{{- with .Values.serviceMonitor.relabelings }}
relabelings:
{{- toYaml . | nindent 6 }}
{{- end }}
jobLabel: {{ include "dex.fullname" . }}
selector:
matchLabels:
{{- include "dex.selectorLabels" . | nindent 6 }}
namespaceSelector:
matchNames:
- {{ .Release.Namespace }}
{{- end }}
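Review bot: `path` and `honorLabels` at lines 1739-1740 are rendered unconditionally, but the dex values.yaml added in this same commit (serviceMonitor block, lines 1937-1979 as shown here) declares neither key, so both render empty; whether the ServiceMonitor CRD accepts a null `honorLabels` depends on the operator version, so either add `path: /metrics` and `honorLabels: false` to values.yaml or wrap both lines in `{{- with }}` like the neighbouring fields. Separately, `metricRelabelings` at line 1743 is passed through `tpl` while `relabelings` at line 1747 is not; if template expansion is intended for one it is presumably intended for both, so `{{- tpl (toYaml . | nindent 6) $ }}` on line 1747 would make them consistent. Minor: `toYaml .| nindent 6` on line 1734 is missing the space before the pipe.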


@ -0,0 +1,13 @@
{{- if not .Values.configSecret.create -}}
apiVersion: v1
kind: Secret
metadata:
name: {{ include "dex.configSecretName" . }}-test-no-create
labels:
{{- include "dex.labels" . | nindent 4 }}
annotations:
"helm.sh/hook": test
type: Opaque
data:
config.yaml: {{ .Values.config | toYaml | b64enc | quote }}
{{- end }}
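Review bot: The test-hook Secret created when `configSecret.create` is false carries the full rendered `config` value (line 1772), which for dex typically includes connector credentials and static client secrets, yet no `helm.sh/hook-delete-policy` is set, so this second copy stays in the namespace after `helm test` finishes. Adding `"helm.sh/hook-delete-policy": hook-succeeded,hook-failed` beside the hook annotation on line 1769 removes it once the test run completes. If the resource only needs to prove that the values render, it may not need the real configuration at all.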


@ -0,0 +1,324 @@
# Default values for dex.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
# -- Number of replicas (pods) to launch.
replicaCount: 1
# -- Labels to apply to all resources and selectors.
commonLabels: {}
# team_name: dev
image:
# -- Name of the image repository to pull the container image from.
repository: rancher/mirrored-dexidp-dex
tag: v2.36.0
# -- [Image pull policy](https://kubernetes.io/docs/concepts/containers/images/#updating-images) for updating already existing images on a node.
pullPolicy: IfNotPresent
# -- Reference to one or more secrets to be used when [pulling images](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/#create-a-pod-that-uses-your-secret) (from private registries).
imagePullSecrets: []
# -- A name in place of the chart name for `app:` labels.
nameOverride: ""
# -- A name to substitute for the full names of resources.
fullnameOverride: ""
# -- A list of hosts and IPs that will be injected into the pod's hosts file if specified.
# See the [API reference](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#hostname-and-name-resolution)
hostAliases: []
https:
# -- Enable the HTTPS endpoint.
enabled: false
grpc:
# -- Enable the gRPC endpoint.
# Read more in the [documentation](https://dexidp.io/docs/api/).
enabled: false
configSecret:
# -- Enable creating a secret from the values passed to `config`.
# If set to false, name must point to an existing secret.
create: true
# -- The name of the secret to mount as configuration in the pod.
# If not set and create is true, a name is generated using the fullname template.
# Must point to secret that contains at least a `config.yaml` key.
name: ""
# -- Application configuration.
# See the [official documentation](https://dexidp.io/docs/).
config: {}
# -- Additional storage [volumes](https://kubernetes.io/docs/concepts/storage/volumes/).
# See the [API reference](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#volumes-1) for details.
volumes: []
# -- Additional [volume mounts](https://kubernetes.io/docs/tasks/configure-pod-container/configure-volume-storage/).
# See the [API reference](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#volumes-1) for details.
volumeMounts: []
# -- Additional environment variables mounted from [secrets](https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets-as-environment-variables) or [config maps](https://kubernetes.io/docs/tasks/configure-pod-container/configure-pod-configmap/#configure-all-key-value-pairs-in-a-configmap-as-container-environment-variables).
# See the [API reference](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#environment-variables) for details.
envFrom: []
# -- Additional environment variables passed directly to containers.
# See the [API reference](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#environment-variables) for details.
env: {}
# -- Similar to env but with support for all possible configurations.
# See the [API reference](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#environment-variables) for details.
envVars: []
# - name: SOME_ENV_VAR
# value: value
# - name: SOME_ENV_VAR2
# valueFrom:
# secretKeyRef:
# name: secret-name
# key: secret-key
# - name: SOME_ENV_VAR3
# valueFrom:
# configMapKeyRef:
# name: config-map-name
# key: config-map-key
serviceAccount:
# -- Enable service account creation.
create: true
# -- Annotations to be added to the service account.
annotations: {}
# -- The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template.
name: "dex-sa"
rbac:
# -- Specifies whether RBAC resources should be created.
# If disabled, the operator is responsible for creating the necessary resources based on the templates.
create: true
# -- Specifies which RBAC resources should be created.
# If disabled, the operator is responsible for creating the necessary resources (ClusterRole and RoleBinding or CRD's)
createClusterScoped: true
# -- Annotations to be added to deployment.
deploymentAnnotations: {}
# -- Labels to be added to deployment.
deploymentLabels: {}
# -- Annotations to be added to pods.
podAnnotations: {}
# -- Labels to be added to pods.
podLabels: {}
podDisruptionBudget:
# -- Enable a [pod distruption budget](https://kubernetes.io/docs/tasks/run-application/configure-pdb/) to help dealing with [disruptions](https://kubernetes.io/docs/concepts/workloads/pods/disruptions/).
# It is **highly recommended** for webhooks as disruptions can prevent launching new pods.
enabled: false
# -- (int/percentage) Number or percentage of pods that must remain available.
minAvailable:
# -- (int/percentage) Number or percentage of pods that can be unavailable.
maxUnavailable:
# -- Specify a priority class name to set [pod priority](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/#pod-priority).
priorityClassName: ""
# -- Pod [security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod).
# See the [API reference](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context) for details.
podSecurityContext: {}
# fsGroup: 2000
# -- Container [security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container).
# See the [API reference](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) for details.
securityContext: {}
# capabilities:
# drop:
# - ALL
# readOnlyRootFilesystem: true
# runAsNonRoot: true
# runAsUser: 1000
service:
# -- Annotations to be added to the service.
annotations: {}
# -- Kubernetes [service type](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types).
type: ClusterIP
# -- Internal cluster service IP (when applicable)
clusterIP: ""
ports:
http:
# -- HTTP service port
port: 5556
# -- (int) HTTP node port (when applicable)
nodePort:
https:
# -- HTTPS service port
port: 5554
# -- (int) HTTPS node port (when applicable)
nodePort:
grpc:
# -- gRPC service port
port: 5557
# -- (int) gRPC node port (when applicable)
nodePort:
ingress:
# -- Enable [ingress](https://kubernetes.io/docs/concepts/services-networking/ingress/).
enabled: false
# -- Ingress [class name](https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class).
className: ""
# -- Annotations to be added to the ingress.
annotations: {}
# kubernetes.io/ingress.class: nginx
# kubernetes.io/tls-acme: "true"
# -- Ingress host configuration.
# @default -- See [values.yaml](values.yaml).
hosts:
- host: chart-example.local
paths:
- path: /
pathType: ImplementationSpecific
# -- Ingress TLS configuration.
# @default -- See [values.yaml](values.yaml).
tls: []
# - secretName: chart-example-tls
# hosts:
# - chart-example.local
serviceMonitor:
# -- Enable Prometheus ServiceMonitor.
# See the [documentation](https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/design.md#servicemonitor) and the [API reference](https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#servicemonitor) for details.
enabled: false
# -- Namespace where the ServiceMonitor resource should be deployed.
# @default -- Release namespace.
namespace: ""
# -- (duration) Prometheus scrape interval.
interval:
# -- (duration) Prometheus scrape timeout.
scrapeTimeout:
# -- Labels to be added to the ServiceMonitor.
## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#prometheusspec
labels: {}
# -- Annotations to be added to the ServiceMonitor.
## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#prometheusspec
annotations: {}
# -- HTTP scheme to use for scraping.
# Can be used with `tlsConfig` for example if using istio mTLS.
scheme: ""
# -- TLS configuration to use when scraping the endpoint.
# For example if using istio mTLS.
## Of type: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#tlsconfig
tlsConfig: {}
# -- Prometheus scrape bearerTokenFile
bearerTokenFile:
# -- Prometheus scrape metric relabel configs
# to apply to samples before ingestion.
## [Metric Relabeling](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#metric_relabel_configs)
metricRelabelings: []
# - action: keep
# regex: 'kube_(daemonset|deployment|pod|namespace|node|statefulset).+'
# sourceLabels: [__name__]
# -- Relabel configs to apply
# to samples before ingestion.
## [Relabeling](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config)
relabelings: []
# - sourceLabels: [__meta_kubernetes_pod_node_name]
# separator: ;
# regex: ^(.*)$
# targetLabel: nodename
# replacement: $1
# action: replace
# -- Container resource [requests and limits](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/).
# See the [API reference](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources) for details.
# @default -- No requests or limits.
resources: {}
# We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little
# resources, such as Minikube. If you do want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
# limits:
# cpu: 100m
# memory: 128Mi
# requests:
# cpu: 100m
# memory: 128Mi
# -- Autoscaling configuration (see [values.yaml](values.yaml) for details).
# @default -- Disabled by default.
autoscaling:
enabled: false
minReplicas: 1
maxReplicas: 100
targetCPUUtilizationPercentage: 80
# targetMemoryUtilizationPercentage: 80
# -- [Node selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) configuration.
nodeSelector: {}
# -- [Tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) for node taints.
# See the [API reference](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling) for details.
tolerations: []
# -- [Affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) configuration.
# See the [API reference](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling) for details.
affinity: {}
# -- [TopologySpreadConstraints](https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/) configuration.
# See the [API reference](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling) for details.
topologySpreadConstraints: []
# -- Deployment [strategy](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy) configuration.
strategy: {}
# rollingUpdate:
# maxUnavailable: 1
# type: RollingUpdate
networkPolicy:
# -- Create [Network Policies](https://kubernetes.io/docs/concepts/services-networking/network-policies/)
enabled: false
# -- A list of network policy egress rules
egressRules: []
# Allow DNS egress traffic
# - ports:
# - port: 53
# protocol: UDP
# - port: 53
# protocol: TCP
# Example to allow LDAP connector to reach LDAPs port on 1.2.3.4 server
# - to:
# - ipBlock
# cidr: 1.2.3.4/32
# ports:
# - port: 636
# protocol: TCP
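Review bot: `securityContext` (line 1885) and `podSecurityContext` (line 1881) default to `{}`, so the chart ships without `runAsNonRoot`, `readOnlyRootFilesystem` or dropped capabilities even though the commented example directly below line 1885 shows exactly that configuration, and `networkPolicy.enabled` (line 2020) is off as well. For an identity provider distributed through Rancher a restrictive default would be preferable; if the upstream defaults are being kept deliberately, a comment such as `# -- Kept empty to match upstream; runAsNonRoot, readOnlyRootFilesystem and dropping ALL capabilities are recommended in production` on line 1883 would make that choice explicit. Also, `serviceAccount.name` (line 1853) is hard-coded to `"dex-sa"` while its comment still describes the generated-name behaviour that applies only when the value is empty; either clear the value or adjust the comment.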


@ -0,0 +1,23 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*~
# Various IDEs
.project
.idea/
*.tmproj
# Helm files
OWNERS


@ -0,0 +1,12 @@
apiVersion: v1
appVersion: v0.13.2
description: Config Syncer by AppsCode - Kubernetes daemon
home: https://github.com/kubeops/config-syncer
icon: https://cdn.appscode.com/images/products/kubed/icons/android-icon-192x192.png
maintainers:
- email: support@appscode.com
name: appscode
name: kubed
sources:
- https://github.com/kubeops/config-syncer
version: v0.13.2


@ -0,0 +1,94 @@
# Config Syncer
[Config Syncer by AppsCode](https://github.com/kubeops/config-syncer) - A Kubernetes cluster manager daemon
## TL;DR;
```console
$ helm repo add appscode https://charts.appscode.com/stable/
$ helm repo update
$ helm install kubed appscode/kubed -n kube-system
```
## Introduction
This chart deploys a Config Syncer operator on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager.
## Prerequisites
- Kubernetes 1.11+
## Installing the Chart
To install the chart with the release name `kubed`:
```console
$ helm install kubed appscode/kubed -n kube-system
```
The command deploys a Config Syncer operator on the Kubernetes cluster in the default configuration. The [configuration](#configuration) section lists the parameters that can be configured during installation.
> **Tip**: List all releases using `helm list`
## Uninstalling the Chart
To uninstall/delete the `kubed`:
```console
$ helm delete kubed -n kube-system
```
The command removes all the Kubernetes components associated with the chart and deletes the release.
## Configuration
The following table lists the configurable parameters of the `kubed` chart and their default values.
| Parameter | Description | Default |
|--------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------|
| nameOverride | Overrides name template | <code>""</code> |
| fullnameOverride | Overrides fullname template | <code>""</code> |
| replicaCount | Number of Config Syncer operator replicas to create (only 1 is supported) | <code>1</code> |
| operator.registry | Docker registry used to pull Config Syncer operator image | <code>appscode</code> |
| operator.repository | Config Syncer operator container image | <code>kubed</code> |
| operator.tag | Config Syncer operator container image tag | <code>v0.13.2</code> |
| operator.resources | Compute Resources required by the operator container | <code>{}</code> |
| operator.securityContext | Security options the operator container should run with | <code>{}</code> |
| imagePullSecrets | Specify an array of imagePullSecrets. Secrets must be manually created in the namespace. <br> Example: <br> `helm template charts/kubed \` <br> `--set imagePullSecrets[0].name=sec0 \` <br> `--set imagePullSecrets[1].name=sec1` | <code>[]</code> |
| imagePullPolicy | Container image pull policy | <code>IfNotPresent</code> |
| criticalAddon | If true, installs Config Syncer operator as critical addon | <code>false</code> |
| logLevel | Log level for operator | <code>3</code> |
| annotations | Annotations applied to operator deployment | <code>{}</code> |
| podAnnotations | Annotations passed to operator pod(s). | <code>{}</code> |
| nodeSelector | Node labels for pod assignment | <code>{}</code> |
| tolerations | Tolerations for pod assignment | <code>[]</code> |
| affinity | Affinity rules for pod assignment | <code>{}</code> |
| podSecurityContext | Security options the operator pod should run with. | <code>{"fsGroup":65535}</code> |
| serviceAccount.create | Specifies whether a service account should be created | <code>true</code> |
| serviceAccount.annotations | Annotations to add to the service account | <code>{}</code> |
| serviceAccount.name | The name of the service account to use. If not set and create is true, a name is generated using the fullname template | <code>""</code> |
| apiserver.securePort | Port used by Config Syncer server | <code>"8443"</code> |
| apiserver.useKubeapiserverFqdnForAks | If true, uses kube-apiserver FQDN for AKS cluster to workaround https://github.com/Azure/AKS/issues/522 (default true) | <code>true</code> |
| apiserver.healthcheck.enabled | healthcheck configures the readiness and liveliness probes for the operator pod. | <code>false</code> |
| apiserver.servingCerts.generate | If true, generates on install/upgrade the certs that allow the kube-apiserver (and potentially ServiceMonitor) to authenticate operators pods. Otherwise specify certs in `apiserver.servingCerts.{caCrt, serverCrt, serverKey}`. | <code>true</code> |
| apiserver.servingCerts.caCrt | CA certficate used by serving certificate of Config Syncer server. | <code>""</code> |
| apiserver.servingCerts.serverCrt | Serving certficate used by Config Syncer server. | <code>""</code> |
| apiserver.servingCerts.serverKey | Private key for the serving certificate used by Config Syncer server. | <code>""</code> |
| enableAnalytics | If true, sends usage analytics | <code>true</code> |
| config.clusterName | Set cluster-name to something meaningful to you, say, prod, prod-us-east, qa, etc. so that you can distinguish notifications sent by kubed | <code>unicorn</code> |
| config.configSourceNamespace | If set, configmaps and secrets from only this namespace will be synced | <code>""</code> |
| config.kubeconfigContent | kubeconfig file content for configmap and secret syncer | <code>""</code> |
Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example:
```console
$ helm install kubed appscode/kubed -n kube-system --set replicaCount=1
```
Alternatively, a YAML file that specifies the values for the parameters can be provided while
installing the chart. For example:
```console
$ helm install kubed appscode/kubed -n kube-system --values values.yaml
```


@ -0,0 +1,18 @@
project:
name: Config Syncer by AppsCode
shortName: Config Syncer
url: https://github.com/kubeops/config-syncer
description: A Kubernetes cluster manager daemon
app: a Config Syncer operator
repository:
url: https://charts.appscode.com/stable/
name: appscode
chart:
name: kubed
values: "-- generate from values file --"
valuesExample: "-- generate from values file --"
prerequisites:
- Kubernetes 1.11+
release:
name: kubed
namespace: kube-system


@ -0,0 +1,3 @@
To verify that Config Syncer has started, run:
kubectl get deployment --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "kubed.name" . }},app.kubernetes.io/instance={{ .Release.Name }}"


@ -0,0 +1,93 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "kubed.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "kubed.fullname" -}}
{{- if .Values.fullnameOverride }}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- $name := default .Chart.Name .Values.nameOverride }}
{{- if contains $name .Release.Name }}
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{- end }}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "kubed.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Common labels
*/}}
{{- define "kubed.labels" -}}
helm.sh/chart: {{ include "kubed.chart" . }}
{{ include "kubed.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "kubed.selectorLabels" -}}
app.kubernetes.io/name: {{ include "kubed.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{/*
Create the name of the service account to use
*/}}
{{- define "kubed.serviceAccountName" -}}
{{- if .Values.serviceAccount.create }}
{{- default (include "kubed.fullname" .) .Values.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.serviceAccount.name }}
{{- end }}
{{- end }}
{{/*
Windows cluster will add default taint for linux nodes, add below linux tolerations to
workloads could be scheduled to those linux nodes
*/}}
{{- define "linux-node-tolerations" -}}
- key: "cattle.io/os"
value: "linux"
effect: "NoSchedule"
operator: "Equal"
{{- end -}}
{{- define "linux-node-selector" -}}
{{- if semverCompare "<1.14-0" .Capabilities.KubeVersion.GitVersion -}}
beta.kubernetes.io/os: linux
{{- else -}}
kubernetes.io/os: linux
{{- end -}}
{{- end -}}
{{/*
URL prefix for container images to be compatible with Rancher
*/}}
{{- define "registry-url" -}}
{{- if .Values.global.cattle.systemDefaultRegistry -}}
{{ trimSuffix "/" .Values.global.cattle.systemDefaultRegistry }}/
{{- else -}}
{{ .Values.operator.registry }}/
{{- end -}}
{{- end -}}
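Review bot: `registry-url` at lines 2263-2269 dereferences `.Values.global.cattle.systemDefaultRegistry` directly; when `global.cattle` is absent from the merged values (the kubed values.yaml in this commit is cut off in this view, so I cannot confirm it declares the key) Helm aborts with a nil-pointer error instead of falling back to `operator.registry`. A guarded lookup — a nested `with`, or Sprig's `dig "cattle" "systemDefaultRegistry" "" .Values.global` — keeps the chart renderable for users who do not supply the Rancher globals. The same consideration applies to `.Values.global.rbac.pspEnabled` in psp.yaml.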


@ -0,0 +1,58 @@
{{- $serverCrt := "" }}
{{- $serverKey := "" }}
{{- if .Values.apiserver.servingCerts.generate }}
{{- $ca := genCA "ca" 3650 }}
{{- $cn := include "kubed.fullname" . -}}
{{- $altName1 := printf "%s.%s" $cn .Release.Namespace }}
{{- $altName2 := printf "%s.%s.svc" $cn .Release.Namespace }}
{{- $server := genSignedCert $cn nil (list $altName1 $altName2) 3650 $ca }}
{{- $serverCrt = b64enc $server.Cert }}
{{- $serverKey = b64enc $server.Key }}
{{- else }}
{{- $serverCrt = required "Required when apiserver.servingCerts.generate is false" .Values.apiserver.servingCerts.serverCrt }}
{{- $serverKey = required "Required when apiserver.servingCerts.generate is false" .Values.apiserver.servingCerts.serverKey }}
{{- end }}
apiVersion: v1
kind: Secret
metadata:
name: {{ template "kubed.fullname" . }}-apiserver-cert
namespace: {{ .Release.Namespace }}
labels:
{{- include "kubed.labels" . | nindent 4 }}
type: Opaque
data:
tls.crt: {{ $serverCrt }}
tls.key: {{ $serverKey }}
---
# to read the config for terminating authentication
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ template "kubed.fullname" . }}-apiserver-extension-server-authentication-reader
namespace: kube-system
labels:
{{- include "kubed.labels" . | nindent 4 }}
roleRef:
kind: Role
apiGroup: rbac.authorization.k8s.io
name: extension-apiserver-authentication-reader
subjects:
- kind: ServiceAccount
name: {{ template "kubed.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
---
# to delegate authentication and authorization
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ template "kubed.fullname" . }}-apiserver-auth-delegator
labels:
{{- include "kubed.labels" . | nindent 4 }}
roleRef:
kind: ClusterRole
apiGroup: rbac.authorization.k8s.io
name: system:auth-delegator
subjects:
- kind: ServiceAccount
name: {{ template "kubed.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
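Review bot: The CA generated at line 2277 is used only to sign the leaf and then discarded — no caBundle or CA key is written anywhere — so nothing in the cluster can verify the serving certificate, and the `apiserver.servingCerts.caCrt` value listed in the README (line 2137) is never read by this template. Because `genCA`/`genSignedCert` run on every render, each `helm upgrade` also rotates the key pair and, through the checksum annotation in deployment.yaml, restarts the operator; a `lookup` of the existing Secret before regenerating (empty under `helm template`, so keep the generate path as fallback) would keep it stable across upgrades. In the non-generate branch (lines 2285-2286) the values are placed into `data:` verbatim, so they must already be base64-encoded; that should be stated on the values keys, or the template should apply `b64enc` as the generated branch does.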


@ -0,0 +1,14 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ template "kubed.fullname" . }}
labels:
{{- include "kubed.labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "kubed.fullname" . }}
subjects:
- kind: ServiceAccount
name: {{ template "kubed.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}


@ -0,0 +1,24 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ template "kubed.fullname" . }}
labels:
{{- include "kubed.labels" . | nindent 4 }}
rules:
- apiGroups: [""]
resources:
- configmaps
- secrets
verbs: ["get", "create", "patch", "delete", "list", "watch"]
- apiGroups: [""]
resources:
- namespaces
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources:
- nodes
verbs: ["list"]
- apiGroups: [""]
resources:
- events
verbs: ["create"]
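Review bot: The first rule (lines 2361-2365) grants get/create/patch/delete/list/watch on Secrets and ConfigMaps in every namespace with no `resourceNames` or namespace restriction; that is what a cluster-wide syncer needs, but it makes the kubed ServiceAccount token equivalent to read/write access to all cluster secrets, and nothing in the chart documents this. A comment above the rule such as `# the syncer copies ConfigMaps/Secrets between namespaces, so cluster-wide read/write is required` plus a README remark that `config.configSourceNamespace` narrows what is synced, not what the token may access, would help operators assess the exposure. The `nodes` and `events` rules look appropriately minimal.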


@ -0,0 +1,119 @@
{{- $major := default "0" .Capabilities.KubeVersion.Major | trimSuffix "+" | int64 }}
{{- $minor := default "0" .Capabilities.KubeVersion.Minor | trimSuffix "+" | int64 }}
{{- $criticalAddon := and .Values.criticalAddon (or (eq .Release.Namespace "kube-system") (and (ge $major 1) (ge $minor 17))) -}}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "kubed.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "kubed.labels" . | nindent 4 }}
{{- with .Values.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
replicas: {{ .Values.replicaCount }}
selector:
matchLabels:
{{- include "kubed.selectorLabels" . | nindent 6 }}
template:
metadata:
labels:
{{- include "kubed.selectorLabels" . | nindent 8 }}
annotations:
checksum/apiregistration.yaml: {{ include (print $.Template.BasePath "/apiregistration.yaml") . | sha256sum }}
{{- if $criticalAddon }}
scheduler.alpha.kubernetes.io/critical-pod: ''
{{- end }}
{{- with .Values.podAnnotations }}
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
serviceAccountName: {{ include "kubed.serviceAccountName" . }}
containers:
- name: kubed
securityContext:
{{- toYaml .Values.operator.securityContext | nindent 10 }}
image: {{ template "registry-url" . }}{{ .Values.operator.repository }}:{{ .Values.operator.tag }}
imagePullPolicy: {{ .Values.imagePullPolicy }}
args:
- run
- --v={{ .Values.logLevel }}
- --secure-port={{ default "8443" .Values.apiserver.securePort }}
- --audit-log-path=-
- --tls-cert-file=/var/serving-cert/tls.crt
- --tls-private-key-file=/var/serving-cert/tls.key
- --use-kubeapiserver-fqdn-for-aks={{ .Values.apiserver.useKubeapiserverFqdnForAks }}
- --enable-analytics={{ .Values.enableAnalytics }}
{{- with .Values.config.clusterName }}
- --cluster-name={{ . }}
{{- end }}
{{- with .Values.config.configSourceNamespace }}
- --config-source-namespace={{ . }}
{{- end }}
{{- if .Values.config.kubeconfigContent }}
- --kubeconfig-file=/srv/kubed/kubeconfig
{{- end }}
{{- range .Values.config.additionalOptions }}
- {{ . }}
{{- end }}
ports:
- containerPort: {{ default "8443" .Values.apiserver.securePort }}
{{- if .Values.apiserver.healthcheck.enabled }}
readinessProbe:
httpGet:
path: /healthz
port: {{ default "8443" .Values.apiserver.securePort }}
scheme: HTTPS
initialDelaySeconds: 5
livenessProbe:
httpGet:
path: /healthz
port: {{ default "8443" .Values.apiserver.securePort }}
scheme: HTTPS
initialDelaySeconds: 5
{{- end }}
resources:
{{- toYaml .Values.operator.resources | nindent 10 }}
volumeMounts:
- name: config
mountPath: /srv/kubed
- name: scratch
mountPath: /tmp
- mountPath: /var/serving-cert
name: serving-cert
volumes:
- name: config
secret:
secretName: {{ template "kubed.fullname" . }}
- name: scratch
emptyDir: {}
- name: serving-cert
secret:
defaultMode: 420
secretName: {{ template "kubed.fullname" . }}-apiserver-cert
securityContext:
{{- toYaml .Values.podSecurityContext | nindent 8 }}
tolerations:
{{- include "linux-node-tolerations" . | nindent 8 }}
{{- with .Values.tolerations }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if $criticalAddon }}
- key: CriticalAddonsOnly
operator: Exists
{{- end -}}
{{- with .Values.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
nodeSelector:
{{- include "linux-node-selector" . | nindent 8 }}
{{- if $criticalAddon }}
priorityClassName: system-cluster-critical
{{- end -}}
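Review bot: The `$criticalAddon` version test at line 2384, `(and (ge $major 1) (ge $minor 17))`, is not a true version comparison — any major version above 1 with a minor below 17 evaluates false — and `semverCompare ">=1.17-0" .Capabilities.KubeVersion.GitVersion`, already used in _helpers.tpl, expresses the intent without the manual parsing on lines 2382-2383. `config.additionalOptions`, ranged over at line 2443 and injected verbatim as container arguments, is not in the README parameter table and I cannot see it in the truncated values.yaml; it should be documented, since it lets a values override pass arbitrary flags to the operator. The checksum annotation at line 2406 covers only apiregistration.yaml, so editing `config.kubeconfigContent` (secret.yaml) changes the mounted Secret without triggering a rollout; adding a matching `checksum/secret.yaml` annotation would be consistent.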


@ -0,0 +1,86 @@
{{- if .Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy" -}}
{{- if .Values.serviceAccount.create }}
{{- if .Values.global.rbac.pspEnabled }}
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: {{ include "kubed.serviceAccountName" . }}-psp
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: "{{ replace "+" "_" .Chart.Version }}"
app.kubernetes.io/part-of: {{ include "kubed.serviceAccountName" . }}
app: {{ include "kubed.serviceAccountName" . }}
{{- if .Values.global.rbac.pspAnnotations }}
annotations: {{ toYaml .Values.global.rbac.pspAnnotations | nindent 4 }}
{{- end }}
spec:
privileged: false
hostNetwork: false
hostIPC: false
hostPID: false
runAsUser:
# Permits the container to run with root privileges as well.
rule: 'RunAsAny'
seLinux:
# This policy assumes the nodes are using AppArmor rather than SELinux.
rule: 'RunAsAny'
supplementalGroups:
rule: 'MustRunAs'
ranges:
# Forbid adding the root group.
- min: 0
max: 65535
fsGroup:
rule: 'MustRunAs'
ranges:
# Forbid adding the root group.
- min: 0
max: 65535
readOnlyRootFilesystem: false
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ include "kubed.serviceAccountName" . }}-psp
labels:
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: "{{ replace "+" "_" .Chart.Version }}"
app.kubernetes.io/part-of: {{ include "kubed.serviceAccountName" . }}
app: {{ include "kubed.serviceAccountName" . }}
rules:
{{- if semverCompare "> 1.15.0-0" .Capabilities.KubeVersion.GitVersion }}
- apiGroups: ['policy']
{{- else }}
- apiGroups: ['extensions']
{{- end }}
resources: ['podsecuritypolicies']
verbs: ['use']
resourceNames:
- {{ include "kubed.serviceAccountName" . }}-psp
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ include "kubed.serviceAccountName" . }}-psp
labels:
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: "{{ replace "+" "_" .Chart.Version }}"
app.kubernetes.io/part-of: {{ include "kubed.serviceAccountName" . }}
app: {{ include "kubed.serviceAccountName" . }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ include "kubed.serviceAccountName" . }}-psp
subjects:
- kind: ServiceAccount
name: {{ include "kubed.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
{{- end }}
{{- end }}
{{- end -}}
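Review bot: The comments at lines 2536 and 2542 say "Forbid adding the root group", but both ranges start at `min: 0`, which permits GID 0 for `supplementalGroups` and `fsGroup`; either change both to `- min: 1` or correct the comment. `metadata.namespace` at line 2513 is set on a PodSecurityPolicy, which is cluster-scoped, so the field is meaningless and will be dropped or rejected by the API server. The policy also keeps `runAsUser: RunAsAny` and `readOnlyRootFilesystem: false`, so beyond the host-namespace and privileged checks it does not constrain the operator pod; if that is intentional, say so in the comment on line 2528. Stylistically, the labels on these three resources are hand-written rather than produced by `kubed.labels`, unlike every other template in this chart.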


@ -0,0 +1,11 @@
apiVersion: v1
kind: Secret
metadata:
name: {{ template "kubed.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "kubed.labels" . | nindent 4 }}
data:
{{- if .Values.config.kubeconfigContent }}
kubeconfig: {{ .Values.config.kubeconfigContent | trim | b64enc | quote }}
{{- end }}


@ -0,0 +1,15 @@
apiVersion: v1
kind: Service
metadata:
name: {{ template "kubed.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "kubed.labels" . | nindent 4 }}
spec:
ports:
# Port used to expose admission webhook apiserver
- name: api
port: 443
targetPort: {{ default "8443" .Values.apiserver.securePort }}
selector:
{{- include "kubed.selectorLabels" . | nindent 4 }}


@ -0,0 +1,13 @@
{{- if .Values.serviceAccount.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "kubed.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "kubed.labels" . | nindent 4 }}
{{- with .Values.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end -}}


@ -0,0 +1,101 @@
# Default values for kubed.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
# Overrides name template
nameOverride: ""
# Overrides fullname template
fullnameOverride: ""
# Number of Config Syncer operator replicas to create (only 1 is supported)
replicaCount: 1
operator:
# Config Syncer operator container image
repository: rancher/mirrored-appscode-kubed
# Config Syncer operator container image tag
tag: v0.13.2
# Compute Resources required by the operator container
resources: {}
# Security options the operator container should run with
securityContext: {}
# Specify an array of imagePullSecrets.
# Secrets must be manually created in the namespace.
#
# Example:
# helm template charts/kubed \
# --set imagePullSecrets[0].name=sec0 \
# --set imagePullSecrets[1].name=sec1
imagePullSecrets: []
# Container image pull policy
imagePullPolicy: IfNotPresent
# If true, installs Config Syncer operator as critical addon
criticalAddon: false
# Log level for operator
logLevel: 3
# Annotations applied to operator deployment
annotations: {}
# Annotations passed to operator pod(s).
podAnnotations: {}
# Node labels for pod assignment
nodeSelector: {}
# Tolerations for pod assignment
tolerations: []
# Affinity rules for pod assignment
affinity: {}
# Security options the operator pod should run with.
podSecurityContext: # +doc-gen:break
# ensure that s/a token is readable xref: https://issues.k8s.io/70679
fsGroup: 65535
serviceAccount:
# Specifies whether a service account should be created
create: true
# Annotations to add to the service account
annotations: {}
# The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template
name: ""
apiserver:
# Port used by Config Syncer server
securePort: "8443"
# If true, uses kube-apiserver FQDN for AKS cluster to workaround https://github.com/Azure/AKS/issues/522 (default true)
useKubeapiserverFqdnForAks: true
healthcheck:
# healthcheck configures the readiness and liveliness probes for the operator pod.
enabled: false
servingCerts:
# If true, generates on install/upgrade the certs that allow the kube-apiserver (and potentially ServiceMonitor)
# to authenticate operators pods. Otherwise specify certs in `apiserver.servingCerts.{caCrt, serverCrt, serverKey}`.
generate: true
# CA certficate used by serving certificate of Config Syncer server.
caCrt: ""
# Serving certficate used by Config Syncer server.
serverCrt: ""
# Private key for the serving certificate used by Config Syncer server.
serverKey: ""
# If true, sends usage analytics
enableAnalytics: true
config:
# Set cluster-name to something meaningful to you, say, prod, prod-us-east, qa, etc.
# so that you can distinguish notifications sent by kubed
clusterName: unicorn
# If set, configmaps and secrets from only this namespace will be synced
configSourceNamespace: ""
# kubeconfig file content for configmap and secret syncer
kubeconfigContent: ""
# additionalOptions:
# - --authentication-skip-lookup
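Review bot: `securityContext: {}` on line 2659 and the `podSecurityContext` on lines 2685–2687 (only `fsGroup`) give the operator container no hardening baseline, and the PodSecurityPolicy earlier in this commit uses `rule: 'RunAsAny'` for `runAsUser`, so nothing else constrains what it runs as; assuming the deployment template renders these keys, a default such as `securityContext: {allowPrivilegeEscalation: false, capabilities: {drop: ["ALL"]}}` with `runAsNonRoot: true` would be the expected starting point. `enableAnalytics: true` on line 2715 also turns on outbound usage reporting for every install by default; `enableAnalytics: false` keeps that opt-in. The `# +doc-gen:break` marker on line 2685 is an upstream doc-generator directive and is worth a one-line comment saying so, since it reads like a stray annotation here.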


@ -0,0 +1,23 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*~
# Various IDEs
.project
.idea/
*.tmproj
# OWNERS file for Kubernetes
OWNERS


@ -0,0 +1,18 @@
apiVersion: v1
appVersion: RELEASE.2023-07-07T07-13-57Z
description: Multi-Cloud Object Storage
home: https://min.io
icon: https://min.io/resources/img/logo/MINIO_wordmark.png
keywords:
- minio
- storage
- object-storage
- s3
- cluster
maintainers:
- email: dev@minio.io
name: MinIO, Inc
name: minio
sources:
- https://github.com/minio/minio
version: 5.0.13


@ -0,0 +1,260 @@
# MinIO Helm Chart
[![Slack](https://slack.min.io/slack?type=svg)](https://slack.min.io) [![license](https://img.shields.io/badge/license-AGPL%20V3-blue)](https://github.com/minio/minio/blob/master/LICENSE)
MinIO is a High Performance Object Storage released under GNU Affero General Public License v3.0. It is API compatible with Amazon S3 cloud storage service. Use MinIO to build high performance infrastructure for machine learning, analytics and application data workloads.
For more detailed documentation please visit [here](https://min.io/docs/minio/linux/index.html)
## Introduction
This chart bootstraps MinIO Cluster on [Kubernetes](http://kubernetes.io) using the [Helm](https://helm.sh) package manager.
## Prerequisites
- Helm cli with Kubernetes cluster configured.
- PV provisioner support in the underlying infrastructure. (We recommend using <https://github.com/minio/direct-csi>)
- Use Kubernetes version v1.19 and later for best experience.
## Configure MinIO Helm repo
```bash
helm repo add minio https://charts.min.io/
```
### Installing the Chart
Install this chart using:
```bash
helm install --namespace minio --set rootUser=rootuser,rootPassword=rootpass123 --generate-name minio/minio
```
The command deploys MinIO on the Kubernetes cluster in the default configuration. The [configuration](#configuration) section lists the parameters that can be configured during installation.
### Installing the Chart (toy-setup)
Minimal toy setup for testing purposes can be deployed using:
```bash
helm install --set resources.requests.memory=512Mi --set replicas=1 --set persistence.enabled=false --set mode=standalone --set rootUser=rootuser,rootPassword=rootpass123 --generate-name minio/minio
```
### Upgrading the Chart
You can use Helm to update MinIO version in a live release. Assuming your release is named as `my-release`, get the values using the command:
```bash
helm get values my-release > old_values.yaml
```
Then change the field `image.tag` in `old_values.yaml` file with MinIO image tag you want to use. Now update the chart using
```bash
helm upgrade -f old_values.yaml my-release minio/minio
```
Default upgrade strategies are specified in the `values.yaml` file. Update these fields if you'd like to use a different strategy.
### Configuration
Refer the [Values file](./values.yaml) for all the possible config fields.
You can specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example,
```bash
helm install --name my-release --set persistence.size=1Ti minio/minio
```
The above command deploys MinIO server with a 1Ti backing persistent volume.
Alternately, you can provide a YAML file that specifies parameter values while installing the chart. For example,
```bash
helm install --name my-release -f values.yaml minio/minio
```
### Persistence
This chart provisions a PersistentVolumeClaim and mounts corresponding persistent volume to default location `/export`. You'll need physical storage available in the Kubernetes cluster for this to work. If you'd rather use `emptyDir`, disable PersistentVolumeClaim by:
```bash
helm install --set persistence.enabled=false minio/minio
```
> *"An emptyDir volume is first created when a Pod is assigned to a Node, and exists as long as that Pod is running on that node. When a Pod is removed from a node for any reason, the data in the emptyDir is deleted forever."*
### Existing PersistentVolumeClaim
If a Persistent Volume Claim already exists, specify it during installation.
1. Create the PersistentVolume
2. Create the PersistentVolumeClaim
3. Install the chart
```bash
helm install --set persistence.existingClaim=PVC_NAME minio/minio
```
### NetworkPolicy
To enable network policy for MinIO,
install [a networking plugin that implements the Kubernetes
NetworkPolicy spec](https://kubernetes.io/docs/tasks/administer-cluster/declare-network-policy#before-you-begin),
and set `networkPolicy.enabled` to `true`.
For Kubernetes v1.5 & v1.6, you must also turn on NetworkPolicy by setting
the DefaultDeny namespace annotation. Note: this will enforce policy for *all* pods in the namespace:
```
kubectl annotate namespace default "net.beta.kubernetes.io/network-policy={\"ingress\":{\"isolation\":\"DefaultDeny\"}}"
```
With NetworkPolicy enabled, traffic will be limited to just port 9000.
For more precise policy, set `networkPolicy.allowExternal=true`. This will
only allow pods with the generated client label to connect to MinIO.
This label will be displayed in the output of a successful install.
### Existing secret
Instead of having this chart create the secret for you, you can supply a preexisting secret, much
like an existing PersistentVolumeClaim.
First, create the secret:
```bash
kubectl create secret generic my-minio-secret --from-literal=rootUser=foobarbaz --from-literal=rootPassword=foobarbazqux
```
Then install the chart, specifying that you want to use an existing secret:
```bash
helm install --set existingSecret=my-minio-secret minio/minio
```
The following fields are expected in the secret:
| .data.\<key\> in Secret | Corresponding variable | Description | Required |
|:------------------------|:-----------------------|:---------------|:---------|
| `rootUser` | `rootUser` | Root user. | yes |
| `rootPassword` | `rootPassword` | Root password. | yes |
All corresponding variables will be ignored in values file.
### Configure TLS
To enable TLS for MinIO containers, acquire TLS certificates from a CA or create self-signed certificates. While creating / acquiring certificates ensure the corresponding domain names are set as per the standard [DNS naming conventions](https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#pod-identity) in a Kubernetes StatefulSet (for a distributed MinIO setup). Then create a secret using
```bash
kubectl create secret generic tls-ssl-minio --from-file=path/to/private.key --from-file=path/to/public.crt
```
Then install the chart, specifying that you want to use the TLS secret:
```bash
helm install --set tls.enabled=true,tls.certSecret=tls-ssl-minio minio/minio
```
### Installing certificates from third party CAs
MinIO can connect to other servers, including MinIO nodes or other server types such as NATs and Redis. If these servers use certificates that were not registered with a known CA, add trust for these certificates to MinIO Server by bundling these certificates into a Kubernetes secret and providing it to Helm via the `trustedCertsSecret` value. If `.Values.tls.enabled` is `true` and you're installing certificates for third party CAs, remember to include MinIO's own certificate with key `public.crt`, if it also needs to be trusted.
For instance, given that TLS is enabled and you need to add trust for MinIO's own CA and for the CA of a Keycloak server, a Kubernetes secret can be created from the certificate files using `kubectl`:
```
kubectl -n minio create secret generic minio-trusted-certs --from-file=public.crt --from-file=keycloak.crt
```
If TLS is not enabled, you would need only the third party CA:
```
kubectl -n minio create secret generic minio-trusted-certs --from-file=keycloak.crt
```
The name of the generated secret can then be passed to Helm using a values file or the `--set` parameter:
```
trustedCertsSecret: "minio-trusted-certs"
or
--set trustedCertsSecret=minio-trusted-certs
```
### Create buckets after install
Install the chart, specifying the buckets you want to create after install:
```bash
helm install --set buckets[0].name=bucket1,buckets[0].policy=none,buckets[0].purge=false minio/minio
```
Description of the configuration parameters used above -
- `buckets[].name` - name of the bucket to create, must be a string with length > 0
- `buckets[].policy` - can be one of none|download|upload|public
- `buckets[].purge` - purge if bucket exists already
### Create policies after install
Install the chart, specifying the policies you want to create after install:
```bash
helm install --set policies[0].name=mypolicy,policies[0].statements[0].resources[0]='arn:aws:s3:::bucket1',policies[0].statements[0].actions[0]='s3:ListBucket',policies[0].statements[0].actions[1]='s3:GetObject' minio/minio
```
Description of the configuration parameters used above -
- `policies[].name` - name of the policy to create, must be a string with length > 0
- `policies[].statements[]` - list of statements, includes actions and resources
- `policies[].statements[].resources[]` - list of resources that applies the statement
- `policies[].statements[].actions[]` - list of actions granted
### Create user after install
Install the chart, specifying the users you want to create after install:
```bash
helm install --set users[0].accessKey=accessKey,users[0].secretKey=secretKey,users[0].policy=none,users[1].accessKey=accessKey2,users[1].secretRef=existingSecret,users[1].secretKey=password,users[1].policy=none minio/minio
```
Description of the configuration parameters used above -
- `users[].accessKey` - accessKey of user
- `users[].secretKey` - secretKey of usersecretRef
- `users[].existingSecret` - secret name that contains the secretKey of user
- `users[].existingSecretKey` - data key in existingSecret secret containing the secretKey
- `users[].policy` - name of the policy to assign to user
### Create service account after install
Install the chart, specifying the service accounts you want to create after install:
```bash
helm install --set svcaccts[0].accessKey=accessKey,svcaccts[0].secretKey=secretKey,svcaccts[0].user=parentUser,svcaccts[1].accessKey=accessKey2,svcaccts[1].secretRef=existingSecret,svcaccts[1].secretKey=password,svcaccts[1].user=parentUser2 minio/minio
```
Description of the configuration parameters used above -
- `svcaccts[].accessKey` - accessKey of service account
- `svcaccts[].secretKey` - secretKey of svcacctsecretRef
- `svcaccts[].existingSecret` - secret name that contains the secretKey of service account
- `svcaccts[].existingSecretKey` - data key in existingSecret secret containing the secretKey
- `svcaccts[].user` - name of the parent user to assign to service account
## Uninstalling the Chart
Assuming your release is named as `my-release`, delete it using the command:
```bash
helm delete my-release
```
or
```bash
helm uninstall my-release
```
The command removes all the Kubernetes components associated with the chart and deletes the release.


@ -0,0 +1,43 @@
{{- if eq .Values.service.type "ClusterIP" "NodePort" }}
MinIO can be accessed via port {{ .Values.service.port }} on the following DNS name from within your cluster:
{{ template "minio.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local
To access MinIO from localhost, run the below commands:
1. export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
2. kubectl port-forward $POD_NAME 9000 --namespace {{ .Release.Namespace }}
Read more about port forwarding here: http://kubernetes.io/docs/user-guide/kubectl/kubectl_port-forward/
You can now access MinIO server on http://localhost:9000. Follow the below steps to connect to MinIO server with mc client:
1. Download the MinIO mc client - https://min.io/docs/minio/linux/reference/minio-mc.html#quickstart
2. export MC_HOST_{{ template "minio.fullname" . }}-local=http://$(kubectl get secret --namespace {{ .Release.Namespace }} {{ template "minio.secretName" . }} -o jsonpath="{.data.rootUser}" | base64 --decode):$(kubectl get secret --namespace {{ .Release.Namespace }} {{ template "minio.secretName" . }} -o jsonpath="{.data.rootPassword}" | base64 --decode)@localhost:{{ .Values.service.port }}
3. mc ls {{ template "minio.fullname" . }}-local
{{- end }}
{{- if eq .Values.service.type "LoadBalancer" }}
MinIO can be accessed via port {{ .Values.service.port }} on an external IP address. Get the service external IP address by:
kubectl get svc --namespace {{ .Release.Namespace }} -l app={{ template "minio.fullname" . }}
Note that the public IP may take a couple of minutes to be available.
You can now access MinIO server on http://<External-IP>:9000. Follow the below steps to connect to MinIO server with mc client:
1. Download the MinIO mc client - https://min.io/docs/minio/linux/reference/minio-mc.html#quickstart
2. export MC_HOST_{{ template "minio.fullname" . }}-local=http://$(kubectl get secret {{ template "minio.secretName" . }} --namespace {{ .Release.Namespace }} -o jsonpath="{.data.rootUser}" | base64 --decode):$(kubectl get secret {{ template "minio.secretName" . }} -o jsonpath="{.data.rootPassword}" | base64 --decode)@<External-IP>:{{ .Values.service.port }}
3. mc ls {{ template "minio.fullname" . }}
Alternately, you can use your browser or the MinIO SDK to access the server - https://min.io/docs/minio/linux/reference/minio-server/minio-server.html
{{- end }}
{{ if and (.Values.networkPolicy.enabled) (not .Values.networkPolicy.allowExternal) }}
Note: Since NetworkPolicy is enabled, only pods with label
{{ template "minio.fullname" . }}-client=true"
will be able to connect to this minio cluster.
{{- end }}
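Review bot: The second `kubectl get secret` on line 2968 has no `--namespace {{ .Release.Namespace }}`, unlike the first call on the same line and both calls on line 2959, so the password lookup runs against the user's current-context namespace and fails or reads the wrong Secret when the release is installed elsewhere; add `--namespace {{ .Release.Namespace }}` after the secret name. Line 2974 has an unbalanced trailing quote, `{{ template "minio.fullname" . }}-client=true"`, which should be `{{ template "minio.fullname" . }}-client=true`. Lines 2959 and 2968 also embed the root credentials into an `MC_HOST_*` environment variable on the user's shell; a short sentence reminding the reader that this exports the root password into their environment and shell history would be appropriate.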


@ -0,0 +1,123 @@
#!/bin/sh
set -e ; # Have script exit in the event of a failed command.
{{- if .Values.configPathmc }}
MC_CONFIG_DIR="{{ .Values.configPathmc }}"
MC="/usr/bin/mc --insecure --config-dir ${MC_CONFIG_DIR}"
{{- else }}
MC="/usr/bin/mc --insecure"
{{- end }}
# connectToMinio
# Use a check-sleep-check loop to wait for MinIO service to be available
connectToMinio() {
SCHEME=$1
ATTEMPTS=0 ; LIMIT=29 ; # Allow 30 attempts
set -e ; # fail if we can't read the keys.
ACCESS=$(cat /config/rootUser) ; SECRET=$(cat /config/rootPassword) ;
set +e ; # The connections to minio are allowed to fail.
echo "Connecting to MinIO server: $SCHEME://$MINIO_ENDPOINT:$MINIO_PORT" ;
MC_COMMAND="${MC} alias set myminio $SCHEME://$MINIO_ENDPOINT:$MINIO_PORT $ACCESS $SECRET" ;
$MC_COMMAND ;
STATUS=$? ;
until [ $STATUS = 0 ]
do
ATTEMPTS=`expr $ATTEMPTS + 1` ;
echo \"Failed attempts: $ATTEMPTS\" ;
if [ $ATTEMPTS -gt $LIMIT ]; then
exit 1 ;
fi ;
sleep 2 ; # 1 second intervals between attempts
$MC_COMMAND ;
STATUS=$? ;
done ;
set -e ; # reset `e` as active
return 0
}
# checkBucketExists ($bucket)
# Check if the bucket exists, by using the exit code of `mc ls`
checkBucketExists() {
BUCKET=$1
CMD=$(${MC} stat myminio/$BUCKET > /dev/null 2>&1)
return $?
}
# createBucket ($bucket, $policy, $purge)
# Ensure bucket exists, purging if asked to
createBucket() {
BUCKET=$1
POLICY=$2
PURGE=$3
VERSIONING=$4
OBJECTLOCKING=$5
# Purge the bucket, if set & exists
# Since PURGE is user input, check explicitly for `true`
if [ $PURGE = true ]; then
if checkBucketExists $BUCKET ; then
echo "Purging bucket '$BUCKET'."
set +e ; # don't exit if this fails
${MC} rm -r --force myminio/$BUCKET
set -e ; # reset `e` as active
else
echo "Bucket '$BUCKET' does not exist, skipping purge."
fi
fi
# Create the bucket if it does not exist and set objectlocking if enabled (NOTE: versioning will be not changed if OBJECTLOCKING is set because it enables versioning to the Buckets created)
if ! checkBucketExists $BUCKET ; then
if [ ! -z $OBJECTLOCKING ] ; then
if [ $OBJECTLOCKING = true ] ; then
echo "Creating bucket with OBJECTLOCKING '$BUCKET'"
${MC} mb --with-lock myminio/$BUCKET
elif [ $OBJECTLOCKING = false ] ; then
echo "Creating bucket '$BUCKET'"
${MC} mb myminio/$BUCKET
fi
elif [ -z $OBJECTLOCKING ] ; then
echo "Creating bucket '$BUCKET'"
${MC} mb myminio/$BUCKET
else
echo "Bucket '$BUCKET' already exists."
fi
fi
# set versioning for bucket if objectlocking is disabled or not set
if [ -z $OBJECTLOCKING ] ; then
if [ ! -z $VERSIONING ] ; then
if [ $VERSIONING = true ] ; then
echo "Enabling versioning for '$BUCKET'"
${MC} version enable myminio/$BUCKET
elif [ $VERSIONING = false ] ; then
echo "Suspending versioning for '$BUCKET'"
${MC} version suspend myminio/$BUCKET
fi
fi
else
echo "Bucket '$BUCKET' versioning unchanged."
fi
# At this point, the bucket should exist, skip checking for existence
# Set policy on the bucket
echo "Setting policy of bucket '$BUCKET' to '$POLICY'."
${MC} anonymous set $POLICY myminio/$BUCKET
}
# Try connecting to MinIO instance
{{- if .Values.tls.enabled }}
scheme=https
{{- else }}
scheme=http
{{- end }}
connectToMinio $scheme
{{ if .Values.buckets }}
{{ $global := . }}
# Create the buckets
{{- range .Values.buckets }}
createBucket {{ tpl .name $global }} {{ .policy | default "none" | quote }} {{ .purge | default false }} {{ .versioning | default false }} {{ .objectlocking | default false }}
{{- end }}
{{- end }}
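Review bot: `MC="/usr/bin/mc --insecure ..."` on lines 2985 and 2987 disables TLS certificate verification unconditionally, so even when `.Values.tls.enabled` is true (line 3079) the post-install job accepts whatever certificate the endpoint presents; the same definition is repeated in the policy, svcacct, user and custom-command helpers (lines 3100–3102, 3171–3173, 3274–3276, 3377–3379). Gating the flag on an explicit chart value (placeholder: `{{- if .Values.<INSECURE_FLAG_VALUE> }} --insecure{{- end }}`) keeps verification on by default. The bucket name is expanded unquoted in `${MC} rm -r --force myminio/$BUCKET` (line 3036) and the `mb` calls on lines 3047, 3050 and 3054; `"myminio/$BUCKET"` avoids word splitting under `set -e`. The comment on line 3008 says `# 1 second intervals between attempts` while the command is `sleep 2` (line 3197 in the svcacct helper has the correct `2 second`).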


@ -0,0 +1,75 @@
#!/bin/sh
set -e ; # Have script exit in the event of a failed command.
{{- if .Values.configPathmc }}
MC_CONFIG_DIR="{{ .Values.configPathmc }}"
MC="/usr/bin/mc --insecure --config-dir ${MC_CONFIG_DIR}"
{{- else }}
MC="/usr/bin/mc --insecure"
{{- end }}
# connectToMinio
# Use a check-sleep-check loop to wait for MinIO service to be available
connectToMinio() {
SCHEME=$1
ATTEMPTS=0 ; LIMIT=29 ; # Allow 30 attempts
set -e ; # fail if we can't read the keys.
ACCESS=$(cat /config/rootUser) ; SECRET=$(cat /config/rootPassword) ;
set +e ; # The connections to minio are allowed to fail.
echo "Connecting to MinIO server: $SCHEME://$MINIO_ENDPOINT:$MINIO_PORT" ;
MC_COMMAND="${MC} alias set myminio $SCHEME://$MINIO_ENDPOINT:$MINIO_PORT $ACCESS $SECRET" ;
$MC_COMMAND ;
STATUS=$? ;
until [ $STATUS = 0 ]
do
ATTEMPTS=`expr $ATTEMPTS + 1` ;
echo \"Failed attempts: $ATTEMPTS\" ;
if [ $ATTEMPTS -gt $LIMIT ]; then
exit 1 ;
fi ;
sleep 2 ; # 1 second intervals between attempts
$MC_COMMAND ;
STATUS=$? ;
done ;
set -e ; # reset `e` as active
return 0
}
# checkPolicyExists ($policy)
# Check if the policy exists, by using the exit code of `mc admin policy info`
checkPolicyExists() {
POLICY=$1
CMD=$(${MC} admin policy info myminio $POLICY > /dev/null 2>&1)
return $?
}
# createPolicy($name, $filename)
createPolicy () {
NAME=$1
FILENAME=$2
# Create the name if it does not exist
echo "Checking policy: $NAME (in /config/$FILENAME.json)"
if ! checkPolicyExists $NAME ; then
echo "Creating policy '$NAME'"
else
echo "Policy '$NAME' already exists."
fi
${MC} admin policy create myminio $NAME /config/$FILENAME.json
}
# Try connecting to MinIO instance
{{- if .Values.tls.enabled }}
scheme=https
{{- else }}
scheme=http
{{- end }}
connectToMinio $scheme
{{ if .Values.policies }}
# Create the policies
{{- range $idx, $policy := .Values.policies }}
createPolicy {{ $policy.name }} policy_{{ $idx }}
{{- end }}
{{- end }}
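Review bot: The existence check on lines 3143–3147 only selects a log message; `${MC} admin policy create myminio $NAME /config/$FILENAME.json` on line 3148 runs in both branches, so an existing policy named `$NAME` is overwritten on every run of the job while the log says `Policy '$NAME' already exists.`. If replacing the policy is the intent, say so in the message, e.g. `echo "Policy '$NAME' already exists, replacing it."`; otherwise move line 3148 inside the `if ! checkPolicyExists` branch. `$NAME` and `/config/$FILENAME.json` are also unquoted on lines 3134 and 3148.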


@ -0,0 +1,106 @@
#!/bin/sh
set -e ; # Have script exit in the event of a failed command.
{{- if .Values.configPathmc }}
MC_CONFIG_DIR="{{ .Values.configPathmc }}"
MC="/usr/bin/mc --insecure --config-dir ${MC_CONFIG_DIR}"
{{- else }}
MC="/usr/bin/mc --insecure"
{{- end }}
# AccessKey and secretkey credentials file are added to prevent shell execution errors caused by special characters.
# Special characters for example : ',",<,>,{,}
MINIO_ACCESSKEY_SECRETKEY_TMP="/tmp/accessKey_and_secretKey_svcacct_tmp"
# connectToMinio
# Use a check-sleep-check loop to wait for MinIO service to be available
connectToMinio() {
SCHEME=$1
ATTEMPTS=0 ; LIMIT=29 ; # Allow 30 attempts
set -e ; # fail if we can't read the keys.
ACCESS=$(cat /config/rootUser) ; SECRET=$(cat /config/rootPassword) ;
set +e ; # The connections to minio are allowed to fail.
echo "Connecting to MinIO server: $SCHEME://$MINIO_ENDPOINT:$MINIO_PORT" ;
MC_COMMAND="${MC} alias set myminio $SCHEME://$MINIO_ENDPOINT:$MINIO_PORT $ACCESS $SECRET" ;
$MC_COMMAND ;
STATUS=$? ;
until [ $STATUS = 0 ]
do
ATTEMPTS=`expr $ATTEMPTS + 1` ;
echo \"Failed attempts: $ATTEMPTS\" ;
if [ $ATTEMPTS -gt $LIMIT ]; then
exit 1 ;
fi ;
sleep 2 ; # 2 second intervals between attempts
$MC_COMMAND ;
STATUS=$? ;
done ;
set -e ; # reset `e` as active
return 0
}
# checkSvcacctExists ()
# Check if the svcacct exists, by using the exit code of `mc admin user svcacct info`
checkSvcacctExists() {
CMD=$(${MC} admin user svcacct info myminio $(head -1 $MINIO_ACCESSKEY_SECRETKEY_TMP) > /dev/null 2>&1)
return $?
}
# createSvcacct ($user)
createSvcacct () {
USER=$1
FILENAME=$2
#check accessKey_and_secretKey_tmp file
if [[ ! -f $MINIO_ACCESSKEY_SECRETKEY_TMP ]];then
echo "credentials file does not exist"
return 1
fi
if [[ $(cat $MINIO_ACCESSKEY_SECRETKEY_TMP|wc -l) -ne 2 ]];then
echo "credentials file is invalid"
rm -f $MINIO_ACCESSKEY_SECRETKEY_TMP
return 1
fi
SVCACCT=$(head -1 $MINIO_ACCESSKEY_SECRETKEY_TMP)
# Create the svcacct if it does not exist
if ! checkSvcacctExists ; then
echo "Creating svcacct '$SVCACCT'"
# Check if policy file is define
if [ -z $FILENAME ]; then
${MC} admin user svcacct add --access-key $(head -1 $MINIO_ACCESSKEY_SECRETKEY_TMP) --secret-key $(tail -n1 $MINIO_ACCESSKEY_SECRETKEY_TMP) myminio $USER
else
${MC} admin user svcacct add --access-key $(head -1 $MINIO_ACCESSKEY_SECRETKEY_TMP) --secret-key $(tail -n1 $MINIO_ACCESSKEY_SECRETKEY_TMP) --policy /config/$FILENAME.json myminio $USER
fi
else
echo "Svcacct '$SVCACCT' already exists."
fi
#clean up credentials files.
rm -f $MINIO_ACCESSKEY_SECRETKEY_TMP
}
# Try connecting to MinIO instance
{{- if .Values.tls.enabled }}
scheme=https
{{- else }}
scheme=http
{{- end }}
connectToMinio $scheme
{{ if .Values.svcaccts }}
{{ $global := . }}
# Create the svcaccts
{{- range $idx, $svc := .Values.svcaccts }}
echo {{ tpl .accessKey $global }} > $MINIO_ACCESSKEY_SECRETKEY_TMP
{{- if .existingSecret }}
cat /config/secrets-svc/{{ tpl .existingSecret $global }}/{{ tpl .existingSecretKey $global }} >> $MINIO_ACCESSKEY_SECRETKEY_TMP
# Add a new line if it doesn't exist
sed -i '$a\' $MINIO_ACCESSKEY_SECRETKEY_TMP
{{ else }}
echo {{ .secretKey }} >> $MINIO_ACCESSKEY_SECRETKEY_TMP
{{- end }}
{{- if $svc.policy}}
createSvcacct {{ .user }} svc_policy_{{ $idx }}
{{ else }}
createSvcacct {{ .user }}
{{- end }}
{{- end }}
{{- end }}
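Review bot: `[[ ... ]]` on lines 3215 and 3219 is not POSIX and the script runs under `#!/bin/sh` (line 3167); on a dash-based image both tests error out, and with `set -e` the job exits before creating anything. The same two tests appear in the user helper on lines 3317 and 3321; POSIX equivalents are `if [ ! -f "$MINIO_ACCESSKEY_SECRETKEY_TMP" ]; then` and `if [ "$(wc -l < "$MINIO_ACCESSKEY_SECRETKEY_TMP")" -ne 2 ]; then`. Lines 3230 and 3232 pass the secret as `--secret-key $(tail -n1 ...)` on the mc command line, so it is visible in the job's process table for the duration of the call, which the header comment on lines 3175–3176 does not mention; the user helper instead pipes the file into `mc admin user add` on line 3330, and a comment here should note that the argv exposure is the accepted trade-off if `svcacct add` offers no stdin form.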


@ -0,0 +1,107 @@
#!/bin/sh
set -e ; # Have script exit in the event of a failed command.
{{- if .Values.configPathmc }}
MC_CONFIG_DIR="{{ .Values.configPathmc }}"
MC="/usr/bin/mc --insecure --config-dir ${MC_CONFIG_DIR}"
{{- else }}
MC="/usr/bin/mc --insecure"
{{- end }}
# AccessKey and secretkey credentials file are added to prevent shell execution errors caused by special characters.
# Special characters for example : ',",<,>,{,}
MINIO_ACCESSKEY_SECRETKEY_TMP="/tmp/accessKey_and_secretKey_tmp"
# connectToMinio
# Use a check-sleep-check loop to wait for MinIO service to be available
connectToMinio() {
SCHEME=$1
ATTEMPTS=0 ; LIMIT=29 ; # Allow 30 attempts
set -e ; # fail if we can't read the keys.
ACCESS=$(cat /config/rootUser) ; SECRET=$(cat /config/rootPassword) ;
set +e ; # The connections to minio are allowed to fail.
echo "Connecting to MinIO server: $SCHEME://$MINIO_ENDPOINT:$MINIO_PORT" ;
MC_COMMAND="${MC} alias set myminio $SCHEME://$MINIO_ENDPOINT:$MINIO_PORT $ACCESS $SECRET" ;
$MC_COMMAND ;
STATUS=$? ;
until [ $STATUS = 0 ]
do
ATTEMPTS=`expr $ATTEMPTS + 1` ;
echo \"Failed attempts: $ATTEMPTS\" ;
if [ $ATTEMPTS -gt $LIMIT ]; then
exit 1 ;
fi ;
sleep 2 ; # 1 second intervals between attempts
$MC_COMMAND ;
STATUS=$? ;
done ;
set -e ; # reset `e` as active
return 0
}
# checkUserExists ()
# Check if the user exists, by using the exit code of `mc admin user info`
checkUserExists() {
CMD=$(${MC} admin user info myminio $(head -1 $MINIO_ACCESSKEY_SECRETKEY_TMP) > /dev/null 2>&1)
return $?
}
# createUser ($policy)
createUser() {
POLICY=$1
#check accessKey_and_secretKey_tmp file
if [[ ! -f $MINIO_ACCESSKEY_SECRETKEY_TMP ]];then
echo "credentials file does not exist"
return 1
fi
if [[ $(cat $MINIO_ACCESSKEY_SECRETKEY_TMP|wc -l) -ne 2 ]];then
echo "credentials file is invalid"
rm -f $MINIO_ACCESSKEY_SECRETKEY_TMP
return 1
fi
USER=$(head -1 $MINIO_ACCESSKEY_SECRETKEY_TMP)
# Create the user if it does not exist
if ! checkUserExists ; then
echo "Creating user '$USER'"
cat $MINIO_ACCESSKEY_SECRETKEY_TMP | ${MC} admin user add myminio
else
echo "User '$USER' already exists."
fi
#clean up credentials files.
rm -f $MINIO_ACCESSKEY_SECRETKEY_TMP
# set policy for user
if [ ! -z $POLICY -a $POLICY != " " ] ; then
echo "Adding policy '$POLICY' for '$USER'"
set +e ; # policy already attach errors out, allow it.
${MC} admin policy attach myminio $POLICY --user=$USER
set -e
else
echo "User '$USER' has no policy attached."
fi
}
# Try connecting to MinIO instance
{{- if .Values.tls.enabled }}
scheme=https
{{- else }}
scheme=http
{{- end }}
connectToMinio $scheme
{{ if .Values.users }}
{{ $global := . }}
# Create the users
{{- range .Values.users }}
echo {{ tpl .accessKey $global }} > $MINIO_ACCESSKEY_SECRETKEY_TMP
{{- if .existingSecret }}
cat /config/secrets/{{ tpl .existingSecret $global }}/{{ tpl .existingSecretKey $global }} >> $MINIO_ACCESSKEY_SECRETKEY_TMP
# Add a new line if it doesn't exist
sed -i '$a\' $MINIO_ACCESSKEY_SECRETKEY_TMP
createUser {{ .policy }}
{{ else }}
echo {{ .secretKey }} >> $MINIO_ACCESSKEY_SECRETKEY_TMP
createUser {{ .policy }}
{{- end }}
{{- end }}
{{- end }}
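Review bot: `if [ ! -z $POLICY -a $POLICY != " " ]` on line 3337 is unquoted, so when `createUser {{ .policy }}` renders with an empty policy (line 3362/3365) the test becomes `[ ! -z -a != " " ]`, which is a malformed expression rather than a false condition; write it as `if [ -n "$POLICY" ] && [ "$POLICY" != " " ]; then`. `[[` on lines 3317 and 3321 is the same non-POSIX construct already noted for the svcacct helper. A one-line comment above line 3330 would help, since feeding the credentials file to `mc admin user add` via stdin is the reason the temp file exists and is the pattern the svcacct helper should follow.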


@ -0,0 +1,58 @@
#!/bin/sh
set -e ; # Have script exit in the event of a failed command.
{{- if .Values.configPathmc }}
MC_CONFIG_DIR="{{ .Values.configPathmc }}"
MC="/usr/bin/mc --insecure --config-dir ${MC_CONFIG_DIR}"
{{- else }}
MC="/usr/bin/mc --insecure"
{{- end }}
# connectToMinio
# Use a check-sleep-check loop to wait for MinIO service to be available
connectToMinio() {
SCHEME=$1
ATTEMPTS=0 ; LIMIT=29 ; # Allow 30 attempts
set -e ; # fail if we can't read the keys.
ACCESS=$(cat /config/rootUser) ; SECRET=$(cat /config/rootPassword) ;
set +e ; # The connections to minio are allowed to fail.
echo "Connecting to MinIO server: $SCHEME://$MINIO_ENDPOINT:$MINIO_PORT" ;
MC_COMMAND="${MC} alias set myminio $SCHEME://$MINIO_ENDPOINT:$MINIO_PORT $ACCESS $SECRET" ;
$MC_COMMAND ;
STATUS=$? ;
until [ $STATUS = 0 ]
do
ATTEMPTS=`expr $ATTEMPTS + 1` ;
echo \"Failed attempts: $ATTEMPTS\" ;
if [ $ATTEMPTS -gt $LIMIT ]; then
exit 1 ;
fi ;
sleep 2 ; # 1 second intervals between attempts
$MC_COMMAND ;
STATUS=$? ;
done ;
set -e ; # reset `e` as active
return 0
}
# runCommand ($@)
# Run custom mc command
runCommand() {
${MC} "$@"
return $?
}
# Try connecting to MinIO instance
{{- if .Values.tls.enabled }}
scheme=https
{{- else }}
scheme=http
{{- end }}
connectToMinio $scheme
{{ if .Values.customCommands }}
# Run custom commands
{{- range .Values.customCommands }}
runCommand {{ .command }}
{{- end }}
{{- end }}
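Review bot: `runCommand {{ .command }}` on line 3423 splices the value verbatim into the script, so everything in `.command` is interpreted by the shell, including any metacharacters; that is presumably intended for an operator-supplied command, but the header comment on lines 3407–3408 should state it, e.g. `# Run custom mc command; the value is emitted unescaped and evaluated by the shell`. `return $?` on line 3411 is redundant: a function returns the status of its last command, and `set -e` on line 3374 aborts the job on a failing `mc` call before the return is reached.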


@ -0,0 +1,28 @@
{{- $statements_length := len .statements -}}
{{- $statements_length := sub $statements_length 1 -}}
{
"Version": "2012-10-17",
"Statement": [
{{- range $i, $statement := .statements }}
{
"Effect": "Allow",
"Action": [
"{{ $statement.actions | join "\",\n\"" }}"
]{{ if $statement.resources }},
"Resource": [
"{{ $statement.resources | join "\",\n\"" }}"
]{{ end }}
{{- if $statement.conditions }}
{{- $condition_len := len $statement.conditions }}
{{- $condition_len := sub $condition_len 1 }}
,
"Condition": {
{{- range $k,$v := $statement.conditions }}
{{- range $operator,$object := $v }}
"{{ $operator }}": { {{ $object }} }{{- if lt $k $condition_len }},{{- end }}
{{- end }}{{- end }}
}{{- end }}
}{{ if lt $i $statements_length }},{{end }}
{{- end }}
]
}
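Review bot: The comma decision on line 3451, `{{- if lt $k $condition_len }}`, compares the outer condition index `$k` (line 3449) with `$condition_len`, but the line is emitted once per entry of the inner `range` on line 3450, so a condition mapping that carries more than one operator produces two `"op": {...}` members with no comma between them and the policy is not valid JSON — hedged, since whether such conditions occur depends on values outside this chunk. `{ {{ $object }} }` on the same line renders `$object` with Go's default formatting, which is only valid JSON when the value is already a JSON-formatted string; `{{ $object | toJson }}` would handle maps as well. A header comment stating the expected shape of `.statements[].conditions` (one operator per entry, pre-formatted object body) would make the limitation explicit.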


@ -0,0 +1,246 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "minio.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "minio.fullname" -}}
{{- if .Values.fullnameOverride -}}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "minio.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Return the appropriate apiVersion for networkpolicy.
*/}}
{{- define "minio.networkPolicy.apiVersion" -}}
{{- if semverCompare ">=1.4-0, <1.7-0" .Capabilities.KubeVersion.Version -}}
{{- print "extensions/v1beta1" -}}
{{- else if semverCompare ">=1.7-0, <1.16-0" .Capabilities.KubeVersion.Version -}}
{{- print "networking.k8s.io/v1beta1" -}}
{{- else if semverCompare "^1.16-0" .Capabilities.KubeVersion.Version -}}
{{- print "networking.k8s.io/v1" -}}
{{- end -}}
{{- end -}}
{{/*
Return the appropriate apiVersion for deployment.
*/}}
{{- define "minio.deployment.apiVersion" -}}
{{- if semverCompare "<1.9-0" .Capabilities.KubeVersion.Version -}}
{{- print "apps/v1beta2" -}}
{{- else -}}
{{- print "apps/v1" -}}
{{- end -}}
{{- end -}}
{{/*
Return the appropriate apiVersion for statefulset.
*/}}
{{- define "minio.statefulset.apiVersion" -}}
{{- if semverCompare "<1.16-0" .Capabilities.KubeVersion.Version -}}
{{- print "apps/v1beta2" -}}
{{- else -}}
{{- print "apps/v1" -}}
{{- end -}}
{{- end -}}
{{/*
Return the appropriate apiVersion for ingress.
*/}}
{{- define "minio.ingress.apiVersion" -}}
{{- if semverCompare "<1.14-0" .Capabilities.KubeVersion.GitVersion -}}
{{- print "extensions/v1beta1" -}}
{{- else if semverCompare "<1.19-0" .Capabilities.KubeVersion.GitVersion -}}
{{- print "networking.k8s.io/v1beta1" -}}
{{- else -}}
{{- print "networking.k8s.io/v1" -}}
{{- end -}}
{{- end -}}
{{/*
Return the appropriate apiVersion for console ingress.
*/}}
{{- define "minio.consoleIngress.apiVersion" -}}
{{- if semverCompare "<1.14-0" .Capabilities.KubeVersion.GitVersion -}}
{{- print "extensions/v1beta1" -}}
{{- else if semverCompare "<1.19-0" .Capabilities.KubeVersion.GitVersion -}}
{{- print "networking.k8s.io/v1beta1" -}}
{{- else -}}
{{- print "networking.k8s.io/v1" -}}
{{- end -}}
{{- end -}}
{{/*
Determine secret name.
*/}}
{{- define "minio.secretName" -}}
{{- if .Values.existingSecret -}}
{{- .Values.existingSecret }}
{{- else -}}
{{- include "minio.fullname" . -}}
{{- end -}}
{{- end -}}
{{/*
Determine name for scc role and rolebinding
*/}}
{{- define "minio.sccRoleName" -}}
{{- printf "%s-%s" "scc" (include "minio.fullname" .) | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Properly format optional additional arguments to MinIO binary
*/}}
{{- define "minio.extraArgs" -}}
{{- range .Values.extraArgs -}}
{{ " " }}{{ . }}
{{- end -}}
{{- end -}}
{{/*
Return the proper Docker Image Registry Secret Names
*/}}
{{- define "minio.imagePullSecrets" -}}
{{/*
Helm 2.11 supports the assignment of a value to a variable defined in a different scope,
but Helm 2.9 and 2.10 does not support it, so we need to implement this if-else logic.
Also, we can not use a single if because lazy evaluation is not an option
*/}}
{{- if .Values.global }}
{{- if .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- range .Values.global.imagePullSecrets }}
- name: {{ . }}
{{- end }}
{{- else if .Values.imagePullSecrets }}
imagePullSecrets:
{{ toYaml .Values.imagePullSecrets }}
{{- end -}}
{{- else if .Values.imagePullSecrets }}
imagePullSecrets:
{{ toYaml .Values.imagePullSecrets }}
{{- end -}}
{{- end -}}
{{/*
Formats volumeMount for MinIO TLS keys and trusted certs
*/}}
{{- define "minio.tlsKeysVolumeMount" -}}
{{- if .Values.tls.enabled }}
- name: cert-secret-volume
mountPath: {{ .Values.certsPath }}
{{- end }}
{{- if or .Values.tls.enabled (ne .Values.trustedCertsSecret "") }}
{{- $casPath := printf "%s/CAs" .Values.certsPath | clean }}
- name: trusted-cert-secret-volume
mountPath: {{ $casPath }}
{{- end }}
{{- end -}}
{{/*
Formats volume for MinIO TLS keys and trusted certs
*/}}
{{- define "minio.tlsKeysVolume" -}}
{{- if .Values.tls.enabled }}
- name: cert-secret-volume
secret:
secretName: {{ tpl .Values.tls.certSecret $ }}
items:
- key: {{ .Values.tls.publicCrt }}
path: public.crt
- key: {{ .Values.tls.privateKey }}
path: private.key
{{- end }}
{{- if or .Values.tls.enabled (ne .Values.trustedCertsSecret "") }}
{{- $certSecret := eq .Values.trustedCertsSecret "" | ternary .Values.tls.certSecret .Values.trustedCertsSecret }}
{{- $publicCrt := eq .Values.trustedCertsSecret "" | ternary .Values.tls.publicCrt "" }}
- name: trusted-cert-secret-volume
secret:
secretName: {{ $certSecret }}
{{- if ne $publicCrt "" }}
items:
- key: {{ $publicCrt }}
path: public.crt
{{- end }}
{{- end }}
{{- end -}}
{{/*
Returns the available value for certain key in an existing secret (if it exists),
otherwise it generates a random value.
*/}}
{{- define "minio.getValueFromSecret" }}
{{- $len := (default 16 .Length) | int -}}
{{- $obj := (lookup "v1" "Secret" .Namespace .Name).data -}}
{{- if $obj }}
{{- index $obj .Key | b64dec -}}
{{- else -}}
{{- randAlphaNum $len -}}
{{- end -}}
{{- end }}
{{- define "minio.root.username" -}}
{{- if .Values.rootUser }}
{{- .Values.rootUser | toString }}
{{- else }}
{{- include "minio.getValueFromSecret" (dict "Namespace" .Release.Namespace "Name" (include "minio.fullname" .) "Length" 20 "Key" "rootUser") }}
{{- end }}
{{- end -}}
{{- define "minio.root.password" -}}
{{- if .Values.rootPassword }}
{{- .Values.rootPassword | toString }}
{{- else }}
{{- include "minio.getValueFromSecret" (dict "Namespace" .Release.Namespace "Name" (include "minio.fullname" .) "Length" 40 "Key" "rootPassword") }}
{{- end }}
{{- end -}}
{{/*
Windows cluster will add default taint for linux nodes, add below linux tolerations to
workloads could be scheduled to those linux nodes
*/}}
{{- define "linux-node-tolerations" -}}
- key: "cattle.io/os"
value: "linux"
effect: "NoSchedule"
operator: "Equal"
{{- end -}}
{{- define "linux-node-selector" -}}
{{- if semverCompare "<1.14-0" .Capabilities.KubeVersion.GitVersion -}}
beta.kubernetes.io/os: linux
{{- else -}}
kubernetes.io/os: linux
{{- end -}}
{{- end -}}
{{/*
URL prefix for container images to be compatible with Rancher
*/}}
{{- define "registry-url" -}}
{{- if .Values.global.cattle.systemDefaultRegistry -}}
{{ trimSuffix "/" .Values.global.cattle.systemDefaultRegistry }}/
{{- end -}}
{{- end -}}
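Review bot: `minio.tlsKeysVolume` renders the key volume with `secretName: {{ tpl .Values.tls.certSecret $ }}` but the trusted-cert volume a few lines later takes `.Values.tls.certSecret` untemplated through `$certSecret`, so a templated secret name resolves for `public.crt`/`private.key` and is used literally for the CA bundle; `{{- $certSecret := eq .Values.trustedCertsSecret "" | ternary (tpl .Values.tls.certSecret $) .Values.trustedCertsSecret }}` aligns the two. `minio.getValueFromSecret` falls back to `randAlphaNum` whenever `lookup` returns nothing, which as far as I know includes `helm template`, `--dry-run` and clients without read access to Secrets, so the rendered root credentials in those modes differ from what is live; and if the Secret exists but lacks `.Key`, `index $obj .Key` yields nil and `b64dec` errors instead of regenerating. A comment on the define such as `# lookup is empty under helm template/--dry-run: a fresh random value is rendered then` would save an operator a surprise. `minio.root.password` also accepts `.Values.rootPassword` inline, which then persists in cleartext in the release secret — worth stating next to the define.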


@ -0,0 +1,32 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ template "minio.fullname" . }}
labels:
app: {{ template "minio.name" . }}
chart: {{ template "minio.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
data:
initialize: |-
{{- include (print $.Template.BasePath "/_helper_create_bucket.txt") . | nindent 4 }}
add-user: |-
{{- include (print $.Template.BasePath "/_helper_create_user.txt") . | nindent 4 }}
add-policy: |-
{{- include (print $.Template.BasePath "/_helper_create_policy.txt") . | nindent 4 }}
{{- range $idx, $policy := .Values.policies }}
# Policy: {{ $policy.name }}
policy_{{ $idx }}.json: |-
{{- include (print $.Template.BasePath "/_helper_policy.tpl") . | nindent 4 }}
{{ end }}
{{- range $idx, $svc := .Values.svcaccts }}
{{- if $svc.policy }}
# SVC: {{ $svc.accessKey }}
svc_policy_{{ $idx }}.json: |-
{{- include (print $.Template.BasePath "/_helper_policy.tpl") .policy | nindent 4 }}
{{- end }}
{{- end }}
add-svcacct: |-
{{- include (print $.Template.BasePath "/_helper_create_svcacct.txt") . | nindent 4 }}
custom-command: |-
{{- include (print $.Template.BasePath "/_helper_custom_command.txt") . | nindent 4 }}
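Review bot: The `{{ end }}` closing the `policies` range is the only untrimmed action in this file, so every rendered policy entry is followed by a stray blank line; `{{- end }}` matches the `svcaccts` loop directly below. The `# Policy:` and `# SVC: {{ $svc.accessKey }}` lines are YAML comments and, as far as I know, are dropped when Helm parses the rendered manifest, so they document the template rather than the ConfigMap — fine, but do not rely on them to identify which `svc_policy_N.json` belongs to which access key; an explicit key such as `svc_policy_{{ $idx }}.json` is already the only durable handle.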


@ -0,0 +1,55 @@
{{- if .Values.consoleIngress.enabled -}}
{{- $fullName := printf "%s-console" (include "minio.fullname" .) -}}
{{- $servicePort := .Values.consoleService.port -}}
{{- $ingressPath := .Values.consoleIngress.path -}}
apiVersion: {{ template "minio.consoleIngress.apiVersion" . }}
kind: Ingress
metadata:
name: {{ $fullName }}
labels:
app: {{ template "minio.name" . }}
chart: {{ template "minio.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
{{- with .Values.consoleIngress.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.consoleIngress.annotations }}
annotations: {{- toYaml . | nindent 4 }}
{{- end }}
spec:
{{- if .Values.consoleIngress.ingressClassName }}
ingressClassName: {{ .Values.consoleIngress.ingressClassName }}
{{- end }}
{{- if .Values.consoleIngress.tls }}
tls:
{{- range .Values.consoleIngress.tls }}
- hosts:
{{- range .hosts }}
- {{ . | quote }}
{{- end }}
secretName: {{ .secretName }}
{{- end }}
{{- end }}
rules:
{{- range .Values.consoleIngress.hosts }}
- http:
paths:
- path: {{ $ingressPath }}
{{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
pathType: Prefix
backend:
service:
name: {{ $fullName }}
port:
number: {{ $servicePort }}
{{- else }}
backend:
serviceName: {{ $fullName }}
servicePort: {{ $servicePort }}
{{- end }}
{{- if . }}
host: {{ tpl . $ | quote }}
{{- end }}
{{- end }}
{{- end }}
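Review bot: Hosts under `rules` are rendered through `tpl . $`, but the hosts under `tls` are emitted with `{{ . | quote }}` only, so a templated hostname (one referencing `.Release.Namespace`, say) resolves in the rule and stays literal in the TLS block, and the served host will not match the certificate entry; `- {{ tpl . $ | quote }}` in the `tls` loop aligns them. `secretName: {{ .secretName }}` is left unquoted while the neighbouring hosts are quoted — `{{ .secretName | quote }}` keeps the block consistent. This ingress fronts the admin console, so a short comment that the console's own login is the only authentication in front of it would help reviewers of values files.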


@ -0,0 +1,43 @@
{{ $scheme := .Values.tls.enabled | ternary "https" "http" }}
apiVersion: v1
kind: Service
metadata:
name: {{ template "minio.fullname" . }}-console
labels:
app: {{ template "minio.name" . }}
chart: {{ template "minio.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
{{- if .Values.consoleService.annotations }}
annotations: {{- toYaml .Values.consoleService.annotations | nindent 4 }}
{{- end }}
spec:
{{- if (or (eq .Values.consoleService.type "ClusterIP" "") (empty .Values.consoleService.type)) }}
type: ClusterIP
{{- if not (empty .Values.consoleService.clusterIP) }}
clusterIP: {{ .Values.consoleService.clusterIP }}
{{- end }}
{{- else if eq .Values.consoleService.type "LoadBalancer" }}
type: {{ .Values.consoleService.type }}
loadBalancerIP: {{ default "" .Values.consoleService.loadBalancerIP }}
{{- else }}
type: {{ .Values.consoleService.type }}
{{- end }}
ports:
- name: {{ $scheme }}
port: {{ .Values.consoleService.port }}
protocol: TCP
{{- if (and (eq .Values.consoleService.type "NodePort") ( .Values.consoleService.nodePort)) }}
nodePort: {{ .Values.consoleService.nodePort }}
{{- else }}
targetPort: {{ .Values.minioConsolePort }}
{{- end }}
{{- if .Values.consoleService.externalIPs }}
externalIPs:
{{- range $i , $ip := .Values.consoleService.externalIPs }}
- {{ $ip }}
{{- end }}
{{- end }}
selector:
app: {{ template "minio.name" . }}
release: {{ .Release.Name }}
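Review bot: When `consoleService.type` is `NodePort` and `nodePort` is set, the `else` branch drops `targetPort`, so the Service forwards to `consoleService.port` on the pod instead of `minioConsolePort`; the two only coincide when the values happen to match. `nodePort` and `targetPort` are independent fields — emit `targetPort: {{ .Values.minioConsolePort }}` unconditionally and keep only the `nodePort:` line under its `if`. `loadBalancerIP: {{ default "" .Values.consoleService.loadBalancerIP }}` renders an empty string when unset, which is accepted but clutters diffs; wrapping it in `{{- if }}` as the other optional fields are would be tidier.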


@ -0,0 +1,198 @@
{{- if eq .Values.mode "standalone" }}
{{ $scheme := .Values.tls.enabled | ternary "https" "http" }}
{{ $bucketRoot := or ($.Values.bucketRoot) ($.Values.mountPath) }}
apiVersion: {{ template "minio.deployment.apiVersion" . }}
kind: Deployment
metadata:
name: {{ template "minio.fullname" . }}
labels:
app: {{ template "minio.name" . }}
chart: {{ template "minio.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
{{- if .Values.additionalLabels }}
{{- toYaml .Values.additionalLabels | nindent 4 }}
{{- end }}
{{- if .Values.additionalAnnotations }}
annotations: {{- toYaml .Values.additionalAnnotations | nindent 4 }}
{{- end }}
spec:
strategy:
type: {{ .Values.deploymentUpdate.type }}
{{- if eq .Values.deploymentUpdate.type "RollingUpdate" }}
rollingUpdate:
maxSurge: {{ .Values.deploymentUpdate.maxSurge }}
maxUnavailable: {{ .Values.deploymentUpdate.maxUnavailable }}
{{- end }}
replicas: 1
selector:
matchLabels:
app: {{ template "minio.name" . }}
release: {{ .Release.Name }}
template:
metadata:
name: {{ template "minio.fullname" . }}
labels:
app: {{ template "minio.name" . }}
release: {{ .Release.Name }}
{{- if .Values.podLabels }}
{{- toYaml .Values.podLabels | nindent 8 }}
{{- end }}
annotations:
{{- if not .Values.ignoreChartChecksums }}
checksum/secrets: {{ include (print $.Template.BasePath "/secrets.yaml") . | sha256sum }}
checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
{{- end }}
{{- if .Values.podAnnotations }}
{{- toYaml .Values.podAnnotations | trimSuffix "\n" | nindent 8 }}
{{- end }}
spec:
{{- if .Values.priorityClassName }}
priorityClassName: "{{ .Values.priorityClassName }}"
{{- end }}
{{- if .Values.runtimeClassName }}
runtimeClassName: "{{ .Values.runtimeClassName }}"
{{- end }}
{{- if and .Values.securityContext.enabled .Values.persistence.enabled }}
securityContext:
runAsUser: {{ .Values.securityContext.runAsUser }}
runAsGroup: {{ .Values.securityContext.runAsGroup }}
fsGroup: {{ .Values.securityContext.fsGroup }}
{{- if and (ge .Capabilities.KubeVersion.Major "1") (ge .Capabilities.KubeVersion.Minor "20") }}
fsGroupChangePolicy: {{ .Values.securityContext.fsGroupChangePolicy }}
{{- end }}
{{- end }}
{{ if .Values.serviceAccount.create }}
serviceAccountName: {{ .Values.serviceAccount.name }}
{{- end }}
containers:
- name: {{ .Chart.Name }}
image: "{{ default .Values.image.registry (include "registry-url" .) }}{{ .Values.image.repository }}:{{ .Values.image.tag }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
command:
- "/bin/sh"
- "-ce"
- "/usr/bin/docker-entrypoint.sh minio server {{ $bucketRoot }} -S {{ .Values.certsPath }} --address :{{ .Values.minioAPIPort }} --console-address :{{ .Values.minioConsolePort }} {{- template "minio.extraArgs" . }}"
volumeMounts:
- name: minio-user
mountPath: "/tmp/credentials"
readOnly: true
- name: export
mountPath: {{ .Values.mountPath }}
{{- if and .Values.persistence.enabled .Values.persistence.subPath }}
subPath: "{{ .Values.persistence.subPath }}"
{{- end }}
{{- if .Values.extraSecret }}
- name: extra-secret
mountPath: "/tmp/minio-config-env"
{{- end }}
{{- include "minio.tlsKeysVolumeMount" . | indent 12 }}
{{- if .Values.extraVolumeMounts }}
{{- toYaml .Values.extraVolumeMounts | nindent 12 }}
{{- end }}
ports:
- name: {{ $scheme }}
containerPort: {{ .Values.minioAPIPort }}
- name: {{ $scheme }}-console
containerPort: {{ .Values.minioConsolePort }}
env:
- name: MINIO_ROOT_USER
valueFrom:
secretKeyRef:
name: {{ template "minio.secretName" . }}
key: rootUser
- name: MINIO_ROOT_PASSWORD
valueFrom:
secretKeyRef:
name: {{ template "minio.secretName" . }}
key: rootPassword
{{- if .Values.extraSecret }}
- name: MINIO_CONFIG_ENV_FILE
value: "/tmp/minio-config-env/config.env"
{{- end }}
{{- if .Values.metrics.serviceMonitor.public }}
- name: MINIO_PROMETHEUS_AUTH_TYPE
value: "public"
{{- end }}
{{- if .Values.oidc.enabled }}
- name: MINIO_IDENTITY_OPENID_CONFIG_URL
value: {{ .Values.oidc.configUrl }}
- name: MINIO_IDENTITY_OPENID_CLIENT_ID
value: {{ .Values.oidc.clientId }}
- name: MINIO_IDENTITY_OPENID_CLIENT_SECRET
value: {{ .Values.oidc.clientSecret }}
- name: MINIO_IDENTITY_OPENID_CLAIM_NAME
value: {{ .Values.oidc.claimName }}
- name: MINIO_IDENTITY_OPENID_CLAIM_PREFIX
value: {{ .Values.oidc.claimPrefix }}
- name: MINIO_IDENTITY_OPENID_SCOPES
value: {{ .Values.oidc.scopes }}
- name: MINIO_IDENTITY_OPENID_REDIRECT_URI
value: {{ .Values.oidc.redirectUri }}
- name: MINIO_IDENTITY_OPENID_COMMENT
value: {{ .Values.oidc.comment }}
{{- end }}
{{- if .Values.etcd.endpoints }}
- name: MINIO_ETCD_ENDPOINTS
value: {{ join "," .Values.etcd.endpoints | quote }}
{{- if .Values.etcd.clientCert }}
- name: MINIO_ETCD_CLIENT_CERT
value: "/tmp/credentials/etcd_client_cert.pem"
{{- end }}
{{- if .Values.etcd.clientCertKey }}
- name: MINIO_ETCD_CLIENT_CERT_KEY
value: "/tmp/credentials/etcd_client_cert_key.pem"
{{- end }}
{{- if .Values.etcd.pathPrefix }}
- name: MINIO_ETCD_PATH_PREFIX
value: {{ .Values.etcd.pathPrefix }}
{{- end }}
{{- if .Values.etcd.corednsPathPrefix }}
- name: MINIO_ETCD_COREDNS_PATH
value: {{ .Values.etcd.corednsPathPrefix }}
{{- end }}
{{- end }}
{{- range $key, $val := .Values.environment }}
- name: {{ $key }}
value: {{ tpl $val $ | quote }}
{{- end }}
resources: {{- toYaml .Values.resources | nindent 12 }}
{{- with .Values.extraContainers }}
{{- if eq (typeOf .) "string" }}
{{- tpl . $ | nindent 8 }}
{{- else }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- end }}
nodeSelector:
{{- include "linux-node-selector" . | nindent 8 }}
{{- include "minio.imagePullSecrets" . | indent 6 }}
{{- with .Values.affinity }}
affinity: {{- toYaml . | nindent 8 }}
{{- end }}
tolerations: {{- toYaml . | nindent 8 }}
{{- include "linux-node-tolerations" . | nindent 8 }}
{{- with .Values.tolerations }}
{{ toYaml . | indent 8 }}
{{- end }}
volumes:
- name: export
{{- if .Values.persistence.enabled }}
persistentVolumeClaim:
claimName: {{ .Values.persistence.existingClaim | default (include "minio.fullname" .) }}
{{- else }}
emptyDir: {}
{{- end }}
{{- if .Values.extraSecret }}
- name: extra-secret
secret:
secretName: {{ .Values.extraSecret }}
{{- end }}
- name: minio-user
secret:
secretName: {{ template "minio.secretName" . }}
{{- include "minio.tlsKeysVolume" . | indent 8 }}
{{- if .Values.extraVolumes }}
{{ toYaml .Values.extraVolumes | nindent 8 }}
{{- end }}
{{- end }}
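Review bot: `tolerations: {{- toYaml . | nindent 8 }}` is evaluated at pod-spec level where `.` is the root template context (the preceding `with .Values.affinity` has already closed), so it serializes the whole context — including `.Values`, with any inline `rootPassword` or `oidc.clientSecret` — under `tolerations`, and the result is a mapping where the API expects a list; the line should be just `tolerations:`, with the `linux-node-tolerations` include and the `with .Values.tolerations` block that follow supplying the entries. `MINIO_IDENTITY_OPENID_CLIENT_SECRET` is passed as a literal `value:` from values, which lands in the Deployment object and the release secret for anyone with `get deployments`; a `secretKeyRef`, or routing it through the `extraSecret`/`MINIO_CONFIG_ENV_FILE` path the chart already supports a few lines above, keeps it out of the pod spec. The `MINIO_ETCD_CLIENT_CERT` paths point into the `minio-user` mount, so they depend on the key names in `secrets.yaml` — a comment here naming that coupling would help whoever edits either file.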


@ -0,0 +1,55 @@
{{- if .Values.ingress.enabled -}}
{{- $fullName := include "minio.fullname" . -}}
{{- $servicePort := .Values.service.port -}}
{{- $ingressPath := .Values.ingress.path -}}
apiVersion: {{ template "minio.ingress.apiVersion" . }}
kind: Ingress
metadata:
name: {{ $fullName }}
labels:
app: {{ template "minio.name" . }}
chart: {{ template "minio.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
{{- with .Values.ingress.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.ingress.annotations }}
annotations: {{- toYaml . | nindent 4 }}
{{- end }}
spec:
{{- if .Values.ingress.ingressClassName }}
ingressClassName: {{ .Values.ingress.ingressClassName }}
{{- end }}
{{- if .Values.ingress.tls }}
tls:
{{- range .Values.ingress.tls }}
- hosts:
{{- range .hosts }}
- {{ . | quote }}
{{- end }}
secretName: {{ .secretName }}
{{- end }}
{{- end }}
rules:
{{- range .Values.ingress.hosts }}
- http:
paths:
- path: {{ $ingressPath }}
{{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
pathType: Prefix
backend:
service:
name: {{ $fullName }}
port:
number: {{ $servicePort }}
{{- else }}
backend:
serviceName: {{ $fullName }}
servicePort: {{ $servicePort }}
{{- end }}
{{- if . }}
host: {{ tpl . $ | quote }}
{{- end }}
{{- end }}
{{- end }}
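Review bot: The `tls` block quotes its hosts but does not pass them through `tpl`, whereas the `rules` block renders `host: {{ tpl . $ | quote }}`, so a templated API hostname ends up with a rule that resolves and a TLS entry that does not; `- {{ tpl . $ | quote }}` in the `tls` loop keeps the two in step. `secretName: {{ .secretName }}` is unquoted while everything around it is quoted — `| quote` for consistency. `pathType: Prefix` is fixed while `path` comes from values; a `{{ default "Prefix" .Values.ingress.pathType }}` lets operators use `Exact` or `ImplementationSpecific` where their controller needs it.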


@ -0,0 +1,26 @@
{{- if .Values.networkPolicy.enabled }}
kind: NetworkPolicy
apiVersion: {{ template "minio.networkPolicy.apiVersion" . }}
metadata:
name: {{ template "minio.fullname" . }}
labels:
app: {{ template "minio.name" . }}
chart: {{ template "minio.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
spec:
podSelector:
matchLabels:
app: {{ template "minio.name" . }}
release: {{ .Release.Name }}
ingress:
- ports:
- port: {{ .Values.minioAPIPort }}
- port: {{ .Values.minioConsolePort }}
{{- if not .Values.networkPolicy.allowExternal }}
from:
- podSelector:
matchLabels:
{{ template "minio.name" . }}-client: "true"
{{- end }}
{{- end }}
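Review bot: With `allowExternal: false` the only permitted source is a pod in this namespace labelled `<name>-client: "true"`, but the post-install Job's pod template (labels `app: <name>-job`, `release`, plus `podLabels`) carries no such label, so the bucket/user/policy job is blocked by the policy shipped alongside it unless the operator adds the label through `podLabels`; adding `{{ template "minio.name" . }}-client: "true"` to the Job's pod labels closes that gap. The `podSelector` has no `namespaceSelector`, so clients are restricted to the release namespace — worth a comment next to `allowExternal` since that is easy to misread as cluster-wide. There is no `policyTypes`, so only ingress is governed and egress stays open; `policyTypes: [Ingress]` makes that explicit rather than implicit.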


@ -0,0 +1,17 @@
{{- if .Values.podDisruptionBudget.enabled }}
{{- if .Capabilities.APIVersions.Has "policy/v1beta1/PodDisruptionBudget" }}
apiVersion: policy/v1beta1
{{- else }}
apiVersion: policy/v1
{{- end }}
kind: PodDisruptionBudget
metadata:
name: minio
labels:
app: {{ template "minio.name" . }}
spec:
maxUnavailable: {{ .Values.podDisruptionBudget.maxUnavailable }}
selector:
matchLabels:
app: {{ template "minio.name" . }}
{{- end }}
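Review bot: `name: minio` is hard-coded while every other resource in the chart uses `minio.fullname`, and the selector matches `app:` alone without `release:`, so two releases in one namespace collide on the PDB name and one release's budget counts the other's pods; use `name: {{ template "minio.fullname" . }}` and add `release: {{ .Release.Name }}` to `matchLabels`, mirroring the Deployment selector. The apiVersion check prefers `policy/v1beta1` whenever it is served, even where `policy/v1` exists; testing for `policy/v1/PodDisruptionBudget` first avoids the deprecated API on clusters that still serve both.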


@ -0,0 +1,256 @@
{{- if or .Values.buckets .Values.users .Values.policies .Values.customCommands .Values.svcaccts }}
apiVersion: batch/v1
kind: Job
metadata:
name: {{ template "minio.fullname" . }}-post-job
labels:
app: {{ template "minio.name" . }}-post-job
chart: {{ template "minio.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
annotations:
"helm.sh/hook": post-install,post-upgrade
"helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation
{{- with .Values.postJob.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
template:
metadata:
labels:
app: {{ template "minio.name" . }}-job
release: {{ .Release.Name }}
{{- if .Values.podLabels }}
{{- toYaml .Values.podLabels | nindent 8 }}
{{- end }}
{{- if .Values.postJob.podAnnotations }}
annotations: {{- toYaml .Values.postJob.podAnnotations | nindent 8 }}
{{- end }}
spec:
restartPolicy: OnFailure
{{- include "minio.imagePullSecrets" . | indent 6 }}
nodeSelector:
{{- include "linux-node-selector" . | nindent 8 }}
{{- with .Values.postJob.affinity }}
affinity: {{- toYaml . | nindent 8 }}
{{- end }}
tolerations:
{{- include "linux-node-tolerations" . | nindent 8 }}
{{- with .Values.postJob.tolerations }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if .Values.postJob.securityContext.enabled }}
securityContext:
runAsUser: {{ .Values.postJob.securityContext.runAsUser }}
runAsGroup: {{ .Values.postJob.securityContext.runAsGroup }}
fsGroup: {{ .Values.postJob.securityContext.fsGroup }}
{{- end }}
volumes:
- name: etc-path
emptyDir: {}
- name: tmp
emptyDir: {}
- name: minio-configuration
projected:
sources:
- configMap:
name: {{ template "minio.fullname" . }}
- secret:
name: {{ template "minio.secretName" . }}
{{- range (concat .Values.users (default (list) .Values.svcaccts)) }}
{{- if .existingSecret }}
- secret:
name: {{ tpl .existingSecret $ }}
items:
- key: {{ .existingSecretKey }}
path: secrets/{{ tpl .existingSecret $ }}/{{ tpl .existingSecretKey $ }}
{{- end }}
{{- end }}
{{- range ( default list .Values.svcaccts ) }}
{{- if .existingSecret }}
- secret:
name: {{ tpl .existingSecret $ }}
items:
- key: {{ .existingSecretKey }}
path: secrets-svc/{{ tpl .existingSecret $ }}/{{ tpl .existingSecretKey $ }}
{{- end }}
{{- end }}
{{- if .Values.tls.enabled }}
- name: cert-secret-volume-mc
secret:
secretName: {{ .Values.tls.certSecret }}
items:
- key: {{ .Values.tls.publicCrt }}
path: CAs/public.crt
{{- end }}
{{- if .Values.serviceAccount.create }}
serviceAccountName: {{ .Values.serviceAccount.name }}
{{- end }}
{{- if .Values.policies }}
initContainers:
- name: minio-make-policy
image: "{{ default .Values.mcImage.registry (include "registry-url" .) }}{{ .Values.mcImage.repository }}:{{ .Values.mcImage.tag }}"
{{- if .Values.makePolicyJob.securityContext.enabled }}
securityContext:
runAsUser: {{ .Values.makePolicyJob.securityContext.runAsUser }}
runAsGroup: {{ .Values.makePolicyJob.securityContext.runAsGroup }}
{{- end }}
imagePullPolicy: {{ .Values.mcImage.pullPolicy }}
{{- if .Values.makePolicyJob.exitCommand }}
command: [ "/bin/sh", "-c" ]
args: [ "/bin/sh /config/add-policy; EV=$?; {{ .Values.makePolicyJob.exitCommand }} && exit $EV" ]
{{- else }}
command: [ "/bin/sh", "/config/add-policy" ]
{{- end }}
env:
- name: MINIO_ENDPOINT
value: {{ template "minio.fullname" . }}
- name: MINIO_PORT
value: {{ .Values.service.port | quote }}
volumeMounts:
- name: etc-path
mountPath: /etc/minio/mc
- name: tmp
mountPath: /tmp
- name: minio-configuration
mountPath: /config
{{- if .Values.tls.enabled }}
- name: cert-secret-volume-mc
mountPath: {{ .Values.configPathmc }}certs
{{- end }}
resources: {{- toYaml .Values.makePolicyJob.resources | nindent 12 }}
{{- end }}
containers:
{{- if .Values.buckets }}
- name: minio-make-bucket
image: "{{ default .Values.mcImage.registry (include "registry-url" .) }}{{ .Values.mcImage.repository }}:{{ .Values.mcImage.tag }}"
{{- if .Values.makeBucketJob.securityContext.enabled }}
securityContext:
runAsUser: {{ .Values.makeBucketJob.securityContext.runAsUser }}
runAsGroup: {{ .Values.makeBucketJob.securityContext.runAsGroup }}
{{- end }}
imagePullPolicy: {{ .Values.mcImage.pullPolicy }}
{{- if .Values.makeBucketJob.exitCommand }}
command: [ "/bin/sh", "-c" ]
args: [ "/bin/sh /config/initialize; EV=$?; {{ .Values.makeBucketJob.exitCommand }} && exit $EV" ]
{{- else }}
command: [ "/bin/sh", "/config/initialize" ]
{{- end }}
env:
- name: MINIO_ENDPOINT
value: {{ template "minio.fullname" . }}
- name: MINIO_PORT
value: {{ .Values.service.port | quote }}
volumeMounts:
- name: etc-path
mountPath: /etc/minio/mc
- name: tmp
mountPath: /tmp
- name: minio-configuration
mountPath: /config
{{- if .Values.tls.enabled }}
- name: cert-secret-volume-mc
mountPath: {{ .Values.configPathmc }}certs
{{- end }}
resources: {{- toYaml .Values.makeBucketJob.resources | nindent 12 }}
{{- end }}
{{- if .Values.users }}
- name: minio-make-user
image: "{{ default .Values.mcImage.registry (include "registry-url" .) }}{{ .Values.mcImage.repository }}:{{ .Values.mcImage.tag }}"
{{- if .Values.makeUserJob.securityContext.enabled }}
securityContext:
runAsUser: {{ .Values.makeUserJob.securityContext.runAsUser }}
runAsGroup: {{ .Values.makeUserJob.securityContext.runAsGroup }}
{{- end }}
imagePullPolicy: {{ .Values.mcImage.pullPolicy }}
{{- if .Values.makeUserJob.exitCommand }}
command: [ "/bin/sh", "-c" ]
args: [ "/bin/sh /config/add-user; EV=$?; {{ .Values.makeUserJob.exitCommand }} && exit $EV" ]
{{- else }}
command: [ "/bin/sh", "/config/add-user" ]
{{- end }}
env:
- name: MINIO_ENDPOINT
value: {{ template "minio.fullname" . }}
- name: MINIO_PORT
value: {{ .Values.service.port | quote }}
volumeMounts:
- name: etc-path
mountPath: /etc/minio/mc
- name: tmp
mountPath: /tmp
- name: minio-configuration
mountPath: /config
{{- if .Values.tls.enabled }}
- name: cert-secret-volume-mc
mountPath: {{ .Values.configPathmc }}certs
{{- end }}
resources: {{- toYaml .Values.makeUserJob.resources | nindent 12 }}
{{- end }}
{{- if .Values.customCommands }}
- name: minio-custom-command
image: "{{ default .Values.mcImage.registry (include "registry-url" .) }}{{ .Values.mcImage.repository }}:{{ .Values.mcImage.tag }}"
{{- if .Values.customCommandJob.securityContext.enabled }}
securityContext:
runAsUser: {{ .Values.customCommandJob.securityContext.runAsUser }}
runAsGroup: {{ .Values.customCommandJob.securityContext.runAsGroup }}
{{- end }}
imagePullPolicy: {{ .Values.mcImage.pullPolicy }}
{{- if .Values.customCommandJob.exitCommand }}
command: [ "/bin/sh", "-c" ]
args: [ "/bin/sh /config/custom-command; EV=$?; {{ .Values.customCommandJob.exitCommand }} && exit $EV" ]
{{- else }}
command: [ "/bin/sh", "/config/custom-command" ]
{{- end }}
env:
- name: MINIO_ENDPOINT
value: {{ template "minio.fullname" . }}
- name: MINIO_PORT
value: {{ .Values.service.port | quote }}
volumeMounts:
- name: etc-path
mountPath: /etc/minio/mc
- name: tmp
mountPath: /tmp
- name: minio-configuration
mountPath: /config
{{- if .Values.tls.enabled }}
- name: cert-secret-volume-mc
mountPath: {{ .Values.configPathmc }}certs
{{- end }}
resources: {{- toYaml .Values.customCommandJob.resources | nindent 12 }}
{{- end }}
{{- if .Values.svcaccts }}
- name: minio-make-svcacct
image: "{{ default .Values.mcImage.registry (include "registry-url" .) }}{{ .Values.mcImage.repository }}:{{ .Values.mcImage.tag }}"
{{- if .Values.makeServiceAccountJob.securityContext.enabled }}
securityContext:
runAsUser: {{ .Values.makeServiceAccountJob.securityContext.runAsUser }}
runAsGroup: {{ .Values.makeServiceAccountJob.securityContext.runAsGroup }}
{{- end }}
imagePullPolicy: {{ .Values.mcImage.pullPolicy }}
{{- if .Values.makeServiceAccountJob.exitCommand }}
command: [ "/bin/sh", "-c" ]
args: ["/bin/sh /config/add-svcacct; EV=$?; {{ .Values.makeServiceAccountJob.exitCommand }} && exit $EV" ]
{{- else }}
command: ["/bin/sh", "/config/add-svcacct"]
{{- end }}
env:
- name: MINIO_ENDPOINT
value: {{ template "minio.fullname" . }}
- name: MINIO_PORT
value: {{ .Values.service.port | quote }}
volumeMounts:
- name: etc-path
mountPath: /etc/minio/mc
- name: tmp
mountPath: /tmp
- name: minio-configuration
mountPath: /config
{{- if .Values.tls.enabled }}
- name: cert-secret-volume-mc
mountPath: {{ .Values.configPathmc }}certs
{{- end }}
resources: {{- toYaml .Values.makeServiceAccountJob.resources | nindent 12 }}
{{- end }}
{{- end }}
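Review bot: `cert-secret-volume-mc` uses `secretName: {{ .Values.tls.certSecret }}` without `tpl`, while the server-side `minio.tlsKeysVolume` helper renders the same value through `tpl`, so a templated `tls.certSecret` works for the server and fails for this job; `secretName: {{ tpl .Values.tls.certSecret $ }}` aligns them. The bucket, user, custom-command and service-account steps are sibling `containers`, which Kubernetes starts concurrently, so only the policy step (an `initContainer`) is ordered — nothing guarantees users are created after buckets or custom commands after either; if the scripts depend on one another, chain them in one container or move the earlier steps to `initContainers`. Each `exitCommand` is spliced verbatim into a `sh -c` string, and the root credentials are projected into every container at `/config`, including the custom-command one; both are operator-controlled, but a comment in values saying so would be prudent.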


@ -0,0 +1,86 @@
{{- if .Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy" -}}
{{- if .Values.serviceAccount.create }}
{{- if .Values.global.rbac.pspEnabled }}
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: {{ printf "%s-psp" .Values.serviceAccount.name | quote }}
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: "{{ replace "+" "_" .Chart.Version }}"
app.kubernetes.io/part-of: {{ .Values.serviceAccount.name | quote }}
app: {{ .Values.serviceAccount.name | quote }}
{{- if .Values.global.rbac.pspAnnotations }}
annotations: {{ toYaml .Values.global.rbac.pspAnnotations | nindent 4 }}
{{- end }}
spec:
privileged: false
hostNetwork: false
hostIPC: false
hostPID: false
runAsUser:
# Permits the container to run with root privileges as well.
rule: 'RunAsAny'
seLinux:
# This policy assumes the nodes are using AppArmor rather than SELinux.
rule: 'RunAsAny'
supplementalGroups:
rule: 'MustRunAs'
ranges:
# Forbid adding the root group.
- min: 0
max: 65535
fsGroup:
rule: 'MustRunAs'
ranges:
# Forbid adding the root group.
- min: 0
max: 65535
readOnlyRootFilesystem: false
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ printf "%s-psp" .Values.serviceAccount.name | quote }}
labels:
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: "{{ replace "+" "_" .Chart.Version }}"
app.kubernetes.io/part-of: {{ .Values.serviceAccount.name | quote }}
app: {{ .Values.serviceAccount.name | quote }}
rules:
{{- if semverCompare "> 1.15.0-0" .Capabilities.KubeVersion.GitVersion }}
- apiGroups: ['policy']
{{- else }}
- apiGroups: ['extensions']
{{- end }}
resources: ['podsecuritypolicies']
verbs: ['use']
resourceNames:
- {{ printf "%s-psp" .Values.serviceAccount.name | quote }}
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ printf "%s-psp" .Values.serviceAccount.name | quote }}
labels:
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: "{{ replace "+" "_" .Chart.Version }}"
app.kubernetes.io/part-of: {{ .Values.serviceAccount.name | quote }}
app: {{ .Values.serviceAccount.name | quote }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ printf "%s-psp" .Values.serviceAccount.name | quote }}
subjects:
- kind: ServiceAccount
name: {{ .Values.serviceAccount.name | quote }}
namespace: {{ .Release.Namespace }}
{{- end }}
{{- end }}
{{- end -}}
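Review bot: The comments on `supplementalGroups` and `fsGroup` say "Forbid adding the root group" but both ranges start at `min: 0`, so GID 0 is permitted; either set `min: 1` or correct the comments. With `runAsUser: RunAsAny`, no `allowPrivilegeEscalation: false` and `readOnlyRootFilesystem: false`, this PSP constrains the service account very little, whereas the SCC in the same chart pins the uid; presuming the image runs as a non-root user (the Deployment sets `runAsUser` when persistence is enabled), `rule: 'MustRunAsNonRoot'` and `allowPrivilegeEscalation: false` would bring the two policies into line. `namespace: {{ .Release.Namespace }}` on a PodSecurityPolicy is ignored — the kind is cluster-scoped — and can be dropped.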


@ -0,0 +1,32 @@
{{- if eq .Values.mode "standalone" }}
{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) }}
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: {{ template "minio.fullname" . }}
labels:
app: {{ template "minio.name" . }}
chart: {{ template "minio.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
{{- if .Values.persistence.annotations }}
annotations: {{- toYaml .Values.persistence.annotations | nindent 4 }}
{{- end }}
spec:
accessModes:
- {{ .Values.persistence.accessMode | quote }}
resources:
requests:
storage: {{ .Values.persistence.size | quote }}
{{- if .Values.persistence.storageClass }}
{{- if (eq "-" .Values.persistence.storageClass) }}
storageClassName: ""
{{- else }}
storageClassName: "{{ .Values.persistence.storageClass }}"
{{- end }}
{{- end }}
{{- if .Values.persistence.volumeName }}
volumeName: "{{ .Values.persistence.volumeName }}"
{{- end }}
{{- end }}
{{- end }}


@ -0,0 +1,21 @@
{{- if not .Values.existingSecret }}
apiVersion: v1
kind: Secret
metadata:
name: {{ template "minio.secretName" . }}
labels:
app: {{ template "minio.name" . }}
chart: {{ template "minio.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
type: Opaque
data:
rootUser: {{ include "minio.root.username" . | b64enc | quote }}
rootPassword: {{ include "minio.root.password" . | b64enc | quote }}
{{- if .Values.etcd.clientCert }}
etcd_client.crt: {{ .Values.etcd.clientCert | toString | b64enc | quote }}
{{- end }}
{{- if .Values.etcd.clientCertKey }}
etcd_client.key: {{ .Values.etcd.clientCertKey | toString | b64enc | quote }}
{{- end }}
{{- end }}


@ -0,0 +1,45 @@
{{- if and .Values.securityContext.enabled .Values.persistence.enabled (.Capabilities.APIVersions.Has "security.openshift.io/v1") }}
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
name: {{ template "minio.fullname" . }}
labels:
app: {{ template "minio.name" . }}
chart: {{ template "minio.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: true
allowPrivilegedContainer: false
allowedCapabilities: []
readOnlyRootFilesystem: false
defaultAddCapabilities: []
requiredDropCapabilities:
- KILL
- MKNOD
- SETUID
- SETGID
fsGroup:
type: MustRunAs
ranges:
- max: {{ .Values.securityContext.fsGroup }}
min: {{ .Values.securityContext.fsGroup }}
runAsUser:
type: MustRunAs
uid: {{ .Values.securityContext.runAsUser }}
seLinuxContext:
type: MustRunAs
supplementalGroups:
type: RunAsAny
volumes:
- configMap
- downwardAPI
- emptyDir
- persistentVolumeClaim
- projected
- secret
{{- end }}
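Review bot: `allowPrivilegeEscalation: true` in this SecurityContextConstraints grants more than the MinIO pod appears to need: the StatefulSet runs the container as the non-root `securityContext.runAsUser`, `requiredDropCapabilities` already drops SETUID and SETGID, and nothing in the chart shows a setuid step in the entrypoint. Unless MinIO is known to require it, tighten this to `allowPrivilegeEscalation: false` and mirror it with a container-level `securityContext` in the StatefulSet, which currently sets only pod-level user/group fields. If the image genuinely needs escalation, a comment on the key saying why would save the next reviewer the same question.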


@ -0,0 +1,44 @@
{{ $scheme := .Values.tls.enabled | ternary "https" "http" }}
apiVersion: v1
kind: Service
metadata:
name: {{ template "minio.fullname" . }}
labels:
app: {{ template "minio.name" . }}
chart: {{ template "minio.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
monitoring: "true"
{{- if .Values.service.annotations }}
annotations: {{- toYaml .Values.service.annotations | nindent 4 }}
{{- end }}
spec:
{{- if (or (eq .Values.service.type "ClusterIP" "") (empty .Values.service.type)) }}
type: ClusterIP
{{- if not (empty .Values.service.clusterIP) }}
clusterIP: {{ .Values.service.clusterIP }}
{{- end }}
{{- else if eq .Values.service.type "LoadBalancer" }}
type: {{ .Values.service.type }}
loadBalancerIP: {{ default "" .Values.service.loadBalancerIP }}
{{- else }}
type: {{ .Values.service.type }}
{{- end }}
ports:
- name: {{ $scheme }}
port: {{ .Values.service.port }}
protocol: TCP
{{- if (and (eq .Values.service.type "NodePort") ( .Values.service.nodePort)) }}
nodePort: {{ .Values.service.nodePort }}
{{- else }}
targetPort: {{ .Values.minioAPIPort }}
{{- end }}
{{- if .Values.service.externalIPs }}
externalIPs:
{{- range $i , $ip := .Values.service.externalIPs }}
- {{ $ip }}
{{- end }}
{{- end }}
selector:
app: {{ template "minio.name" . }}
release: {{ .Release.Name }}
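Review bot: The `externalIPs` loop binds `$i` that it never uses and emits each address as a plain scalar; `{{- range .Values.service.externalIPs }}` with `- {{ . | quote }}` reads cleaner and keeps any unusual value a string. The `loadBalancerIP: {{ default "" .Values.service.loadBalancerIP }}` line renders an empty value (YAML null) when unset, which the API treats as unset, so it is only a readability point, but wrapping it in `{{- with .Values.service.loadBalancerIP }}` avoids emitting the key at all.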


@ -0,0 +1,6 @@
{{- if .Values.serviceAccount.create }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ .Values.serviceAccount.name | quote }}
{{- end }}
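Review bot: The ServiceAccount is created without `automountServiceAccountToken: false`, so every MinIO pod that uses it via `serviceAccountName` in the StatefulSet gets a Kubernetes API token mounted that nothing in the chart appears to use; the only binding on this account is the PSP `use` ClusterRoleBinding, which is evaluated at admission and needs no token inside the pod. Add `automountServiceAccountToken: false` at the top level of the ServiceAccount after the `metadata:` block (or on the pod spec in the StatefulSet), so a compromised MinIO process does not also hold cluster credentials. If some template not visible here does call the API from the pod, a comment on this key should say which one.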


@ -0,0 +1,112 @@
{{- if and .Values.metrics.serviceMonitor.enabled .Values.metrics.serviceMonitor.includeNode }}
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: {{ template "minio.fullname" . }}
{{- if .Values.metrics.serviceMonitor.namespace }}
namespace: {{ .Values.metrics.serviceMonitor.namespace }}
{{- end }}
labels:
app: {{ template "minio.name" . }}
chart: {{ template "minio.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
{{- if .Values.metrics.serviceMonitor.additionalLabels }}
{{- toYaml .Values.metrics.serviceMonitor.additionalLabels | nindent 4 }}
{{- end }}
{{- if .Values.metrics.serviceMonitor.annotations }}
annotations: {{- toYaml .Values.metrics.serviceMonitor.annotations | nindent 4 }}
{{- end }}
spec:
endpoints:
{{- if .Values.tls.enabled }}
- port: https
scheme: https
tlsConfig:
ca:
secret:
name: {{ .Values.tls.certSecret }}
key: {{ .Values.tls.publicCrt }}
serverName: {{ template "minio.fullname" . }}
{{- else }}
- port: http
scheme: http
{{- end }}
path: /minio/v2/metrics/node
{{- if .Values.metrics.serviceMonitor.interval }}
interval: {{ .Values.metrics.serviceMonitor.interval }}
{{- end }}
{{- if .Values.metrics.serviceMonitor.scrapeTimeout }}
scrapeTimeout: {{ .Values.metrics.serviceMonitor.scrapeTimeout }}
{{- end }}
{{- if .Values.metrics.serviceMonitor.relabelConfigs }}
{{- toYaml .Values.metrics.serviceMonitor.relabelConfigs | nindent 6 }}
{{- end }}
{{- if not .Values.metrics.serviceMonitor.public }}
bearerTokenSecret:
name: {{ template "minio.fullname" . }}-prometheus
key: token
{{- end }}
namespaceSelector:
matchNames:
- {{ .Release.Namespace | quote }}
selector:
matchLabels:
app: {{ include "minio.name" . }}
release: {{ .Release.Name }}
monitoring: "true"
{{- end }}
{{- if .Values.metrics.serviceMonitor.enabled }}
---
apiVersion: monitoring.coreos.com/v1
kind: Probe
metadata:
name: {{ template "minio.fullname" . }}-cluster
{{- if .Values.metrics.serviceMonitor.namespace }}
namespace: {{ .Values.metrics.serviceMonitor.namespace }}
{{- end }}
labels:
app: {{ template "minio.name" . }}
chart: {{ template "minio.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
{{- if .Values.metrics.serviceMonitor.additionalLabels }}
{{- toYaml .Values.metrics.serviceMonitor.additionalLabels | nindent 4 }}
{{- end }}
spec:
jobName: {{ template "minio.fullname" . }}
{{- if .Values.tls.enabled }}
tlsConfig:
ca:
secret:
name: {{ .Values.tls.certSecret }}
key: {{ .Values.tls.publicCrt }}
serverName: {{ template "minio.fullname" . }}
{{- end }}
prober:
url: {{ template "minio.fullname" . }}.{{ .Release.Namespace }}:{{ .Values.service.port }}
path: /minio/v2/metrics/cluster
{{- if .Values.tls.enabled }}
scheme: https
{{- else }}
scheme: http
{{- end }}
{{- if .Values.metrics.serviceMonitor.relabelConfigsCluster }}
{{- toYaml .Values.metrics.serviceMonitor.relabelConfigsCluster | nindent 2 }}
{{- end }}
targets:
staticConfig:
static:
- {{ template "minio.fullname" . }}.{{ .Release.Namespace }}
{{- if not .Values.metrics.serviceMonitor.public }}
{{- if .Values.metrics.serviceMonitor.interval }}
interval: {{ .Values.metrics.serviceMonitor.interval }}
{{- end }}
{{- if .Values.metrics.serviceMonitor.scrapeTimeout }}
scrapeTimeout: {{ .Values.metrics.serviceMonitor.scrapeTimeout }}
{{- end }}
bearerTokenSecret:
name: {{ template "minio.fullname" . }}-prometheus
key: token
{{- end }}
{{- end }}
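Review bot: `bearerTokenSecret` and `tlsConfig.ca.secret` are resolved by the Prometheus Operator in the namespace of the ServiceMonitor (and of the Probe) itself, so when `metrics.serviceMonitor.namespace` moves these objects out of `.Release.Namespace`, the references to `<fullname>-prometheus` and `tls.certSecret` point at secrets that live in the release namespace and scraping fails silently. Whether the chart creates the `<fullname>-prometheus` secret at all is not visible in this hunk, so that also needs confirming. At minimum add a values comment on `namespace`, e.g. `# must stay unset (release namespace) when public is false or tls is enabled, because the token and CA secrets are looked up there`, or copy the secrets into the target namespace from the chart.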


@ -0,0 +1,248 @@
{{- if eq .Values.mode "distributed" }}
{{ $poolCount := .Values.pools | int }}
{{ $nodeCount := .Values.replicas | int }}
{{ $replicas := mul $poolCount $nodeCount }}
{{ $drivesPerNode := .Values.drivesPerNode | int }}
{{ $scheme := .Values.tls.enabled | ternary "https" "http" }}
{{ $mountPath := .Values.mountPath }}
{{ $bucketRoot := or ($.Values.bucketRoot) ($.Values.mountPath) }}
{{ $subPath := .Values.persistence.subPath }}
{{ $penabled := .Values.persistence.enabled }}
{{ $accessMode := .Values.persistence.accessMode }}
{{ $storageClass := .Values.persistence.storageClass }}
{{ $psize := .Values.persistence.size }}
apiVersion: v1
kind: Service
metadata:
name: {{ template "minio.fullname" . }}-svc
labels:
app: {{ template "minio.name" . }}
chart: {{ template "minio.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
spec:
publishNotReadyAddresses: true
clusterIP: None
ports:
- name: {{ $scheme }}
port: {{ .Values.service.port }}
protocol: TCP
targetPort: {{ .Values.minioAPIPort }}
selector:
app: {{ template "minio.name" . }}
release: {{ .Release.Name }}
---
apiVersion: {{ template "minio.statefulset.apiVersion" . }}
kind: StatefulSet
metadata:
name: {{ template "minio.fullname" . }}
labels:
app: {{ template "minio.name" . }}
chart: {{ template "minio.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
{{- if .Values.additionalLabels }}
{{- toYaml .Values.additionalLabels | nindent 4 }}
{{- end }}
{{- if .Values.additionalAnnotations }}
annotations: {{- toYaml .Values.additionalAnnotations | nindent 4 }}
{{- end }}
spec:
updateStrategy:
type: {{ .Values.statefulSetUpdate.updateStrategy }}
podManagementPolicy: "Parallel"
serviceName: {{ template "minio.fullname" . }}-svc
replicas: {{ $replicas }}
selector:
matchLabels:
app: {{ template "minio.name" . }}
release: {{ .Release.Name }}
template:
metadata:
name: {{ template "minio.fullname" . }}
labels:
app: {{ template "minio.name" . }}
release: {{ .Release.Name }}
{{- if .Values.podLabels }}
{{- toYaml .Values.podLabels | nindent 8 }}
{{- end }}
annotations:
{{- if not .Values.ignoreChartChecksums }}
checksum/secrets: {{ include (print $.Template.BasePath "/secrets.yaml") . | sha256sum }}
checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
{{- end }}
{{- if .Values.podAnnotations }}
{{- toYaml .Values.podAnnotations | nindent 8 }}
{{- end }}
spec:
{{- if .Values.priorityClassName }}
priorityClassName: "{{ .Values.priorityClassName }}"
{{- end }}
{{- if .Values.runtimeClassName }}
runtimeClassName: "{{ .Values.runtimeClassName }}"
{{- end }}
{{- if and .Values.securityContext.enabled .Values.persistence.enabled }}
securityContext:
runAsUser: {{ .Values.securityContext.runAsUser }}
runAsGroup: {{ .Values.securityContext.runAsGroup }}
fsGroup: {{ .Values.securityContext.fsGroup }}
{{- if and (ge .Capabilities.KubeVersion.Major "1") (ge .Capabilities.KubeVersion.Minor "20") }}
fsGroupChangePolicy: {{ .Values.securityContext.fsGroupChangePolicy }}
{{- end }}
{{- end }}
{{- if .Values.serviceAccount.create }}
serviceAccountName: {{ .Values.serviceAccount.name }}
{{- end }}
containers:
- name: {{ .Chart.Name }}
image: "{{ default .Values.image.registry (include "registry-url" .) }}{{ .Values.image.repository }}:{{ .Values.image.tag }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
command: [
"/bin/sh",
"-ce",
"/usr/bin/docker-entrypoint.sh minio server {{- range $i := until $poolCount }}{{ $factor := mul $i $nodeCount }}{{ $endIndex := add $factor $nodeCount }}{{ $beginIndex := mul $i $nodeCount }} {{ $scheme }}://{{ template `minio.fullname` $ }}-{{ `{` }}{{ $beginIndex }}...{{ sub $endIndex 1 }}{{ `}`}}.{{ template `minio.fullname` $ }}-svc.{{ $.Release.Namespace }}.svc.{{ $.Values.clusterDomain }}{{if (gt $drivesPerNode 1)}}{{ $bucketRoot }}-{{ `{` }}0...{{ sub $drivesPerNode 1 }}{{ `}` }}{{ else }}{{ $bucketRoot }}{{end }}{{- end }} -S {{ .Values.certsPath }} --address :{{ .Values.minioAPIPort }} --console-address :{{ .Values.minioConsolePort }} {{- template `minio.extraArgs` . }}"
]
volumeMounts:
{{- if $penabled }}
{{- if (gt $drivesPerNode 1) }}
{{- range $i := until $drivesPerNode }}
- name: export-{{ $i }}
mountPath: {{ $mountPath }}-{{ $i }}
{{- if and $penabled $subPath }}
subPath: {{ $subPath }}
{{- end }}
{{- end }}
{{- else }}
- name: export
mountPath: {{ $mountPath }}
{{- if and $penabled $subPath }}
subPath: {{ $subPath }}
{{- end }}
{{- end }}
{{- end }}
{{- if .Values.extraSecret }}
- name: extra-secret
mountPath: "/tmp/minio-config-env"
{{- end }}
{{- include "minio.tlsKeysVolumeMount" . | indent 12 }}
{{- if .Values.extraVolumeMounts }}
{{- toYaml .Values.extraVolumeMounts | nindent 12 }}
{{- end }}
ports:
- name: {{ $scheme }}
containerPort: {{ .Values.minioAPIPort }}
- name: {{ $scheme }}-console
containerPort: {{ .Values.minioConsolePort }}
env:
- name: MINIO_ROOT_USER
valueFrom:
secretKeyRef:
name: {{ template "minio.secretName" . }}
key: rootUser
- name: MINIO_ROOT_PASSWORD
valueFrom:
secretKeyRef:
name: {{ template "minio.secretName" . }}
key: rootPassword
{{- if .Values.extraSecret }}
- name: MINIO_CONFIG_ENV_FILE
value: "/tmp/minio-config-env/config.env"
{{- end }}
{{- if .Values.metrics.serviceMonitor.public }}
- name: MINIO_PROMETHEUS_AUTH_TYPE
value: "public"
{{- end }}
{{- if .Values.oidc.enabled }}
- name: MINIO_IDENTITY_OPENID_CONFIG_URL
value: {{ .Values.oidc.configUrl }}
- name: MINIO_IDENTITY_OPENID_CLIENT_ID
value: {{ .Values.oidc.clientId }}
- name: MINIO_IDENTITY_OPENID_CLIENT_SECRET
value: {{ .Values.oidc.clientSecret }}
- name: MINIO_IDENTITY_OPENID_CLAIM_NAME
value: {{ .Values.oidc.claimName }}
- name: MINIO_IDENTITY_OPENID_CLAIM_PREFIX
value: {{ .Values.oidc.claimPrefix }}
- name: MINIO_IDENTITY_OPENID_SCOPES
value: {{ .Values.oidc.scopes }}
- name: MINIO_IDENTITY_OPENID_REDIRECT_URI
value: {{ .Values.oidc.redirectUri }}
- name: MINIO_IDENTITY_OPENID_COMMENT
value: {{ .Values.oidc.comment }}
{{- end }}
{{- range $key, $val := .Values.environment }}
- name: {{ $key }}
value: {{ tpl $val $ | quote }}
{{- end }}
resources: {{- toYaml .Values.resources | nindent 12 }}
{{- with .Values.extraContainers }}
{{- if eq (typeOf .) "string" }}
{{- tpl . $ | nindent 8 }}
{{- else }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- end }}
nodeSelector:
{{- include "linux-node-selector" . | nindent 8 }}
{{- include "minio.imagePullSecrets" . | indent 6 }}
{{- with .Values.affinity }}
affinity: {{- toYaml . | nindent 8 }}
{{- end }}
tolerations:
{{- include "linux-node-tolerations" . | nindent 8 }}
{{- with .Values.tolerations }}
{{ toYaml . | indent 8 }}
{{- end }}
{{- if and (gt $replicas 1) (ge .Capabilities.KubeVersion.Major "1") (ge .Capabilities.KubeVersion.Minor "19") }}
{{- with .Values.topologySpreadConstraints }}
topologySpreadConstraints: {{- toYaml . | nindent 8 }}
{{- end }}
{{- end }}
volumes:
- name: minio-user
secret:
secretName: {{ template "minio.secretName" . }}
{{- if .Values.extraSecret }}
- name: extra-secret
secret:
secretName: {{ .Values.extraSecret }}
{{- end }}
{{- include "minio.tlsKeysVolume" . | indent 8 }}
{{- if .Values.extraVolumes }}
{{- toYaml .Values.extraVolumes | nindent 8 }}
{{- end }}
{{- if .Values.persistence.enabled }}
volumeClaimTemplates:
{{- if gt $drivesPerNode 1 }}
{{- range $diskId := until $drivesPerNode}}
- metadata:
name: export-{{ $diskId }}
{{- if $.Values.persistence.annotations }}
annotations: {{- toYaml $.Values.persistence.annotations | nindent 10 }}
{{- end }}
spec:
accessModes: [ {{ $accessMode | quote }} ]
{{- if $storageClass }}
storageClassName: {{ $storageClass }}
{{- end }}
resources:
requests:
storage: {{ $psize }}
{{- end }}
{{- else }}
- metadata:
name: export
{{- if $.Values.persistence.annotations }}
annotations: {{- toYaml $.Values.persistence.annotations | nindent 10 }}
{{- end }}
spec:
accessModes: [ {{ $accessMode | quote }} ]
{{- if $storageClass }}
storageClassName: {{ $storageClass }}
{{- end }}
resources:
requests:
storage: {{ $psize }}
{{- end }}
{{- end }}
{{- end }}
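Review bot: `MINIO_IDENTITY_OPENID_CLIENT_SECRET` is written into the pod spec as a plain `value:` from `.Values.oidc.clientSecret`, which exposes the OIDC client secret to anyone who can read pods in the namespace and records it in release history, while the root credentials a few lines above are correctly read through `secretKeyRef`. Render the client secret into the chart's Secret (the `secrets.yaml` template this StatefulSet already checksums) under a key such as `oidcClientSecret` (constructed name) and reference it the same way; the remaining OIDC `value:` lines should also take `| quote`, since an empty `claimPrefix` or `comment` currently renders a bare `value:`. Separately, the container has no `securityContext` of its own, so `allowPrivilegeEscalation: false` is never set even when the pod-level block is rendered.

```yaml
      - name: MINIO_IDENTITY_OPENID_CLIENT_SECRET
        valueFrom:
          secretKeyRef:
            name: {{ template "minio.secretName" . }}
            key: oidcClientSecret
      - name: MINIO_IDENTITY_OPENID_CLAIM_NAME
        value: {{ .Values.oidc.claimName | quote }}
# … unchanged: remaining OIDC env entries, each with `| quote` …
```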


@ -0,0 +1,542 @@
## Provide a name in place of minio for `app:` labels
##
nameOverride: ""
## Provide a name to substitute for the full names of resources
##
fullnameOverride: ""
## set kubernetes cluster domain where minio is running
##
clusterDomain: cluster.local
## Set default image, imageTag, and imagePullPolicy. mode is used to indicate the
##
image:
repository: rancher/mirrored-minio-minio
tag: RELEASE.2023-07-07T07-13-57Z
pullPolicy: IfNotPresent
imagePullSecrets: []
# - name: "image-pull-secret"
## Set default image, imageTag, and imagePullPolicy for the `mc` (the minio
## client used to create a default bucket).
##
mcImage:
repository: rancher/mirrored-minio-mc
tag: RELEASE.2023-06-28T21-54-17Z
pullPolicy: IfNotPresent
## minio mode, i.e. standalone or distributed
mode: distributed ## other supported values are "standalone"
## Additional labels to include with deployment or statefulset
additionalLabels: {}
## Additional annotations to include with deployment or statefulset
additionalAnnotations: {}
## Typically the deployment/statefulset includes checksums of secrets/config,
## So that when these change on a subsequent helm install, the deployment/statefulset
## is restarted. This can result in unnecessary restarts under GitOps tooling such as
## flux, so set to "true" to disable this behaviour.
ignoreChartChecksums: false
## Additional arguments to pass to minio binary
extraArgs: []
## Additional volumes to minio container
extraVolumes: []
## Additional volumeMounts to minio container
extraVolumeMounts: []
## Additional sidecar containers
extraContainers: []
## Internal port number for MinIO S3 API container
## Change service.port to change external port number
minioAPIPort: "9000"
## Internal port number for MinIO Browser Console container
## Change consoleService.port to change external port number
minioConsolePort: "9001"
## Update strategy for Deployments
deploymentUpdate:
type: RollingUpdate
maxUnavailable: 0
maxSurge: 100%
## Update strategy for StatefulSets
statefulSetUpdate:
updateStrategy: RollingUpdate
## Pod priority settings
## ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/
##
priorityClassName: ""
## Pod runtime class name
## ref https://kubernetes.io/docs/concepts/containers/runtime-class/
##
runtimeClassName: ""
## Set default rootUser, rootPassword
## AccessKey and secretKey is generated when not set
## Distributed MinIO ref: https://min.io/docs/minio/linux/operations/install-deploy-manage/deploy-minio-multi-node-multi-drive.html
##
rootUser: ""
rootPassword: ""
## Use existing Secret that store following variables:
##
## | Chart var | .data.<key> in Secret |
## |:----------------------|:-------------------------|
## | rootUser | rootUser |
## | rootPassword | rootPassword |
##
## All mentioned variables will be ignored in values file.
## .data.rootUser and .data.rootPassword are mandatory,
## others depend on enabled status of corresponding sections.
existingSecret: ""
## Directory on the MinIO pof
certsPath: "/etc/minio/certs/"
configPathmc: "/etc/minio/mc/"
## Path where PV would be mounted on the MinIO Pod
mountPath: "/export"
## Override the root directory which the minio server should serve from.
## If left empty, it defaults to the value of {{ .Values.mountPath }}
## If defined, it must be a sub-directory of the path specified in {{ .Values.mountPath }}
##
bucketRoot: ""
# Number of drives attached to a node
drivesPerNode: 1
# Number of MinIO containers running
replicas: 16
# Number of expanded MinIO clusters
pools: 1
## TLS Settings for MinIO
tls:
enabled: false
## Create a secret with private.key and public.crt files and pass that here. Ref: https://github.com/minio/minio/tree/master/docs/tls/kubernetes#2-create-kubernetes-secret
certSecret: ""
publicCrt: public.crt
privateKey: private.key
## Trusted Certificates Settings for MinIO. Ref: https://min.io/docs/minio/linux/operations/network-encryption.html#third-party-certificate-authorities
## Bundle multiple trusted certificates into one secret and pass that here. Ref: https://github.com/minio/minio/tree/master/docs/tls/kubernetes#2-create-kubernetes-secret
## When using self-signed certificates, remember to include MinIO's own certificate in the bundle with key public.crt.
## If certSecret is left empty and tls is enabled, this chart installs the public certificate from .Values.tls.certSecret.
trustedCertsSecret: ""
## Enable persistence using Persistent Volume Claims
## ref: http://kubernetes.io/docs/user-guide/persistent-volumes/
##
persistence:
enabled: true
annotations: {}
## A manually managed Persistent Volume and Claim
## Requires persistence.enabled: true
## If defined, PVC must be created manually before volume will be bound
existingClaim: ""
## minio data Persistent Volume Storage Class
## If defined, storageClassName: <storageClass>
## If set to "-", storageClassName: "", which disables dynamic provisioning
## If undefined (the default) or set to null, no storageClassName spec is
## set, choosing the default provisioner. (gp2 on AWS, standard on
## GKE, AWS & OpenStack)
##
## Storage class of PV to bind. By default it looks for standard storage class.
## If the PV uses a different storage class, specify that here.
storageClass: ""
volumeName: ""
accessMode: ReadWriteOnce
size: 500Gi
## If subPath is set mount a sub folder of a volume instead of the root of the volume.
## This is especially handy for volume plugins that don't natively support sub mounting (like glusterfs).
##
subPath: ""
## Expose the MinIO service to be accessed from outside the cluster (LoadBalancer service).
## or access it from within the cluster (ClusterIP service). Set the service type and the port to serve it.
## ref: http://kubernetes.io/docs/user-guide/services/
##
service:
type: ClusterIP
clusterIP: ~
port: "9000"
nodePort: 32000
loadBalancerIP: ~
externalIPs: []
annotations: {}
## Configure Ingress based on the documentation here: https://kubernetes.io/docs/concepts/services-networking/ingress/
##
ingress:
enabled: false
ingressClassName: ~
labels: {}
# node-role.kubernetes.io/ingress: platform
annotations: {}
# kubernetes.io/ingress.class: nginx
# kubernetes.io/tls-acme: "true"
# kubernetes.io/ingress.allow-http: "false"
# kubernetes.io/ingress.global-static-ip-name: ""
# nginx.ingress.kubernetes.io/secure-backends: "true"
# nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
# nginx.ingress.kubernetes.io/whitelist-source-range: 0.0.0.0/0
path: /
hosts:
- minio-example.local
tls: []
# - secretName: chart-example-tls
# hosts:
# - chart-example.local
consoleService:
type: ClusterIP
clusterIP: ~
port: "9001"
nodePort: 32001
loadBalancerIP: ~
externalIPs: []
annotations: {}
consoleIngress:
enabled: false
ingressClassName: ~
labels: {}
# node-role.kubernetes.io/ingress: platform
annotations: {}
# kubernetes.io/ingress.class: nginx
# kubernetes.io/tls-acme: "true"
# kubernetes.io/ingress.allow-http: "false"
# kubernetes.io/ingress.global-static-ip-name: ""
# nginx.ingress.kubernetes.io/secure-backends: "true"
# nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
# nginx.ingress.kubernetes.io/whitelist-source-range: 0.0.0.0/0
path: /
hosts:
- console.minio-example.local
tls: []
# - secretName: chart-example-tls
# hosts:
# - chart-example.local
## Node labels for pod assignment
## Ref: https://kubernetes.io/docs/user-guide/node-selection/
##
nodeSelector: {}
tolerations: []
affinity: {}
topologySpreadConstraints: []
## Add stateful containers to have security context, if enabled MinIO will run as this
## user and group NOTE: securityContext is only enabled if persistence.enabled=true
securityContext:
enabled: true
runAsUser: 1000
runAsGroup: 1000
fsGroup: 1000
fsGroupChangePolicy: "OnRootMismatch"
# Additational pod annotations
podAnnotations: {}
# Additional pod labels
podLabels: {}
## Configure resource requests and limits
## ref: http://kubernetes.io/docs/user-guide/compute-resources/
##
resources:
requests:
memory: 16Gi
## List of policies to be created after minio install
##
## In addition to default policies [readonly|readwrite|writeonly|consoleAdmin|diagnostics]
## you can define additional policies with custom supported actions and resources
policies: []
## writeexamplepolicy policy grants creation or deletion of buckets with name
## starting with example. In addition, grants objects write permissions on buckets starting with
## example.
# - name: writeexamplepolicy
# statements:
# - resources:
# - 'arn:aws:s3:::example*/*'
# actions:
# - "s3:AbortMultipartUpload"
# - "s3:GetObject"
# - "s3:DeleteObject"
# - "s3:PutObject"
# - "s3:ListMultipartUploadParts"
# - resources:
# - 'arn:aws:s3:::example*'
# actions:
# - "s3:CreateBucket"
# - "s3:DeleteBucket"
# - "s3:GetBucketLocation"
# - "s3:ListBucket"
# - "s3:ListBucketMultipartUploads"
## readonlyexamplepolicy policy grants access to buckets with name starting with example.
## In addition, grants objects read permissions on buckets starting with example.
# - name: readonlyexamplepolicy
# statements:
# - resources:
# - 'arn:aws:s3:::example*/*'
# actions:
# - "s3:GetObject"
# - resources:
# - 'arn:aws:s3:::example*'
# actions:
# - "s3:GetBucketLocation"
# - "s3:ListBucket"
# - "s3:ListBucketMultipartUploads"
## conditionsexample policy creates all access to example bucket with aws:username="johndoe" and source ip range 10.0.0.0/8 and 192.168.0.0/24 only
# - name: conditionsexample
# statements:
# - resources:
# - 'arn:aws:s3:::example/*'
# actions:
# - 's3:*'
# conditions:
# - StringEquals: '"aws:username": "johndoe"'
# - IpAddress: |
# "aws:SourceIp": [
# "10.0.0.0/8",
# "192.168.0.0/24"
# ]
#
## Additional Annotations for the Kubernetes Job makePolicyJob
makePolicyJob:
securityContext:
enabled: false
runAsUser: 1000
runAsGroup: 1000
resources:
requests:
memory: 128Mi
# Command to run after the main command on exit
exitCommand: ""
## List of users to be created after minio install
##
users:
## Username, password and policy to be assigned to the user
## Default policies are [readonly|readwrite|writeonly|consoleAdmin|diagnostics]
## Add new policies as explained here https://min.io/docs/minio/kubernetes/upstream/administration/identity-access-management.html#access-management
## NOTE: this will fail if LDAP is enabled in your MinIO deployment
## make sure to disable this if you are using LDAP.
- accessKey: console
secretKey: console123
policy: consoleAdmin
# Or you can refer to specific secret
#- accessKey: externalSecret
# existingSecret: my-secret
# existingSecretKey: password
# policy: readonly
## Additional Annotations for the Kubernetes Job makeUserJob
makeUserJob:
securityContext:
enabled: false
runAsUser: 1000
runAsGroup: 1000
resources:
requests:
memory: 128Mi
# Command to run after the main command on exit
exitCommand: ""
## List of service accounts to be created after minio install
##
svcaccts: []
## accessKey, secretKey and parent user to be assigned to the service accounts
## Add new service accounts as explained here https://min.io/docs/minio/kubernetes/upstream/administration/identity-access-management/minio-user-management.html#service-accounts
# - accessKey: console-svcacct
# secretKey: console123
# user: console
## Or you can refer to specific secret
# - accessKey: externalSecret
# existingSecret: my-secret
# existingSecretKey: password
# user: console
## You also can pass custom policy
# - accessKey: console-svcacct
# secretKey: console123
# user: console
# policy:
# statements:
# - resources:
# - 'arn:aws:s3:::example*/*'
# actions:
# - "s3:AbortMultipartUpload"
# - "s3:GetObject"
# - "s3:DeleteObject"
# - "s3:PutObject"
# - "s3:ListMultipartUploadParts"
makeServiceAccountJob:
securityContext:
enabled: false
runAsUser: 1000
runAsGroup: 1000
resources:
requests:
memory: 128Mi
# Command to run after the main command on exit
exitCommand: ""
## List of buckets to be created after minio install
##
buckets: []
# # Name of the bucket
# - name: bucket1
# # Policy to be set on the
# # bucket [none|download|upload|public]
# policy: none
# # Purge if bucket exists already
# purge: false
# # set versioning for
# # bucket [true|false]
# versioning: false
# # set objectlocking for
# # bucket [true|false] NOTE: versioning is enabled by default if you use locking
# objectlocking: false
# - name: bucket2
# policy: none
# purge: false
# versioning: true
# # set objectlocking for
# # bucket [true|false] NOTE: versioning is enabled by default if you use locking
# objectlocking: false
## Additional Annotations for the Kubernetes Job makeBucketJob
makeBucketJob:
securityContext:
enabled: false
runAsUser: 1000
runAsGroup: 1000
resources:
requests:
memory: 128Mi
# Command to run after the main command on exit
exitCommand: ""
## List of command to run after minio install
## NOTE: the mc command TARGET is always "myminio"
customCommands:
# - command: "admin policy attach myminio consoleAdmin --group='cn=ops,cn=groups,dc=example,dc=com'"
## Additional Annotations for the Kubernetes Job customCommandJob
customCommandJob:
securityContext:
enabled: false
runAsUser: 1000
runAsGroup: 1000
resources:
requests:
memory: 128Mi
# Command to run after the main command on exit
exitCommand: ""
## Merge jobs
postJob:
podAnnotations: {}
annotations: {}
securityContext:
enabled: false
runAsUser: 1000
runAsGroup: 1000
fsGroup: 1000
nodeSelector: {}
tolerations: []
affinity: {}
## Use this field to add environment variables relevant to MinIO server. These fields will be passed on to MinIO container(s)
## when Chart is deployed
environment:
## Please refer for comprehensive list https://min.io/docs/minio/linux/reference/minio-server/minio-server.html
## MINIO_SUBNET_LICENSE: "License key obtained from https://subnet.min.io"
## MINIO_BROWSER: "off"
## The name of a secret in the same kubernetes namespace which contain secret values
## This can be useful for LDAP password, etc
## The key in the secret must be 'config.env'
##
extraSecret: ~
## OpenID Identity Management
## The following section documents environment variables for enabling external identity management using an OpenID Connect (OIDC)-compatible provider.
## See https://min.io/docs/minio/linux/operations/external-iam/configure-openid-external-identity-management.html for a tutorial on using these variables.
oidc:
enabled: false
configUrl: "https://identity-provider-url/.well-known/openid-configuration"
clientId: "minio"
clientSecret: ""
claimName: "policy"
scopes: "openid,profile,email"
redirectUri: "https://console-endpoint-url/oauth_callback"
# Can leave empty
claimPrefix: ""
comment: ""
networkPolicy:
enabled: false
allowExternal: true
## PodDisruptionBudget settings
## ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
##
podDisruptionBudget:
enabled: false
maxUnavailable: 1
## Specify the service account to use for the MinIO pods. If 'create' is set to 'false'
## and 'name' is left unspecified, the account 'default' will be used.
serviceAccount:
create: true
## The name of the service account to use. If 'create' is 'true', a service account with that name
## will be created.
name: "minio-sa"
metrics:
serviceMonitor:
enabled: false
# scrape each node/pod individually for additional metrics
includeNode: false
public: true
additionalLabels: {}
annotations: {}
# for node metrics
relabelConfigs: {}
# for cluster metrics
relabelConfigsCluster: {}
# metricRelabelings:
# - regex: (server|pod)
# action: labeldrop
namespace: ~
# Scrape interval, for example `interval: 30s`
interval: ~
# Scrape timeout, for example `scrapeTimeout: 10s`
scrapeTimeout: ~
## ETCD settings: https://github.com/minio/minio/blob/master/docs/sts/etcd.md
## Define endpoints to enable this section.
etcd:
endpoints: []
pathPrefix: ""
corednsPathPrefix: ""
clientCert: ""
clientCertKey: ""
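Review bot: `users` ships an active default entry `accessKey: console` / `secretKey: console123` with `policy: consoleAdmin`, so any install that does not override `users` gets an administrative MinIO account with a published password; `svcaccts` and `buckets` already use the safer pattern of an empty list plus a commented example, and `users` should match it, e.g. `users: []` with the console entry moved into the comment block. `metrics.serviceMonitor.public: true` likewise defaults the metrics endpoint to unauthenticated (it drives `MINIO_PROMETHEUS_AUTH_TYPE=public` in the StatefulSet env), which deserves a comment stating the trade-off or a `false` default. Two comment typos while here: `Additational` and `Directory on the MinIO pof`.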


@ -0,0 +1,23 @@
annotations:
app.aquarist-labs.io/name: s3gw
apiVersion: v2
appVersion: latest
description: 'Easy-to-use Open Source and Cloud Native S3 service for use on Rancher''s
Kubernetes. '
home: https://github.com/aquarist-labs/s3gw
icon: https://raw.githubusercontent.com/aquarist-labs/aquarium-website/gh-pages/images/logo-xl.png
keywords:
- storage
- s3
kubeVersion: '>=1.14'
maintainers:
- email: s3gw@suse.com
name: s3gw maintainers
url: https://github.com/orgs/aquarist-labs/projects/5
name: s3gw
sources:
- https://github.com/aquarist-labs/s3gw-charts
- https://github.com/aquarist-labs/s3gw
- https://github.com/aquarist-labs/ceph
type: application
version: 0.14.0
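Review bot: `appVersion: latest` is a floating reference; if the s3gw templates derive the image tag from `.Chart.AppVersion` (a common pattern, not visible in this commit), installs are not reproducible and cannot be audited against a known build. Pin it to the s3gw release that chart `0.14.0` was tested with, or confirm that the templates take the tag from values and document that here.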


@ -0,0 +1,61 @@
# [s3gw][s3gw-url]
s3gw is an S3-compatible service focused on deployments in a Kubernetes
environment backed by any PVC, including Longhorn. Since its inception, the
primary focus has been on cloud native deployments. However, the s3gw can be
deployed in a myriad of scenarios, provided some form of storage is attached.
s3gw is based on Cephs RADOSGW (RGW) but runs as a standalone service without
the RADOS cluster and relies on a storage backend still under heavy development
by the storage team at SUSE. A web-based UI for management and an object
explorer are also part of s3gw.
## Quickstart
To install s3gw using Helm add the chart to your Helm repository and then run
`helm install`:
```bash
helm add repo s3gw https://aquarist-labs.github.io/s3gw-charts/
helm \
--namespace s3gw-system \
install s3gw \
s3gw/s3gw \
--create-namespace \
-f /path/to/your/custom/values.yaml
```
## Rancher
Installing s3gw via the Rancher App Catalog is made easy, the steps are as
follows:
- Cluster -> Projects/Namespaces - create the `s3gw` namespace.
- Apps -> Repositories -> Create `s3gw` using the s3gw-charts Git URL
<https://aquarist-labs.github.io/s3gw-charts/> and the `main` branch.
- Apps -> Charts -> Install `Traefik`.
- Apps -> Charts -> Install `s3gw`. Select the `s3gw` namespace previously
created. A `pvc` for `s3gw` will be created automatically during installation.
## Documentation
You can access our documentation [here][docs-url].
## License
Licensed under the Apache License, Version 2.0 (the "License");
you may not use licensed files except in compliance with the License.
You may obtain a copy of the License at
<http://www.apache.org/licenses/LICENSE-2.0>
or the LICENSE file in this repository.
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
[s3gw-url]: https://s3gw.io
[docs-url]: https://s3gw-docs.readthedocs.io/en/latest/helm-charts/

@ -0,0 +1,16 @@
# s3gw
s3gw is an easy-to-use Open Source and Cloud Native S3 service running on
Rancher's Kubernetes.
* It complements the Rancher portfolio by offering an S3 service for Longhorn
volume backups, Harvester backups, Epinio backups and OPNI models.
* It is deployed on a single pod, ideal for development, Edge, IoT and smaller
on-prem deployments.
* It leverages the feature-rich S3 gateway from Ceph but without the rest of
the Ceph stack.
For more information, see the [manual][1] and the [chart documentation][2].
[1]: https://s3gw-docs.readthedocs.io
[2]: https://github.com/aquarist-labs/s3gw-charts/blob/main/README.md

@ -0,0 +1,293 @@
---
questions:
# General settings
- variable: useCertManager
label: Use cert-manager
default: "true"
description: "Use cert-manager to provision TLS certificates"
type: boolean
group: "General"
- variable: tls.publicDomain.crt
show_if: "useCertManager=false"
description: "S3 TLS certificate (Public Domain)"
label: "S3 TLS certificate (Public Domain)"
type: string
group: "General"
- variable: tls.publicDomain.key
show_if: "useCertManager=false"
description: "S3 TLS key (Public Domain)"
label: "S3 TLS key (Public Domain)"
type: string
group: "General"
- variable: tls.privateDomain.crt
show_if: "useCertManager=false"
description: "S3 TLS certificate (Private Domain)"
label: "S3 TLS certificate (Private Domain)"
type: string
group: "General"
- variable: tls.privateDomain.key
show_if: "useCertManager=false"
description: "S3 TLS key (Private Domain)"
label: "S3 TLS key (Private Domain)"
type: string
group: "General"
- variable: tls.ui.publicDomain.crt
show_if: "useCertManager=false"
description: "UI TLS certificate"
label: "UI TLS certificate"
type: string
group: "General"
- variable: tls.ui.publicDomain.key
show_if: "useCertManager=false"
description: "UI TLS key"
label: "UI TLS key"
type: string
group: "General"
- variable: certManagerNamespace
show_if: "useCertManager=true"
label: cert-manager's namespace
default: "cert-manager"
description: "cert-manager's namespace"
type: string
required: false
- variable: useCustomTlsIssuer
show_if: "useCertManager=true"
label: Use your own TLS issuer
default: "false"
description: "Use your own TLS issuer"
type: boolean
group: "General"
show_subquestion_if: true
subquestions:
- variable: customTlsIssuer
label: Custom TLS issuer
description: "Name of the custom TLS issuer to use"
type: string
required: false
- variable: tlsIssuer
show_if: "useCertManager=true&&useCustomTlsIssuer=false"
label: TLS issuer
description: "Name of the predefined TLS issuer to use"
type: enum
required: false
group: "General"
options:
- "s3gw-issuer"
- "s3gw-letsencrypt-issuer"
- variable: email
show_if: "useCertManager=true&&tlsIssuer=s3gw-letsencrypt-issuer"
label: email address to use with s3gw-letsencrypt-issuer
description: "email address to use with s3gw-letsencrypt-issuer"
type: string
required: false
group: "General"
- variable: serviceName
default: s3gw
description: "S3 Service Name"
label: "S3 Service Name"
required: true
type: string
group: "General"
- variable: defaultUserCredentialsSecret
default: s3gw-creds
description: |
"The name of the secret containing the
S3 credentials for the default user"
type: string
group: "General"
- variable: useExistingSecret
default: false
description: |
"Check this to use a preexisting secret
containing the S3 credentials for the default user"
type: boolean
group: "General"
- variable: accessKey
show_if: "useExistingSecret=false"
default: test
description: |
"Set this as the empty string to make the Chart
to compute a random alphanumeric value"
label: "S3 Access Key"
type: string
group: "General"
- variable: secretKey
show_if: "useExistingSecret=false"
default: test
description: |
"Set this as the empty string to make the Chart
to compute a random alphanumeric value"
label: "S3 Secret Key"
type: string
group: "General"
- variable: ingress.enabled
default: true
description: "Deploy an Ingress (Required for TLS and UI)"
label: "Enable Ingress"
required: true
type: boolean
group: "General"
- variable: publicDomain
show_if: ingress.enabled=true
default: be.127.0.0.1.omg.howdoi.website
description: "Public domain of the S3 Service used by the Ingress"
label: "Public Domain"
required: true
type: string
group: "General"
- variable: privateDomain
default: svc.cluster.local
description: "Private domain of the S3 Service used inside the Kubernetes cluster"
label: "Private Domain"
required: true
type: string
group: "General"
- variable: ui.enabled
default: false
description: "UI Enabled"
label: "UI Enabled"
required: true
type: boolean
group: "General"
- variable: ui.serviceName
default: s3gw-ui
description: "UI Service Name"
label: "UI Service Name"
required: true
type: string
group: "General"
- variable: ui.publicDomain
show_if: ingress.enabled=true
default: fe.127.0.0.1.omg.howdoi.website
description: "Public domain of the UI Service used by the Ingress"
label: "UI Public Domain"
required: true
type: string
group: "General"
# Storage
- variable: storageSize
description: "Storage Size"
type: string
default: 10Gi
label: "Storage Size"
group: "Storage"
- variable: storageClass.name
description: "Storage Class Name"
type: string
default: "longhorn-single"
required: true
label: "Storage Class"
group: "Storage"
- variable: storageClass.create
description: |
Create a new opinionated storage class backed by longhorn.io
type: boolean
default: true
label: "Create Storage Class"
group: "Storage"
# Advanced Options
- variable: imageRegistry
default:
description: "Image Registry"
label: "Image Registry"
required: false
type: string
group: "Advanced"
- variable: imageCredentials.username
default:
description: "Registry Username"
label: "Username"
required: false
type: string
group: "Advanced"
- variable: imageCredentials.password
default:
description: "Registry Password"
label: "Password"
required: false
type: string
group: "Advanced"
- variable: imageCredentials.email
default:
description: "Registry Email"
label: "Email"
required: false
type: string
group: "Advanced"
- variable: imagePullPolicy
default:
description: "Image Pull Policy"
label: "Image Pull Policy"
required: false
type: string
group: "Advanced"
- variable: imageName
default:
description: "Gateway Image Name"
label: "Image Name"
required: false
type: string
group: "Advanced"
- variable: imageTag
default:
description: "Image Tag"
label: "Image Tag"
required: false
type: string
group: "Advanced"
- variable: ui.imageName
default:
description: "UI Image Name"
label: "UI Image Name"
required: false
type: string
group: "Advanced"
- variable: ui.imageTag
default:
description: "UI Image Tag"
label: "UI Image Tag"
required: false
type: string
group: "Advanced"
- variable: logLevel
default: "1"
description: "s3gw pod log level, lower values are less verbose"
label: "s3gw pod log level"
required: false
type: string
group: "Advanced"
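Review bot: `accessKey` and `secretKey` both carry `default: test`, so an operator who accepts the Rancher form defaults gets an S3 service with well-known `test`/`test` credentials; the question's own description says the empty string triggers random generation, so `default: ""` is the safer default for both. `secretKey` and `imageCredentials.password` are declared `type: string`, which renders them as plain text fields in the Rancher UI; Rancher's question schema has `type: password`, which masks the input and is the conventional choice for these two. The TLS key questions (`tls.*.key`) are likewise plain `string`, so a PEM key pasted there is shown in clear in the form.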

@ -0,0 +1,16 @@
Thank you for installing {{ .Chart.Name }} {{ printf "v%s" .Chart.Version }}
The S3 endpoint is available at:
{{ printf "%s.%s" .Values.serviceName .Values.publicDomain | indent 4 }}
{{ if .Values.ui.enabled}}
and the web interface is available at:
{{ printf "%s.%s" .Values.ui.serviceName .Values.ui.publicDomain | indent 4 }}
{{- end }}
{{ if and (not .Values.useExistingSecret) (empty .Values.accessKey) }}
An access key has been generated: {{ include "s3gw.defaultAccessKey" . | quote }}
{{- end }}
{{- if and (not .Values.useExistingSecret) (empty .Values.secretKey) }}
A secret key has been generated: {{ include "s3gw.defaultSecretKey" . | quote }}
{{ end }}
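Review bot: The generated access key and secret key printed here are not the ones stored in the Secret, because `s3gw.defaultAccessKey` and `s3gw.defaultSecretKey` (helpers in this commit) evaluate `randAlphaNum 32` on every include and the Secret template includes them separately. The same property means each `helm upgrade` re-randomizes the default user's credentials unless `accessKey`/`secretKey` are pinned in values, and the smoke-test Job, which reads `.Values.accessKey` directly, gets an empty string in the random case. Making the helpers `lookup` the existing Secret before falling back to `randAlphaNum` would keep the values stable across renders, and these NOTES should then point the operator at the Secret named by `.Values.defaultUserCredentialsSecret` instead of printing a fresh random value. Minor: `{{ if .Values.ui.enabled}}` is missing the space before `}}`.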

@ -0,0 +1,140 @@
{{/*
Expand the name of the chart.
*/}}
{{- define "s3gw.name" -}}
{{- .Chart.Name }}
{{- end }}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "s3gw.fullname" -}}
{{- if .Values.fullnameOverride }}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- $name := default .Chart.Name .Values.nameOverride }}
{{- if contains $name .Release.Name }}
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{- end }}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "s3gw.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Common labels
*/}}
{{- define "s3gw.labels" -}}
helm.sh/chart: {{ include "s3gw.chart" . }}
{{ include "s3gw.commonSelectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}
{{- define "s3gw.commonSelectorLabels" -}}
app.kubernetes.io/name: {{ include "s3gw.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{- define "s3gw.selectorLabels" -}}
{{ include "s3gw.commonSelectorLabels" . }}
app.kubernetes.io/component: gateway
{{- end }}
{{- define "s3gw-ui.selectorLabels" -}}
{{ include "s3gw.commonSelectorLabels" . }}
app.kubernetes.io/component: ui
{{- end }}
{{/*
Create the name of the service account to use
*/}}
{{- define "s3gw.serviceAccountName" -}}
{{- if .Values.serviceAccount.create }}
{{- default (include "s3gw.fullname" .) .Values.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.serviceAccount.name }}
{{- end }}
{{- end }}
{{/*
Version helpers for the image tag
*/}}
{{- define "s3gw.image" -}}
{{- $defaulttag := printf "v%s" .Chart.Version }}
{{- $tag := default $defaulttag .Values.image.tag }}
{{- $name := default "s3gw/s3gw" .Values.image.repository }}
{{- $registry := include "registry-url" . }}
{{- printf "%s%s:%s" $registry $name $tag }}
{{- end }}
{{- define "s3gw-ui.image" -}}
{{- $tag := default (printf "v%s" .Chart.Version) .Values.ui.image.tag }}
{{- $name := default "s3gw/s3gw-ui" .Values.ui.image.repository }}
{{- $registry := include "registry-url" . }}
{{- printf "%s%s:%s" $registry $name $tag }}
{{- end }}
{{/*
Image Pull Secret
*/}}
{{- define "s3gw.imagePullSecret" -}}
{{- $un := .Values.imageCredentials.username }}
{{- $pw := .Values.imageCredentials.password }}
{{- $em := .Values.imageCredentials.email }}
{{- $rg := include "registry-url" . }}
{{- $au := (printf "%s:%s" $un $pw | b64enc) }}
{{- printf "{\"auths\":{\"%s\":{\"username\":\"%s\",\"password\":\"%s\",\"email\":\"%s\",\"auth\":\"%s\"}}}" $rg $un $pw $em $au | b64enc}}
{{- end }}
{{/*
Default Access Credentials
*/}}
{{- define "s3gw.defaultAccessKey" -}}
{{- $key := default (randAlphaNum 32) .Values.accessKey }}
{{- printf "%s" $key }}
{{- end }}
{{- define "s3gw.defaultSecretKey" -}}
{{- $key := default (randAlphaNum 32) .Values.secretKey }}
{{- printf "%s" $key }}
{{- end }}
{{/*
Windows cluster will add default taint for linux nodes, add below linux tolerations to
workloads could be scheduled to those linux nodes
*/}}
{{- define "linux-node-tolerations" -}}
- key: "cattle.io/os"
value: "linux"
effect: "NoSchedule"
operator: "Equal"
{{- end -}}
{{- define "linux-node-selector" -}}
{{- if semverCompare "<1.14-0" .Capabilities.KubeVersion.GitVersion -}}
beta.kubernetes.io/os: linux
{{- else -}}
kubernetes.io/os: linux
{{- end -}}
{{- end -}}
{{/*
URL prefix for container images to be compatible with Rancher
*/}}
{{- define "registry-url" -}}
{{- if .Values.global.cattle.systemDefaultRegistry -}}
{{ trimSuffix "/" .Values.global.cattle.systemDefaultRegistry }}/
{{- end -}}
{{- end -}}
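Review bot: `s3gw.imagePullSecret` assembles the dockerconfigjson with `printf` and no escaping, so a username or password containing `"` or `\` produces an invalid Secret; building it as a map is both safer and shorter: `{{- dict "auths" (dict $rg (dict "username" $un "password" $pw "email" $em "auth" $au)) | toJson | b64enc }}`. Note also that `$rg` comes from `registry-url`, which renders the empty string when no system default registry is configured, so the `auths` key is then `""` and will not match the registry the kubelet authenticates against. Separately, the `semverCompare "<1.14-0"` branch in `linux-node-selector` is dead given `kubeVersion: '>=1.14'` in Chart.yaml and could be dropped.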

@ -0,0 +1,38 @@
{{- if .Values.useCertManager }}
---
# s3gw-ca root certificate
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: s3gw-ca-cert
namespace: {{ .Values.certManagerNamespace }}
labels:
{{ include "s3gw.labels" . | indent 4}}
spec:
commonName: s3gw-ca
isCA: true
issuerRef:
kind: ClusterIssuer
name: s3gw-self-signed-issuer
privateKey:
algorithm: ECDSA
size: 256
secretName: s3gw-ca-root
---
# s3gw internal service certificate (private domain)
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: s3gw-cluster-ip-cert
namespace: {{ .Release.Namespace }}
labels:
{{ include "s3gw.labels" . | indent 4}}
spec:
dnsNames:
- '{{ .Values.serviceName }}.{{ .Release.Namespace }}.{{ .Values.privateDomain }}'
- '*.{{ .Values.serviceName }}.{{ .Release.Namespace }}.{{ .Values.privateDomain }}'
issuerRef:
kind: ClusterIssuer
name: s3gw-issuer
secretName: s3gw-cluster-ip-tls
{{- end }}

@ -0,0 +1,13 @@
---
apiVersion: v1
kind: ConfigMap
metadata:
name: s3gw-config
namespace: {{ .Release.Namespace }}
labels:
{{ include "s3gw.labels" . | indent 4}}
data:
{{- if .Values.ui.enabled }}
RGW_SERVICE_URL: 'https://{{ .Values.serviceName }}.{{ .Values.publicDomain }}'
{{- end }}
RGW_DEFAULT_USER_SYSTEM: "1"
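Review bot: Only the UI container references this ConfigMap (`configMapRef: s3gw-config` in the Deployment template of this commit); the gateway container sources just the credentials Secret via `envFrom`. If `RGW_DEFAULT_USER_SYSTEM: "1"` is meant to be read by the gateway, it never reaches it as written, and the gateway's `envFrom` would need a matching `configMapRef` (or the key belongs in the Secret alongside the access keys). The ConfigMap is also rendered when `ui.enabled` is false, leaving an unused object behind; wrapping the whole file in `{{- if .Values.ui.enabled }}` would match how the UI Deployment and Service are gated.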

@ -0,0 +1,111 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ .Chart.Name }}
namespace: {{ .Release.Namespace }}
labels:
{{ include "s3gw.labels" . | indent 4 }}
spec:
replicas: 1
selector:
matchLabels:
{{ include "s3gw.selectorLabels" . | indent 6 }}
strategy:
type: Recreate
template:
metadata:
labels:
{{ include "s3gw.selectorLabels" . | indent 8 }}
spec:
{{- if .Values.imageCredentials }}
imagePullSecrets:
- name: {{ .Chart.Name }}-image-pull-secret
{{- end }}
serviceAccountName: {{ include "s3gw.serviceAccountName" . }}
containers:
- name: {{ .Chart.Name }}
image: {{ include "s3gw.image" . | quote }}
imagePullPolicy: {{ default "IfNotPresent" .Values.imagePullPolicy }}
args:
- "--rgw-dns-name"
{{- if .Values.ingress.enabled }}
- {{ .Values.serviceName }}.{{ .Values.publicDomain }},
{{ .Values.serviceName }}.{{ .Release.Namespace }}.{{ .Values.privateDomain }}
{{- else}}
- {{ .Values.serviceName }}.{{ .Release.Namespace }}.{{ .Values.privateDomain }}
{{- end }}
- "--rgw-backend-store"
- sfs
- "--debug-rgw"
- '{{ .Values.logLevel }}'
- "--rgw_frontends"
- "beast port=7480 ssl_port=7481
ssl_certificate=/s3gw-cluster-ip-tls/tls.crt
ssl_private_key=/s3gw-cluster-ip-tls/tls.key"
ports:
- containerPort: 7480
name: s3
- containerPort: 7481
name: s3-tls
envFrom:
- secretRef:
name: {{ .Values.defaultUserCredentialsSecret }}
volumeMounts:
- name: s3gw-lh-store
mountPath: /data
- name: s3gw-cluster-ip-tls
mountPath: /s3gw-cluster-ip-tls
nodeSelector:
{{- include "linux-node-selector" . | nindent 8 }}
tolerations:
{{- include "linux-node-tolerations" . | nindent 8 }}
volumes:
- name: s3gw-lh-store
persistentVolumeClaim:
claimName: {{ .Release.Name }}-pvc
- name: s3gw-cluster-ip-tls
secret:
secretName: s3gw-cluster-ip-tls
optional: false
{{- if .Values.ui.enabled }}
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: '{{ .Chart.Name }}-ui'
namespace: {{ .Release.Namespace }}
labels:
{{ include "s3gw.labels" . | indent 4 }}
spec:
replicas: 1
selector:
matchLabels:
{{ include "s3gw-ui.selectorLabels" . | indent 6 }}
strategy: {}
template:
metadata:
labels:
{{ include "s3gw-ui.selectorLabels" . | indent 8}}
spec:
{{- if .Values.imageCredentials }}
imagePullSecrets:
- name: {{ .Chart.Name }}-image-pull-secret
{{- end }}
serviceAccountName: {{ include "s3gw.serviceAccountName" . }}
containers:
- name: s3gw-ui
image: {{ include "s3gw-ui.image" . | quote }}
imagePullPolicy: {{ default "IfNotPresent" .Values.ui.imagePullPolicy }}
ports:
- containerPort: 8080
envFrom:
- configMapRef:
name: s3gw-config
- secretRef:
name: {{ .Values.defaultUserCredentialsSecret }}
nodeSelector:
{{- include "linux-node-selector" . | nindent 8 }}
tolerations:
{{- include "linux-node-tolerations" . | nindent 8 }}
{{- end }}
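Review bot: Neither container declares a `securityContext`, readiness/liveness probes or `resources`, so the pods run with whatever privileges the image defaults to and nothing keeps the Service from routing to a gateway that is still starting; at minimum `allowPrivilegeEscalation: false` and dropped capabilities should be set, with `runAsNonRoot` if the image supports it. The `--rgw-dns-name` value in the Ingress branch is a two-line plain scalar, which YAML folds into `<public>, <private>` with a space after the comma; the rendered page hides the continuation indent, so confirm the rendered argument and prefer a single quoted line. The `s3gw-cluster-ip-tls` volume is `optional: false`, yet with `useCertManager=false` no template shown here creates that Secret from `tls.privateDomain.*`; if that lives in one of the files not shown, ignore this point.
```yaml
      containers:
        - name: {{ .Chart.Name }}
          # … unchanged: image, imagePullPolicy, args, ports, envFrom, volumeMounts …
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
          readinessProbe:
            tcpSocket:
              port: s3
```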

@ -0,0 +1,157 @@
{{- if .Values.ingress.enabled }}
---
# S3 Ingress
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: '{{ .Chart.Name }}'
namespace: {{ .Release.Namespace }}
labels:
{{ include "s3gw.labels" . | indent 4 }}
annotations:
traefik.ingress.kubernetes.io/router.tls: "true"
traefik.ingress.kubernetes.io/router.middlewares:
'{{ .Release.Namespace }}-cors-header@kubernetescrd'
cert-manager.io/cluster-issuer: {{ default .Values.tlsIssuer .Values.customTlsIssuer | quote }}
spec:
tls:
- hosts:
- '{{ .Values.serviceName }}.{{ .Values.publicDomain }}'
- '*.{{ .Values.serviceName }}.{{ .Values.publicDomain }}'
secretName: s3gw-ingress-tls
rules:
- host: '{{ .Values.serviceName }}.{{ .Values.publicDomain }}'
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: '{{ .Values.serviceName }}'
port:
number: 80
- host: '*.{{ .Values.serviceName }}.{{ .Values.publicDomain }}'
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: '{{ .Values.serviceName }}'
port:
number: 80
---
# S3 No TLS Ingress
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: '{{ .Chart.Name }}-no-tls'
namespace: {{ .Release.Namespace }}
labels:
{{ include "s3gw.labels" . | indent 4 }}
annotations:
traefik.ingress.kubernetes.io/router.middlewares:
'{{ .Release.Namespace }}-cors-header@kubernetescrd'
spec:
rules:
- host: '{{ .Values.serviceName }}.{{ .Values.publicDomain }}'
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: '{{ .Values.serviceName }}'
port:
number: 80
- host: '*.{{ .Values.serviceName }}.{{ .Values.publicDomain }}'
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: '{{ .Values.serviceName }}'
port:
number: 80
{{- if .Values.ui.enabled }}
---
# UI Ingress
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: '{{ .Chart.Name }}-ui'
namespace: {{ .Release.Namespace }}
labels:
{{ include "s3gw.labels" . | indent 4 }}
annotations:
traefik.ingress.kubernetes.io/router.tls: "true"
traefik.ingress.kubernetes.io/router.middlewares:
'{{ .Release.Namespace }}-cors-header@kubernetescrd'
cert-manager.io/cluster-issuer: {{ default .Values.tlsIssuer .Values.customTlsIssuer | quote }}
spec:
tls:
- hosts:
- '{{ .Values.ui.serviceName }}.{{ .Values.ui.publicDomain }}'
secretName: s3gw-ui-ingress-tls
rules:
- host: '{{ .Values.ui.serviceName }}.{{ .Values.ui.publicDomain }}'
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: '{{ .Values.ui.serviceName }}'
port:
number: 80
---
# UI No TLS Ingress
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: '{{ .Chart.Name }}-ui-no-tls'
namespace: {{ .Release.Namespace }}
labels:
{{ include "s3gw.labels" . | indent 4 }}
annotations:
traefik.ingress.kubernetes.io/router.middlewares:
'{{ .Release.Namespace }}-cors-header@kubernetescrd'
spec:
rules:
- host: '{{ .Values.ui.serviceName }}.{{ .Values.ui.publicDomain }}'
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: '{{ .Values.ui.serviceName }}'
port:
number: 80
{{- end }}
---
# Middleware for Traefik
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: cors-header
namespace: {{ .Release.Namespace }}
labels:
{{ include "s3gw.labels" . | indent 4 }}
spec:
headers:
accessControlAllowMethods:
- "DELETE"
- "GET"
- "HEAD"
- "POST"
- "PUT"
- "OPTIONS"
accessControlAllowOriginList:
- "*"
accessControlAllowHeaders:
- "*"
accessControlExposeHeaders:
- "*"
{{- end }}
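Review bot: The `-no-tls` Ingresses for the S3 service and the UI are rendered unconditionally next to the TLS ones, so the same hostnames accept plain HTTP with no redirect, and signed S3 requests and object data can travel in clear; gate them behind a value (e.g. `ingress.allowPlainHttp`) or attach a Traefik redirect-scheme middleware instead of a second router. The `cert-manager.io/cluster-issuer` annotation is emitted even when `useCertManager=false`, in which case `default .Values.tlsIssuer .Values.customTlsIssuer` renders `""`; wrap those two annotation lines in `{{- if .Values.useCertManager }}`. The `cors-header` Middleware allows any origin, any request header and exposes every response header, which is broader than the UI origin this chart deploys needs; narrowing `accessControlAllowOriginList` to the UI host when `ui.enabled` is the only browser client would reduce the surface. `traefik.containo.us/v1alpha1` is the legacy Traefik API group, so this depends on the Traefik version Rancher ships; worth a comment in the template.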

@ -0,0 +1,86 @@
{{- if .Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy" -}}
{{- if .Values.serviceAccount.create }}
{{- if .Values.global.rbac.pspEnabled }}
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: {{ include "s3gw.serviceAccountName" . }}-psp
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: "{{ replace "+" "_" .Chart.Version }}"
app.kubernetes.io/part-of: {{ include "s3gw.serviceAccountName" . }}
app: {{ include "s3gw.serviceAccountName" . }}
{{- if .Values.global.rbac.pspAnnotations }}
annotations: {{ toYaml .Values.global.rbac.pspAnnotations | nindent 4 }}
{{- end }}
spec:
privileged: false
hostNetwork: false
hostIPC: false
hostPID: false
runAsUser:
# Permits the container to run with root privileges as well.
rule: 'RunAsAny'
seLinux:
# This policy assumes the nodes are using AppArmor rather than SELinux.
rule: 'RunAsAny'
supplementalGroups:
rule: 'MustRunAs'
ranges:
# Forbid adding the root group.
- min: 0
max: 65535
fsGroup:
rule: 'MustRunAs'
ranges:
# Forbid adding the root group.
- min: 0
max: 65535
readOnlyRootFilesystem: false
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ include "s3gw.serviceAccountName" . }}-psp
labels:
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: "{{ replace "+" "_" .Chart.Version }}"
app.kubernetes.io/part-of: {{ include "s3gw.serviceAccountName" . }}
app: {{ include "s3gw.serviceAccountName" . }}
rules:
{{- if semverCompare "> 1.15.0-0" .Capabilities.KubeVersion.GitVersion }}
- apiGroups: ['policy']
{{- else }}
- apiGroups: ['extensions']
{{- end }}
resources: ['podsecuritypolicies']
verbs: ['use']
resourceNames:
- {{ include "s3gw.serviceAccountName" . }}-psp
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ include "s3gw.serviceAccountName" . }}-psp
labels:
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: "{{ replace "+" "_" .Chart.Version }}"
app.kubernetes.io/part-of: {{ include "s3gw.serviceAccountName" . }}
app: {{ include "s3gw.serviceAccountName" . }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ include "s3gw.serviceAccountName" . }}-psp
subjects:
- kind: ServiceAccount
name: {{ include "s3gw.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
{{- end }}
{{- end }}
{{- end -}}
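Review bot: The comment `# Forbid adding the root group` above both `ranges` entries is contradicted by `min: 0`, which explicitly permits gid 0; use `min: 1` if the intent is to exclude root, otherwise fix the comment. `namespace: {{ .Release.Namespace }}` under the PodSecurityPolicy metadata is ignored because the resource is cluster-scoped and should be removed. With `runAsUser: RunAsAny` and `readOnlyRootFilesystem: false` the policy is effectively permissive, which is acceptable only if that is the documented intent for this chart.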

@ -0,0 +1,27 @@
{{- if not .Values.useExistingSecret }}
---
apiVersion: v1
kind: Secret
metadata:
name: '{{ .Values.defaultUserCredentialsSecret }}'
namespace: {{ .Release.Namespace }}
labels:
{{ include "s3gw.labels" . | indent 4 }}
type: Opaque
stringData:
RGW_DEFAULT_USER_ACCESS_KEY: {{ include "s3gw.defaultAccessKey" . | quote }}
RGW_DEFAULT_USER_SECRET_KEY: {{ include "s3gw.defaultSecretKey" . | quote }}
{{- end }}
{{- if .Values.imageCredentials }}
---
apiVersion: v1
kind: Secret
metadata:
name: '{{ .Chart.Name }}-image-pull-secret'
namespace: {{ .Release.Namespace }}
labels:
{{ include "s3gw.labels" . | indent 4 }}
type: kubernetes.io/dockerconfigjson
data:
.dockerconfigjson: {{ template "s3gw.imagePullSecret" . }}
{{- end }}
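Review bot: `{{- if .Values.imageCredentials }}` is true for any non-empty mapping, so if the chart's values.yaml (not shown here) declares `imageCredentials` with empty `username`/`password`, a pull Secret holding empty credentials is created on every install and both Deployments reference it. Testing a field rather than the map avoids that, e.g. `{{- if and .Values.imageCredentials .Values.imageCredentials.username }}` (the short-circuiting `and` needs a Helm built with Go 1.18 or newer), and the same condition belongs in the two Deployment `imagePullSecrets` guards so they stay in step.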

@ -0,0 +1,38 @@
---
apiVersion: v1
kind: Service
metadata:
name: '{{ .Values.serviceName }}'
namespace: {{ .Release.Namespace }}
labels:
{{ include "s3gw.labels" . | indent 4 }}
spec:
selector:
{{ include "s3gw.selectorLabels" . | indent 4 }}
ports:
- name: s3
protocol: TCP
port: 80
targetPort: s3
- name: s3-tls
protocol: TCP
port: 443
targetPort: s3-tls
{{- if .Values.ui.enabled }}
---
apiVersion: v1
kind: Service
metadata:
name: '{{ .Values.ui.serviceName }}'
namespace: {{ .Release.Namespace }}
labels:
{{ include "s3gw.labels" . | indent 4 }}
spec:
selector:
{{ include "s3gw-ui.selectorLabels" . | indent 4 }}
ports:
- name: webui
protocol: TCP
port: 80
targetPort: 8080
{{- end }}
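Review bot: The Ingress backends in this commit all target port `80`, i.e. the plain `s3` listener on 7480, so the pod's TLS listener and the `s3gw-cluster-ip-tls` certificate are only used by clients that talk to the Service directly; Traefik-to-pod traffic is cleartext on the cluster network. If end-to-end TLS is wanted on the Ingress path, point the backend at port `443` and tell Traefik to use HTTPS upstream with `traefik.ingress.kubernetes.io/service.serversscheme: https` on the Service. A `# TLS terminates at the Ingress; 443 is for in-cluster clients` comment on the `s3-tls` port would make the current intent explicit.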

@ -0,0 +1,13 @@
{{- if .Values.serviceAccount.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "s3gw.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "s3gw.labels" . | nindent 4 }}
{{- with .Values.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end -}}
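Review bot: Nothing in the Deployments of this commit calls the Kubernetes API, so the token mounted into every gateway and UI pod is unused; adding `automountServiceAccountToken: false` to this ServiceAccount removes an idle credential from the pod filesystem. If a file not shown here does need API access, keep the default and say so in a comment.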

@ -0,0 +1,56 @@
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: '{{ .Release.Name }}-pvc'
namespace: {{ .Release.Namespace }}
labels:
{{ include "s3gw.labels" . | indent 4 }}
spec:
storageClassName: {{ .Values.storageClass.name }}
accessModes:
- ReadWriteOnce
resources:
requests:
storage: {{ .Values.storageSize }}
{{- if (or .Values.storageClass.create .Values.storageClass.local) }}
---
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: {{ .Values.storageClass.name }}
namespace: {{ .Release.Namespace }}
labels:
{{ include "s3gw.labels" . | indent 4 }}
volumeBindingMode: Immediate
{{- if .Values.storageClass.local }}
provisioner: kubernetes.io/no-provisioner
{{- else }}
provisioner: driver.longhorn.io
allowVolumeExpansion: true
reclaimPolicy: Delete
parameters:
fsType: ext4
numberOfReplicas: "1"
staleReplicaTimeout: "2880"
fromBackup: ""
{{- end }}
{{- if .Values.storageClass.local }}
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: '{{ .Release.Name }}.{{ .Release.Namespace }}-local-pv'
labels:
{{ include "s3gw.labels" . | indent 4 }}
type: local
spec:
storageClassName: {{ .Values.storageClass.name }}
capacity:
storage: {{ .Values.storageSize }}
accessModes:
- ReadWriteOnce
hostPath:
path: {{ .Values.storageClass.localPath }}
{{- end }}
{{- end }}
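Review bot: `namespace: {{ .Release.Namespace }}` on the StorageClass is ignored because StorageClass is cluster-scoped, and should be dropped. The hostPath PV's `path: {{ .Values.storageClass.localPath }}` is unquoted, so an unset value renders `path: null` rather than a validation error; write `path: '{{ .Values.storageClass.localPath }}'` and let the API server reject an empty path. A `# hostPath exposes the node filesystem; local mode is for development only` comment above the PersistentVolume would set expectations, since `storageClass.local` is not exposed in questions.yaml.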

@ -0,0 +1,32 @@
---
apiVersion: batch/v1
kind: Job
metadata:
name: 'smoke-{{ .Chart.Name }}-bucket-create'
namespace: '{{ .Release.Namespace }}'
annotations:
helm.sh/hook: test
spec:
template:
spec:
containers:
- name: create-bucket
image: opensuse/tumbleweed:latest
command:
- /bin/sh
- -exc
- zypper -n install --no-recommends libs3-tools;
s3 -u -t 50 create testbucket;
s3 -u -t 50 list | grep testbucket
env:
- name: S3_ACCESS_KEY_ID
value: {{ .Values.accessKey | quote }}
- name: S3_SECRET_ACCESS_KEY
value: {{ .Values.secretKey | quote }}
- name: S3_HOSTNAME
value:
'{{ .Values.serviceName }}.{{ .Release.Namespace }}.{{ .Values.privateDomain }}'
restartPolicy: Never
backoffLimit: 3
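Review bot: The Job takes its credentials from `.Values.accessKey`/`.Values.secretKey`, so with the random-generation path (empty values) or with `useExistingSecret=true` it runs with empty keys and fails regardless of the gateway's health; reading them from the Secret the gateway itself uses makes the test follow the real credentials. The image `opensuse/tumbleweed:latest` is unpinned and the test installs `libs3-tools` from the network at run time, so the result varies with the mirror state and the image does not go through `registry-url`, which will break on air-gapped Rancher installs. Also `zypper -n install` is not idempotent across retries with `backoffLimit: 3` if the package set changes mid-run; pinning the image and baking the tool in would fix both.
```yaml
          env:
            - name: S3_ACCESS_KEY_ID
              valueFrom:
                secretKeyRef:
                  name: {{ .Values.defaultUserCredentialsSecret }}
                  key: RGW_DEFAULT_USER_ACCESS_KEY
            - name: S3_SECRET_ACCESS_KEY
              valueFrom:
                secretKeyRef:
                  name: {{ .Values.defaultUserCredentialsSecret }}
                  key: RGW_DEFAULT_USER_SECRET_KEY
            # … unchanged: S3_HOSTNAME …
```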
