Charts CI
```
Updated:
bitnami/spark:
- 7.2.2
cockroach-labs/cockroachdb:
- 11.2.0
datadog/datadog:
- 3.38.1
external-secrets/external-secrets:
- 0.9.5
hashicorp/consul:
- 1.2.2
hpe/hpe-csi-driver:
- 2.4.0
instana/instana-agent:
- 1.2.63
jaeger/jaeger-operator:
- 2.47.0
jfrog/artifactory-ha:
- 107.68.11
jfrog/artifactory-jcr:
- 107.68.11
koor-tech/koor-operator:
- 0.3.8
kubecost/cost-analyzer:
- 1.106.1
redpanda/redpanda:
- 5.4.10
yugabyte/yugabyte:
- 2.18.3+0
yugabyte/yugaware:
- 2.18.3+0
```
pull/889/head
github-actions[bot]
parent
e8da99dc5f
commit
14f128837d
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
|
|
@ -1,6 +1,6 @@
|
|||
dependencies:
|
||||
- name: common
|
||||
repository: oci://registry-1.docker.io/bitnamicharts
|
||||
version: 2.10.0
|
||||
digest: sha256:023ded170632d04528f30332370f34fc8fb96efb2886a01d934cb3bd6e6d2e09
|
||||
generated: "2023-09-05T11:36:18.65087+02:00"
|
||||
version: 2.11.1
|
||||
digest: sha256:ead8f26c76a9ec082f23629a358e8efd8f88d87aaed734bf41febcb8a7bc5d4c
|
||||
generated: "2023-09-22T06:36:42.731159585Z"
|
||||
|
|
|
|||
|
|
@ -6,7 +6,7 @@ annotations:
|
|||
category: Infrastructure
|
||||
images: |
|
||||
- name: spark
|
||||
image: docker.io/bitnami/spark:3.4.1-debian-11-r48
|
||||
image: docker.io/bitnami/spark:3.4.1-debian-11-r71
|
||||
licenses: Apache-2.0
|
||||
apiVersion: v2
|
||||
appVersion: 3.4.1
|
||||
|
|
@ -30,4 +30,4 @@ maintainers:
|
|||
name: spark
|
||||
sources:
|
||||
- https://github.com/bitnami/charts/tree/main/bitnami/spark
|
||||
version: 7.2.1
|
||||
version: 7.2.2
|
||||
|
|
|
|||
|
|
@ -86,7 +86,7 @@ The command removes all the Kubernetes components associated with the chart and
|
|||
| ------------------- | ----------------------------------------------------------------------------------------------------- | --------------------- |
|
||||
| `image.registry` | Spark image registry | `docker.io` |
|
||||
| `image.repository` | Spark image repository | `bitnami/spark` |
|
||||
| `image.tag` | Spark image tag (immutable tags are recommended) | `3.4.1-debian-11-r48` |
|
||||
| `image.tag` | Spark image tag (immutable tags are recommended) | `3.4.1-debian-11-r71` |
|
||||
| `image.digest` | Spark image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
|
||||
| `image.pullPolicy` | Spark image pull policy | `IfNotPresent` |
|
||||
| `image.pullSecrets` | Specify docker-registry secret names as an array | `[]` |
|
||||
|
|
|
|||
|
|
@ -2,7 +2,7 @@ annotations:
|
|||
category: Infrastructure
|
||||
licenses: Apache-2.0
|
||||
apiVersion: v2
|
||||
appVersion: 2.9.2
|
||||
appVersion: 2.11.1
|
||||
description: A Library Helm Chart for grouping common logic between bitnami charts.
|
||||
This chart is not deployable by itself.
|
||||
home: https://bitnami.com
|
||||
|
|
@ -20,4 +20,4 @@ name: common
|
|||
sources:
|
||||
- https://github.com/bitnami/charts
|
||||
type: library
|
||||
version: 2.10.0
|
||||
version: 2.11.1
|
||||
|
|
|
|||
|
|
@ -83,3 +83,19 @@ imagePullSecrets:
|
|||
{{- end }}
|
||||
{{- end }}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Return the proper image version (ingores image revision/prerelease info & fallbacks to chart appVersion)
|
||||
{{ include "common.images.version" ( dict "imageRoot" .Values.path.to.the.image "chart" .Chart ) }}
|
||||
*/}}
|
||||
{{- define "common.images.version" -}}
|
||||
{{- $imageTag := .imageRoot.tag | toString -}}
|
||||
{{/* regexp from https://github.com/Masterminds/semver/blob/23f51de38a0866c5ef0bfc42b3f735c73107b700/version.go#L41-L44 */}}
|
||||
{{- if regexMatch `^([0-9]+)(\.[0-9]+)?(\.[0-9]+)?(-([0-9A-Za-z\-]+(\.[0-9A-Za-z\-]+)*))?(\+([0-9A-Za-z\-]+(\.[0-9A-Za-z\-]+)*))?$` $imageTag -}}
|
||||
{{- $version := semver $imageTag -}}
|
||||
{{- printf "%d.%d.%d" $version.Major $version.Minor $version.Patch -}}
|
||||
{{- else -}}
|
||||
{{- print .chart.AppVersion -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
|
|
|
|||
|
|
@ -11,21 +11,13 @@ Kubernetes standard labels
|
|||
*/}}
|
||||
{{- define "common.labels.standard" -}}
|
||||
{{- if and (hasKey . "customLabels") (hasKey . "context") -}}
|
||||
{{ merge
|
||||
(include "common.tplvalues.render" (dict "value" .customLabels "context" .context) | fromYaml)
|
||||
(dict
|
||||
"app.kubernetes.io/name" (include "common.names.name" .context)
|
||||
"helm.sh/chart" (include "common.names.chart" .context)
|
||||
"app.kubernetes.io/instance" .context.Release.Name
|
||||
"app.kubernetes.io/managed-by" .context.Release.Service
|
||||
)
|
||||
| toYaml
|
||||
}}
|
||||
{{ merge (include "common.tplvalues.render" (dict "value" .customLabels "context" .context) | fromYaml) (dict "app.kubernetes.io/name" (include "common.names.name" .context) "helm.sh/chart" (include "common.names.chart" .context) "app.kubernetes.io/instance" .context.Release.Name "app.kubernetes.io/managed-by" .context.Release.Service "app.kubernetes.io/version" .context.Chart.AppVersion) | toYaml }}
|
||||
{{- else -}}
|
||||
app.kubernetes.io/name: {{ include "common.names.name" . }}
|
||||
helm.sh/chart: {{ include "common.names.chart" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
app.kubernetes.io/managed-by: {{ .Release.Service }}
|
||||
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
|
|
@ -40,14 +32,7 @@ overwrote them on metadata.labels fields.
|
|||
*/}}
|
||||
{{- define "common.labels.matchLabels" -}}
|
||||
{{- if and (hasKey . "customLabels") (hasKey . "context") -}}
|
||||
{{ merge
|
||||
(pick (include "common.tplvalues.render" (dict "value" .customLabels "context" .context) | fromYaml) "app.kubernetes.io/name" "app.kubernetes.io/instance")
|
||||
(dict
|
||||
"app.kubernetes.io/name" (include "common.names.name" .context)
|
||||
"app.kubernetes.io/instance" .context.Release.Name
|
||||
)
|
||||
| toYaml
|
||||
}}
|
||||
{{ merge (pick (include "common.tplvalues.render" (dict "value" .customLabels "context" .context) | fromYaml) "app.kubernetes.io/name" "app.kubernetes.io/instance") (dict "app.kubernetes.io/name" (include "common.names.name" .context) "app.kubernetes.io/instance" .context.Release.Name ) | toYaml }}
|
||||
{{- else -}}
|
||||
app.kubernetes.io/name: {{ include "common.names.name" . }}
|
||||
app.kubernetes.io/instance: {{ .Release.Name }}
|
||||
|
|
|
|||
|
|
@ -0,0 +1,11 @@
|
|||
{
|
||||
"title": "Chart Values",
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"exampleValue": {
|
||||
"type": "string",
|
||||
"description": "",
|
||||
"default": "common-chart"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
@ -95,7 +95,7 @@ diagnosticMode:
|
|||
image:
|
||||
registry: docker.io
|
||||
repository: bitnami/spark
|
||||
tag: 3.4.1-debian-11-r48
|
||||
tag: 3.4.1-debian-11-r71
|
||||
digest: ""
|
||||
## Specify a imagePullPolicy
|
||||
## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
|
||||
|
|
|
|||
|
|
@ -14,4 +14,4 @@ maintainers:
|
|||
name: cockroachdb
|
||||
sources:
|
||||
- https://github.com/cockroachdb/cockroach
|
||||
version: 11.1.7
|
||||
version: 11.2.0
|
||||
|
|
|
|||
|
|
@ -42,7 +42,7 @@ CockroachDB cluster are:
|
|||
Finally, to open up the CockroachDB admin UI, you can port-forward from your
|
||||
local machine into one of the instances in the cluster:
|
||||
|
||||
kubectl port-forward {{ template "cockroachdb.fullname" . }}-0 {{ index .Values.conf `http-port` | int64 }}
|
||||
kubectl port-forward -n {{ .Release.Namespace }} {{ template "cockroachdb.fullname" . }}-0 {{ index .Values.conf `http-port` | int64 }}
|
||||
|
||||
Then you can access the admin UI at http{{ if .Values.tls.enabled }}s{{ end }}://localhost:{{ index .Values.conf `http-port` | int64 }}/ in your web browser.
|
||||
|
||||
|
|
|
|||
|
|
@ -30,6 +30,8 @@ spec:
|
|||
spec:
|
||||
{{- if and .Values.tls.certs.selfSigner.securityContext.enabled }}
|
||||
securityContext:
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
runAsGroup: 1000
|
||||
runAsUser: 1000
|
||||
fsGroup: 1000
|
||||
|
|
@ -71,5 +73,11 @@ spec:
|
|||
value: {{ .Release.Namespace | quote }}
|
||||
- name: CLUSTER_DOMAIN
|
||||
value: {{ .Values.clusterDomain}}
|
||||
{{- if and .Values.tls.certs.selfSigner.securityContext.enabled }}
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop: ["ALL"]
|
||||
{{- end }}
|
||||
serviceAccountName: {{ template "selfcerts.fullname" . }}
|
||||
{{- end}}
|
||||
|
|
|
|||
|
|
@ -27,6 +27,8 @@ spec:
|
|||
spec:
|
||||
{{- if and .Values.tls.certs.selfSigner.securityContext.enabled }}
|
||||
securityContext:
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
runAsGroup: 1000
|
||||
runAsUser: 1000
|
||||
fsGroup: 1000
|
||||
|
|
@ -43,5 +45,11 @@ spec:
|
|||
env:
|
||||
- name: STATEFULSET_NAME
|
||||
value: {{ template "cockroachdb.fullname" . }}
|
||||
{{- if and .Values.tls.certs.selfSigner.securityContext.enabled }}
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop: ["ALL"]
|
||||
{{- end }}
|
||||
serviceAccountName: {{ template "rotatecerts.fullname" . }}
|
||||
{{- end}}
|
||||
|
|
|
|||
|
|
@ -40,6 +40,8 @@ spec:
|
|||
{{- if eq (include "cockroachdb.securityContext.versionValidation" .) "true" }}
|
||||
{{- if and .Values.init.securityContext.enabled }}
|
||||
securityContext:
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
runAsGroup: 1000
|
||||
runAsUser: 1000
|
||||
fsGroup: 1000
|
||||
|
|
@ -72,6 +74,12 @@ spec:
|
|||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: metadata.namespace
|
||||
{{- if and .Values.init.securityContext.enabled }}
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop: ["ALL"]
|
||||
{{- end }}
|
||||
volumeMounts:
|
||||
- name: client-certs
|
||||
mountPath: /cockroach-certs/
|
||||
|
|
@ -247,6 +255,12 @@ spec:
|
|||
{{- with .Values.init.resources }}
|
||||
resources: {{- toYaml . | nindent 12 }}
|
||||
{{- end }}
|
||||
{{- if and .Values.init.securityContext.enabled }}
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop: ["ALL"]
|
||||
{{- end }}
|
||||
{{- if .Values.tls.enabled }}
|
||||
volumes:
|
||||
- name: client-certs
|
||||
|
|
|
|||
|
|
@ -65,6 +65,15 @@ spec:
|
|||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: metadata.namespace
|
||||
{{- if .Values.statefulset.securityContext.enabled }}
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
privileged: false
|
||||
readOnlyRootFilesystem: true
|
||||
{{- end }}
|
||||
volumeMounts:
|
||||
- name: certs
|
||||
mountPath: /cockroach-certs/
|
||||
|
|
@ -354,6 +363,8 @@ spec:
|
|||
{{- if eq (include "cockroachdb.securityContext.versionValidation" .) "true" }}
|
||||
{{- if and .Values.securityContext.enabled }}
|
||||
securityContext:
|
||||
seccompProfile:
|
||||
type: "RuntimeDefault"
|
||||
fsGroup: 1000
|
||||
runAsGroup: 1000
|
||||
runAsUser: 1000
|
||||
|
|
|
|||
|
|
@ -1,5 +1,29 @@
|
|||
# Datadog changelog
|
||||
|
||||
## 3.38.1
|
||||
|
||||
* Enable Remote Config by default on the host agent only
|
||||
|
||||
## 3.38.0
|
||||
|
||||
* Default `Agent` and `Cluster-Agent` to `7.47.1` version.
|
||||
|
||||
## 3.37.1
|
||||
|
||||
* Temporarily revert enabling Remote Config by default
|
||||
|
||||
## 3.37.0
|
||||
|
||||
* Rename `datadog.securityAgent.compliance.xccdf.enabled` parameter to `datadog.securityAgent.compliance.host_benchmarks.enabled`.
|
||||
|
||||
## 3.36.4
|
||||
|
||||
* Disable Remote Config on the cluster checks runner
|
||||
|
||||
## 3.36.3
|
||||
|
||||
* Mount `/etc/passwd` in process agent only if `datadog.processAgent.processCollection` or `datadog.processAgent.processDiscovery` is enabled.
|
||||
|
||||
## 3.36.2
|
||||
|
||||
* Update `fips.image.tag` to `0.5.5` which upgrades HAProxy to 2.4.24 and zlib to 1.3
|
||||
|
|
|
|||
|
|
@ -19,4 +19,4 @@ name: datadog
|
|||
sources:
|
||||
- https://app.datadoghq.com/account/settings#agent/kubernetes
|
||||
- https://github.com/DataDog/datadog-agent
|
||||
version: 3.36.2
|
||||
version: 3.38.1
|
||||
|
|
|
|||
|
|
@ -1,6 +1,6 @@
|
|||
# Datadog
|
||||
|
||||
 
|
||||
 
|
||||
|
||||
[Datadog](https://www.datadoghq.com/) is a hosted infrastructure monitoring platform. This chart adds the Datadog Agent to all nodes in your cluster via a DaemonSet. It also optionally depends on the [kube-state-metrics chart](https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-state-metrics). For more information about monitoring Kubernetes with Datadog, please refer to the [Datadog documentation website](https://docs.datadoghq.com/agent/basic_agent_usage/kubernetes/).
|
||||
|
||||
|
|
@ -449,7 +449,7 @@ helm install <RELEASE_NAME> \
|
|||
| agents.image.pullPolicy | string | `"IfNotPresent"` | Datadog Agent image pull policy |
|
||||
| agents.image.pullSecrets | list | `[]` | Datadog Agent repository pullSecret (ex: specify docker registry credentials) |
|
||||
| agents.image.repository | string | `nil` | Override default registry + image.name for Agent |
|
||||
| agents.image.tag | string | `"7.47.0"` | Define the Agent version to use |
|
||||
| agents.image.tag | string | `"7.47.1"` | Define the Agent version to use |
|
||||
| agents.image.tagSuffix | string | `""` | Suffix to append to Agent tag |
|
||||
| agents.localService.forceLocalServiceEnabled | bool | `false` | Force the creation of the internal traffic policy service to target the agent running on the local node. By default, the internal traffic service is created only on Kubernetes 1.22+ where the feature became beta and enabled by default. This option allows to force the creation of the internal traffic service on kubernetes 1.21 where the feature was alpha and required a feature gate to be explicitly enabled. |
|
||||
| agents.localService.overrideName | string | `""` | Name of the internal traffic service to target the agent running on the local node |
|
||||
|
|
@ -490,7 +490,7 @@ helm install <RELEASE_NAME> \
|
|||
| clusterAgent.admissionController.failurePolicy | string | `"Ignore"` | Set the failure policy for dynamic admission control.' |
|
||||
| clusterAgent.admissionController.mutateUnlabelled | bool | `false` | Enable injecting config without having the pod label 'admission.datadoghq.com/enabled="true"' |
|
||||
| clusterAgent.admissionController.port | int | `8000` | Set port of cluster-agent admission controller service |
|
||||
| clusterAgent.admissionController.remoteInstrumentation.enabled | bool | `true` | Enable polling and applying library injection using Remote Config. # This feature is in beta, and enables Remote Config in the Cluster Agent. It also requires Cluster Agent version 7.43+. # Enabling this feature grants the Cluster Agent the permissions to patch Deployment objects in the cluster. |
|
||||
| clusterAgent.admissionController.remoteInstrumentation.enabled | bool | `false` | Enable polling and applying library injection using Remote Config. # This feature is in beta, and enables Remote Config in the Cluster Agent. It also requires Cluster Agent version 7.43+. # Enabling this feature grants the Cluster Agent the permissions to patch Deployment objects in the cluster. |
|
||||
| clusterAgent.admissionController.webhookName | string | `"datadog-webhook"` | Name of the mutatingwebhookconfigurations created by the cluster-agent |
|
||||
| clusterAgent.advancedConfd | object | `{}` | Provide additional cluster check configurations. Each key is an integration containing several config files. |
|
||||
| clusterAgent.affinity | object | `{}` | Allow the Cluster Agent Deployment to schedule using affinity rules |
|
||||
|
|
@ -513,7 +513,7 @@ helm install <RELEASE_NAME> \
|
|||
| clusterAgent.image.pullPolicy | string | `"IfNotPresent"` | Cluster Agent image pullPolicy |
|
||||
| clusterAgent.image.pullSecrets | list | `[]` | Cluster Agent repository pullSecret (ex: specify docker registry credentials) |
|
||||
| clusterAgent.image.repository | string | `nil` | Override default registry + image.name for Cluster Agent |
|
||||
| clusterAgent.image.tag | string | `"7.47.0"` | Cluster Agent image tag to use |
|
||||
| clusterAgent.image.tag | string | `"7.47.1"` | Cluster Agent image tag to use |
|
||||
| clusterAgent.livenessProbe | object | Every 15s / 6 KO / 1 OK | Override default Cluster Agent liveness probe settings |
|
||||
| clusterAgent.metricsProvider.aggregator | string | `"avg"` | Define the aggregator the cluster agent will use to process the metrics. The options are (avg, min, max, sum) |
|
||||
| clusterAgent.metricsProvider.createReaderRbac | bool | `true` | Create `external-metrics-reader` RBAC automatically (to allow HPA to read data from Cluster Agent) |
|
||||
|
|
@ -563,7 +563,7 @@ helm install <RELEASE_NAME> \
|
|||
| clusterChecksRunner.image.pullPolicy | string | `"IfNotPresent"` | Datadog Agent image pull policy |
|
||||
| clusterChecksRunner.image.pullSecrets | list | `[]` | Datadog Agent repository pullSecret (ex: specify docker registry credentials) |
|
||||
| clusterChecksRunner.image.repository | string | `nil` | Override default registry + image.name for Cluster Check Runners |
|
||||
| clusterChecksRunner.image.tag | string | `"7.47.0"` | Define the Agent version to use |
|
||||
| clusterChecksRunner.image.tag | string | `"7.47.1"` | Define the Agent version to use |
|
||||
| clusterChecksRunner.image.tagSuffix | string | `""` | Suffix to append to Agent tag |
|
||||
| clusterChecksRunner.livenessProbe | object | Every 15s / 6 KO / 1 OK | Override default agent liveness probe settings |
|
||||
| clusterChecksRunner.networkPolicy.create | bool | `false` | If true, create a NetworkPolicy for the cluster checks runners. DEPRECATED. Use datadog.networkPolicy.create instead |
|
||||
|
|
@ -698,7 +698,8 @@ helm install <RELEASE_NAME> \
|
|||
| datadog.securityAgent.compliance.checkInterval | string | `"20m"` | Compliance check run interval |
|
||||
| datadog.securityAgent.compliance.configMap | string | `nil` | Contains CSPM compliance benchmarks that will be used |
|
||||
| datadog.securityAgent.compliance.enabled | bool | `false` | Set to true to enable Cloud Security Posture Management (CSPM) |
|
||||
| datadog.securityAgent.compliance.xccdf.enabled | bool | `false` | Set to true to enable XCCDF (this feature is supported from Agent 7.45, and requires 160 MB extra memory for the `security-agent` container) |
|
||||
| datadog.securityAgent.compliance.host_benchmarks.enabled | bool | `false` | Set to true to enable host benchmarks (this feature is supported from Agent 7.47, and requires 160 MB extra memory for the `security-agent` container) |
|
||||
| datadog.securityAgent.compliance.xccdf.enabled | bool | `false` | |
|
||||
| datadog.securityAgent.runtime.activityDump.cgroupDumpTimeout | int | `20` | Set to the desired duration of a single container tracing (in minutes) |
|
||||
| datadog.securityAgent.runtime.activityDump.cgroupWaitListSize | int | `0` | Set to the size of the wait list for already traced containers |
|
||||
| datadog.securityAgent.runtime.activityDump.enabled | bool | `true` | Set to true to enable the collection of CWS activity dumps |
|
||||
|
|
|
|||
|
|
@ -10,5 +10,5 @@ securityAgent:
|
|||
enabled: true
|
||||
# Set an empty configMap so that we don't try to mount one
|
||||
configMap:
|
||||
xccdf:
|
||||
host_benchmarks:
|
||||
enabled: true
|
||||
|
|
|
|||
|
|
@ -476,3 +476,13 @@ You have enabled creataion of PodSecurityPolicy, however PSP have been removed f
|
|||
|
||||
You should deactivate these options: clusterAgent.podSecurity.podSecurityPolicy.create and/or agents.podSecurity.podSecurityPolicy.create
|
||||
{{- end }}
|
||||
|
||||
{{- if .Values.datadog.securityAgent.compliance.xccdf.enabled }}
|
||||
#################################################################
|
||||
#### WARNING: Deprecation notice ####
|
||||
#################################################################
|
||||
|
||||
You are using the datadog.securityAgent.compliance.xccdf.enabled parameter which has been replaced by datadog.securityAgent.compliance.host_benchmarks.enabled.
|
||||
This version still supports both but the support of the old name will be dropped in the next major version of our Helm chart.
|
||||
More information about this change: https://github.com/DataDog/helm-charts/pull/1161
|
||||
{{- end }}
|
||||
|
|
|
|||
|
|
@ -88,9 +88,11 @@
|
|||
mountPath: /host/sys/fs/cgroup
|
||||
mountPropagation: {{ .Values.datadog.hostVolumeMountPropagation }}
|
||||
readOnly: true
|
||||
{{- if or .Values.datadog.processAgent.processCollection .Values.datadog.processAgent.processDiscovery}}
|
||||
- name: passwd
|
||||
mountPath: /etc/passwd
|
||||
readOnly: true
|
||||
{{- end }}
|
||||
- name: procdir
|
||||
mountPath: /host/proc
|
||||
mountPropagation: {{ .Values.datadog.hostVolumeMountPropagation }}
|
||||
|
|
|
|||
|
|
@ -34,9 +34,11 @@
|
|||
{{- if .Values.datadog.securityAgent.compliance.enabled }}
|
||||
- name: DD_COMPLIANCE_CONFIG_CHECK_INTERVAL
|
||||
value: {{ .Values.datadog.securityAgent.compliance.checkInterval | quote }}
|
||||
{{- if .Values.datadog.securityAgent.compliance.xccdf.enabled }}
|
||||
{{- if or .Values.datadog.securityAgent.compliance.xccdf.enabled .Values.datadog.securityAgent.compliance.host_benchmarks.enabled }}
|
||||
- name: DD_COMPLIANCE_CONFIG_XCCDF_ENABLED
|
||||
value: {{ .Values.datadog.securityAgent.compliance.xccdf.enabled | quote }}
|
||||
value: "true"
|
||||
- name: DD_COMPLIANCE_CONFIG_HOST_BENCHMARKS_ENABLED
|
||||
value: "true"
|
||||
{{- end }}
|
||||
- name: HOST_ROOT
|
||||
value: /host/root
|
||||
|
|
|
|||
|
|
@ -185,6 +185,8 @@ spec:
|
|||
value: "false"
|
||||
- name: DD_APM_ENABLED
|
||||
value: "false"
|
||||
- name: DD_REMOTE_CONFIGURATION_ENABLED
|
||||
value: "false"
|
||||
- name: DD_HOSTNAME
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
|
|
|
|||
|
|
@ -532,7 +532,7 @@ datadog:
|
|||
processAgent:
|
||||
# datadog.processAgent.enabled -- Set this to true to enable live process monitoring agent
|
||||
|
||||
## Note: /etc/passwd is automatically mounted to allow username resolution.
|
||||
## Note: /etc/passwd is automatically mounted when `processCollection` or `processDiscovery` is enabled.
|
||||
## ref: https://docs.datadoghq.com/graphing/infrastructure/process/#kubernetes-daemonset
|
||||
enabled: true
|
||||
|
||||
|
|
@ -666,10 +666,14 @@ datadog:
|
|||
# datadog.securityAgent.compliance.checkInterval -- Compliance check run interval
|
||||
checkInterval: 20m
|
||||
|
||||
# datadog.securityAgent.compliance.xccdf.enabled -- Set to true to enable XCCDF (this feature is supported from Agent 7.45, and requires 160 MB extra memory for the `security-agent` container)
|
||||
# DEPRECATED. Use datadog.securityAgent.compliance.host_benchmarks.enabled instead.
|
||||
xccdf:
|
||||
enabled: false
|
||||
|
||||
# datadog.securityAgent.compliance.host_benchmarks.enabled -- Set to true to enable host benchmarks (this feature is supported from Agent 7.47, and requires 160 MB extra memory for the `security-agent` container)
|
||||
host_benchmarks:
|
||||
enabled: false
|
||||
|
||||
runtime:
|
||||
# datadog.securityAgent.runtime.enabled -- Set to true to enable Cloud Workload Security (CWS)
|
||||
enabled: false
|
||||
|
|
@ -816,7 +820,7 @@ clusterAgent:
|
|||
name: cluster-agent
|
||||
|
||||
# clusterAgent.image.tag -- Cluster Agent image tag to use
|
||||
tag: 7.47.0
|
||||
tag: 7.47.1
|
||||
|
||||
# clusterAgent.image.digest -- Cluster Agent image digest to use, takes precedence over tag if specified
|
||||
digest: ""
|
||||
|
|
@ -978,7 +982,7 @@ clusterAgent:
|
|||
# clusterAgent.admissionController.remoteInstrumentation.enabled -- Enable polling and applying library injection using Remote Config.
|
||||
## This feature is in beta, and enables Remote Config in the Cluster Agent. It also requires Cluster Agent version 7.43+.
|
||||
## Enabling this feature grants the Cluster Agent the permissions to patch Deployment objects in the cluster.
|
||||
enabled: true
|
||||
enabled: false
|
||||
|
||||
# clusterAgent.admissionController.port -- Set port of cluster-agent admission controller service
|
||||
port: 8000
|
||||
|
|
@ -1224,7 +1228,7 @@ agents:
|
|||
name: agent
|
||||
|
||||
# agents.image.tag -- Define the Agent version to use
|
||||
tag: 7.47.0
|
||||
tag: 7.47.1
|
||||
|
||||
# agents.image.digest -- Define Agent image digest to use, takes precedence over tag if specified
|
||||
digest: ""
|
||||
|
|
@ -1690,7 +1694,7 @@ clusterChecksRunner:
|
|||
name: agent
|
||||
|
||||
# clusterChecksRunner.image.tag -- Define the Agent version to use
|
||||
tag: 7.47.0
|
||||
tag: 7.47.1
|
||||
|
||||
# clusterChecksRunner.image.digest -- Define Agent image digest to use, takes precedence over tag if specified
|
||||
digest: ""
|
||||
|
|
|
|||
|
|
@ -4,7 +4,7 @@ annotations:
|
|||
catalog.cattle.io/kube-version: '>= 1.19.0-0'
|
||||
catalog.cattle.io/release-name: external-secrets
|
||||
apiVersion: v2
|
||||
appVersion: v0.9.4
|
||||
appVersion: v0.9.5
|
||||
description: External secret management for Kubernetes
|
||||
home: https://github.com/external-secrets/external-secrets
|
||||
icon: https://raw.githubusercontent.com/external-secrets/external-secrets/main/assets/eso-logo-large.png
|
||||
|
|
@ -17,4 +17,4 @@ maintainers:
|
|||
name: mcavoyk
|
||||
name: external-secrets
|
||||
type: application
|
||||
version: 0.9.4
|
||||
version: 0.9.5
|
||||
|
|
|
|||
|
|
@ -4,7 +4,7 @@
|
|||
|
||||
[//]: # (README.md generated by gotmpl. DO NOT EDIT.)
|
||||
|
||||
 
|
||||
 
|
||||
|
||||
External secret management for Kubernetes
|
||||
|
||||
|
|
|
|||
|
|
@ -23,7 +23,7 @@ spec:
|
|||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
labels:
|
||||
{{- include "external-secrets-cert-controller.selectorLabels" . | nindent 8 }}
|
||||
{{- include "external-secrets-cert-controller.labels" . | nindent 8 }}
|
||||
{{- with .Values.certController.podLabels }}
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
|
|
|
|||
|
|
@ -9,7 +9,7 @@ metadata:
|
|||
{{- if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }}
|
||||
cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook
|
||||
{{- end }}
|
||||
controller-gen.kubebuilder.io/version: v0.12.1
|
||||
controller-gen.kubebuilder.io/version: v0.13.0
|
||||
name: acraccesstokens.generators.external-secrets.io
|
||||
spec:
|
||||
group: generators.external-secrets.io
|
||||
|
|
|
|||
|
|
@ -9,7 +9,7 @@ metadata:
|
|||
{{- if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }}
|
||||
cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook
|
||||
{{- end }}
|
||||
controller-gen.kubebuilder.io/version: v0.12.1
|
||||
controller-gen.kubebuilder.io/version: v0.13.0
|
||||
name: clusterexternalsecrets.external-secrets.io
|
||||
spec:
|
||||
group: external-secrets.io
|
||||
|
|
@ -433,6 +433,9 @@ spec:
|
|||
- type
|
||||
type: object
|
||||
type: array
|
||||
externalSecretName:
|
||||
description: ExternalSecretName is the name of the ExternalSecrets created by the ClusterExternalSecret
|
||||
type: string
|
||||
failedNamespaces:
|
||||
description: Failed namespaces are the namespaces that failed to apply an ExternalSecret
|
||||
items:
|
||||
|
|
|
|||
|
|
@ -9,7 +9,7 @@ metadata:
|
|||
{{- if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }}
|
||||
cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook
|
||||
{{- end }}
|
||||
controller-gen.kubebuilder.io/version: v0.12.1
|
||||
controller-gen.kubebuilder.io/version: v0.13.0
|
||||
name: clustersecretstores.external-secrets.io
|
||||
spec:
|
||||
group: external-secrets.io
|
||||
|
|
|
|||
|
|
@ -9,7 +9,7 @@ metadata:
|
|||
{{- if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }}
|
||||
cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook
|
||||
{{- end }}
|
||||
controller-gen.kubebuilder.io/version: v0.12.1
|
||||
controller-gen.kubebuilder.io/version: v0.13.0
|
||||
name: ecrauthorizationtokens.generators.external-secrets.io
|
||||
spec:
|
||||
group: generators.external-secrets.io
|
||||
|
|
|
|||
|
|
@ -9,7 +9,7 @@ metadata:
|
|||
{{- if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }}
|
||||
cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook
|
||||
{{- end }}
|
||||
controller-gen.kubebuilder.io/version: v0.12.1
|
||||
controller-gen.kubebuilder.io/version: v0.13.0
|
||||
name: externalsecrets.external-secrets.io
|
||||
spec:
|
||||
group: external-secrets.io
|
||||
|
|
|
|||
|
|
@ -9,7 +9,7 @@ metadata:
|
|||
{{- if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }}
|
||||
cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook
|
||||
{{- end }}
|
||||
controller-gen.kubebuilder.io/version: v0.12.1
|
||||
controller-gen.kubebuilder.io/version: v0.13.0
|
||||
name: fakes.generators.external-secrets.io
|
||||
spec:
|
||||
group: generators.external-secrets.io
|
||||
|
|
|
|||
|
|
@ -9,7 +9,7 @@ metadata:
|
|||
{{- if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }}
|
||||
cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook
|
||||
{{- end }}
|
||||
controller-gen.kubebuilder.io/version: v0.12.1
|
||||
controller-gen.kubebuilder.io/version: v0.13.0
|
||||
name: gcraccesstokens.generators.external-secrets.io
|
||||
spec:
|
||||
group: generators.external-secrets.io
|
||||
|
|
|
|||
|
|
@ -9,7 +9,7 @@ metadata:
|
|||
{{- if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }}
|
||||
cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook
|
||||
{{- end }}
|
||||
controller-gen.kubebuilder.io/version: v0.12.1
|
||||
controller-gen.kubebuilder.io/version: v0.13.0
|
||||
name: passwords.generators.external-secrets.io
|
||||
spec:
|
||||
group: generators.external-secrets.io
|
||||
|
|
|
|||
|
|
@ -9,7 +9,7 @@ metadata:
|
|||
{{- if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }}
|
||||
cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook
|
||||
{{- end }}
|
||||
controller-gen.kubebuilder.io/version: v0.12.1
|
||||
controller-gen.kubebuilder.io/version: v0.13.0
|
||||
name: pushsecrets.external-secrets.io
|
||||
spec:
|
||||
group: external-secrets.io
|
||||
|
|
@ -70,6 +70,9 @@ spec:
|
|||
- remoteRef
|
||||
- secretKey
|
||||
type: object
|
||||
metadata:
|
||||
description: Metadata is metadata attached to the secret. The structure of metadata is provider specific, please look it up in the provider documentation.
|
||||
x-kubernetes-preserve-unknown-fields: true
|
||||
required:
|
||||
- match
|
||||
type: object
|
||||
|
|
@ -198,6 +201,9 @@ spec:
|
|||
- remoteRef
|
||||
- secretKey
|
||||
type: object
|
||||
metadata:
|
||||
description: Metadata is metadata attached to the secret. The structure of metadata is provider specific, please look it up in the provider documentation.
|
||||
x-kubernetes-preserve-unknown-fields: true
|
||||
required:
|
||||
- match
|
||||
type: object
|
||||
|
|
|
|||
|
|
@ -9,7 +9,7 @@ metadata:
|
|||
{{- if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }}
|
||||
cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook
|
||||
{{- end }}
|
||||
controller-gen.kubebuilder.io/version: v0.12.1
|
||||
controller-gen.kubebuilder.io/version: v0.13.0
|
||||
name: secretstores.external-secrets.io
|
||||
spec:
|
||||
group: external-secrets.io
|
||||
|
|
|
|||
|
|
@ -9,7 +9,7 @@ metadata:
|
|||
{{- if and .Values.crds.conversion.enabled .Values.webhook.certManager.enabled .Values.webhook.certManager.addInjectorAnnotations }}
|
||||
cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "external-secrets.fullname" . }}-webhook
|
||||
{{- end }}
|
||||
controller-gen.kubebuilder.io/version: v0.12.1
|
||||
controller-gen.kubebuilder.io/version: v0.13.0
|
||||
name: vaultdynamicsecrets.generators.external-secrets.io
|
||||
spec:
|
||||
group: generators.external-secrets.io
|
||||
|
|
|
|||
|
|
@ -23,7 +23,7 @@ spec:
|
|||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
labels:
|
||||
{{- include "external-secrets.selectorLabels" . | nindent 8 }}
|
||||
{{- include "external-secrets.labels" . | nindent 8 }}
|
||||
{{- with .Values.podLabels }}
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
|
|
|
|||
|
|
@ -1,11 +1,11 @@
|
|||
{{- if .Values.serviceMonitor.enabled }}
|
||||
{{- if and ( .Capabilities.APIVersions.Has "monitoring.coreos.com/v1" ) .Values.serviceMonitor.enabled -}}
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: {{ include "external-secrets.fullname" . }}-metrics
|
||||
namespace: {{ .Release.Namespace | quote }}
|
||||
labels:
|
||||
{{- include "external-secrets.selectorLabels" . | nindent 4 }}
|
||||
{{- include "external-secrets.labels" . | nindent 4 }}
|
||||
spec:
|
||||
type: ClusterIP
|
||||
ports:
|
||||
|
|
|
|||
|
|
@ -23,7 +23,7 @@ spec:
|
|||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
labels:
|
||||
{{- include "external-secrets-webhook.selectorLabels" . | nindent 8 }}
|
||||
{{- include "external-secrets-webhook.labels" . | nindent 8 }}
|
||||
{{- with .Values.webhook.podLabels }}
|
||||
{{- toYaml . | nindent 8 }}
|
||||
{{- end }}
|
||||
|
|
|
|||
|
|
@ -7,8 +7,8 @@ should match snapshot of default values:
|
|||
app.kubernetes.io/instance: RELEASE-NAME
|
||||
app.kubernetes.io/managed-by: Helm
|
||||
app.kubernetes.io/name: external-secrets-cert-controller
|
||||
app.kubernetes.io/version: v0.9.4
|
||||
helm.sh/chart: external-secrets-0.9.4
|
||||
app.kubernetes.io/version: v0.9.5
|
||||
helm.sh/chart: external-secrets-0.9.5
|
||||
name: RELEASE-NAME-external-secrets-cert-controller
|
||||
namespace: NAMESPACE
|
||||
spec:
|
||||
|
|
@ -22,7 +22,10 @@ should match snapshot of default values:
|
|||
metadata:
|
||||
labels:
|
||||
app.kubernetes.io/instance: RELEASE-NAME
|
||||
app.kubernetes.io/managed-by: Helm
|
||||
app.kubernetes.io/name: external-secrets-cert-controller
|
||||
app.kubernetes.io/version: v0.9.5
|
||||
helm.sh/chart: external-secrets-0.9.5
|
||||
spec:
|
||||
automountServiceAccountToken: true
|
||||
containers:
|
||||
|
|
@ -35,7 +38,7 @@ should match snapshot of default values:
|
|||
- --secret-namespace=NAMESPACE
|
||||
- --metrics-addr=:8080
|
||||
- --healthz-addr=:8081
|
||||
image: ghcr.io/external-secrets/external-secrets:v0.9.4
|
||||
image: ghcr.io/external-secrets/external-secrets:v0.9.5
|
||||
imagePullPolicy: IfNotPresent
|
||||
name: cert-controller
|
||||
ports:
|
||||
|
|
|
|||
|
|
@ -7,8 +7,8 @@ should match snapshot of default values:
|
|||
app.kubernetes.io/instance: RELEASE-NAME
|
||||
app.kubernetes.io/managed-by: Helm
|
||||
app.kubernetes.io/name: external-secrets
|
||||
app.kubernetes.io/version: v0.9.4
|
||||
helm.sh/chart: external-secrets-0.9.4
|
||||
app.kubernetes.io/version: v0.9.5
|
||||
helm.sh/chart: external-secrets-0.9.5
|
||||
name: RELEASE-NAME-external-secrets
|
||||
namespace: NAMESPACE
|
||||
spec:
|
||||
|
|
@ -22,13 +22,16 @@ should match snapshot of default values:
|
|||
metadata:
|
||||
labels:
|
||||
app.kubernetes.io/instance: RELEASE-NAME
|
||||
app.kubernetes.io/managed-by: Helm
|
||||
app.kubernetes.io/name: external-secrets
|
||||
app.kubernetes.io/version: v0.9.5
|
||||
helm.sh/chart: external-secrets-0.9.5
|
||||
spec:
|
||||
automountServiceAccountToken: true
|
||||
containers:
|
||||
- args:
|
||||
- --concurrent=1
|
||||
image: ghcr.io/external-secrets/external-secrets:v0.9.4
|
||||
image: ghcr.io/external-secrets/external-secrets:v0.9.5
|
||||
imagePullPolicy: IfNotPresent
|
||||
name: external-secrets
|
||||
ports:
|
||||
|
|
|
|||
|
|
@ -4,7 +4,7 @@ should match snapshot of default values:
|
|||
kind: CustomResourceDefinition
|
||||
metadata:
|
||||
annotations:
|
||||
controller-gen.kubebuilder.io/version: v0.12.1
|
||||
controller-gen.kubebuilder.io/version: v0.13.0
|
||||
name: secretstores.external-secrets.io
|
||||
spec:
|
||||
conversion:
|
||||
|
|
|
|||
|
|
@ -7,8 +7,8 @@ should match snapshot of default values:
|
|||
app.kubernetes.io/instance: RELEASE-NAME
|
||||
app.kubernetes.io/managed-by: Helm
|
||||
app.kubernetes.io/name: external-secrets-webhook
|
||||
app.kubernetes.io/version: v0.9.4
|
||||
helm.sh/chart: external-secrets-0.9.4
|
||||
app.kubernetes.io/version: v0.9.5
|
||||
helm.sh/chart: external-secrets-0.9.5
|
||||
name: RELEASE-NAME-external-secrets-webhook
|
||||
namespace: NAMESPACE
|
||||
spec:
|
||||
|
|
@ -22,7 +22,10 @@ should match snapshot of default values:
|
|||
metadata:
|
||||
labels:
|
||||
app.kubernetes.io/instance: RELEASE-NAME
|
||||
app.kubernetes.io/managed-by: Helm
|
||||
app.kubernetes.io/name: external-secrets-webhook
|
||||
app.kubernetes.io/version: v0.9.5
|
||||
helm.sh/chart: external-secrets-0.9.5
|
||||
spec:
|
||||
automountServiceAccountToken: true
|
||||
containers:
|
||||
|
|
@ -34,7 +37,7 @@ should match snapshot of default values:
|
|||
- --check-interval=5m
|
||||
- --metrics-addr=:8080
|
||||
- --healthz-addr=:8081
|
||||
image: ghcr.io/external-secrets/external-secrets:v0.9.4
|
||||
image: ghcr.io/external-secrets/external-secrets:v0.9.5
|
||||
imagePullPolicy: IfNotPresent
|
||||
name: webhook
|
||||
ports:
|
||||
|
|
@ -78,8 +81,8 @@ should match snapshot of default values:
|
|||
app.kubernetes.io/instance: RELEASE-NAME
|
||||
app.kubernetes.io/managed-by: Helm
|
||||
app.kubernetes.io/name: external-secrets-webhook
|
||||
app.kubernetes.io/version: v0.9.4
|
||||
app.kubernetes.io/version: v0.9.5
|
||||
external-secrets.io/component: webhook
|
||||
helm.sh/chart: external-secrets-0.9.4
|
||||
helm.sh/chart: external-secrets-0.9.5
|
||||
name: RELEASE-NAME-external-secrets-webhook
|
||||
namespace: NAMESPACE
|
||||
|
|
|
|||
|
|
@ -0,0 +1,34 @@
|
|||
suite: test service monitor
|
||||
templates:
|
||||
- servicemonitor.yaml
|
||||
tests:
|
||||
- it: should render service monitor when APIVersions is present and serviceMonitor is enabled
|
||||
set:
|
||||
serviceMonitor.enabled: true
|
||||
capabilities:
|
||||
apiVersions:
|
||||
- "monitoring.coreos.com/v1"
|
||||
asserts:
|
||||
- hasDocuments:
|
||||
count: 6
|
||||
- it: should not render service monitor when APIVersions is not present but serviceMonitor is enabled
|
||||
set:
|
||||
serviceMonitor.enabled: true
|
||||
asserts:
|
||||
- hasDocuments:
|
||||
count: 0
|
||||
- it: should not render service monitor when APIVersions is present and serviceMonitor is disabled
|
||||
set:
|
||||
serviceMonitor.enabled: false
|
||||
capabilities:
|
||||
apiVersions:
|
||||
- "monitoring.coreos.com/v1"
|
||||
asserts:
|
||||
- hasDocuments:
|
||||
count: 0
|
||||
- it: should not render service monitor when APIVersions is not present and serviceMonitor is disabled
|
||||
set:
|
||||
serviceMonitor.enabled: false
|
||||
asserts:
|
||||
- hasDocuments:
|
||||
count: 0
|
||||
|
|
@ -1,11 +1,11 @@
|
|||
annotations:
|
||||
artifacthub.io/images: |
|
||||
- name: consul
|
||||
image: hashicorp/consul:1.16.1
|
||||
image: hashicorp/consul:1.16.2
|
||||
- name: consul-k8s-control-plane
|
||||
image: hashicorp/consul-k8s-control-plane:1.2.1
|
||||
image: hashicorp/consul-k8s-control-plane:1.2.2
|
||||
- name: consul-dataplane
|
||||
image: hashicorp/consul-dataplane:1.2.1
|
||||
image: hashicorp/consul-dataplane:1.2.2
|
||||
- name: envoy
|
||||
image: envoyproxy/envoy:v1.25.9
|
||||
artifacthub.io/license: MPL-2.0
|
||||
|
|
@ -25,7 +25,7 @@ annotations:
|
|||
catalog.cattle.io/kube-version: '>=1.22.0-0'
|
||||
catalog.cattle.io/release-name: consul
|
||||
apiVersion: v2
|
||||
appVersion: 1.16.1
|
||||
appVersion: 1.16.2
|
||||
description: Official HashiCorp Consul Chart
|
||||
home: https://www.consul.io
|
||||
icon: https://raw.githubusercontent.com/hashicorp/consul-k8s/main/assets/icon.png
|
||||
|
|
@ -34,4 +34,4 @@ name: consul
|
|||
sources:
|
||||
- https://github.com/hashicorp/consul
|
||||
- https://github.com/hashicorp/consul-k8s
|
||||
version: 1.2.1
|
||||
version: 1.2.2
|
||||
|
|
|
|||
|
|
@ -22,6 +22,8 @@ securityContext:
|
|||
capabilities:
|
||||
drop:
|
||||
- ALL
|
||||
add:
|
||||
- NET_BIND_SERVICE
|
||||
runAsNonRoot: true
|
||||
seccompProfile:
|
||||
type: RuntimeDefault
|
||||
|
|
|
|||
|
|
@ -38,6 +38,9 @@ spec:
|
|||
"vault.hashicorp.com/agent-inject-template-serverca.crt": {{ template "consul.serverTLSCATemplate" . }}
|
||||
{{- if .Values.global.secretsBackend.vault.agentAnnotations }}
|
||||
{{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }}
|
||||
{{ end }}
|
||||
{{- if (and (.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" .Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}}
|
||||
"vault.hashicorp.com/namespace": "{{ .Values.global.secretsBackend.vault.vaultNamespace }}"
|
||||
{{- end }}
|
||||
{{- if and .Values.global.secretsBackend.vault.ca.secretName .Values.global.secretsBackend.vault.ca.secretKey }}
|
||||
"vault.hashicorp.com/agent-extra-secret": "{{ .Values.global.secretsBackend.vault.ca.secretName }}"
|
||||
|
|
|
|||
|
|
@ -75,6 +75,9 @@ spec:
|
|||
{{- if .Values.global.secretsBackend.vault.agentAnnotations }}
|
||||
{{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }}
|
||||
{{- end }}
|
||||
{{- if (and (.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" .Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}}
|
||||
"vault.hashicorp.com/namespace": "{{ .Values.global.secretsBackend.vault.vaultNamespace }}"
|
||||
{{- end }}
|
||||
{{- if and .Values.global.enterpriseLicense.secretName (not .Values.global.acls.manageSystemACLs) }}
|
||||
{{- with .Values.global.enterpriseLicense }}
|
||||
"vault.hashicorp.com/agent-inject-secret-enterpriselicense.txt": "{{ .secretName }}"
|
||||
|
|
|
|||
|
|
@ -84,6 +84,9 @@ spec:
|
|||
{{- if .Values.global.secretsBackend.vault.agentAnnotations }}
|
||||
{{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }}
|
||||
{{- end }}
|
||||
{{- if (and (.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" .Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}}
|
||||
"vault.hashicorp.com/namespace": "{{ .Values.global.secretsBackend.vault.vaultNamespace }}"
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
spec:
|
||||
serviceAccountName: {{ template "consul.fullname" . }}-connect-injector
|
||||
|
|
|
|||
|
|
@ -1,18 +1,21 @@
|
|||
{{- if .Values.connectInject.enabled }}
|
||||
# Copyright (c) HashiCorp, Inc.
|
||||
# SPDX-License-Identifier: MPL-2.0
|
||||
|
||||
---
|
||||
apiVersion: apiextensions.k8s.io/v1
|
||||
kind: CustomResourceDefinition
|
||||
metadata:
|
||||
annotations:
|
||||
controller-gen.kubebuilder.io/version: v0.8.0
|
||||
creationTimestamp: null
|
||||
name: controlplanerequestlimits.consul.hashicorp.com
|
||||
labels:
|
||||
app: {{ template "consul.name" . }}
|
||||
chart: {{ template "consul.chart" . }}
|
||||
heritage: {{ .Release.Service }}
|
||||
release: {{ .Release.Name }}
|
||||
component: crd
|
||||
controller-gen.kubebuilder.io/version: v0.8.0
|
||||
creationTimestamp: null
|
||||
name: controlplanerequestlimits.consul.hashicorp.com
|
||||
spec:
|
||||
group: consul.hashicorp.com
|
||||
names:
|
||||
|
|
|
|||
|
|
@ -1,18 +1,21 @@
|
|||
{{- if .Values.connectInject.enabled }}
|
||||
# Copyright (c) HashiCorp, Inc.
|
||||
# SPDX-License-Identifier: MPL-2.0
|
||||
|
||||
---
|
||||
apiVersion: apiextensions.k8s.io/v1
|
||||
kind: CustomResourceDefinition
|
||||
metadata:
|
||||
annotations:
|
||||
controller-gen.kubebuilder.io/version: v0.8.0
|
||||
creationTimestamp: null
|
||||
name: exportedservices.consul.hashicorp.com
|
||||
labels:
|
||||
app: {{ template "consul.name" . }}
|
||||
chart: {{ template "consul.chart" . }}
|
||||
heritage: {{ .Release.Service }}
|
||||
release: {{ .Release.Name }}
|
||||
component: crd
|
||||
controller-gen.kubebuilder.io/version: v0.8.0
|
||||
creationTimestamp: null
|
||||
name: exportedservices.consul.hashicorp.com
|
||||
spec:
|
||||
group: consul.hashicorp.com
|
||||
names:
|
||||
|
|
|
|||
|
|
@ -1,18 +1,20 @@
|
|||
{{- if .Values.connectInject.enabled }}
|
||||
---
|
||||
# Copyright (c) HashiCorp, Inc.
|
||||
# SPDX-License-Identifier: MPL-2.0
|
||||
|
||||
apiVersion: apiextensions.k8s.io/v1
|
||||
kind: CustomResourceDefinition
|
||||
metadata:
|
||||
annotations:
|
||||
controller-gen.kubebuilder.io/version: v0.8.0
|
||||
creationTimestamp: null
|
||||
name: gatewayclassconfigs.consul.hashicorp.com
|
||||
labels:
|
||||
app: {{ template "consul.name" . }}
|
||||
chart: {{ template "consul.chart" . }}
|
||||
heritage: {{ .Release.Service }}
|
||||
release: {{ .Release.Name }}
|
||||
component: crd
|
||||
controller-gen.kubebuilder.io/version: v0.8.0
|
||||
creationTimestamp: null
|
||||
name: gatewayclassconfigs.consul.hashicorp.com
|
||||
spec:
|
||||
group: consul.hashicorp.com
|
||||
names:
|
||||
|
|
@ -78,7 +80,61 @@ spec:
|
|||
maximum: 8
|
||||
minimum: 1
|
||||
type: integer
|
||||
resources:
|
||||
description: Resources defines the resource requirements for the
|
||||
gateway.
|
||||
properties:
|
||||
claims:
|
||||
description: "Claims lists the names of resources, defined
|
||||
in spec.resourceClaims, that are used by this container.
|
||||
\n This is an alpha field and requires enabling the DynamicResourceAllocation
|
||||
feature gate. \n This field is immutable. It can only be
|
||||
set for containers."
|
||||
items:
|
||||
description: ResourceClaim references one entry in PodSpec.ResourceClaims.
|
||||
properties:
|
||||
name:
|
||||
description: Name must match the name of one entry in
|
||||
pod.spec.resourceClaims of the Pod where this field
|
||||
is used. It makes that resource available inside a
|
||||
container.
|
||||
type: string
|
||||
required:
|
||||
- name
|
||||
type: object
|
||||
type: array
|
||||
x-kubernetes-list-map-keys:
|
||||
- name
|
||||
x-kubernetes-list-type: map
|
||||
limits:
|
||||
additionalProperties:
|
||||
anyOf:
|
||||
- type: integer
|
||||
- type: string
|
||||
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
|
||||
x-kubernetes-int-or-string: true
|
||||
description: 'Limits describes the maximum amount of compute
|
||||
resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
|
||||
type: object
|
||||
requests:
|
||||
additionalProperties:
|
||||
anyOf:
|
||||
- type: integer
|
||||
- type: string
|
||||
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
|
||||
x-kubernetes-int-or-string: true
|
||||
description: 'Requests describes the minimum amount of compute
|
||||
resources required. If Requests is omitted for a container,
|
||||
it defaults to Limits if that is explicitly specified, otherwise
|
||||
to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
|
||||
type: object
|
||||
type: object
|
||||
type: object
|
||||
mapPrivilegedContainerPorts:
|
||||
description: The value to add to privileged ports ( ports < 1024)
|
||||
for gateway containers
|
||||
format: int32
|
||||
type: integer
|
||||
nodeSelector:
|
||||
additionalProperties:
|
||||
type: string
|
||||
|
|
@ -86,6 +142,10 @@ spec:
|
|||
pod to fit on a node. Selector which must match a node''s labels
|
||||
for the pod to be scheduled on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
|
||||
type: object
|
||||
openshiftSCCName:
|
||||
description: The name of the OpenShift SecurityContextConstraints
|
||||
resource for this gateway class to use.
|
||||
type: string
|
||||
podSecurityPolicy:
|
||||
description: The name of an existing Kubernetes PodSecurityPolicy
|
||||
to bind to the managed ServiceAccount if ACLs are managed.
|
||||
|
|
@ -138,19 +198,6 @@ spec:
|
|||
type: string
|
||||
type: object
|
||||
type: array
|
||||
openshiftSCCName:
|
||||
description: The name of an existing SecurityContextConstraints
|
||||
resource to bind to the managed role when running on OpenShift.
|
||||
type: string
|
||||
mapPrivilegedContainerPorts:
|
||||
type: integer
|
||||
format: int32
|
||||
minimum: 0
|
||||
maximum: 64512
|
||||
description: mapPrivilegedContainerPorts is the value which Consul will add to privileged container port
|
||||
values (ports < 1024) defined on a Gateway when the number is greater than 0. This cannot be more than
|
||||
64512 as the highest privileged port is 1023, which would then map to 65535, which is the highest
|
||||
valid port number.
|
||||
type: object
|
||||
type: object
|
||||
served: true
|
||||
|
|
|
|||
|
|
@ -6,14 +6,15 @@ kind: CustomResourceDefinition
|
|||
metadata:
|
||||
annotations:
|
||||
api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1538
|
||||
gateway.networking.k8s.io/bundle-version: v0.6.2
|
||||
gateway.networking.k8s.io/channel: experimental
|
||||
labels:
|
||||
app: {{ template "consul.name" . }}
|
||||
chart: {{ template "consul.chart" . }}
|
||||
heritage: {{ .Release.Service }}
|
||||
release: {{ .Release.Name }}
|
||||
component: crd
|
||||
gateway.networking.k8s.io/bundle-version: v0.6.2
|
||||
gateway.networking.k8s.io/channel: experimental
|
||||
creationTimestamp: null
|
||||
name: gatewayclasses.gateway.networking.k8s.io
|
||||
spec:
|
||||
group: gateway.networking.k8s.io
|
||||
|
|
|
|||
|
|
@ -6,14 +6,15 @@ kind: CustomResourceDefinition
|
|||
metadata:
|
||||
annotations:
|
||||
api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1538
|
||||
gateway.networking.k8s.io/bundle-version: v0.6.2
|
||||
gateway.networking.k8s.io/channel: experimental
|
||||
labels:
|
||||
app: {{ template "consul.name" . }}
|
||||
chart: {{ template "consul.chart" . }}
|
||||
heritage: {{ .Release.Service }}
|
||||
release: {{ .Release.Name }}
|
||||
component: crd
|
||||
gateway.networking.k8s.io/bundle-version: v0.6.2
|
||||
gateway.networking.k8s.io/channel: experimental
|
||||
creationTimestamp: null
|
||||
name: gateways.gateway.networking.k8s.io
|
||||
spec:
|
||||
group: gateway.networking.k8s.io
|
||||
|
|
|
|||
|
|
@ -6,14 +6,15 @@ kind: CustomResourceDefinition
|
|||
metadata:
|
||||
annotations:
|
||||
api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1538
|
||||
gateway.networking.k8s.io/bundle-version: v0.6.2
|
||||
gateway.networking.k8s.io/channel: experimental
|
||||
labels:
|
||||
app: {{ template "consul.name" . }}
|
||||
chart: {{ template "consul.chart" . }}
|
||||
heritage: {{ .Release.Service }}
|
||||
release: {{ .Release.Name }}
|
||||
component: crd
|
||||
gateway.networking.k8s.io/bundle-version: v0.6.2
|
||||
gateway.networking.k8s.io/channel: experimental
|
||||
creationTimestamp: null
|
||||
name: grpcroutes.gateway.networking.k8s.io
|
||||
spec:
|
||||
group: gateway.networking.k8s.io
|
||||
|
|
|
|||
|
|
@ -6,14 +6,15 @@ kind: CustomResourceDefinition
|
|||
metadata:
|
||||
annotations:
|
||||
api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1538
|
||||
gateway.networking.k8s.io/bundle-version: v0.6.2
|
||||
gateway.networking.k8s.io/channel: experimental
|
||||
labels:
|
||||
app: {{ template "consul.name" . }}
|
||||
chart: {{ template "consul.chart" . }}
|
||||
heritage: {{ .Release.Service }}
|
||||
release: {{ .Release.Name }}
|
||||
component: crd
|
||||
gateway.networking.k8s.io/bundle-version: v0.6.2
|
||||
gateway.networking.k8s.io/channel: experimental
|
||||
creationTimestamp: null
|
||||
name: httproutes.gateway.networking.k8s.io
|
||||
spec:
|
||||
group: gateway.networking.k8s.io
|
||||
|
|
|
|||
|
|
@ -1,18 +1,21 @@
|
|||
{{- if .Values.connectInject.enabled }}
|
||||
# Copyright (c) HashiCorp, Inc.
|
||||
# SPDX-License-Identifier: MPL-2.0
|
||||
|
||||
---
|
||||
apiVersion: apiextensions.k8s.io/v1
|
||||
kind: CustomResourceDefinition
|
||||
metadata:
|
||||
annotations:
|
||||
controller-gen.kubebuilder.io/version: v0.8.0
|
||||
creationTimestamp: null
|
||||
name: ingressgateways.consul.hashicorp.com
|
||||
labels:
|
||||
app: {{ template "consul.name" . }}
|
||||
chart: {{ template "consul.chart" . }}
|
||||
heritage: {{ .Release.Service }}
|
||||
release: {{ .Release.Name }}
|
||||
component: crd
|
||||
controller-gen.kubebuilder.io/version: v0.8.0
|
||||
creationTimestamp: null
|
||||
name: ingressgateways.consul.hashicorp.com
|
||||
spec:
|
||||
group: consul.hashicorp.com
|
||||
names:
|
||||
|
|
@ -78,6 +81,43 @@ spec:
|
|||
while waiting for a connection to be established.
|
||||
format: int32
|
||||
type: integer
|
||||
passiveHealthCheck:
|
||||
description: PassiveHealthCheck configuration determines how upstream
|
||||
proxy instances will be monitored for removal from the load
|
||||
balancing pool.
|
||||
properties:
|
||||
baseEjectionTime:
|
||||
description: The base time that a host is ejected for. The
|
||||
real time is equal to the base time multiplied by the number
|
||||
of times the host has been ejected and is capped by max_ejection_time
|
||||
(Default 300s). Defaults to 30s.
|
||||
type: string
|
||||
enforcingConsecutive5xx:
|
||||
description: EnforcingConsecutive5xx is the % chance that
|
||||
a host will be actually ejected when an outlier status is
|
||||
detected through consecutive 5xx. This setting can be used
|
||||
to disable ejection or to ramp it up slowly. Ex. Setting
|
||||
this to 10 will make it a 10% chance that the host will
|
||||
be ejected.
|
||||
format: int32
|
||||
type: integer
|
||||
interval:
|
||||
description: Interval between health check analysis sweeps.
|
||||
Each sweep may remove hosts or return hosts to the pool.
|
||||
Ex. setting this to "10s" will set the interval to 10 seconds.
|
||||
type: string
|
||||
maxEjectionPercent:
|
||||
description: The maximum % of an upstream cluster that can
|
||||
be ejected due to outlier detection. Defaults to 10% but
|
||||
will eject at least one host regardless of the value.
|
||||
format: int32
|
||||
type: integer
|
||||
maxFailures:
|
||||
description: MaxFailures is the count of consecutive failures
|
||||
that results in a host being removed from the pool.
|
||||
format: int32
|
||||
type: integer
|
||||
type: object
|
||||
type: object
|
||||
listeners:
|
||||
description: Listeners declares what ports the ingress gateway should
|
||||
|
|
@ -157,6 +197,47 @@ spec:
|
|||
service is located. Partitioning is a Consul Enterprise
|
||||
feature.
|
||||
type: string
|
||||
passiveHealthCheck:
|
||||
description: PassiveHealthCheck configuration determines
|
||||
how upstream proxy instances will be monitored for removal
|
||||
from the load balancing pool.
|
||||
properties:
|
||||
baseEjectionTime:
|
||||
description: The base time that a host is ejected
|
||||
for. The real time is equal to the base time multiplied
|
||||
by the number of times the host has been ejected
|
||||
and is capped by max_ejection_time (Default 300s).
|
||||
Defaults to 30s.
|
||||
type: string
|
||||
enforcingConsecutive5xx:
|
||||
description: EnforcingConsecutive5xx is the % chance
|
||||
that a host will be actually ejected when an outlier
|
||||
status is detected through consecutive 5xx. This
|
||||
setting can be used to disable ejection or to ramp
|
||||
it up slowly. Ex. Setting this to 10 will make it
|
||||
a 10% chance that the host will be ejected.
|
||||
format: int32
|
||||
type: integer
|
||||
interval:
|
||||
description: Interval between health check analysis
|
||||
sweeps. Each sweep may remove hosts or return hosts
|
||||
to the pool. Ex. setting this to "10s" will set
|
||||
the interval to 10 seconds.
|
||||
type: string
|
||||
maxEjectionPercent:
|
||||
description: The maximum % of an upstream cluster
|
||||
that can be ejected due to outlier detection. Defaults
|
||||
to 10% but will eject at least one host regardless
|
||||
of the value.
|
||||
format: int32
|
||||
type: integer
|
||||
maxFailures:
|
||||
description: MaxFailures is the count of consecutive
|
||||
failures that results in a host being removed from
|
||||
the pool.
|
||||
format: int32
|
||||
type: integer
|
||||
type: object
|
||||
requestHeaders:
|
||||
description: Allow HTTP header manipulation to be configured.
|
||||
properties:
|
||||
|
|
|
|||
|
|
@ -1,18 +1,21 @@
|
|||
{{- if .Values.connectInject.enabled }}
|
||||
# Copyright (c) HashiCorp, Inc.
|
||||
# SPDX-License-Identifier: MPL-2.0
|
||||
|
||||
---
|
||||
apiVersion: apiextensions.k8s.io/v1
|
||||
kind: CustomResourceDefinition
|
||||
metadata:
|
||||
annotations:
|
||||
controller-gen.kubebuilder.io/version: v0.8.0
|
||||
creationTimestamp: null
|
||||
name: jwtproviders.consul.hashicorp.com
|
||||
labels:
|
||||
app: {{ template "consul.name" . }}
|
||||
chart: {{ template "consul.chart" . }}
|
||||
heritage: {{ .Release.Service }}
|
||||
release: {{ .Release.Name }}
|
||||
component: crd
|
||||
controller-gen.kubebuilder.io/version: v0.8.0
|
||||
creationTimestamp: null
|
||||
name: jwtproviders.consul.hashicorp.com
|
||||
spec:
|
||||
group: consul.hashicorp.com
|
||||
names:
|
||||
|
|
@ -120,6 +123,66 @@ spec:
|
|||
the proxy listener will wait for the JWKS to be fetched
|
||||
before being activated. \n Default value is false."
|
||||
type: boolean
|
||||
jwksCluster:
|
||||
description: "JWKSCluster defines how the specified Remote JWKS
|
||||
URI is to be fetched."
|
||||
properties:
|
||||
connectTimeout:
|
||||
description: "The timeout for new network connections to hosts
|
||||
in the cluster. \n If not set, a default value of 5s will be
|
||||
used."
|
||||
format: int64
|
||||
type: integer
|
||||
discoveryType:
|
||||
description: "DiscoveryType refers to the service discovery type
|
||||
to use for resolving the cluster. \n Defaults to STRICT_DNS."
|
||||
type: string
|
||||
tlsCertificates:
|
||||
description: "TLSCertificates refers to the data containing
|
||||
certificate authority certificates to use in verifying a presented
|
||||
peer certificate."
|
||||
properties:
|
||||
caCertificateProviderInstance:
|
||||
description: "CaCertificateProviderInstance Certificate provider
|
||||
instance for fetching TLS certificates."
|
||||
properties:
|
||||
instanceName:
|
||||
description: "InstanceName refers to the certificate provider
|
||||
instance name. \n The default value is 'default'."
|
||||
type: string
|
||||
certificateName:
|
||||
description: "CertificateName is used to specify certificate
|
||||
instances or types. For example, \"ROOTCA\" to specify a
|
||||
root-certificate (validation context) or \"example.com\"
|
||||
to specify a certificate for a particular domain. \n
|
||||
The default value is the empty string."
|
||||
type: string
|
||||
type: object
|
||||
trustedCA:
|
||||
description: "TrustedCA defines TLS certificate data containing
|
||||
certificate authority certificates to use in verifying a presented
|
||||
peer certificate. \n Exactly one of Filename, EnvironmentVariable,
|
||||
InlineString or InlineBytes must be specified."
|
||||
properties:
|
||||
filename:
|
||||
description: "The name of the file on the local system to use a
|
||||
data source for trusted CA certificates."
|
||||
type: string
|
||||
environmentVariable:
|
||||
description: "The environment variable on the local system to use
|
||||
a data source for trusted CA certificates."
|
||||
type: string
|
||||
inlineString:
|
||||
description: "A string to inline in the configuration for use as
|
||||
a data source for trusted CA certificates."
|
||||
type: string
|
||||
inlineBytes:
|
||||
description: "A sequence of bytes to inline in the configuration
|
||||
for use as a data source for trusted CA certificates."
|
||||
type: string
|
||||
type: object
|
||||
type: object
|
||||
type: object
|
||||
requestTimeoutMs:
|
||||
description: RequestTimeoutMs is the number of milliseconds
|
||||
to time out when making a request for the JWKS.
|
||||
|
|
|
|||
|
|
@ -1,18 +1,21 @@
|
|||
{{- if .Values.connectInject.enabled }}
|
||||
# Copyright (c) HashiCorp, Inc.
|
||||
# SPDX-License-Identifier: MPL-2.0
|
||||
|
||||
---
|
||||
apiVersion: apiextensions.k8s.io/v1
|
||||
kind: CustomResourceDefinition
|
||||
metadata:
|
||||
annotations:
|
||||
controller-gen.kubebuilder.io/version: v0.8.0
|
||||
creationTimestamp: null
|
||||
name: meshes.consul.hashicorp.com
|
||||
labels:
|
||||
app: {{ template "consul.name" . }}
|
||||
chart: {{ template "consul.chart" . }}
|
||||
heritage: {{ .Release.Service }}
|
||||
release: {{ .Release.Name }}
|
||||
component: crd
|
||||
controller-gen.kubebuilder.io/version: v0.8.0
|
||||
creationTimestamp: null
|
||||
name: meshes.consul.hashicorp.com
|
||||
spec:
|
||||
group: consul.hashicorp.com
|
||||
names:
|
||||
|
|
|
|||
|
|
@ -1,18 +1,20 @@
|
|||
{{- if .Values.connectInject.enabled }}
|
||||
---
|
||||
# Copyright (c) HashiCorp, Inc.
|
||||
# SPDX-License-Identifier: MPL-2.0
|
||||
|
||||
apiVersion: apiextensions.k8s.io/v1
|
||||
kind: CustomResourceDefinition
|
||||
metadata:
|
||||
annotations:
|
||||
controller-gen.kubebuilder.io/version: v0.8.0
|
||||
creationTimestamp: null
|
||||
name: meshservices.consul.hashicorp.com
|
||||
labels:
|
||||
app: {{ template "consul.name" . }}
|
||||
chart: {{ template "consul.chart" . }}
|
||||
heritage: {{ .Release.Service }}
|
||||
release: {{ .Release.Name }}
|
||||
component: crd
|
||||
controller-gen.kubebuilder.io/version: v0.8.0
|
||||
creationTimestamp: null
|
||||
name: meshservices.consul.hashicorp.com
|
||||
spec:
|
||||
group: consul.hashicorp.com
|
||||
names:
|
||||
|
|
|
|||
|
|
@ -1,18 +1,21 @@
|
|||
{{- if and .Values.connectInject.enabled .Values.global.peering.enabled }}
|
||||
# Copyright (c) HashiCorp, Inc.
|
||||
# SPDX-License-Identifier: MPL-2.0
|
||||
|
||||
---
|
||||
apiVersion: apiextensions.k8s.io/v1
|
||||
kind: CustomResourceDefinition
|
||||
metadata:
|
||||
annotations:
|
||||
controller-gen.kubebuilder.io/version: v0.8.0
|
||||
creationTimestamp: null
|
||||
name: peeringacceptors.consul.hashicorp.com
|
||||
labels:
|
||||
app: {{ template "consul.name" . }}
|
||||
chart: {{ template "consul.chart" . }}
|
||||
heritage: {{ .Release.Service }}
|
||||
release: {{ .Release.Name }}
|
||||
component: crd
|
||||
controller-gen.kubebuilder.io/version: v0.8.0
|
||||
creationTimestamp: null
|
||||
name: peeringacceptors.consul.hashicorp.com
|
||||
spec:
|
||||
group: consul.hashicorp.com
|
||||
names:
|
||||
|
|
|
|||
|
|
@ -1,18 +1,21 @@
|
|||
{{- if and .Values.connectInject.enabled .Values.global.peering.enabled }}
|
||||
# Copyright (c) HashiCorp, Inc.
|
||||
# SPDX-License-Identifier: MPL-2.0
|
||||
|
||||
---
|
||||
apiVersion: apiextensions.k8s.io/v1
|
||||
kind: CustomResourceDefinition
|
||||
metadata:
|
||||
annotations:
|
||||
controller-gen.kubebuilder.io/version: v0.8.0
|
||||
creationTimestamp: null
|
||||
name: peeringdialers.consul.hashicorp.com
|
||||
labels:
|
||||
app: {{ template "consul.name" . }}
|
||||
chart: {{ template "consul.chart" . }}
|
||||
heritage: {{ .Release.Service }}
|
||||
release: {{ .Release.Name }}
|
||||
component: crd
|
||||
controller-gen.kubebuilder.io/version: v0.8.0
|
||||
creationTimestamp: null
|
||||
name: peeringdialers.consul.hashicorp.com
|
||||
spec:
|
||||
group: consul.hashicorp.com
|
||||
names:
|
||||
|
|
|
|||
|
|
@ -1,18 +1,21 @@
|
|||
{{- if .Values.connectInject.enabled }}
|
||||
# Copyright (c) HashiCorp, Inc.
|
||||
# SPDX-License-Identifier: MPL-2.0
|
||||
|
||||
---
|
||||
apiVersion: apiextensions.k8s.io/v1
|
||||
kind: CustomResourceDefinition
|
||||
metadata:
|
||||
annotations:
|
||||
controller-gen.kubebuilder.io/version: v0.8.0
|
||||
creationTimestamp: null
|
||||
name: proxydefaults.consul.hashicorp.com
|
||||
labels:
|
||||
app: {{ template "consul.name" . }}
|
||||
chart: {{ template "consul.chart" . }}
|
||||
heritage: {{ .Release.Service }}
|
||||
release: {{ .Release.Name }}
|
||||
component: crd
|
||||
controller-gen.kubebuilder.io/version: v0.8.0
|
||||
creationTimestamp: null
|
||||
name: proxydefaults.consul.hashicorp.com
|
||||
spec:
|
||||
group: consul.hashicorp.com
|
||||
names:
|
||||
|
|
|
|||
|
|
@ -1,18 +1,21 @@
|
|||
{{- if .Values.connectInject.enabled }}
|
||||
# Copyright (c) HashiCorp, Inc.
|
||||
# SPDX-License-Identifier: MPL-2.0
|
||||
|
||||
---
|
||||
apiVersion: apiextensions.k8s.io/v1
|
||||
kind: CustomResourceDefinition
|
||||
metadata:
|
||||
annotations:
|
||||
controller-gen.kubebuilder.io/version: v0.8.0
|
||||
creationTimestamp: null
|
||||
name: samenessgroups.consul.hashicorp.com
|
||||
labels:
|
||||
app: {{ template "consul.name" . }}
|
||||
chart: {{ template "consul.chart" . }}
|
||||
heritage: {{ .Release.Service }}
|
||||
release: {{ .Release.Name }}
|
||||
component: crd
|
||||
controller-gen.kubebuilder.io/version: v0.8.0
|
||||
creationTimestamp: null
|
||||
name: samenessgroups.consul.hashicorp.com
|
||||
spec:
|
||||
group: consul.hashicorp.com
|
||||
names:
|
||||
|
|
|
|||
|
|
@ -1,18 +1,21 @@
|
|||
{{- if .Values.connectInject.enabled }}
|
||||
# Copyright (c) HashiCorp, Inc.
|
||||
# SPDX-License-Identifier: MPL-2.0
|
||||
|
||||
---
|
||||
apiVersion: apiextensions.k8s.io/v1
|
||||
kind: CustomResourceDefinition
|
||||
metadata:
|
||||
annotations:
|
||||
controller-gen.kubebuilder.io/version: v0.8.0
|
||||
creationTimestamp: null
|
||||
name: servicedefaults.consul.hashicorp.com
|
||||
labels:
|
||||
app: {{ template "consul.name" . }}
|
||||
chart: {{ template "consul.chart" . }}
|
||||
heritage: {{ .Release.Service }}
|
||||
release: {{ .Release.Name }}
|
||||
component: crd
|
||||
controller-gen.kubebuilder.io/version: v0.8.0
|
||||
creationTimestamp: null
|
||||
name: servicedefaults.consul.hashicorp.com
|
||||
spec:
|
||||
group: consul.hashicorp.com
|
||||
names:
|
||||
|
|
@ -291,18 +294,22 @@ spec:
|
|||
The real time is equal to the base time multiplied by
|
||||
the number of times the host has been ejected and is
|
||||
capped by max_ejection_time (Default 300s). Defaults
|
||||
to 30000ms or 30s.
|
||||
to 30s.
|
||||
type: string
|
||||
enforcingConsecutive5xx:
|
||||
description: EnforcingConsecutive5xx is the % chance that
|
||||
a host will be actually ejected when an outlier status
|
||||
is detected through consecutive 5xx. This setting can
|
||||
be used to disable ejection or to ramp it up slowly.
|
||||
Ex. Setting this to 10 will make it a 10% chance that
|
||||
the host will be ejected.
|
||||
format: int32
|
||||
type: integer
|
||||
interval:
|
||||
description: Interval between health check analysis sweeps.
|
||||
Each sweep may remove hosts or return hosts to the pool.
|
||||
Ex. setting this to "10s" will set the interval to 10
|
||||
seconds.
|
||||
type: string
|
||||
maxEjectionPercent:
|
||||
description: The maximum % of an upstream cluster that
|
||||
|
|
@ -408,19 +415,22 @@ spec:
|
|||
The real time is equal to the base time multiplied
|
||||
by the number of times the host has been ejected and
|
||||
is capped by max_ejection_time (Default 300s). Defaults
|
||||
to 30000ms or 30s.
|
||||
to 30s.
|
||||
type: string
|
||||
enforcingConsecutive5xx:
|
||||
description: EnforcingConsecutive5xx is the % chance
|
||||
that a host will be actually ejected when an outlier
|
||||
status is detected through consecutive 5xx. This setting
|
||||
can be used to disable ejection or to ramp it up slowly.
|
||||
Ex. Setting this to 10 will make it a 10% chance that
|
||||
the host will be ejected.
|
||||
format: int32
|
||||
type: integer
|
||||
interval:
|
||||
description: Interval between health check analysis
|
||||
sweeps. Each sweep may remove hosts or return hosts
|
||||
to the pool.
|
||||
to the pool. Ex. setting this to "10s" will set the
|
||||
interval to 10 seconds.
|
||||
type: string
|
||||
maxEjectionPercent:
|
||||
description: The maximum % of an upstream cluster that
|
||||
|
|
|
|||
|
|
@ -1,18 +1,21 @@
|
|||
{{- if .Values.connectInject.enabled }}
|
||||
# Copyright (c) HashiCorp, Inc.
|
||||
# SPDX-License-Identifier: MPL-2.0
|
||||
|
||||
---
|
||||
apiVersion: apiextensions.k8s.io/v1
|
||||
kind: CustomResourceDefinition
|
||||
metadata:
|
||||
annotations:
|
||||
controller-gen.kubebuilder.io/version: v0.8.0
|
||||
creationTimestamp: null
|
||||
name: serviceintentions.consul.hashicorp.com
|
||||
labels:
|
||||
app: {{ template "consul.name" . }}
|
||||
chart: {{ template "consul.chart" . }}
|
||||
heritage: {{ .Release.Service }}
|
||||
release: {{ .Release.Name }}
|
||||
component: crd
|
||||
controller-gen.kubebuilder.io/version: v0.8.0
|
||||
creationTimestamp: null
|
||||
name: serviceintentions.consul.hashicorp.com
|
||||
spec:
|
||||
group: consul.hashicorp.com
|
||||
names:
|
||||
|
|
|
|||
|
|
@ -1,18 +1,21 @@
|
|||
{{- if .Values.connectInject.enabled }}
|
||||
# Copyright (c) HashiCorp, Inc.
|
||||
# SPDX-License-Identifier: MPL-2.0
|
||||
|
||||
---
|
||||
apiVersion: apiextensions.k8s.io/v1
|
||||
kind: CustomResourceDefinition
|
||||
metadata:
|
||||
annotations:
|
||||
controller-gen.kubebuilder.io/version: v0.8.0
|
||||
creationTimestamp: null
|
||||
name: serviceresolvers.consul.hashicorp.com
|
||||
labels:
|
||||
app: {{ template "consul.name" . }}
|
||||
chart: {{ template "consul.chart" . }}
|
||||
heritage: {{ .Release.Service }}
|
||||
release: {{ .Release.Name }}
|
||||
component: crd
|
||||
controller-gen.kubebuilder.io/version: v0.8.0
|
||||
creationTimestamp: null
|
||||
name: serviceresolvers.consul.hashicorp.com
|
||||
spec:
|
||||
group: consul.hashicorp.com
|
||||
names:
|
||||
|
|
|
|||
|
|
@ -1,18 +1,21 @@
|
|||
{{- if .Values.connectInject.enabled }}
|
||||
# Copyright (c) HashiCorp, Inc.
|
||||
# SPDX-License-Identifier: MPL-2.0
|
||||
|
||||
---
|
||||
apiVersion: apiextensions.k8s.io/v1
|
||||
kind: CustomResourceDefinition
|
||||
metadata:
|
||||
annotations:
|
||||
controller-gen.kubebuilder.io/version: v0.8.0
|
||||
creationTimestamp: null
|
||||
name: servicerouters.consul.hashicorp.com
|
||||
labels:
|
||||
app: {{ template "consul.name" . }}
|
||||
chart: {{ template "consul.chart" . }}
|
||||
heritage: {{ .Release.Service }}
|
||||
release: {{ .Release.Name }}
|
||||
component: crd
|
||||
controller-gen.kubebuilder.io/version: v0.8.0
|
||||
creationTimestamp: null
|
||||
name: servicerouters.consul.hashicorp.com
|
||||
spec:
|
||||
group: consul.hashicorp.com
|
||||
names:
|
||||
|
|
|
|||
|
|
@ -1,18 +1,21 @@
|
|||
{{- if .Values.connectInject.enabled }}
|
||||
# Copyright (c) HashiCorp, Inc.
|
||||
# SPDX-License-Identifier: MPL-2.0
|
||||
|
||||
---
|
||||
apiVersion: apiextensions.k8s.io/v1
|
||||
kind: CustomResourceDefinition
|
||||
metadata:
|
||||
annotations:
|
||||
controller-gen.kubebuilder.io/version: v0.8.0
|
||||
creationTimestamp: null
|
||||
name: servicesplitters.consul.hashicorp.com
|
||||
labels:
|
||||
app: {{ template "consul.name" . }}
|
||||
chart: {{ template "consul.chart" . }}
|
||||
heritage: {{ .Release.Service }}
|
||||
release: {{ .Release.Name }}
|
||||
component: crd
|
||||
controller-gen.kubebuilder.io/version: v0.8.0
|
||||
creationTimestamp: null
|
||||
name: servicesplitters.consul.hashicorp.com
|
||||
spec:
|
||||
group: consul.hashicorp.com
|
||||
names:
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
{{- if and .Values.connectInject.enabled .Values.connectInject.apiGateway.manageExternalCRDs }}
|
||||
{{- if and .Values.connectInject.enabled (or .Values.connectInject.apiGateway.manageExternalCRDs .Values.connectInject.apiGateway.manageNonStandardCRDs ) }}
|
||||
# Copyright (c) HashiCorp, Inc.
|
||||
# SPDX-License-Identifier: MPL-2.0
|
||||
|
||||
|
|
@ -7,15 +7,15 @@ kind: CustomResourceDefinition
|
|||
metadata:
|
||||
annotations:
|
||||
api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1538
|
||||
gateway.networking.k8s.io/bundle-version: v0.6.2
|
||||
gateway.networking.k8s.io/channel: experimental
|
||||
creationTimestamp: null
|
||||
labels:
|
||||
app: {{ template "consul.name" . }}
|
||||
chart: {{ template "consul.chart" . }}
|
||||
heritage: {{ .Release.Service }}
|
||||
release: {{ .Release.Name }}
|
||||
component: crd
|
||||
gateway.networking.k8s.io/bundle-version: v0.6.2
|
||||
gateway.networking.k8s.io/channel: experimental
|
||||
creationTimestamp: null
|
||||
name: tcproutes.gateway.networking.k8s.io
|
||||
spec:
|
||||
group: gateway.networking.k8s.io
|
||||
|
|
|
|||
|
|
@ -1,18 +1,21 @@
|
|||
{{- if .Values.connectInject.enabled }}
|
||||
# Copyright (c) HashiCorp, Inc.
|
||||
# SPDX-License-Identifier: MPL-2.0
|
||||
|
||||
---
|
||||
apiVersion: apiextensions.k8s.io/v1
|
||||
kind: CustomResourceDefinition
|
||||
metadata:
|
||||
annotations:
|
||||
controller-gen.kubebuilder.io/version: v0.8.0
|
||||
creationTimestamp: null
|
||||
name: terminatinggateways.consul.hashicorp.com
|
||||
labels:
|
||||
app: {{ template "consul.name" . }}
|
||||
chart: {{ template "consul.chart" . }}
|
||||
heritage: {{ .Release.Service }}
|
||||
release: {{ .Release.Name }}
|
||||
component: crd
|
||||
controller-gen.kubebuilder.io/version: v0.8.0
|
||||
creationTimestamp: null
|
||||
name: terminatinggateways.consul.hashicorp.com
|
||||
spec:
|
||||
group: consul.hashicorp.com
|
||||
names:
|
||||
|
|
|
|||
|
|
@ -7,15 +7,15 @@ kind: CustomResourceDefinition
|
|||
metadata:
|
||||
annotations:
|
||||
api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1538
|
||||
gateway.networking.k8s.io/bundle-version: v0.6.2
|
||||
gateway.networking.k8s.io/channel: experimental
|
||||
creationTimestamp: null
|
||||
labels:
|
||||
app: {{ template "consul.name" . }}
|
||||
chart: {{ template "consul.chart" . }}
|
||||
heritage: {{ .Release.Service }}
|
||||
release: {{ .Release.Name }}
|
||||
component: crd
|
||||
gateway.networking.k8s.io/bundle-version: v0.6.2
|
||||
gateway.networking.k8s.io/channel: experimental
|
||||
creationTimestamp: null
|
||||
name: tlsroutes.gateway.networking.k8s.io
|
||||
spec:
|
||||
group: gateway.networking.k8s.io
|
||||
|
|
|
|||
|
|
@ -7,15 +7,15 @@ kind: CustomResourceDefinition
|
|||
metadata:
|
||||
annotations:
|
||||
api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1538
|
||||
gateway.networking.k8s.io/bundle-version: v0.6.2
|
||||
gateway.networking.k8s.io/channel: experimental
|
||||
creationTimestamp: null
|
||||
labels:
|
||||
app: {{ template "consul.name" . }}
|
||||
chart: {{ template "consul.chart" . }}
|
||||
heritage: {{ .Release.Service }}
|
||||
release: {{ .Release.Name }}
|
||||
component: crd
|
||||
gateway.networking.k8s.io/bundle-version: v0.6.2
|
||||
gateway.networking.k8s.io/channel: experimental
|
||||
creationTimestamp: null
|
||||
name: udproutes.gateway.networking.k8s.io
|
||||
spec:
|
||||
group: gateway.networking.k8s.io
|
||||
|
|
|
|||
|
|
@ -31,9 +31,6 @@ spec:
|
|||
{{- end }}
|
||||
annotations:
|
||||
"consul.hashicorp.com/connect-inject": "false"
|
||||
{{- if .Values.global.acls.annotations }}
|
||||
{{- tpl .Values.global.acls.annotations . | nindent 8 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
restartPolicy: Never
|
||||
serviceAccountName: {{ template "consul.fullname" . }}-gateway-cleanup
|
||||
|
|
@ -58,8 +55,4 @@ spec:
|
|||
tolerations:
|
||||
{{ tpl .Values.global.acls.tolerations . | indent 8 | trim }}
|
||||
{{- end }}
|
||||
{{- if .Values.global.acls.nodeSelector }}
|
||||
nodeSelector:
|
||||
{{ tpl .Values.global.acls.nodeSelector . | indent 8 | trim }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
|
|
|||
|
|
@ -0,0 +1,19 @@
|
|||
{{- if .Values.connectInject.enabled }}
|
||||
# Configuration of Gateway Resources Job which creates managed Gateway configuration.
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: {{ template "consul.fullname" . }}-gateway-resources-config
|
||||
namespace: {{ .Release.Namespace }}
|
||||
labels:
|
||||
app: {{ template "consul.name" . }}
|
||||
chart: {{ template "consul.chart" . }}
|
||||
heritage: {{ .Release.Service }}
|
||||
release: {{ .Release.Name }}
|
||||
component: gateway-resources
|
||||
data:
|
||||
{{- if .Values.connectInject.apiGateway.managedGatewayClass.resources }}
|
||||
resources.json: |
|
||||
{{ toJson .Values.connectInject.apiGateway.managedGatewayClass.resources }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
|
@ -31,9 +31,6 @@ spec:
|
|||
{{- end }}
|
||||
annotations:
|
||||
"consul.hashicorp.com/connect-inject": "false"
|
||||
{{- if .Values.global.acls.annotations }}
|
||||
{{- tpl .Values.global.acls.annotations . | nindent 8 }}
|
||||
{{- end }}
|
||||
spec:
|
||||
restartPolicy: Never
|
||||
serviceAccountName: {{ template "consul.fullname" . }}-gateway-resources
|
||||
|
|
@ -111,12 +108,16 @@ spec:
|
|||
limits:
|
||||
memory: "50Mi"
|
||||
cpu: "50m"
|
||||
volumeMounts:
|
||||
- name: config
|
||||
mountPath: /consul/config
|
||||
readOnly: true
|
||||
{{- if .Values.global.acls.tolerations }}
|
||||
tolerations:
|
||||
{{ tpl .Values.global.acls.tolerations . | indent 8 | trim }}
|
||||
{{- end }}
|
||||
{{- if .Values.global.acls.nodeSelector }}
|
||||
nodeSelector:
|
||||
{{ tpl .Values.global.acls.nodeSelector . | indent 8 | trim }}
|
||||
{{- end }}
|
||||
volumes:
|
||||
- name: config
|
||||
configMap:
|
||||
name: {{ template "consul.fullname" . }}-gateway-resources-config
|
||||
{{- end }}
|
||||
|
|
|
|||
|
|
@ -125,6 +125,9 @@ spec:
|
|||
{{- if $root.Values.global.secretsBackend.vault.agentAnnotations }}
|
||||
{{ tpl $root.Values.global.secretsBackend.vault.agentAnnotations $root | nindent 8 | trim }}
|
||||
{{- end }}
|
||||
{{- if (and ($root.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" $root.Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}}
|
||||
"vault.hashicorp.com/namespace": "{{ $root.Values.global.secretsBackend.vault.vaultNamespace }}"
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if (and $root.Values.global.metrics.enabled $root.Values.global.metrics.enableGatewayMetrics) }}
|
||||
"prometheus.io/scrape": "true"
|
||||
|
|
|
|||
|
|
@ -21,6 +21,8 @@ spec:
|
|||
# but we can provide it for defense in depth.
|
||||
requiredDropCapabilities:
|
||||
- ALL
|
||||
defaultAddCapabilities:
|
||||
- NET_BIND_SERVICE
|
||||
# Allow core volume types.
|
||||
volumes:
|
||||
- 'configMap'
|
||||
|
|
|
|||
|
|
@ -70,6 +70,9 @@ spec:
|
|||
{{- if .Values.global.secretsBackend.vault.agentAnnotations }}
|
||||
{{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }}
|
||||
{{- end }}
|
||||
{{- if (and (.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" .Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}}
|
||||
"vault.hashicorp.com/namespace": "{{ .Values.global.secretsBackend.vault.vaultNamespace }}"
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- if (and .Values.global.metrics.enabled .Values.global.metrics.enableGatewayMetrics) }}
|
||||
"prometheus.io/scrape": "true"
|
||||
|
|
|
|||
|
|
@ -18,6 +18,8 @@ spec:
|
|||
# but we can provide it for defense in depth.
|
||||
requiredDropCapabilities:
|
||||
- ALL
|
||||
defaultAddCapabilities:
|
||||
- NET_BIND_SERVICE
|
||||
# Allow core volume types.
|
||||
volumes:
|
||||
- 'configMap'
|
||||
|
|
|
|||
|
|
@ -59,6 +59,9 @@ spec:
|
|||
{{- if .Values.global.secretsBackend.vault.agentAnnotations }}
|
||||
{{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }}
|
||||
{{- end }}
|
||||
{{- if (and (.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" .Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}}
|
||||
"vault.hashicorp.com/namespace": "{{ .Values.global.secretsBackend.vault.vaultNamespace }}"
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
spec:
|
||||
restartPolicy: Never
|
||||
|
|
|
|||
|
|
@ -49,6 +49,10 @@ spec:
|
|||
{{- if .Values.global.acls.annotations }}
|
||||
{{- tpl .Values.global.acls.annotations . | nindent 8 }}
|
||||
{{- end }}
|
||||
{{- if .Values.global.argocd.enabled }}
|
||||
"argocd.argoproj.io/hook": "Sync"
|
||||
"argocd.argoproj.io/hook-delete-policy": "HookSucceeded"
|
||||
{{- end }}
|
||||
{{- if .Values.global.secretsBackend.vault.enabled }}
|
||||
|
||||
{{- /* Run the Vault agent as both an init container and sidecar.
|
||||
|
|
@ -93,6 +97,9 @@ spec:
|
|||
{{- if .Values.global.secretsBackend.vault.agentAnnotations }}
|
||||
{{ tpl .Values.global.secretsBackend.vault.agentAnnotations . | nindent 8 | trim }}
|
||||
{{- end }}
|
||||
{{- if (and (.Values.global.secretsBackend.vault.vaultNamespace) (not (hasKey (default "" .Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace")))}}
|
||||
"vault.hashicorp.com/namespace": "{{ .Values.global.secretsBackend.vault.vaultNamespace }}"
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
spec:
|
||||
restartPolicy: Never
|
||||
|
|
@ -143,9 +150,12 @@ spec:
|
|||
fieldPath: metadata.name
|
||||
# Extract the Vault namespace from the Vault agent annotations.
|
||||
{{- if .Values.global.secretsBackend.vault.enabled }}
|
||||
{{- if .Values.global.secretsBackend.vault.agentAnnotations }}
|
||||
{{- if and (.Values.global.secretsBackend.vault.agentAnnotations) (hasKey (default "" .Values.global.secretsBackend.vault.agentAnnotations | fromYaml) "vault.hashicorp.com/namespace") }}
|
||||
- name: VAULT_NAMESPACE
|
||||
value: {{ get (tpl .Values.global.secretsBackend.vault.agentAnnotations . | fromYaml) "vault.hashicorp.com/namespace" }}
|
||||
{{- else if .Values.global.secretsBackend.vault.vaultNamespace }}
|
||||
- name: VAULT_NAMESPACE
|
||||
value: {{ .Values.global.secretsBackend.vault.vaultNamespace }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
{{- include "consul.consulK8sConsulServerEnvVars" . | nindent 8 }}
|
||||
|
|
|
|||
|
|
@ -72,6 +72,9 @@ data:
|
|||
"ca_file": "/consul/vault-ca/tls.crt",
|
||||
{{- end }}
|
||||
"intermediate_pki_path": "{{ .connectCA.intermediatePKIPath }}",
|
||||
{{- if (and (.vaultNamespace) (not (contains "namespace" (default "" .connectCA.additionalConfig)))) }}
|
||||
"namespace": "{{ .vaultNamespace }}",
|
||||
{{- end }}
|
||||
"root_pki_path": "{{ .connectCA.rootPKIPath }}",
|
||||
"auth_method": {
|
||||
"type": "kubernetes",
|
||||
|
|
@ -198,16 +201,7 @@ data:
|
|||
"sink": {
|
||||
{{- range $index, $element := .Values.server.auditLogs.sinks }}
|
||||
{{- if ne $index 0 }},{{end}}
|
||||
"{{ $element.name }}": {
|
||||
{{- $firstKeyValuePair := false }}
|
||||
{{- range $k, $v := $element }}
|
||||
{{- if ne $k "name" }}
|
||||
{{- if ne $firstKeyValuePair false }},{{end}}
|
||||
{{- $firstKeyValuePair = true }}
|
||||
"{{ $k }}": "{{ $v }}"
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
}
|
||||
"{{ get $element "name" }}": {{ omit $element "name" | toJson }}
|
||||
{{- end }}
|
||||
}
|
||||
}
|
||||
|
|
|
|||
Some files were not shown because too many files have changed in this diff Show More
Loading…
Reference in New Issue