Charts CI

```
Updated:
  dh2i/dxemssql:
    - 1.0.6
  dh2i/dxenterprisesqlag:
    - 1.0.2
  dh2i/dxoperator:
    - 1.0.2
  f5/nginx-ingress:
    - 1.2.2
  kasten/k10:
    - 7.0.0
  linkerd/linkerd-control-plane:
    - 2024.5.5
  linkerd/linkerd-crds:
    - 2024.5.5
  traefik/traefik:
    - 28.2.0
```
pull/1022/head
github-actions[bot] 2024-06-01 00:59:17 +00:00
parent 9216fbed52
commit 17d6677054
84 changed files with 5240 additions and 3573 deletions

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.

BIN
assets/kasten/k10-7.0.1.tgz Normal file

Binary file not shown.

Binary file not shown.

Binary file not shown.

Binary file not shown.


@ -16,4 +16,4 @@ maintainers:
url: https://dh2i.com
name: dxemssql
type: application
version: 1.0.5
version: 1.0.6


@ -14,9 +14,9 @@ questions:
group: General
- variable: enableLoadBalancers
label: "Enable External Load Balancers"
type: string
type: boolean
description: "Enable or disable automatic provisioning of an external load balancer for each replica in the StatefulSet."
required: true
default: true
group: General
- variable: DX_LICENSE
label: "License Key"
@ -53,15 +53,27 @@ questions:
group: "DxEnterprise"
- variable: DX_NEW_CLUSTER
label: "Create a New Cluster"
type: string
type: boolean
description: "Whether or not to create a new DxEnterprise cluster, or join an existing one using the provided One-Time Passkey."
default: "true"
default: true
group: "DxEnterprise"
- variable: DX_USE_NAT
label: "Join using NAT matchmaker"
type: boolean
default: false
description: "Enables the NAT matchmaker to find peers when forming a cluster. Requires DX_OTPK to be set in the dxe secret."
group: "DxEnterprise"
- variable: DX_JOIN_TARGET
label: "Join target"
type: string
default: ""
description: "The name or IP address of a peer DxEnterprise cluster node to join to when forming a cluster."
group: "DxEnterprise"
- variable: dxeImage.repository
label: "Repository"
type: string
description: "The repository to pull the DxEnterprise image from."
default: "dh2i/dxe"
default: "docker.io/dh2i/dxe"
group: "DxEnterprise"
subquestions:
- variable: dxeImage.pullPolicy
@ -89,7 +101,6 @@ questions:
type: enum
default: "N"
description: "Accept the terms of the SQL Server EULA."
required: true
group: "SQL Server"
options:
- "Y"
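Review bot: `enableLoadBalancers` in the first hunk keeps `default: true`, so an install through the catalog form provisions an external load balancer for every replica unless the installer opts out. For a chart that fronts SQL Server, `default: false` would be the safer default, with the description stating that enabling it makes each replica reachable from outside the cluster. Whether the templates restrict the load balancer in some other way (source ranges, annotations) is not visible in this section.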


@ -71,7 +71,11 @@ spec:
- name: DX_AG_OPTIONS
value: {{ .Values.DX_AG_OPTIONS | quote }}
- name: DX_NEW_CLUSTER
value: {{ .Values.DX_NEW_CLUSTER | lower | quote }}
value: {{ .Values.DX_NEW_CLUSTER | toString | lower | quote }}
- name: DX_USE_NAT
value: {{ .Values.DX_USE_NAT | toString | lower | quote }}
- name: DX_JOIN_TARGET
value: {{ .Values.DX_JOIN_TARGET | quote }}
- name: MSSQL_SA_PASSWORD
valueFrom:
secretKeyRef:
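Review bot: `DX_USE_NAT` is piped through `toString` with no fallback, so a release whose values lack the key would likely render the literal string `"<nil>"` into the container environment instead of `"false"`. This can happen on an upgrade that reuses the previous release's values, which predate this setting. A fallback keeps the rendered value a boolean string: `value: {{ .Values.DX_USE_NAT | default false | toString | lower | quote }}`. The container spec continues outside the hunk, so how the image treats an unexpected value cannot be seen here.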


@ -8,7 +8,7 @@
# Only set this value below 3 if you intend to assign these replicas to an existing availability group
replicas: 3
secretKeys: null
enableLoadBalancers: "true"
enableLoadBalancers: true
# SQL Server settings
sqlImage:
@ -22,7 +22,7 @@ MSSQL_AGENT_ENABLED: "false"
# DxEnterprise settings
dxeImage:
repository: dh2i/dxe
repository: docker.io/dh2i/dxe
pullPolicy: Always
tag: latest
DX_LICENSE: null
@ -30,7 +30,9 @@ DX_ACCEPT_EULA: null
DX_VHOST_NAME: "VHOST1"
DX_AG_NAME: "AG1"
DX_AG_OPTIONS: ""
DX_NEW_CLUSTER: "true"
DX_NEW_CLUSTER: true
DX_USE_NAT: false
DX_JOIN_TARGET: ""
nameOverride: ""
fullnameOverride: ""
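Review bot: The second hunk fully qualifies the registry as `docker.io/dh2i/dxe` but leaves `tag: latest` with `pullPolicy: Always`, so the image that runs is whatever the registry serves at pod start and can change between restarts of the same release. Pinning the default to a released tag, or supporting a digest reference, would make the deployed DxEnterprise image reproducible and auditable. At minimum, a comment above `tag` such as `# latest is mutable; pin a release tag or digest for production` would document the risk.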


@ -1,18 +1,18 @@
annotations:
catalog.cattle.io/certified: partner
catalog.cattle.io/display-name: DxOperator - DxE + SQL Server AG
catalog.cattle.io/kube-version: '>= 1.20.0-0'
catalog.cattle.io/kube-version: '>= 1.26.0-0'
catalog.cattle.io/release-name: dxenterprisesqlag
charts.openshift.io/name: DxOperator - DxE + SQL Server AG
apiVersion: v2
appVersion: "23.0"
description: SQL Server AGs using DH2i DxOperator
icon: https://raw.githubusercontent.com/dh2i/helm/main/assets/DH2i_Logo_Icon.png
kubeVersion: '>= 1.20.0-0'
kubeVersion: '>= 1.26.0-0'
maintainers:
- email: support@dh2i.com
name: DH2i Company
url: https://dh2i.com
name: dxenterprisesqlag
type: application
version: 1.0.1
version: 1.0.2


@ -9,6 +9,6 @@ This chart deploys a SQL Server Availability group in Kubernetes managed by DxOp
## Additional Information
Instructions for creating this chart using Helm can be found in the [DxOperator Helm Guide](https://support.dh2i.com).
Instructions for creating this chart using Helm can be found in the [DxOperator Helm Guide](https://support.dh2i.com/dxoperator/v1.0.67.0/guides/dxesqlag-helm).
Before creating an availability group, reference SQL Server's [quorum considerations](https://support.dh2i.com/docs/kbs/sql_server/availability_groups/quorum-considerations-for-sql-server-availability-groups) when determining the quantity of replicas to deploy.
Before creating an availability group, reference SQL Server's [quorum considerations](https://support.dh2i.com/docs/v23.0/kbs/sql_server/availability_groups/quorum-considerations-for-sql-server-availability-groups) when determining the quantity of replicas to deploy.


@ -93,13 +93,20 @@ questions:
required: false
default: VHOST1
group: DxEnterprise
- variable: dxEnterpriseContainer.joinExistingCluster
label: "Join Existing cluster"
- variable: dxEnterpriseContainer.joinTarget.useNat
label: "Join using NAT matchmaker"
type: boolean
description: "Whether or not the DxEnterprise cluster should join an existing DxEnterprise cluster using a provided OTPK."
required: false
default: false
description: "Enables the NAT matchmaker to find peers when forming a cluster. Requires DX_OTPK to be set in the dxe secret."
required: false
group: DxEnterprise
- variable: dxEnterpriseContainer.joinTarget.target
label: "Join target"
type: string
default: ""
description: "The name or IP address of a peer DxEnterprise cluster node to join to when forming a cluster."
required: false
group: "DxEnterprise"
# SQL Server section
- variable: sqlServerContainer.acceptEula


@ -40,7 +40,9 @@ spec:
acceptEula: {{ .Values.dxEnterpriseContainer.acceptEula }}
clusterSecret: {{ .Values.dxEnterpriseContainer.clusterSecret }}
vhostName: {{ .Values.dxEnterpriseContainer.vhostName }}
joinExistingCluster: {{ .Values.dxEnterpriseContainer.joinExistingCluster }}
joinTarget:
target: {{ .Values.dxEnterpriseContainer.joinTarget.target }}
useNat: {{ .Values.dxEnterpriseContainer.joinTarget.useNat }}
volumeClaimConfiguration:
{{- toYaml .Values.dxEnterpriseContainer.volumeClaimConfiguration | nindent 10 }}
resources:
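Review bot: `target: {{ .Values.dxEnterpriseContainer.joinTarget.target }}` is emitted unquoted, so the chart default `""` renders as an empty value that YAML reads as null, and a supplied value containing `: ` or ` #` would change the structure of the rendered manifest. Quoting keeps it the string the CRD schema declares: `target: {{ .Values.dxEnterpriseContainer.joinTarget.target | quote }}`. The neighbouring `clusterSecret` and `vhostName` lines have the same unquoted shape. The template also dereferences `joinTarget` directly, which would presumably fail to render when a values file from the previous chart version omits the new map.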


@ -31,7 +31,9 @@ dxEnterpriseContainer:
acceptEula: false
clusterSecret: ""
vhostName: VHOST1
joinExistingCluster: false
joinTarget:
target: ""
useNat: false
volumeClaimConfiguration: null
#operator will assume the values below if volumeClaimConfiguration: null
#storageClassName: <Kubernetes default>


@ -1,16 +1,18 @@
annotations:
catalog.cattle.io/certified: partner
catalog.cattle.io/display-name: DxOperator
catalog.cattle.io/kube-version: '>= 1.26.0-0'
catalog.cattle.io/release-name: dxoperator
charts.openshift.io/name: DxOperator
apiVersion: v2
appVersion: 1.0.57.0
appVersion: 1.0.67.0
description: DH2i operator for Kubernetes
icon: https://raw.githubusercontent.com/dh2i/helm/main/assets/DH2i_Logo_Icon.png
kubeVersion: '>= 1.26.0-0'
maintainers:
- email: support@dh2i.com
name: DH2i Company
url: https://dh2i.com
name: dxoperator
type: application
version: 1.0.1
version: 1.0.2


@ -8,4 +8,4 @@ This chart deploys DH2i's Kubernetes operator.
## Additional Information
Instructions for creating this chart using Helm can be found in the [DxOperator Helm Guide](https://support.dh2i.com).
Instructions for creating this chart using Helm can be found in the [DxOperator Helm Guide](https://support.dh2i.com/dxoperator/v1.0.67.0/guides/dxesqlag-helm).


@ -12,9 +12,6 @@ spec:
listKind: DxEnterpriseSqlAgList
plural: dxenterprisesqlags
singular: dxenterprisesqlag
shortNames:
- dxesqlag
- dxesqlags
scope: Namespaced
versions:
- name: v1
@ -1035,14 +1032,100 @@ spec:
description: The pull policy for the DxEnterprise image
type: string
joinExistingCluster:
description: Whether or not to join an existing cluster.
The DxEnterprise cluster will join a remote cluster
using the DX_OTPK variable set in the clusterSecret
description: 'DEPRECATED: Use ''joinTarget''. Whether
or not to join an existing cluster. The DxEnterprise
cluster will join a remote cluster using the DX_OTPK
variable set in the clusterSecret'
type: boolean
joinTarget:
description: The configuration for the external target
cluster each pod will join to.
properties:
target:
description: The target hostname, IP, or FQDN for
the join process.
type: string
useNat:
description: Whether or not the target is a NAT match-making
service.
type: boolean
type: object
otpkExpiration:
description: 'The date and/or time the OTPK will expire.
Default: 1 hour'
type: string
readinessProbe:
description: 'The readiness probe for DxEnterprise. Default:
initialDelay = 5, period = 10, failureThreshold = 15,
tcpSocket: 7979'
properties:
exec:
properties:
command:
items:
type: string
type: array
type: object
failureThreshold:
format: int32
nullable: true
type: integer
grpc:
properties:
port:
format: int32
type: integer
service:
type: string
type: object
httpGet:
properties:
host:
type: string
httpHeaders:
items:
properties:
name:
type: string
value:
type: string
type: object
type: array
path:
type: string
port:
x-kubernetes-int-or-string: true
scheme:
type: string
type: object
initialDelaySeconds:
format: int32
nullable: true
type: integer
periodSeconds:
format: int32
nullable: true
type: integer
successThreshold:
format: int32
nullable: true
type: integer
tcpSocket:
properties:
host:
type: string
port:
x-kubernetes-int-or-string: true
type: object
terminationGracePeriodSeconds:
format: int64
nullable: true
type: integer
timeoutSeconds:
format: int32
nullable: true
type: integer
type: object
resources:
properties:
claims:
@ -1066,8 +1149,13 @@ spec:
type: string
volumeClaimConfiguration:
description: Configuration options for the required volume
claim for DxEnterprise.
claim for DxEnterprise. Default resource request is
1Gi
properties:
accessModes:
items:
type: string
type: array
resources:
properties:
claims:
@ -1087,6 +1175,26 @@ spec:
storageClassName:
type: string
type: object
volumeMounts:
description: Additional pod volumes to mount into the
container filesystem.
items:
properties:
mountPath:
type: string
mountPropagation:
type: string
name:
type: string
readOnly:
nullable: true
type: boolean
subPath:
type: string
subPathExpr:
type: string
type: object
type: array
required:
- acceptEula
- clusterSecret
@ -1746,6 +1854,78 @@ spec:
description: The secret containing the MSSQL_SA_PASSWORD
environment variable.
type: string
readinessProbe:
description: 'The readiness probe for SQL Server. Default:
initialDelay = 5, period = 10, failureThreshold = 60,
tcpSocket: 1433'
properties:
exec:
properties:
command:
items:
type: string
type: array
type: object
failureThreshold:
format: int32
nullable: true
type: integer
grpc:
properties:
port:
format: int32
type: integer
service:
type: string
type: object
httpGet:
properties:
host:
type: string
httpHeaders:
items:
properties:
name:
type: string
value:
type: string
type: object
type: array
path:
type: string
port:
x-kubernetes-int-or-string: true
scheme:
type: string
type: object
initialDelaySeconds:
format: int32
nullable: true
type: integer
periodSeconds:
format: int32
nullable: true
type: integer
successThreshold:
format: int32
nullable: true
type: integer
tcpSocket:
properties:
host:
type: string
port:
x-kubernetes-int-or-string: true
type: object
terminationGracePeriodSeconds:
format: int64
nullable: true
type: integer
timeoutSeconds:
format: int32
nullable: true
type: integer
type: object
resources:
properties:
claims:
@ -1764,8 +1944,12 @@ spec:
type: object
volumeClaimConfiguration:
description: Configuration options for the required volume
claim for SQL Server.
claim for SQL Server. Default resource request is 4Gi
properties:
accessModes:
items:
type: string
type: array
resources:
properties:
claims:
@ -1785,6 +1969,26 @@ spec:
storageClassName:
type: string
type: object
volumeMounts:
description: Additional pod volumes to mount into the
container filesystem.
items:
properties:
mountPath:
type: string
mountPropagation:
type: string
name:
type: string
readOnly:
nullable: true
type: boolean
subPath:
type: string
subPathExpr:
type: string
type: object
type: array
required:
- acceptEula
- mssqlPID
@ -1926,6 +2130,650 @@ spec:
type: string
type: object
type: array
volumes:
items:
properties:
awsElasticBlockStore:
properties:
fsType:
type: string
partition:
format: int32
nullable: true
type: integer
readOnly:
nullable: true
type: boolean
volumeID:
type: string
type: object
azureDisk:
properties:
cachingMode:
type: string
diskName:
type: string
diskURI:
type: string
fsType:
type: string
kind:
type: string
readOnly:
nullable: true
type: boolean
type: object
azureFile:
properties:
readOnly:
nullable: true
type: boolean
secretName:
type: string
shareName:
type: string
type: object
cephfs:
properties:
monitors:
items:
type: string
type: array
path:
type: string
readOnly:
nullable: true
type: boolean
secretFile:
type: string
secretRef:
properties:
name:
type: string
type: object
user:
type: string
type: object
cinder:
properties:
fsType:
type: string
readOnly:
nullable: true
type: boolean
secretRef:
properties:
name:
type: string
type: object
volumeID:
type: string
type: object
configMap:
properties:
defaultMode:
format: int32
nullable: true
type: integer
items:
items:
properties:
key:
type: string
mode:
format: int32
nullable: true
type: integer
path:
type: string
type: object
type: array
name:
type: string
optional:
nullable: true
type: boolean
type: object
csi:
properties:
driver:
type: string
fsType:
type: string
nodePublishSecretRef:
properties:
name:
type: string
type: object
readOnly:
nullable: true
type: boolean
volumeAttributes:
additionalProperties:
type: string
type: object
type: object
downwardAPI:
properties:
defaultMode:
format: int32
nullable: true
type: integer
items:
items:
properties:
fieldRef:
properties:
apiVersion:
type: string
fieldPath:
type: string
type: object
mode:
format: int32
nullable: true
type: integer
path:
type: string
resourceFieldRef:
properties:
containerName:
type: string
divisor:
properties:
format:
enum:
- DecimalExponent
- BinarySI
- DecimalSI
type: string
value:
type: string
type: object
resource:
type: string
type: object
type: object
type: array
type: object
emptyDir:
properties:
medium:
type: string
sizeLimit:
properties:
format:
enum:
- DecimalExponent
- BinarySI
- DecimalSI
type: string
value:
type: string
type: object
type: object
ephemeral:
properties:
volumeClaimTemplate:
properties:
metadata:
type: object
spec:
properties:
accessModes:
items:
type: string
type: array
dataSource:
properties:
apiGroup:
type: string
kind:
type: string
name:
type: string
type: object
dataSourceRef:
properties:
apiGroup:
type: string
kind:
type: string
name:
type: string
namespace:
type: string
type: object
resources:
properties:
claims:
items:
properties:
name:
type: string
type: object
type: array
limits:
type: object
x-kubernetes-preserve-unknown-fields: true
requests:
type: object
x-kubernetes-preserve-unknown-fields: true
type: object
selector:
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
type: array
type: object
type: array
matchLabels:
additionalProperties:
type: string
type: object
type: object
storageClassName:
type: string
volumeMode:
type: string
volumeName:
type: string
type: object
type: object
type: object
fc:
properties:
fsType:
type: string
lun:
format: int32
nullable: true
type: integer
readOnly:
nullable: true
type: boolean
targetWWNs:
items:
type: string
type: array
wwids:
items:
type: string
type: array
type: object
flexVolume:
properties:
driver:
type: string
fsType:
type: string
options:
additionalProperties:
type: string
type: object
readOnly:
nullable: true
type: boolean
secretRef:
properties:
name:
type: string
type: object
type: object
flocker:
properties:
datasetName:
type: string
datasetUUID:
type: string
type: object
gcePersistentDisk:
properties:
fsType:
type: string
partition:
format: int32
nullable: true
type: integer
pdName:
type: string
readOnly:
nullable: true
type: boolean
type: object
gitRepo:
properties:
directory:
type: string
repository:
type: string
revision:
type: string
type: object
glusterfs:
properties:
endpoints:
type: string
path:
type: string
readOnly:
nullable: true
type: boolean
type: object
hostPath:
properties:
path:
type: string
type:
type: string
type: object
iscsi:
properties:
chapAuthDiscovery:
nullable: true
type: boolean
chapAuthSession:
nullable: true
type: boolean
fsType:
type: string
initiatorName:
type: string
iqn:
type: string
iscsiInterface:
type: string
lun:
format: int32
type: integer
portals:
items:
type: string
type: array
readOnly:
nullable: true
type: boolean
secretRef:
properties:
name:
type: string
type: object
targetPortal:
type: string
type: object
name:
type: string
nfs:
properties:
path:
type: string
readOnly:
nullable: true
type: boolean
server:
type: string
type: object
persistentVolumeClaim:
properties:
claimName:
type: string
readOnly:
nullable: true
type: boolean
type: object
photonPersistentDisk:
properties:
fsType:
type: string
pdID:
type: string
type: object
portworxVolume:
properties:
fsType:
type: string
readOnly:
nullable: true
type: boolean
volumeID:
type: string
type: object
projected:
properties:
defaultMode:
format: int32
nullable: true
type: integer
sources:
items:
properties:
configMap:
properties:
items:
items:
properties:
key:
type: string
mode:
format: int32
nullable: true
type: integer
path:
type: string
type: object
type: array
name:
type: string
optional:
nullable: true
type: boolean
type: object
downwardAPI:
properties:
items:
items:
properties:
fieldRef:
properties:
apiVersion:
type: string
fieldPath:
type: string
type: object
mode:
format: int32
nullable: true
type: integer
path:
type: string
resourceFieldRef:
properties:
containerName:
type: string
divisor:
properties:
format:
enum:
- DecimalExponent
- BinarySI
- DecimalSI
type: string
value:
type: string
type: object
resource:
type: string
type: object
type: object
type: array
type: object
secret:
properties:
items:
items:
properties:
key:
type: string
mode:
format: int32
nullable: true
type: integer
path:
type: string
type: object
type: array
name:
type: string
optional:
nullable: true
type: boolean
type: object
serviceAccountToken:
properties:
audience:
type: string
expirationSeconds:
format: int64
nullable: true
type: integer
path:
type: string
type: object
type: object
type: array
type: object
quobyte:
properties:
group:
type: string
readOnly:
nullable: true
type: boolean
registry:
type: string
tenant:
type: string
user:
type: string
volume:
type: string
type: object
rbd:
properties:
fsType:
type: string
image:
type: string
keyring:
type: string
monitors:
items:
type: string
type: array
pool:
type: string
readOnly:
nullable: true
type: boolean
secretRef:
properties:
name:
type: string
type: object
user:
type: string
type: object
scaleIO:
properties:
fsType:
type: string
gateway:
type: string
protectionDomain:
type: string
readOnly:
nullable: true
type: boolean
secretRef:
properties:
name:
type: string
type: object
sslEnabled:
nullable: true
type: boolean
storageMode:
type: string
storagePool:
type: string
system:
type: string
volumeName:
type: string
type: object
secret:
properties:
defaultMode:
format: int32
nullable: true
type: integer
items:
items:
properties:
key:
type: string
mode:
format: int32
nullable: true
type: integer
path:
type: string
type: object
type: array
optional:
nullable: true
type: boolean
secretName:
type: string
type: object
storageos:
properties:
fsType:
type: string
readOnly:
nullable: true
type: boolean
secretRef:
properties:
name:
type: string
type: object
volumeName:
type: string
volumeNamespace:
type: string
type: object
vsphereVolume:
properties:
fsType:
type: string
storagePolicyID:
type: string
storagePolicyName:
type: string
volumePath:
type: string
type: object
type: object
type: array
required:
- dxEnterpriseContainer
- mssqlServerContainer
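Review bot: The new `volumes` property in the last hunk has no `description` and accepts every volume source, including `hostPath`, while both container schemas gain `volumeMounts`. If the operator copies these into the pods it creates, permission to create or edit a DxEnterpriseSqlAg becomes equivalent to mounting node paths into those pods. A description would make that explicit, for example `description: Additional pod volumes. All Kubernetes volume sources are accepted, including hostPath.`, and the chart README could advise restricting RBAC on this resource and enforcing Pod Security admission in the target namespace. The first hunk also appears to remove the `dxesqlag`/`dxesqlags` short names, so existing scripts that use them would stop resolving. The file looks generated, so both changes probably belong in the generator's source types.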


@ -4,10 +4,10 @@ annotations:
catalog.cattle.io/kube-version: '>= 1.23.0-0'
catalog.cattle.io/release-name: nginx-ingress
apiVersion: v2
appVersion: 3.5.1
appVersion: 3.5.2
description: NGINX Ingress Controller
home: https://github.com/nginxinc/kubernetes-ingress
icon: https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.5.1/charts/nginx-ingress/chart-icon.png
icon: https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.5.2/charts/nginx-ingress/chart-icon.png
keywords:
- ingress
- nginx
@ -17,6 +17,6 @@ maintainers:
name: nginxinc
name: nginx-ingress
sources:
- https://github.com/nginxinc/kubernetes-ingress/tree/v3.5.1/charts/nginx-ingress
- https://github.com/nginxinc/kubernetes-ingress/tree/v3.5.2/charts/nginx-ingress
type: application
version: 1.2.1
version: 1.2.2


@ -51,10 +51,10 @@ kubectl apply -f crds/
Alternatively, CRDs can be upgraded without pulling the chart by running:
```console
kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.5.1/deploy/crds.yaml
kubectl apply -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.5.2/deploy/crds.yaml
```
In the above command, `v3.5.1` represents the version of NGINX Ingress Controller release rather than the Helm chart version.
In the above command, `v3.5.2` represents the version of NGINX Ingress Controller release rather than the Helm chart version.
> **Note**
>
@ -87,14 +87,14 @@ To install the chart with the release name my-release (my-release is the name th
For NGINX:
```console
helm install my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 1.2.1
helm install my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 1.2.2
```
For NGINX Plus: (assuming you have pushed the Ingress Controller image `nginx-plus-ingress` to your private registry
`myregistry.example.com`)
```console
helm install my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 1.2.1 --set controller.image.repository=myregistry.example.com/nginx-plus-ingress --set controller.nginxplus=true
helm install my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 1.2.2 --set controller.image.repository=myregistry.example.com/nginx-plus-ingress --set controller.nginxplus=true
```
This will install the latest `edge` version of the Ingress Controller from GitHub Container Registry. If you prefer to
@ -109,7 +109,7 @@ CRDs](#upgrading-the-crds).
To upgrade the release `my-release`:
```console
helm upgrade my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 1.2.1
helm upgrade my-release oci://ghcr.io/nginxinc/charts/nginx-ingress --version 1.2.2
```
### Uninstalling the Chart
@ -150,7 +150,7 @@ upgrading/deleting the CRDs.
1. Pull the chart sources:
```console
helm pull oci://ghcr.io/nginxinc/charts/nginx-ingress --untar --version 1.2.1
helm pull oci://ghcr.io/nginxinc/charts/nginx-ingress --untar --version 1.2.2
```
2. Change your working directory to nginx-ingress:
@ -236,7 +236,7 @@ The steps you should follow depend on the Helm release name:
Selector: app=nginx-ingress-nginx-ingress
```
2. Checkout the latest available tag using `git checkout v3.5.1`
2. Checkout the latest available tag using `git checkout v3.5.2`
3. Navigate to `/kubernates-ingress/charts/nginx-ingress`
@ -288,7 +288,7 @@ reviewing its events:
Selector: app=<helm_release_name>-nginx-ingress
```
2. Checkout the latest available tag using `git checkout v3.5.1`
2. Checkout the latest available tag using `git checkout v3.5.2`
3. Navigate to `/kubernates-ingress/charts/nginx-ingress`
@ -355,7 +355,7 @@ The following tables lists the configurable parameters of the NGINX Ingress Cont
|`controller.logLevel` | The log level of the Ingress Controller. | 1 |
|`controller.image.digest` | The image digest of the Ingress Controller. | None |
|`controller.image.repository` | The image repository of the Ingress Controller. | nginx/nginx-ingress |
|`controller.image.tag` | The tag of the Ingress Controller image. | 3.5.1 |
|`controller.image.tag` | The tag of the Ingress Controller image. | 3.5.2 |
|`controller.image.pullPolicy` | The pull policy for the Ingress Controller image. | IfNotPresent |
|`controller.lifecycle` | The lifecycle of the Ingress Controller pods. | {} |
|`controller.customConfigMap` | The name of the custom ConfigMap used by the Ingress Controller. If set, then the default config is ignored. | "" |
@ -386,7 +386,7 @@ The following tables lists the configurable parameters of the NGINX Ingress Cont
|`controller.initContainerResources` | The resources of the init container which is used when `readOnlyRootFilesystem` is enabled by either setting `controller.securityContext.readOnlyRootFilesystem` or `controller.readOnlyRootFilesystem`to `true`. | requests: cpu=100m,memory=128Mi |
|`controller.replicaCount` | The number of replicas of the Ingress Controller deployment. | 1 |
|`controller.ingressClass.name` | A class of the Ingress Controller. An IngressClass resource with the name equal to the class must be deployed. Otherwise, the Ingress Controller will fail to start. The Ingress Controller only processes resources that belong to its class - i.e. have the "ingressClassName" field resource equal to the class. The Ingress Controller processes all the VirtualServer/VirtualServerRoute/TransportServer resources that do not have the "ingressClassName" field for all versions of Kubernetes. | nginx |
|`controller.ingressClass.create` | Creates a new IngressClass object with the name `controller.ingressClass.name`. Set to `false` to use an existing ingressClass created using `kubectl` with the same name. If you use `helm upgrade`, do not change the values from the previous release as helm will delete IngressClass objects managed by helm. If you are upgrading from a release earlier than 3.5.1, do not set the value to false. | true |
|`controller.ingressClass.create` | Creates a new IngressClass object with the name `controller.ingressClass.name`. Set to `false` to use an existing ingressClass created using `kubectl` with the same name. If you use `helm upgrade`, do not change the values from the previous release as helm will delete IngressClass objects managed by helm. If you are upgrading from a release earlier than 3.5.2, do not set the value to false. | true |
|`controller.ingressClass.setAsDefaultIngress` | New Ingresses without an `"ingressClassName"` field specified will be assigned the class specified in `controller.ingressClass.name`. Requires `controller.ingressClass.create`. | false |
|`controller.watchNamespace` | Comma separated list of namespaces the Ingress Controller should watch for resources. By default the Ingress Controller watches all namespaces. Mutually exclusive with `controller.watchNamespaceLabel`. Please note that if configuring multiple namespaces using the Helm cli `--set` option, the string needs to wrapped in double quotes and the commas escaped using a backslash - e.g. `--set controller.watchNamespace="default\,nginx-ingress"`. | "" |
|`controller.watchNamespaceLabel` | Configures the Ingress Controller to watch only those namespaces with label foo=bar. By default the Ingress Controller watches all namespaces. Mutually exclusive with `controller.watchNamespace`. | "" |


@ -4,7 +4,7 @@ controller:
nginxplus: true
image:
repository: mycluster.icp:8500/kube-system/nginx-plus-ingress
tag: "3.5.1"
tag: "3.5.2"
nodeSelector:
beta.kubernetes.io/arch: "amd64"
proxy: true


@ -3,4 +3,4 @@ controller:
nginxplus: true
image:
repository: nginx-plus-ingress
tag: "3.5.1"
tag: "3.5.2"


@ -336,10 +336,10 @@
},
"tag": {
"type": "string",
"default": "3.5.1",
"default": "3.5.2",
"title": "The tag of the Ingress Controller image",
"examples": [
"3.5.1"
"3.5.2"
]
},
"digest": {
@ -376,7 +376,7 @@
"examples": [
{
"repository": "nginx/nginx-ingress",
"tag": "3.5.1",
"tag": "3.5.2",
"pullPolicy": "IfNotPresent"
}
]
@ -1466,7 +1466,7 @@
"customPorts": [],
"image": {
"repository": "nginx/nginx-ingress",
"tag": "3.5.1",
"tag": "3.5.2",
"digest": "",
"pullPolicy": "IfNotPresent"
},
@ -2007,7 +2007,7 @@
"customPorts": [],
"image": {
"repository": "nginx/nginx-ingress",
"tag": "3.5.1",
"tag": "3.5.2",
"digest": "",
"pullPolicy": "IfNotPresent"
},


@ -78,7 +78,7 @@ controller:
repository: nginx/nginx-ingress
## The tag of the Ingress Controller image. If not specified the appVersion from Chart.yaml is used as a tag.
# tag: "3.5.1"
# tag: "3.5.2"
## The digest of the Ingress Controller image.
## If digest is specified it has precedence over tag and will be used instead
# digest: "sha256:CHANGEME"


@ -6,4 +6,4 @@ dependencies:
repository: ""
version: 25.18.0
digest: sha256:e35117c8aba9f6bde24ae45b5e05b0342b03029dfb2676236c389572cc502066
generated: "2024-05-18T05:55:02.501542941Z"
generated: "2024-05-31T17:50:43.005351945Z"


@ -4,7 +4,7 @@ annotations:
catalog.cattle.io/kube-version: '>= 1.17.0-0'
catalog.cattle.io/release-name: k10
apiVersion: v2
appVersion: 6.5.14
appVersion: 7.0.0
dependencies:
- condition: grafana.enabled
name: grafana
@ -21,4 +21,4 @@ maintainers:
- email: contact@kasten.io
name: kastenIO
name: k10
version: 6.5.1401
version: 7.0.1


@ -285,6 +285,8 @@ Parameter | Description | Default
`priorityClassName.<deploymentName>` | Overrides the default [priority class](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/#priorityclass) name for the specified deployment | `{}`
`ephemeralPVCOverhead` | Set the percentage increase for the ephemeral Persistent Volume Claim's storage request, e.g. PVC size = (file raw size) * (1 + `ephemeralPVCOverhead`) | `0.1`
`datastore.parallelUploads` | Specifies how many files can be uploaded in parallel to the data store | `8`
`kastenDisasterRecovery.quickMode.enabled` | Enables K10 Quick Disaster Recovery | `false`
`fips.enabled` | Specifies whether K10 should be run in the FIPS mode of operation | `false`
## Helm tips and tricks
There is a way of setting values via a yaml file instead of using `--set`.


@ -1,4 +1,8 @@
Thank you for installing Kastens K10 Data Management Platform {{ .Chart.Version }}!
{{- if .Values.fips.enabled }}
You are operating in FIPS mode.
{{- end }}
Documentation can be found at https://docs.kasten.io/.


@ -208,16 +208,17 @@ state-svc:
cpu: 2m
memory: 30Mi
{{- end -}}
{{- define "k10.multiClusterVersion" -}}2{{- end -}}
{{- define "k10.multiClusterVersion" -}}2.5{{- end -}}
{{- define "k10.mcExternalPort" -}}18000{{- end -}}
{{- define "k10.defaultKubeVirtVMsUnfreezeTimeout" -}}5m{{- end -}}
{{- define "k10.aggAuditPolicyFile" -}}agg-audit-policy.yaml{{- end -}}
{{- define "k10.siemAuditLogFilePath" -}}-{{- end -}}
{{- define "k10.siemAuditLogFileSize" -}}100{{- end -}}
{{- define "k10.kanisterToolsImageTag" -}}0.108.0{{- end -}}
{{- define "k10.kanisterToolsImageTag" -}}0.109.0{{- end -}}
{{- define "k10.disabledServicesEnvVar" -}}K10_DISABLED_SERVICES{{- end -}}
{{- define "k10.openShiftClientSecretEnvVar" -}}K10_OPENSHIFT_CLIENT_SECRET{{- end -}}
{{- define "k10.defaultK10DefaultPriorityClassName" -}}{{- end -}}
{{- define "k10.dexServiceAccountName" -}}k10-dex-k10-sa{{- end -}}
{{- define "k10.gatewayPrefixVarName" -}}PREFIX_PATH{{- end -}}
{{- define "k10.gatewayRequestHeadersVarName" -}}EXTAUTH_REQUEST_HEADERS{{- end -}}
{{- define "k10.gatewayAuthHeadersVarName" -}}EXTAUTH_AUTH_HEADERS{{- end -}}


@ -116,11 +116,12 @@
{{- end -}}
{{- /* FIPS */ -}}
{{- $fips := .Values.fips | default dict -}}
{{- if $fips.enabled -}}
{{- if .Values.fips.enabled -}}
{{- $internal_capabilities = append $internal_capabilities "fips.strict" -}}
{{- $internal_capabilities = append $internal_capabilities "crypto.k10.v2" -}}
{{- $internal_capabilities = append $internal_capabilities "crypto.storagerepository.v2" -}}
{{- $internal_capabilities = append $internal_capabilities "crypto.vbr.v2" -}}
{{- $internal_capabilities = append $internal_capabilities "gateway" -}}
{{- end -}}
{{- concat $internal_capabilities (.Values.capabilities | default list) | join " " -}}
@ -138,6 +139,32 @@
{{- concat $internal_capabilities_mask (.Values.capabilitiesMask | default list) | join " " -}}
{{- end -}}
{{/*
k10.capability checks whether a given capability is enabled
For example:
include "k10.capability" (. | merge (dict "capability" "SOME.CAPABILITY"))
*/}}
{{- define "k10.capability" -}}
{{- $capabilities := dict -}}
{{- range $capability := include "k10.capabilities" . | splitList " " -}}
{{- $_ := set $capabilities $capability "enabled" -}}
{{- end -}}
{{- range $capability := include "k10.capabilities_mask" . | splitList " " -}}
{{- $_ := unset $capabilities $capability -}}
{{- end -}}
{{- index $capabilities .capability | default "" -}}
{{- end -}}
{{/*
k10.capability.gateway checks whether the "gateway" capability is enabled
*/}}
{{- define "k10.capability.gateway" -}}
{{- include "k10.capability" (. | merge (dict "capability" "gateway")) -}}
{{- end -}}
{{/* Check if basic auth is needed */}}
{{- define "basicauth.check" -}}
{{- if .Values.auth.basicAuth.enabled }}
@ -1213,39 +1240,32 @@ running in the same cluster.
{{/* Fail if FIPS is enabled and Grafana is turned on */}}
{{- define "k10.fail.fipsGrafana" -}}
{{- if and ((.Values.fips | default dict).enabled) (.Values.grafana.enabled) -}}
{{- if and (.Values.fips.enabled) (.Values.grafana.enabled) -}}
{{- fail "fips.enabled and grafana.enabled cannot both be enabled at the same time" -}}
{{- end -}}
{{- end -}}
{{/* Fail if FIPS is enabled and Prometheus is turned on */}}
{{- define "k10.fail.fipsPrometheus" -}}
{{- if and ((.Values.fips | default dict).enabled) (.Values.prometheus.server.enabled) -}}
{{- if and (.Values.fips.enabled) (.Values.prometheus.server.enabled) -}}
{{- fail "fips.enabled and prometheus.server.enabled cannot both be enabled at the same time" -}}
{{- end -}}
{{- end -}}
{{/* Fail if FIPS is enabled and Multicluster is turned on */}}
{{- define "k10.fail.fipsMulticluster" -}}
{{- if and ((.Values.fips | default dict).enabled) (.Values.multicluster.enabled) -}}
{{- if and (.Values.fips.enabled) (.Values.multicluster.enabled) -}}
{{- fail "fips.enabled and multicluster.enabled cannot both be enabled at the same time" -}}
{{- end -}}
{{- end -}}
{{/* Fail if FIPS is enabled and PDF reporting is turned on */}}
{{- define "k10.fail.fipsPDFReports" -}}
{{- if and ((.Values.fips | default dict).enabled) (.Values.reporting.pdfReports) -}}
{{- if and (.Values.fips.enabled) (.Values.reporting.pdfReports) -}}
{{- fail "fips.enabled and reporting.pdfReports cannot both be enabled at the same time" -}}
{{- end -}}
{{- end -}}
{{/* Fail if FIPS is enabled and next gen gateway is turned off */}}
{{- define "k10.fail.fipsGatewayNextGen" -}}
{{- if and ((.Values.fips | default dict).enabled) (not .Values.gateway.next_gen) -}}
{{- fail "gateway.next_gen must be enabled if fips.enabled=true" -}}
{{- end -}}
{{- end -}}
{{/* Check to see whether SIEM logging is enabled */}}
{{- define "k10.siemEnabled" -}}
{{- if or .Values.siem.logging.cluster.enabled .Values.siem.logging.cloud.awsS3.enabled -}}
@ -1273,8 +1293,15 @@ running in the same cluster.
{{/* Returns a generated name for the OpenShift Service Account secret */}}
{{- define "get.openshiftServiceAccountSecretName" -}}
{{- $serviceAccount := required "auth.openshift.serviceAccount field is required" .Values.auth.openshift.serviceAccount -}}
{{ printf "%s-k10-secret" $serviceAccount | quote }}
{{ printf "%s-k10-secret" (include "get.openshiftServiceAccountName" .) | quote }}
{{- end -}}
{{/*
Returns a generated name for the OpenShift Service Account if a service account name
is not configuredby the user using the helm value auth.openshift.serviceAccount
*/}}
{{- define "get.openshiftServiceAccountName" -}}
{{ default (include "k10.dexServiceAccountName" .) .Values.auth.openshift.serviceAccount}}
{{- end -}}
{{/*
@ -1286,6 +1313,10 @@ the Microsoft Go toolchain and Red Hat's OpenSSL.
value: "1"
- name: OPENSSL_FORCE_FIPS_MODE
value: "1"
{{- if .Values.fips.disable_ems }}
- name: KASTEN_CRYPTO_POLICY
value: disable_ems
{{- end }}
{{- end }}
{{/*
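Review bot: The conditions that now read `.Values.fips.enabled` have lost the nil guard that `(.Values.fips | default dict).enabled` gave them, in the FIPS block of the capabilities helper and in the four `k10.fail.fips*` helpers; the same swap recurs in the deployment and gateway templates of this commit. This reading takes the second line of each printed pair as the new side, which matches the `fips: enabled: false` default added to values.yaml. Rendering then depends on `fips` always being a map, so a values source with `fips: null`, or an upgrade that reuses older values without the key, would presumably stop with a nil-pointer template error instead of treating FIPS as off. In the capabilities helper, whose `define` starts above the hunk, the context line `{{- $fips := .Values.fips | default dict -}}` is still present but no longer read. The smallest change is to keep `{{- if $fips.enabled -}}` there and the `| default dict` form in the other conditions.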


@ -309,7 +309,7 @@ There are 3 valid states of the secret provided by customer:
name: k10-config
key: clustername
{{- end }}
{{- if (.Values.fips | default dict).enabled }}
{{- if .Values.fips.enabled }}
{{- include "k10.enforceFIPSEnvironmentVariables" . | indent 10 }}
{{- end }}
{{- with $capabilities := include "k10.capabilities" . }}
@ -333,6 +333,13 @@ There are 3 valid states of the secret provided by customer:
name: k10-config
key: kubeVirtVMsUnFreezeTimeout
{{- end }}
{{- if eq $service "executor" }}
- name: QUICK_DISASTER_RECOVERY_ENABLED
valueFrom:
configMapKeyRef:
name: k10-config
key: quickDisasterRecoveryEnabled
{{- end }}
{{- if or (eq $service "executor") (eq $service "controllermanager") }}
{{- if or .Values.global.imagePullSecret (or .Values.secrets.dockerConfig .Values.secrets.dockerConfigPath) }}
- name: IMAGE_PULL_SECRET_NAMES
@ -877,7 +884,7 @@ There are 3 valid states of the secret provided by customer:
- name: K10_CAPABILITIES_MASK
value: {{ $capabilities_mask | quote }}
{{- end }}
{{- if (.Values.fips | default dict).enabled }}
{{- if .Values.fips.enabled }}
{{- include "k10.enforceFIPSEnvironmentVariables" . | nindent 10 }}
{{- end }}
volumeMounts:
@ -899,7 +906,7 @@ There are 3 valid states of the secret provided by customer:
image: {{ include "get.dexImage" . }}
{{- if .Values.auth.ldap.enabled }}
command: ["/usr/local/bin/dex", "serve", "/dex-config/config.yaml"]
{{- if (.Values.fips | default dict).enabled }}
{{- if .Values.fips.enabled }}
env:
{{- include "k10.enforceFIPSEnvironmentVariables" . | nindent 10 }}
{{- end }}
@ -924,7 +931,7 @@ There are 3 valid states of the secret provided by customer:
{{- else }}
value: {{ .Values.auth.openshift.clientSecret }}
{{- end }}
{{- if (.Values.fips | default dict).enabled }}
{{- if .Values.fips.enabled }}
{{- include "k10.enforceFIPSEnvironmentVariables" . | indent 10 }}
{{- end }}
{{- end }}


@ -1 +1 @@
{{- define "k10.imageTag" -}}6.5.14{{- end -}}
{{- define "k10.imageTag" -}}7.0.0{{- end -}}


@ -183,7 +183,7 @@ spec:
name: k10-config
key: clustername
{{- end }}
{{- if (.Values.fips | default dict).enabled }}
{{- if .Values.fips.enabled }}
{{- include "k10.enforceFIPSEnvironmentVariables" . | indent 10 }}
{{- end }}
{{- with $capabilities := include "k10.capabilities" . }}


@ -10,7 +10,7 @@ metadata:
service: gateway
{{ include "helm.labels" . | indent 4 }}
name: gateway
{{- if not $.Values.gateway.next_gen }}
{{- if not (include "k10.capability.gateway" $) }}
annotations:
getambassador.io/config: |
---
@ -82,7 +82,7 @@ spec:
selector:
service: gateway
---
{{- if not $.Values.gateway.next_gen }}
{{- if not (include "k10.capability.gateway" $) }}
{{- if .Values.gateway.exposeAdminPort }}
apiVersion: v1
kind: Service
@ -125,7 +125,7 @@ spec:
component: gateway
{{ include "helm.labels" . | indent 8 }}
{{- include "k10.azMarketPlace.billingIdentifier" . }}
{{- if $.Values.gateway.next_gen }}
{{- if (include "k10.capability.gateway" $) }}
spec:
serviceAccountName: {{ template "serviceAccountName" . }}
{{- dict "main" . "k10_deployment_name" "gateway" | include "k10.priorityClassName" | indent 6}}
@ -151,7 +151,7 @@ spec:
configMapKeyRef:
name: k10-config
key: version
{{- if (.Values.fips | default dict).enabled }}
{{- if .Values.fips.enabled }}
{{- include "k10.enforceFIPSEnvironmentVariables" . | indent 10 }}
{{- end }}
{{- with $capabilities := include "k10.capabilities" . }}
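Review bot: With `{{- if not (include "k10.capability.gateway" $) }}` the Ambassador-annotated path is selected by a capability that `k10.capability` computes only after removing every entry of `k10.capabilities_mask`, and that mask includes `.Values.capabilitiesMask`. The same commit drops the `k10.fail.fipsGatewayNextGen` guard, so with `fips.enabled=true` a mask entry of `gateway` would render the legacy gateway silently where the chart used to refuse to install; whether masking `gateway` is a supported input is not visible here. If the FIPS restriction still holds, an explicit guard keeps it enforced: `{{- if and .Values.fips.enabled (not (include "k10.capability.gateway" .)) -}}{{- fail "the gateway capability must be enabled if fips.enabled=true" -}}{{- end -}}`. The same condition is used in the services template and the ConfigMap template of this commit.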


@ -69,6 +69,8 @@ data:
k10JobMaxWaitDuration: {{ .Values.maxJobWaitDuration | quote }}
quickDisasterRecoveryEnabled: {{ .Values.kastenDisasterRecovery.quickMode.enabled | quote }}
k10ForceRootInKanisterHooks: {{ .Values.forceRootInKanisterHooks | quote }}
{{- if .Values.awsConfig.efsBackupVaultName }}
@ -135,7 +137,7 @@ data:
name: OpenShift
config:
issuer: {{ .Values.auth.openshift.openshiftURL }}
clientID: {{printf "system:serviceaccount:%s:%s" .Release.Namespace .Values.auth.openshift.serviceAccount }}
clientID: {{ printf "system:serviceaccount:%s:%s" .Release.Namespace (include "get.openshiftServiceAccountName" .) }}
clientSecret: {{ printf "{{ getenv \"%s\" }}" (include "k10.openShiftClientSecretEnvVar" . ) }}
redirectURI: {{ printf "%s/dex/callback" (trimSuffix "/" .Values.auth.openshift.dashboardURL) }}
insecureCA: {{ .Values.auth.openshift.insecureCA }}
@ -222,7 +224,7 @@ binaryData:
{{ $files.Get . | b64enc }}
{{- end }}
{{ end }}
{{ if .Values.gateway.next_gen }}
{{ if (include "k10.capability.gateway" $) }}
---
apiVersion: v1
kind: ConfigMap


@ -71,14 +71,36 @@ metadata:
namespace: {{ .Release.Namespace }}
rules:
- apiGroups:
- ""
- "apps"
resources:
- deployments
verbs:
- get
- update
- watch
- list
- apiGroups:
- ""
resources:
- pods
verbs:
- get
- create
- delete
- list
- apiGroups:
- "apik10.kasten.io"
resources:
- k10s
verbs:
- list
- patch
- apiGroups:
- ""
resources:
- persistentvolumeclaims
verbs:
- get
- apiGroups:
- ""
resources:
@ -105,6 +127,30 @@ rules:
- jobs
verbs:
- get
- apiGroups:
- ""
resources:
- services
verbs:
- create
- get
- delete
- apiGroups:
- "networking.k8s.io"
resources:
- networkpolicies
verbs:
- get
- create
- list
- delete
- apiGroups:
- ""
resources:
- endpoints
verbs:
- list
- get
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
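Review bot: The rules added to this Role grant write verbs with no comment naming the component or feature that needs them and no `resourceNames` scoping: `create`/`delete` on `services` and `networkpolicies` in the second hunk, and apparently `update` on `deployments`, `create`/`delete` on `pods` and `patch` on `k10s` in the first. The Role's metadata and its binding lie outside the hunks, so the subject that gains these rights cannot be checked from here. A one-line comment above each rule, such as `# required by <component> for <purpose>`, would make the grant reviewable. Where the target objects have fixed names, `get`/`update`/`patch`/`delete` can be narrowed with `resourceNames:` (it cannot restrict `create`). Deleting NetworkPolicies and creating Pods in the release namespace in particular deserves an explicit justification.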


@ -158,7 +158,7 @@ type: kubernetes.io/service-account-token
metadata:
name: {{ include "get.openshiftServiceAccountSecretName" . }}
annotations:
kubernetes.io/service-account.name: {{ .Values.auth.openshift.serviceAccount | quote }}
kubernetes.io/service-account.name: {{ include "get.openshiftServiceAccountName" . | quote }}
{{- end }}
{{- if and (.Values.auth.openshift.enabled) (not .Values.auth.openshift.secretName) }}
---


@ -18,4 +18,3 @@ A secure deployment is defined as one of the following:
{{- include "k10.fail.fipsPrometheus" . -}}
{{- include "k10.fail.fipsMulticluster" . -}}
{{- include "k10.fail.fipsPDFReports" . -}}
{{- include "k10.fail.fipsGatewayNextGen" . -}}


@ -25,3 +25,20 @@ metadata:
name: {{ template "meteringServiceAccountName" . }}
namespace: {{ .Release.Namespace }}
{{- end }}
{{- if and (.Values.auth.openshift.enabled) (not .Values.auth.openshift.serviceAccount) }}
{{- if or (.Values.auth.openshift.clientSecret) (.Values.auth.openshift.clientSecretName) }}
{{ fail "auth.openshift.serviceAccount is required when auth.openshift.clientSecret or auth.openshift.clientSecretName is used "}}
{{- end }}
---
kind: ServiceAccount
apiVersion: v1
metadata:
name: {{ include "k10.dexServiceAccountName" . }}
namespace: {{ .Release.Namespace }}
annotations:
{{- $dashboardURL := (trimSuffix "/" (required "auth.openshift.dashboardURL field is required" .Values.auth.openshift.dashboardURL)) -}}
{{- if (not (hasSuffix .Release.Name $dashboardURL)) }}
{{ fail "auth.openshift.dashboardURL should end with the K10's release name" }}
{{- end }}
serviceaccounts.openshift.io/oauth-redirecturi.dex: {{ printf "%s/dex/callback" $dashboardURL }}
{{- end }}
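Review bot: The `serviceaccounts.openshift.io/oauth-redirecturi.dex` annotation is rendered from `auth.openshift.dashboardURL` unquoted and validated only by checking that it ends with the release name, so nothing in this block constrains the scheme or host the OAuth redirect goes to. Quoting the value keeps unusual URLs from being re-interpreted by the YAML parser: `serviceaccounts.openshift.io/oauth-redirecturi.dex: {{ printf "%s/dex/callback" $dashboardURL | quote }}`. If plain-HTTP dashboards are not meant to be supported, a `hasPrefix "https://" $dashboardURL` check next to the existing `hasSuffix` one would state that explicitly. The first `fail` message also ends with a stray space before its closing quote.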


@ -21,7 +21,7 @@ metadata:
{{ include "helm.labels" $ | indent 4 }}
component: {{ . }}
run: {{ . }}-svc
{{- if not $.Values.gateway.next_gen }}
{{- if not (include "k10.capability.gateway" $) }}
{{- if or $exposed_service (eq . "frontend") $mc_exposed_service }}
annotations:
getambassador.io/config: |
@ -164,7 +164,7 @@ spec:
apiVersion: v1
kind: Service
metadata:
{{- if not $.Values.gateway.next_gen }}
{{- if not (include "k10.capability.gateway" $) }}
annotations:
getambassador.io/config: |
---


@ -2712,6 +2712,33 @@
"default": 0.1,
"title": "Storage overhead for ephemeral PVCs",
"description": "Set the percentage increase for the ephemeral Persistent Volume Claim's storage request, e.g. pvc size = (file raw size) * (1 + `ephemeralPVCOverhead`)"
},
"kastenDisasterRecovery": {
"type": "object",
"properties": {
"quickMode": {
"type": "object",
"properties": {
"enabled": {
"type": "boolean",
"default": false,
"description": "Enables K10 Quick Disaster Recovery feature, with ability to restore necessary K10 resources and exported restore points of applications.",
"title": "Enable K10 Quick Disaster Recovery."
}
}
}
}
},
"fips": {
"type": "object",
"properties": {
"enabled": {
"type": "boolean",
"default": false,
"description": "Enables K10 FIPS (Federal Information Processing Standard) mode of operation.",
"title": "Enable K10 FIPS mode of operation."
}
}
}
}
}
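Review bot: The `fips` object added to the schema describes only `enabled`, while the helper template in this commit also reads `.Values.fips.disable_ems` and, when it is set, exports `KASTEN_CRYPTO_POLICY` with the value `disable_ems`; the values.yaml hunk likewise adds only `fips.enabled`. A switch that appears to turn off TLS Extended Master Secret while FIPS mode is on is security-relevant and should not be reachable only by reading the templates. Add a `disable_ems` boolean property with `"default": false` and a description of what it relaxes and when it is needed, plus the matching `disable_ems: false` default in values.yaml. Whether this schema rejects unknown keys under `fips` is not visible in the hunk.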


@ -513,3 +513,10 @@ ephemeralPVCOverhead: 0.1
datastore:
parallelUploads: 8
kastenDisasterRecovery:
quickMode:
enabled: false
fips:
enabled: false


@ -6,7 +6,7 @@ annotations:
catalog.cattle.io/kube-version: '>=1.22.0-0'
catalog.cattle.io/release-name: linkerd-control-plane
apiVersion: v2
appVersion: edge-24.5.4
appVersion: edge-24.5.5
dependencies:
- name: partials
repository: file://./charts/partials
@ -26,4 +26,4 @@ name: linkerd-control-plane
sources:
- https://github.com/linkerd/linkerd2/
type: application
version: 2024.5.4
version: 2024.5.5


@ -3,7 +3,7 @@
Linkerd gives you observability, reliability, and security
for your microservices — with no code change required.
![Version: 2024.5.4](https://img.shields.io/badge/Version-2024.5.4-informational?style=flat-square)
![Version: 2024.5.5](https://img.shields.io/badge/Version-2024.5.5-informational?style=flat-square)
![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
![AppVersion: edge-XX.X.X](https://img.shields.io/badge/AppVersion-edge--XX.X.X-informational?style=flat-square)


@ -24,7 +24,7 @@ controlPlaneTracing: false
# -- namespace to send control plane traces to
controlPlaneTracingNamespace: linkerd-jaeger
# -- control plane version. See Proxy section for proxy version
linkerdVersion: edge-24.5.4
linkerdVersion: edge-24.5.5
# -- default kubernetes deployment strategy
deploymentStrategy:
rollingUpdate:


@ -23,4 +23,4 @@ name: linkerd-crds
sources:
- https://github.com/linkerd/linkerd2/
type: application
version: 2024.5.4
version: 2024.5.5


@ -3,7 +3,7 @@
Linkerd gives you observability, reliability, and security
for your microservices — with no code change required.
![Version: 2024.5.4](https://img.shields.io/badge/Version-2024.5.4-informational?style=flat-square)
![Version: 2024.5.5](https://img.shields.io/badge/Version-2024.5.5-informational?style=flat-square)
![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
**Homepage:** <https://linkerd.io>


@ -1,5 +1,385 @@
# Change Log
## 28.2.0 ![AppVersion: v3.0.1](https://img.shields.io/static/v1?label=AppVersion&message=v3.0.1&color=success&logo=) ![Kubernetes: >=1.22.0-0](https://img.shields.io/static/v1?label=Kubernetes&message=%3E%3D1.22.0-0&color=informational&logo=kubernetes) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm)
**Release date:** 2024-05-28
* fix(IngressClass): provides annotation on IngressRoutes when it's enabled
* feat: ✨ simplify values and provide more examples
* feat: add deletecollection right on secrets
* chore(release): 🚀 publish v28.2.0
* chore(deps): update traefik docker tag to v3.0.1
### Default value changes
```diff
diff --git a/traefik/values.yaml b/traefik/values.yaml
index 2fd9282..c558c78 100644
--- a/traefik/values.yaml
+++ b/traefik/values.yaml
@@ -1,4 +1,7 @@
# Default values for Traefik
+# This is a YAML-formatted file.
+# Declare variables to be passed into templates
+
image:
# -- Traefik image host registry
registry: docker.io
@@ -12,9 +15,6 @@ image:
# -- Add additional label to all resources
commonLabels: {}
-#
-# Configure the deployment
-#
deployment:
# -- Enable deployment
enabled: true
@@ -74,10 +74,6 @@ deployment:
# - name: volume-permissions
# image: busybox:latest
# command: ["sh", "-c", "touch /data/acme.json; chmod -v 600 /data/acme.json"]
- # securityContext:
- # runAsNonRoot: true
- # runAsGroup: 65532
- # runAsUser: 65532
# volumeMounts:
# - name: data
# mountPath: /data
@@ -112,13 +108,11 @@ deployment:
# -- Set a runtimeClassName on pod
runtimeClassName:
-# -- Pod disruption budget
+# -- [Pod Disruption Budget](https://kubernetes.io/docs/reference/kubernetes-api/policy-resources/pod-disruption-budget-v1/)
podDisruptionBudget:
- enabled: false
- # maxUnavailable: 1
- # maxUnavailable: 33%
- # minAvailable: 0
- # minAvailable: 25%
+ enabled:
+ maxUnavailable:
+ minAvailable:
# -- Create a default IngressClass for Traefik
ingressClass:
@@ -155,7 +149,6 @@ experimental:
# annotations:
# cert-manager.io/issuer: letsencrypt
-## Create an IngressRoute for the dashboard
ingressRoute:
dashboard:
# -- Create an IngressRoute for the dashboard
@@ -221,15 +214,7 @@ livenessProbe:
# -- The number of seconds to wait for a probe response before considering it as failed.
timeoutSeconds: 2
-# -- Define Startup Probe for container: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-startup-probes
-# eg.
-# `startupProbe:
-# exec:
-# command:
-# - mycommand
-# - foo
-# initialDelaySeconds: 5
-# periodSeconds: 5`
+# -- Define [Startup Probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-startup-probes)
startupProbe:
providers:
@@ -276,18 +261,8 @@ providers:
# -- Allows Traefik to automatically watch for file changes
watch: true
# -- File content (YAML format, go template supported) (see https://doc.traefik.io/traefik/providers/file/)
- content: ""
- # http:
- # routers:
- # router0:
- # entryPoints:
- # - web
- # middlewares:
- # - my-basic-auth
- # service: service-foo
- # rule: Path(`/foo`)
+ content:
-#
# -- Add volumes to the traefik pod. The volume name will be passed to tpl.
# This can be used to mount a cert pair or a configmap that holds a config.toml file.
# After the volume has been mounted, add the configs into traefik by using the `additionalArguments` list below, eg:
@@ -311,26 +286,21 @@ additionalVolumeMounts: []
logs:
general:
- # -- By default, the logs use a text format (common), but you can
- # also ask for the json format in the format option
- # format: json
+ # -- Set [logs format](https://doc.traefik.io/traefik/observability/logs/#format)
+ # @default common
+ format:
# By default, the level is set to ERROR.
# -- Alternative logging levels are DEBUG, PANIC, FATAL, ERROR, WARN, and INFO.
level: INFO
access:
# -- To enable access logs
enabled: false
- ## By default, logs are written using the Common Log Format (CLF) on stdout.
- ## To write logs in JSON, use json in the format option.
- ## If the given format is unsupported, the default (CLF) is used instead.
- # format: json
+ # -- Set [access log format](https://doc.traefik.io/traefik/observability/access-logs/#format)
+ format:
# filePath: "/var/log/traefik/access.log
- ## To write the logs in an asynchronous fashion, specify a bufferingSize option.
- ## This option represents the number of log lines Traefik will keep in memory before writing
- ## them to the selected output. In some cases, this option can greatly help performances.
- # bufferingSize: 100
- ## Filtering
- # -- https://docs.traefik.io/observability/access-logs/#filtering
+ # -- Set [bufferingSize](https://doc.traefik.io/traefik/observability/access-logs/#bufferingsize)
+ bufferingSize:
+ # -- Set [filtering](https://docs.traefik.io/observability/access-logs/#filtering)
filters: {}
# statuscodes: "200,300-302"
# retryattempts: true
@@ -345,15 +315,11 @@ logs:
names: {}
## Examples:
# ClientUsername: drop
+ # -- [Limit logged fields or headers](https://doc.traefik.io/traefik/observability/access-logs/#limiting-the-fieldsincluding-headers)
headers:
# -- Available modes: keep, drop, redact.
defaultmode: drop
- # -- Names of the headers to limit.
names: {}
- ## Examples:
- # User-Agent: redact
- # Authorization: drop
- # Content-Type: keep
metrics:
## -- Enable metrics for internal resources. Default: false
@@ -567,16 +533,15 @@ globalArguments:
- "--global.checknewversion"
- "--global.sendanonymoususage"
-#
-# Configure Traefik static configuration
# -- Additional arguments to be passed at Traefik's binary
-# All available options available on https://docs.traefik.io/reference/static-configuration/cli/
-## Use curly braces to pass values: `helm install --set="additionalArguments={--providers.kubernetesingress.ingressclass=traefik-internal,--log.level=DEBUG}"`
+# See [CLI Reference](https://docs.traefik.io/reference/static-configuration/cli/)
+# Use curly braces to pass values: `helm install --set="additionalArguments={--providers.kubernetesingress.ingressclass=traefik-internal,--log.level=DEBUG}"`
additionalArguments: []
# - "--providers.kubernetesingress.ingressclass=traefik-internal"
# - "--log.level=DEBUG"
# -- Environment variables to be passed to Traefik's binary
+# @default -- See _values.yaml_
env:
- name: POD_NAME
valueFrom:
@@ -586,25 +551,9 @@ env:
valueFrom:
fieldRef:
fieldPath: metadata.namespace
-# - name: SOME_VAR
-# value: some-var-value
-# - name: SOME_VAR_FROM_CONFIG_MAP
-# valueFrom:
-# configMapRef:
-# name: configmap-name
-# key: config-key
-# - name: SOME_SECRET
-# valueFrom:
-# secretKeyRef:
-# name: secret-name
-# key: secret-key
# -- Environment variables to be passed to Traefik's binary from configMaps or secrets
envFrom: []
-# - configMapRef:
-# name: config-map-name
-# - secretRef:
-# name: secret-name
ports:
traefik:
@@ -766,28 +715,12 @@ ports:
# -- The port protocol (TCP/UDP)
protocol: TCP
-# -- TLS Options are created as TLSOption CRDs
-# https://doc.traefik.io/traefik/https/tls/#tls-options
+# -- TLS Options are created as [TLSOption CRDs](https://doc.traefik.io/traefik/https/tls/#tls-options)
# When using `labelSelector`, you'll need to set labels on tlsOption accordingly.
-# Example:
-# tlsOptions:
-# default:
-# labels: {}
-# sniStrict: true
-# custom-options:
-# labels: {}
-# curvePreferences:
-# - CurveP521
-# - CurveP384
+# See EXAMPLE.md for details.
tlsOptions: {}
-# -- TLS Store are created as TLSStore CRDs. This is useful if you want to set a default certificate
-# https://doc.traefik.io/traefik/https/tls/#default-certificate
-# Example:
-# tlsStore:
-# default:
-# defaultCertificate:
-# secretName: tls-cert
+# -- TLS Store are created as [TLSStore CRDs](https://doc.traefik.io/traefik/https/tls/#default-certificate). This is useful if you want to set a default certificate. See EXAMPLE.md for details.
tlsStore: {}
service:
@@ -839,29 +772,8 @@ service:
autoscaling:
# -- Create HorizontalPodAutoscaler object.
+ # See EXAMPLES.md for more details.
enabled: false
-# minReplicas: 1
-# maxReplicas: 10
-# metrics:
-# - type: Resource
-# resource:
-# name: cpu
-# target:
-# type: Utilization
-# averageUtilization: 60
-# - type: Resource
-# resource:
-# name: memory
-# target:
-# type: Utilization
-# averageUtilization: 60
-# behavior:
-# scaleDown:
-# stabilizationWindowSeconds: 300
-# policies:
-# - type: Pods
-# value: 1
-# periodSeconds: 60
persistence:
# -- Enable persistence using Persistent Volume Claims
@@ -879,27 +791,10 @@ persistence:
# -- Only mount a subpath of the Volume into the pod
# subPath: ""
-# -- Certificates resolvers configuration
+# -- Certificates resolvers configuration.
+# Ref: https://doc.traefik.io/traefik/https/acme/#certificate-resolvers
+# See EXAMPLES.md for more details.
certResolvers: {}
-# letsencrypt:
-# # for challenge options cf. https://doc.traefik.io/traefik/https/acme/
-# email: email@example.com
-# dnsChallenge:
-# # also add the provider's required configuration under env
-# # or expand then from secrets/configmaps with envfrom
-# # cf. https://doc.traefik.io/traefik/https/acme/#providers
-# provider: digitalocean
-# # add futher options for the dns challenge as needed
-# # cf. https://doc.traefik.io/traefik/https/acme/#dnschallenge
-# delayBeforeCheck: 30
-# resolvers:
-# - 1.1.1.1
-# - 8.8.8.8
-# tlsChallenge: true
-# httpChallenge:
-# entryPoint: "web"
-# # It has to match the path with a persistent volume
-# storage: /data/acme.json
# -- If hostNetwork is true, runs traefik in the host network namespace
# To prevent unschedulabel pods due to port collisions, if hostNetwork=true
@@ -933,14 +828,8 @@ serviceAccount:
# -- Additional serviceAccount annotations (e.g. for oidc authentication)
serviceAccountAnnotations: {}
-# -- The resources parameter defines CPU and memory requirements and limits for Traefik's containers.
+# -- [Resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for `traefik` container.
resources: {}
-# requests:
-# cpu: "100m"
-# memory: "50Mi"
-# limits:
-# cpu: "300m"
-# memory: "150Mi"
# -- This example pod anti-affinity forces the scheduler to put traefik pods
# -- on nodes where no other traefik pods are scheduled.
@@ -970,30 +859,22 @@ topologySpreadConstraints: []
# topologyKey: kubernetes.io/hostname
# whenUnsatisfiable: DoNotSchedule
-# -- Pods can have priority.
-# -- Priority indicates the importance of a Pod relative to other Pods.
+# -- [Pod Priority and Preemption](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/)
priorityClassName: ""
-# -- Set the container security context
-# -- To run the container with ports below 1024 this will need to be adjusted to run as root
+# -- [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1)
+# @default -- See _values.yaml_
securityContext:
+ allowPrivilegeEscalation: false
capabilities:
drop: [ALL]
readOnlyRootFilesystem: true
- allowPrivilegeEscalation: false
+# -- [Pod Security Context](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context)
+# @default -- See _values.yaml_
podSecurityContext:
- # /!\ When setting fsGroup, Kubernetes will recursively change ownership and
- # permissions for the contents of each volume to match the fsGroup. This can
- # be an issue when storing sensitive content like TLS Certificates /!\
- # fsGroup: 65532
- # -- Specifies the policy for changing ownership and permissions of volume contents to match the fsGroup.
- fsGroupChangePolicy: "OnRootMismatch"
- # -- The ID of the group for all containers in the pod to run as.
runAsGroup: 65532
- # -- Specifies whether the containers should run as a non-root user.
runAsNonRoot: true
- # -- The ID of the user for all containers in the pod to run as.
runAsUser: 65532
#
@@ -1003,16 +884,16 @@ podSecurityContext:
# See #595 for more details and traefik/tests/values/extra.yaml for example.
extraObjects: []
-# This will override the default Release Namespace for Helm.
+# -- This field override the default Release Namespace for Helm.
# It will not affect optional CRDs such as `ServiceMonitor` and `PrometheusRules`
-# namespaceOverride: traefik
-#
-## -- This will override the default app.kubernetes.io/instance label for all Objects.
-# instanceLabelOverride: traefik
+namespaceOverride:
+
+## -- This field override the default app.kubernetes.io/instance label for all Objects.
+instanceLabelOverride:
-# -- Traefik Hub configuration. See https://doc.traefik.io/traefik-hub/
+# Traefik Hub configuration. See https://doc.traefik.io/traefik-hub/
hub:
- # Name of Secret with key 'token' set to a valid license token.
+ # -- Name of `Secret` with key 'token' set to a valid license token.
# It enables API Gateway.
token:
apimanagement:
```
## 28.1.0 ![AppVersion: v3.0.0](https://img.shields.io/static/v1?label=AppVersion&message=v3.0.0&color=success&logo=) ![Kubernetes: >=1.22.0-0](https://img.shields.io/static/v1?label=Kubernetes&message=%3E%3D1.22.0-0&color=informational&logo=kubernetes) ![Helm: v3](https://img.shields.io/static/v1?label=Helm&message=v3&color=informational&logo=helm)
* fix(Traefik Hub): do not deploy mutating webhook when enabling only API Gateway


@ -1,13 +1,14 @@
annotations:
artifacthub.io/changes: "- \"fix(Traefik Hub): do not deploy mutating webhook when
enabling only API Gateway\"\n- \"feat(Traefik Hub): use Traefik Proxy otlp config\"\n-
\"chore: \U0001F527 update Traefik Hub CRD to v1.3.3\"\n"
artifacthub.io/changes: "- \"fix(IngressClass): provides annotation on IngressRoutes
when it's enabled\"\n- \"feat: ✨ simplify values and provide more examples\"\n-
\"feat: add deletecollection right on secrets\"\n- \"chore(release): \U0001F680
publish v28.2.0\"\n- \"chore(deps): update traefik docker tag to v3.0.1\"\n"
catalog.cattle.io/certified: partner
catalog.cattle.io/display-name: Traefik Proxy
catalog.cattle.io/kube-version: '>=1.22.0-0'
catalog.cattle.io/release-name: traefik
apiVersion: v2
appVersion: v3.0.0
appVersion: v3.0.1
description: A Traefik based Kubernetes ingress controller
home: https://traefik.io/
icon: https://raw.githubusercontent.com/traefik/traefik/v2.3/docs/content/assets/img/traefik.logo.png
@ -29,4 +30,4 @@ sources:
- https://github.com/traefik/traefik
- https://github.com/traefik/traefik-helm-chart
type: application
version: 28.1.0
version: 28.2.0


@ -278,6 +278,64 @@ service:
service.beta.kubernetes.io/azure-load-balancer-resource-group: myResourceGroup
```
Here is a more complete example, using also native Let's encrypt feature of Traefik Proxy with Azure DNS:
```yaml
persistence:
enabled: true
size: 128Mi
certResolvers:
letsencrypt:
email: "{{ letsencrypt_email }}"
#caServer: https://acme-v02.api.letsencrypt.org/directory # Production server
caServer: https://acme-staging-v02.api.letsencrypt.org/directory # Staging server
dnsChallenge:
provider: azuredns
storage: /data/acme.json
env:
- name: AZURE_CLIENT_ID
value: "{{ azure_dns_challenge_application_id }}"
- name: AZURE_CLIENT_SECRET
valueFrom:
secretKeyRef:
name: azuredns-secret
key: client-secret
- name: AZURE_SUBSCRIPTION_ID
value: "{{ azure_subscription_id }}"
- name: AZURE_TENANT_ID
value: "{{ azure_tenant_id }}"
- name: AZURE_RESOURCE_GROUP
value: "{{ azure_resource_group }}"
deployment:
initContainers:
- name: volume-permissions
image: busybox:latest
command: ["sh", "-c", "ls -la /; touch /data/acme.json; chmod -v 600 /data/acme.json"]
volumeMounts:
- mountPath: /data
name: data
podSecurityContext:
fsGroup: 65532
fsGroupChangePolicy: "OnRootMismatch"
service:
spec:
type: LoadBalancer
annotations:
service.beta.kubernetes.io/azure-load-balancer-resource-group: "{{ azure_node_resource_group }}"
service.beta.kubernetes.io/azure-pip-name: "{{ azure_resource_group }}"
service.beta.kubernetes.io/azure-dns-label-name: "{{ azure_resource_group }}"
service.beta.kubernetes.io/azure-allowed-ip-ranges: "{{ ip_range | join(',') }}"
extraObjects:
- apiVersion: v1
kind: Secret
metadata:
name: azuredns-secret
namespace: traefik
type: Opaque
stringData:
client-secret: "{{ azure_dns_challenge_application_secret }}"
```
# Use HTTP3
By default, it will use a Load balancers with mixed protocols on `websecure`
@ -356,6 +414,26 @@ By default, Kubernetes recursively changes ownership and permissions for the con
=> An initContainer can be used to avoid an issue on this sensitive file.
See [#396](https://github.com/traefik/traefik-helm-chart/issues/396) for more details.
Once the provider is ready, it can be used in an `IngressRoute`:
```yaml
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: [...]
spec:
entryPoints: [...]
routes: [...]
tls:
certResolver: letsencrypt
```
See [the list of supported providers](https://doc.traefik.io/traefik/https/acme/#providers) for others.
## Example with CloudFlare
This example needs a CloudFlare token in a Kubernetes `Secret` and a working `StorageClass`.
**Step 1**: Create `Secret` with CloudFlare token:
```yaml
@ -366,7 +444,7 @@ metadata:
name: cloudflare
type: Opaque
stringData:
token: TTT
token: {{ SET_A_VALID_TOKEN_HERE }}
```
**Step 2**:
@ -394,26 +472,11 @@ deployment:
volumeMounts:
- mountPath: /data
name: data
podSecurityContext:
fsGroup: 65532
fsGroupChangePolicy: "OnRootMismatch"
```
and after, in an `IngressRoute`:
```yaml
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: [...]
spec:
entryPoints: [...]
routes: [...]
tls:
certResolver: letsencrypt
```
This example needs a CloudFlare token in a Kubernetes `Secret` and a working `StorageClass`.
See [the list of supported providers](https://doc.traefik.io/traefik/https/acme/#providers) for others.
# Provide default certificate with cert-manager and CloudFlare DNS
Setup:
@ -619,6 +682,22 @@ spec:
maxReplicas: 3
```
# Configure TLS
The [TLS options](https://doc.traefik.io/traefik/https/tls/#tls-options) allow one to configure some parameters of the TLS connection.
```yaml
tlsOptions:
default:
labels: {}
sniStrict: true
custom-options:
labels: {}
curvePreferences:
- CurveP521
- CurveP384
```
# Use latest build of Traefik v3 from master
An experimental build of Traefik Proxy is available on a specific repository.


@ -1,6 +1,6 @@
# traefik
![Version: 28.1.0](https://img.shields.io/badge/Version-28.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v3.0.0](https://img.shields.io/badge/AppVersion-v3.0.0-informational?style=flat-square)
![Version: 28.2.0](https://img.shields.io/badge/Version-28.2.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v3.0.1](https://img.shields.io/badge/AppVersion-v3.0.1-informational?style=flat-square)
A Traefik based Kubernetes ingress controller
@ -28,11 +28,11 @@ Kubernetes: `>=1.22.0-0`
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| additionalArguments | list | `[]` | Additional arguments to be passed at Traefik's binary All available options available on https://docs.traefik.io/reference/static-configuration/cli/ # Use curly braces to pass values: `helm install --set="additionalArguments={--providers.kubernetesingress.ingressclass=traefik-internal,--log.level=DEBUG}"` |
| additionalArguments | list | `[]` | Additional arguments to be passed at Traefik's binary See [CLI Reference](https://docs.traefik.io/reference/static-configuration/cli/) Use curly braces to pass values: `helm install --set="additionalArguments={--providers.kubernetesingress.ingressclass=traefik-internal,--log.level=DEBUG}"` |
| additionalVolumeMounts | list | `[]` | Additional volumeMounts to add to the Traefik container |
| affinity | object | `{}` | on nodes where no other traefik pods are scheduled. It should be used when hostNetwork: true to prevent port conflicts |
| autoscaling.enabled | bool | `false` | Create HorizontalPodAutoscaler object. |
| certResolvers | object | `{}` | Certificates resolvers configuration |
| autoscaling.enabled | bool | `false` | Create HorizontalPodAutoscaler object. See EXAMPLES.md for more details. |
| certResolvers | object | `{}` | Certificates resolvers configuration. Ref: https://doc.traefik.io/traefik/https/acme/#certificate-resolvers See EXAMPLES.md for more details. |
| commonLabels | object | `{}` | Add additional label to all resources |
| core.defaultRuleSyntax | string | `nil` | Can be used to use globally v2 router syntax See https://doc.traefik.io/traefik/v3.0/migration/v2-to-v3/#new-v3-syntax-notable-changes |
| deployment.additionalContainers | list | `[]` | Additional containers (e.g. for metric offloading sidecars) |
@ -52,14 +52,13 @@ Kubernetes: `>=1.22.0-0`
| deployment.runtimeClassName | string | `nil` | Set a runtimeClassName on pod |
| deployment.shareProcessNamespace | bool | `false` | Use process namespace sharing |
| deployment.terminationGracePeriodSeconds | int | `60` | Amount of time (in seconds) before Kubernetes will send the SIGKILL signal if Traefik does not shut down |
| env | list | `[{"name":"POD_NAME","valueFrom":{"fieldRef":{"fieldPath":"metadata.name"}}},{"name":"POD_NAMESPACE","valueFrom":{"fieldRef":{"fieldPath":"metadata.namespace"}}}]` | Environment variables to be passed to Traefik's binary |
| env | list | See _values.yaml_ | Environment variables to be passed to Traefik's binary |
| envFrom | list | `[]` | Environment variables to be passed to Traefik's binary from configMaps or secrets |
| experimental.kubernetesGateway.enabled | bool | `false` | Enable traefik experimental GatewayClass CRD |
| experimental.plugins | object | `{}` | Enable traefik experimental plugins |
| extraObjects | list | `[]` | Extra objects to deploy (value evaluated as a template) In some cases, it can avoid the need for additional, extended or adhoc deployments. See #595 for more details and traefik/tests/values/extra.yaml for example. |
| globalArguments | list | `["--global.checknewversion","--global.sendanonymoususage"]` | Global command arguments to be passed to all traefik's pods |
| hostNetwork | bool | `false` | If hostNetwork is true, runs traefik in the host network namespace To prevent unschedulabel pods due to port collisions, if hostNetwork=true and replicas>1, a pod anti-affinity is recommended and will be set if the affinity is left as default. |
| hub | object | `{"apimanagement":{"admission":{"listenAddr":null,"secretName":null},"enabled":null},"ratelimit":{"redis":{"cluster":null,"database":null,"endpoints":null,"password":null,"sentinel":{"masterset":null,"password":null,"username":null},"timeout":null,"tls":{"ca":null,"cert":null,"insecureSkipVerify":null,"key":null},"username":null}},"sendlogs":null,"token":null}` | Traefik Hub configuration. See https://doc.traefik.io/traefik-hub/ |
| hub.apimanagement.admission.listenAddr | string | `nil` | WebHook admission server listen address. Default: "0.0.0.0:9943". |
| hub.apimanagement.admission.secretName | string | `nil` | Certificate of the WebHook admission server. Default: "hub-agent-cert". |
| hub.apimanagement.enabled | string | `nil` | Set to true in order to enable API Management. Requires a valid license token. |
@ -76,6 +75,8 @@ Kubernetes: `>=1.22.0-0`
| hub.ratelimit.redis.tls.insecureSkipVerify | string | `nil` | When insecureSkipVerify is set to true, the TLS connection accepts any certificate presented by the server. Default: false. |
| hub.ratelimit.redis.tls.key | string | `nil` | Path to the private key used for the secure connection. |
| hub.ratelimit.redis.username | string | `nil` | The username to use when connecting to Redis endpoints. Default: "". |
| hub.sendlogs | string | `nil` | |
| hub.token | string | `nil` | Name of `Secret` with key 'token' set to a valid license token. It enables API Gateway. |
| image.pullPolicy | string | `"IfNotPresent"` | Traefik image pull policy |
| image.registry | string | `"docker.io"` | Traefik image host registry |
| image.repository | string | `"traefik"` | Traefik image repository |
@ -95,18 +96,22 @@ Kubernetes: `>=1.22.0-0`
| ingressRoute.healthcheck.matchRule | string | `"PathPrefix(`/ping`)"` | The router match rule used for the healthcheck ingressRoute |
| ingressRoute.healthcheck.middlewares | list | `[]` | Additional ingressRoute middlewares (e.g. for authentication) |
| ingressRoute.healthcheck.tls | object | `{}` | TLS options (e.g. secret containing certificate) |
| instanceLabelOverride | string | `nil` | |
| livenessProbe.failureThreshold | int | `3` | The number of consecutive failures allowed before considering the probe as failed. |
| livenessProbe.initialDelaySeconds | int | `2` | The number of seconds to wait before starting the first probe. |
| livenessProbe.periodSeconds | int | `10` | The number of seconds to wait between consecutive probes. |
| livenessProbe.successThreshold | int | `1` | The minimum consecutive successes required to consider the probe successful. |
| livenessProbe.timeoutSeconds | int | `2` | The number of seconds to wait for a probe response before considering it as failed. |
| logs.access.addInternals | string | `nil` | Enables accessLogs for internal resources. Default: false. |
| logs.access.bufferingSize | string | `nil` | Set [bufferingSize](https://doc.traefik.io/traefik/observability/access-logs/#bufferingsize) |
| logs.access.enabled | bool | `false` | To enable access logs |
| logs.access.fields.general.defaultmode | string | `"keep"` | Available modes: keep, drop, redact. |
| logs.access.fields.general.names | object | `{}` | Names of the fields to limit. |
| logs.access.fields.headers | object | `{"defaultmode":"drop","names":{}}` | [Limit logged fields or headers](https://doc.traefik.io/traefik/observability/access-logs/#limiting-the-fieldsincluding-headers) |
| logs.access.fields.headers.defaultmode | string | `"drop"` | Available modes: keep, drop, redact. |
| logs.access.fields.headers.names | object | `{}` | Names of the headers to limit. |
| logs.access.filters | object | `{}` | https://docs.traefik.io/observability/access-logs/#filtering |
| logs.access.filters | object | `{}` | Set [filtering](https://docs.traefik.io/observability/access-logs/#filtering) |
| logs.access.format | string | `nil` | Set [access log format](https://doc.traefik.io/traefik/observability/access-logs/#format) |
| logs.general.format | string | `nil` | Set [logs format](https://doc.traefik.io/traefik/observability/logs/#format) @default common |
| logs.general.level | string | `"INFO"` | Alternative logging levels are DEBUG, PANIC, FATAL, ERROR, WARN, and INFO. |
| metrics.addInternals | string | `nil` | |
| metrics.otlp.addEntryPointsLabels | string | `nil` | Enable metrics on entry points. Default: true |
@ -130,6 +135,7 @@ Kubernetes: `>=1.22.0-0`
| metrics.otlp.http.tls.key | string | `nil` | The path to the private key. When using this option, setting the cert option is required. |
| metrics.otlp.pushInterval | string | `nil` | Interval at which metrics are sent to the OpenTelemetry Collector. Default: 10s |
| metrics.prometheus.entryPoint | string | `"metrics"` | Entry point used to expose metrics. |
| namespaceOverride | string | `nil` | This field override the default Release Namespace for Helm. It will not affect optional CRDs such as `ServiceMonitor` and `PrometheusRules` |
| nodeSelector | object | `{}` | nodeSelector is the simplest recommended form of node selection constraint. |
| persistence.accessMode | string | `"ReadWriteOnce"` | |
| persistence.annotations | object | `{}` | |
@ -137,11 +143,8 @@ Kubernetes: `>=1.22.0-0`
| persistence.name | string | `"data"` | |
| persistence.path | string | `"/data"` | |
| persistence.size | string | `"128Mi"` | |
| podDisruptionBudget | object | `{"enabled":false}` | Pod disruption budget |
| podSecurityContext.fsGroupChangePolicy | string | `"OnRootMismatch"` | Specifies the policy for changing ownership and permissions of volume contents to match the fsGroup. |
| podSecurityContext.runAsGroup | int | `65532` | The ID of the group for all containers in the pod to run as. |
| podSecurityContext.runAsNonRoot | bool | `true` | Specifies whether the containers should run as a non-root user. |
| podSecurityContext.runAsUser | int | `65532` | The ID of the user for all containers in the pod to run as. |
| podDisruptionBudget | object | `{"enabled":null,"maxUnavailable":null,"minAvailable":null}` | [Pod Disruption Budget](https://kubernetes.io/docs/reference/kubernetes-api/policy-resources/pod-disruption-budget-v1/) |
| podSecurityContext | object | See _values.yaml_ | [Pod Security Context](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context) |
| podSecurityPolicy | object | `{"enabled":false}` | Enable to create a PodSecurityPolicy and assign it to the Service Account via RoleBinding or ClusterRoleBinding |
| ports.metrics.expose | object | `{"default":false}` | You may not want to expose the metrics port on production deployments. If you want to access it from outside your cluster, use `kubectl port-forward` or create a secure ingress |
| ports.metrics.exposedPort | int | `9100` | The exposed port for this service |
@ -167,8 +170,8 @@ Kubernetes: `>=1.22.0-0`
| ports.websecure.tls.enabled | bool | `true` | |
| ports.websecure.tls.options | string | `""` | |
| ports.websecure.transport | object | `{"keepAliveMaxRequests":null,"keepAliveMaxTime":null,"lifeCycle":{"graceTimeOut":null,"requestAcceptGraceTimeout":null},"respondingTimeouts":{"idleTimeout":null,"readTimeout":null,"writeTimeout":null}}` | Set transport settings for the entrypoint; see also https://doc.traefik.io/traefik/routing/entrypoints/#transport |
| priorityClassName | string | `""` | Priority indicates the importance of a Pod relative to other Pods. |
| providers.file.content | string | `""` | File content (YAML format, go template supported) (see https://doc.traefik.io/traefik/providers/file/) |
| priorityClassName | string | `""` | [Pod Priority and Preemption](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/) |
| providers.file.content | string | `nil` | File content (YAML format, go template supported) (see https://doc.traefik.io/traefik/providers/file/) |
| providers.file.enabled | bool | `false` | Create a file provider |
| providers.file.watch | bool | `true` | Allows Traefik to automatically watch for file changes |
| providers.kubernetesCRD.allowCrossNamespace | bool | `false` | Allows IngressRoute to reference resources in namespace other than theirs |
@ -188,8 +191,8 @@ Kubernetes: `>=1.22.0-0`
| readinessProbe.periodSeconds | int | `10` | The number of seconds to wait between consecutive probes. |
| readinessProbe.successThreshold | int | `1` | The minimum consecutive successes required to consider the probe successful. |
| readinessProbe.timeoutSeconds | int | `2` | The number of seconds to wait for a probe response before considering it as failed. |
| resources | object | `{}` | The resources parameter defines CPU and memory requirements and limits for Traefik's containers. |
| securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true}` | To run the container with ports below 1024 this will need to be adjusted to run as root |
| resources | object | `{}` | [Resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for `traefik` container. |
| securityContext | object | See _values.yaml_ | [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) |
| service.additionalServices | object | `{}` | |
| service.annotations | object | `{}` | Additional annotations applied to both TCP and UDP services (e.g. for cloud provider specific config) |
| service.annotationsTCP | object | `{}` | Additional annotations for TCP service only |
@ -203,9 +206,9 @@ Kubernetes: `>=1.22.0-0`
| service.type | string | `"LoadBalancer"` | |
| serviceAccount | object | `{"name":""}` | The service account the pods will use to interact with the Kubernetes API |
| serviceAccountAnnotations | object | `{}` | Additional serviceAccount annotations (e.g. for oidc authentication) |
| startupProbe | string | `nil` | Define Startup Probe for container: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-startup-probes eg. `startupProbe: exec: command: - mycommand - foo initialDelaySeconds: 5 periodSeconds: 5` |
| tlsOptions | object | `{}` | TLS Options are created as TLSOption CRDs https://doc.traefik.io/traefik/https/tls/#tls-options When using `labelSelector`, you'll need to set labels on tlsOption accordingly. Example: tlsOptions: default: labels: {} sniStrict: true custom-options: labels: {} curvePreferences: - CurveP521 - CurveP384 |
| tlsStore | object | `{}` | TLS Store are created as TLSStore CRDs. This is useful if you want to set a default certificate https://doc.traefik.io/traefik/https/tls/#default-certificate Example: tlsStore: default: defaultCertificate: secretName: tls-cert |
| startupProbe | string | `nil` | Define [Startup Probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-startup-probes) |
| tlsOptions | object | `{}` | TLS Options are created as [TLSOption CRDs](https://doc.traefik.io/traefik/https/tls/#tls-options) When using `labelSelector`, you'll need to set labels on tlsOption accordingly. See EXAMPLE.md for details. |
| tlsStore | object | `{}` | TLS Store are created as [TLSStore CRDs](https://doc.traefik.io/traefik/https/tls/#default-certificate). This is useful if you want to set a default certificate. See EXAMPLE.md for details. |
| tolerations | list | `[]` | Tolerations allow the scheduler to schedule pods with matching taints. |
| topologySpreadConstraints | list | `[]` | You can use topology spread constraints to control how Pods are spread across your cluster among failure-domains. |
| tracing | object | `{"addInternals":null,"otlp":{"enabled":false,"grpc":{"enabled":false,"endpoint":null,"insecure":null,"tls":{"ca":null,"cert":null,"insecureSkipVerify":null,"key":null}},"http":{"enabled":false,"endpoint":null,"headers":null,"tls":{"ca":null,"cert":null,"insecureSkipVerify":null,"key":null}}}}` | https://doc.traefik.io/traefik/observability/tracing/overview/ |


@ -4,8 +4,11 @@ kind: IngressRoute
metadata:
name: {{ template "traefik.fullname" . }}-dashboard
namespace: {{ template "traefik.namespace" . }}
{{- with .Values.ingressRoute.dashboard.annotations }}
annotations:
{{- if and .Values.ingressClass.enabled (or .Values.providers.kubernetesCRD.enabled .Values.providers.kubernetesIngress.enabled) }}
kubernetes.io/ingress.class: {{ .Values.ingressClass.name | default (include "traefik.fullname" .) }}
{{- end }}
{{- with .Values.ingressRoute.dashboard.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
labels:
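Review bot: The `kubernetes.io/ingress.class` annotation value is rendered unquoted, so an `ingressClass.name` that YAML reads as a boolean or a number (for example `true` or `1234`) produces a non-string annotation and the API server rejects the object. Piping the value through `quote` avoids that: `kubernetes.io/ingress.class: {{ .Values.ingressClass.name | default (include "traefik.fullname" .) | quote }}`. The same line appears in the healthcheck IngressRoute template in the next file section and needs the same change. Separately, whether Traefik still picks up an IngressRoute carrying this annotation depends on the `providers.kubernetesCRD.ingressClass` setting, which is not visible here; it is worth confirming that the dashboard route is not silently ignored when the provider watches a different class or none. The manifest starts and ends outside this hunk.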


@ -5,6 +5,9 @@ metadata:
name: {{ template "traefik.fullname" . }}-healthcheck
namespace: {{ template "traefik.namespace" . }}
annotations:
{{- if and .Values.ingressClass.enabled (or .Values.providers.kubernetesCRD.enabled .Values.providers.kubernetesIngress.enabled) }}
kubernetes.io/ingress.class: {{ .Values.ingressClass.name | default (include "traefik.fullname" .) }}
{{- end }}
{{- with .Values.ingressRoute.healthcheck.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}


@ -7,6 +7,6 @@ metadata:
labels:
{{- include "traefik.labels" . | nindent 4 }}
data:
config.yml: |
{{ .Values.providers.file.content | nindent 4 }}
config.yml:
{{ toYaml .Values.providers.file.content | nindent 4 }}
{{- end -}}
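Review bot: `toYaml .Values.providers.file.content` under a bare `config.yml:` renders whatever type the value has, so a map-valued or unset `content` becomes a nested mapping or `null` where a ConfigMap `data` entry must be a string. The side markers are lost on this page, but the values file and README in this commit appear to move the default from `""` to empty, which makes the `null` case the default once the file provider is enabled. A guard ahead of `data:` moves the failure to render time: `{{- if not (kindIs "string" .Values.providers.file.content) }}{{ fail "providers.file.content must be a string" }}{{- end }}`. The values comment says go templates are supported in this content, yet nothing in the visible lines passes it through `tpl`, so that claim should be confirmed or dropped. The enclosing conditional opens outside the hunk.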


@ -127,7 +127,6 @@ rules:
- apiratelimits
- apis
- apiversions
- edgeingresses
verbs:
- list
- watch
@ -146,8 +145,6 @@ rules:
- apiGroups:
- ""
resources:
- services
- endpoints
- namespaces
- pods
- nodes
@ -193,13 +190,11 @@ rules:
- update
- create
- delete
- deletecollection
- apiGroups:
- apps
resources:
- deployments
- statefulsets
- replicasets
- daemonsets
verbs:
- get
- list
@ -213,8 +208,4 @@ rules:
- get
- list
- watch
- create
- update
- patch
- delete
{{- end -}}


@ -119,5 +119,90 @@ rules:
verbs:
- update
{{- end -}}
{{- if $.Values.hub.token }}
- apiGroups:
- hub.traefik.io
resources:
- accesscontrolpolicies
- apiaccesses
- apiportals
- apiratelimits
- apis
- apiversions
verbs:
- list
- watch
- create
- update
- patch
- delete
- get
- apiGroups:
- ""
resources:
- namespaces
- pods
- nodes
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
- apiGroups:
- discovery.k8s.io
resources:
- endpointslices
verbs:
- list
- get
- watch
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- list
- watch
- update
- create
- delete
- deletecollection
- apiGroups:
- apps
resources:
- replicasets
verbs:
- get
- list
- watch
- apiGroups:
- extensions
- networking.k8s.io
resources:
- ingresses
verbs:
- get
- list
- watch
{{- end -}}
{{- end -}}
{{- end -}}
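Review bot: The `secrets` rule added under `{{- if $.Values.hub.token }}` grants `get`, `list`, `watch`, `update`, `create`, `delete` and `deletecollection` on the core API group with no `resourceNames`, so setting a Hub token gives the Traefik service account read and write access to every Secret in this role's scope. The file name is not visible here; if this is the ClusterRole, that scope is the whole cluster, which is a large blast radius for an internet-facing proxy. Consider moving the write verbs into a namespaced Role bound to the release namespace and dropping `- deletecollection` unless the Hub integration demonstrably needs it. Until then, a comment above the rule such as `# TODO: document which Secrets the Hub integration writes and narrow this rule accordingly` would record why the grant exists. `deletecollection` also shows up in the `@ -193,13 +190,11 @@` hunk of the previous file section, whose rule header lies outside that hunk; the `rules:` list here also starts outside the hunk.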


@ -1,4 +1,7 @@
# Default values for Traefik
# This is a YAML-formatted file.
# Declare variables to be passed into templates
image:
# -- Traefik image host registry
registry: docker.io
@ -12,9 +15,6 @@ image:
# -- Add additional label to all resources
commonLabels: {}
#
# Configure the deployment
#
deployment:
# -- Enable deployment
enabled: true
@ -74,10 +74,6 @@ deployment:
# - name: volume-permissions
# image: busybox:latest
# command: ["sh", "-c", "touch /data/acme.json; chmod -v 600 /data/acme.json"]
# securityContext:
# runAsNonRoot: true
# runAsGroup: 65532
# runAsUser: 65532
# volumeMounts:
# - name: data
# mountPath: /data
@ -112,13 +108,11 @@ deployment:
# -- Set a runtimeClassName on pod
runtimeClassName:
# -- Pod disruption budget
# -- [Pod Disruption Budget](https://kubernetes.io/docs/reference/kubernetes-api/policy-resources/pod-disruption-budget-v1/)
podDisruptionBudget:
enabled: false
# maxUnavailable: 1
# maxUnavailable: 33%
# minAvailable: 0
# minAvailable: 25%
enabled:
maxUnavailable:
minAvailable:
# -- Create a default IngressClass for Traefik
ingressClass:
@ -155,7 +149,6 @@ experimental:
# annotations:
# cert-manager.io/issuer: letsencrypt
## Create an IngressRoute for the dashboard
ingressRoute:
dashboard:
# -- Create an IngressRoute for the dashboard
@ -221,15 +214,7 @@ livenessProbe:
# -- The number of seconds to wait for a probe response before considering it as failed.
timeoutSeconds: 2
# -- Define Startup Probe for container: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-startup-probes
# eg.
# `startupProbe:
# exec:
# command:
# - mycommand
# - foo
# initialDelaySeconds: 5
# periodSeconds: 5`
# -- Define [Startup Probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-startup-probes)
startupProbe:
providers:
@ -276,18 +261,8 @@ providers:
# -- Allows Traefik to automatically watch for file changes
watch: true
# -- File content (YAML format, go template supported) (see https://doc.traefik.io/traefik/providers/file/)
content: ""
# http:
# routers:
# router0:
# entryPoints:
# - web
# middlewares:
# - my-basic-auth
# service: service-foo
# rule: Path(`/foo`)
content:
#
# -- Add volumes to the traefik pod. The volume name will be passed to tpl.
# This can be used to mount a cert pair or a configmap that holds a config.toml file.
# After the volume has been mounted, add the configs into traefik by using the `additionalArguments` list below, eg:
@ -311,26 +286,21 @@ additionalVolumeMounts: []
logs:
general:
# -- By default, the logs use a text format (common), but you can
# also ask for the json format in the format option
# format: json
# -- Set [logs format](https://doc.traefik.io/traefik/observability/logs/#format)
# @default common
format:
# By default, the level is set to ERROR.
# -- Alternative logging levels are DEBUG, PANIC, FATAL, ERROR, WARN, and INFO.
level: INFO
access:
# -- To enable access logs
enabled: false
## By default, logs are written using the Common Log Format (CLF) on stdout.
## To write logs in JSON, use json in the format option.
## If the given format is unsupported, the default (CLF) is used instead.
# format: json
# -- Set [access log format](https://doc.traefik.io/traefik/observability/access-logs/#format)
format:
# filePath: "/var/log/traefik/access.log
## To write the logs in an asynchronous fashion, specify a bufferingSize option.
## This option represents the number of log lines Traefik will keep in memory before writing
## them to the selected output. In some cases, this option can greatly help performances.
# bufferingSize: 100
## Filtering
# -- https://docs.traefik.io/observability/access-logs/#filtering
# -- Set [bufferingSize](https://doc.traefik.io/traefik/observability/access-logs/#bufferingsize)
bufferingSize:
# -- Set [filtering](https://docs.traefik.io/observability/access-logs/#filtering)
filters: {}
# statuscodes: "200,300-302"
# retryattempts: true
@ -345,15 +315,11 @@ logs:
names: {}
## Examples:
# ClientUsername: drop
# -- [Limit logged fields or headers](https://doc.traefik.io/traefik/observability/access-logs/#limiting-the-fieldsincluding-headers)
headers:
# -- Available modes: keep, drop, redact.
defaultmode: drop
# -- Names of the headers to limit.
names: {}
## Examples:
# User-Agent: redact
# Authorization: drop
# Content-Type: keep
metrics:
## -- Enable metrics for internal resources. Default: false
@ -567,16 +533,15 @@ globalArguments:
- "--global.checknewversion"
- "--global.sendanonymoususage"
#
# Configure Traefik static configuration
# -- Additional arguments to be passed at Traefik's binary
# All available options available on https://docs.traefik.io/reference/static-configuration/cli/
## Use curly braces to pass values: `helm install --set="additionalArguments={--providers.kubernetesingress.ingressclass=traefik-internal,--log.level=DEBUG}"`
# See [CLI Reference](https://docs.traefik.io/reference/static-configuration/cli/)
# Use curly braces to pass values: `helm install --set="additionalArguments={--providers.kubernetesingress.ingressclass=traefik-internal,--log.level=DEBUG}"`
additionalArguments: []
# - "--providers.kubernetesingress.ingressclass=traefik-internal"
# - "--log.level=DEBUG"
# -- Environment variables to be passed to Traefik's binary
# @default -- See _values.yaml_
env:
- name: POD_NAME
valueFrom:
@ -586,25 +551,9 @@ env:
valueFrom:
fieldRef:
fieldPath: metadata.namespace
# - name: SOME_VAR
# value: some-var-value
# - name: SOME_VAR_FROM_CONFIG_MAP
# valueFrom:
# configMapRef:
# name: configmap-name
# key: config-key
# - name: SOME_SECRET
# valueFrom:
# secretKeyRef:
# name: secret-name
# key: secret-key
# -- Environment variables to be passed to Traefik's binary from configMaps or secrets
envFrom: []
# - configMapRef:
# name: config-map-name
# - secretRef:
# name: secret-name
ports:
traefik:
@ -766,28 +715,12 @@ ports:
# -- The port protocol (TCP/UDP)
protocol: TCP
# -- TLS Options are created as TLSOption CRDs
# https://doc.traefik.io/traefik/https/tls/#tls-options
# -- TLS Options are created as [TLSOption CRDs](https://doc.traefik.io/traefik/https/tls/#tls-options)
# When using `labelSelector`, you'll need to set labels on tlsOption accordingly.
# Example:
# tlsOptions:
# default:
# labels: {}
# sniStrict: true
# custom-options:
# labels: {}
# curvePreferences:
# - CurveP521
# - CurveP384
# See EXAMPLE.md for details.
tlsOptions: {}
# -- TLS Store are created as TLSStore CRDs. This is useful if you want to set a default certificate
# https://doc.traefik.io/traefik/https/tls/#default-certificate
# Example:
# tlsStore:
# default:
# defaultCertificate:
# secretName: tls-cert
# -- TLS Store are created as [TLSStore CRDs](https://doc.traefik.io/traefik/https/tls/#default-certificate). This is useful if you want to set a default certificate. See EXAMPLE.md for details.
tlsStore: {}
service:
@ -839,29 +772,8 @@ service:
autoscaling:
# -- Create HorizontalPodAutoscaler object.
# See EXAMPLES.md for more details.
enabled: false
# minReplicas: 1
# maxReplicas: 10
# metrics:
# - type: Resource
# resource:
# name: cpu
# target:
# type: Utilization
# averageUtilization: 60
# - type: Resource
# resource:
# name: memory
# target:
# type: Utilization
# averageUtilization: 60
# behavior:
# scaleDown:
# stabilizationWindowSeconds: 300
# policies:
# - type: Pods
# value: 1
# periodSeconds: 60
persistence:
# -- Enable persistence using Persistent Volume Claims
@ -879,27 +791,10 @@ persistence:
# -- Only mount a subpath of the Volume into the pod
# subPath: ""
# -- Certificates resolvers configuration
# -- Certificates resolvers configuration.
# Ref: https://doc.traefik.io/traefik/https/acme/#certificate-resolvers
# See EXAMPLES.md for more details.
certResolvers: {}
# letsencrypt:
# # for challenge options cf. https://doc.traefik.io/traefik/https/acme/
# email: email@example.com
# dnsChallenge:
# # also add the provider's required configuration under env
# # or expand then from secrets/configmaps with envfrom
# # cf. https://doc.traefik.io/traefik/https/acme/#providers
# provider: digitalocean
# # add futher options for the dns challenge as needed
# # cf. https://doc.traefik.io/traefik/https/acme/#dnschallenge
# delayBeforeCheck: 30
# resolvers:
# - 1.1.1.1
# - 8.8.8.8
# tlsChallenge: true
# httpChallenge:
# entryPoint: "web"
# # It has to match the path with a persistent volume
# storage: /data/acme.json
# -- If hostNetwork is true, runs traefik in the host network namespace
# To prevent unschedulabel pods due to port collisions, if hostNetwork=true
@ -933,14 +828,8 @@ serviceAccount:
# -- Additional serviceAccount annotations (e.g. for oidc authentication)
serviceAccountAnnotations: {}
# -- The resources parameter defines CPU and memory requirements and limits for Traefik's containers.
# -- [Resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for `traefik` container.
resources: {}
# requests:
# cpu: "100m"
# memory: "50Mi"
# limits:
# cpu: "300m"
# memory: "150Mi"
# -- This example pod anti-affinity forces the scheduler to put traefik pods
# -- on nodes where no other traefik pods are scheduled.
@ -970,30 +859,22 @@ topologySpreadConstraints: []
# topologyKey: kubernetes.io/hostname
# whenUnsatisfiable: DoNotSchedule
# -- Pods can have priority.
# -- Priority indicates the importance of a Pod relative to other Pods.
# -- [Pod Priority and Preemption](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/)
priorityClassName: ""
# -- Set the container security context
# -- To run the container with ports below 1024 this will need to be adjusted to run as root
# -- [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1)
# @default -- See _values.yaml_
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop: [ALL]
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
# -- [Pod Security Context](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context)
# @default -- See _values.yaml_
podSecurityContext:
# /!\ When setting fsGroup, Kubernetes will recursively change ownership and
# permissions for the contents of each volume to match the fsGroup. This can
# be an issue when storing sensitive content like TLS Certificates /!\
# fsGroup: 65532
# -- Specifies the policy for changing ownership and permissions of volume contents to match the fsGroup.
fsGroupChangePolicy: "OnRootMismatch"
# -- The ID of the group for all containers in the pod to run as.
runAsGroup: 65532
# -- Specifies whether the containers should run as a non-root user.
runAsNonRoot: true
# -- The ID of the user for all containers in the pod to run as.
runAsUser: 65532
#
@ -1003,16 +884,16 @@ podSecurityContext:
# See #595 for more details and traefik/tests/values/extra.yaml for example.
extraObjects: []
# This will override the default Release Namespace for Helm.
# -- This field override the default Release Namespace for Helm.
# It will not affect optional CRDs such as `ServiceMonitor` and `PrometheusRules`
# namespaceOverride: traefik
#
## -- This will override the default app.kubernetes.io/instance label for all Objects.
# instanceLabelOverride: traefik
namespaceOverride:
# -- Traefik Hub configuration. See https://doc.traefik.io/traefik-hub/
## -- This field override the default app.kubernetes.io/instance label for all Objects.
instanceLabelOverride:
# Traefik Hub configuration. See https://doc.traefik.io/traefik-hub/
hub:
# Name of Secret with key 'token' set to a valid license token.
# -- Name of `Secret` with key 'token' set to a valid license token.
# It enables API Gateway.
token:
apimanagement:
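Review bot: In the `@ -970,30 +859,22 @@` hunk the `podSecurityContext` and `securityContext` blocks lose their in-place explanations, most importantly the `/!\` warning that setting `fsGroup` makes Kubernetes recursively change ownership and permissions of volume contents, which matters for sensitive content such as TLS certificates. The side markers are lost on this page, but the README change that collapses these rows to "See _values.yaml_" suggests those comments are on the removed side. Since `@default -- See _values.yaml_` now points readers back to this very file, a short comment should stay next to the block, for example `# fsGroup is deliberately unset: Kubernetes would recursively re-own volume contents such as /data/acme.json. See EXAMPLES.md.` The removed note that ports below 1024 require adjusting `securityContext` is likewise worth keeping as one line, so operators do not loosen the defaults further than needed.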


@ -13330,6 +13330,29 @@ entries:
- assets/weka/csi-wekafsplugin-0.6.400.tgz
version: 0.6.400
dxemssql:
- annotations:
catalog.cattle.io/certified: partner
catalog.cattle.io/display-name: DxEnterprise for Microsoft SQL AG
catalog.cattle.io/kube-version: '>= 1.20.0-0'
catalog.cattle.io/release-name: dxemssql
charts.openshift.io/name: DxEnterprise for Microsoft SQL AG
apiVersion: v2
appVersion: "23.0"
created: "2024-06-01T00:58:21.691766865Z"
description: Helm chart for DH2i's DxEnterprise clustering solution with SQL Server
availability groups
digest: 30550a1c6803eb6bbbc5b7f5796af8ee652a671bd325fe6e724899ff1845deb8
icon: https://raw.githubusercontent.com/dh2i/helm/main/assets/DH2i_Logo_Icon.png
kubeVersion: '>= 1.20.0-0'
maintainers:
- email: support@dh2i.com
name: DH2i Company
url: https://dh2i.com
name: dxemssql
type: application
urls:
- assets/dh2i/dxemssql-1.0.6.tgz
version: 1.0.6
- annotations:
catalog.cattle.io/certified: partner
catalog.cattle.io/display-name: DxEnterprise for Microsoft SQL AG
@ -13446,6 +13469,28 @@ entries:
- assets/dh2i/dxemssql-1.0.1.tgz
version: 1.0.1
dxenterprisesqlag:
- annotations:
catalog.cattle.io/certified: partner
catalog.cattle.io/display-name: DxOperator - DxE + SQL Server AG
catalog.cattle.io/kube-version: '>= 1.26.0-0'
catalog.cattle.io/release-name: dxenterprisesqlag
charts.openshift.io/name: DxOperator - DxE + SQL Server AG
apiVersion: v2
appVersion: "23.0"
created: "2024-06-01T00:58:21.692560248Z"
description: SQL Server AGs using DH2i DxOperator
digest: e0370474c5b4076ba19b9d21763ed5545b7553be4bc163c2333f60a25d396daa
icon: https://raw.githubusercontent.com/dh2i/helm/main/assets/DH2i_Logo_Icon.png
kubeVersion: '>= 1.26.0-0'
maintainers:
- email: support@dh2i.com
name: DH2i Company
url: https://dh2i.com
name: dxenterprisesqlag
type: application
urls:
- assets/dh2i/dxenterprisesqlag-1.0.2.tgz
version: 1.0.2
- annotations:
catalog.cattle.io/certified: partner
catalog.cattle.io/display-name: DxOperator - DxE + SQL Server AG
@ -13469,6 +13514,28 @@ entries:
- assets/dh2i/dxenterprisesqlag-1.0.1.tgz
version: 1.0.1
dxoperator:
- annotations:
catalog.cattle.io/certified: partner
catalog.cattle.io/display-name: DxOperator
catalog.cattle.io/kube-version: '>= 1.26.0-0'
catalog.cattle.io/release-name: dxoperator
charts.openshift.io/name: DxOperator
apiVersion: v2
appVersion: 1.0.67.0
created: "2024-06-01T00:58:21.693613874Z"
description: DH2i operator for Kubernetes
digest: 4bb8c1d637f9e7b00fa96daddeacc0ce8df6214abfdc379deff308674fe21cb0
icon: https://raw.githubusercontent.com/dh2i/helm/main/assets/DH2i_Logo_Icon.png
kubeVersion: '>= 1.26.0-0'
maintainers:
- email: support@dh2i.com
name: DH2i Company
url: https://dh2i.com
name: dxoperator
type: application
urls:
- assets/dh2i/dxoperator-1.0.2.tgz
version: 1.0.2
- annotations:
catalog.cattle.io/certified: partner
catalog.cattle.io/display-name: DxOperator
@ -26690,6 +26757,34 @@ entries:
- assets/trilio/k8s-triliovault-operator-v2.0.200.tgz
version: v2.0.200
k10:
- annotations:
catalog.cattle.io/certified: partner
catalog.cattle.io/display-name: K10
catalog.cattle.io/kube-version: '>= 1.17.0-0'
catalog.cattle.io/release-name: k10
apiVersion: v2
appVersion: 7.0.0
created: "2024-06-01T00:58:24.07274013Z"
dependencies:
- condition: grafana.enabled
name: grafana
repository: file://./charts/grafana
version: 7.3.2
- condition: prometheus.server.enabled
name: prometheus
repository: file://./charts/prometheus
version: 25.18.0
description: Kastens K10 Data Management Platform
digest: a49e4e7b8eb31c2755244ee1033980fe5354f226d40caddfd575fb7ef9b86ce7
home: https://kasten.io/
icon: https://docs.kasten.io/_static/logo-kasten-k10-blue-white.png
maintainers:
- email: contact@kasten.io
name: kastenIO
name: k10
urls:
- assets/kasten/k10-7.0.1.tgz
version: 7.0.1
- annotations:
catalog.cattle.io/certified: partner
catalog.cattle.io/display-name: K10
@ -31467,17 +31562,49 @@ entries:
catalog.cattle.io/kube-version: '>=1.22.0-0'
catalog.cattle.io/release-name: linkerd-control-plane
apiVersion: v2
appVersion: edge-24.5.4
created: "2024-05-24T00:54:44.438401576Z"
appVersion: edge-24.5.5
created: "2024-06-01T00:58:33.125548498Z"
dependencies:
- name: partials
repository: file://./charts/partials
version: 0.1.0
description: 'Linkerd gives you observability, reliability, and security for your
microservices — with no code change required. '
digest: e1a189d3d116d340861cc32c37d694a5c9eadafd2cd541e2cc0b400cea05638e
digest: a46935897d5e1abc1af3d24d9775d27d6bd26d7adfecd3ff3a0d7da45eeca5b8
home: https://linkerd.io
icon: file://assets/icons/linkerd-control-plane.png
icon: https://linkerd.io/images/logo-only-200h.png
keywords:
- service-mesh
kubeVersion: '>=1.22.0-0'
maintainers:
- email: cncf-linkerd-dev@lists.cncf.io
name: Linkerd authors
url: https://linkerd.io/
name: linkerd-control-plane
sources:
- https://github.com/linkerd/linkerd2/
type: application
urls:
- assets/linkerd/linkerd-control-plane-2024.5.5.tgz
version: 2024.5.5
- annotations:
catalog.cattle.io/auto-install: linkerd-crds
catalog.cattle.io/certified: partner
catalog.cattle.io/display-name: Linkerd Control Plane
catalog.cattle.io/kube-version: '>=1.22.0-0'
catalog.cattle.io/release-name: linkerd-control-plane
apiVersion: v2
appVersion: edge-24.5.4
created: "2024-06-01T00:58:24.854642237Z"
dependencies:
- name: partials
repository: file://./charts/partials
version: 0.1.0
description: 'Linkerd gives you observability, reliability, and security for your
microservices — with no code change required. '
digest: 166e27da10c14a8959f3c9a53271e1305c186d40bcc0f344f78f5595df37b7e6
home: https://linkerd.io
icon: https://linkerd.io/images/logo-only-200h.png
keywords:
- service-mesh
kubeVersion: '>=1.22.0-0'
@ -32186,6 +32313,36 @@ entries:
- assets/linkerd/linkerd-control-plane-1.12.5.tgz
version: 1.12.5
linkerd-crds:
- annotations:
catalog.cattle.io/certified: partner
catalog.cattle.io/display-name: Linkerd CRDs
catalog.cattle.io/kube-version: '>=1.22.0-0'
catalog.cattle.io/release-name: linkerd-crds
apiVersion: v2
created: "2024-06-01T00:58:33.166902996Z"
dependencies:
- name: partials
repository: file://./charts/partials
version: 0.1.0
description: 'Linkerd gives you observability, reliability, and security for your
microservices — with no code change required. '
digest: f9654f224f8ba7319bd7b260e103de6fd819a357fe9542b5a4a00de30e0f210b
home: https://linkerd.io
icon: https://linkerd.io/images/logo-only-200h.png
keywords:
- service-mesh
kubeVersion: '>=1.22.0-0'
maintainers:
- email: cncf-linkerd-dev@lists.cncf.io
name: Linkerd authors
url: https://linkerd.io/
name: linkerd-crds
sources:
- https://github.com/linkerd/linkerd2/
type: application
urls:
- assets/linkerd/linkerd-crds-2024.5.5.tgz
version: 2024.5.5
- annotations:
catalog.cattle.io/certified: partner
catalog.cattle.io/display-name: Linkerd CRDs
@ -35081,6 +35238,32 @@ entries:
- assets/nats/nats-0.10.0.tgz
version: 0.10.0
nginx-ingress:
- annotations:
catalog.cattle.io/certified: partner
catalog.cattle.io/display-name: NGINX Ingress Controller
catalog.cattle.io/kube-version: '>= 1.23.0-0'
catalog.cattle.io/release-name: nginx-ingress
apiVersion: v2
appVersion: 3.5.2
created: "2024-06-01T00:58:21.846303816Z"
description: NGINX Ingress Controller
digest: 6716e2355dc8fa9f11a11a43b512deb76a24d9cd98950ee1119ccd3dc219619f
home: https://github.com/nginxinc/kubernetes-ingress
icon: https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/v3.5.2/charts/nginx-ingress/chart-icon.png
keywords:
- ingress
- nginx
kubeVersion: '>= 1.23.0-0'
maintainers:
- email: kubernetes@nginx.com
name: nginxinc
name: nginx-ingress
sources:
- https://github.com/nginxinc/kubernetes-ingress/tree/v3.5.2/charts/nginx-ingress
type: application
urls:
- assets/f5/nginx-ingress-1.2.2.tgz
version: 1.2.2
- annotations:
catalog.cattle.io/certified: partner
catalog.cattle.io/display-name: NGINX Ingress Controller
@ -52605,6 +52788,43 @@ entries:
- assets/intel/tcs-issuer-0.1.0.tgz
version: 0.1.0
traefik:
- annotations:
artifacthub.io/changes: "- \"fix(IngressClass): provides annotation on IngressRoutes
when it's enabled\"\n- \"feat: ✨ simplify values and provide more examples\"\n-
\"feat: add deletecollection right on secrets\"\n- \"chore(release): \U0001F680
publish v28.2.0\"\n- \"chore(deps): update traefik docker tag to v3.0.1\"\n"
catalog.cattle.io/certified: partner
catalog.cattle.io/display-name: Traefik Proxy
catalog.cattle.io/kube-version: '>=1.22.0-0'
catalog.cattle.io/release-name: traefik
apiVersion: v2
appVersion: v3.0.1
created: "2024-06-01T00:58:35.248532017Z"
description: A Traefik based Kubernetes ingress controller
digest: adaf0ea047da678d8b8bc77bea3319d709d4fce6887974b90485e8f17c0838e9
home: https://traefik.io/
icon: https://raw.githubusercontent.com/traefik/traefik/v2.3/docs/content/assets/img/traefik.logo.png
keywords:
- traefik
- ingress
- networking
kubeVersion: '>=1.22.0-0'
maintainers:
- email: michel.loiseleur@traefik.io
name: mloiseleur
- email: charlie.haley@traefik.io
name: charlie-haley
- email: remi.buisson@traefik.io
name: darkweaver87
- name: jnoordsij
name: traefik
sources:
- https://github.com/traefik/traefik
- https://github.com/traefik/traefik-helm-chart
type: application
urls:
- assets/traefik/traefik-28.2.0.tgz
version: 28.2.0
- annotations:
artifacthub.io/changes: "- \"fix(Traefik Hub): do not deploy mutating webhook
when enabling only API Gateway\"\n- \"feat(Traefik Hub): use Traefik Proxy