diff --git a/assets/airlock/microgateway-4.4.1.tgz b/assets/airlock/microgateway-4.4.1.tgz new file mode 100644 index 000000000..e68360649 Binary files /dev/null and b/assets/airlock/microgateway-4.4.1.tgz differ diff --git a/assets/airlock/microgateway-cni-4.4.1.tgz b/assets/airlock/microgateway-cni-4.4.1.tgz new file mode 100644 index 000000000..049ec58bb Binary files /dev/null and b/assets/airlock/microgateway-cni-4.4.1.tgz differ diff --git a/assets/kasten/k10-7.0.1401.tgz b/assets/kasten/k10-7.0.1401.tgz new file mode 100644 index 000000000..9b923682f Binary files /dev/null and b/assets/kasten/k10-7.0.1401.tgz differ diff --git a/assets/kuma/kuma-2.9.1.tgz b/assets/kuma/kuma-2.9.1.tgz new file mode 100644 index 000000000..511e017f7 Binary files /dev/null and b/assets/kuma/kuma-2.9.1.tgz differ diff --git a/assets/netscaler/netscaler-cpx-with-ingress-controller-2.2.10.tgz b/assets/netscaler/netscaler-cpx-with-ingress-controller-2.2.10.tgz new file mode 100644 index 000000000..36639a1fc Binary files /dev/null and b/assets/netscaler/netscaler-cpx-with-ingress-controller-2.2.10.tgz differ diff --git a/assets/netscaler/netscaler-ingress-controller-2.2.10.tgz b/assets/netscaler/netscaler-ingress-controller-2.2.10.tgz new file mode 100644 index 000000000..eee5a0c91 Binary files /dev/null and b/assets/netscaler/netscaler-ingress-controller-2.2.10.tgz differ diff --git a/assets/trilio/k8s-triliovault-operator-5.0.0.tgz b/assets/trilio/k8s-triliovault-operator-5.0.0.tgz new file mode 100644 index 000000000..772f95f21 Binary files /dev/null and b/assets/trilio/k8s-triliovault-operator-5.0.0.tgz differ diff --git a/charts/airlock/microgateway-cni/4.4.1/.helmignore b/charts/airlock/microgateway-cni/4.4.1/.helmignore new file mode 100644 index 000000000..8561d2892 --- /dev/null +++ b/charts/airlock/microgateway-cni/4.4.1/.helmignore @@ -0,0 +1,27 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ + +# Helm unit tests +/tests +/validation diff --git a/charts/airlock/microgateway-cni/4.4.1/Chart.yaml b/charts/airlock/microgateway-cni/4.4.1/Chart.yaml new file mode 100644 index 000000000..4abf51221 --- /dev/null +++ b/charts/airlock/microgateway-cni/4.4.1/Chart.yaml @@ -0,0 +1,43 @@ +annotations: + artifacthub.io/category: security + artifacthub.io/license: MIT + artifacthub.io/links: | + - name: Airlock Microgateway Documentation + url: https://docs.airlock.com/microgateway/4.4/ + - name: Airlock Microgateway Labs + url: https://play.instruqt.com/airlock/invite/hyi9fy4b4jzc?icp_referrer=artifacthub.io + - name: Airlock Microgateway Forum + url: https://forum.airlock.com/ + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Airlock Microgateway CNI + catalog.cattle.io/kube-version: '>=1.25.0-0' + catalog.cattle.io/release-name: "" + charts.openshift.io/name: Airlock Microgateway CNI +apiVersion: v2 +appVersion: 4.4.1 +description: A Helm chart for deploying the Airlock Microgateway CNI plugin +home: https://www.airlock.com/en/microgateway +icon: file://assets/icons/microgateway-cni.svg +keywords: +- WAF +- Web Application Firewall +- WAAP +- Web Application and API protection +- OWASP +- Airlock +- Microgateway +- Security +- Filtering +- DevSecOps +- shift left +- CNI +kubeVersion: '>=1.25.0-0' +maintainers: +- email: support@airlock.com + name: Airlock + url: https://www.airlock.com/ +name: microgateway-cni +sources: +- https://github.com/airlock/microgateway +type: application +version: 4.4.1 diff --git a/charts/airlock/microgateway-cni/4.4.1/README.md b/charts/airlock/microgateway-cni/4.4.1/README.md new file mode 100644 index 000000000..77c0a31b4 --- /dev/null +++ b/charts/airlock/microgateway-cni/4.4.1/README.md @@ -0,0 +1,137 @@ +# Airlock Microgateway CNI + +![Version: 4.4.1](https://img.shields.io/badge/Version-4.4.1-informational?style=flat-square) ![AppVersion: 4.4.1](https://img.shields.io/badge/AppVersion-4.4.1-informational?style=flat-square) + +*Airlock Microgateway is a Kubernetes native WAAP (Web Application and API Protection) solution to protect microservices.* + + + + + Microgateway + + +Modern application security is embedded in the development workflow and follows DevSecOps paradigms. Airlock Microgateway is the perfect fit for these requirements. It is a lightweight alternative to the Airlock Gateway appliance, optimized for Kubernetes environments. Airlock Microgateway protects your applications and microservices with the tried-and-tested Airlock security features against attacks, while also providing a high degree of scalability. +__This Helm chart is part of Airlock Microgateway. See our [GitHub repo](https://github.com/airlock/microgateway/tree/4.4.1).__ + +### Features +* Kubernetes native integration with sidecar injection and Gateway API support +* Reverse proxy functionality with request routing rules, TLS termination and remote IP extraction +* Using native Envoy HTTP filters like Lua scripting, RBAC, ext_authz, JWT authentication +* Content security filters for protecting against known attacks (OWASP Top 10) +* Access control using OpenID Connect to allow only authenticated users to access the protected services +* API security features like JSON parsing, OpenAPI specification enforcement or GraphQL schema validation + +For a list of all features, view the **[comparison of the community and premium edition](https://docs.airlock.com/microgateway/latest/#data/1675772882054.html)**. + +## Documentation and links + +Check the official documentation at **[docs.airlock.com](https://docs.airlock.com/microgateway/latest/)** or the product website at **[airlock.com/microgateway](https://www.airlock.com/en/microgateway)**. The links below point out the most interesting documentation sites when starting with Airlock Microgateway. + +* [Getting Started](https://docs.airlock.com/microgateway/latest/#data/1660804708742.html) +* [System Architecture](https://docs.airlock.com/microgateway/latest/#data/1660804709650.html) +* [Installation](https://docs.airlock.com/microgateway/latest/#data/1660804708637.html) +* [Troubleshooting](https://docs.airlock.com/microgateway/latest/#data/1659430054787.html) +* [GitHub](https://github.com/airlock/microgateway) + +# Quick start guide + +The instructions below provide a quick start guide. Detailed information are provided in the **[manual](https://docs.airlock.com/microgateway/latest/)**. + +## Prerequisites +* [helm](https://helm.sh/docs/intro/install/) (>= v3.8.0) + +## Deploy Airlock Microgateway CNI +1. Install the CNI Plugin with Helm. + > **Note**: Certain environments such as OpenShift or GKE require non-default configurations when installing the CNI plugin. For the most common setups, values files are provided in the [chart folder](/deploy/charts/airlock-microgateway-cni). + ```bash + # Standard setup + helm install airlock-microgateway-cni -n kube-system oci://quay.io/airlockcharts/microgateway-cni --version '4.4.1' + kubectl -n kube-system rollout status daemonset -l app.kubernetes.io/instance=airlock-microgateway-cni + ``` + ```bash + # GKE setup + helm install airlock-microgateway-cni -n kube-system oci://quay.io/airlockcharts/microgateway-cni --version '4.4.1' -f https://raw.githubusercontent.com/airlock/microgateway/4.4.1/deploy/charts/airlock-microgateway-cni/gke-values.yaml + kubectl -n kube-system rollout status daemonset -l app.kubernetes.io/instance=airlock-microgateway-cni + ``` + ```bash + # OpenShift setup + helm install airlock-microgateway-cni -n openshift-operators oci://quay.io/airlockcharts/microgateway-cni --version '4.4.1' -f https://raw.githubusercontent.com/airlock/microgateway/4.4.1/deploy/charts/airlock-microgateway-cni/openshift-values.yaml + kubectl -n openshift-operators rollout status daemonset -l app.kubernetes.io/instance=airlock-microgateway-cni + ``` + > **Important:** On OpenShift, all pods which should be protected by Airlock Microgateway must explicitly reference the Airlock Microgateway CNI NetworkAttachmentDefinition via the annotation `k8s.v1.cni.cncf.io/networks` (see [documentation](https://docs.airlock.com/microgateway/latest/#data/1658483168033.html) for details). + +2. (Recommended) You can verify the correctness of the installation with `helm test`. + ```bash + # Standard and GKE setup + helm upgrade airlock-microgateway-cni -n kube-system --set tests.enabled=true --reuse-values oci://quay.io/airlockcharts/microgateway-cni --version '4.4.1' + helm test airlock-microgateway-cni -n kube-system --logs + helm upgrade airlock-microgateway-cni -n kube-system --set tests.enabled=false --reuse-values oci://quay.io/airlockcharts/microgateway-cni --version '4.4.1' + ``` + ```bash + # OpenShift setup + helm upgrade airlock-microgateway-cni -n openshift-operators --set tests.enabled=true --reuse-values oci://quay.io/airlockcharts/microgateway-cni --version '4.4.1' + helm test airlock-microgateway-cni -n openshift-operators --logs + helm upgrade airlock-microgateway-cni -n openshift-operators --set tests.enabled=false --reuse-values oci://quay.io/airlockcharts/microgateway-cni --version '4.4.1' + ``` + + Consult our [documentation](https://docs.airlock.com/microgateway/latest/#data/1699611533587.html) in case of any installation error. + +## Support + +### Premium support +If you have a paid license, please follow the [premium support process](https://techzone.ergon.ch/support-process). + +### Community support +For the community edition, check our **[Airlock community forum](https://forum.airlock.com/)** for FAQs or register to post your question. +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| affinity | object | `{}` | Custom affinity for the DaemonSet to only deploy the CNI plugin on specific nodes. | +| commonAnnotations | object | `{}` | Annotations to add to all resources. | +| commonLabels | object | `{}` | Labels to add to all resources. | +| config.cniBinDir | string | `"/opt/cni/bin"` | Directory where the CNI plugin binaries reside on the host. This path can either be found in the documentation of your Kubernetes distribution or CNI provider. It can also be queried by running the command `crictl info -o go-template --template '{{.config.cni.binDir}}'` on your Kubernetes node. | +| config.cniNetDir | string | `"/etc/cni/net.d"` | Directory where the CNI config files reside on the host. This path can either be found in the documentation of your Kubernetes distribution or CNI provider. It can also be queried by running the command `crictl info -o go-template --template '{{.config.cni.confDir}}'` on your Kubernetes node. | +| config.excludeNamespaces | list | `["kube-system"]` | Namespaces for which this CNI plugin should not apply any modifications. | +| config.installMode | string | `"chained"` | Whether to install the CNI plugin as a `chained` plugin (default, required with most interface CNI providers), as a `standalone` plugin (required for use with Multus CNI, e.g. on OpenShift) or in `manual` mode, where no CNI network configuration is written. | +| config.logLevel | string | `"info"` | Log level for the CNI installer and plugin. | +| fullnameOverride | string | `""` | Allows overriding the name to use as full name of resources. | +| image.digest | string | `"sha256:fa2f5d8587024f0d0b29505204c964002cfd7facf79748ccc98b8caf1a70f0d8"` | SHA256 image digest to pull (in the format "sha256:7144f7bab3d4c2648d7e59409f15ec52a18006a128c733fcff20d3a4a54ba44a"). Overrides tag when specified. | +| image.pullPolicy | string | `"IfNotPresent"` | Pull policy for this image. | +| image.repository | string | `"quay.io/airlock/microgateway-cni"` | Image repository from which to pull the Airlock Microgateway CNI image. | +| image.tag | string | `"4.4.1"` | Image tag to pull. | +| imagePullSecrets | list | `[]` | ImagePullSecrets to use when pulling images. | +| multusNetworkAttachmentDefinition.create | bool | `false` | Whether a NetworkAttachmentDefinition CR should be created, which can be used for applying the CNI plugin to Pods. | +| multusNetworkAttachmentDefinition.namespace | string | `"default"` | Namespace in which the NetworkAttachmentDefinition is deployed. Note: If namespace is set to a custom value, referencing the created NetworkAttachmentDefinition from other namespaces may not work if Multus namespace isolation is enabled. https://github.com/k8snetworkplumbingwg/multus-cni/blob/v4.0.2/docs/configuration.md#namespace-isolation | +| nameOverride | string | `""` | Allows overriding the name to use instead of "microgateway-cni". | +| nodeSelector | object | `{"kubernetes.io/os":"linux"}` | NodeSelector to apply to the CNI DaemonSet in order to only deploy the CNI plugin on specific nodes. | +| podAnnotations | object | `{}` | Annotations to add to all Pods. | +| podLabels | object | `{}` | Labels to add to all Pods. | +| privileged | bool | `false` | Whether the DaemonSet should run in privileged mode. Must be enabled for environments which require it for writing files to the host (e.g. OpenShift). | +| rbac.create | bool | `true` | Whether to create RBAC resources which are required for the CNI plugin to function. | +| rbac.createSCCRole | OpenShift | `false` | Whether to create RBAC resources which allow the CNI installer to use the "privileged" security context constraint. | +| resources | object | `{"requests":{"cpu":"10m","memory":"100Mi"}}` | Resource restrictions to apply to the CNI installer container. | +| serviceAccount.annotations | object | `{}` | Annotations to add to the ServiceAccount. | +| serviceAccount.create | bool | `true` | Whether a ServiceAccount should be created. | +| serviceAccount.name | string | `""` | Name of the ServiceAccount to use. If not set and create is true, a name is generated using the fullname template. | +| tests.enabled | bool | `false` | Whether additional resources required for running `helm test` should be created (e.g. Roles and ServiceAccounts). If set to false, `helm test` will not run any tests. | + +## License +View the [detailed license terms](https://www.airlock.com/en/airlock-license) for the software contained in this image. +* Decompiling or reverse engineering is not permitted. +* Using any of the deny rules or parts of these filter patterns outside of the image is not permitted. + +Airlock® is a security innovation by [ergon](https://www.ergon.ch/en) + + + + + + + Airlock Secure Access Hub + + diff --git a/charts/airlock/microgateway-cni/4.4.1/gke-values.yaml b/charts/airlock/microgateway-cni/4.4.1/gke-values.yaml new file mode 100644 index 000000000..d6d5c21d1 --- /dev/null +++ b/charts/airlock/microgateway-cni/4.4.1/gke-values.yaml @@ -0,0 +1,4 @@ +# values for deploying on GKE + +config: + cniBinDir: "/home/kubernetes/bin" diff --git a/charts/airlock/microgateway-cni/4.4.1/openshift-values.yaml b/charts/airlock/microgateway-cni/4.4.1/openshift-values.yaml new file mode 100644 index 000000000..3b1d6cccd --- /dev/null +++ b/charts/airlock/microgateway-cni/4.4.1/openshift-values.yaml @@ -0,0 +1,15 @@ +# values for deploying on OpenShift + +rbac: + createSCCRole: true + +privileged: true + +multusNetworkAttachmentDefinition: + create: true + namespace: default + +config: + installMode: "standalone" + cniNetDir: "/etc/cni/multus/net.d" + cniBinDir: "/var/lib/cni/bin" diff --git a/charts/airlock/microgateway-cni/4.4.1/questions.yml b/charts/airlock/microgateway-cni/4.4.1/questions.yml new file mode 100644 index 000000000..73ed44d64 --- /dev/null +++ b/charts/airlock/microgateway-cni/4.4.1/questions.yml @@ -0,0 +1,18 @@ +questions: + - variable: config.cniNetDir + required: true + type: string + label: CNI Network Configuration Directory + group: "CNI Settings" + description: "Directory where the CNI config files reside on the host. This value depends on the kubernetes distribution and interface CNI Provider used. It can be fetched by running `crictl info -o go-template --template '{{.config.cni.confDir}}'` on your kubernetes host." + - variable: config.cniBinDir + required: true + type: string + label: CNI Plugin Binaries Directory + group: "CNI Settings" + description: "Directory where the CNI plugin binaries reside on the host. This value depends on the kubernetes distribution and interface CNI Provider used. It can be fetched by running `crictl info -o go-template --template '{{.config.cni.binDir}}'` on your kubernetes host." + - variable: config.installMode + required: true + label: CNI Plugin Installation Mode + group: "CNI Settings" + description: "Whether to install the CNI plugin as a `chained` plugin (default, required with most interface CNI providers) as a `standalone` plugin (required for use with Multus CNI, e.g. on OpenShift) or in `manual` mode, where no CNI network configuration is written. Please refer to the CNI installation documentation (https://github.com/airlock/microgateway?tab=readme-ov-file#deploy-airlock-microgateway-cni) to correctly setup the CNI Plugin for your environment." diff --git a/charts/airlock/microgateway-cni/4.4.1/templates/NOTES.txt b/charts/airlock/microgateway-cni/4.4.1/templates/NOTES.txt new file mode 100644 index 000000000..bb94ff521 --- /dev/null +++ b/charts/airlock/microgateway-cni/4.4.1/templates/NOTES.txt @@ -0,0 +1,15 @@ +Thank you for installing Airlock Microgateway CNI. + +Please ensure that the helm values'.config.cniNetDir' and '.config.cniBinDir' are configured for your Kubernetes distribution. +For further information, consider our manual https://docs.airlock.com/microgateway/{{ include "airlock-microgateway-cni.docsVersion" . }}. +The chapter 'Setup > Installation' describes how to set those settings correctly. + +Further information: +* Documentation: https://docs.airlock.com/microgateway/{{ include "airlock-microgateway-cni.docsVersion" . }} +* Airlock Microgateway Labs: https://play.instruqt.com/airlock/invite/hyi9fy4b4jzc?icp_referrer=helm + +Next steps: +* Install Airlock Microgateway (if not done already) + https://artifacthub.io/packages/helm/airlock-microgateway/microgateway + +Your release version is {{ .Chart.Version }}. \ No newline at end of file diff --git a/charts/airlock/microgateway-cni/4.4.1/templates/_helpers.tpl b/charts/airlock/microgateway-cni/4.4.1/templates/_helpers.tpl new file mode 100644 index 000000000..996491a87 --- /dev/null +++ b/charts/airlock/microgateway-cni/4.4.1/templates/_helpers.tpl @@ -0,0 +1,101 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "airlock-microgateway-cni.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Convert an image configuration object into an image ref string. +*/}} +{{- define "airlock-microgateway-cni.image" -}} + {{- if .digest -}} + {{- printf "%s@%s" .repository .digest -}} + {{- else if .tag -}} + {{- printf "%s:%s" .repository .tag -}} + {{- else -}} + {{- printf "%s" .repository -}} + {{- end -}} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 50 chars because some Kubernetes name fields are limited to 63 chars (by the DNS naming spec) +and the longest suffix is 13 characters. +If release name contains chart name it will be used as a full name. +*/}} +{{- define "airlock-microgateway-cni.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 50 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 50 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 50 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "airlock-microgateway-cni.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "airlock-microgateway-cni.labels" -}} +helm.sh/chart: {{ include "airlock-microgateway-cni.chart" . }} +{{ include "airlock-microgateway-cni.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- with .Values.commonLabels }} +{{ toYaml .}} +{{- end }} +{{- end }} + +{{/* +Common labels without component +*/}} +{{- define "airlock-microgateway-cni.labelsWithoutComponent" -}} +{{- $labels := fromYaml (include "airlock-microgateway-cni.labels" .) -}} +{{ unset $labels "app.kubernetes.io/component" | toYaml }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "airlock-microgateway-cni.selectorLabels" -}} +app.kubernetes.io/component: cni-plugin-installer +app.kubernetes.io/instance: {{ .Release.Name }} +app.kubernetes.io/name: {{ include "airlock-microgateway-cni.name" . }} +{{- end }} + +{{/* +Create the name of the service account to use for the CNI Plugin +*/}} +{{- define "airlock-microgateway-cni.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "airlock-microgateway-cni.fullname" .) .Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} + +{{- define "airlock-microgateway-cni.isSemver" -}} +{{- regexMatch `^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$` . -}} +{{- end -}} + +{{- define "airlock-microgateway-cni.docsVersion" -}} +{{- if and (eq "true" (include "airlock-microgateway-cni.isSemver" .Chart.AppVersion)) (not (contains "-" .Chart.AppVersion)) -}} + {{- $version := (semver .Chart.AppVersion) -}} + {{- $version.Major }}.{{ $version.Minor -}} +{{- else -}} + {{- print "latest" -}} +{{- end -}} +{{- end -}} diff --git a/charts/airlock/microgateway-cni/4.4.1/templates/clusterrole.yaml b/charts/airlock/microgateway-cni/4.4.1/templates/clusterrole.yaml new file mode 100644 index 000000000..ef88ac783 --- /dev/null +++ b/charts/airlock/microgateway-cni/4.4.1/templates/clusterrole.yaml @@ -0,0 +1,22 @@ +{{- if .Values.rbac.create -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "airlock-microgateway-cni.fullname" . }} + labels: + {{- include "airlock-microgateway-cni.labels" . | nindent 4 }} + {{- with .Values.commonAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +rules: + - apiGroups: + - "" + resources: + - pods + verbs: + - get + - list + - watch + - patch +{{- end -}} diff --git a/charts/airlock/microgateway-cni/4.4.1/templates/clusterrolebinding.yaml b/charts/airlock/microgateway-cni/4.4.1/templates/clusterrolebinding.yaml new file mode 100644 index 000000000..04f87cb0f --- /dev/null +++ b/charts/airlock/microgateway-cni/4.4.1/templates/clusterrolebinding.yaml @@ -0,0 +1,20 @@ +{{- if .Values.rbac.create -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "airlock-microgateway-cni.fullname" . }} + labels: + {{- include "airlock-microgateway-cni.labels" . | nindent 4 }} + {{- with .Values.commonAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "airlock-microgateway-cni.fullname" . }} +subjects: + - kind: ServiceAccount + name: {{ include "airlock-microgateway-cni.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +{{- end -}} diff --git a/charts/airlock/microgateway-cni/4.4.1/templates/configmap.yaml b/charts/airlock/microgateway-cni/4.4.1/templates/configmap.yaml new file mode 100644 index 000000000..b880116ef --- /dev/null +++ b/charts/airlock/microgateway-cni/4.4.1/templates/configmap.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "airlock-microgateway-cni.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "airlock-microgateway-cni.labels" . | nindent 4 }} + {{- with .Values.commonAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +data: + plugin-conf.json: |- + { + "type": "{{ include "airlock-microgateway-cni.fullname" . }}", + "debug": {{ eq .Values.config.logLevel "debug" }}, + "logFilePath": "/var/log/{{ include "airlock-microgateway-cni.fullname" . }}.log", + "kubernetes": { + "kubeconfig": "{{ .Values.config.cniNetDir }}/{{ include "airlock-microgateway-cni.fullname" . }}-kubeconfig", + "excludeNamespaces": {{ toJson .Values.config.excludeNamespaces }} + } + } diff --git a/charts/airlock/microgateway-cni/4.4.1/templates/daemonset.yaml b/charts/airlock/microgateway-cni/4.4.1/templates/daemonset.yaml new file mode 100644 index 000000000..4ba9f2669 --- /dev/null +++ b/charts/airlock/microgateway-cni/4.4.1/templates/daemonset.yaml @@ -0,0 +1,136 @@ +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: {{ include "airlock-microgateway-cni.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "airlock-microgateway-cni.labels" . | nindent 4 }} + {{- with .Values.commonAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + selector: + matchLabels: + {{- include "airlock-microgateway-cni.selectorLabels" . | nindent 6 }} + template: + metadata: + annotations: + checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + kubectl.kubernetes.io/default-container: cni-installer + {{- with mustMerge .Values.podAnnotations .Values.commonAnnotations}} + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "airlock-microgateway-cni.labels" . | nindent 8 }} + {{- with .Values.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + containers: + - args: + - --log-level + - "{{ .Values.config.logLevel }}" + env: + - name: CNI_NETWORK_CONFIG + valueFrom: + configMapKeyRef: + key: plugin-conf.json + name: {{ include "airlock-microgateway-cni.fullname" . }} + - name: CNI_BIN_DIR + value: /host/opt/cni/bin + - name: CNI_NET_DIR + value: /host/etc/cni/net.d + - name: KUBECONFIG_FILE_NAME + value: "{{ include "airlock-microgateway-cni.fullname" . }}-kubeconfig" + - name: INSTALL_MODE + value: {{ .Values.config.installMode }} + - name: KUBERNETES_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + image: {{ include "airlock-microgateway-cni.image" .Values.image }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + name: cni-installer + {{- with .Values.resources }} + resources: + {{- toYaml . | nindent 12 }} + {{- end }} + startupProbe: + exec: + command: + - /cni-installer + - probe + failureThreshold: 5 + initialDelaySeconds: 3 + periodSeconds: 3 + timeoutSeconds: 3 + readinessProbe: + exec: + command: + - /cni-installer + - probe + failureThreshold: 1 + periodSeconds: 60 + timeoutSeconds: 3 + securityContext: + allowPrivilegeEscalation: {{ .Values.privileged }} + capabilities: + drop: + - ALL + privileged: {{ .Values.privileged }} + readOnlyRootFilesystem: true + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 + seccompProfile: + type: RuntimeDefault + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /host/opt/cni/bin + name: cni-bin-dir + - mountPath: /host/etc/cni/net.d + name: cni-net-dir + - mountPath: /run/cni-installer + name: cni-installer-status + hostNetwork: true + priorityClassName: system-node-critical + restartPolicy: Always + securityContext: + fsGroup: 0 + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 + serviceAccountName: {{ include "airlock-microgateway-cni.serviceAccountName" . }} + terminationGracePeriodSeconds: 5 + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + tolerations: + - effect: NoSchedule + operator: Exists + - key: CriticalAddonsOnly + operator: Exists + - effect: NoExecute + operator: Exists + volumes: + - hostPath: + path: "{{ .Values.config.cniBinDir }}" + type: Directory + name: cni-bin-dir + - hostPath: + path: "{{ .Values.config.cniNetDir }}" + type: Directory + name: cni-net-dir + - emptyDir: {} + name: cni-installer-status diff --git a/charts/airlock/microgateway-cni/4.4.1/templates/network-attachment-definition.yaml b/charts/airlock/microgateway-cni/4.4.1/templates/network-attachment-definition.yaml new file mode 100644 index 000000000..5d657e309 --- /dev/null +++ b/charts/airlock/microgateway-cni/4.4.1/templates/network-attachment-definition.yaml @@ -0,0 +1,13 @@ +{{- if .Values.multusNetworkAttachmentDefinition.create -}} +apiVersion: "k8s.cni.cncf.io/v1" +kind: NetworkAttachmentDefinition +metadata: + name: {{ include "airlock-microgateway-cni.fullname" . }} + namespace: {{ .Values.multusNetworkAttachmentDefinition.namespace }} + labels: + {{- include "airlock-microgateway-cni.labels" . | nindent 4 }} + {{- with .Values.commonAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end -}} diff --git a/charts/airlock/microgateway-cni/4.4.1/templates/scc-role.yaml b/charts/airlock/microgateway-cni/4.4.1/templates/scc-role.yaml new file mode 100644 index 000000000..862748692 --- /dev/null +++ b/charts/airlock/microgateway-cni/4.4.1/templates/scc-role.yaml @@ -0,0 +1,22 @@ +{{- if .Values.rbac.createSCCRole -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "airlock-microgateway-cni.fullname" . }}-privileged + namespace: {{ .Release.Namespace }} + labels: + {{- include "airlock-microgateway-cni.labels" . | nindent 4 }} + {{- with .Values.commonAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +rules: +- apiGroups: + - security.openshift.io + resourceNames: + - privileged + resources: + - securitycontextconstraints + verbs: + - use +{{- end -}} \ No newline at end of file diff --git a/charts/airlock/microgateway-cni/4.4.1/templates/scc-rolebinding.yaml b/charts/airlock/microgateway-cni/4.4.1/templates/scc-rolebinding.yaml new file mode 100644 index 000000000..ebd02982c --- /dev/null +++ b/charts/airlock/microgateway-cni/4.4.1/templates/scc-rolebinding.yaml @@ -0,0 +1,20 @@ +{{- if .Values.rbac.createSCCRole -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ include "airlock-microgateway-cni.fullname" . }}-privileged + namespace: {{ .Release.Namespace }} + labels: + {{- include "airlock-microgateway-cni.labels" . | nindent 4 }} + {{- with .Values.commonAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ include "airlock-microgateway-cni.fullname" . }}-privileged +subjects: +- kind: ServiceAccount + name: {{ include "airlock-microgateway-cni.serviceAccountName" . }} +{{- end -}} diff --git a/charts/airlock/microgateway-cni/4.4.1/templates/serviceaccount.yaml b/charts/airlock/microgateway-cni/4.4.1/templates/serviceaccount.yaml new file mode 100644 index 000000000..3dc8d58ea --- /dev/null +++ b/charts/airlock/microgateway-cni/4.4.1/templates/serviceaccount.yaml @@ -0,0 +1,13 @@ +{{- if .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "airlock-microgateway-cni.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "airlock-microgateway-cni.labels" . | nindent 4 }} + {{- with mustMerge .Values.serviceAccount.annotations .Values.commonAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end -}} diff --git a/charts/airlock/microgateway-cni/4.4.1/templates/tests/rbac.yaml b/charts/airlock/microgateway-cni/4.4.1/templates/tests/rbac.yaml new file mode 100644 index 000000000..744799333 --- /dev/null +++ b/charts/airlock/microgateway-cni/4.4.1/templates/tests/rbac.yaml @@ -0,0 +1,64 @@ +{{- if .Values.tests.enabled -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: "{{ include "airlock-microgateway-cni.fullname" . }}-tests" + namespace: {{ .Release.Namespace }} + labels: + {{- include "airlock-microgateway-cni.labelsWithoutComponent" . | nindent 4 }} + app.kubernetes.io/component: tests +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: "{{ include "airlock-microgateway-cni.fullname" . }}-tests" + namespace: {{ .Release.Namespace }} + labels: + {{- include "airlock-microgateway-cni.labelsWithoutComponent" . | nindent 4 }} + app.kubernetes.io/component: tests +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: "{{ include "airlock-microgateway-cni.fullname" . }}-tests" +subjects: +- kind: ServiceAccount + name: "{{ include "airlock-microgateway-cni.fullname" . }}-tests" +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: "{{ include "airlock-microgateway-cni.fullname" . }}-tests" + namespace: {{ .Release.Namespace }} + labels: + {{- include "airlock-microgateway-cni.labelsWithoutComponent" . | nindent 4 }} + app.kubernetes.io/component: tests +rules: +- apiGroups: + - "apps" + resources: + - daemonsets + resourceNames: + - {{ include "airlock-microgateway-cni.fullname" . }} + verbs: + - get + - watch + - list +- apiGroups: + - "" + resources: + - pods + - pods/log + verbs: + - get + - list +{{- if .Values.rbac.createSCCRole }} +- apiGroups: + - security.openshift.io + resourceNames: + - privileged + resources: + - securitycontextconstraints + verbs: + - use +{{- end -}} +{{- end -}} diff --git a/charts/airlock/microgateway-cni/4.4.1/templates/tests/test-install.yaml b/charts/airlock/microgateway-cni/4.4.1/templates/tests/test-install.yaml new file mode 100644 index 000000000..12d8c8de7 --- /dev/null +++ b/charts/airlock/microgateway-cni/4.4.1/templates/tests/test-install.yaml @@ -0,0 +1,103 @@ +{{- if .Values.tests.enabled -}} +apiVersion: v1 +kind: Pod +metadata: + name: "{{ include "airlock-microgateway-cni.fullname" . }}-test-install" + namespace: {{ .Release.Namespace }} + labels: + {{- include "airlock-microgateway-cni.labelsWithoutComponent" . | nindent 4 }} + app.kubernetes.io/component: test-install + annotations: + helm.sh/hook: test + helm.sh/hook-delete-policy: before-hook-creation +spec: + restartPolicy: Never + containers: + - name: test + image: "bitnami/kubectl:{{ .Capabilities.KubeVersion.Major }}.{{ .Capabilities.KubeVersion.Minor }}" + securityContext: + allowPrivilegeEscalation: {{ .Values.privileged }} + capabilities: + drop: + - ALL + privileged: {{ .Values.privileged }} + readOnlyRootFilesystem: true + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /host/opt/cni/bin + name: cni-bin-dir + readOnly: true + - mountPath: /host/etc/cni/net.d + name: cni-net-dir + readOnly: true + command: + - sh + - -c + - | + set -eu + + fail() { + echo "Error: ${1}" + echo "" + echo 'CNI installer logs:' + kubectl logs -n {{ .Release.Namespace }} daemonsets/{{ include "airlock-microgateway-cni.fullname" .}} -c cni-installer + exit 1 + } + + containsMGWCNIConf() { + cat "${1}" | grep -qe '"type":.*"{{ include "airlock-microgateway-cni.fullname" . }}"' + } + + if ! kubectl rollout status --timeout=60s -n {{ .Release.Namespace }} daemonsets/{{ include "airlock-microgateway-cni.fullname" .}}; then + fail 'CNI DaemonSet rollout did not complete within timeout' + fi + + echo "Checking whether CNI binary was installed" + if ! [ -f "/host/opt/cni/bin/{{ include "airlock-microgateway-cni.fullname" . }}" ]; then + fail 'CNI binary was not installed' + fi + + echo "Checking whether CNI kubeconfig was installed" + if ! [ -f "/host/etc/cni/net.d/{{ include "airlock-microgateway-cni.fullname" . }}-kubeconfig" ]; then + fail 'CNI kubeconfig was not created' + fi + + echo "Checking whether CNI configuration was written" + case {{ .Values.config.installMode }} in + "chained") + for file in "/host/etc/cni/net.d/"*.conflist; do + if containsMGWCNIConf "${file}"; then + echo "Success" + exit 0 + fi + done + ;; + "standalone") + if containsMGWCNIConf "/host/etc/cni/net.d/{{ include "airlock-microgateway-cni.fullname" . }}.conflist"; then + echo "Success" + exit 0 + fi + ;; + "manual") + echo "- Skipping because we are in 'manual' install mode" + echo "Success" + exit 0 + ;; + esac + + fail 'Configuration for plugin "{{ include "airlock-microgateway-cni.fullname" . }}" was not found' + serviceAccountName: "{{ include "airlock-microgateway-cni.fullname" . }}-tests" + volumes: + - hostPath: + path: "{{ .Values.config.cniBinDir }}" + type: Directory + name: cni-bin-dir + - hostPath: + path: "{{ .Values.config.cniNetDir }}" + type: Directory + name: cni-net-dir +{{- end -}} diff --git a/charts/airlock/microgateway-cni/4.4.1/values.schema.json b/charts/airlock/microgateway-cni/4.4.1/values.schema.json new file mode 100644 index 000000000..e087bd700 --- /dev/null +++ b/charts/airlock/microgateway-cni/4.4.1/values.schema.json @@ -0,0 +1,225 @@ +{ + "$schema": "https://json-schema.org/draft/2020-12/schema", + "type": "object", + "properties": { + "nameOverride": { + "type": "string" + }, + "fullnameOverride": { + "type": "string" + }, + "commonLabels": { + "$ref": "#/definitions/StringMap" + }, + "commonAnnotations": { + "$ref": "#/definitions/StringMap" + }, + "imagePullSecrets": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "minLength": 1 + } + }, + "required": [ + "name" + ], + "additionalProperties": true + } + }, + "image": { + "$ref": "#/definitions/Image" + }, + "podAnnotations": { + "$ref": "#/definitions/StringMap" + }, + "podLabels": { + "$ref": "#/definitions/StringMap" + }, + "resources": { + "type": "object" + }, + "nodeSelector": { + "$ref": "#/definitions/StringMap" + }, + "affinity": { + "type": "object" + }, + "rbac": { + "type": "object", + "properties": { + "create": { + "type": "boolean" + }, + "createSCCRole": { + "type": "boolean" + } + }, + "required": [ + "create", + "createSCCRole" + ], + "additionalProperties": false + }, + "privileged": { + "type": "boolean" + }, + "serviceAccount": { + "type": "object", + "properties": { + "create": { + "type": "boolean" + }, + "annotations": { + "$ref": "#/definitions/StringMap" + }, + "name": { + "type": "string" + } + }, + "required": [ + "annotations", + "create", + "name" + ], + "additionalProperties": false + }, + "multusNetworkAttachmentDefinition": { + "type": "object", + "properties": { + "create": { + "type": "boolean" + }, + "namespace": { + "type": "string" + } + }, + "required": [ + "create", + "namespace" + ], + "additionalProperties": false + }, + "config": { + "type": "object", + "properties": { + "installMode": { + "type": "string", + "enum": [ + "chained", + "standalone", + "manual" + ] + }, + "logLevel": { + "type": "string", + "enum": [ + "debug", + "info", + "warn", + "error" + ] + }, + "cniNetDir": { + "type": "string", + "minLength": 1 + }, + "cniBinDir": { + "type": "string", + "minLength": 1 + }, + "excludeNamespaces": { + "type": "array", + "items": { + "type": "string" + } + } + }, + "required": [ + "cniBinDir", + "cniNetDir", + "excludeNamespaces", + "installMode", + "logLevel" + ], + "additionalProperties": false + }, + "tests": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + } + }, + "required": [ + "enabled" + ], + "additionalProperties": false + }, + "global": { + "type": "object" + } + }, + "required": [ + "affinity", + "commonAnnotations", + "commonLabels", + "config", + "fullnameOverride", + "image", + "imagePullSecrets", + "multusNetworkAttachmentDefinition", + "nameOverride", + "nodeSelector", + "podAnnotations", + "podLabels", + "privileged", + "rbac", + "resources", + "serviceAccount", + "tests" + ], + "additionalProperties": false, + "definitions": { + "StringMap": { + "type": "object", + "additionalProperties": { + "type": "string" + } + }, + "Image": { + "type": "object", + "properties": { + "repository": { + "type": "string", + "minLength": 1 + }, + "tag": { + "type": "string" + }, + "digest": { + "type": "string", + "pattern": "^$|^sha256:[a-f0-9]{64}$" + }, + "pullPolicy": { + "type": "string", + "enum": [ + "Always", + "IfNotPresent", + "Never" + ] + } + }, + "required": [ + "digest", + "pullPolicy", + "repository", + "tag" + ], + "additionalProperties": false + } + } +} diff --git a/charts/airlock/microgateway-cni/4.4.1/values.yaml b/charts/airlock/microgateway-cni/4.4.1/values.yaml new file mode 100644 index 000000000..d1116802d --- /dev/null +++ b/charts/airlock/microgateway-cni/4.4.1/values.yaml @@ -0,0 +1,85 @@ +# -- Allows overriding the name to use instead of "microgateway-cni". +nameOverride: "" +# -- Allows overriding the name to use as full name of resources. +fullnameOverride: "" +# -- Labels to add to all resources. +commonLabels: {} +# -- Annotations to add to all resources. +commonAnnotations: {} +# -- ImagePullSecrets to use when pulling images. +imagePullSecrets: [] +# - name: myRegistryKeySecretName + +# Specifies the Airlock Microgateway CNI image. +image: + # -- Image repository from which to pull the Airlock Microgateway CNI image. + repository: "quay.io/airlock/microgateway-cni" + # -- Image tag to pull. + tag: "4.4.1" + # -- SHA256 image digest to pull (in the format "sha256:7144f7bab3d4c2648d7e59409f15ec52a18006a128c733fcff20d3a4a54ba44a"). + # Overrides tag when specified. + digest: "sha256:fa2f5d8587024f0d0b29505204c964002cfd7facf79748ccc98b8caf1a70f0d8" + # -- Pull policy for this image. + pullPolicy: IfNotPresent +# -- Annotations to add to all Pods. +podAnnotations: {} +# -- Labels to add to all Pods. +podLabels: {} +# -- Resource restrictions to apply to the CNI installer container. +resources: + requests: + cpu: 10m + memory: 100Mi +# -- NodeSelector to apply to the CNI DaemonSet in order to only deploy the CNI plugin on specific nodes. +nodeSelector: + kubernetes.io/os: linux +# -- Custom affinity for the DaemonSet to only deploy the CNI plugin on specific nodes. +affinity: {} +# Configures the generation of RBAC Roles and RoleBindings. +rbac: + # -- Whether to create RBAC resources which are required for the CNI plugin to function. + create: true + # -- (OpenShift) Whether to create RBAC resources which allow the CNI installer to use the "privileged" security context constraint. + createSCCRole: false +# -- Whether the DaemonSet should run in privileged mode. Must be enabled for environments which require it for writing files to the host (e.g. OpenShift). +privileged: false +# Configures the generation of the ServiceAccount. +serviceAccount: + # -- Whether a ServiceAccount should be created. + create: true + # -- Annotations to add to the ServiceAccount. + annotations: {} + # -- Name of the ServiceAccount to use. + # If not set and create is true, a name is generated using the fullname template. + name: "" +# Configures the generation of a NetworkAttachmentDefinition for use with Multus CNI (OpenShift) +multusNetworkAttachmentDefinition: + # -- Whether a NetworkAttachmentDefinition CR should be created, which can be used for applying the CNI plugin to Pods. + create: false + # -- Namespace in which the NetworkAttachmentDefinition is deployed. + # Note: If namespace is set to a custom value, referencing the created NetworkAttachmentDefinition from other namespaces + # may not work if Multus namespace isolation is enabled. https://github.com/k8snetworkplumbingwg/multus-cni/blob/v4.0.2/docs/configuration.md#namespace-isolation + namespace: default +# Parameters for the CNI installer configuration. +config: + # -- Whether to install the CNI plugin as a `chained` plugin (default, required with most interface CNI providers), + # as a `standalone` plugin (required for use with Multus CNI, e.g. on OpenShift) + # or in `manual` mode, where no CNI network configuration is written. + installMode: "chained" + # -- Log level for the CNI installer and plugin. + logLevel: info + # -- Directory where the CNI config files reside on the host. + # This path can either be found in the documentation of your Kubernetes distribution or CNI provider. + # It can also be queried by running the command `crictl info -o go-template --template '{{.config.cni.confDir}}'` on your Kubernetes node. + cniNetDir: "/etc/cni/net.d" + # -- Directory where the CNI plugin binaries reside on the host. + # This path can either be found in the documentation of your Kubernetes distribution or CNI provider. + # It can also be queried by running the command `crictl info -o go-template --template '{{.config.cni.binDir}}'` on your Kubernetes node. + cniBinDir: "/opt/cni/bin" + # -- Namespaces for which this CNI plugin should not apply any modifications. + excludeNamespaces: + - kube-system +tests: + # -- Whether additional resources required for running `helm test` should be created (e.g. Roles and ServiceAccounts). + # If set to false, `helm test` will not run any tests. + enabled: false diff --git a/charts/airlock/microgateway/4.2.3/.helmignore b/charts/airlock/microgateway/4.2.3/.helmignore index 101ff5ac5..8561d2892 100644 --- a/charts/airlock/microgateway/4.2.3/.helmignore +++ b/charts/airlock/microgateway/4.2.3/.helmignore @@ -21,8 +21,7 @@ .idea/ *.tmproj .vscode/ -# CRDs kustomization.yaml -/crds/kustomization.yaml + # Helm unit tests /tests /validation diff --git a/charts/airlock/microgateway/4.2.3/Chart.yaml b/charts/airlock/microgateway/4.2.3/Chart.yaml index a248008ae..f4d50752c 100644 --- a/charts/airlock/microgateway/4.2.3/Chart.yaml +++ b/charts/airlock/microgateway/4.2.3/Chart.yaml @@ -9,15 +9,15 @@ annotations: - name: Airlock Microgateway Forum url: https://forum.airlock.com/ catalog.cattle.io/certified: partner - catalog.cattle.io/display-name: Airlock Microgateway + catalog.cattle.io/display-name: Airlock Microgateway CNI catalog.cattle.io/kube-version: '>=1.25.0-0' - catalog.cattle.io/release-name: microgateway - charts.openshift.io/name: Airlock Microgateway + catalog.cattle.io/release-name: microgateway-cni + charts.openshift.io/name: Airlock Microgateway CNI apiVersion: v2 appVersion: 4.2.3 -description: A Helm chart for deploying the Airlock Microgateway +description: A Helm chart for deploying the Airlock Microgateway CNI plugin home: https://www.airlock.com/en/microgateway -icon: file://assets/icons/microgateway.svg +icon: file://assets/icons/microgateway-cni.svg keywords: - WAF - Web Application Firewall @@ -30,14 +30,13 @@ keywords: - Filtering - DevSecOps - shift left -- control plane -- Operator +- CNI kubeVersion: '>=1.25.0-0' maintainers: - email: support@airlock.com name: Airlock url: https://www.airlock.com/ -name: microgateway +name: microgateway-cni sources: - https://github.com/airlock/microgateway type: application diff --git a/charts/airlock/microgateway/4.2.3/README.md b/charts/airlock/microgateway/4.2.3/README.md index 1a75b9b2c..2c5823d06 100644 --- a/charts/airlock/microgateway/4.2.3/README.md +++ b/charts/airlock/microgateway/4.2.3/README.md @@ -1,4 +1,4 @@ -# Airlock Microgateway +# Airlock Microgateway CNI ![Version: 4.2.3](https://img.shields.io/badge/Version-4.2.3-informational?style=flat-square) ![AppVersion: 4.2.3](https://img.shields.io/badge/AppVersion-4.2.3-informational?style=flat-square) @@ -40,61 +40,43 @@ Check the official documentation at **[docs.airlock.com](https://docs.airlock.co The instructions below provide a quick start guide. Detailed information are provided in the **[manual](https://docs.airlock.com/microgateway/latest/)**. ## Prerequisites -* [Airlock Microgateway CNI](https://artifacthub.io/packages/helm/airlock-microgateway-cni/microgateway-cni) -* [Airlock Microgateway License](#obtain-airlock-microgateway-license) -* [cert-manager](https://cert-manager.io/) * [helm](https://helm.sh/docs/intro/install/) (>= v3.8.0) -In order to use Airlock Microgateway you need a license and the cert-manager. You may either request a community license free of charge or purchase a premium license. -For an easy start in non-production environments, you may deploy the same cert-manager we are using internally for testing. -### Obtain Airlock Microgateway License -1. Either request a community or premium license - * Community license: [airlock.com/microgateway-community](https://airlock.com/en/microgateway-community) - * Premium license: [airlock.com/microgateway-premium](https://airlock.com/en/microgateway-premium) -2. Check your inbox and save the license file microgateway-license.txt locally. - -> See [Community vs. Premium editions in detail](https://docs.airlock.com/microgateway/latest/#data/1675772882054.html) to choose the right license type. -### Deploy cert-manager -```bash -# Install cert-manager -kubectl apply -k https://github.com/airlock/microgateway/examples/utilities/cert-manager/?ref=4.2.3 - -# Wait for the cert-manager to be up and running -kubectl -n cert-manager wait --for=condition=ready --timeout=600s pod -l app.kubernetes.io/instance=cert-manager -``` - -## Deploy Airlock Microgateway Operator - -> This guide assumes a microgateway-license.txt file is present in the working directory. - -1. Install CRDs and Operator. +## Deploy Airlock Microgateway CNI +1. Install the CNI Plugin with Helm. + > **Note**: Certain environments such as OpenShift or GKE require non-default configurations when installing the CNI plugin. For the most common setups, values files are provided in the [chart folder](/deploy/charts/airlock-microgateway-cni). ```bash - # Create namespace - kubectl create namespace airlock-microgateway-system - - # Install License - kubectl -n airlock-microgateway-system create secret generic airlock-microgateway-license --from-file=microgateway-license.txt - - # Install Operator (CRDs are included via the standard Helm 3 mechanism, i.e. Helm will handle initial installation but not upgrades) - helm install airlock-microgateway -n airlock-microgateway-system oci://quay.io/airlockcharts/microgateway --version '4.2.3' --wait + # Standard setup + helm install airlock-microgateway-cni -n kube-system oci://quay.io/airlockcharts/microgateway-cni --version '4.2.3' + kubectl -n kube-system rollout status daemonset -l app.kubernetes.io/instance=airlock-microgateway-cni ``` + ```bash + # GKE setup + helm install airlock-microgateway-cni -n kube-system oci://quay.io/airlockcharts/microgateway-cni --version '4.2.3' -f https://raw.githubusercontent.com/airlock/microgateway/4.2.3/deploy/charts/airlock-microgateway-cni/gke-values.yaml + kubectl -n kube-system rollout status daemonset -l app.kubernetes.io/instance=airlock-microgateway-cni + ``` + ```bash + # OpenShift setup + helm install airlock-microgateway-cni -n openshift-operators oci://quay.io/airlockcharts/microgateway-cni --version '4.2.3' -f https://raw.githubusercontent.com/airlock/microgateway/4.2.3/deploy/charts/airlock-microgateway-cni/openshift-values.yaml + kubectl -n openshift-operators rollout status daemonset -l app.kubernetes.io/instance=airlock-microgateway-cni + ``` + **Important:** On OpenShift, all pods which should be protected by Airlock Microgateway must explicitly reference the Airlock Microgateway CNI NetworkAttachmentDefinition via the annotation `k8s.v1.cni.cncf.io/networks` (see [documentation](https://docs.airlock.com/microgateway/latest/#data/1658483168033.html) for details). 2. (Recommended) You can verify the correctness of the installation with `helm test`. ```bash - helm upgrade airlock-microgateway -n airlock-microgateway-system --set tests.enabled=true --reuse-values oci://quay.io/airlockcharts/microgateway --version '4.2.3' - helm test airlock-microgateway -n airlock-microgateway-system --logs - helm upgrade airlock-microgateway -n airlock-microgateway-system --set tests.enabled=false --reuse-values oci://quay.io/airlockcharts/microgateway --version '4.2.3' + # Standard and GKE setup + helm upgrade airlock-microgateway-cni -n kube-system --set tests.enabled=true --reuse-values oci://quay.io/airlockcharts/microgateway-cni --version '4.2.3' + helm test airlock-microgateway-cni -n kube-system --logs + helm upgrade airlock-microgateway-cni -n kube-system --set tests.enabled=false --reuse-values oci://quay.io/airlockcharts/microgateway-cni --version '4.2.3' + ``` + ```bash + # OpenShift setup + helm upgrade airlock-microgateway-cni -n openshift-operators --set tests.enabled=true --reuse-values oci://quay.io/airlockcharts/microgateway-cni --version '4.2.3' + helm test airlock-microgateway-cni -n openshift-operators --logs + helm upgrade airlock-microgateway-cni -n openshift-operators --set tests.enabled=false --reuse-values oci://quay.io/airlockcharts/microgateway-cni --version '4.2.3' ``` -### Upgrading CRDs - -The `helm install/upgrade` command currently does not support upgrading CRDs that already exist in the cluster. -CRDs should instead be manually upgraded before upgrading the Operator itself via the following command: -```bash -kubectl apply -k https://github.com/airlock/microgateway/deploy/charts/airlock-microgateway/crds/?ref=4.2.3 --server-side --force-conflicts -``` - -**Note**: Certain GitOps solutions such as e.g. Argo CD or Flux CD have their own mechanisms for automatically upgrading CRDs included with Helm charts. + Consult our [documentation](https://docs.airlock.com/microgateway/latest/#data/1699611533587.html) in case of any installation error. ## Support @@ -107,45 +89,33 @@ For the community edition, check our **[Airlock community forum](https://forum.a | Key | Type | Default | Description | |-----|------|---------|-------------| +| affinity | object | `{}` | Custom affinity for the DaemonSet to only deploy the CNI plugin on specific nodes. | | commonAnnotations | object | `{}` | Annotations to add to all resources. | | commonLabels | object | `{}` | Labels to add to all resources. | -| crds.skipVersionCheck | bool | `false` | Whether to skip the sanity check which prevents installing/upgrading the helm chart in a cluster with outdated Airlock Microgateway CRDs. The check aims to prevent unexpected behavior and issues due to Helm v3 not automatically upgrading CRDs which are already present in the cluster when performing a "helm install/upgrade". | -| engine.image.digest | string | `"sha256:9b0debeef611172aa5ca79c6b8cd045e56a3c883763ec62c0fa211bb86d35304"` | SHA256 image digest to pull (in the format "sha256:a3051f42d3013813b05f7513bb86ed6a3209cb3003f1bb2f7b72df249aa544d3"). Overrides tag when specified. | -| engine.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for this image. | -| engine.image.repository | string | `"quay.io/airlock/microgateway-engine"` | Image repository from which to pull the Airlock Microgateway Engine image. | -| engine.image.tag | string | `"4.2.3"` | Image tag to pull. | -| engine.resources | object | `{}` | Resource restrictions to apply to the Airlock Microgateway Engine container. | -| engine.sidecar.podMonitor.create | bool | `false` | Whether to create a PodMonitor resource for monitoring. | -| engine.sidecar.podMonitor.labels | object | `{}` | Labels to add to the PodMonitor. | +| config.cniBinDir | string | `"/opt/cni/bin"` | Directory where the CNI plugin binaries reside on the host. | +| config.cniNetDir | string | `"/etc/cni/net.d"` | Directory where the CNI config files reside on the host. | +| config.excludeNamespaces | list | `["kube-system"]` | Namespaces for which this CNI plugin should not apply any modifications. | +| config.installMode | string | `"chained"` | Whether to install the CNI plugin as a `chained` plugin (default, required with most interface CNI providers), as a `standalone` plugin (required for use with Multus CNI, e.g. on OpenShift) or in `manual` mode, where no CNI network configuration is written. | +| config.logLevel | string | `"info"` | Log level for the CNI installer and plugin. | | fullnameOverride | string | `""` | Allows overriding the name to use as full name of resources. | +| image.digest | string | `"sha256:82b5924866840f783cce2e9b4095b7710a0e1cbf555498e8723ca811ca916290"` | SHA256 image digest to pull (in the format "sha256:7144f7bab3d4c2648d7e59409f15ec52a18006a128c733fcff20d3a4a54ba44a"). Overrides tag when specified. | +| image.pullPolicy | string | `"IfNotPresent"` | Pull policy for this image. | +| image.repository | string | `"quay.io/airlock/microgateway-cni"` | Image repository from which to pull the Airlock Microgateway CNI image. | +| image.tag | string | `"4.2.3"` | Image tag to pull. | | imagePullSecrets | list | `[]` | ImagePullSecrets to use when pulling images. | -| license.secretName | string | `"airlock-microgateway-license"` | Name of the secret containing the "microgateway-license.txt" key. | -| nameOverride | string | `""` | Allows overriding the name to use instead of "microgateway". | -| networkValidator.image.digest | string | `"sha256:a212cef6665b2464a41307162fa96e9623aa45c3fa32c39d320eae8b730d81e0"` | SHA256 image digest to pull (in the format "sha256:a212cef6665b2464a41307162fa96e9623aa45c3fa32c39d320eae8b730d81e0"). Overrides tag when specified. | -| networkValidator.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for this image. | -| networkValidator.image.repository | string | `"cgr.dev/chainguard/busybox"` | Image repository from which to pull the busybox image for the Airlock Microgateway Network Validator init-container. | -| networkValidator.image.tag | string | `""` | Image tag to pull. | -| operator.affinity | object | `{}` | Custom affinity to apply to the operator Deployment. Used to influence the scheduling. | -| operator.config.logLevel | string | `"info"` | Operator application log level. | -| operator.image.digest | string | `"sha256:a429dfdb636e76bfbee7c59cfbe53d5f396c1f5603d5cb187f6283301ba4d7ba"` | SHA256 image digest to pull (in the format "sha256:c79ee3f85862fb386e9dd62b901b607161d27807f512d7fbdece05e9ee3d7c63"). Overrides tag when specified. | -| operator.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for this image. | -| operator.image.repository | string | `"quay.io/airlock/microgateway-operator"` | Image repository from which to pull the Airlock Microgateway Operator image. | -| operator.image.tag | string | `"4.2.3"` | Image tag to pull. | -| operator.nodeSelector | object | `{}` | Custom nodeSelector to apply to the operator Deployment in order to constrain its Pods to certain nodes. | -| operator.podAnnotations | object | `{}` | Annotations to add to all Pods. | -| operator.podLabels | object | `{}` | Labels to add to all Pods. | -| operator.rbac.create | bool | `true` | Whether to create RBAC resources which are required for the Airlock Microgateway Operator to function. | -| operator.replicaCount | int | `2` | Number of replicas for the operator Deployment. | -| operator.resources | object | `{}` | Resource restrictions to apply to the operator container. | -| operator.serviceAccount.annotations | object | `{}` | Annotations to add to the ServiceAccount. | -| operator.serviceAccount.create | bool | `true` | Whether a ServiceAccount should be created. | -| operator.serviceAccount.name | string | `""` | Name of the ServiceAccount to use. If not set and create is true, a name is generated using the fullname template. | -| operator.serviceAnnotations | object | `{}` | Annotations to add to the Service. | -| operator.serviceLabels | object | `{}` | Labels to add to the Service. | -| operator.serviceMonitor.create | bool | `false` | Whether to create a ServiceMonitor resource for monitoring. | -| operator.serviceMonitor.labels | object | `{}` | Labels to add to the ServiceMonitor. | -| operator.tolerations | list | `[]` | Custom tolerations to apply to the operator Deployment in order to allow its Pods to run on tainted nodes. | -| operator.updateStrategy | object | `{"type":"RollingUpdate"}` | Specifies the operator update strategy. | +| multusNetworkAttachmentDefinition.create | bool | `false` | Whether a NetworkAttachmentDefinition CR should be created, which can be used for applying the CNI plugin to Pods. | +| multusNetworkAttachmentDefinition.namespace | string | `"default"` | Namespace in which the NetworkAttachmentDefinition is deployed. Note: If namespace is set to a custom value, referencing the created NetworkAttachmentDefinition from other namespaces may not work if Multus namespace isolation is enabled. https://github.com/k8snetworkplumbingwg/multus-cni/blob/v4.0.2/docs/configuration.md#namespace-isolation | +| nameOverride | string | `""` | Allows overriding the name to use instead of "microgateway-cni". | +| nodeSelector | object | `{"kubernetes.io/os":"linux"}` | NodeSelector to apply to the CNI DaemonSet in order to only deploy the CNI plugin on specific nodes. | +| podAnnotations | object | `{}` | Annotations to add to all Pods. | +| podLabels | object | `{}` | Labels to add to all Pods. | +| privileged | bool | `false` | Whether the DaemonSet should run in privileged mode. Must be enabled for environments which require it for writing files to the host (e.g. OpenShift). | +| rbac.create | bool | `true` | Whether to create RBAC resources which are required for the CNI plugin to function. | +| rbac.createSCCRole | OpenShift | `false` | Whether to create RBAC resources which allow the CNI installer to use the "privileged" security context constraint. | +| resources | object | `{"requests":{"cpu":"10m","memory":"100Mi"}}` | Resource restrictions to apply to the CNI installer container. | +| serviceAccount.annotations | object | `{}` | Annotations to add to the ServiceAccount. | +| serviceAccount.create | bool | `true` | Whether a ServiceAccount should be created. | +| serviceAccount.name | string | `""` | Name of the ServiceAccount to use. If not set and create is true, a name is generated using the fullname template. | | tests.enabled | bool | `false` | Whether additional resources required for running `helm test` should be created (e.g. Roles and ServiceAccounts). If set to false, `helm test` will not run any tests. | ## License diff --git a/charts/airlock/microgateway/4.2.3/crds/accesscontrols.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.2.3/crds/accesscontrols.microgateway.airlock.com.yaml deleted file mode 100644 index dea146ba5..000000000 --- a/charts/airlock/microgateway/4.2.3/crds/accesscontrols.microgateway.airlock.com.yaml +++ /dev/null @@ -1,124 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.14.0 - labels: - app.kubernetes.io/name: airlock-microgateway-operator - app.kubernetes.io/version: 4.2.3 - name: accesscontrols.microgateway.airlock.com -spec: - group: microgateway.airlock.com - names: - categories: - - airlock-microgateway - kind: AccessControl - listKind: AccessControlList - plural: accesscontrols - singular: accesscontrol - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - description: AccessControl specifies the options to perform access control with a Microgateway Engine container. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Specifies how the Airlock Microgateway Engine performs access control. - properties: - policies: - description: Policies configures access control policies. - items: - properties: - authorization: - description: Authorization configures how requests are authorized. An empty object value {} disables authorization. - properties: - authentication: - description: Authentication specifies that clients need to be authenticated with the provided method. - properties: - oidc: - description: OIDC configures client authentication using OpenID Connect. - properties: - oidcRelyingPartyRef: - description: OIDCRelyingPartyRef configures how the Airlock Microgateway Engine interacts with the OpenID provider. - properties: - name: - description: Name of the resource - minLength: 1 - type: string - required: - - name - type: object - required: - - oidcRelyingPartyRef - type: object - type: object - type: object - identityPropagation: - description: IdentityPropagation configures how the authenticated user's identity is communicated to the protected application. - properties: - actions: - description: Actions specifies the propagation actions. - items: - properties: - identityPropagationRef: - description: IdentityPropagationRef selects an IdentityPropagation to apply. - properties: - name: - description: Name of the resource - minLength: 1 - type: string - required: - - name - type: object - required: - - identityPropagationRef - type: object - type: array - onFailure: - description: |- - OnFailure configures what should happen, if an identity propagation fails. Meaning of the possible values: - _Pass_: The request should be forwarded to the upstream, without including the information from the failed identity propagations. - enum: - - Pass - type: string - required: - - actions - - onFailure - type: object - required: - - authorization - type: object - maxItems: 1 - minItems: 1 - type: array - required: - - policies - type: object - required: - - spec - type: object - served: true - storage: true - subresources: {} diff --git a/charts/airlock/microgateway/4.2.3/crds/contentsecurities.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.2.3/crds/contentsecurities.microgateway.airlock.com.yaml deleted file mode 100644 index e5f25bf30..000000000 --- a/charts/airlock/microgateway/4.2.3/crds/contentsecurities.microgateway.airlock.com.yaml +++ /dev/null @@ -1,127 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.14.0 - labels: - app.kubernetes.io/name: airlock-microgateway-operator - app.kubernetes.io/version: 4.2.3 - name: contentsecurities.microgateway.airlock.com -spec: - group: microgateway.airlock.com - names: - categories: - - airlock-microgateway - kind: ContentSecurity - listKind: ContentSecurityList - plural: contentsecurities - singular: contentsecurity - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - description: ContentSecurity specifies the options to secure an upstream web application with a Microgateway Engine container. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Specifies the options to secure an upstream web application with a Microgateway Engine container. - properties: - apiProtection: - description: |- - APIProtection defines the relevant configurations to protect APIs. - If undefined, default settings are applied, designed to work with most upstream web application services. - properties: - openAPIRef: - description: |- - OpenAPIRef selects the relevant OpenAPI configuration resource. - If undefined, default settings are applied, designed to work with most upstream web application services. - properties: - name: - description: Name of the resource - minLength: 1 - type: string - required: - - name - type: object - type: object - filter: - description: |- - Filter defines the set of filters, e.g. Airlock Deny Rules, to be applied to incoming requests - to protect against various attack patterns. - If undefined, default settings are applied, designed to work with most upstream web application services. - properties: - denyRulesRef: - description: |- - DenyRulesRef selects the relevant DenyRules configuration resource. - If undefined, default settings are applied, designed to work with most upstream web application services. - properties: - name: - description: Name of the resource - minLength: 1 - type: string - required: - - name - type: object - type: object - headerRewritesRef: - description: |- - HeaderRewritesRef selects the relevant HeaderRewrites. - If undefined, default settings are applied, designed to work with most upstream web application services. - properties: - name: - description: Name of the resource - minLength: 1 - type: string - required: - - name - type: object - limitsRef: - description: |- - LimitsRef selects the relevant Limits configuration resource. - If undefined, default settings are applied, designed to work with most upstream web application services. - properties: - name: - description: Name of the resource - minLength: 1 - type: string - required: - - name - type: object - parserRef: - description: |- - ParserRef selects the relevant Parser configuration resource. - If undefined, default settings are applied, designed to work with most upstream web application services. - properties: - name: - description: Name of the resource - minLength: 1 - type: string - required: - - name - type: object - type: object - type: object - served: true - storage: true - subresources: {} diff --git a/charts/airlock/microgateway/4.2.3/crds/denyrules.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.2.3/crds/denyrules.microgateway.airlock.com.yaml deleted file mode 100644 index 00e680b58..000000000 --- a/charts/airlock/microgateway/4.2.3/crds/denyrules.microgateway.airlock.com.yaml +++ /dev/null @@ -1,1508 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.14.0 - labels: - app.kubernetes.io/name: airlock-microgateway-operator - app.kubernetes.io/version: 4.2.3 - name: denyrules.microgateway.airlock.com -spec: - group: microgateway.airlock.com - names: - categories: - - airlock-microgateway - kind: DenyRules - listKind: DenyRulesList - plural: denyrules - singular: denyrules - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - DenyRules configures request filtering using Airlock built-in and custom deny rules. - Deny rules establish a negative security model. They define prohibited patterns which, when a match is found in a request, lead to it being blocked from reaching the upstream web application. - To handle possible false positives, lower the security level or define fine-granular deny rule exceptions - If undefined, default settings are applied, designed to work with most upstream web application services. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Specification of the desired deny rules behavior. - properties: - request: - description: Request configures deny rules for downstream requests. - properties: - builtIn: - description: BuiltIn configures the built-in deny rules. - properties: - exceptions: - description: Exceptions allows to define exceptions for specific requests and deny rules. - items: - description: |- - DenyRulesException defines an exception for deny rules. Exceptions may be defined by any or a combination of the following elements: blockedData (the request data causing a block) or requestConditions (properties of a request without taking into consideration the reason why a request has been blocked). - At least one of blockedData and requestConditions must be set. - properties: - blockedData: - description: BlockedData defines an exception based on the request data causing the block. - properties: - header: - description: |- - Header defines an exception based on a blocked header. - Only one of parameter, header, path, pathSegment or json can be set. - properties: - name: - description: Name defines the name of a header. - properties: - matcher: - description: Matcher defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - value: - description: Value defines the value of a header. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - type: object - json: - description: |- - JSON defines an exception based on a blocked JSON property. - Only one of parameter, header, path, pathSegment or json can be set. - properties: - jsonPath: - description: |- - JSONPath defines the JSONPath pattern to match the path within the JSON. - Expressions in JSONPath i.e. `?(expr)` are not supported. - minLength: 1 - type: string - key: - description: |- - Key defines the key of the JSON property. - At most one of key and value can be set. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - value: - description: |- - Value defines the value of the JSON property. - At most one of key and value can be set. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - type: object - parameter: - description: |- - Parameter defines an exception based on a blocked parameter. - Only one of parameter, header, path, pathSegment or json can be set. - properties: - name: - description: Name defines the name of a parameter. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - source: - default: Any - description: Source defines the source of the parameter. - enum: - - Query - - Post - - Any - type: string - value: - description: Value defines the value of a parameter. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - type: object - path: - description: |- - Path defines an exception based on the blocked path. - Only one of parameter, header, path, pathSegment or json can be set. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - pathSegment: - description: |- - PathSegment defines an exception based on a blocked path segment. - Only one of parameter, header, path, pathSegment or json can be set. - properties: - segments: - description: Segments defines the position of a segment within the path. - properties: - index: - description: Index specifies an exact path segment position by index (0-based). - minimum: 0 - type: integer - type: object - value: - description: Value defines the value of a path segment. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - type: object - type: object - requestConditions: - description: RequestConditions defines an exception based on a property of a request without taking into consideration the reason why a request has been blocked. - properties: - header: - description: Header defines the matching headers of a request. - properties: - name: - description: Name defines the name of a header. - properties: - matcher: - description: Matcher defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - value: - description: Value defines the value of a header. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - type: object - invert: - default: false - description: Invert indicates whether the request condition should be inverted. - type: boolean - mediaType: - description: MediaType defines the matching media type from the content-type header of a request. - properties: - matcher: - description: |- - NonInvertableCaseInsensitiveStringMatcher defines the way to match a string. - In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - method: - description: Method defines the matching methods of a request. - items: - description: Method defines common HTTP methods. - enum: - - GET - - HEAD - - POST - - PUT - - PATCH - - DELETE - - CONNECT - - OPTIONS - - TRACE - type: string - type: array - path: - description: Path defines the matching path of a request. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - remoteIP: - description: RemoteIP defines the matching remote IPs of a request. - properties: - cidrRanges: - description: CIDRRanges defines the IPv4 or IPv6 CIDR ranges, e.g. ``196.148.3.128/26`` or ``2001:db8::/28``. - items: - description: CIDRRange defines an IPv4 or IPv6 CIDR range, e.g. “196.148.3.128/26“ or “2001:db8::/28“. - format: cidr - type: string - minItems: 1 - type: array - invert: - default: false - description: Invert indicates whether the match should be inverted. - type: boolean - required: - - cidrRanges - type: object - type: object - ruleKeys: - description: RuleKeys restricts the exception to a set of deny rules. - items: - description: |- - A deny rule name can be any of the following values: - ENCODING | - EXPLOIT | - HPP | - HTML | - IDOR | - LDAP | - NOSQL | - OGNL | - PHP | - PROTOCOL | - SANITY | - SCANNING | - SQL | - TEMPLATE | - UNIXCMD | - WINCMD | - XSS - enum: - - ENCODING - - EXPLOIT - - HPP - - HTML - - IDOR - - LDAP - - NOSQL - - OGNL - - PHP - - PROTOCOL - - SANITY - - SCANNING - - SQL - - TEMPLATE - - UNIXCMD - - WINCMD - - XSS - type: string - minItems: 1 - type: array - type: object - type: array - overrides: - description: Overrides allows to override the builtIn settings for specific deny rules. - items: - description: DenyRulesOverride allows to override the builtIn settings for specific deny rules. - properties: - conditions: - description: Conditions select which built-in deny rules' settings will be adjusted. - properties: - ruleKeys: - description: RuleKeys is a list of built-in deny rule names. - items: - description: |- - A deny rule name can be any of the following values: - ENCODING | - EXPLOIT | - HPP | - HTML | - IDOR | - LDAP | - NOSQL | - OGNL | - PHP | - PROTOCOL | - SANITY | - SCANNING | - SQL | - TEMPLATE | - UNIXCMD | - WINCMD | - XSS - enum: - - ENCODING - - EXPLOIT - - HPP - - HTML - - IDOR - - LDAP - - NOSQL - - OGNL - - PHP - - PROTOCOL - - SANITY - - SCANNING - - SQL - - TEMPLATE - - UNIXCMD - - WINCMD - - XSS - type: string - minItems: 1 - type: array - types: - description: Types defines the type of attributes the override should be applied on. If Types are defined without any RuleKeys the override is applied to all deny rules. - items: - description: |- - A deny rule override type name can be any of the following values: - Header | - Parameter | - Path | - JSON - enum: - - Header - - Parameter - - Path - - PathSegment - - JSON - type: string - minItems: 0 - type: array - type: object - settings: - description: Settings override the corresponding properties for the selected rules. - properties: - level: - description: Level specifies the filter strength. - enum: - - Unfiltered - - Basic - - Standard - - Strict - type: string - threatHandlingMode: - description: ThreatHandlingMode specifies how threats should be handled. - enum: - - Block - - LogOnly - type: string - type: object - type: object - type: array - settings: - description: Settings contains the keys which will be adjusted. - properties: - level: - default: Standard - description: Level represents a set of deny rules with different filter strengths. - enum: - - Unfiltered - - Basic - - Standard - - Strict - type: string - threatHandlingMode: - default: Block - description: ThreatHandlingMode specifies how threats should be handled when a deny rule matches. - enum: - - Block - - LogOnly - type: string - type: object - type: object - custom: - description: Custom allows configuring additional deny rules. - properties: - rules: - description: Rules defines list of additional deny rules. - items: - properties: - blockData: - description: BlockData specifies the request data which should cause a block. - properties: - header: - description: |- - Header specifies to block requests containing a matching header. - Only one of parameter, header, path, pathSegment or json can be set. - properties: - name: - description: Name defines the name of a header. - properties: - matcher: - description: |- - NonInvertableCaseInsensitiveStringMatcher defines the way to match a string. - In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - value: - description: Value defines the value of a header. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - type: object - json: - description: |- - JSON specifies to block requests containing a matching JSON property in the body. - Only one of parameter, header, path, pathSegment or json can be set. - properties: - key: - description: Key defines the key of a JSON object. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - value: - description: Value defines the value of a JSON object. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - type: object - parameter: - description: |- - Parameter specifies to block requests containing a matching parameter. - Only one of parameter, header, path, pathSegment or json can be set. - properties: - name: - description: Name defines the name of a parameter. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - value: - description: Value defines the value of a parameter. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - type: object - path: - description: |- - Path specifies to block requests with a matching path. - Only one of parameter, header, path, pathSegment or json can be set. - properties: - matcher: - description: Matcher specifies which path to block. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - pathSegment: - description: |- - PathSegment specifies to block requests containing a matching path segment. - Only one of parameter, header, path, pathSegment or json can be set. - properties: - segments: - description: |- - Segments restricts which path segments are filtered by this rule. - If not specified, all segments of a path are filtered. - properties: - index: - description: Index restricts the rule to the path segment at this index (0-based). - minimum: 0 - type: integer - type: object - value: - description: Value specifies which path segment values to block. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - required: - - value - type: object - type: object - requestConditions: - description: RequestConditions defines additional request properties which must be matched in order for this rule to apply. - properties: - header: - description: Header defines the matching headers of a request. - properties: - name: - description: Name defines the name of a header. - properties: - matcher: - description: Matcher defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - value: - description: Value defines the value of a header. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - type: object - invert: - default: false - description: Invert indicates whether the request condition should be inverted. - type: boolean - mediaType: - description: MediaType defines the matching media type from the content-type header of a request. - properties: - matcher: - description: |- - NonInvertableCaseInsensitiveStringMatcher defines the way to match a string. - In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - method: - description: Method defines the matching methods of a request. - items: - description: Method defines common HTTP methods. - enum: - - GET - - HEAD - - POST - - PUT - - PATCH - - DELETE - - CONNECT - - OPTIONS - - TRACE - type: string - type: array - path: - description: Path defines the matching path of a request. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - remoteIP: - description: RemoteIP defines the matching remote IPs of a request. - properties: - cidrRanges: - description: CIDRRanges defines the IPv4 or IPv6 CIDR ranges, e.g. ``196.148.3.128/26`` or ``2001:db8::/28``. - items: - description: CIDRRange defines an IPv4 or IPv6 CIDR range, e.g. “196.148.3.128/26“ or “2001:db8::/28“. - format: cidr - type: string - minItems: 1 - type: array - invert: - default: false - description: Invert indicates whether the match should be inverted. - type: boolean - required: - - cidrRanges - type: object - type: object - ruleKey: - description: RuleKey defines a technical key for the deny rule. Must be unique. - minLength: 1 - pattern: ^[A-Z][A-Z0-9_]*$ - type: string - threatHandlingMode: - default: Block - description: ThreatHandlingMode specifies how threats should be handled when a deny rule matches. - enum: - - Block - - LogOnly - type: string - required: - - blockData - - ruleKey - type: object - type: array - x-kubernetes-list-map-keys: - - ruleKey - x-kubernetes-list-type: map - type: object - type: object - type: object - type: object - served: true - storage: true - subresources: {} diff --git a/charts/airlock/microgateway/4.2.3/crds/envoyclusters.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.2.3/crds/envoyclusters.microgateway.airlock.com.yaml deleted file mode 100644 index 90983db5d..000000000 --- a/charts/airlock/microgateway/4.2.3/crds/envoyclusters.microgateway.airlock.com.yaml +++ /dev/null @@ -1,58 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.14.0 - labels: - app.kubernetes.io/name: airlock-microgateway-operator - app.kubernetes.io/version: 4.2.3 - name: envoyclusters.microgateway.airlock.com -spec: - group: microgateway.airlock.com - names: - categories: - - airlock-microgateway - kind: EnvoyCluster - listKind: EnvoyClusterList - plural: envoyclusters - singular: envoycluster - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - description: EnvoyCluster is an additional Envoy Cluster resource which is added to those defined by the Airlock Microgateway. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Specification of the desired additional Envoy cluster. - properties: - value: - description: Value defines the Envoy Cluster which is added to those configured by the Airlock Microgateway. - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - served: true - storage: true - subresources: {} diff --git a/charts/airlock/microgateway/4.2.3/crds/envoyconfigurations.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.2.3/crds/envoyconfigurations.microgateway.airlock.com.yaml deleted file mode 100644 index 6b73e0bfc..000000000 --- a/charts/airlock/microgateway/4.2.3/crds/envoyconfigurations.microgateway.airlock.com.yaml +++ /dev/null @@ -1,182 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.14.0 - labels: - app.kubernetes.io/name: airlock-microgateway-operator - app.kubernetes.io/version: 4.2.3 - name: envoyconfigurations.microgateway.airlock.com -spec: - group: microgateway.airlock.com - names: - categories: - - airlock-microgateway - kind: EnvoyConfiguration - listKind: EnvoyConfigurationList - plural: envoyconfigurations - singular: envoyconfiguration - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .status.status - name: Status - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - EnvoyConfiguration is the Schema for the envoyconfigurations API - {{% notice warning %}} EnvoyConfiguration resources may contain sensitive information and thus RBAC permissions should be granted with care. {{% /notice %}} - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: EnvoyConfigurationSpec defines the desired state of EnvoyConfiguration - properties: - envoyResources: - description: EnvoyResources defines the desired state for each resource type. - properties: - clusters: - items: - type: object - x-kubernetes-preserve-unknown-fields: true - type: array - endpoints: - items: - type: object - x-kubernetes-preserve-unknown-fields: true - type: array - extensions: - items: - type: object - x-kubernetes-preserve-unknown-fields: true - type: array - listeners: - items: - type: object - x-kubernetes-preserve-unknown-fields: true - type: array - routes: - items: - type: object - x-kubernetes-preserve-unknown-fields: true - type: array - runtimes: - items: - type: object - x-kubernetes-preserve-unknown-fields: true - type: array - scopedRoutes: - items: - type: object - x-kubernetes-preserve-unknown-fields: true - type: array - secrets: - items: - type: object - x-kubernetes-preserve-unknown-fields: true - type: array - type: object - nodeID: - description: NodeID defines the ID of the envoy node - type: string - required: - - nodeID - type: object - status: - description: EnvoyConfigurationStatus defines the observed state of EnvoyConfiguration - properties: - conditions: - items: - properties: - lastTransitionTime: - description: Last time the condition transitioned from one status to another. - format: date-time - type: string - message: - description: A human-readable message indicating details about the transition. - type: string - reason: - description: The reason for the condition's last transition. - type: string - status: - description: Status of the condition, one of True, False, Unknown. - type: string - type: - description: Type of EnvoyConfiguration condition. - type: string - required: - - status - - type - type: object - type: array - status: - type: string - xds: - properties: - resourceTypes: - additionalProperties: - description: XdsResourceTypeSyncStatus defines the sync status of xDS for a specific resource type - properties: - errorMessage: - description: ErrorMessage defines an optional message why the currently served resources of this resource type are rejected by the client. - type: string - resources: - additionalProperties: - description: XdsResourceStatus defines the status of xDS for a specific resource - properties: - version: - description: Version defines the version which is currently served for this resource. - type: string - required: - - version - type: object - description: Resources defines the resources which are currently served for this resource type. - type: object - status: - description: Status defines the current sync status of this resource type. - type: string - version: - description: Version defines the version which is currently served for this resource type. - type: string - required: - - resources - - status - - version - type: object - description: ResourceTypes defines the sync statuses for each resource type. - type: object - version: - description: Version defines the version of the underlying xDS snapshot. - type: integer - required: - - version - type: object - required: - - status - - xds - type: object - type: object - served: true - storage: true - subresources: - status: {} diff --git a/charts/airlock/microgateway/4.2.3/crds/headerrewrites.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.2.3/crds/headerrewrites.microgateway.airlock.com.yaml deleted file mode 100644 index 9df1a1db2..000000000 --- a/charts/airlock/microgateway/4.2.3/crds/headerrewrites.microgateway.airlock.com.yaml +++ /dev/null @@ -1,759 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.14.0 - labels: - app.kubernetes.io/name: airlock-microgateway-operator - app.kubernetes.io/version: 4.2.3 - name: headerrewrites.microgateway.airlock.com -spec: - group: microgateway.airlock.com - names: - categories: - - airlock-microgateway - kind: HeaderRewrites - listKind: HeaderRewritesList - plural: headerrewrites - singular: headerrewrites - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: HeaderRewrites is the Schema for the headerrewrites API - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Specification of the desired header rewriting behavior. - properties: - request: - description: Request defines manipulations on upstream request headers. - properties: - add: - description: Add defines which request headers will be added before forwarding to the upstream. - properties: - custom: - description: |- - Custom allows configuring additional upstream request headers. - Add selected headers. - items: - properties: - headers: - description: Headers to add. - items: - description: HeaderRewritesHeader specifies a header with a particular value - properties: - name: - description: Name defines the name of a header. - minLength: 1 - type: string - value: - description: Value defines the value of a header. - type: string - required: - - name - - value - type: object - minItems: 1 - type: array - mode: - default: AddIfAbsent - description: Mode defines the header addition strategy. - enum: - - AddIfAbsent - - OverwriteOrAdd - type: string - name: - description: Name describing the configured operation. - minLength: 1 - type: string - required: - - headers - - name - type: object - minItems: 1 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - type: object - allow: - description: |- - Allow defines which request headers will be forwarded to the upstream. - This can either be allHeaders or matchingHeaders. - Default: matchingHeaders: {...} - properties: - allHeaders: - description: AllHeaders specifies that all request headers should be forwarded. - type: object - matchingHeaders: - description: MatchingHeaders specifies which request headers should be forwarded. - properties: - builtIn: - description: BuiltIn allows configuring a set of predefined upstream request headers. - properties: - standardHeaders: - default: true - description: StandardHeaders defines whether the request headers which are forwarded to the upstream will be restricted to a set of common request headers. - type: boolean - type: object - custom: - description: Custom allows configuring additional upstream request headers. - items: - properties: - headers: - description: Headers to allow. - items: - description: |- - HeaderMatcher defines a matcher for an HTTP header. - At least one of name and value must be set. - properties: - name: - description: Name defines the name of a header. - properties: - matcher: - description: Matcher defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - value: - description: Value defines the value of a header. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - type: object - minItems: 1 - type: array - name: - description: Name describing the configured operation. Must be unique. - minLength: 1 - type: string - required: - - headers - - name - type: object - minItems: 1 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - type: object - type: object - remove: - description: Remove defines which request headers will be removed before forwarding to the upstream. - properties: - builtIn: - description: BuiltIn allows configuring a set of predefined upstream request headers. - properties: - alternativeForwardedHeaders: - default: true - description: |- - AlternativeForwardedHeaders removes downstream request headers which could potentially - be abused to alter the upstream's view of the remote connection. - type: boolean - type: object - custom: - description: Custom allows configuring additional upstream request headers. - items: - properties: - headers: - description: Headers to remove. - items: - description: |- - HeaderMatcher defines a matcher for an HTTP header. - At least one of name and value must be set. - properties: - name: - description: Name defines the name of a header. - properties: - matcher: - description: Matcher defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - value: - description: Value defines the value of a header. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - type: object - minItems: 1 - type: array - name: - description: Name describing the configured operation. Must be unique. - minLength: 1 - type: string - required: - - headers - - name - type: object - minItems: 1 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - type: object - type: object - response: - description: Response defines manipulations on upstream response headers. - properties: - add: - description: Add defines which response headers will be added before forwarding to the downstream. - properties: - builtIn: - description: BuiltIn allows configuring a set of predefined upstream response headers. - properties: - csp: - default: true - description: |- - CSP sets a content security policy which allows only same-origin requests except for images - if the 'Content-Security-Policy' header is not set by the upstream. - type: boolean - featurePolicy: - default: false - description: |- - FeaturePolicy sets a feature policy which prevents cross-origin use of several browser features - if the 'Feature-Policy' header is not set by the upstream. - **Deprecated:** Use permissionsPolicy instead. - type: boolean - hsts: - default: true - description: HSTS enforces the use of HTTPS if the 'Strict-Transport-Security' header is not already set by the upstream. - type: boolean - hstsPreload: - default: false - description: HSTSPreload enforces the use of HTTPS including for subdomains and enables HSTS preload. - type: boolean - permissionsPolicy: - default: true - description: |- - PermissionsPolicy sets a permissions policy which prevents cross-origin use of several browser features - if the 'Permissions-Policy' header is not set by the upstream. - type: boolean - referrerPolicy: - default: true - description: |- - ReferrerPolicy ensures that no 'Referer' header is sent for cross-origin requests - if the 'Referrer-Policy' header is not set by the upstream. - type: boolean - xContentTypeOptions: - default: true - description: XContentTypeOptions sets 'X-Content-Type-Options' to 'nosniff' if it is not set by the upstream. - type: boolean - xFrameOptions: - default: true - description: XFrameOptions sets 'X-Frame-Options' to SAMEORIGIN if it is not set by the upstream. - type: boolean - type: object - custom: - description: Custom allows configuring additional upstream response headers. - items: - properties: - headers: - description: Headers to add. - items: - description: HeaderRewritesHeader specifies a header with a particular value - properties: - name: - description: Name defines the name of a header. - minLength: 1 - type: string - value: - description: Value defines the value of a header. - type: string - required: - - name - - value - type: object - minItems: 1 - type: array - mode: - default: AddIfAbsent - description: Mode defines the header addition strategy. - enum: - - AddIfAbsent - - OverwriteOrAdd - type: string - name: - description: Name describing the configured operation. - minLength: 1 - type: string - required: - - headers - - name - type: object - minItems: 1 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - type: object - allow: - description: |- - Allow defines which response headers will be forwarded to the downstream. - This can either be allHeaders or matchingHeaders. - Default: allHeaders: {} - properties: - allHeaders: - description: AllHeaders specifies that all response headers should be forwarded. - type: object - matchingHeaders: - description: MatchingHeaders specifies which response headers should be forwarded. - properties: - builtIn: - description: BuiltIn allows configuring a set of predefined upstream response header. - properties: - standardHeaders: - default: false - description: StandardHeaders defines whether the response headers which are forwarded to the downstream will be restricted to a set of common response headers. - type: boolean - type: object - custom: - description: Custom allows configuring additional upstream response headers. - items: - properties: - headers: - description: Headers to allow. - items: - description: |- - HeaderMatcher defines a matcher for an HTTP header. - At least one of name and value must be set. - properties: - name: - description: Name defines the name of a header. - properties: - matcher: - description: Matcher defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - value: - description: Value defines the value of a header. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - type: object - minItems: 1 - type: array - name: - description: Name describing the configured operation. Must be unique. - minLength: 1 - type: string - required: - - headers - - name - type: object - minItems: 1 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - type: object - type: object - remove: - description: Remove defines which response headers will be removed before forwarding to the downstream. - properties: - builtIn: - description: BuiltIn allows configuring a set of predefined upstream response headers. - properties: - auth: - description: Auth defines the categories of headers concerning authentication. - properties: - basic: - default: false - description: Basic removes upstream response headers that advise clients to authenticate with Basic Authentication. - type: boolean - negotiate: - default: true - description: Negotiate removes upstream response headers that advise clients to authenticate with Negotiate. - type: boolean - ntlm: - default: true - description: |- - NTLM removes upstream response headers that advise clients to authenticate with NTLM. - By default, these headers are removed, because NTLM pass-through is not supported. - type: boolean - type: object - informationLeakage: - description: InformationLeakage defines the categories of headers concerning information leakage. - properties: - application: - default: true - description: Application removes upstream response headers that leak information about the deployed software. - type: boolean - server: - default: true - description: Server removes upstream response headers that leak information about the server. - type: boolean - type: object - permissiveCors: - default: true - description: PermissiveCORS removes upstream response headers for CORS (Cross-Origin Resource Sharing) which have no restrictions and therefore reduce client-side security. - type: boolean - type: object - custom: - description: Custom allows configuring additional upstream response headers. - items: - properties: - headers: - description: Headers to remove. - items: - description: |- - HeaderMatcher defines a matcher for an HTTP header. - At least one of name and value must be set. - properties: - name: - description: Name defines the name of a header. - properties: - matcher: - description: Matcher defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - value: - description: Value defines the value of a header. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - type: object - minItems: 1 - type: array - name: - description: Name describing the configured remove operation. Must be unique. - minLength: 1 - type: string - required: - - headers - - name - type: object - minItems: 1 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - type: object - type: object - settings: - description: Settings configures the HeaderRewrites filter. - properties: - operationalMode: - default: Production - description: OperationalMode defines the behavior of the filter. In integration mode more information is logged about the requests and responses. - enum: - - Production - - Integration - type: string - type: object - type: object - type: object - served: true - storage: true diff --git a/charts/airlock/microgateway/4.2.3/crds/identitypropagations.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.2.3/crds/identitypropagations.microgateway.airlock.com.yaml deleted file mode 100644 index 9b8c69599..000000000 --- a/charts/airlock/microgateway/4.2.3/crds/identitypropagations.microgateway.airlock.com.yaml +++ /dev/null @@ -1,108 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.14.0 - labels: - app.kubernetes.io/name: airlock-microgateway-operator - app.kubernetes.io/version: 4.2.3 - name: identitypropagations.microgateway.airlock.com -spec: - group: microgateway.airlock.com - names: - categories: - - airlock-microgateway - kind: IdentityPropagation - listKind: IdentityPropagationList - plural: identitypropagations - singular: identitypropagation - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - description: IdentityPropagation specifies the desired identity propagation. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Specification of the desired identity propagation. - properties: - header: - description: Header configures identity propagation via a request header. - properties: - name: - description: Name of the header to set. - minLength: 1 - type: string - value: - description: Value to propagate to the application. - properties: - source: - description: Source from which to extract the value. - properties: - metadata: - description: Metadata specifies to extract a value from an Envoy dynamic filter metadata key. - properties: - key: - description: Key specifies the metadata key from which to load the value, e.g. `some_payload.aud`. - minLength: 1 - type: string - namespace: - description: Namespace specifies the metadata namespace within which the lookup should be performed, e.g. `envoy.filters.http.jwt_authn`. - minLength: 1 - type: string - required: - - key - - namespace - type: object - oidc: - description: OIDC specifies to extract a value from the result of an OpenID Connect flow. - properties: - idToken: - description: IDToken specifies to extract the value from the OpenID Connect ID Token. - properties: - claim: - description: Claim selects the JWT claim from which to extract the value. - minLength: 1 - type: string - required: - - claim - type: object - required: - - idToken - type: object - type: object - required: - - source - type: object - required: - - name - - value - type: object - type: object - required: - - spec - type: object - served: true - storage: true - subresources: {} diff --git a/charts/airlock/microgateway/4.2.3/crds/limits.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.2.3/crds/limits.microgateway.airlock.com.yaml deleted file mode 100644 index 23adafe3b..000000000 --- a/charts/airlock/microgateway/4.2.3/crds/limits.microgateway.airlock.com.yaml +++ /dev/null @@ -1,453 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.14.0 - labels: - app.kubernetes.io/name: airlock-microgateway-operator - app.kubernetes.io/version: 4.2.3 - name: limits.microgateway.airlock.com -spec: - group: microgateway.airlock.com - names: - categories: - - airlock-microgateway - kind: Limits - listKind: LimitsList - plural: limits - singular: limits - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: Limits contains the configuration for limits. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Specification of the desired limits behavior. - properties: - request: - description: Request defines the limits for requests. - properties: - limited: - description: Limited enables limits on request scope. - properties: - exceptions: - description: Exceptions defines limit exceptions. - items: - description: LimitsException defines an exception for limits. - properties: - length: - description: Length defines an exception for length limits based on the data element exceeding the limit. - properties: - json: - description: JSON defines a key and value length limit exception for a JSON property. - properties: - jsonPath: - description: |- - JSONPath restricts the exception to JSON properties with a matching JSONPath. - Expressions in JSONPath i.e. `?(expr)` are not supported. - minLength: 1 - type: string - required: - - jsonPath - type: object - parameter: - description: Parameter defines a name and value length limit exception for a parameter. - properties: - name: - description: Name restricts the exception to parameters with a matching name. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - source: - default: Any - description: Source restricts the exception to parameters of this kind. - enum: - - Query - - Post - - Any - type: string - required: - - name - type: object - type: object - requestConditions: - description: RequestConditions defines additional request properties which must be matched in order for this exception to apply. - properties: - header: - description: Header defines the matching headers of a request. - properties: - name: - description: Name defines the name of a header. - properties: - matcher: - description: Matcher defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - value: - description: Value defines the value of a header. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - type: object - invert: - default: false - description: Invert indicates whether the request condition should be inverted. - type: boolean - mediaType: - description: MediaType defines the matching media type from the content-type header of a request. - properties: - matcher: - description: |- - NonInvertableCaseInsensitiveStringMatcher defines the way to match a string. - In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - method: - description: Method defines the matching methods of a request. - items: - description: Method defines common HTTP methods. - enum: - - GET - - HEAD - - POST - - PUT - - PATCH - - DELETE - - CONNECT - - OPTIONS - - TRACE - type: string - type: array - path: - description: Path defines the matching path of a request. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - remoteIP: - description: RemoteIP defines the matching remote IPs of a request. - properties: - cidrRanges: - description: CIDRRanges defines the IPv4 or IPv6 CIDR ranges, e.g. ``196.148.3.128/26`` or ``2001:db8::/28``. - items: - description: CIDRRange defines an IPv4 or IPv6 CIDR range, e.g. “196.148.3.128/26“ or “2001:db8::/28“. - format: cidr - type: string - minItems: 1 - type: array - invert: - default: false - description: Invert indicates whether the match should be inverted. - type: boolean - required: - - cidrRanges - type: object - type: object - type: object - type: array - general: - description: General defines general request limits. - properties: - bodySize: - anyOf: - - type: integer - - type: string - default: 100Ki - description: BodySize limits the total size of the request body. It specifies the number of bytes (0 = unlimited). This limit is effective only for requests that are parsed (e.g. JSON data). File uploads are not affected by this limit. - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - pathLength: - anyOf: - - type: integer - - type: string - default: 1Ki - description: PathLength defines the maximum path length for requests. - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - json: - description: JSON defines the limits for JSON requests. - properties: - elementCount: - default: 10000 - description: ElementCount defines the maximum number of keys and array items in the whole JSON document (recursive). - format: int64 - type: integer - keyCount: - default: 250 - description: KeyCount defines the maximum number of keys of a single JSON object (non-recursive). - format: int64 - type: integer - keyLength: - anyOf: - - type: integer - - type: string - default: "128" - description: KeyLength defines the maximum length for JSON keys. - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - nestingDepth: - default: 100 - description: NestingDepth defines the maximum depth of nesting for JSON objects and JSON arrays. - format: int64 - type: integer - valueLength: - anyOf: - - type: integer - - type: string - default: 8Ki - description: ValueLength defines the maximum length for JSON values. - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - parameter: - description: Parameter defines the limits for request parameters. - properties: - count: - default: 128 - description: Count defines the maximum number of request parameters. - format: int64 - type: integer - nameLength: - anyOf: - - type: integer - - type: string - default: "128" - description: NameLength defines the maximum length for parameter names. - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - valueLength: - anyOf: - - type: integer - - type: string - default: 8Ki - description: ValueLength defines the maximum length for parameter values. - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - type: object - unlimited: - description: Unlimited disables all limits on request scope. - type: object - type: object - settings: - description: Settings configures the limits filter. - properties: - threatHandlingMode: - default: Block - description: ThreatHandlingMode specifies how threats should be handled when a limit hits. - enum: - - Block - - LogOnly - type: string - type: object - type: object - type: object - served: true - storage: true diff --git a/charts/airlock/microgateway/4.2.3/crds/oidcproviders.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.2.3/crds/oidcproviders.microgateway.airlock.com.yaml deleted file mode 100644 index 69116b40a..000000000 --- a/charts/airlock/microgateway/4.2.3/crds/oidcproviders.microgateway.airlock.com.yaml +++ /dev/null @@ -1,301 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.14.0 - labels: - app.kubernetes.io/name: airlock-microgateway-operator - app.kubernetes.io/version: 4.2.3 - name: oidcproviders.microgateway.airlock.com -spec: - group: microgateway.airlock.com - names: - categories: - - airlock-microgateway - kind: OIDCProvider - listKind: OIDCProviderList - plural: oidcproviders - singular: oidcprovider - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - OIDCProvider specifies an OpenID Provider (OP). - - - {{% notice warning %}} The OIDC feature is currently in an experimental state. - - - We encourage you to try it out and give feedback, but be aware that we do not recommend using it in a production environment yet, as security has not yet been hardened. - In particular, the current implementation has the following limitations, which we intend to address in future Microgateway releases: - - The state parameter is guessable. - - ID token and access token are stored in cookies and are thus sent to the accessing client. - {{% /notice %}} - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Specification of an OpenID Provider. - properties: - static: - description: Static configures an OpenID Provider by explicitly specifying all endpoints. - properties: - endpoints: - description: Endpoints specifies the OpenID Provider endpoints. - properties: - authorization: - description: Authorization specifies the endpoint to which the authorization request is sent. - properties: - uri: - description: URI specifies the endpoint address. - format: uri - minLength: 1 - pattern: ^(http|https)://.*$ - type: string - required: - - uri - type: object - token: - description: Token configures the endpoint from which the access, ID and refresh tokens are obtained. - properties: - tls: - description: TLS defines TLS settings. - properties: - certificateVerification: - description: CertificateVerification specifies how the certificate presented by the server is verified. - properties: - custom: - description: |- - Custom explicitly specifies how the server certificate should be verified. - Typical use cases include specifying a custom CA and SAN match when working with self-signed certificates or pinning a specific public key. - properties: - allowedSANs: - description: |- - AllowedSANs is a list of matchers to verify the Subject Alternative name. If specified, it will verify that the - Subject Alternative Name of the presented certificate matches one of the specified matchers. The matching uses “any” semantics, - that is to say, the SAN is verified if at least one matcher is matched. - AllowedSANs requires trustedCA to be set. - items: - description: |- - TLSValidationContextSANMatcher is a list of matchers to verify the Subject Alternative name. If specified, it will verify that the - Subject Alternative Name of the presented certificate matches one of the specified matchers. - properties: - matcher: - description: Matcher defines the string matcher for the SAN value. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - sanType: - description: SanType defines the type of SAN matcher. - enum: - - DNS - - Email - - URI - - IPAddress - type: string - required: - - matcher - - sanType - type: object - minItems: 1 - type: array - certificatePinning: - description: |- - CertificatePinning defines constraints the presented certificate must fulfill. - If more than one constraint is configured only one must be satisfied. - At least one of allowedSPKIs and allowedHashes must be set. - properties: - allowedHashes: - description: |- - AllowedHashes is a list of hex-encoded SHA-256 hashes. - If specified, it will verify that the SHA-256 of the DER-encoded presented certificate matches one of the specified values. - items: - type: string - minItems: 1 - type: array - allowedSPKIs: - description: |- - AllowedSPKIs is a list of base64-encoded SHA-256 hashes. - If specified, it will verify that the SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate matches one of the specified values. - items: - type: string - minItems: 1 - type: array - type: object - crl: - description: CRL defines the Certificate Revocation List (CRL) settings. - properties: - lists: - description: Lists defines the list of secretRefs containing Certificate Revocation Lists. - items: - properties: - secretRef: - description: SecretRef defines the reference to a secret containing one or more CRL's (in PEM format) under the key 'ca.crl'. - properties: - name: - description: Name of the resource - minLength: 1 - type: string - required: - - name - type: object - required: - - secretRef - type: object - minItems: 1 - type: array - validationMode: - default: VerifyChain - description: ValidationMode defines whether only the leaf certificate or also the CA certs should be checked. - enum: - - VerifyLeafCertOnly - - VerifyChain - type: string - type: object - trustedCA: - description: TrustedCA defines which CA certificates are trusted. - properties: - certificates: - description: Certificates defines the list of secretRefs containing trusted CA certificates. - items: - properties: - secretRef: - description: SecretRef defines the reference to a secret containing one or more CA certificates under the key 'ca.crt'. - properties: - name: - description: Name of the resource - minLength: 1 - type: string - required: - - name - type: object - required: - - secretRef - type: object - minItems: 1 - type: array - verificationDepth: - default: 1 - description: |- - VerificationDepth specifies the hops in the certificate chain at which validation is performed. - 1 means that either the leaf or the signing CA must be in the set of trusted certificates. - format: int32 - type: integer - required: - - certificates - type: object - type: object - disabled: - description: |- - Disabled specifies to trust any certificate without verification. - THIS IS INSECURE AND SHOULD ONLY BE USED FOR TESTING. - type: object - publicCAs: - description: PublicCAs specifies to only accept certificates with a SAN matching "uri" and which are signed by a CA which is either directly or indirectly trusted by any of the root CA certificates shipped with the Airlock Microgateway Engine's base image. - type: object - type: object - ciphers: - description: Ciphers defines a list of the supported TLS cipher suites. For details on cipher list refer to the envoy documentation on cipher_suites in common tls configuration. - items: - type: string - minItems: 1 - type: array - protocol: - description: Protocol defines the supported TLS protocol versions. - properties: - maximum: - description: Maximum supported TLS version. - enum: - - TLSv1_0 - - TLSv1_1 - - TLSv1_2 - - TLSv1_3 - type: string - minimum: - description: Minimum supported TLS version. - enum: - - TLSv1_0 - - TLSv1_1 - - TLSv1_2 - - TLSv1_3 - type: string - type: object - type: object - uri: - description: URI specifies the endpoint address. - format: uri - minLength: 1 - pattern: ^(http|https)://.*$ - type: string - required: - - uri - type: object - required: - - authorization - - token - type: object - required: - - endpoints - type: object - type: object - required: - - spec - type: object - served: true - storage: true - subresources: {} diff --git a/charts/airlock/microgateway/4.2.3/crds/oidcrelyingparties.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.2.3/crds/oidcrelyingparties.microgateway.airlock.com.yaml deleted file mode 100644 index 708e48aaf..000000000 --- a/charts/airlock/microgateway/4.2.3/crds/oidcrelyingparties.microgateway.airlock.com.yaml +++ /dev/null @@ -1,219 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.14.0 - labels: - app.kubernetes.io/name: airlock-microgateway-operator - app.kubernetes.io/version: 4.2.3 - name: oidcrelyingparties.microgateway.airlock.com -spec: - group: microgateway.airlock.com - names: - categories: - - airlock-microgateway - kind: OIDCRelyingParty - listKind: OIDCRelyingPartyList - plural: oidcrelyingparties - singular: oidcrelyingparty - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - OIDCRelyingParty specifies how the Airlock Microgateway Engine interacts with an OpenID Provider (OP). - - - {{% notice warning %}} The OIDC feature is currently in an experimental state. - - - We encourage you to try it out and give feedback, but be aware that we do not recommend using it in a production environment yet, as security has not yet been hardened. - In particular, the current implementation has the following limitations, which we intend to address in future Microgateway releases: - - The state parameter is guessable. - - ID token and access token are stored in cookies and are thus sent to the accessing client. - {{% /notice %}} - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Specification of the OIDC Relying Party configuration. - properties: - clientID: - description: ClientID specifies the OIDCRelyingParty "client_id". - minLength: 1 - type: string - credentials: - description: Credentials used for client authentication on the back-channel with the authorization server. - properties: - clientSecret: - description: ClientSecret authenticates with the client password issued by the OpenID Provider (OP). - properties: - method: - default: BasicAuth - description: Method specifies in which format the client secret is sent with the authorization request. - enum: - - BasicAuth - - FormURLEncoded - type: string - secretRef: - description: SecretRef specifies the kubernetes secret containing the client password with key "client.secret". - properties: - name: - description: Name of the resource - minLength: 1 - type: string - required: - - name - type: object - required: - - secretRef - type: object - required: - - clientSecret - type: object - oidcProviderRef: - description: OIDCProviderRef selects the OpenID Provider (OP) used to authenticate users. - properties: - name: - description: Name of the resource - minLength: 1 - type: string - required: - - name - type: object - pathMapping: - description: PathMapping configures the action matching. - properties: - logoutPath: - description: LogoutPath specifies which request paths should initiate a logout. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - redirectPath: - description: RedirectPath specifies which request paths should be interpreted as a response from the authorization endpoint. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - required: - - logoutPath - - redirectPath - type: object - redirectURI: - description: |- - RedirectURI configures the "redirect_uri" parameter included in the authorization request. - May contain envoy command operators, e.g. '%REQ(:x-forwarded-proto)%://%REQ(:authority)%/callback'. - minLength: 1 - type: string - required: - - clientID - - credentials - - oidcProviderRef - - pathMapping - - redirectURI - type: object - required: - - spec - type: object - served: true - storage: true - subresources: {} diff --git a/charts/airlock/microgateway/4.2.3/crds/openapis.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.2.3/crds/openapis.microgateway.airlock.com.yaml deleted file mode 100644 index fafda725e..000000000 --- a/charts/airlock/microgateway/4.2.3/crds/openapis.microgateway.airlock.com.yaml +++ /dev/null @@ -1,167 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.14.0 - labels: - app.kubernetes.io/name: airlock-microgateway-operator - app.kubernetes.io/version: 4.2.3 - name: openapis.microgateway.airlock.com -spec: - group: microgateway.airlock.com - names: - categories: - - airlock-microgateway - kind: OpenAPI - listKind: OpenAPIList - plural: openapis - singular: openapi - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: OpenAPI contains the configuration for the OpenAPI specification. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Specification of the desired OpenAPI specification. - properties: - response: - description: Response defines the validation behaviour for responses. - properties: - secured: - description: Secured enables response checking. - properties: - validation: - default: Lax - description: Validation defines the validation mode for responses. - enum: - - Lax - - Strict - type: string - type: object - unsecured: - description: Unsecured disables response checking. - type: object - type: object - settings: - description: Settings defines the settings to configure OpenAPI specification enforcement. - properties: - logging: - description: Logging specifies the access log behavior. - properties: - maxFailedSubvalidations: - default: 10 - description: MaxFailedSubvalidations defines the maximum number of failed subvalidations being logged. - format: int64 - type: integer - type: object - schema: - description: Schema configures the OpenAPI specification. - properties: - source: - description: Source specifies the OpenAPI specification to be enforced. - properties: - configMapRef: - description: ConfigMapRef references the configmap by its name containing the well-known key 'openapi.json'. - properties: - name: - description: Name of the resource - minLength: 1 - type: string - required: - - name - type: object - type: object - required: - - source - type: object - threatHandlingMode: - default: Block - description: ThreatHandlingMode specifies how threats should be handled. - enum: - - Block - - LogOnly - type: string - validation: - description: Validation specifies the patterns for the validation behavior. - properties: - authentication: - description: Authentication defines the settings for the authentication scheme. - properties: - oAuth2: - description: OAuth2 specifies the OAuth2 parameters. - properties: - allowedParameters: - description: AllowedParameters specifies the allowed parameters for the authentication scheme. - properties: - builtIn: - description: BuiltIn allows configuring a set of predefined allowed parameters. - properties: - standardParameters: - default: true - description: StandardParameters defines whether the allowed parameters should be expanded by the set of common parameters. - type: boolean - type: object - custom: - description: Custom allows configuring additional allowed parameters. - items: - minLength: 1 - type: string - minItems: 1 - type: array - type: object - type: object - oidc: - description: Oidc specifies the OIDC parameters. - properties: - allowedParameters: - description: AllowedParameters specifies the allowed parameters for the authentication scheme. - properties: - builtIn: - description: BuiltIn allows configuring a set of predefined allowed parameters. - properties: - standardParameters: - default: true - description: StandardParameters defines whether the allowed parameters should be expanded by the set of common parameters. - type: boolean - type: object - custom: - description: Custom allows configuring additional allowed parameters. - items: - minLength: 1 - type: string - minItems: 1 - type: array - type: object - type: object - type: object - type: object - required: - - schema - type: object - required: - - settings - type: object - required: - - spec - type: object - served: true - storage: true diff --git a/charts/airlock/microgateway/4.2.3/crds/parsers.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.2.3/crds/parsers.microgateway.airlock.com.yaml deleted file mode 100644 index b450d488b..000000000 --- a/charts/airlock/microgateway/4.2.3/crds/parsers.microgateway.airlock.com.yaml +++ /dev/null @@ -1,358 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.14.0 - labels: - app.kubernetes.io/name: airlock-microgateway-operator - app.kubernetes.io/version: 4.2.3 - name: parsers.microgateway.airlock.com -spec: - group: microgateway.airlock.com - names: - categories: - - airlock-microgateway - kind: Parser - listKind: ParserList - plural: parsers - singular: parser - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: Parser contains the configuration for content parsers (default and custom). - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Specification of the desired parser behavior. - properties: - request: - description: Request defines the parsing for downstream requests. - properties: - custom: - description: Custom allows configuring additional rules for parser selection. - properties: - rules: - description: |- - Rules defines a custom set prepended before built-in rules of enabled request parsers. - Disable all built-in parsers to overrule them completely. - items: - properties: - action: - description: |- - Action specifies what should happen when a request condition matches. - Only one of parse or skip can be set. - properties: - parse: - description: Parse activates the configured parser. - properties: - form: - description: Form activates the Form parser. - type: object - json: - description: JSON activates the JSON parser. - type: object - multipart: - description: Multipart activates the multipart parser. - type: object - type: object - skip: - description: Skip disables any content parsing - type: object - type: object - requestConditions: - description: RequestConditions defines additional request properties which must be matched in order for this rule to apply. - properties: - header: - description: Header defines the matching headers of a request. - properties: - name: - description: Name defines the name of a header. - properties: - matcher: - description: Matcher defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - value: - description: Value defines the value of a header. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - type: object - invert: - default: false - description: Invert indicates whether the request condition should be inverted. - type: boolean - mediaType: - description: MediaType defines the matching media type from the content-type header of a request. - properties: - matcher: - description: |- - NonInvertableCaseInsensitiveStringMatcher defines the way to match a string. - In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - method: - description: Method defines the matching methods of a request. - items: - description: Method defines common HTTP methods. - enum: - - GET - - HEAD - - POST - - PUT - - PATCH - - DELETE - - CONNECT - - OPTIONS - - TRACE - type: string - type: array - path: - description: Path defines the matching path of a request. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - remoteIP: - description: RemoteIP defines the matching remote IPs of a request. - properties: - cidrRanges: - description: CIDRRanges defines the IPv4 or IPv6 CIDR ranges, e.g. ``196.148.3.128/26`` or ``2001:db8::/28``. - items: - description: CIDRRange defines an IPv4 or IPv6 CIDR range, e.g. “196.148.3.128/26“ or “2001:db8::/28“. - format: cidr - type: string - minItems: 1 - type: array - invert: - default: false - description: Invert indicates whether the match should be inverted. - type: boolean - required: - - cidrRanges - type: object - type: object - required: - - action - - requestConditions - type: object - type: array - type: object - defaultContentType: - default: application/x-www-form-urlencoded - description: DefaultContentType specifies the content-type header which should be injected into the request before parser selection if it is not already present and the request has a body. - minLength: 1 - type: string - parsers: - description: Parsers defines the configuration for the available content parsers. - properties: - form: - description: Form defines the configuration for the form parser. - properties: - enable: - default: true - description: Enable defines whether form payloads are inspected. - type: boolean - mediaTypePattern: - default: .*urlencoded.* - description: MediaTypePattern is a regex specifying the media types for which the request body should be treated as form arguments. - minLength: 1 - type: string - type: object - json: - description: JSON defines the configuration for the JSON parser. - properties: - enable: - default: true - description: Enable defines whether json payloads are inspected. - type: boolean - mediaTypePattern: - default: .*json.* - description: MediaTypePattern is a regex specifying the media types for which the request body should be treated as JSON. - minLength: 1 - type: string - type: object - multipart: - description: Multipart defines the configuration for the multipart parser. - properties: - enable: - default: true - description: Enable defines whether multipart payloads are inspected. - type: boolean - mediaTypePattern: - default: .*multipart.* - description: MediaTypePattern is a regex specifying the media types for which the request body should be treated as a multipart payload. - minLength: 1 - type: string - type: object - type: object - type: object - type: object - type: object - served: true - storage: true diff --git a/charts/airlock/microgateway/4.2.3/crds/sidecargateways.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.2.3/crds/sidecargateways.microgateway.airlock.com.yaml deleted file mode 100644 index 04b5f45d3..000000000 --- a/charts/airlock/microgateway/4.2.3/crds/sidecargateways.microgateway.airlock.com.yaml +++ /dev/null @@ -1,731 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.14.0 - labels: - app.kubernetes.io/name: airlock-microgateway-operator - app.kubernetes.io/version: 4.2.3 - name: sidecargateways.microgateway.airlock.com -spec: - group: microgateway.airlock.com - names: - categories: - - airlock-microgateway - kind: SidecarGateway - listKind: SidecarGatewayList - plural: sidecargateways - singular: sidecargateway - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .status.status - name: Status - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - description: SidecarGateway contains the configuration how to configure the Airlock Microgateway Engine when used as Sidecar Container within the Pod of an application. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Specification of the desired sidecar gateway behavior. - properties: - applications: - description: Applications defines applications which run on different ports. - items: - properties: - containerPort: - default: 8080 - description: |- - ContainerPort refers to the container port. - This must be a valid port number, 0 < x < 65536. - format: int32 - maximum: 65535 - minimum: 1 - type: integer - downstream: - description: Downstream defines the downstream configuration for this application - properties: - protocol: - description: |- - Protocol defines the exposed HTTP protocol version. At most one of http1, http2 and auto can be set. - Default: auto: {} - properties: - auto: - description: Auto specifies that the protocol should be inferred. - properties: - http2: - description: HTTP2 specifies the settings for when HTTP/2 is inferred. - properties: - allowConnect: - default: false - description: Allows proxying Websocket and other upgrades over H2 connect. - type: boolean - type: object - type: object - http1: - description: HTTP1 specifies that the client is assumed to speak HTTP/1.1. - type: object - http2: - description: HTTP2 specifies that the client is assumed to speak HTTP/2. - properties: - allowConnect: - default: false - description: Allows proxying Websocket and other upgrades over H2 connect. - type: boolean - type: object - type: object - remoteIP: - description: |- - RemoteIP defines how the remote IP of a client is propagated. - Default: xff: {...} - properties: - connectionIP: - description: ConnectionIP configures to use the source IP address of the direct downstream connection. - type: object - customHeader: - description: CustomHeader specifies to use a custom header for remote IP extraction. - properties: - headerName: - description: HeaderName specifies the name of the custom header containing the remote IP. - minLength: 1 - type: string - required: - default: true - description: Required specifies if the custom header is required. If true and not available the request will be rejected with 403. - type: boolean - required: - - headerName - type: object - xff: - description: XFF configures to use the standard 'X-Forwarded-For' header for IP extraction. - properties: - numTrustedHops: - default: 1 - description: NumTrustedHops specifies to extract the client's originating IP from the nth rightmost entry in the X-Forwarded-For header. With the default value of 1, the IP is extracted from the rightmost entry. - format: int32 - minimum: 1 - type: integer - type: object - type: object - requestNormalizations: - description: RequestNormalizations defines a set of normalization actions which are applied to the request before route matching. - properties: - mergeSlashes: - default: true - description: MergeSlashes ensures that adjacent slashes in the path are merged into one. - type: boolean - normalizePath: - default: true - description: NormalizePath ensures normalization according to RFC 3986 without case normalization. - type: boolean - type: object - restrictions: - description: Restrictions defines restrictions for downstream. - properties: - http: - description: HTTP defines limits for the HTTP protocol. - properties: - headersLength: - anyOf: - - type: integer - - type: string - default: 60Ki - description: HeadersLength defines maximum size of all request headers combined. Requests that exceed this limit will receive a 431 response. - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - type: object - timeouts: - description: Timeouts defines timeouts for downstream - properties: - http: - description: HTTP defines the settings for HTTP timeouts. - properties: - idle: - default: 5m - description: |- - Idle defines the settings for the idle timeout when no data is sent or received. - A value of 0 will completely disable the timeout. - Default: 5m - type: string - maxDuration: - default: 5m - description: |- - MaxDuration defines the total duration for a HTTP request/response stream. - A value of 0 will completely disable the timeout. - Default: 5m - type: string - requestHeaders: - default: 10s - description: |- - RequestHeaders defines the duration before all request headers must be received. - A value of 0 will completely disable the timeout. - Default: 10s - type: string - type: object - type: object - tls: - description: TLS defines the TLS settings. - properties: - ciphers: - description: Ciphers defines a list of the supported TLS cipher suites. For details on cipher list refer to the envoy documentation on cipher_suites in common tls configuration. - items: - type: string - minItems: 1 - type: array - clientCertificate: - description: |- - ClientCertificate defines the TLS settings for verification of client certificates. - At most one of ignored, optional and required can be set. - Default: ignored: {} - properties: - ignored: - description: Ignored disables verification of the client certificate. - type: object - optional: - description: |- - Optional enables verification of the client certificate if one is presented. - In this mode only trustedCA and crl settings can be configured since certificatePinning and allowedSANs require a client certificate. - properties: - crl: - description: CRL defines the Certificate Revocation List (CRL) settings. - properties: - lists: - description: Lists defines the list of secretRefs containing Certificate Revocation Lists. - items: - properties: - secretRef: - description: SecretRef defines the reference to a secret containing one or more CRL's (in PEM format) under the key 'ca.crl'. - properties: - name: - description: Name of the resource - minLength: 1 - type: string - required: - - name - type: object - required: - - secretRef - type: object - minItems: 1 - type: array - validationMode: - default: VerifyChain - description: ValidationMode defines whether only the leaf certificate or also the CA certs should be checked. - enum: - - VerifyLeafCertOnly - - VerifyChain - type: string - type: object - trustedCA: - description: TrustedCA defines which CA certificates are trusted. - properties: - certificates: - description: Certificates defines the list of secretRefs containing trusted CA certificates. - items: - properties: - secretRef: - description: SecretRef defines the reference to a secret containing one or more CA certificates under the key 'ca.crt'. - properties: - name: - description: Name of the resource - minLength: 1 - type: string - required: - - name - type: object - required: - - secretRef - type: object - minItems: 1 - type: array - verificationDepth: - default: 1 - description: |- - VerificationDepth specifies the hops in the certificate chain at which validation is performed. - 1 means that either the leaf or the signing CA must be in the set of trusted certificates. - format: int32 - type: integer - required: - - certificates - type: object - required: - - trustedCA - type: object - required: - description: |- - Required contains settings for client certificate verification. A client must present a valid certificate. - At least one of trustedCA and certificatePinning must be set. - properties: - allowedSANs: - description: |- - AllowedSANs is a list of matchers to verify the Subject Alternative name. If specified, it will verify that the - Subject Alternative Name of the presented certificate matches one of the specified matchers. The matching uses “any” semantics, - that is to say, the SAN is verified if at least one matcher is matched. - AllowedSANs requires trustedCA to be set. - items: - description: |- - TLSValidationContextSANMatcher is a list of matchers to verify the Subject Alternative name. If specified, it will verify that the - Subject Alternative Name of the presented certificate matches one of the specified matchers. - properties: - matcher: - description: Matcher defines the string matcher for the SAN value. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - sanType: - description: SanType defines the type of SAN matcher. - enum: - - DNS - - Email - - URI - - IPAddress - type: string - required: - - matcher - - sanType - type: object - minItems: 1 - type: array - certificatePinning: - description: |- - CertificatePinning defines the constraints a client certificate must fulfill. - If more than one constraint is configured only one must be satisfied. - At least one of allowedSPKIs and allowedHashes must be set. - properties: - allowedHashes: - description: |- - AllowedHashes is a list of hex-encoded SHA-256 hashes. - If specified, it will verify that the SHA-256 of the DER-encoded presented certificate matches one of the specified values. - items: - type: string - minItems: 1 - type: array - allowedSPKIs: - description: |- - AllowedSPKIs is a list of base64-encoded SHA-256 hashes. - If specified, it will verify that the SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate matches one of the specified values. - items: - type: string - minItems: 1 - type: array - type: object - crl: - description: CRL defines the Certificate Revocation List (CRL) settings. - properties: - lists: - description: Lists defines the list of secretRefs containing Certificate Revocation Lists. - items: - properties: - secretRef: - description: SecretRef defines the reference to a secret containing one or more CRL's (in PEM format) under the key 'ca.crl'. - properties: - name: - description: Name of the resource - minLength: 1 - type: string - required: - - name - type: object - required: - - secretRef - type: object - minItems: 1 - type: array - validationMode: - default: VerifyChain - description: ValidationMode defines whether only the leaf certificate or also the CA certs should be checked. - enum: - - VerifyLeafCertOnly - - VerifyChain - type: string - type: object - trustedCA: - description: TrustedCA defines which CA certificates are trusted. - properties: - certificates: - description: Certificates defines the list of secretRefs containing trusted CA certificates. - items: - properties: - secretRef: - description: SecretRef defines the reference to a secret containing one or more CA certificates under the key 'ca.crt'. - properties: - name: - description: Name of the resource - minLength: 1 - type: string - required: - - name - type: object - required: - - secretRef - type: object - minItems: 1 - type: array - verificationDepth: - default: 1 - description: |- - VerificationDepth specifies the hops in the certificate chain at which validation is performed. - 1 means that either the leaf or the signing CA must be in the set of trusted certificates. - format: int32 - type: integer - required: - - certificates - type: object - type: object - type: object - enable: - default: false - description: Enable defines if the downstream connection is encrypted. - type: boolean - protocol: - description: Protocol defines the supported TLS protocol versions. - properties: - maximum: - description: Maximum supported TLS version. - enum: - - TLSv1_0 - - TLSv1_1 - - TLSv1_2 - - TLSv1_3 - type: string - minimum: - description: Minimum supported TLS version. - enum: - - TLSv1_0 - - TLSv1_1 - - TLSv1_2 - - TLSv1_3 - type: string - type: object - secretRef: - description: SecretRef defines the reference to the TLS server certificate (secret of type kubernetes.io/tls). - properties: - name: - description: Name of the resource - minLength: 1 - type: string - required: - - name - type: object - xfcc: - description: |- - XFCC defines the handling of X-Forwarded-Client-Cert header. Meaning of the possible values: - _Sanitize_: Do not send the XFCC header to the next hop. This is the default value. - _ForwardOnly_: When the client connection is mTLS (Mutual TLS), forward the XFCC header in the request. - _AppendAndForward_: When the client connection is mTLS, append the client certificate information to the request’s XFCC header and forward it. - _SanitizeAndSet_: When the client connection is mTLS, reset the XFCC header with the client certificate information and send it to the next hop. - _AlwaysForwardOnly_: Always forward the XFCC header in the request, regardless of whether the client connection is mTLS. - Note: When forwarding the XFCC header in the request you might have to adjust the header length restrictions (See sidecargateway.spec.applications.downstream.restrictions.http) - enum: - - Sanitize - - ForwardOnly - - AppendAndForward - - SanitizeAndSet - - AlwaysForwardOnly - type: string - type: object - type: object - envoyHTTPFilterRefs: - description: EnvoyHTTPFilterRefs selects the relevant EnvoyHTTPFilters. - properties: - prepend: - description: Prepend selects the relevant EnvoyHTTPFilters which are added before those configured by the Airlock Microgateway. - items: - properties: - name: - description: Name of the resource - minLength: 1 - type: string - required: - - name - type: object - type: array - type: object - routes: - description: Routes defines the security configurations for different paths. The first matching route (from top to bottom) applies. - items: - description: |- - SidecarGatewayApplicationRoute defines the security configurations for different paths. - At most one of secured and unsecured can be set. - Default: secured: {...} - properties: - pathPrefix: - default: / - description: PathPrefix defines the path prefix used during route selection. - minLength: 1 - type: string - secured: - description: Secured enables WAF processing for this route. - properties: - accessControlRef: - description: |- - AccessControlRef selects the relevant AccessControl configuration resource. - If undefined, Airlock Microgateway does not perform any access control. - properties: - name: - description: Name of the resource - minLength: 1 - type: string - required: - - name - type: object - contentSecurityRef: - description: |- - ContentSecurityRef selects the relevant ContentSecurity configuration resource. - If undefined, default settings are applied, designed to work with most upstream web application services. - properties: - name: - description: Name of the resource - minLength: 1 - type: string - required: - - name - type: object - type: object - unsecured: - description: |- - Unsecured disables all WAF functionality and therefore protection for this route. - WARNING: Using this setting when the application is exposed to untrusted downstream traffic is highly discouraged. - type: object - type: object - type: array - x-kubernetes-list-map-keys: - - pathPrefix - x-kubernetes-list-type: map - telemetryRef: - description: |- - TelemetryRef selects the relevant Telemetry configuration resource. - If undefined, default settings are applied, designed to work with most upstream web application services. - properties: - name: - description: Name of the resource - minLength: 1 - type: string - required: - - name - type: object - upstream: - description: Upstream defines the upstream configuration for this application - properties: - protocol: - description: |- - Protocol defines HTTP protocol version used to communicate with the upstream. At most one of http1, http2 and auto can be set. - Default: auto: {} - properties: - auto: - description: Auto specifies to use the protocol negotiated via TLS ALPN (if supported) or HTTP/1.1 as fallback. - properties: - http2: - description: HTTP2 specifies the settings for when HTTP/2 is inferred. - properties: - allowConnect: - default: false - description: Allows proxying Websocket and other upgrades over H2 connect. - type: boolean - type: object - type: object - http1: - description: HTTP1 specifies to use HTTP/1.1. - type: object - http2: - description: HTTP2 specifies to use HTTP/2. - properties: - allowConnect: - default: false - description: Allows proxying Websocket and other upgrades over H2 connect. - type: boolean - type: object - type: object - timeouts: - description: Timeouts defines the timeout settings. - properties: - http: - description: HTTP defines the settings for HTTP timeouts. - properties: - idle: - description: |- - Timeout defines the settings for http timeouts. If this setting is not specified, the value of applications[].downstream.timeouts.http.idle is inherited. - A value of 0 will completely disable the timeout. - type: string - maxDuration: - default: 15s - description: |- - MaxDuration defines the total duration for a HTTP request/response stream. - Default: 15s - type: string - type: object - type: object - tls: - description: TLS defines the TLS settings. - properties: - ciphers: - description: Ciphers defines a list of the supported TLS cipher suites. For details on cipher list refer to the envoy documentation on cipher_suites in common tls configuration. - items: - type: string - minItems: 1 - type: array - enable: - default: false - description: Enable defines if the upstream connection is encrypted. - type: boolean - protocol: - description: Protocol defines the supported TLS protocol versions. - properties: - maximum: - description: Maximum supported TLS version. - enum: - - TLSv1_0 - - TLSv1_1 - - TLSv1_2 - - TLSv1_3 - type: string - minimum: - description: Minimum supported TLS version. - enum: - - TLSv1_0 - - TLSv1_1 - - TLSv1_2 - - TLSv1_3 - type: string - type: object - type: object - type: object - type: object - minItems: 1 - type: array - x-kubernetes-list-map-keys: - - containerPort - x-kubernetes-list-type: map - envoyClusterRefs: - description: EnvoyClusterRefs selects the relevant EnvoyClusters. - items: - properties: - name: - description: Name of the resource - minLength: 1 - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - podSelector: - description: PodSelector defines to which Pods the configuration will be applied to. - properties: - matchLabels: - additionalProperties: - type: string - description: MatchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels. - type: object - type: object - required: - - applications - type: object - status: - description: Most recently observed status of the SidecarGateway which is populated by the system. This data is read-only and may not be up to date. - properties: - conditions: - items: - properties: - lastTransitionTime: - description: Last time the condition transitioned from one status to another. - format: date-time - type: string - message: - description: A human-readable message indicating details about the transition. - type: string - reason: - description: The reason for the condition's last transition. - type: string - status: - description: Status of the condition, one of True, False, Unknown. - type: string - type: - description: Type of SidecarGateway condition. - type: string - required: - - status - - type - type: object - type: array - pods: - items: - properties: - envoyConfig: - description: EnvoyConfig indicates the name of the EnvoyConfig CR which references the SidecarGateway. - type: string - name: - description: Name indicates the name of the Pod which references the SidecarGateway. - type: string - required: - - name - type: object - type: array - status: - type: string - required: - - status - type: object - type: object - served: true - storage: true - subresources: - status: {} diff --git a/charts/airlock/microgateway/4.2.3/crds/telemetries.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.2.3/crds/telemetries.microgateway.airlock.com.yaml deleted file mode 100644 index b55fcba21..000000000 --- a/charts/airlock/microgateway/4.2.3/crds/telemetries.microgateway.airlock.com.yaml +++ /dev/null @@ -1,81 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.14.0 - labels: - app.kubernetes.io/name: airlock-microgateway-operator - app.kubernetes.io/version: 4.2.3 - name: telemetries.microgateway.airlock.com -spec: - group: microgateway.airlock.com - names: - categories: - - airlock-microgateway - kind: Telemetry - listKind: TelemetryList - plural: telemetries - singular: telemetry - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: Telemetry contains the configuration for telemetry (logging, metrics & tracing). - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Specification of the desired telemetry behavior. - properties: - correlation: - description: Correlation defines the correlation aspects of Telemetry. - properties: - request: - description: Request defines the request related correlation settings of Telemetry. - properties: - allowDownstreamRequestID: - default: true - description: AllowDownstreamRequestID defines whether trace sampling will consider a provided x-request-id. - type: boolean - alterRequestID: - default: true - description: AlterRequestID defines whether to alter the UUID to reflect the trace sampling decision. If disabled no modification to the UUID will be performed, this may break tracing in the upstream. - type: boolean - type: object - type: object - logging: - description: Logging defines the logging aspects of Telemetry. - properties: - accessLog: - description: AccessLog defines the access log settings of Telemetry. - properties: - format: - description: Format defines the Access Log format of the sidecar. - properties: - json: - description: JSON defines the Access Log format as JSON. - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: object - type: object - type: object - served: true - storage: true diff --git a/charts/airlock/microgateway/4.2.3/gke-values.yaml b/charts/airlock/microgateway/4.2.3/gke-values.yaml new file mode 100644 index 000000000..d6d5c21d1 --- /dev/null +++ b/charts/airlock/microgateway/4.2.3/gke-values.yaml @@ -0,0 +1,4 @@ +# values for deploying on GKE + +config: + cniBinDir: "/home/kubernetes/bin" diff --git a/charts/airlock/microgateway/4.2.3/openshift-values.yaml b/charts/airlock/microgateway/4.2.3/openshift-values.yaml new file mode 100644 index 000000000..3b1d6cccd --- /dev/null +++ b/charts/airlock/microgateway/4.2.3/openshift-values.yaml @@ -0,0 +1,15 @@ +# values for deploying on OpenShift + +rbac: + createSCCRole: true + +privileged: true + +multusNetworkAttachmentDefinition: + create: true + namespace: default + +config: + installMode: "standalone" + cniNetDir: "/etc/cni/multus/net.d" + cniBinDir: "/var/lib/cni/bin" diff --git a/charts/airlock/microgateway/4.2.3/questions.yml b/charts/airlock/microgateway/4.2.3/questions.yml new file mode 100644 index 000000000..73ed44d64 --- /dev/null +++ b/charts/airlock/microgateway/4.2.3/questions.yml @@ -0,0 +1,18 @@ +questions: + - variable: config.cniNetDir + required: true + type: string + label: CNI Network Configuration Directory + group: "CNI Settings" + description: "Directory where the CNI config files reside on the host. This value depends on the kubernetes distribution and interface CNI Provider used. It can be fetched by running `crictl info -o go-template --template '{{.config.cni.confDir}}'` on your kubernetes host." + - variable: config.cniBinDir + required: true + type: string + label: CNI Plugin Binaries Directory + group: "CNI Settings" + description: "Directory where the CNI plugin binaries reside on the host. This value depends on the kubernetes distribution and interface CNI Provider used. It can be fetched by running `crictl info -o go-template --template '{{.config.cni.binDir}}'` on your kubernetes host." + - variable: config.installMode + required: true + label: CNI Plugin Installation Mode + group: "CNI Settings" + description: "Whether to install the CNI plugin as a `chained` plugin (default, required with most interface CNI providers) as a `standalone` plugin (required for use with Multus CNI, e.g. on OpenShift) or in `manual` mode, where no CNI network configuration is written. Please refer to the CNI installation documentation (https://github.com/airlock/microgateway?tab=readme-ov-file#deploy-airlock-microgateway-cni) to correctly setup the CNI Plugin for your environment." diff --git a/charts/airlock/microgateway/4.2.3/templates/NOTES.txt b/charts/airlock/microgateway/4.2.3/templates/NOTES.txt index 8e7d84a8f..e8aa45888 100644 --- a/charts/airlock/microgateway/4.2.3/templates/NOTES.txt +++ b/charts/airlock/microgateway/4.2.3/templates/NOTES.txt @@ -1,22 +1,3 @@ -Thank you for installing Airlock Microgateway. -If you have not already done so, make sure that Airlock Microgateway CNI is also installed on the cluster. +Thank you for installing Airlock Microgateway CNI. -For further information, please visit our documentation at https://docs.airlock.com/microgateway/{{ include "airlock-microgateway.docsVersion" .}}. -Detailed CRD API reference documentation is also available at https://docs.airlock.com/microgateway/{{ include "airlock-microgateway.docsVersion" .}}/api/crds. -{{ if .Values.crds.skipVersionCheck }} -- CRD version check skipped -{{- else }} -{{- $outdatedCRDs := (include "airlock-microgateway.outdatedCRDs" .) -}} -{{- if $outdatedCRDs -}} - {{- fail (printf ` - -Helm does not automatically upgrade CRDs from the chart's 'crds/' directory during 'helm install/upgrade'. -Therefore, the CRDs must be manually upgraded with the following command before deploying this chart: - -kubectl apply -k https://github.com/airlock/microgateway/deploy/charts/airlock-microgateway/crds/?ref=%s --server-side --force-conflicts - -If you are not using the helm install/upgrade command and instead rely on some other mechanism which is able to upgrade CRDs for deploying this chart, you can suppress this error by setting the helm value 'crds.skipVersionCheck=true'.` - .Chart.AppVersion) - -}} -{{- end -}} -{{- end -}} +For further information, please visit our documentation at https://docs.airlock.com/microgateway/{{ include "airlock-microgateway-cni.docsVersion" .}}. diff --git a/charts/airlock/microgateway/4.2.3/templates/_helpers.tpl b/charts/airlock/microgateway/4.2.3/templates/_helpers.tpl index 1c3bb34a2..996491a87 100644 --- a/charts/airlock/microgateway/4.2.3/templates/_helpers.tpl +++ b/charts/airlock/microgateway/4.2.3/templates/_helpers.tpl @@ -1,16 +1,14 @@ {{/* Expand the name of the chart. -We truncate at 49 chars because some Kubernetes name fields are limited to 63 chars (by the DNS naming spec) -and the longest explicit suffix is 14 characters. */}} -{{- define "airlock-microgateway.name" -}} -{{- default .Chart.Name .Values.nameOverride | trunc 49 | trimSuffix "-" }} +{{- define "airlock-microgateway-cni.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} {{- end }} {{/* Convert an image configuration object into an image ref string. */}} -{{- define "airlock-microgateway.image" -}} +{{- define "airlock-microgateway-cni.image" -}} {{- if .digest -}} {{- printf "%s@%s" .repository .digest -}} {{- else if .tag -}} @@ -22,19 +20,19 @@ Convert an image configuration object into an image ref string. {{/* Create a default fully qualified app name. -We truncate at 36 chars because some Kubernetes name fields are limited to 63 chars (by the DNS naming spec) -and the longest implicit suffix is 27 characters. +We truncate at 50 chars because some Kubernetes name fields are limited to 63 chars (by the DNS naming spec) +and the longest suffix is 13 characters. If release name contains chart name it will be used as a full name. */}} -{{- define "airlock-microgateway.fullname" -}} +{{- define "airlock-microgateway-cni.fullname" -}} {{- if .Values.fullnameOverride }} -{{- .Values.fullnameOverride | trunc 36 | trimSuffix "-" }} +{{- .Values.fullnameOverride | trunc 50 | trimSuffix "-" }} {{- else }} {{- $name := default .Chart.Name .Values.nameOverride }} {{- if contains $name .Release.Name }} -{{- .Release.Name | trunc 36 | trimSuffix "-" }} +{{- .Release.Name | trunc 50 | trimSuffix "-" }} {{- else }} -{{- printf "%s-%s" .Release.Name $name | trunc 36 | trimSuffix "-" }} +{{- printf "%s-%s" .Release.Name $name | trunc 50 | trimSuffix "-" }} {{- end }} {{- end }} {{- end }} @@ -42,88 +40,59 @@ If release name contains chart name it will be used as a full name. {{/* Create chart name and version as used by the chart label. */}} -{{- define "airlock-microgateway.chart" -}} +{{- define "airlock-microgateway-cni.chart" -}} {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} {{- end }} {{/* Common labels */}} -{{- define "airlock-microgateway.sharedLabels" -}} -helm.sh/chart: {{ include "airlock-microgateway.chart" . }} +{{- define "airlock-microgateway-cni.labels" -}} +helm.sh/chart: {{ include "airlock-microgateway-cni.chart" . }} +{{ include "airlock-microgateway-cni.selectorLabels" . }} {{- if .Chart.AppVersion }} app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} {{- end }} app.kubernetes.io/managed-by: {{ .Release.Service }} -app.kubernetes.io/part-of: {{ .Chart.Name }} {{- with .Values.commonLabels }} {{ toYaml .}} {{- end }} {{- end }} {{/* -Common Selector labels +Common labels without component */}} -{{- define "airlock-microgateway.sharedSelectorLabels" -}} -app.kubernetes.io/instance: {{ .Release.Name }} +{{- define "airlock-microgateway-cni.labelsWithoutComponent" -}} +{{- $labels := fromYaml (include "airlock-microgateway-cni.labels" .) -}} +{{ unset $labels "app.kubernetes.io/component" | toYaml }} {{- end }} {{/* -Restricted Container Security Context +Selector labels */}} -{{- define "airlock-microgateway.restrictedSecurityContext" -}} -allowPrivilegeEscalation: false -privileged: false -runAsNonRoot: true -capabilities: - drop: ["ALL"] -readOnlyRootFilesystem: true -seccompProfile: - type: RuntimeDefault +{{- define "airlock-microgateway-cni.selectorLabels" -}} +app.kubernetes.io/component: cni-plugin-installer +app.kubernetes.io/instance: {{ .Release.Name }} +app.kubernetes.io/name: {{ include "airlock-microgateway-cni.name" . }} {{- end }} -{{/* Precondition: May only be used if AppVersion is isSemver */}} -{{- define "airlock-microgateway.supportedCRDVersionPattern" -}} -{{- $version := (semver .Chart.AppVersion) -}} -{{- if $version.Prerelease -}} ->= {{ $version.Major }}.{{ $version.Minor }}.{{ $version.Patch }}-{{ $version.Prerelease }} -{{- else -}} ->= {{ $version.Major }}.{{ $version.Minor }}.0 || >= {{ $version.Major }}.{{ $version.Minor }}.{{ add1 $version.Patch }}-0 -{{- end -}} -{{- end -}} +{{/* +Create the name of the service account to use for the CNI Plugin +*/}} +{{- define "airlock-microgateway-cni.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "airlock-microgateway-cni.fullname" .) .Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} -{{- define "airlock-microgateway.outdatedCRDs" -}} -{{- if (eq "true" (include "airlock-microgateway.isSemver" .Chart.AppVersion)) -}} - {{- $supportedVersion := (include "airlock-microgateway.supportedCRDVersionPattern" .) -}} - {{- range $path, $_ := .Files.Glob "crds/*.yaml" -}} - {{- $api := ($.Files.Get $path | fromYaml).metadata.name -}} - {{- $crd := (lookup "apiextensions.k8s.io/v1" "CustomResourceDefinition" "" $api) -}} - {{- $isOutdated := false -}} - {{- if $crd -}} - {{/* If CRD is already present in the cluster, it must have the minimum supported version */}} - {{- $isOutdated = true -}} - {{- if hasKey $crd.metadata "labels" -}} - {{- $crdVersion := get $crd.metadata.labels "app.kubernetes.io/version" -}} - {{- if (eq "true" (include "airlock-microgateway.isSemver" $crdVersion)) -}} - {{- if (semverCompare $supportedVersion $crdVersion) }} - {{- $isOutdated = false -}} - {{- end }} - {{- end -}} - {{- end -}} - {{- end -}} - {{- if $isOutdated }} -{{ base $path }} - {{- end }} - {{- end -}} -{{- end -}} -{{- end -}} - -{{- define "airlock-microgateway.isSemver" -}} +{{- define "airlock-microgateway-cni.isSemver" -}} {{- regexMatch `^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$` . -}} {{- end -}} -{{- define "airlock-microgateway.docsVersion" -}} -{{- if and (eq "true" (include "airlock-microgateway.isSemver" .Chart.AppVersion)) (not (contains "-" .Chart.AppVersion)) -}} +{{- define "airlock-microgateway-cni.docsVersion" -}} +{{- if and (eq "true" (include "airlock-microgateway-cni.isSemver" .Chart.AppVersion)) (not (contains "-" .Chart.AppVersion)) -}} {{- $version := (semver .Chart.AppVersion) -}} {{- $version.Major }}.{{ $version.Minor -}} {{- else -}} diff --git a/charts/airlock/microgateway/4.2.3/templates/clusterrole.yaml b/charts/airlock/microgateway/4.2.3/templates/clusterrole.yaml new file mode 100644 index 000000000..ef88ac783 --- /dev/null +++ b/charts/airlock/microgateway/4.2.3/templates/clusterrole.yaml @@ -0,0 +1,22 @@ +{{- if .Values.rbac.create -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "airlock-microgateway-cni.fullname" . }} + labels: + {{- include "airlock-microgateway-cni.labels" . | nindent 4 }} + {{- with .Values.commonAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +rules: + - apiGroups: + - "" + resources: + - pods + verbs: + - get + - list + - watch + - patch +{{- end -}} diff --git a/charts/airlock/microgateway/4.2.3/templates/clusterrolebinding.yaml b/charts/airlock/microgateway/4.2.3/templates/clusterrolebinding.yaml new file mode 100644 index 000000000..04f87cb0f --- /dev/null +++ b/charts/airlock/microgateway/4.2.3/templates/clusterrolebinding.yaml @@ -0,0 +1,20 @@ +{{- if .Values.rbac.create -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "airlock-microgateway-cni.fullname" . }} + labels: + {{- include "airlock-microgateway-cni.labels" . | nindent 4 }} + {{- with .Values.commonAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "airlock-microgateway-cni.fullname" . }} +subjects: + - kind: ServiceAccount + name: {{ include "airlock-microgateway-cni.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +{{- end -}} diff --git a/charts/airlock/microgateway/4.2.3/templates/configmap.yaml b/charts/airlock/microgateway/4.2.3/templates/configmap.yaml new file mode 100644 index 000000000..b880116ef --- /dev/null +++ b/charts/airlock/microgateway/4.2.3/templates/configmap.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "airlock-microgateway-cni.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "airlock-microgateway-cni.labels" . | nindent 4 }} + {{- with .Values.commonAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +data: + plugin-conf.json: |- + { + "type": "{{ include "airlock-microgateway-cni.fullname" . }}", + "debug": {{ eq .Values.config.logLevel "debug" }}, + "logFilePath": "/var/log/{{ include "airlock-microgateway-cni.fullname" . }}.log", + "kubernetes": { + "kubeconfig": "{{ .Values.config.cniNetDir }}/{{ include "airlock-microgateway-cni.fullname" . }}-kubeconfig", + "excludeNamespaces": {{ toJson .Values.config.excludeNamespaces }} + } + } diff --git a/charts/airlock/microgateway/4.2.3/templates/daemonset.yaml b/charts/airlock/microgateway/4.2.3/templates/daemonset.yaml new file mode 100644 index 000000000..4ba9f2669 --- /dev/null +++ b/charts/airlock/microgateway/4.2.3/templates/daemonset.yaml @@ -0,0 +1,136 @@ +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: {{ include "airlock-microgateway-cni.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "airlock-microgateway-cni.labels" . | nindent 4 }} + {{- with .Values.commonAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + selector: + matchLabels: + {{- include "airlock-microgateway-cni.selectorLabels" . | nindent 6 }} + template: + metadata: + annotations: + checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + kubectl.kubernetes.io/default-container: cni-installer + {{- with mustMerge .Values.podAnnotations .Values.commonAnnotations}} + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "airlock-microgateway-cni.labels" . | nindent 8 }} + {{- with .Values.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + containers: + - args: + - --log-level + - "{{ .Values.config.logLevel }}" + env: + - name: CNI_NETWORK_CONFIG + valueFrom: + configMapKeyRef: + key: plugin-conf.json + name: {{ include "airlock-microgateway-cni.fullname" . }} + - name: CNI_BIN_DIR + value: /host/opt/cni/bin + - name: CNI_NET_DIR + value: /host/etc/cni/net.d + - name: KUBECONFIG_FILE_NAME + value: "{{ include "airlock-microgateway-cni.fullname" . }}-kubeconfig" + - name: INSTALL_MODE + value: {{ .Values.config.installMode }} + - name: KUBERNETES_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + image: {{ include "airlock-microgateway-cni.image" .Values.image }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + name: cni-installer + {{- with .Values.resources }} + resources: + {{- toYaml . | nindent 12 }} + {{- end }} + startupProbe: + exec: + command: + - /cni-installer + - probe + failureThreshold: 5 + initialDelaySeconds: 3 + periodSeconds: 3 + timeoutSeconds: 3 + readinessProbe: + exec: + command: + - /cni-installer + - probe + failureThreshold: 1 + periodSeconds: 60 + timeoutSeconds: 3 + securityContext: + allowPrivilegeEscalation: {{ .Values.privileged }} + capabilities: + drop: + - ALL + privileged: {{ .Values.privileged }} + readOnlyRootFilesystem: true + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 + seccompProfile: + type: RuntimeDefault + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /host/opt/cni/bin + name: cni-bin-dir + - mountPath: /host/etc/cni/net.d + name: cni-net-dir + - mountPath: /run/cni-installer + name: cni-installer-status + hostNetwork: true + priorityClassName: system-node-critical + restartPolicy: Always + securityContext: + fsGroup: 0 + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 + serviceAccountName: {{ include "airlock-microgateway-cni.serviceAccountName" . }} + terminationGracePeriodSeconds: 5 + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + tolerations: + - effect: NoSchedule + operator: Exists + - key: CriticalAddonsOnly + operator: Exists + - effect: NoExecute + operator: Exists + volumes: + - hostPath: + path: "{{ .Values.config.cniBinDir }}" + type: Directory + name: cni-bin-dir + - hostPath: + path: "{{ .Values.config.cniNetDir }}" + type: Directory + name: cni-net-dir + - emptyDir: {} + name: cni-installer-status diff --git a/charts/airlock/microgateway/4.2.3/templates/network-attachment-definition.yaml b/charts/airlock/microgateway/4.2.3/templates/network-attachment-definition.yaml new file mode 100644 index 000000000..5d657e309 --- /dev/null +++ b/charts/airlock/microgateway/4.2.3/templates/network-attachment-definition.yaml @@ -0,0 +1,13 @@ +{{- if .Values.multusNetworkAttachmentDefinition.create -}} +apiVersion: "k8s.cni.cncf.io/v1" +kind: NetworkAttachmentDefinition +metadata: + name: {{ include "airlock-microgateway-cni.fullname" . }} + namespace: {{ .Values.multusNetworkAttachmentDefinition.namespace }} + labels: + {{- include "airlock-microgateway-cni.labels" . | nindent 4 }} + {{- with .Values.commonAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end -}} diff --git a/charts/airlock/microgateway/4.2.3/templates/operator/_webhooks.gen.tpl b/charts/airlock/microgateway/4.2.3/templates/operator/_webhooks.gen.tpl deleted file mode 100644 index 3c12e34e7..000000000 --- a/charts/airlock/microgateway/4.2.3/templates/operator/_webhooks.gen.tpl +++ /dev/null @@ -1,299 +0,0 @@ -{{/* AUTOGENERATED FILE DO NOT EDIT */}} - -{{/* -Operator mutating webhooks -*/}} -{{- define "airlock-microgateway-operator.mutatingWebhooks" -}} -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: airlock-microgateway-operator-webhook - namespace: '{{ .Release.Namespace }}' - path: /mutate-v1-pod - failurePolicy: Fail - name: mutate-pod.microgateway.airlock.com - reinvocationPolicy: IfNeeded - rules: - - apiGroups: - - "" - apiVersions: - - v1 - operations: - - CREATE - resources: - - pods - sideEffects: None - objectSelector: - matchLabels: - sidecar.microgateway.airlock.com/inject: "true" -{{- end }} - -{{/* -Operator validating webhooks -*/}} -{{- define "airlock-microgateway-operator.validatingWebhooks" -}} -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: airlock-microgateway-operator-webhook - namespace: '{{ .Release.Namespace }}' - path: /validate-microgateway-airlock-com-v1alpha1-accesscontrol - failurePolicy: Fail - name: validate-accesscontrol.microgateway.airlock.com - rules: - - apiGroups: - - microgateway.airlock.com - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - accesscontrols - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: airlock-microgateway-operator-webhook - namespace: '{{ .Release.Namespace }}' - path: /validate-microgateway-airlock-com-v1alpha1-denyrules - failurePolicy: Fail - name: validate-denyrules.microgateway.airlock.com - rules: - - apiGroups: - - microgateway.airlock.com - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - denyrules - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: airlock-microgateway-operator-webhook - namespace: '{{ .Release.Namespace }}' - path: /validate-microgateway-airlock-com-v1alpha1-envoycluster - failurePolicy: Fail - name: validate-envoycluster.microgateway.airlock.com - rules: - - apiGroups: - - microgateway.airlock.com - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - envoyclusters - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: airlock-microgateway-operator-webhook - namespace: '{{ .Release.Namespace }}' - path: /validate-microgateway-airlock-com-v1alpha1-envoyhttpfilter - failurePolicy: Fail - name: validate-envoyhttpfilter.microgateway.airlock.com - rules: - - apiGroups: - - microgateway.airlock.com - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - envoyhttpfilters - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: airlock-microgateway-operator-webhook - namespace: '{{ .Release.Namespace }}' - path: /validate-microgateway-airlock-com-v1alpha1-headerrewrites - failurePolicy: Fail - name: validate-headerrewrites.microgateway.airlock.com - rules: - - apiGroups: - - microgateway.airlock.com - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - headerrewrites - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: airlock-microgateway-operator-webhook - namespace: '{{ .Release.Namespace }}' - path: /validate-microgateway-airlock-com-v1alpha1-identitypropagation - failurePolicy: Fail - name: validate-identitypropagation.microgateway.airlock.com - rules: - - apiGroups: - - microgateway.airlock.com - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - identitypropagations - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: airlock-microgateway-operator-webhook - namespace: '{{ .Release.Namespace }}' - path: /validate-microgateway-airlock-com-v1alpha1-limits - failurePolicy: Fail - name: validate-limits.microgateway.airlock.com - rules: - - apiGroups: - - microgateway.airlock.com - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - limits - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: airlock-microgateway-operator-webhook - namespace: '{{ .Release.Namespace }}' - path: /validate-microgateway-airlock-com-v1alpha1-oidcprovider - failurePolicy: Fail - name: validate-oidcprovider.microgateway.airlock.com - rules: - - apiGroups: - - microgateway.airlock.com - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - oidcproviders - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: airlock-microgateway-operator-webhook - namespace: '{{ .Release.Namespace }}' - path: /validate-microgateway-airlock-com-v1alpha1-oidcrelyingparty - failurePolicy: Fail - name: validate-oidcrelyingparty.microgateway.airlock.com - rules: - - apiGroups: - - microgateway.airlock.com - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - oidcrelyingparties - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: airlock-microgateway-operator-webhook - namespace: '{{ .Release.Namespace }}' - path: /validate-microgateway-airlock-com-v1alpha1-openapi - failurePolicy: Fail - name: validate-openapi.microgateway.airlock.com - rules: - - apiGroups: - - microgateway.airlock.com - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - openapis - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: airlock-microgateway-operator-webhook - namespace: '{{ .Release.Namespace }}' - path: /validate-microgateway-airlock-com-v1alpha1-parser - failurePolicy: Fail - name: validate-parser.microgateway.airlock.com - rules: - - apiGroups: - - microgateway.airlock.com - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - parsers - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: airlock-microgateway-operator-webhook - namespace: '{{ .Release.Namespace }}' - path: /validate-microgateway-airlock-com-v1alpha1-sidecargateway - failurePolicy: Fail - name: validate-sidecargateway.microgateway.airlock.com - rules: - - apiGroups: - - microgateway.airlock.com - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - sidecargateways - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: airlock-microgateway-operator-webhook - namespace: '{{ .Release.Namespace }}' - path: /validate-v1-pod - failurePolicy: Fail - name: validate-pod.microgateway.airlock.com - rules: - - apiGroups: - - "" - apiVersions: - - v1 - operations: - - CREATE - - UPDATE - resources: - - pods - sideEffects: None - objectSelector: - matchLabels: - sidecar.microgateway.airlock.com/inject: "true" -{{- end }} diff --git a/charts/airlock/microgateway/4.2.3/templates/operator/configmap.yaml b/charts/airlock/microgateway/4.2.3/templates/operator/configmap.yaml deleted file mode 100644 index 113d8a47b..000000000 --- a/charts/airlock/microgateway/4.2.3/templates/operator/configmap.yaml +++ /dev/null @@ -1,322 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "airlock-microgateway.operator.fullname" . }}-config - namespace: {{ .Release.Namespace }} - labels: - {{- include "airlock-microgateway.operator.labels" . | nindent 4 }} - {{- with .Values.commonAnnotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -data: - engine_bootstrap_config_template.yaml: | - # Base configuration, admin interface on port 19000 - admin: - address: - socket_address: - address: 127.0.0.1 - port_value: 19000 - dynamic_resources: - cds_config: - initial_fetch_timeout: 10s - resource_api_version: V3 - api_config_source: - api_type: GRPC - transport_api_version: V3 - grpc_services: - - envoy_grpc: - cluster_name: xds_cluster - set_node_on_first_message_only: true - # Prevent Envoy Node from overloading the xDS server due to rejected configuration when using xDS SotW gRPC - rate_limit_settings: - max_tokens: 5 - fill_rate: 0.2 - lds_config: - resource_api_version: V3 - initial_fetch_timeout: 10s - api_config_source: - api_type: GRPC - transport_api_version: V3 - grpc_services: - - envoy_grpc: - cluster_name: xds_cluster - set_node_on_first_message_only: true - # Prevent Envoy Node from overloading the xDS server due to rejected configuration when using xDS SotW gRPC - rate_limit_settings: - max_tokens: 5 - fill_rate: 0.2 - static_resources: - listeners: - - name: probe - address: - socket_address: - address: 0.0.0.0 - port_value: 19001 - filter_chains: - - filters: - - name: http_connection_manager - typed_config: - '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager - stat_prefix: http - codec_type: AUTO - http2_protocol_options: - initial_connection_window_size: 1048576 - initial_stream_window_size: 65536 - max_concurrent_streams: 100 - route_config: - name: probe - virtual_hosts: - - name: probe - domains: - - '*' - routes: - - name: ready - match: - path: /ready - headers: - - name: ':method' - string_match: - exact: 'GET' - route: - cluster: airlock_microgateway_engine_admin - http_filters: - - name: envoy.filters.http.router - typed_config: - '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router - - name: metrics - address: - socket_address: - address: 0.0.0.0 - port_value: 19002 - filter_chains: - - filters: - - name: http_connection_manager - typed_config: - '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager - stat_prefix: http - codec_type: AUTO - http2_protocol_options: - initial_connection_window_size: 1048576 - initial_stream_window_size: 65536 - max_concurrent_streams: 100 - route_config: - name: metrics - virtual_hosts: - - name: metrics - domains: - - '*' - routes: - - name: metrics - match: - path: /metrics - headers: - - name: ':method' - string_match: - exact: 'GET' - route: - prefix_rewrite: '/stats/prometheus' - cluster: airlock_microgateway_engine_admin - http_filters: - - name: envoy.filters.http.router - typed_config: - '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router - clusters: - - name: xds_cluster - connect_timeout: 1s - type: STRICT_DNS - load_assignment: - cluster_name: xds_cluster - endpoints: - - lb_endpoints: - - endpoint: - address: - socket_address: - address: airlock-microgateway-operator-xds.$(OPERATOR_NAMESPACE).svc.cluster.local - port_value: 13377 - typed_extension_protocol_options: - envoy.extensions.upstreams.http.v3.HttpProtocolOptions: - '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions - explicit_http_config: - http2_protocol_options: - connection_keepalive: - interval: 360s - timeout: 5s - transport_socket: - name: envoy.transport_sockets.tls - typed_config: - '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext - common_tls_context: - tls_params: - tls_minimum_protocol_version: TLSv1_3 - tls_maximum_protocol_version: TLSv1_3 - validation_context_sds_secret_config: - name: validation_context_sds - sds_config: - resource_api_version: V3 - path_config_source: - path: /etc/envoy/validation_context_sds_secret.yaml - watched_directory: - path: /etc/envoy/ - tls_certificate_sds_secret_configs: - - name: tls_certificate_sds - sds_config: - resource_api_version: V3 - path_config_source: - path: /etc/envoy/tls_certificate_sds_secret.yaml - watched_directory: - path: /etc/envoy/ - - name: airlock_microgateway_engine_admin - connect_timeout: 1s - type: STATIC - load_assignment: - cluster_name: airlock_microgateway_engine_admin - endpoints: - - lb_endpoints: - - endpoint: - address: - socket_address: - address: 127.0.0.1 - port_value: 19000 - typed_extension_protocol_options: - envoy.extensions.upstreams.http.v3.HttpProtocolOptions: - '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions - explicit_http_config: - http2_protocol_options: - connection_keepalive: - interval: 360s - timeout: 5s - stats_config: - stats_tags: - - tag_name: "category" - regex: "\\.(category\\.([^.]+))" - - tag_name: "rule_name" - regex: "\\.(rule\\.([^.]+))" - - tag_name: "limit_name" - regex: "\\.(limit\\.([^.]+))" - - tag_name: "threat_handling_mode" - regex: "\\.(threat_handling_mode\\.([^.]+))" - - tag_name: "envoy_cluster_name" - regex: "\\.(cluster\\.([^.]+))" - - tag_name: "version" - regex: "\\.(version\\.([^.]+))" - use_all_default_tags: true - bootstrap_extensions: - - name: airlock.bootstrap.engine_build_info - typed_config: - '@type': type.googleapis.com/airlock.extensions.bootstrap.stats.v1alpha.Stats - application_log_config: - log_format: - text_format: '{"@timestamp":"%Y-%m-%dT%T.%e%z","log":{"logger":"%n","level":"%l","origin":{"file":{"name":"%g","line":%#},"function":"%!"}},"event":{"module":"envoy","dataset":"envoy.application"},"process":{"pid":%P,"thread":{"id":%t}},"ecs":{"version":"8.5"},"message":"%j"}' - engine_container_template.yaml: | - name: "$(ENGINE_NAME)" - image: "$(ENGINE_IMAGE)" - imagePullPolicy: {{ .Values.engine.image.pullPolicy }} - args: - - "--config-path" - - "/etc/envoy/bootstrap_config.yaml" - - "--base-id" - - "$(BASE_ID)" - - "--file-flush-interval-msec" - - '1000' - - "--drain-time-s" - - '60' - - "--service-node" - - "$(POD_NAME).$(POD_NAMESPACE)" - - "--service-cluster" - - "$(APP_NAME).$(POD_NAMESPACE)" - - "--log-path" - - "/dev/stdout" - - "--log-level" - - "$(LOG_LEVEL)" - volumeMounts: - - name: airlock-microgateway-bootstrap-secret-volume - mountPath: /etc/envoy - readOnly: true - env: - - name: POD_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: POD_IP - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: status.podIP - ports: - - containerPort: 13378 - protocol: TCP - - containerPort: 19001 - protocol: TCP - - containerPort: 19002 - protocol: TCP - livenessProbe: - httpGet: - path: /ready - port: 19001 - scheme: HTTP - initialDelaySeconds: 5 - periodSeconds: 5 - failureThreshold: 5 - successThreshold: 1 - timeoutSeconds: 1 - readinessProbe: - httpGet: - path: /ready - port: 19001 - scheme: HTTP - initialDelaySeconds: 5 - periodSeconds: 5 - failureThreshold: 3 - successThreshold: 1 - timeoutSeconds: 1 - securityContext: - {{- include "airlock-microgateway.restrictedSecurityContext" . | nindent 6 }} - runAsUser: $(SECURITYCONTEXT_UID) - {{- with .Values.engine.resources }} - resources: - {{- toYaml . | nindent 6 }} - {{- end }} - network_validator_container_template.yaml: | - name: "$(NETWORK_VALIDATOR_NAME)" - image: "$(NETWORK_VALIDATOR_IMAGE)" - imagePullPolicy: {{ .Values.networkValidator.image.pullPolicy }} - command: ["/bin/sh", "-c"] - args: - - |- - echo 'pong' | nc -v -l 127.0.0.1 -p 13378 & - for i in 1 2 3; do - sleep 1s - if r=$(echo 'ping' | nc 127.0.0.1 19003) && [ $r == pong ]; then - echo -n 'Traffic redirection to Airlock Microgateway Engine is working.' > /dev/termination-log - exit 0 - fi - done - echo -en 'Traffic redirection to Airlock Microgateway Engine is not working.\nRestart the pod after ensuring that hostNetwork is disabled and a compatible Airlock Microgateway CNI version is installed on the node.\nCertain environments may also require additional configuration (see docs.airlock.com for more information).' > /dev/termination-log - exit 1 - securityContext: - {{- include "airlock-microgateway.restrictedSecurityContext" . | nindent 6 }} - runAsUser: $(SECURITYCONTEXT_UID) - operator_config.yaml: | - apiVersion: config.airlock.com/v1alpha1 - kind: OperatorConfig - health: - healthProbeBindAddress: :8081 - metrics: - bindAddress: 0.0.0.0:8080 - webhook: - port: 9443 - deployment: - sidecar: - engineContainerTemplate: "/sidecar/engine_container_template.yaml" - networkValidatorContainerTemplate: "/sidecar/network_validator_container_template.yaml" - engine: - bootstrapConfigTemplate: "/engine_bootstrap_config_template.yaml" - log: - level: {{ .Values.operator.config.logLevel }} diff --git a/charts/airlock/microgateway/4.2.3/templates/operator/deployment.yaml b/charts/airlock/microgateway/4.2.3/templates/operator/deployment.yaml deleted file mode 100644 index a14cd9bd3..000000000 --- a/charts/airlock/microgateway/4.2.3/templates/operator/deployment.yaml +++ /dev/null @@ -1,138 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "airlock-microgateway.operator.fullname" . }} - namespace: {{ .Release.Namespace }} - labels: - {{- include "airlock-microgateway.operator.labels" . | nindent 4 }} - {{- with .Values.commonAnnotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -spec: - replicas: {{ .Values.operator.replicaCount }} - {{- with .Values.operator.updateStrategy }} - strategy: - {{- toYaml . | trim | nindent 4 }} - {{- end }} - selector: - matchLabels: - {{- include "airlock-microgateway.operator.selectorLabels" . | nindent 6 }} - template: - metadata: - annotations: - checksum/config: {{ include (print $.Template.BasePath "/operator/configmap.yaml") . | sha256sum }} - kubectl.kubernetes.io/default-container: manager - {{- with mustMerge .Values.operator.podAnnotations .Values.commonAnnotations}} - {{- toYaml . | nindent 8 }} - {{- end }} - labels: - {{- include "airlock-microgateway.operator.labels" . | nindent 8 }} - {{- with .Values.operator.podLabels }} - {{- toYaml . | nindent 8 }} - {{- end }} - spec: - containers: - - args: - - --config=operator_config.yaml - env: - - name: ENGINE_IMAGE - value: {{ include "airlock-microgateway.image" .Values.engine.image }} - - name: NETWORK_VALIDATOR_IMAGE - value: {{ include "airlock-microgateway.image" .Values.networkValidator.image }} - - name: OPERATOR_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: OPERATOR_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - image: {{ include "airlock-microgateway.image" .Values.operator.image }} - imagePullPolicy: {{ .Values.operator.image.pullPolicy }} - livenessProbe: - httpGet: - path: /healthz - port: 8081 - initialDelaySeconds: 15 - periodSeconds: 20 - timeoutSeconds: 5 - name: manager - ports: - - containerPort: 9443 - name: webhook-server - protocol: TCP - - containerPort: 13377 - name: xds-server - protocol: TCP - - containerPort: 8080 - protocol: TCP - - containerPort: 8081 - protocol: TCP - readinessProbe: - httpGet: - path: /readyz - port: 8081 - initialDelaySeconds: 5 - periodSeconds: 10 - timeoutSeconds: 5 - {{- with .Values.operator.resources }} - resources: - {{- toYaml . | nindent 10 }} - {{- end }} - securityContext: - {{- include "airlock-microgateway.restrictedSecurityContext" . | nindent 10 }} - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /tmp/k8s-webhook-server/serving-certs - name: cert - readOnly: true - - mountPath: /opt/airlock/license/ - name: airlock-microgateway-license - readOnly: true - - mountPath: /operator_config.yaml - name: operator-config - subPath: operator_config.yaml - - mountPath: /sidecar/engine_container_template.yaml - name: operator-config - subPath: engine_container_template.yaml - - mountPath: /sidecar/network_validator_container_template.yaml - name: operator-config - subPath: network_validator_container_template.yaml - - mountPath: /engine_bootstrap_config_template.yaml - name: operator-config - subPath: engine_bootstrap_config_template.yaml - securityContext: - runAsNonRoot: true - serviceAccountName: {{ include "airlock-microgateway.operator.serviceAccountName" . }} - terminationGracePeriodSeconds: 10 - {{- with .Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.operator.nodeSelector }} - nodeSelector: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.operator.tolerations }} - tolerations: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.operator.affinity }} - affinity: - {{- toYaml . | nindent 8 }} - {{- end }} - volumes: - - name: cert - secret: - defaultMode: 420 - secretName: {{ include "airlock-microgateway.operator.fullname" . }}-webhook-server-cert - - name: airlock-microgateway-license - secret: - defaultMode: 292 - optional: true - secretName: {{ .Values.license.secretName }} - - configMap: - name: {{ include "airlock-microgateway.operator.fullname" . }}-config - name: operator-config diff --git a/charts/airlock/microgateway/4.2.3/templates/operator/manager-clusterrole.yaml b/charts/airlock/microgateway/4.2.3/templates/operator/manager-clusterrole.yaml deleted file mode 100644 index d3ce5540c..000000000 --- a/charts/airlock/microgateway/4.2.3/templates/operator/manager-clusterrole.yaml +++ /dev/null @@ -1,14 +0,0 @@ -{{- if .Values.operator.rbac.create }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ include "airlock-microgateway.operator.fullname" . }}-manager-{{ .Release.Namespace }} - labels: - {{- include "airlock-microgateway.operator.labels" . | nindent 4 }} - {{- with .Values.commonAnnotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -rules: -{{ include "airlock-microgateway-operator.rbacRules" . -}} -{{- end -}} diff --git a/charts/airlock/microgateway/4.2.3/templates/operator/manager-clusterrolebinding.yaml b/charts/airlock/microgateway/4.2.3/templates/operator/manager-clusterrolebinding.yaml deleted file mode 100644 index 059c161ea..000000000 --- a/charts/airlock/microgateway/4.2.3/templates/operator/manager-clusterrolebinding.yaml +++ /dev/null @@ -1,20 +0,0 @@ -{{- if .Values.operator.rbac.create -}} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: {{ include "airlock-microgateway.operator.fullname" . }}-manager-{{ .Release.Namespace }} - labels: - {{- include "airlock-microgateway.operator.labels" . | nindent 4 }} - {{- with .Values.commonAnnotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: {{ include "airlock-microgateway.operator.fullname" . }}-manager-{{ .Release.Namespace }} -subjects: - - kind: ServiceAccount - name: {{ include "airlock-microgateway.operator.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} -{{- end -}} diff --git a/charts/airlock/microgateway/4.2.3/templates/operator/mutating-webhook.yaml b/charts/airlock/microgateway/4.2.3/templates/operator/mutating-webhook.yaml deleted file mode 100644 index 4583e1452..000000000 --- a/charts/airlock/microgateway/4.2.3/templates/operator/mutating-webhook.yaml +++ /dev/null @@ -1,14 +0,0 @@ -apiVersion: admissionregistration.k8s.io/v1 -kind: MutatingWebhookConfiguration -metadata: - name: {{ include "airlock-microgateway.operator.fullname" . }}-webhook-{{ .Release.Namespace }} - namespace: {{ .Release.Namespace }} - labels: - {{- include "airlock-microgateway.operator.labels" . | nindent 4 }} - annotations: - cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "airlock-microgateway.operator.fullname" . }}-serving-cert - {{- with .Values.commonAnnotations }} - {{- toYaml . | nindent 4 }} - {{- end }} -webhooks: -{{ include "airlock-microgateway-operator.mutatingWebhooks" . -}} \ No newline at end of file diff --git a/charts/airlock/microgateway/4.2.3/templates/operator/podmonitor.yaml b/charts/airlock/microgateway/4.2.3/templates/operator/podmonitor.yaml deleted file mode 100644 index f84031633..000000000 --- a/charts/airlock/microgateway/4.2.3/templates/operator/podmonitor.yaml +++ /dev/null @@ -1,26 +0,0 @@ -{{- if .Values.engine.sidecar.podMonitor.create }} -apiVersion: monitoring.coreos.com/v1 -kind: PodMonitor -metadata: - name: {{ include "airlock-microgateway.fullname" . }}-engine - namespace: {{ .Release.Namespace }} - labels: - {{- include "airlock-microgateway.operator.labels" . | nindent 4 }} - {{- with .Values.engine.sidecar.podMonitor.labels }} - {{- toYaml . | nindent 4 }} - {{- end }} - {{- with .Values.commonAnnotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -spec: - namespaceSelector: - any: true - selector: - matchLabels: - sidecar.microgateway.airlock.com/inject: "true" - podMetricsEndpoints: - - targetPort: 19002 - path: /metrics - scheme: http -{{- end -}} \ No newline at end of file diff --git a/charts/airlock/microgateway/4.2.3/templates/operator/validating-webhook.yaml b/charts/airlock/microgateway/4.2.3/templates/operator/validating-webhook.yaml deleted file mode 100644 index 6332a0296..000000000 --- a/charts/airlock/microgateway/4.2.3/templates/operator/validating-webhook.yaml +++ /dev/null @@ -1,14 +0,0 @@ -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - name: {{ include "airlock-microgateway.operator.fullname" . }}-webhook-{{ .Release.Namespace }} - namespace: {{ .Release.Namespace }} - labels: - {{- include "airlock-microgateway.operator.labels" . | nindent 4 }} - annotations: - cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "airlock-microgateway.operator.fullname" . }}-serving-cert - {{- with .Values.commonAnnotations }} - {{- toYaml . | nindent 4 }} - {{- end }} -webhooks: -{{ include "airlock-microgateway-operator.validatingWebhooks" . -}} \ No newline at end of file diff --git a/charts/airlock/microgateway/4.2.3/templates/scc-role.yaml b/charts/airlock/microgateway/4.2.3/templates/scc-role.yaml new file mode 100644 index 000000000..862748692 --- /dev/null +++ b/charts/airlock/microgateway/4.2.3/templates/scc-role.yaml @@ -0,0 +1,22 @@ +{{- if .Values.rbac.createSCCRole -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "airlock-microgateway-cni.fullname" . }}-privileged + namespace: {{ .Release.Namespace }} + labels: + {{- include "airlock-microgateway-cni.labels" . | nindent 4 }} + {{- with .Values.commonAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +rules: +- apiGroups: + - security.openshift.io + resourceNames: + - privileged + resources: + - securitycontextconstraints + verbs: + - use +{{- end -}} \ No newline at end of file diff --git a/charts/airlock/microgateway/4.2.3/templates/scc-rolebinding.yaml b/charts/airlock/microgateway/4.2.3/templates/scc-rolebinding.yaml new file mode 100644 index 000000000..ebd02982c --- /dev/null +++ b/charts/airlock/microgateway/4.2.3/templates/scc-rolebinding.yaml @@ -0,0 +1,20 @@ +{{- if .Values.rbac.createSCCRole -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ include "airlock-microgateway-cni.fullname" . }}-privileged + namespace: {{ .Release.Namespace }} + labels: + {{- include "airlock-microgateway-cni.labels" . | nindent 4 }} + {{- with .Values.commonAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ include "airlock-microgateway-cni.fullname" . }}-privileged +subjects: +- kind: ServiceAccount + name: {{ include "airlock-microgateway-cni.serviceAccountName" . }} +{{- end -}} diff --git a/charts/airlock/microgateway/4.2.3/templates/serviceaccount.yaml b/charts/airlock/microgateway/4.2.3/templates/serviceaccount.yaml new file mode 100644 index 000000000..3dc8d58ea --- /dev/null +++ b/charts/airlock/microgateway/4.2.3/templates/serviceaccount.yaml @@ -0,0 +1,13 @@ +{{- if .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "airlock-microgateway-cni.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "airlock-microgateway-cni.labels" . | nindent 4 }} + {{- with mustMerge .Values.serviceAccount.annotations .Values.commonAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end -}} diff --git a/charts/airlock/microgateway/4.2.3/templates/tests/rbac.yaml b/charts/airlock/microgateway/4.2.3/templates/tests/rbac.yaml index a067a4304..744799333 100644 --- a/charts/airlock/microgateway/4.2.3/templates/tests/rbac.yaml +++ b/charts/airlock/microgateway/4.2.3/templates/tests/rbac.yaml @@ -2,106 +2,63 @@ apiVersion: v1 kind: ServiceAccount metadata: - labels: - app.kubernetes.io/component: tests - app.kubernetes.io/name: {{ include "airlock-microgateway.name" . }}-tests - {{- include "airlock-microgateway.sharedLabels" . | nindent 4 }} - name: "{{ include "airlock-microgateway.fullname" . }}-tests" + name: "{{ include "airlock-microgateway-cni.fullname" . }}-tests" namespace: {{ .Release.Namespace }} + labels: + {{- include "airlock-microgateway-cni.labelsWithoutComponent" . | nindent 4 }} + app.kubernetes.io/component: tests --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: - labels: - app.kubernetes.io/component: tests - app.kubernetes.io/name: {{ include "airlock-microgateway.name" . }}-tests - {{- include "airlock-microgateway.sharedLabels" . | nindent 4 }} - name: "{{ include "airlock-microgateway.fullname" . }}-tests" + name: "{{ include "airlock-microgateway-cni.fullname" . }}-tests" namespace: {{ .Release.Namespace }} + labels: + {{- include "airlock-microgateway-cni.labelsWithoutComponent" . | nindent 4 }} + app.kubernetes.io/component: tests roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: "{{ include "airlock-microgateway.fullname" . }}-tests" + name: "{{ include "airlock-microgateway-cni.fullname" . }}-tests" subjects: - kind: ServiceAccount - name: "{{ include "airlock-microgateway.fullname" . }}-tests" + name: "{{ include "airlock-microgateway-cni.fullname" . }}-tests" --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - labels: - app.kubernetes.io/component: tests - app.kubernetes.io/name: {{ include "airlock-microgateway.name" . }}-tests - {{- include "airlock-microgateway.sharedLabels" . | nindent 4 }} - name: "{{ include "airlock-microgateway.fullname" . }}-tests" + name: "{{ include "airlock-microgateway-cni.fullname" . }}-tests" namespace: {{ .Release.Namespace }} + labels: + {{- include "airlock-microgateway-cni.labelsWithoutComponent" . | nindent 4 }} + app.kubernetes.io/component: tests rules: - apiGroups: - - microgateway.airlock.com + - "apps" resources: - - sidecargateways + - daemonsets resourceNames: - - "{{ include "airlock-microgateway.fullname" . }}-test-sidecargateway" + - {{ include "airlock-microgateway-cni.fullname" . }} verbs: - - get - - list - - watch - - delete + - get + - watch + - list - apiGroups: - - microgateway.airlock.com + - "" resources: - - sidecargateways + - pods + - pods/log verbs: - - create + - get + - list +{{- if .Values.rbac.createSCCRole }} - apiGroups: - - "" - resources: - - events - verbs: - - list -- apiGroups: - - "apps" - resources: - - deployments + - security.openshift.io resourceNames: - - "{{ include "airlock-microgateway.operator.fullname" . }}" - verbs: - - get - - list - - watch -- apiGroups: - - "apps" + - privileged resources: - - statefulsets - - statefulsets/scale - resourceNames: - - "{{ include "airlock-microgateway.fullname" . }}-test-backend" + - securitycontextconstraints verbs: - - get - - list - - watch - - patch -- apiGroups: - - "" - resources: - - pods - - pods/log - - pods/status - - pods/attach - resourceNames: - - "{{ include "airlock-microgateway.fullname" . }}-test-backend-0" - - "{{ include "airlock-microgateway.fullname" . }}-test-valid-request" - - "{{ include "airlock-microgateway.fullname" . }}-test-injection-request" - verbs: - - get - - list - - create - - watch - - delete -- apiGroups: - - "" - resources: - - pods - verbs: - - create + - use +{{- end -}} {{- end -}} diff --git a/charts/airlock/microgateway/4.2.3/templates/tests/test-install.yaml b/charts/airlock/microgateway/4.2.3/templates/tests/test-install.yaml index 35fd0f4e1..12d8c8de7 100644 --- a/charts/airlock/microgateway/4.2.3/templates/tests/test-install.yaml +++ b/charts/airlock/microgateway/4.2.3/templates/tests/test-install.yaml @@ -2,13 +2,11 @@ apiVersion: v1 kind: Pod metadata: - name: "{{ include "airlock-microgateway.fullname" . }}-test-install" + name: "{{ include "airlock-microgateway-cni.fullname" . }}-test-install" namespace: {{ .Release.Namespace }} labels: + {{- include "airlock-microgateway-cni.labelsWithoutComponent" . | nindent 4 }} app.kubernetes.io/component: test-install - app.kubernetes.io/name: {{ include "airlock-microgateway.name" . }}-tests - {{- include "airlock-microgateway.sharedLabels" . | nindent 4 }} - {{- include "airlock-microgateway.sharedSelectorLabels" . | nindent 4 }} annotations: helm.sh/hook: test helm.sh/hook-delete-policy: before-hook-creation @@ -18,183 +16,88 @@ spec: - name: test image: "bitnami/kubectl:{{ .Capabilities.KubeVersion.Major }}.{{ .Capabilities.KubeVersion.Minor }}" securityContext: - {{- include "airlock-microgateway.restrictedSecurityContext" . | nindent 6 }} + allowPrivilegeEscalation: {{ .Values.privileged }} + capabilities: + drop: + - ALL + privileged: {{ .Values.privileged }} + readOnlyRootFilesystem: true + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /host/opt/cni/bin + name: cni-bin-dir + readOnly: true + - mountPath: /host/etc/cni/net.d + name: cni-net-dir + readOnly: true command: - sh - -c - | set -eu - clean_up() { - echo "" - echo "### Clean up test resources" - kubectl delete --ignore-not-found=true -n {{ .Release.Namespace }} sidecargateways.microgateway.airlock.com {{ include "airlock-microgateway.fullname" . }}-test-sidecargateway || true - echo "" - echo "### Scale down '{{ include "airlock-microgateway.fullname" . }}-test-backend'" - kubectl scale -n {{ .Release.Namespace }} statefulset/{{ include "airlock-microgateway.fullname" . }}-test-backend --replicas=0 --timeout=30s - sleep 3s - echo "" - } - fail() { + echo "Error: ${1}" echo "" - echo "### Error: ${1}" - echo "" - echo 'Microgateway Sidecargateway status:' - kubectl get -n {{ .Release.Namespace }} sidecargateway.microgateway.airlock.com/{{ include "airlock-microgateway.fullname" . }}-test-sidecargateway -o jsonpath-as-json='{.status}' || true - echo "" - echo "" - echo "Pod '{{ include "airlock-microgateway.fullname" . }}-test-backend-0':" - kubectl describe -n {{ .Release.Namespace }} pods/{{ include "airlock-microgateway.fullname" . }}-test-backend-0 || true - echo "" - echo "" - echo 'Logs of Nginx container:' - kubectl logs -n {{ .Release.Namespace }} pods/{{ include "airlock-microgateway.fullname" . }}-test-backend-0 -c nginx --tail 5 || true - echo "" - echo "" - # Wait for engine logs - sleep 10s - echo 'Logs of Microgateway Engine container:' - kubectl logs -n {{ .Release.Namespace }} pods/{{ include "airlock-microgateway.fullname" . }}-test-backend-0 -c airlock-microgateway-engine --tail 5 || true + echo 'CNI installer logs:' + kubectl logs -n {{ .Release.Namespace }} daemonsets/{{ include "airlock-microgateway-cni.fullname" .}} -c cni-installer exit 1 } - create_sidecargateway() { - # create SidecarGateway resource for testing purposes - kubectl delete --ignore-not-found=true -n {{ .Release.Namespace }} sidecargateways.microgateway.airlock.com {{ include "airlock-microgateway.fullname" . }}-test-sidecargateway || true - kubectl apply -f - </dev/null 2>&1; do sleep 1s; i=$((i+1)); done - kubectl logs -f -n {{ .Release.Namespace }} {{ include "airlock-microgateway.fullname" . }}-test-valid-request - kubectl delete pod --ignore-not-found=true -n {{ .Release.Namespace }} {{ include "airlock-microgateway.fullname" . }}-test-valid-request - } - - trap clean_up EXIT - - echo "### Waiting for Microgateway Deployments to be ready" - if ! kubectl rollout status -n {{ .Release.Namespace }} --timeout=90s \ - deployments/{{ include "airlock-microgateway.operator.fullname" . }}; then - fail 'Timout occurred' + if ! kubectl rollout status --timeout=60s -n {{ .Release.Namespace }} daemonsets/{{ include "airlock-microgateway-cni.fullname" .}}; then + fail 'CNI DaemonSet rollout did not complete within timeout' fi - echo "" - echo "### Scale '{{ include "airlock-microgateway.fullname" . }}-test-backend' to '1' replica" - # scale to zero replicas to ensure no pods are present from previous runs - kubectl scale -n {{ .Release.Namespace }} statefulset/{{ include "airlock-microgateway.fullname" . }}-test-backend --replicas=0 --timeout=10s - kubectl scale -n {{ .Release.Namespace }} statefulset/{{ include "airlock-microgateway.fullname" . }}-test-backend --replicas=1 --timeout=10s - echo "" - - echo "### Waiting for backend pod" - i=0 - while true; do - if kubectl get -n {{ .Release.Namespace }} pods/{{ include "airlock-microgateway.fullname" . }}-test-backend-0; then - break - elif [ $i -gt 3 ]; then - fail 'Pod not ready' - fi - sleep 2s - i=$((i+1)) - done - - echo "### Checking Microgateway Engine sidecar container was injected" - if ! kubectl get -n {{ .Release.Namespace }} pods/{{ include "airlock-microgateway.fullname" . }}-test-backend-0 -o jsonpath='{.spec.containers[?(@.name=="airlock-microgateway-engine")]}' | grep -q "airlock-microgateway-engine"; then - fail 'Microgateway Engine sidecar container not injected' + echo "Checking whether CNI binary was installed" + if ! [ -f "/host/opt/cni/bin/{{ include "airlock-microgateway-cni.fullname" . }}" ]; then + fail 'CNI binary was not installed' fi - echo "True" - echo "" - echo "### Checking for valid license" - i=0 - while true; do - if [ "$(kubectl get -n {{ .Release.Namespace }} pods/{{ include "airlock-microgateway.fullname" . }}-test-backend-0 -o jsonpath='{.metadata.labels.sidecar\.microgateway\.airlock\.com/licensed}')" = 'true' ]; then - break - elif [ $i -gt 30 ]; then - fail 'Microgateway license is missing or invalid' - fi - sleep 2s - i=$((i+1)) - done - echo "True" - echo "" - - echo "### Create SidecarGateway resource for testing" - if ! create_sidecargateway ; then - fail 'Creation of SidecarGateway resource failed' + echo "Checking whether CNI kubeconfig was installed" + if ! [ -f "/host/etc/cni/net.d/{{ include "airlock-microgateway-cni.fullname" . }}-kubeconfig" ]; then + fail 'CNI kubeconfig was not created' fi - echo "" - echo "### Waiting for '{{ include "airlock-microgateway.fullname" . }}-test-backend' to be ready" - if ! kubectl rollout status -n {{ .Release.Namespace }} statefulset/{{ include "airlock-microgateway.fullname" . }}-test-backend --timeout=90s; then - fail 'Timout occurred' - fi - echo "" + echo "Checking whether CNI configuration was written" + case {{ .Values.config.installMode }} in + "chained") + for file in "/host/etc/cni/net.d/"*.conflist; do + if containsMGWCNIConf "${file}"; then + echo "Success" + exit 0 + fi + done + ;; + "standalone") + if containsMGWCNIConf "/host/etc/cni/net.d/{{ include "airlock-microgateway-cni.fullname" . }}.conflist"; then + echo "Success" + exit 0 + fi + ;; + "manual") + echo "- Skipping because we are in 'manual' install mode" + echo "Success" + exit 0 + ;; + esac - echo "### Waiting for 'engine-config-valid' condition" - if ! kubectl wait -n {{ .Release.Namespace }} pods --field-selector=metadata.name={{ include "airlock-microgateway.fullname" . }}-test-backend-0 --timeout=90s --for=condition=microgateway.airlock.com/engine-config-valid=True; then - fail 'Configuration was never accepted by the Microgateway Engine' - fi - sleep 5s - echo "" - echo "" - - echo "### Checking whether a valid request is successful and returns HTTP status code '200'" - out=$(curl -vsS --retry 3 --retry-connrefused --connect-timeout 10 "http://{{ include "airlock-microgateway.fullname" . }}-test-service:8080/" || true) - echo "Response:" - echo "${out}" - if ! echo "${out}" | grep -q "200 OK"; then - fail 'A valid request was not successful' - fi - echo "" - echo "" - - echo "### Checking whether a request with an injection attack is blocked and returns HTTP status code '400'" - out=$(curl -vsS --retry 3 --retry-connrefused --connect-timeout 10 "http://{{ include "airlock-microgateway.fullname" . }}-test-service:8080/?token='%20UnION%20all%20select%20A" || true) - echo "Response:" - echo "${out}" - if ! echo "${out}" | grep -q "400 Bad Request"; then - fail 'A malicious request was not blocked' - fi - echo "" - echo "" - - echo "### Installation of '{{ include "airlock-microgateway.fullname" . }}' succeeded" - exit 0 - serviceAccountName: "{{ include "airlock-microgateway.fullname" . }}-tests" + fail 'Configuration for plugin "{{ include "airlock-microgateway-cni.fullname" . }}" was not found' + serviceAccountName: "{{ include "airlock-microgateway-cni.fullname" . }}-tests" + volumes: + - hostPath: + path: "{{ .Values.config.cniBinDir }}" + type: Directory + name: cni-bin-dir + - hostPath: + path: "{{ .Values.config.cniNetDir }}" + type: Directory + name: cni-net-dir {{- end -}} diff --git a/charts/airlock/microgateway/4.2.3/values.schema.json b/charts/airlock/microgateway/4.2.3/values.schema.json index 208521ded..e087bd700 100644 --- a/charts/airlock/microgateway/4.2.3/values.schema.json +++ b/charts/airlock/microgateway/4.2.3/values.schema.json @@ -14,15 +14,6 @@ "commonAnnotations": { "$ref": "#/definitions/StringMap" }, - "crds": { - "type": "object", - "properties": { - "skipVersionCheck": { - "type": "boolean" - } - }, - "additionalProperties": false - }, "imagePullSecrets": { "type": "array", "items": { @@ -39,194 +30,120 @@ "additionalProperties": true } }, - "operator": { + "image": { + "$ref": "#/definitions/Image" + }, + "podAnnotations": { + "$ref": "#/definitions/StringMap" + }, + "podLabels": { + "$ref": "#/definitions/StringMap" + }, + "resources": { + "type": "object" + }, + "nodeSelector": { + "$ref": "#/definitions/StringMap" + }, + "affinity": { + "type": "object" + }, + "rbac": { "type": "object", "properties": { - "replicaCount": { - "type": "integer", - "minimum": 0 + "create": { + "type": "boolean" }, - "updateStrategy": { - "$ref": "#/definitions/UpdateStrategy" - }, - "image": { - "$ref": "#/definitions/Image" - }, - "podAnnotations": { - "$ref": "#/definitions/StringMap" - }, - "podLabels": { - "$ref": "#/definitions/StringMap" - }, - "serviceAnnotations": { - "$ref": "#/definitions/StringMap" - }, - "serviceLabels": { - "$ref": "#/definitions/StringMap" - }, - "resources": { - "type": "object" - }, - "nodeSelector": { - "$ref": "#/definitions/StringMap" - }, - "tolerations": { - "type": "array", - "items": { - "type": "object" - } - }, - "affinity": { - "type": "object" - }, - "config": { - "type": "object", - "properties": { - "logLevel": { - "type": "string", - "enum": [ - "debug", - "info", - "warn", - "error" - ] - } - }, - "required": [ - "logLevel" - ], - "additionalProperties": false - }, - "serviceAccount": { - "type": "object", - "properties": { - "create": { - "type": "boolean" - }, - "annotations": { - "$ref": "#/definitions/StringMap" - }, - "name": { - "type": "string" - } - }, - "required": [ - "annotations", - "create", - "name" - ], - "additionalProperties": false - }, - "rbac": { - "type": "object", - "properties": { - "create": { - "type": "boolean" - } - }, - "required": [ - "create" - ], - "additionalProperties": false - }, - "serviceMonitor": { - "type": "object", - "properties": { - "create": { - "type": "boolean" - }, - "labels": { - "$ref": "#/definitions/StringMap" - } - }, - "required": [ - "create" - ], - "additionalProperties": false + "createSCCRole": { + "type": "boolean" } }, "required": [ - "affinity", - "config", - "image", - "updateStrategy", - "nodeSelector", - "podAnnotations", - "podLabels", - "rbac", - "replicaCount", - "resources", - "serviceAccount", - "serviceAnnotations", - "serviceLabels", - "serviceMonitor", - "tolerations" + "create", + "createSCCRole" ], "additionalProperties": false }, - "engine": { + "privileged": { + "type": "boolean" + }, + "serviceAccount": { "type": "object", "properties": { - "image": { - "$ref": "#/definitions/Image" + "create": { + "type": "boolean" }, - "resources": { - "type": "object" + "annotations": { + "$ref": "#/definitions/StringMap" }, - "sidecar": { - "type": "object", - "properties":{ - "podMonitor": { - "type": "object", - "properties": { - "create": { - "type": "boolean" - }, - "labels": { - "$ref": "#/definitions/StringMap" - } - }, - "required": [ - "create" - ], - "additionalProperties": false - } - }, - "required": [ - "podMonitor" - ], - "additionalProperties": false + "name": { + "type": "string" } }, "required": [ - "image", - "resources", - "sidecar" + "annotations", + "create", + "name" ], "additionalProperties": false }, - "networkValidator": { + "multusNetworkAttachmentDefinition": { "type": "object", "properties": { - "image": { - "$ref": "#/definitions/Image" + "create": { + "type": "boolean" + }, + "namespace": { + "type": "string" } }, "required": [ - "image" + "create", + "namespace" ], "additionalProperties": false }, - "license": { + "config": { "type": "object", "properties": { - "secretName": { + "installMode": { + "type": "string", + "enum": [ + "chained", + "standalone", + "manual" + ] + }, + "logLevel": { + "type": "string", + "enum": [ + "debug", + "info", + "warn", + "error" + ] + }, + "cniNetDir": { "type": "string", "minLength": 1 + }, + "cniBinDir": { + "type": "string", + "minLength": 1 + }, + "excludeNamespaces": { + "type": "array", + "items": { + "type": "string" + } } }, "required": [ - "secretName" + "cniBinDir", + "cniNetDir", + "excludeNamespaces", + "installMode", + "logLevel" ], "additionalProperties": false }, @@ -247,16 +164,22 @@ } }, "required": [ + "affinity", "commonAnnotations", "commonLabels", - "crds", - "engine", + "config", "fullnameOverride", + "image", "imagePullSecrets", - "license", + "multusNetworkAttachmentDefinition", "nameOverride", - "operator", - "networkValidator", + "nodeSelector", + "podAnnotations", + "podLabels", + "privileged", + "rbac", + "resources", + "serviceAccount", "tests" ], "additionalProperties": false, @@ -297,68 +220,6 @@ "tag" ], "additionalProperties": false - }, - "UpdateStrategy": { - "type": "object", - "oneOf" : [ - { - "properties": { - "type": { - "$ref": "#/definitions/RecreateType" - } - }, - "required": [ - "type" - ], - "additionalProperties": false - }, - { - "properties": { - "type": { - "$ref": "#/definitions/RollingUpdateType" - }, - "rollingUpdate": { - "$ref": "#/definitions/RollingUpdate" - } - }, - "required": [ - "type" - ], - "additionalProperties": false - } - ] - }, - "RecreateType": { - "type": "string", - "enum": [ - "Recreate" - ] - }, - "RollingUpdateType": { - "type": "string", - "enum": [ - "RollingUpdate" - ] - }, - "RollingUpdate": { - "type": "object", - "properties": { - "maxSurge": { - "type": ["integer", "string"], - "minimum": 0, - "pattern": "^\\d+%?$" - }, - "maxUnavailable": { - "type": ["integer", "string"], - "minimum": 0, - "pattern": "^\\d+%?$" - } - }, - "anyOf": [ - {"required": ["maxSurge"]}, - {"required": ["maxUnavailable"]} - ], - "additionalProperties": false } } } diff --git a/charts/airlock/microgateway/4.2.3/values.yaml b/charts/airlock/microgateway/4.2.3/values.yaml index 24772bb69..ba8acd686 100644 --- a/charts/airlock/microgateway/4.2.3/values.yaml +++ b/charts/airlock/microgateway/4.2.3/values.yaml @@ -1,4 +1,4 @@ -# -- Allows overriding the name to use instead of "microgateway". +# -- Allows overriding the name to use instead of "microgateway-cni". nameOverride: "" # -- Allows overriding the name to use as full name of resources. fullnameOverride: "" @@ -10,127 +10,71 @@ commonAnnotations: {} imagePullSecrets: [] # - name: myRegistryKeySecretName -crds: - # -- Whether to skip the sanity check which prevents installing/upgrading the helm chart in a cluster with outdated Airlock Microgateway CRDs. - # The check aims to prevent unexpected behavior and issues due to Helm v3 not automatically upgrading CRDs which are already present in the cluster - # when performing a "helm install/upgrade". - skipVersionCheck: false -operator: - # -- Number of replicas for the operator Deployment. - replicaCount: 2 - # -- Specifies the operator update strategy. - updateStrategy: - type: RollingUpdate - # Specifies the Airlock Microgateway Operator image. - image: - # -- Image repository from which to pull the Airlock Microgateway Operator image. - repository: "quay.io/airlock/microgateway-operator" - # -- Image tag to pull. - tag: "4.2.3" - # -- SHA256 image digest to pull (in the format "sha256:c79ee3f85862fb386e9dd62b901b607161d27807f512d7fbdece05e9ee3d7c63"). - # Overrides tag when specified. - digest: "sha256:a429dfdb636e76bfbee7c59cfbe53d5f396c1f5603d5cb187f6283301ba4d7ba" - # -- Pull policy for this image. - pullPolicy: IfNotPresent - # -- Annotations to add to all Pods. - podAnnotations: {} - # -- Labels to add to all Pods. - podLabels: {} - # -- Annotations to add to the Service. - serviceAnnotations: {} - # prometheus.io/scrape: "true" - # prometheus.io/port: "8080" - - # -- Labels to add to the Service. - serviceLabels: {} - # -- Resource restrictions to apply to the operator container. - resources: {} - # We recommend at least the following resource specification. - # limits: - # cpu: 1000m - # memory: 512Mi - # requests: - # cpu: 100m - # memory: 512Mi - - # -- Custom nodeSelector to apply to the operator Deployment in order to constrain its Pods to certain nodes. - nodeSelector: {} - # -- Custom tolerations to apply to the operator Deployment in order to allow its Pods to run on tainted nodes. - tolerations: [] - # -- Custom affinity to apply to the operator Deployment. Used to influence the scheduling. - affinity: {} - # Parameters for the operator configuration. - config: - # -- Operator application log level. - logLevel: "info" - # Configures the generation of the ServiceAccount. - serviceAccount: - # -- Whether a ServiceAccount should be created. - create: true - # -- Annotations to add to the ServiceAccount. - annotations: {} - # -- Name of the ServiceAccount to use. - # If not set and create is true, a name is generated using the fullname template. - name: "" - # Configures the generation of Role and RoleBinding as well ClusterRoles and ClusterRoleBinding pairs for the ServiceAccount specified above. - rbac: - # -- Whether to create RBAC resources which are required for the Airlock Microgateway Operator to function. - create: true - # Configures the generation of a Prometheus Operator ServiceMonitor. - serviceMonitor: - # -- Whether to create a ServiceMonitor resource for monitoring. - create: false - # -- Labels to add to the ServiceMonitor. - labels: {} - # release: "" -engine: - # Specifies the Airlock Microgateway Engine image. - image: - # -- Image repository from which to pull the Airlock Microgateway Engine image. - repository: "quay.io/airlock/microgateway-engine" - # -- Image tag to pull. - tag: "4.2.3" - # -- SHA256 image digest to pull (in the format "sha256:a3051f42d3013813b05f7513bb86ed6a3209cb3003f1bb2f7b72df249aa544d3"). - # Overrides tag when specified. - digest: "sha256:9b0debeef611172aa5ca79c6b8cd045e56a3c883763ec62c0fa211bb86d35304" - # -- Pull policy for this image. - pullPolicy: IfNotPresent - # -- Resource restrictions to apply to the Airlock Microgateway Engine container. - resources: {} - # We recommend at least the following resource specification. - # limits: - # cpu: 500m - # memory: 128Mi - # requests: - # cpu: 10m - # memory: 40Mi - - # Additional configuration when deployed as a sidecar. - sidecar: - # Configures the generation of a Prometheus Operator PodMonitor. - podMonitor: - # -- Whether to create a PodMonitor resource for monitoring. - create: false - # -- Labels to add to the PodMonitor. - labels: {} - # release: "" -networkValidator: - # Specifies the Airlock Microgateway Network Validator image to be injected as an init-container. - image: - # -- Image repository from which to pull the busybox image for the Airlock Microgateway Network Validator init-container. - repository: "cgr.dev/chainguard/busybox" - # -- Image tag to pull. - tag: "" - # -- SHA256 image digest to pull (in the format "sha256:a212cef6665b2464a41307162fa96e9623aa45c3fa32c39d320eae8b730d81e0"). - # Overrides tag when specified. - digest: "sha256:a212cef6665b2464a41307162fa96e9623aa45c3fa32c39d320eae8b730d81e0" - # -- Pull policy for this image. - pullPolicy: IfNotPresent -license: - # -- Name of the secret containing the "microgateway-license.txt" key. - secretName: "airlock-microgateway-license" -# Check whether the installation of the Airlock Microgateway Helm Chart was successful. -# Requires a secret with a valid Airlock Microgateway license key already to be present. +# Specifies the Airlock Microgateway CNI image. +image: + # -- Image repository from which to pull the Airlock Microgateway CNI image. + repository: "quay.io/airlock/microgateway-cni" + # -- Image tag to pull. + tag: "4.2.3" + # -- SHA256 image digest to pull (in the format "sha256:7144f7bab3d4c2648d7e59409f15ec52a18006a128c733fcff20d3a4a54ba44a"). + # Overrides tag when specified. + digest: "sha256:82b5924866840f783cce2e9b4095b7710a0e1cbf555498e8723ca811ca916290" + # -- Pull policy for this image. + pullPolicy: IfNotPresent +# -- Annotations to add to all Pods. +podAnnotations: {} +# -- Labels to add to all Pods. +podLabels: {} +# -- Resource restrictions to apply to the CNI installer container. +resources: + requests: + cpu: 10m + memory: 100Mi +# -- NodeSelector to apply to the CNI DaemonSet in order to only deploy the CNI plugin on specific nodes. +nodeSelector: + kubernetes.io/os: linux +# -- Custom affinity for the DaemonSet to only deploy the CNI plugin on specific nodes. +affinity: {} +# Configures the generation of RBAC Roles and RoleBindings. +rbac: + # -- Whether to create RBAC resources which are required for the CNI plugin to function. + create: true + # -- (OpenShift) Whether to create RBAC resources which allow the CNI installer to use the "privileged" security context constraint. + createSCCRole: false +# -- Whether the DaemonSet should run in privileged mode. Must be enabled for environments which require it for writing files to the host (e.g. OpenShift). +privileged: false +# Configures the generation of the ServiceAccount. +serviceAccount: + # -- Whether a ServiceAccount should be created. + create: true + # -- Annotations to add to the ServiceAccount. + annotations: {} + # -- Name of the ServiceAccount to use. + # If not set and create is true, a name is generated using the fullname template. + name: "" +# Configures the generation of a NetworkAttachmentDefinition for use with Multus CNI (OpenShift) +multusNetworkAttachmentDefinition: + # -- Whether a NetworkAttachmentDefinition CR should be created, which can be used for applying the CNI plugin to Pods. + create: false + # -- Namespace in which the NetworkAttachmentDefinition is deployed. + # Note: If namespace is set to a custom value, referencing the created NetworkAttachmentDefinition from other namespaces + # may not work if Multus namespace isolation is enabled. https://github.com/k8snetworkplumbingwg/multus-cni/blob/v4.0.2/docs/configuration.md#namespace-isolation + namespace: default +# Parameters for the CNI installer configuration. +config: + # -- Whether to install the CNI plugin as a `chained` plugin (default, required with most interface CNI providers), + # as a `standalone` plugin (required for use with Multus CNI, e.g. on OpenShift) + # or in `manual` mode, where no CNI network configuration is written. + installMode: "chained" + # -- Log level for the CNI installer and plugin. + logLevel: info + # -- Directory where the CNI config files reside on the host. + cniNetDir: "/etc/cni/net.d" + # -- Directory where the CNI plugin binaries reside on the host. + cniBinDir: "/opt/cni/bin" + # -- Namespaces for which this CNI plugin should not apply any modifications. + excludeNamespaces: + - kube-system tests: # -- Whether additional resources required for running `helm test` should be created (e.g. Roles and ServiceAccounts). # If set to false, `helm test` will not run any tests. diff --git a/charts/airlock/microgateway/4.3.0/.helmignore b/charts/airlock/microgateway/4.3.0/.helmignore index 101ff5ac5..8561d2892 100644 --- a/charts/airlock/microgateway/4.3.0/.helmignore +++ b/charts/airlock/microgateway/4.3.0/.helmignore @@ -21,8 +21,7 @@ .idea/ *.tmproj .vscode/ -# CRDs kustomization.yaml -/crds/kustomization.yaml + # Helm unit tests /tests /validation diff --git a/charts/airlock/microgateway/4.3.0/Chart.yaml b/charts/airlock/microgateway/4.3.0/Chart.yaml index 41659f600..f36cc383b 100644 --- a/charts/airlock/microgateway/4.3.0/Chart.yaml +++ b/charts/airlock/microgateway/4.3.0/Chart.yaml @@ -9,15 +9,15 @@ annotations: - name: Airlock Microgateway Forum url: https://forum.airlock.com/ catalog.cattle.io/certified: partner - catalog.cattle.io/display-name: Airlock Microgateway + catalog.cattle.io/display-name: Airlock Microgateway CNI catalog.cattle.io/kube-version: '>=1.25.0-0' - catalog.cattle.io/release-name: microgateway - charts.openshift.io/name: Airlock Microgateway + catalog.cattle.io/release-name: microgateway-cni + charts.openshift.io/name: Airlock Microgateway CNI apiVersion: v2 appVersion: 4.3.0 -description: A Helm chart for deploying the Airlock Microgateway +description: A Helm chart for deploying the Airlock Microgateway CNI plugin home: https://www.airlock.com/en/microgateway -icon: file://assets/icons/microgateway.svg +icon: file://assets/icons/microgateway-cni.svg keywords: - WAF - Web Application Firewall @@ -30,14 +30,13 @@ keywords: - Filtering - DevSecOps - shift left -- control plane -- Operator +- CNI kubeVersion: '>=1.25.0-0' maintainers: - email: support@airlock.com name: Airlock url: https://www.airlock.com/ -name: microgateway +name: microgateway-cni sources: - https://github.com/airlock/microgateway type: application diff --git a/charts/airlock/microgateway/4.3.0/README.md b/charts/airlock/microgateway/4.3.0/README.md index 15ea0012e..2fa8977de 100644 --- a/charts/airlock/microgateway/4.3.0/README.md +++ b/charts/airlock/microgateway/4.3.0/README.md @@ -1,4 +1,4 @@ -# Airlock Microgateway +# Airlock Microgateway CNI ![Version: 4.3.0](https://img.shields.io/badge/Version-4.3.0-informational?style=flat-square) ![AppVersion: 4.3.0](https://img.shields.io/badge/AppVersion-4.3.0-informational?style=flat-square) @@ -40,58 +40,43 @@ Check the official documentation at **[docs.airlock.com](https://docs.airlock.co The instructions below provide a quick start guide. Detailed information are provided in the **[manual](https://docs.airlock.com/microgateway/latest/)**. ## Prerequisites -* [Airlock Microgateway CNI](https://artifacthub.io/packages/helm/airlock-microgateway-cni/microgateway-cni) -* [Airlock Microgateway License](#obtain-airlock-microgateway-license) -* [cert-manager](https://cert-manager.io/) * [helm](https://helm.sh/docs/intro/install/) (>= v3.8.0) -In order to use Airlock Microgateway you need a license and the cert-manager. You may either request a community license free of charge or purchase a premium license. -For an easy start in non-production environments, you may deploy the same cert-manager we are using internally for testing. -### Obtain Airlock Microgateway License -1. Either request a community or premium license - * Community license: [airlock.com/microgateway-community](https://airlock.com/en/microgateway-community) - * Premium license: [airlock.com/microgateway-premium](https://airlock.com/en/microgateway-premium) -2. Check your inbox and save the license file microgateway-license.txt locally. - -> See [Community vs. Premium editions in detail](https://docs.airlock.com/microgateway/latest/#data/1675772882054.html) to choose the right license type. -### Deploy cert-manager -```bash -helm repo add jetstack https://charts.jetstack.io -helm install cert-manager jetstack/cert-manager --version '1.15.1' -n cert-manager --create-namespace --set crds.enabled=true --wait -``` - -## Deploy Airlock Microgateway Operator - -> This guide assumes a microgateway-license.txt file is present in the working directory. - -1. Install CRDs and Operator. +## Deploy Airlock Microgateway CNI +1. Install the CNI Plugin with Helm. + > **Note**: Certain environments such as OpenShift or GKE require non-default configurations when installing the CNI plugin. For the most common setups, values files are provided in the [chart folder](/deploy/charts/airlock-microgateway-cni). ```bash - # Create namespace - kubectl create namespace airlock-microgateway-system - - # Install License - kubectl -n airlock-microgateway-system create secret generic airlock-microgateway-license --from-file=microgateway-license.txt - - # Install Operator (CRDs are included via the standard Helm 3 mechanism, i.e. Helm will handle initial installation but not upgrades) - helm install airlock-microgateway -n airlock-microgateway-system oci://quay.io/airlockcharts/microgateway --version '4.3.0' --wait + # Standard setup + helm install airlock-microgateway-cni -n kube-system oci://quay.io/airlockcharts/microgateway-cni --version '4.3.0' + kubectl -n kube-system rollout status daemonset -l app.kubernetes.io/instance=airlock-microgateway-cni ``` + ```bash + # GKE setup + helm install airlock-microgateway-cni -n kube-system oci://quay.io/airlockcharts/microgateway-cni --version '4.3.0' -f https://raw.githubusercontent.com/airlock/microgateway/4.3.0/deploy/charts/airlock-microgateway-cni/gke-values.yaml + kubectl -n kube-system rollout status daemonset -l app.kubernetes.io/instance=airlock-microgateway-cni + ``` + ```bash + # OpenShift setup + helm install airlock-microgateway-cni -n openshift-operators oci://quay.io/airlockcharts/microgateway-cni --version '4.3.0' -f https://raw.githubusercontent.com/airlock/microgateway/4.3.0/deploy/charts/airlock-microgateway-cni/openshift-values.yaml + kubectl -n openshift-operators rollout status daemonset -l app.kubernetes.io/instance=airlock-microgateway-cni + ``` + **Important:** On OpenShift, all pods which should be protected by Airlock Microgateway must explicitly reference the Airlock Microgateway CNI NetworkAttachmentDefinition via the annotation `k8s.v1.cni.cncf.io/networks` (see [documentation](https://docs.airlock.com/microgateway/latest/#data/1658483168033.html) for details). 2. (Recommended) You can verify the correctness of the installation with `helm test`. ```bash - helm upgrade airlock-microgateway -n airlock-microgateway-system --set tests.enabled=true --reuse-values oci://quay.io/airlockcharts/microgateway --version '4.3.0' - helm test airlock-microgateway -n airlock-microgateway-system --logs - helm upgrade airlock-microgateway -n airlock-microgateway-system --set tests.enabled=false --reuse-values oci://quay.io/airlockcharts/microgateway --version '4.3.0' + # Standard and GKE setup + helm upgrade airlock-microgateway-cni -n kube-system --set tests.enabled=true --reuse-values oci://quay.io/airlockcharts/microgateway-cni --version '4.3.0' + helm test airlock-microgateway-cni -n kube-system --logs + helm upgrade airlock-microgateway-cni -n kube-system --set tests.enabled=false --reuse-values oci://quay.io/airlockcharts/microgateway-cni --version '4.3.0' + ``` + ```bash + # OpenShift setup + helm upgrade airlock-microgateway-cni -n openshift-operators --set tests.enabled=true --reuse-values oci://quay.io/airlockcharts/microgateway-cni --version '4.3.0' + helm test airlock-microgateway-cni -n openshift-operators --logs + helm upgrade airlock-microgateway-cni -n openshift-operators --set tests.enabled=false --reuse-values oci://quay.io/airlockcharts/microgateway-cni --version '4.3.0' ``` -### Upgrading CRDs - -The `helm install/upgrade` command currently does not support upgrading CRDs that already exist in the cluster. -CRDs should instead be manually upgraded before upgrading the Operator itself via the following command: -```bash -kubectl apply -k https://github.com/airlock/microgateway/deploy/charts/airlock-microgateway/crds/?ref=4.3.0 --server-side --force-conflicts -``` - -**Note**: Certain GitOps solutions such as e.g. Argo CD or Flux CD have their own mechanisms for automatically upgrading CRDs included with Helm charts. + Consult our [documentation](https://docs.airlock.com/microgateway/latest/#data/1699611533587.html) in case of any installation error. ## Support @@ -104,61 +89,33 @@ For the community edition, check our **[Airlock community forum](https://forum.a | Key | Type | Default | Description | |-----|------|---------|-------------| +| affinity | object | `{}` | Custom affinity for the DaemonSet to only deploy the CNI plugin on specific nodes. | | commonAnnotations | object | `{}` | Annotations to add to all resources. | | commonLabels | object | `{}` | Labels to add to all resources. | -| crds.skipVersionCheck | bool | `false` | Whether to skip the sanity check which prevents installing/upgrading the helm chart in a cluster with outdated Airlock Microgateway CRDs. The check aims to prevent unexpected behavior and issues due to Helm v3 not automatically upgrading CRDs which are already present in the cluster when performing a "helm install/upgrade". | -| dashboards.config.grafana.dashboardLabel.name | string | `"grafana_dashboard"` | Name of the label that lets Grafana identify ConfigMaps that represent dashboards. | -| dashboards.config.grafana.dashboardLabel.value | string | `"1"` | Value of the label that lets Grafana identify ConfigMaps that represent dashboards. | -| dashboards.config.grafana.folderAnnotation.name | string | `"grafana_folder"` | Name of the annotation containing the folder name to file dashboards into. | -| dashboards.config.grafana.folderAnnotation.value | string | `"Airlock Microgateway"` | Name of the folder dashboards are filed into within the Grafana UI. | -| dashboards.create | bool | `false` | Whether to create any ConfigMaps containing Grafana dashboards to import. | -| dashboards.instances.blockLogs.create | bool | `true` | Whether to create the block logs dashboard. | -| dashboards.instances.blockMetrics.create | bool | `true` | Whether to create the block metrics dashboard. | -| dashboards.instances.license.create | bool | `true` | Whether to create the license dashboard. | -| dashboards.instances.overview.create | bool | `true` | Whether to create the overview dashboard. | -| engine.image.digest | string | `"sha256:f442143294f3138965c9fa2734cafd39ebebe8e289600332b12f8a59c23dd9ef"` | SHA256 image digest to pull (in the format "sha256:a3051f42d3013813b05f7513bb86ed6a3209cb3003f1bb2f7b72df249aa544d3"). Overrides tag when specified. | -| engine.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for this image. | -| engine.image.repository | string | `"quay.io/airlock/microgateway-engine"` | Image repository from which to pull the Airlock Microgateway Engine image. | -| engine.image.tag | string | `"4.3.0"` | Image tag to pull. | -| engine.resources | object | `{}` | Resource restrictions to apply to the Airlock Microgateway Engine container. | -| engine.sidecar.podMonitor.create | bool | `false` | Whether to create a PodMonitor resource for monitoring. | -| engine.sidecar.podMonitor.labels | object | `{}` | Labels to add to the PodMonitor. | +| config.cniBinDir | string | `"/opt/cni/bin"` | Directory where the CNI plugin binaries reside on the host. This path can either be found in the documentation of your Kubernetes distribution or CNI provider. It can also be queried by running the command `crictl info -o go-template --template '{{.config.cni.binDir}}'` on your Kubernetes node. | +| config.cniNetDir | string | `"/etc/cni/net.d"` | Directory where the CNI config files reside on the host. This path can either be found in the documentation of your Kubernetes distribution or CNI provider. It can also be queried by running the command `crictl info -o go-template --template '{{.config.cni.confDir}}'` on your Kubernetes node. | +| config.excludeNamespaces | list | `["kube-system"]` | Namespaces for which this CNI plugin should not apply any modifications. | +| config.installMode | string | `"chained"` | Whether to install the CNI plugin as a `chained` plugin (default, required with most interface CNI providers), as a `standalone` plugin (required for use with Multus CNI, e.g. on OpenShift) or in `manual` mode, where no CNI network configuration is written. | +| config.logLevel | string | `"info"` | Log level for the CNI installer and plugin. | | fullnameOverride | string | `""` | Allows overriding the name to use as full name of resources. | +| image.digest | string | `"sha256:cb165e34a1ab1a903a9f38b741a7d78946470a118640310a41d2af8153d6e409"` | SHA256 image digest to pull (in the format "sha256:7144f7bab3d4c2648d7e59409f15ec52a18006a128c733fcff20d3a4a54ba44a"). Overrides tag when specified. | +| image.pullPolicy | string | `"IfNotPresent"` | Pull policy for this image. | +| image.repository | string | `"quay.io/airlock/microgateway-cni"` | Image repository from which to pull the Airlock Microgateway CNI image. | +| image.tag | string | `"4.3.0"` | Image tag to pull. | | imagePullSecrets | list | `[]` | ImagePullSecrets to use when pulling images. | -| license.secretName | string | `"airlock-microgateway-license"` | Name of the secret containing the "microgateway-license.txt" key. | -| nameOverride | string | `""` | Allows overriding the name to use instead of "microgateway". | -| networkValidator.image.digest | string | `"sha256:7d87405b123c89058a0b64ca9393c45a1366a6a580aced1def900a812beb29f6"` | SHA256 image digest to pull (in the format "sha256:7d87405b123c89058a0b64ca9393c45a1366a6a580aced1def900a812beb29f6"). Overrides tag when specified. | -| networkValidator.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for this image. | -| networkValidator.image.repository | string | `"cgr.dev/chainguard/busybox"` | Image repository from which to pull the busybox image for the Airlock Microgateway Network Validator init-container. | -| networkValidator.image.tag | string | `""` | Image tag to pull. | -| operator.affinity | object | `{}` | Custom affinity to apply to the operator Deployment. Used to influence the scheduling. | -| operator.config.logLevel | string | `"info"` | Operator application log level. | -| operator.image.digest | string | `"sha256:dc6f0f9a11d0336c10f6b8a5c7f64d98ac91bd90c49aa1dc4fe7b68cfdea8217"` | SHA256 image digest to pull (in the format "sha256:c79ee3f85862fb386e9dd62b901b607161d27807f512d7fbdece05e9ee3d7c63"). Overrides tag when specified. | -| operator.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for this image. | -| operator.image.repository | string | `"quay.io/airlock/microgateway-operator"` | Image repository from which to pull the Airlock Microgateway Operator image. | -| operator.image.tag | string | `"4.3.0"` | Image tag to pull. | -| operator.nodeSelector | object | `{}` | Custom nodeSelector to apply to the operator Deployment in order to constrain its Pods to certain nodes. | -| operator.podAnnotations | object | `{}` | Annotations to add to all Pods. | -| operator.podLabels | object | `{}` | Labels to add to all Pods. | -| operator.rbac.create | bool | `true` | Whether to create RBAC resources which are required for the Airlock Microgateway Operator to function. | -| operator.replicaCount | int | `2` | Number of replicas for the operator Deployment. | -| operator.resources | object | `{}` | Resource restrictions to apply to the operator container. | -| operator.serviceAccount.annotations | object | `{}` | Annotations to add to the ServiceAccount. | -| operator.serviceAccount.create | bool | `true` | Whether a ServiceAccount should be created. | -| operator.serviceAccount.name | string | `""` | Name of the ServiceAccount to use. If not set and create is true, a name is generated using the fullname template. | -| operator.serviceAnnotations | object | `{}` | Annotations to add to the Service. | -| operator.serviceLabels | object | `{}` | Labels to add to the Service. | -| operator.serviceMonitor.create | bool | `false` | Whether to create a ServiceMonitor resource for monitoring. | -| operator.serviceMonitor.labels | object | `{}` | Labels to add to the ServiceMonitor. | -| operator.tolerations | list | `[]` | Custom tolerations to apply to the operator Deployment in order to allow its Pods to run on tainted nodes. | -| operator.updateStrategy | object | `{"type":"RollingUpdate"}` | Specifies the operator update strategy. | -| operator.watchNamespaceSelector | object | `{}` | Allows to dynamically select watch namespaces of the operator and the scope of the webhooks based on a Namespace label selector. It is able to detect and reconcile resources in all namespaces that match the label selector automatically, even for new namespaces, without restarting the operator. This facilitates a dynamic `MultiNamespace` installation mode, but still requires cluster-scoped permissions (i.e., ClusterRoles and ClusterRoleBindings). An `AllNamespaces` installation or the usage of the `watchNamespaces` requires the `watchNamespaceSelector` to be empty. Please note that this feature requires a Premium license. | -| operator.watchNamespaces | list | `[]` | Allows to restrict the operator to specific namespaces, depending on your needs. For a `OwnNamespace` or `SingleNamespace` installation the list may only contain one namespace (e.g., `watchNamespaces: ["airlock-microgateway-system"]`). In case of the `OwnNamespace` installation mode the specified namespace should be equal to the installation namespace. For a static `MultiNamespace` installation, the complete list of namespaces must be provided in the `watchNamespaces`. An `AllNamespaces` installation or the usage of the `watchNamespaceSelector` requires the `watchNamespaces` to be empty. Regardless of the installation modes supported by `watchNamespaces`, RBAC is created only namespace-scoped (using Roles and RoleBindings) in the respective namespaces. Please note that this feature requires a Premium license. | -| sessionAgent.image.digest | string | `"sha256:579dfded99145f9c2c1491ff1aeccb08721d63239a8b7f61bb9f455e17e968b2"` | SHA256 image digest to pull (in the format "sha256:a3051f42d3013813b05f7513bb86ed6a3209cb3003f1bb2f7b72df249aa544d3"). Overrides tag when specified. | -| sessionAgent.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for this image. | -| sessionAgent.image.repository | string | `"quay.io/airlock/microgateway-session-agent"` | Image repository from which to pull the Airlock Microgateway Session Agent image. | -| sessionAgent.image.tag | string | `"4.3.0"` | Image tag to pull. | -| sessionAgent.resources | object | `{}` | Resource restrictions to apply to the Airlock Microgateway Session Agent container. | +| multusNetworkAttachmentDefinition.create | bool | `false` | Whether a NetworkAttachmentDefinition CR should be created, which can be used for applying the CNI plugin to Pods. | +| multusNetworkAttachmentDefinition.namespace | string | `"default"` | Namespace in which the NetworkAttachmentDefinition is deployed. Note: If namespace is set to a custom value, referencing the created NetworkAttachmentDefinition from other namespaces may not work if Multus namespace isolation is enabled. https://github.com/k8snetworkplumbingwg/multus-cni/blob/v4.0.2/docs/configuration.md#namespace-isolation | +| nameOverride | string | `""` | Allows overriding the name to use instead of "microgateway-cni". | +| nodeSelector | object | `{"kubernetes.io/os":"linux"}` | NodeSelector to apply to the CNI DaemonSet in order to only deploy the CNI plugin on specific nodes. | +| podAnnotations | object | `{}` | Annotations to add to all Pods. | +| podLabels | object | `{}` | Labels to add to all Pods. | +| privileged | bool | `false` | Whether the DaemonSet should run in privileged mode. Must be enabled for environments which require it for writing files to the host (e.g. OpenShift). | +| rbac.create | bool | `true` | Whether to create RBAC resources which are required for the CNI plugin to function. | +| rbac.createSCCRole | OpenShift | `false` | Whether to create RBAC resources which allow the CNI installer to use the "privileged" security context constraint. | +| resources | object | `{"requests":{"cpu":"10m","memory":"100Mi"}}` | Resource restrictions to apply to the CNI installer container. | +| serviceAccount.annotations | object | `{}` | Annotations to add to the ServiceAccount. | +| serviceAccount.create | bool | `true` | Whether a ServiceAccount should be created. | +| serviceAccount.name | string | `""` | Name of the ServiceAccount to use. If not set and create is true, a name is generated using the fullname template. | | tests.enabled | bool | `false` | Whether additional resources required for running `helm test` should be created (e.g. Roles and ServiceAccounts). If set to false, `helm test` will not run any tests. | ## License diff --git a/charts/airlock/microgateway/4.3.0/app-readme.md b/charts/airlock/microgateway/4.3.0/app-readme.md deleted file mode 100644 index e32cac025..000000000 --- a/charts/airlock/microgateway/4.3.0/app-readme.md +++ /dev/null @@ -1,28 +0,0 @@ -# Airlock Microgateway - -*Airlock Microgateway is a Kubernetes native WAAP (Web Application and API Protection) solution to protect microservices.* - -## Features -* Kubernetes native integration with its Operator, Custom Resource Definitions, hot-reload, automatic sidecar injection. -* Reverse proxy functionality with request routing rules, TLS termination and remote IP extraction -* Using native Envoy HTTP filters like Lua scripting, RBAC, ext_authz, JWT authentication -* Content security filters for protecting against known attacks (OWASP Top 10) -* Access control to allow only authenticated users to access the protected services -* API security features like JSON parsing or OpenAPI specification enforcement - -For a list of all features, view the **[comparison of the community and premium edition](https://docs.airlock.com/microgateway/latest/#data/1675772882054.html)**. - -## Requirements -* [Airlock Microgateway CNI Helm Chart](https://artifacthub.io/packages/helm/airlock-microgateway-cni/microgateway-cni) (Also available as Rancher Chart) -* [Airlock Microgateway License](https://github.com/airlock/microgateway?tab=readme-ov-file#obtain-airlock-microgateway-license) (After obtaining the license install it according to the [documentation](https://github.com/airlock/microgateway?tab=readme-ov-file#deploy-airlock-microgateway-operator)) -* [cert-manager](https://cert-manager.io/docs/installation/) - -## Documentation and links - -Check the official documentation at **[docs.airlock.com](https://docs.airlock.com/microgateway/latest/)** or the product website at **[airlock.com/microgateway](https://www.airlock.com/en/microgateway)**. The links below point out the most interesting documentation sites when starting with Airlock Microgateway. - -* [Getting Started](https://docs.airlock.com/microgateway/latest/#data/1660804708742.html) -* [System Architecture](https://docs.airlock.com/microgateway/latest/#data/1660804709650.html) -* [Installation](https://docs.airlock.com/microgateway/latest/#data/1660804708637.html) -* [Troubleshooting](https://docs.airlock.com/microgateway/latest/#data/1659430054787.html) -* [GitHub](https://github.com/airlock/microgateway) \ No newline at end of file diff --git a/charts/airlock/microgateway/4.3.0/crds/accesscontrols.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.3.0/crds/accesscontrols.microgateway.airlock.com.yaml deleted file mode 100644 index 5c6215c90..000000000 --- a/charts/airlock/microgateway/4.3.0/crds/accesscontrols.microgateway.airlock.com.yaml +++ /dev/null @@ -1,124 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - app.kubernetes.io/name: airlock-microgateway-operator - app.kubernetes.io/version: 4.3.0 - name: accesscontrols.microgateway.airlock.com -spec: - group: microgateway.airlock.com - names: - categories: - - airlock-microgateway - kind: AccessControl - listKind: AccessControlList - plural: accesscontrols - singular: accesscontrol - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - description: AccessControl specifies the options to perform access control with a Microgateway Engine container. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Specifies how the Airlock Microgateway Engine performs access control. - properties: - policies: - description: Policies configures access control policies. - items: - properties: - authorization: - description: Authorization configures how requests are authorized. An empty object value {} disables authorization. - properties: - authentication: - description: Authentication specifies that clients need to be authenticated with the provided method. - properties: - oidc: - description: OIDC configures client authentication using OpenID Connect. - properties: - oidcRelyingPartyRef: - description: OIDCRelyingPartyRef configures how the Airlock Microgateway Engine interacts with the OpenID provider. - properties: - name: - description: Name of the resource - minLength: 1 - type: string - required: - - name - type: object - required: - - oidcRelyingPartyRef - type: object - type: object - type: object - identityPropagation: - description: IdentityPropagation configures how the authenticated user's identity is communicated to the protected application. - properties: - actions: - description: Actions specifies the propagation actions. - items: - properties: - identityPropagationRef: - description: IdentityPropagationRef selects an IdentityPropagation to apply. - properties: - name: - description: Name of the resource - minLength: 1 - type: string - required: - - name - type: object - required: - - identityPropagationRef - type: object - type: array - onFailure: - description: |- - OnFailure configures what should happen, if an identity propagation fails. Meaning of the possible values: - _Pass_: The request should be forwarded to the upstream, without including the information from the failed identity propagations. - enum: - - Pass - type: string - required: - - actions - - onFailure - type: object - required: - - authorization - type: object - maxItems: 1 - minItems: 1 - type: array - required: - - policies - type: object - required: - - spec - type: object - served: true - storage: true - subresources: {} diff --git a/charts/airlock/microgateway/4.3.0/crds/envoyclusters.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.3.0/crds/envoyclusters.microgateway.airlock.com.yaml deleted file mode 100644 index 07ba25df5..000000000 --- a/charts/airlock/microgateway/4.3.0/crds/envoyclusters.microgateway.airlock.com.yaml +++ /dev/null @@ -1,58 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - app.kubernetes.io/name: airlock-microgateway-operator - app.kubernetes.io/version: 4.3.0 - name: envoyclusters.microgateway.airlock.com -spec: - group: microgateway.airlock.com - names: - categories: - - airlock-microgateway - kind: EnvoyCluster - listKind: EnvoyClusterList - plural: envoyclusters - singular: envoycluster - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - description: EnvoyCluster is an additional Envoy Cluster resource which is added to those defined by the Airlock Microgateway. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Specification of the desired additional Envoy cluster. - properties: - value: - description: Value defines the Envoy Cluster which is added to those configured by the Airlock Microgateway. - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - served: true - storage: true - subresources: {} diff --git a/charts/airlock/microgateway/4.3.0/crds/envoyconfigurations.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.3.0/crds/envoyconfigurations.microgateway.airlock.com.yaml deleted file mode 100644 index cc09fbbb1..000000000 --- a/charts/airlock/microgateway/4.3.0/crds/envoyconfigurations.microgateway.airlock.com.yaml +++ /dev/null @@ -1,185 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - app.kubernetes.io/name: airlock-microgateway-operator - app.kubernetes.io/version: 4.3.0 - name: envoyconfigurations.microgateway.airlock.com -spec: - group: microgateway.airlock.com - names: - categories: - - airlock-microgateway - kind: EnvoyConfiguration - listKind: EnvoyConfigurationList - plural: envoyconfigurations - singular: envoyconfiguration - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .status.status - name: Status - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - EnvoyConfiguration is the Schema for the envoyconfigurations API - {{% notice warning %}} EnvoyConfiguration resources may contain sensitive information and thus RBAC permissions should be granted with care. {{% /notice %}} - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: EnvoyConfigurationSpec defines the desired state of EnvoyConfiguration - properties: - envoyResources: - properties: - clusters: - items: - type: object - x-kubernetes-preserve-unknown-fields: true - type: array - endpoints: - items: - type: object - x-kubernetes-preserve-unknown-fields: true - type: array - extensions: - items: - type: object - x-kubernetes-preserve-unknown-fields: true - type: array - listeners: - items: - type: object - x-kubernetes-preserve-unknown-fields: true - type: array - routes: - items: - type: object - x-kubernetes-preserve-unknown-fields: true - type: array - runtimes: - items: - type: object - x-kubernetes-preserve-unknown-fields: true - type: array - scopedRoutes: - items: - type: object - x-kubernetes-preserve-unknown-fields: true - type: array - secrets: - items: - type: object - x-kubernetes-preserve-unknown-fields: true - type: array - type: object - envoyResourcesRaw: - description: |- - EnvoyResourcesRaw defines the desired state for each resource type. The resources are stored as zstd compressed JSON bytes. - For debugging purposes, the resources can be inspected with the following command: `kubectl get envoyconfiguration -ojsonpath='{.spec.envoyResourcesRaw}' | base64 -d | zstd -d | jq` - format: byte - type: string - nodeID: - description: '**Deprecated:** This field is now ignored as NodeID is always derived from the resource name.' - type: string - type: object - status: - description: EnvoyConfigurationStatus defines the observed state of EnvoyConfiguration - properties: - conditions: - items: - properties: - lastTransitionTime: - description: Last time the condition transitioned from one status to another. - format: date-time - type: string - message: - description: A human-readable message indicating details about the transition. - type: string - reason: - description: The reason for the condition's last transition. - type: string - status: - description: Status of the condition, one of True, False, Unknown. - type: string - type: - description: Type of EnvoyConfiguration condition. - type: string - required: - - status - - type - type: object - type: array - status: - type: string - xds: - properties: - resourceTypes: - additionalProperties: - description: XdsResourceTypeSyncStatus defines the sync status of xDS for a specific resource type - properties: - errorMessage: - description: ErrorMessage defines an optional message why the currently served resources of this resource type are rejected by the client. - type: string - resources: - additionalProperties: - description: XdsResourceStatus defines the status of xDS for a specific resource - properties: - version: - description: Version defines the version which is currently served for this resource. - type: string - required: - - version - type: object - description: Resources defines the resources which are currently served for this resource type. - type: object - status: - description: Status defines the current sync status of this resource type. - type: string - version: - description: Version defines the version which is currently served for this resource type. - type: string - required: - - resources - - status - - version - type: object - description: ResourceTypes defines the sync statuses for each resource type. - type: object - version: - description: Version defines the version of the underlying xDS snapshot. - type: integer - required: - - version - type: object - required: - - status - - xds - type: object - type: object - served: true - storage: true - subresources: - status: {} diff --git a/charts/airlock/microgateway/4.3.0/crds/envoyhttpfilters.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.3.0/crds/envoyhttpfilters.microgateway.airlock.com.yaml deleted file mode 100644 index d6eb787ab..000000000 --- a/charts/airlock/microgateway/4.3.0/crds/envoyhttpfilters.microgateway.airlock.com.yaml +++ /dev/null @@ -1,58 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - app.kubernetes.io/name: airlock-microgateway-operator - app.kubernetes.io/version: 4.3.0 - name: envoyhttpfilters.microgateway.airlock.com -spec: - group: microgateway.airlock.com - names: - categories: - - airlock-microgateway - kind: EnvoyHTTPFilter - listKind: EnvoyHTTPFilterList - plural: envoyhttpfilters - singular: envoyhttpfilter - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - description: EnvoyHTTPFilter is an additional Envoy HTTP Filter resource which is added to those defined by the Airlock Microgateway. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Specification of the desired additional Envoy HTTP filter. - properties: - value: - description: Value defines the HTTP filter which is added to those configured by the Airlock Microgateway. - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - served: true - storage: true - subresources: {} diff --git a/charts/airlock/microgateway/4.3.0/crds/graphqls.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.3.0/crds/graphqls.microgateway.airlock.com.yaml deleted file mode 100644 index 77f8991e6..000000000 --- a/charts/airlock/microgateway/4.3.0/crds/graphqls.microgateway.airlock.com.yaml +++ /dev/null @@ -1,88 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - app.kubernetes.io/name: airlock-microgateway-operator - app.kubernetes.io/version: 4.3.0 - name: graphqls.microgateway.airlock.com -spec: - group: microgateway.airlock.com - names: - categories: - - airlock-microgateway - kind: GraphQL - listKind: GraphQLList - plural: graphqls - singular: graphql - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: GraphQL contains the configuration for the GraphQL specification. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Specification of the desired GraphQL specification. - properties: - settings: - description: Settings defines the settings to configure GraphQL. - properties: - allowIntrospection: - default: true - description: AllowIntrospection specifies if the introspection system is exposed. - type: boolean - allowMutations: - default: true - description: AllowMutations specifies if mutations are allowed. - type: boolean - schema: - description: Specifies the GraphQL schema. - properties: - source: - description: Source specifies the GraphQL schema to be enforced. - properties: - configMapRef: - description: ConfigMapRef references the configmap by its name containing the well-known key 'schema.graphql'. - properties: - name: - description: Name of the resource - minLength: 1 - type: string - required: - - name - type: object - type: object - required: - - source - type: object - threatHandlingMode: - default: Block - description: ThreatHandlingMode specifies how threats should be handled. - enum: - - Block - - LogOnly - type: string - type: object - type: object - type: object - served: true - storage: true diff --git a/charts/airlock/microgateway/4.3.0/crds/headerrewrites.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.3.0/crds/headerrewrites.microgateway.airlock.com.yaml deleted file mode 100644 index 8fd43dc3a..000000000 --- a/charts/airlock/microgateway/4.3.0/crds/headerrewrites.microgateway.airlock.com.yaml +++ /dev/null @@ -1,759 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - app.kubernetes.io/name: airlock-microgateway-operator - app.kubernetes.io/version: 4.3.0 - name: headerrewrites.microgateway.airlock.com -spec: - group: microgateway.airlock.com - names: - categories: - - airlock-microgateway - kind: HeaderRewrites - listKind: HeaderRewritesList - plural: headerrewrites - singular: headerrewrites - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: HeaderRewrites is the Schema for the headerrewrites API - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Specification of the desired header rewriting behavior. - properties: - request: - description: Request defines manipulations on upstream request headers. - properties: - add: - description: Add defines which request headers will be added before forwarding to the upstream. - properties: - custom: - description: |- - Custom allows configuring additional upstream request headers. - Add selected headers. - items: - properties: - headers: - description: Headers to add. - items: - description: HeaderRewritesHeader specifies a header with a particular value - properties: - name: - description: Name defines the name of a header. - minLength: 1 - type: string - value: - description: Value defines the value of a header. - type: string - required: - - name - - value - type: object - minItems: 1 - type: array - mode: - default: AddIfAbsent - description: Mode defines the header addition strategy. - enum: - - AddIfAbsent - - OverwriteOrAdd - type: string - name: - description: Name describing the configured operation. - minLength: 1 - type: string - required: - - headers - - name - type: object - minItems: 1 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - type: object - allow: - description: |- - Allow defines which request headers will be forwarded to the upstream. - This can either be allHeaders or matchingHeaders. - Default: matchingHeaders: {...} - properties: - allHeaders: - description: AllHeaders specifies that all request headers should be forwarded. - type: object - matchingHeaders: - description: MatchingHeaders specifies which request headers should be forwarded. - properties: - builtIn: - description: BuiltIn allows configuring a set of predefined upstream request headers. - properties: - standardHeaders: - default: true - description: StandardHeaders defines whether the request headers which are forwarded to the upstream will be restricted to a set of common request headers. - type: boolean - type: object - custom: - description: Custom allows configuring additional upstream request headers. - items: - properties: - headers: - description: Headers to allow. - items: - description: |- - HeaderMatcher defines a matcher for an HTTP header. - At least one of name and value must be set. - properties: - name: - description: Name defines the name of a header. - properties: - matcher: - description: Matcher defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - value: - description: Value defines the value of a header. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - type: object - minItems: 1 - type: array - name: - description: Name describing the configured operation. Must be unique. - minLength: 1 - type: string - required: - - headers - - name - type: object - minItems: 1 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - type: object - type: object - remove: - description: Remove defines which request headers will be removed before forwarding to the upstream. - properties: - builtIn: - description: BuiltIn allows configuring a set of predefined upstream request headers. - properties: - alternativeForwardedHeaders: - default: true - description: |- - AlternativeForwardedHeaders removes downstream request headers which could potentially - be abused to alter the upstream's view of the remote connection. - type: boolean - type: object - custom: - description: Custom allows configuring additional upstream request headers. - items: - properties: - headers: - description: Headers to remove. - items: - description: |- - HeaderMatcher defines a matcher for an HTTP header. - At least one of name and value must be set. - properties: - name: - description: Name defines the name of a header. - properties: - matcher: - description: Matcher defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - value: - description: Value defines the value of a header. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - type: object - minItems: 1 - type: array - name: - description: Name describing the configured operation. Must be unique. - minLength: 1 - type: string - required: - - headers - - name - type: object - minItems: 1 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - type: object - type: object - response: - description: Response defines manipulations on upstream response headers. - properties: - add: - description: Add defines which response headers will be added before forwarding to the downstream. - properties: - builtIn: - description: BuiltIn allows configuring a set of predefined upstream response headers. - properties: - csp: - default: true - description: |- - CSP sets a content security policy which allows only same-origin requests except for images - if the 'Content-Security-Policy' header is not set by the upstream. - type: boolean - featurePolicy: - default: false - description: |- - FeaturePolicy sets a feature policy which prevents cross-origin use of several browser features - if the 'Feature-Policy' header is not set by the upstream. - **Deprecated:** Use permissionsPolicy instead. - type: boolean - hsts: - default: true - description: HSTS enforces the use of HTTPS if the 'Strict-Transport-Security' header is not already set by the upstream. - type: boolean - hstsPreload: - default: false - description: HSTSPreload enforces the use of HTTPS including for subdomains and enables HSTS preload. - type: boolean - permissionsPolicy: - default: true - description: |- - PermissionsPolicy sets a permissions policy which prevents cross-origin use of several browser features - if the 'Permissions-Policy' header is not set by the upstream. - type: boolean - referrerPolicy: - default: true - description: |- - ReferrerPolicy ensures that no 'Referer' header is sent for cross-origin requests - if the 'Referrer-Policy' header is not set by the upstream. - type: boolean - xContentTypeOptions: - default: true - description: XContentTypeOptions sets 'X-Content-Type-Options' to 'nosniff' if it is not set by the upstream. - type: boolean - xFrameOptions: - default: true - description: XFrameOptions sets 'X-Frame-Options' to SAMEORIGIN if it is not set by the upstream. - type: boolean - type: object - custom: - description: Custom allows configuring additional upstream response headers. - items: - properties: - headers: - description: Headers to add. - items: - description: HeaderRewritesHeader specifies a header with a particular value - properties: - name: - description: Name defines the name of a header. - minLength: 1 - type: string - value: - description: Value defines the value of a header. - type: string - required: - - name - - value - type: object - minItems: 1 - type: array - mode: - default: AddIfAbsent - description: Mode defines the header addition strategy. - enum: - - AddIfAbsent - - OverwriteOrAdd - type: string - name: - description: Name describing the configured operation. - minLength: 1 - type: string - required: - - headers - - name - type: object - minItems: 1 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - type: object - allow: - description: |- - Allow defines which response headers will be forwarded to the downstream. - This can either be allHeaders or matchingHeaders. - Default: allHeaders: {} - properties: - allHeaders: - description: AllHeaders specifies that all response headers should be forwarded. - type: object - matchingHeaders: - description: MatchingHeaders specifies which response headers should be forwarded. - properties: - builtIn: - description: BuiltIn allows configuring a set of predefined upstream response header. - properties: - standardHeaders: - default: false - description: StandardHeaders defines whether the response headers which are forwarded to the downstream will be restricted to a set of common response headers. - type: boolean - type: object - custom: - description: Custom allows configuring additional upstream response headers. - items: - properties: - headers: - description: Headers to allow. - items: - description: |- - HeaderMatcher defines a matcher for an HTTP header. - At least one of name and value must be set. - properties: - name: - description: Name defines the name of a header. - properties: - matcher: - description: Matcher defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - value: - description: Value defines the value of a header. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - type: object - minItems: 1 - type: array - name: - description: Name describing the configured operation. Must be unique. - minLength: 1 - type: string - required: - - headers - - name - type: object - minItems: 1 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - type: object - type: object - remove: - description: Remove defines which response headers will be removed before forwarding to the downstream. - properties: - builtIn: - description: BuiltIn allows configuring a set of predefined upstream response headers. - properties: - auth: - description: Auth defines the categories of headers concerning authentication. - properties: - basic: - default: false - description: Basic removes upstream response headers that advise clients to authenticate with Basic Authentication. - type: boolean - negotiate: - default: true - description: Negotiate removes upstream response headers that advise clients to authenticate with Negotiate. - type: boolean - ntlm: - default: true - description: |- - NTLM removes upstream response headers that advise clients to authenticate with NTLM. - By default, these headers are removed, because NTLM pass-through is not supported. - type: boolean - type: object - informationLeakage: - description: InformationLeakage defines the categories of headers concerning information leakage. - properties: - application: - default: true - description: Application removes upstream response headers that leak information about the deployed software. - type: boolean - server: - default: true - description: Server removes upstream response headers that leak information about the server. - type: boolean - type: object - permissiveCors: - default: true - description: PermissiveCORS removes upstream response headers for CORS (Cross-Origin Resource Sharing) which have no restrictions and therefore reduce client-side security. - type: boolean - type: object - custom: - description: Custom allows configuring additional upstream response headers. - items: - properties: - headers: - description: Headers to remove. - items: - description: |- - HeaderMatcher defines a matcher for an HTTP header. - At least one of name and value must be set. - properties: - name: - description: Name defines the name of a header. - properties: - matcher: - description: Matcher defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - value: - description: Value defines the value of a header. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - type: object - minItems: 1 - type: array - name: - description: Name describing the configured remove operation. Must be unique. - minLength: 1 - type: string - required: - - headers - - name - type: object - minItems: 1 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - type: object - type: object - settings: - description: Settings configures the HeaderRewrites filter. - properties: - operationalMode: - default: Production - description: OperationalMode defines the behavior of the filter. In integration mode more information is logged about the requests and responses. - enum: - - Production - - Integration - type: string - type: object - type: object - type: object - served: true - storage: true diff --git a/charts/airlock/microgateway/4.3.0/crds/parsers.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.3.0/crds/parsers.microgateway.airlock.com.yaml deleted file mode 100644 index 4d37c5adb..000000000 --- a/charts/airlock/microgateway/4.3.0/crds/parsers.microgateway.airlock.com.yaml +++ /dev/null @@ -1,358 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - app.kubernetes.io/name: airlock-microgateway-operator - app.kubernetes.io/version: 4.3.0 - name: parsers.microgateway.airlock.com -spec: - group: microgateway.airlock.com - names: - categories: - - airlock-microgateway - kind: Parser - listKind: ParserList - plural: parsers - singular: parser - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: Parser contains the configuration for content parsers (default and custom). - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Specification of the desired parser behavior. - properties: - request: - description: Request defines the parsing for downstream requests. - properties: - custom: - description: Custom allows configuring additional rules for parser selection. - properties: - rules: - description: |- - Rules defines a custom set prepended before built-in rules of enabled request parsers. - Disable all built-in parsers to overrule them completely. - items: - properties: - action: - description: |- - Action specifies what should happen when a request condition matches. - Only one of parse or skip can be set. - properties: - parse: - description: Parse activates the configured parser. - properties: - form: - description: Form activates the Form parser. - type: object - json: - description: JSON activates the JSON parser. - type: object - multipart: - description: Multipart activates the multipart parser. - type: object - type: object - skip: - description: Skip disables any content parsing - type: object - type: object - requestConditions: - description: RequestConditions defines additional request properties which must be matched in order for this rule to apply. - properties: - header: - description: Header defines the matching headers of a request. - properties: - name: - description: Name defines the name of a header. - properties: - matcher: - description: Matcher defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - value: - description: Value defines the value of a header. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - type: object - invert: - default: false - description: Invert indicates whether the request condition should be inverted. - type: boolean - mediaType: - description: MediaType defines the matching media type from the content-type header of a request. - properties: - matcher: - description: |- - NonInvertableCaseInsensitiveStringMatcher defines the way to match a string. - In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - method: - description: Method defines the matching methods of a request. - items: - description: Method defines common HTTP methods. - enum: - - GET - - HEAD - - POST - - PUT - - PATCH - - DELETE - - CONNECT - - OPTIONS - - TRACE - type: string - type: array - path: - description: Path defines the matching path of a request. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - remoteIP: - description: RemoteIP defines the matching remote IPs of a request. - properties: - cidrRanges: - description: CIDRRanges defines the IPv4 or IPv6 CIDR ranges, e.g. ``196.148.3.128/26`` or ``2001:db8::/28``. - items: - description: CIDRRange defines an IPv4 or IPv6 CIDR range, e.g. “196.148.3.128/26“ or “2001:db8::/28“. - format: cidr - type: string - minItems: 1 - type: array - invert: - default: false - description: Invert indicates whether the match should be inverted. - type: boolean - required: - - cidrRanges - type: object - type: object - required: - - action - - requestConditions - type: object - type: array - type: object - defaultContentType: - default: application/x-www-form-urlencoded - description: DefaultContentType specifies the content-type header which should be injected into the request before parser selection if it is not already present and the request has a body. - minLength: 1 - type: string - parsers: - description: Parsers defines the configuration for the available content parsers. - properties: - form: - description: Form defines the configuration for the form parser. - properties: - enable: - default: true - description: Enable defines whether form payloads are inspected. - type: boolean - mediaTypePattern: - default: .*urlencoded.* - description: MediaTypePattern is a regex specifying the media types for which the request body should be treated as form arguments. - minLength: 1 - type: string - type: object - json: - description: JSON defines the configuration for the JSON parser. - properties: - enable: - default: true - description: Enable defines whether json payloads are inspected. - type: boolean - mediaTypePattern: - default: .*json.* - description: MediaTypePattern is a regex specifying the media types for which the request body should be treated as JSON. - minLength: 1 - type: string - type: object - multipart: - description: Multipart defines the configuration for the multipart parser. - properties: - enable: - default: true - description: Enable defines whether multipart payloads are inspected. - type: boolean - mediaTypePattern: - default: .*multipart.* - description: MediaTypePattern is a regex specifying the media types for which the request body should be treated as a multipart payload. - minLength: 1 - type: string - type: object - type: object - type: object - type: object - type: object - served: true - storage: true diff --git a/charts/airlock/microgateway/4.3.0/crds/sidecargateways.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.3.0/crds/sidecargateways.microgateway.airlock.com.yaml deleted file mode 100644 index ead724a75..000000000 --- a/charts/airlock/microgateway/4.3.0/crds/sidecargateways.microgateway.airlock.com.yaml +++ /dev/null @@ -1,758 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - app.kubernetes.io/name: airlock-microgateway-operator - app.kubernetes.io/version: 4.3.0 - name: sidecargateways.microgateway.airlock.com -spec: - group: microgateway.airlock.com - names: - categories: - - airlock-microgateway - kind: SidecarGateway - listKind: SidecarGatewayList - plural: sidecargateways - singular: sidecargateway - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .status.status - name: Status - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - description: SidecarGateway contains the configuration how to configure the Airlock Microgateway Engine when used as Sidecar Container within the Pod of an application. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Specification of the desired sidecar gateway behavior. - properties: - applications: - description: Applications defines applications which run on different ports. - items: - properties: - containerPort: - default: 8080 - description: |- - ContainerPort refers to the container port. - This must be a valid port number, 0 < x < 65536. - format: int32 - maximum: 65535 - minimum: 1 - type: integer - downstream: - description: Downstream defines the downstream configuration for this application - properties: - protocol: - description: |- - Protocol defines the exposed HTTP protocol version. At most one of http1, http2 and auto can be set. - Default: auto: {} - properties: - auto: - description: Auto specifies that the protocol should be inferred. - properties: - http2: - description: HTTP2 specifies the settings for when HTTP/2 is inferred. - properties: - allowConnect: - default: false - description: Allows proxying Websocket and other upgrades over H2 connect. - type: boolean - type: object - type: object - http1: - description: HTTP1 specifies that the client is assumed to speak HTTP/1.1. - type: object - http2: - description: HTTP2 specifies that the client is assumed to speak HTTP/2. - properties: - allowConnect: - default: false - description: Allows proxying Websocket and other upgrades over H2 connect. - type: boolean - type: object - type: object - remoteIP: - description: |- - RemoteIP defines how the remote IP of a client is propagated. - Default: xff: {...} - properties: - connectionIP: - description: ConnectionIP configures to use the source IP address of the direct downstream connection. - type: object - customHeader: - description: CustomHeader specifies to use a custom header for remote IP extraction. - properties: - headerName: - description: HeaderName specifies the name of the custom header containing the remote IP. - minLength: 1 - type: string - required: - default: true - description: Required specifies if the custom header is required. If true and not available the request will be rejected with 403. - type: boolean - required: - - headerName - type: object - xff: - description: XFF configures to use the standard 'X-Forwarded-For' header for IP extraction. - properties: - numTrustedHops: - default: 1 - description: NumTrustedHops specifies to extract the client's originating IP from the nth rightmost entry in the X-Forwarded-For header. With the default value of 1, the IP is extracted from the rightmost entry. - format: int32 - minimum: 1 - type: integer - type: object - type: object - requestNormalizations: - description: RequestNormalizations defines a set of normalization actions which are applied to the request before route matching. - properties: - mergeSlashes: - default: true - description: MergeSlashes ensures that adjacent slashes in the path are merged into one. - type: boolean - normalizePath: - default: true - description: NormalizePath ensures normalization according to RFC 3986 without case normalization. - type: boolean - type: object - restrictions: - description: Restrictions defines restrictions for downstream. - properties: - http: - description: HTTP defines limits for the HTTP protocol. - properties: - headersLength: - anyOf: - - type: integer - - type: string - default: 60Ki - description: HeadersLength defines maximum size of all request headers combined. Requests that exceed this limit will receive a 431 response. - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - type: object - timeouts: - description: Timeouts defines timeouts for downstream - properties: - http: - description: HTTP defines the settings for HTTP timeouts. - properties: - idle: - default: 5m - description: |- - Idle defines the settings for the idle timeout when no data is sent or received. - A value of 0 will completely disable the timeout. - Default: 5m - type: string - maxDuration: - default: 5m - description: |- - MaxDuration defines the total duration for a HTTP request/response stream. - A value of 0 will completely disable the timeout. - Default: 5m - type: string - requestHeaders: - default: 10s - description: |- - RequestHeaders defines the duration before all request headers must be received. - A value of 0 will completely disable the timeout. - Default: 10s - type: string - type: object - type: object - tls: - description: TLS defines the TLS settings. - properties: - ciphers: - description: Ciphers defines a list of the supported TLS cipher suites. For details on cipher list refer to the envoy documentation on cipher_suites in common tls configuration. - items: - type: string - minItems: 1 - type: array - clientCertificate: - description: |- - ClientCertificate defines the TLS settings for verification of client certificates. - At most one of ignored, optional and required can be set. - Default: ignored: {} - properties: - ignored: - description: Ignored disables verification of the client certificate. - type: object - optional: - description: |- - Optional enables verification of the client certificate if one is presented. - In this mode only trustedCA and crl settings can be configured since certificatePinning and allowedSANs require a client certificate. - properties: - crl: - description: CRL defines the Certificate Revocation List (CRL) settings. - properties: - lists: - description: Lists defines the list of secretRefs containing Certificate Revocation Lists. - items: - properties: - secretRef: - description: SecretRef defines the reference to a secret containing one or more CRL's (in PEM format) under the key 'ca.crl'. - properties: - name: - description: Name of the resource - minLength: 1 - type: string - required: - - name - type: object - required: - - secretRef - type: object - minItems: 1 - type: array - validationMode: - default: VerifyChain - description: ValidationMode defines whether only the leaf certificate or also the CA certs should be checked. - enum: - - VerifyLeafCertOnly - - VerifyChain - type: string - type: object - trustedCA: - description: TrustedCA defines which CA certificates are trusted. - properties: - certificates: - description: Certificates defines the list of secretRefs containing trusted CA certificates. - items: - properties: - secretRef: - description: SecretRef defines the reference to a secret containing one or more CA certificates under the key 'ca.crt'. - properties: - name: - description: Name of the resource - minLength: 1 - type: string - required: - - name - type: object - required: - - secretRef - type: object - minItems: 1 - type: array - verificationDepth: - default: 1 - description: |- - VerificationDepth specifies the hops in the certificate chain at which validation is performed. - 1 means that either the leaf or the signing CA must be in the set of trusted certificates. - format: int32 - type: integer - required: - - certificates - type: object - required: - - trustedCA - type: object - required: - description: |- - Required contains settings for client certificate verification. A client must present a valid certificate. - At least one of trustedCA and certificatePinning must be set. - properties: - allowedSANs: - description: |- - AllowedSANs is a list of matchers to verify the Subject Alternative name. If specified, it will verify that the - Subject Alternative Name of the presented certificate matches one of the specified matchers. The matching uses “any” semantics, - that is to say, the SAN is verified if at least one matcher is matched. - AllowedSANs requires trustedCA to be set. - items: - description: |- - TLSValidationContextSANMatcher is a list of matchers to verify the Subject Alternative name. If specified, it will verify that the - Subject Alternative Name of the presented certificate matches one of the specified matchers. - properties: - matcher: - description: Matcher defines the string matcher for the SAN value. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - sanType: - description: SanType defines the type of SAN matcher. - enum: - - DNS - - Email - - URI - - IPAddress - type: string - required: - - matcher - - sanType - type: object - minItems: 1 - type: array - certificatePinning: - description: |- - CertificatePinning defines the constraints a client certificate must fulfill. - If more than one constraint is configured only one must be satisfied. - At least one of allowedSPKIs and allowedHashes must be set. - properties: - allowedHashes: - description: |- - AllowedHashes is a list of hex-encoded SHA-256 hashes. - If specified, it will verify that the SHA-256 of the DER-encoded presented certificate matches one of the specified values. - items: - type: string - minItems: 1 - type: array - allowedSPKIs: - description: |- - AllowedSPKIs is a list of base64-encoded SHA-256 hashes. - If specified, it will verify that the SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate matches one of the specified values. - items: - type: string - minItems: 1 - type: array - type: object - crl: - description: CRL defines the Certificate Revocation List (CRL) settings. - properties: - lists: - description: Lists defines the list of secretRefs containing Certificate Revocation Lists. - items: - properties: - secretRef: - description: SecretRef defines the reference to a secret containing one or more CRL's (in PEM format) under the key 'ca.crl'. - properties: - name: - description: Name of the resource - minLength: 1 - type: string - required: - - name - type: object - required: - - secretRef - type: object - minItems: 1 - type: array - validationMode: - default: VerifyChain - description: ValidationMode defines whether only the leaf certificate or also the CA certs should be checked. - enum: - - VerifyLeafCertOnly - - VerifyChain - type: string - type: object - trustedCA: - description: TrustedCA defines which CA certificates are trusted. - properties: - certificates: - description: Certificates defines the list of secretRefs containing trusted CA certificates. - items: - properties: - secretRef: - description: SecretRef defines the reference to a secret containing one or more CA certificates under the key 'ca.crt'. - properties: - name: - description: Name of the resource - minLength: 1 - type: string - required: - - name - type: object - required: - - secretRef - type: object - minItems: 1 - type: array - verificationDepth: - default: 1 - description: |- - VerificationDepth specifies the hops in the certificate chain at which validation is performed. - 1 means that either the leaf or the signing CA must be in the set of trusted certificates. - format: int32 - type: integer - required: - - certificates - type: object - type: object - type: object - enable: - default: false - description: Enable defines if the downstream connection is encrypted. - type: boolean - protocol: - description: Protocol defines the supported TLS protocol versions. - properties: - maximum: - description: Maximum supported TLS version. - enum: - - TLSv1_0 - - TLSv1_1 - - TLSv1_2 - - TLSv1_3 - type: string - minimum: - description: Minimum supported TLS version. - enum: - - TLSv1_0 - - TLSv1_1 - - TLSv1_2 - - TLSv1_3 - type: string - type: object - secretRef: - description: SecretRef defines the reference to the TLS server certificate (secret of type kubernetes.io/tls). - properties: - name: - description: Name of the resource - minLength: 1 - type: string - required: - - name - type: object - xfcc: - description: |- - XFCC defines the handling of X-Forwarded-Client-Cert header. Meaning of the possible values: - _Sanitize_: Do not send the XFCC header to the next hop. This is the default value. - _ForwardOnly_: When the client connection is mTLS (Mutual TLS), forward the XFCC header in the request. - _AppendAndForward_: When the client connection is mTLS, append the client certificate information to the request’s XFCC header and forward it. - _SanitizeAndSet_: When the client connection is mTLS, reset the XFCC header with the client certificate information and send it to the next hop. - _AlwaysForwardOnly_: Always forward the XFCC header in the request, regardless of whether the client connection is mTLS. - Note: When forwarding the XFCC header in the request you might have to adjust the header length restrictions (See sidecargateway.spec.applications.downstream.restrictions.http) - enum: - - Sanitize - - ForwardOnly - - AppendAndForward - - SanitizeAndSet - - AlwaysForwardOnly - type: string - type: object - type: object - envoyHTTPFilterRefs: - description: EnvoyHTTPFilterRefs selects the relevant EnvoyHTTPFilters. - properties: - prepend: - description: Prepend selects the relevant EnvoyHTTPFilters which are added before those configured by the Airlock Microgateway. - items: - properties: - name: - description: Name of the resource - minLength: 1 - type: string - required: - - name - type: object - type: array - type: object - routes: - description: Routes defines the security configurations for different paths. The first matching route (from top to bottom) applies. - items: - description: |- - SidecarGatewayApplicationRoute defines the security configurations for different paths. - At most one of secured and unsecured can be set. - Default: secured: {...} - properties: - pathPrefix: - default: / - description: PathPrefix defines the path prefix used during route selection. - minLength: 1 - type: string - secured: - description: Secured enables WAF processing for this route. - properties: - accessControlRef: - description: |- - AccessControlRef selects the relevant AccessControl configuration resource. - If undefined, Airlock Microgateway does not perform any access control. - properties: - name: - description: Name of the resource - minLength: 1 - type: string - required: - - name - type: object - contentSecurityRef: - description: |- - ContentSecurityRef selects the relevant ContentSecurity configuration resource. - If undefined, default settings are applied, designed to work with most upstream web application services. - properties: - name: - description: Name of the resource - minLength: 1 - type: string - required: - - name - type: object - type: object - unsecured: - description: |- - Unsecured disables all WAF functionality and therefore protection for this route. - WARNING: Using this setting when the application is exposed to untrusted downstream traffic is highly discouraged. - type: object - type: object - type: array - x-kubernetes-list-map-keys: - - pathPrefix - x-kubernetes-list-type: map - telemetryRef: - description: |- - TelemetryRef selects the relevant Telemetry configuration resource. - If undefined, default settings are applied, designed to work with most upstream web application services. - properties: - name: - description: Name of the resource - minLength: 1 - type: string - required: - - name - type: object - upstream: - description: Upstream defines the upstream configuration for this application - properties: - protocol: - description: |- - Protocol defines HTTP protocol version used to communicate with the upstream. At most one of http1, http2 and auto can be set. - Default: auto: {} - properties: - auto: - description: Auto specifies to negotiate the protocol with TLS ALPN (if TLS is enabled) or, as a fallback, use the same protocol that is used by the downstream connection. - properties: - http2: - description: HTTP2 specifies the settings for when HTTP/2 is inferred. - properties: - allowConnect: - default: false - description: Allows proxying Websocket and other upgrades over H2 connect. - type: boolean - type: object - type: object - http1: - description: HTTP1 specifies to use HTTP/1.1. - type: object - http2: - description: HTTP2 specifies to use HTTP/2. - properties: - allowConnect: - default: false - description: Allows proxying Websocket and other upgrades over H2 connect. - type: boolean - type: object - type: object - timeouts: - description: Timeouts defines the timeout settings. - properties: - http: - description: HTTP defines the settings for HTTP timeouts. - properties: - idle: - description: |- - Timeout defines the settings for http timeouts. If this setting is not specified, the value of applications[].downstream.timeouts.http.idle is inherited. - A value of 0 will completely disable the timeout. - type: string - maxDuration: - default: 15s - description: |- - MaxDuration defines the total duration for a HTTP request/response stream. - Default: 15s - type: string - type: object - type: object - tls: - description: TLS defines the TLS settings. - properties: - ciphers: - description: Ciphers defines a list of the supported TLS cipher suites. For details on cipher list refer to the envoy documentation on cipher_suites in common tls configuration. - items: - type: string - minItems: 1 - type: array - enable: - default: false - description: Enable defines if the upstream connection is encrypted. - type: boolean - protocol: - description: Protocol defines the supported TLS protocol versions. - properties: - maximum: - description: Maximum supported TLS version. - enum: - - TLSv1_0 - - TLSv1_1 - - TLSv1_2 - - TLSv1_3 - type: string - minimum: - description: Minimum supported TLS version. - enum: - - TLSv1_0 - - TLSv1_1 - - TLSv1_2 - - TLSv1_3 - type: string - type: object - type: object - type: object - type: object - minItems: 1 - type: array - x-kubernetes-list-map-keys: - - containerPort - x-kubernetes-list-type: map - envoyClusterRefs: - description: EnvoyClusterRefs selects the relevant EnvoyClusters. - items: - properties: - name: - description: Name of the resource - minLength: 1 - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - podSelector: - description: PodSelector defines to which Pods the configuration will be applied to. - properties: - matchLabels: - additionalProperties: - type: string - description: MatchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels. - type: object - type: object - sessionHandlingRef: - description: SessionHandlingRef selects the SessionHandling configuration to apply. - properties: - name: - description: Name of the resource - minLength: 1 - type: string - required: - - name - type: object - required: - - applications - type: object - status: - description: Most recently observed status of the SidecarGateway which is populated by the system. This data is read-only and may not be up to date. - properties: - conditions: - items: - properties: - lastTransitionTime: - description: Last time the condition transitioned from one status to another. - format: date-time - type: string - message: - description: A human-readable message indicating details about the transition. - type: string - reason: - description: The reason for the condition's last transition. - type: string - status: - description: Status of the condition, one of True, False, Unknown. - type: string - type: - description: Type of SidecarGateway condition. - type: string - required: - - status - - type - type: object - type: array - pods: - items: - properties: - envoyConfig: - description: EnvoyConfig indicates the name of the EnvoyConfig CR for the Pod. - type: string - name: - description: Name indicates the name of a Pod selected by the SidecarGateway. - type: string - sessionAgentSecret: - type: string - required: - - name - type: object - type: array - status: - type: string - unmanagedPods: - items: - properties: - managedBy: - description: ManagedBy indicates the Airlock Microgateway Operator instance which manages this Pod. - type: string - name: - description: Name indicates the name of a Pod selected by the SidecarGateway. - type: string - sessionAgentSecret: - type: string - required: - - name - type: object - type: array - required: - - status - type: object - type: object - served: true - storage: true - subresources: - status: {} diff --git a/charts/airlock/microgateway/4.3.0/dashboards/license.json b/charts/airlock/microgateway/4.3.0/dashboards/license.json deleted file mode 100644 index b9d5777e2..000000000 --- a/charts/airlock/microgateway/4.3.0/dashboards/license.json +++ /dev/null @@ -1,521 +0,0 @@ -{ - "__inputs": [ - { - "name": "DS_PROMETHEUS", - "label": "Prometheus", - "description": "", - "type": "datasource", - "pluginId": "prometheus", - "pluginName": "Prometheus" - } - ], - "__elements": {}, - "__requires": [ - { - "type": "grafana", - "id": "grafana", - "name": "Grafana", - "version": "10.2.0" - }, - { - "type": "datasource", - "id": "prometheus", - "name": "Prometheus", - "version": "1.0.0" - }, - { - "type": "panel", - "id": "stat", - "name": "Stat", - "version": "" - }, - { - "type": "panel", - "id": "timeseries", - "name": "Time series", - "version": "" - } - ], - "annotations": { - "list": [ - { - "builtIn": 1, - "datasource": { - "type": "grafana", - "uid": "-- Grafana --" - }, - "enable": true, - "hide": true, - "iconColor": "rgba(0, 211, 255, 1)", - "name": "Annotations & Alerts", - "type": "dashboard" - } - ] - }, - "editable": true, - "fiscalYearStartMonth": 0, - "graphTooltip": 0, - "id": null, - "links": [ - { - "asDropdown": true, - "icon": "external link", - "includeVars": true, - "keepTime": true, - "tags": [ - "airlock-microgateway" - ], - "targetBlank": true, - "title": "Airlock Microgateway", - "tooltip": "", - "type": "dashboards", - "url": "" - } - ], - "panels": [ - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "description": "License status of Airlock Microgateway.", - "fieldConfig": { - "defaults": { - "color": { - "mode": "thresholds" - }, - "mappings": [ - { - "options": { - "0": { - "color": "red", - "index": 1, - "text": "Invalid" - }, - "1": { - "color": "green", - "index": 0, - "text": "Valid" - } - }, - "type": "value" - } - ], - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - } - }, - "overrides": [] - }, - "gridPos": { - "h": 4, - "w": 3, - "x": 0, - "y": 0 - }, - "id": 1, - "options": { - "colorMode": "value", - "graphMode": "area", - "justifyMode": "auto", - "orientation": "auto", - "reduceOptions": { - "calcs": [ - "lastNotNull" - ], - "fields": "", - "values": false - }, - "showPercentChange": false, - "textMode": "auto", - "wideLayout": true - }, - "pluginVersion": "11.0.0", - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "editorMode": "code", - "exemplar": false, - "expr": "min(microgateway_license_valid{namespace=~\"${operator_namespace.regex}\"})", - "instant": true, - "legendFormat": "License Status", - "range": false, - "refId": "Licenses" - } - ], - "title": "License Status", - "type": "stat" - }, - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "description": "Expiry date of the Airlock Microgateway license associated with the selected operator.", - "fieldConfig": { - "defaults": { - "color": { - "fixedColor": "text", - "mode": "fixed" - }, - "mappings": [], - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - }, - "unit": "time: L" - }, - "overrides": [] - }, - "gridPos": { - "h": 4, - "w": 4, - "x": 3, - "y": 0 - }, - "id": 4, - "options": { - "colorMode": "value", - "graphMode": "none", - "justifyMode": "auto", - "orientation": "auto", - "reduceOptions": { - "calcs": [ - "lastNotNull" - ], - "fields": "", - "values": false - }, - "showPercentChange": false, - "textMode": "auto", - "wideLayout": true - }, - "pluginVersion": "11.0.0", - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "editorMode": "code", - "exemplar": false, - "expr": "min(microgateway_license_expiry_timestamp_seconds{namespace=~\"${operator_namespace.regex}\"})*1000", - "instant": true, - "legendFormat": "Expiry Date (MM/DD/YYYY)", - "range": false, - "refId": "A" - } - ], - "title": "License Expiry Date", - "type": "stat" - }, - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "description": "Number of licensed requests for applications protected by Airlock Microgateway.", - "fieldConfig": { - "defaults": { - "color": { - "fixedColor": "text", - "mode": "fixed" - }, - "mappings": [], - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - }, - "unit": "short" - }, - "overrides": [] - }, - "gridPos": { - "h": 4, - "w": 4, - "x": 7, - "y": 0 - }, - "id": 6, - "options": { - "colorMode": "value", - "graphMode": "none", - "justifyMode": "auto", - "orientation": "auto", - "reduceOptions": { - "calcs": [ - "lastNotNull" - ], - "fields": "", - "values": false - }, - "showPercentChange": false, - "textMode": "auto", - "wideLayout": true - }, - "pluginVersion": "11.0.0", - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "editorMode": "code", - "exemplar": false, - "expr": "sum(microgateway_license_max_rq_count_per_month{namespace=~\"${operator_namespace.regex}\"})", - "instant": true, - "legendFormat": "Licensed Requests", - "range": false, - "refId": "A" - } - ], - "title": "Licensed Requests", - "type": "stat" - }, - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "description": "Estimated number of requests protected by Airlock Microgateway over 30 days based on the last 7 days.", - "fieldConfig": { - "defaults": { - "color": { - "fixedColor": "text", - "mode": "fixed" - }, - "mappings": [], - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - }, - "unit": "short" - }, - "overrides": [] - }, - "gridPos": { - "h": 4, - "w": 5, - "x": 11, - "y": 0 - }, - "id": 2, - "options": { - "colorMode": "value", - "graphMode": "none", - "justifyMode": "auto", - "orientation": "auto", - "reduceOptions": { - "calcs": [ - "lastNotNull" - ], - "fields": "", - "values": false - }, - "showPercentChange": false, - "textMode": "auto", - "wideLayout": true - }, - "pluginVersion": "11.0.0", - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "editorMode": "code", - "exemplar": false, - "expr": "sum(increase(microgateway_license_http_rq_total{job=~\"${operator_namespace.regex}/.*-engine\"}[7d]))/7*30", - "instant": true, - "legendFormat": "Estimated Requests", - "range": false, - "refId": "A" - } - ], - "title": "Requests over 30 days (estimated)", - "type": "stat" - }, - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "description": "Number of requests per week processed by Airlock Microgateway.", - "fieldConfig": { - "defaults": { - "color": { - "fixedColor": "blue", - "mode": "fixed" - }, - "custom": { - "axisBorderShow": false, - "axisCenteredZero": false, - "axisColorMode": "text", - "axisLabel": "", - "axisPlacement": "auto", - "barAlignment": 0, - "drawStyle": "line", - "fillOpacity": 0, - "gradientMode": "none", - "hideFrom": { - "legend": false, - "tooltip": false, - "viz": false - }, - "insertNulls": false, - "lineInterpolation": "linear", - "lineWidth": 1, - "pointSize": 5, - "scaleDistribution": { - "type": "linear" - }, - "showPoints": "auto", - "spanNulls": false, - "stacking": { - "group": "A", - "mode": "none" - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "mappings": [], - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - }, - "unit": "short" - }, - "overrides": [] - }, - "gridPos": { - "h": 12, - "w": 16, - "x": 0, - "y": 4 - }, - "id": 5, - "options": { - "legend": { - "calcs": [], - "displayMode": "list", - "placement": "bottom", - "showLegend": true - }, - "tooltip": { - "maxHeight": 600, - "mode": "single", - "sort": "none" - } - }, - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "editorMode": "code", - "expr": "sum(avg_over_time(increase(microgateway_license_http_rq_total{job=~\"${operator_namespace.regex}/.*-engine\"}[7d])[2m:30s]))", - "instant": false, - "legendFormat": "# Requests per week", - "range": true, - "refId": "A" - } - ], - "title": "Processed Requests per week", - "type": "timeseries" - } - ], - "schemaVersion": 39, - "tags": [ - "airlock-microgateway" - ], - "templating": { - "list": [ - { - "current": { - "selected": false, - "text": "Prometheus", - "value": "PBFA97CFB590B2093" - }, - "hide": 2, - "includeAll": false, - "label": "DS_PROMETHEUS", - "multi": false, - "name": "DS_PROMETHEUS", - "options": [], - "query": "prometheus", - "refresh": 1, - "regex": "", - "skipUrlSync": false, - "type": "datasource" - }, - { - "allValue": ".*", - "current": {}, - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "definition": "label_values(microgateway_license_valid,namespace)", - "description": "", - "hide": 0, - "includeAll": false, - "label": "Operator Namespace", - "multi": false, - "name": "operator_namespace", - "options": [], - "query": { - "qryType": 1, - "query": "label_values(microgateway_license_valid,namespace)", - "refId": "PrometheusVariableQueryEditor-VariableQuery" - }, - "refresh": 2, - "regex": "", - "skipUrlSync": false, - "sort": 0, - "type": "query" - } - ] - }, - "time": { - "from": "now-7d", - "to": "now" - }, - "timeRangeUpdatedDuringEditOrView": false, - "timepicker": {}, - "timezone": "browser", - "title": "Airlock Microgateway License", - "uid": "cdpq79bzrr01se", - "version": 2, - "weekStart": "" -} \ No newline at end of file diff --git a/charts/airlock/microgateway/4.3.0/dashboards/overview.json b/charts/airlock/microgateway/4.3.0/dashboards/overview.json deleted file mode 100644 index 094276621..000000000 --- a/charts/airlock/microgateway/4.3.0/dashboards/overview.json +++ /dev/null @@ -1,1138 +0,0 @@ -{ - "__inputs": [ - { - "name": "DS_PROMETHEUS", - "label": "Prometheus", - "description": "", - "type": "datasource", - "pluginId": "prometheus", - "pluginName": "Prometheus" - } - ], - "__elements": {}, - "__requires": [ - { - "type": "grafana", - "id": "grafana", - "name": "Grafana", - "version": "10.2.0" - }, - { - "type": "datasource", - "id": "prometheus", - "name": "Prometheus", - "version": "1.0.0" - }, - { - "type": "panel", - "id": "stat", - "name": "Stat", - "version": "" - }, - { - "type": "panel", - "id": "table", - "name": "Table", - "version": "" - }, - { - "type": "panel", - "id": "timeseries", - "name": "Time series", - "version": "" - } - ], - "annotations": { - "list": [ - { - "builtIn": 1, - "datasource": { - "type": "grafana", - "uid": "-- Grafana --" - }, - "enable": true, - "hide": true, - "iconColor": "rgba(0, 211, 255, 1)", - "name": "Annotations & Alerts", - "type": "dashboard" - } - ] - }, - "editable": true, - "fiscalYearStartMonth": 0, - "graphTooltip": 0, - "id": null, - "links": [ - { - "asDropdown": true, - "icon": "external link", - "includeVars": true, - "keepTime": true, - "tags": [ - "airlock-microgateway" - ], - "targetBlank": true, - "title": "Airlock Microgateway", - "tooltip": "", - "type": "dashboards", - "url": "" - } - ], - "panels": [ - { - "gridPos": { - "h": 1, - "w": 24, - "x": 0, - "y": 0 - }, - "id": 3, - "title": "Overview", - "type": "row" - }, - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "description": "Number of pods that are protected by Airlock Microgateway.", - "fieldConfig": { - "defaults": { - "color": { - "mode": "thresholds" - }, - "mappings": [], - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "text", - "value": null - } - ] - } - }, - "overrides": [] - }, - "gridPos": { - "h": 4, - "w": 3, - "x": 0, - "y": 1 - }, - "id": 11, - "options": { - "colorMode": "value", - "graphMode": "none", - "justifyMode": "auto", - "orientation": "auto", - "reduceOptions": { - "calcs": [ - "last" - ], - "fields": "", - "values": false - }, - "showPercentChange": false, - "textMode": "auto", - "wideLayout": true - }, - "pluginVersion": "11.0.0", - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "editorMode": "code", - "exemplar": false, - "expr": "sum(microgateway_sidecars{namespace=~\"${operator_namespace.regex}\"})", - "instant": true, - "legendFormat": "Protected Pods", - "range": false, - "refId": "A" - } - ], - "title": "Protected Pods", - "type": "stat" - }, - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "description": "Total number of requests processed by Airlock Microgateway.", - "fieldConfig": { - "defaults": { - "color": { - "fixedColor": "text", - "mode": "fixed" - }, - "mappings": [], - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - }, - "unit": "short" - }, - "overrides": [] - }, - "gridPos": { - "h": 4, - "w": 3, - "x": 3, - "y": 1 - }, - "id": 4, - "options": { - "colorMode": "value", - "graphMode": "none", - "justifyMode": "auto", - "orientation": "auto", - "reduceOptions": { - "calcs": [ - "last" - ], - "fields": "", - "values": false - }, - "showPercentChange": false, - "textMode": "auto", - "wideLayout": true - }, - "pluginVersion": "11.0.0", - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "disableTextWrap": false, - "editorMode": "code", - "exemplar": false, - "expr": "round(sum(increase(microgateway_license_http_rq_total{namespace=~\"${namespace:regex}\", job=~\"${operator_namespace.regex}/.*-engine\"}[$__range])))", - "format": "time_series", - "fullMetaSearch": false, - "hide": false, - "includeNullMetadata": true, - "instant": true, - "legendFormat": "Processed Requests", - "range": false, - "refId": "A", - "useBackend": false - } - ], - "title": "Requests", - "type": "stat" - }, - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "description": "Ratio of blocked requests vs. processed requests by Airlock Microgateway.", - "fieldConfig": { - "defaults": { - "color": { - "fixedColor": "text", - "mode": "fixed" - }, - "mappings": [ - { - "options": { - "match": "nan", - "result": { - "index": 0, - "text": "n/a" - } - }, - "type": "special" - } - ], - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - }, - "unit": "percentunit" - }, - "overrides": [] - }, - "gridPos": { - "h": 4, - "w": 3, - "x": 6, - "y": 1 - }, - "id": 5, - "options": { - "colorMode": "value", - "graphMode": "area", - "justifyMode": "auto", - "orientation": "auto", - "reduceOptions": { - "calcs": [ - "last" - ], - "fields": "", - "values": false - }, - "showPercentChange": false, - "textMode": "auto", - "wideLayout": true - }, - "pluginVersion": "11.0.0", - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "disableTextWrap": false, - "editorMode": "code", - "exemplar": false, - "expr": "sum(increase(microgateway_http_downstream_rq_threats_blocked_total{namespace=~\"${namespace:regex}\", job=~\"${operator_namespace.regex}/.*-engine\"}[$__range])) / sum(increase(microgateway_license_http_rq_total{namespace=~\"${namespace:regex}\", job=~\"${operator_namespace.regex}/.*-engine\"}[$__range]))", - "fullMetaSearch": false, - "includeNullMetadata": true, - "instant": true, - "legendFormat": "Blocked Requests (%)", - "range": false, - "refId": "A", - "useBackend": false - } - ], - "title": "% Blocked Requests", - "type": "stat" - }, - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "description": "License status of Airlock Microgateway.", - "fieldConfig": { - "defaults": { - "color": { - "mode": "thresholds" - }, - "mappings": [ - { - "options": { - "0": { - "color": "red", - "index": 1, - "text": "Invalid" - }, - "1": { - "color": "green", - "index": 0, - "text": "Valid" - } - }, - "type": "value" - } - ], - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - } - }, - "overrides": [] - }, - "gridPos": { - "h": 4, - "w": 3, - "x": 9, - "y": 1 - }, - "id": 10, - "options": { - "colorMode": "value", - "graphMode": "area", - "justifyMode": "auto", - "orientation": "auto", - "reduceOptions": { - "calcs": [ - "lastNotNull" - ], - "fields": "", - "values": false - }, - "showPercentChange": false, - "textMode": "auto", - "wideLayout": true - }, - "pluginVersion": "11.0.0", - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "editorMode": "code", - "exemplar": false, - "expr": "min(microgateway_license_valid{namespace=~\"${operator_namespace.regex}\"})", - "instant": true, - "legendFormat": "License Status", - "range": false, - "refId": "Licenses" - } - ], - "title": "License", - "type": "stat" - }, - { - "gridPos": { - "h": 1, - "w": 24, - "x": 0, - "y": 5 - }, - "id": 2, - "title": "Blocks", - "type": "row" - }, - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "description": "Requests per second processed by Airlock Microgateway along with the corresponding block rate.", - "fieldConfig": { - "defaults": { - "color": { - "fixedColor": "blue", - "mode": "fixed" - }, - "custom": { - "axisBorderShow": false, - "axisCenteredZero": false, - "axisColorMode": "text", - "axisLabel": "", - "axisPlacement": "left", - "barAlignment": 0, - "drawStyle": "line", - "fillOpacity": 0, - "gradientMode": "none", - "hideFrom": { - "legend": false, - "tooltip": false, - "viz": false - }, - "insertNulls": false, - "lineInterpolation": "linear", - "lineWidth": 1, - "pointSize": 5, - "scaleDistribution": { - "type": "linear" - }, - "showPoints": "auto", - "spanNulls": false, - "stacking": { - "group": "A", - "mode": "none" - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "mappings": [], - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "blue", - "value": null - } - ] - } - }, - "overrides": [ - { - "matcher": { - "id": "byName", - "options": "% Blocks" - }, - "properties": [ - { - "id": "custom.axisPlacement", - "value": "right" - }, - { - "id": "unit", - "value": "percentunit" - }, - { - "id": "color", - "value": { - "fixedColor": "orange", - "mode": "fixed" - } - }, - { - "id": "max", - "value": 1 - } - ] - }, - { - "matcher": { - "id": "byName", - "options": "Requests per second" - }, - "properties": [ - { - "id": "unit", - "value": "short" - }, - { - "id": "custom.fillOpacity", - "value": 25 - } - ] - } - ] - }, - "gridPos": { - "h": 10, - "w": 12, - "x": 0, - "y": 6 - }, - "id": 6, - "options": { - "legend": { - "calcs": [], - "displayMode": "list", - "placement": "bottom", - "showLegend": true - }, - "timezone": [ - "" - ], - "tooltip": { - "maxHeight": 600, - "mode": "single", - "sort": "none" - } - }, - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "editorMode": "code", - "exemplar": false, - "expr": "sum(rate(microgateway_license_http_rq_total{namespace=~\"${namespace:regex}\", job=~\"${operator_namespace.regex}/.*-engine\"}[1m]))", - "instant": false, - "legendFormat": "Requests per second", - "range": true, - "refId": "Requests per Second" - }, - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "editorMode": "code", - "expr": "sum(rate(microgateway_http_downstream_rq_threats_blocked_total{namespace=~\"${namespace:regex}\", job=~\"${operator_namespace.regex}/.*-engine\"}[1m])) / sum(rate(microgateway_license_http_rq_total{namespace=~\"${namespace:regex}\", job=~\"${operator_namespace.regex}/.*-engine\"}[1m]))", - "hide": false, - "instant": false, - "legendFormat": "% Blocks", - "range": true, - "refId": "Blocks" - } - ], - "title": "Requests vs. % Blocks", - "type": "timeseries" - }, - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "description": "Requests blocked by Airlock Microgateway categorized by their corresponding type.", - "fieldConfig": { - "defaults": { - "color": { - "mode": "thresholds" - }, - "custom": { - "align": "auto", - "cellOptions": { - "barAlignment": 0, - "drawStyle": "line", - "gradientMode": "none", - "hideValue": false, - "lineInterpolation": "linear", - "lineStyle": { - "dash": [ - 10, - 10 - ], - "fill": "solid" - }, - "showPoints": "never", - "spanNulls": false, - "type": "sparkline" - }, - "inspect": false - }, - "displayName": "Block Type", - "fieldMinMax": false, - "mappings": [], - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - } - }, - "overrides": [ - { - "matcher": { - "id": "byName", - "options": "block_type" - }, - "properties": [ - { - "id": "custom.width", - "value": 153 - }, - { - "id": "custom.cellOptions", - "value": { - "type": "auto" - } - } - ] - }, - { - "matcher": { - "id": "byName", - "options": "Trend #Block Types" - }, - "properties": [ - { - "id": "color", - "value": { - "fixedColor": "orange", - "mode": "fixed" - } - } - ] - } - ] - }, - "gridPos": { - "h": 10, - "w": 12, - "x": 12, - "y": 6 - }, - "id": 7, - "options": { - "cellHeight": "lg", - "footer": { - "countRows": false, - "enablePagination": false, - "fields": [ - "Value" - ], - "reducer": [ - "sum" - ], - "show": false - }, - "showHeader": false, - "sortBy": [ - { - "desc": true, - "displayName": "block_type" - } - ] - }, - "pluginVersion": "11.0.0", - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "editorMode": "code", - "expr": "sum by (block_type) (increase(microgateway_http_downstream_rq_threats_blocked_total{namespace=~\"${namespace:regex}\", job=~\"${operator_namespace.regex}/.*-engine\"}[1m] offset -1m))/(60000/$__interval_ms)", - "format": "time_series", - "instant": false, - "legendFormat": "__auto", - "range": true, - "refId": "Block Types" - } - ], - "title": "Blocked Requests by Type", - "transformations": [ - { - "id": "timeSeriesTable", - "options": { - "A": { - "timeField": "Time" - }, - "Block Types": { - "stat": "sum", - "timeField": "Time" - } - } - } - ], - "type": "table" - }, - { - "gridPos": { - "h": 1, - "w": 24, - "x": 0, - "y": 16 - }, - "id": 1, - "title": "Latency", - "type": "row" - }, - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "description": "Percentiles of the application downstream latency over one minute.", - "fieldConfig": { - "defaults": { - "color": { - "mode": "palette-classic" - }, - "custom": { - "axisBorderShow": false, - "axisCenteredZero": false, - "axisColorMode": "text", - "axisLabel": "", - "axisPlacement": "auto", - "barAlignment": 0, - "drawStyle": "line", - "fillOpacity": 0, - "gradientMode": "none", - "hideFrom": { - "legend": false, - "tooltip": false, - "viz": false - }, - "insertNulls": false, - "lineInterpolation": "linear", - "lineWidth": 1, - "pointSize": 5, - "scaleDistribution": { - "type": "linear" - }, - "showPoints": "auto", - "spanNulls": false, - "stacking": { - "group": "A", - "mode": "none" - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "mappings": [], - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - }, - "unit": "ms" - }, - "overrides": [ - { - "matcher": { - "id": "byName", - "options": "25th Percentile" - }, - "properties": [ - { - "id": "color", - "value": { - "fixedColor": "super-light-purple", - "mode": "fixed" - } - } - ] - }, - { - "matcher": { - "id": "byName", - "options": "50th Percentile" - }, - "properties": [ - { - "id": "color", - "value": { - "fixedColor": "purple", - "mode": "fixed" - } - } - ] - }, - { - "matcher": { - "id": "byName", - "options": "95th Percentile" - }, - "properties": [ - { - "id": "color", - "value": { - "fixedColor": "dark-purple", - "mode": "fixed" - } - } - ] - } - ] - }, - "gridPos": { - "h": 9, - "w": 12, - "x": 0, - "y": 17 - }, - "id": 8, - "options": { - "legend": { - "calcs": [], - "displayMode": "list", - "placement": "bottom", - "showLegend": true - }, - "tooltip": { - "maxHeight": 600, - "mode": "single", - "sort": "none" - } - }, - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "editorMode": "code", - "expr": "histogram_quantile(0.25, sum(rate(envoy_http_downstream_rq_time_bucket{envoy_http_conn_manager_prefix=\"http\", namespace=~\"${namespace:regex}\", job=~\"${operator_namespace.regex}/.*-engine\"}[1m])) by (le))", - "instant": false, - "legendFormat": "25th Percentile", - "range": true, - "refId": "25th Percentile" - }, - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "editorMode": "code", - "expr": "histogram_quantile(0.5, sum(rate(envoy_http_downstream_rq_time_bucket{envoy_http_conn_manager_prefix=\"http\", namespace=~\"${namespace:regex}\", job=~\"${operator_namespace.regex}/.*-engine\"}[1m])) by (le))", - "hide": false, - "instant": false, - "legendFormat": "50th Percentile", - "range": true, - "refId": "50th Percentile" - }, - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "editorMode": "code", - "expr": "histogram_quantile(0.95, sum(rate(envoy_http_downstream_rq_time_bucket{envoy_http_conn_manager_prefix=\"http\", namespace=~\"${namespace:regex}\", job=~\"${operator_namespace.regex}/.*-engine\"}[1m])) by (le))", - "hide": false, - "instant": false, - "legendFormat": "95th Percentile", - "range": true, - "refId": "95th Percentile" - } - ], - "title": "Application Downstream Latency", - "type": "timeseries" - }, - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "description": "Percentiles of the Airlock Microgateway processing time over one minute.", - "fieldConfig": { - "defaults": { - "color": { - "mode": "palette-classic" - }, - "custom": { - "axisBorderShow": false, - "axisCenteredZero": false, - "axisColorMode": "text", - "axisLabel": "", - "axisPlacement": "auto", - "barAlignment": 0, - "drawStyle": "line", - "fillOpacity": 0, - "gradientMode": "none", - "hideFrom": { - "legend": false, - "tooltip": false, - "viz": false - }, - "insertNulls": false, - "lineInterpolation": "linear", - "lineWidth": 1, - "pointSize": 5, - "scaleDistribution": { - "type": "linear" - }, - "showPoints": "auto", - "spanNulls": false, - "stacking": { - "group": "A", - "mode": "none" - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "mappings": [], - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - }, - "unit": "ms" - }, - "overrides": [ - { - "matcher": { - "id": "byName", - "options": "25th Percentile" - }, - "properties": [ - { - "id": "color", - "value": { - "fixedColor": "super-light-purple", - "mode": "fixed" - } - } - ] - }, - { - "matcher": { - "id": "byName", - "options": "50th Percentile" - }, - "properties": [ - { - "id": "color", - "value": { - "fixedColor": "purple", - "mode": "fixed" - } - } - ] - }, - { - "matcher": { - "id": "byName", - "options": "95th Percentile" - }, - "properties": [ - { - "id": "color", - "value": { - "fixedColor": "dark-purple", - "mode": "fixed" - } - } - ] - } - ] - }, - "gridPos": { - "h": 9, - "w": 12, - "x": 12, - "y": 17 - }, - "id": 9, - "options": { - "legend": { - "calcs": [], - "displayMode": "list", - "placement": "bottom", - "showLegend": true - }, - "tooltip": { - "maxHeight": 600, - "mode": "single", - "sort": "none" - } - }, - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "editorMode": "code", - "expr": "histogram_quantile(0.25, sum(rate(microgateway_rq_processing_time_ms_bucket{namespace=~\"${namespace:regex}\", job=~\"${operator_namespace.regex}/.*-engine\"}[1m])) by (le))", - "instant": false, - "legendFormat": "25th Percentile", - "range": true, - "refId": "0.25 Percentile" - }, - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "editorMode": "code", - "expr": "histogram_quantile(0.5, sum(rate(microgateway_rq_processing_time_ms_bucket{namespace=~\"${namespace:regex}\", job=~\"${operator_namespace.regex}/.*-engine\"}[1m])) by (le))", - "hide": false, - "instant": false, - "legendFormat": "50th Percentile", - "range": true, - "refId": "0.5 Percentile" - }, - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "editorMode": "code", - "expr": "histogram_quantile(0.95, sum(rate(microgateway_rq_processing_time_ms_bucket{namespace=~\"${namespace:regex}\", job=~\"${operator_namespace.regex}/.*-engine\"}[1m])) by (le))", - "hide": false, - "instant": false, - "legendFormat": "95th Percentile", - "range": true, - "refId": "0.95 Percentile" - } - ], - "title": "Airlock Microgateway Processing Time", - "type": "timeseries" - } - ], - "refresh": "", - "schemaVersion": 39, - "tags": [ - "airlock-microgateway" - ], - "templating": { - "list": [ - { - "current": { - "selected": false, - "text": "Prometheus", - "value": "PBFA97CFB590B2093" - }, - "hide": 2, - "includeAll": false, - "label": "DS_PROMETHEUS", - "multi": false, - "name": "DS_PROMETHEUS", - "options": [], - "query": "prometheus", - "refresh": 1, - "regex": "", - "skipUrlSync": false, - "type": "datasource" - }, - { - "allValue": ".*", - "current": {}, - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "definition": "label_values(microgateway_license_valid,namespace)", - "hide": 0, - "includeAll": true, - "label": "Operator Namespace", - "multi": true, - "name": "operator_namespace", - "options": [], - "query": { - "qryType": 1, - "query": "label_values(microgateway_license_valid,namespace)", - "refId": "PrometheusVariableQueryEditor-VariableQuery" - }, - "refresh": 2, - "regex": ".*", - "skipUrlSync": false, - "sort": 0, - "type": "query" - }, - { - "allValue": ".*", - "current": {}, - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "definition": "label_values(microgateway_license_http_rq_total,namespace)", - "hide": 0, - "includeAll": true, - "label": "Application Namespace", - "multi": true, - "name": "namespace", - "options": [], - "query": { - "qryType": 1, - "query": "label_values(microgateway_license_http_rq_total,namespace)", - "refId": "PrometheusVariableQueryEditor-VariableQuery" - }, - "refresh": 2, - "regex": "", - "skipUrlSync": false, - "sort": 0, - "type": "query" - } - ] - }, - "time": { - "from": "now-24h", - "to": "now" - }, - "timeRangeUpdatedDuringEditOrView": false, - "timepicker": {}, - "timezone": "browser", - "title": "Airlock Microgateway Overview", - "uid": "fdp5jb8fnrmyoa", - "version": 1, - "weekStart": "" -} \ No newline at end of file diff --git a/charts/airlock/microgateway/4.3.0/gke-values.yaml b/charts/airlock/microgateway/4.3.0/gke-values.yaml new file mode 100644 index 000000000..d6d5c21d1 --- /dev/null +++ b/charts/airlock/microgateway/4.3.0/gke-values.yaml @@ -0,0 +1,4 @@ +# values for deploying on GKE + +config: + cniBinDir: "/home/kubernetes/bin" diff --git a/charts/airlock/microgateway/4.3.0/openshift-values.yaml b/charts/airlock/microgateway/4.3.0/openshift-values.yaml new file mode 100644 index 000000000..3b1d6cccd --- /dev/null +++ b/charts/airlock/microgateway/4.3.0/openshift-values.yaml @@ -0,0 +1,15 @@ +# values for deploying on OpenShift + +rbac: + createSCCRole: true + +privileged: true + +multusNetworkAttachmentDefinition: + create: true + namespace: default + +config: + installMode: "standalone" + cniNetDir: "/etc/cni/multus/net.d" + cniBinDir: "/var/lib/cni/bin" diff --git a/charts/airlock/microgateway/4.3.0/questions.yml b/charts/airlock/microgateway/4.3.0/questions.yml new file mode 100644 index 000000000..73ed44d64 --- /dev/null +++ b/charts/airlock/microgateway/4.3.0/questions.yml @@ -0,0 +1,18 @@ +questions: + - variable: config.cniNetDir + required: true + type: string + label: CNI Network Configuration Directory + group: "CNI Settings" + description: "Directory where the CNI config files reside on the host. This value depends on the kubernetes distribution and interface CNI Provider used. It can be fetched by running `crictl info -o go-template --template '{{.config.cni.confDir}}'` on your kubernetes host." + - variable: config.cniBinDir + required: true + type: string + label: CNI Plugin Binaries Directory + group: "CNI Settings" + description: "Directory where the CNI plugin binaries reside on the host. This value depends on the kubernetes distribution and interface CNI Provider used. It can be fetched by running `crictl info -o go-template --template '{{.config.cni.binDir}}'` on your kubernetes host." + - variable: config.installMode + required: true + label: CNI Plugin Installation Mode + group: "CNI Settings" + description: "Whether to install the CNI plugin as a `chained` plugin (default, required with most interface CNI providers) as a `standalone` plugin (required for use with Multus CNI, e.g. on OpenShift) or in `manual` mode, where no CNI network configuration is written. Please refer to the CNI installation documentation (https://github.com/airlock/microgateway?tab=readme-ov-file#deploy-airlock-microgateway-cni) to correctly setup the CNI Plugin for your environment." diff --git a/charts/airlock/microgateway/4.3.0/templates/NOTES.txt b/charts/airlock/microgateway/4.3.0/templates/NOTES.txt index e38e3caa0..e8aa45888 100644 --- a/charts/airlock/microgateway/4.3.0/templates/NOTES.txt +++ b/charts/airlock/microgateway/4.3.0/templates/NOTES.txt @@ -1,34 +1,3 @@ -Thank you for installing Airlock Microgateway. -If you have not already done so, make sure that Airlock Microgateway CNI is also installed on the cluster. +Thank you for installing Airlock Microgateway CNI. -For further information, please visit our documentation at https://docs.airlock.com/microgateway/{{ include "airlock-microgateway.docsVersion" .}}. -Detailed CRD API reference documentation is also available at https://docs.airlock.com/microgateway/{{ include "airlock-microgateway.docsVersion" .}}/api/crds. -{{ if .Values.crds.skipVersionCheck }} -- CRD version check skipped -{{- else }} -{{- $outdatedCRDs := (include "airlock-microgateway.outdatedCRDs" .) -}} -{{- if $outdatedCRDs -}} - {{- fail (printf ` - -Helm does not automatically upgrade CRDs from the chart's 'crds/' directory during 'helm install/upgrade'. -Therefore, the CRDs must be manually upgraded with the following command before deploying this chart: - -kubectl apply -k https://github.com/airlock/microgateway/deploy/charts/airlock-microgateway/crds/?ref=%s --server-side --force-conflicts - -If you are not using the helm install/upgrade command and instead rely on some other mechanism which is able to upgrade CRDs for deploying this chart, you can suppress this error by setting the helm value 'crds.skipVersionCheck=true'.` - .Chart.AppVersion) - -}} -{{- end -}} -{{- end -}} -{{- if .Values.tests.enabled }} - {{- if .Values.operator.watchNamespaces -}} - {{- if not (has .Release.Namespace .Values.operator.watchNamespaces) }} - {{- fail (printf ` - -To execute 'helm test', it is necessary that the release namespace '%s' is part of the operator's watch scope. Either disable the tests or ensure that the release namespace is added to watch namspace list ('operator.watchNamespaces') in the helm values. -` - .Release.Namespace) - -}} - {{- end -}} - {{- end -}} -{{- end }} \ No newline at end of file +For further information, please visit our documentation at https://docs.airlock.com/microgateway/{{ include "airlock-microgateway-cni.docsVersion" .}}. diff --git a/charts/airlock/microgateway/4.3.0/templates/_helpers.tpl b/charts/airlock/microgateway/4.3.0/templates/_helpers.tpl index 733ba9648..996491a87 100644 --- a/charts/airlock/microgateway/4.3.0/templates/_helpers.tpl +++ b/charts/airlock/microgateway/4.3.0/templates/_helpers.tpl @@ -1,16 +1,14 @@ {{/* Expand the name of the chart. -We truncate at 49 chars because some Kubernetes name fields are limited to 63 chars (by the DNS naming spec) -and the longest explicit suffix is 14 characters. */}} -{{- define "airlock-microgateway.name" -}} -{{- default .Chart.Name .Values.nameOverride | trunc 49 | trimSuffix "-" }} +{{- define "airlock-microgateway-cni.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} {{- end }} {{/* Convert an image configuration object into an image ref string. */}} -{{- define "airlock-microgateway.image" -}} +{{- define "airlock-microgateway-cni.image" -}} {{- if .digest -}} {{- printf "%s@%s" .repository .digest -}} {{- else if .tag -}} @@ -22,19 +20,19 @@ Convert an image configuration object into an image ref string. {{/* Create a default fully qualified app name. -We truncate at 36 chars because some Kubernetes name fields are limited to 63 chars (by the DNS naming spec) -and the longest implicit suffix is 27 characters. +We truncate at 50 chars because some Kubernetes name fields are limited to 63 chars (by the DNS naming spec) +and the longest suffix is 13 characters. If release name contains chart name it will be used as a full name. */}} -{{- define "airlock-microgateway.fullname" -}} +{{- define "airlock-microgateway-cni.fullname" -}} {{- if .Values.fullnameOverride }} -{{- .Values.fullnameOverride | trunc 36 | trimSuffix "-" }} +{{- .Values.fullnameOverride | trunc 50 | trimSuffix "-" }} {{- else }} {{- $name := default .Chart.Name .Values.nameOverride }} {{- if contains $name .Release.Name }} -{{- .Release.Name | trunc 36 | trimSuffix "-" }} +{{- .Release.Name | trunc 50 | trimSuffix "-" }} {{- else }} -{{- printf "%s-%s" .Release.Name $name | trunc 36 | trimSuffix "-" }} +{{- printf "%s-%s" .Release.Name $name | trunc 50 | trimSuffix "-" }} {{- end }} {{- end }} {{- end }} @@ -42,112 +40,62 @@ If release name contains chart name it will be used as a full name. {{/* Create chart name and version as used by the chart label. */}} -{{- define "airlock-microgateway.chart" -}} +{{- define "airlock-microgateway-cni.chart" -}} {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} {{- end }} {{/* Common labels */}} -{{- define "airlock-microgateway.sharedLabels" -}} -helm.sh/chart: {{ include "airlock-microgateway.chart" . }} +{{- define "airlock-microgateway-cni.labels" -}} +helm.sh/chart: {{ include "airlock-microgateway-cni.chart" . }} +{{ include "airlock-microgateway-cni.selectorLabels" . }} {{- if .Chart.AppVersion }} app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} {{- end }} app.kubernetes.io/managed-by: {{ .Release.Service }} -app.kubernetes.io/part-of: {{ .Chart.Name }} {{- with .Values.commonLabels }} {{ toYaml .}} {{- end }} {{- end }} {{/* -Common Selector labels +Common labels without component */}} -{{- define "airlock-microgateway.sharedSelectorLabels" -}} -app.kubernetes.io/instance: {{ .Release.Name }} +{{- define "airlock-microgateway-cni.labelsWithoutComponent" -}} +{{- $labels := fromYaml (include "airlock-microgateway-cni.labels" .) -}} +{{ unset $labels "app.kubernetes.io/component" | toYaml }} {{- end }} {{/* -Restricted Container Security Context +Selector labels */}} -{{- define "airlock-microgateway.restrictedSecurityContext" -}} -allowPrivilegeEscalation: false -privileged: false -runAsNonRoot: true -capabilities: - drop: ["ALL"] -readOnlyRootFilesystem: true -seccompProfile: - type: RuntimeDefault +{{- define "airlock-microgateway-cni.selectorLabels" -}} +app.kubernetes.io/component: cni-plugin-installer +app.kubernetes.io/instance: {{ .Release.Name }} +app.kubernetes.io/name: {{ include "airlock-microgateway-cni.name" . }} {{- end }} -{{/* Precondition: May only be used if AppVersion is isSemver */}} -{{- define "airlock-microgateway.supportedCRDVersionPattern" -}} -{{- $version := (semver .Chart.AppVersion) -}} -{{- if $version.Prerelease -}} ->= {{ $version.Major }}.{{ $version.Minor }}.{{ $version.Patch }}-{{ $version.Prerelease }} -{{- else -}} ->= {{ $version.Major }}.{{ $version.Minor }}.0 || >= {{ $version.Major }}.{{ $version.Minor }}.{{ add1 $version.Patch }}-0 -{{- end -}} -{{- end -}} +{{/* +Create the name of the service account to use for the CNI Plugin +*/}} +{{- define "airlock-microgateway-cni.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "airlock-microgateway-cni.fullname" .) .Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} -{{- define "airlock-microgateway.outdatedCRDs" -}} -{{- if (eq "true" (include "airlock-microgateway.isSemver" .Chart.AppVersion)) -}} - {{- $supportedVersion := (include "airlock-microgateway.supportedCRDVersionPattern" .) -}} - {{- range $path, $_ := .Files.Glob "crds/*.yaml" -}} - {{- $api := ($.Files.Get $path | fromYaml).metadata.name -}} - {{- $crd := (lookup "apiextensions.k8s.io/v1" "CustomResourceDefinition" "" $api) -}} - {{- $isOutdated := false -}} - {{- if $crd -}} - {{/* If CRD is already present in the cluster, it must have the minimum supported version */}} - {{- $isOutdated = true -}} - {{- if hasKey $crd.metadata "labels" -}} - {{- $crdVersion := get $crd.metadata.labels "app.kubernetes.io/version" -}} - {{- if (eq "true" (include "airlock-microgateway.isSemver" $crdVersion)) -}} - {{- if (semverCompare $supportedVersion $crdVersion) }} - {{- $isOutdated = false -}} - {{- end }} - {{- end -}} - {{- end -}} - {{- end -}} - {{- if $isOutdated }} -{{ base $path }} - {{- end }} - {{- end -}} -{{- end -}} -{{- end -}} - -{{- define "airlock-microgateway.isSemver" -}} +{{- define "airlock-microgateway-cni.isSemver" -}} {{- regexMatch `^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$` . -}} {{- end -}} -{{- define "airlock-microgateway.docsVersion" -}} -{{- if and (eq "true" (include "airlock-microgateway.isSemver" .Chart.AppVersion)) (not (contains "-" .Chart.AppVersion)) -}} +{{- define "airlock-microgateway-cni.docsVersion" -}} +{{- if and (eq "true" (include "airlock-microgateway-cni.isSemver" .Chart.AppVersion)) (not (contains "-" .Chart.AppVersion)) -}} {{- $version := (semver .Chart.AppVersion) -}} {{- $version.Major }}.{{ $version.Minor -}} {{- else -}} {{- print "latest" -}} {{- end -}} {{- end -}} - -{{- define "airlock-microgateway.watchNamespaceSelector.labelQuery" -}} -{{- $list := list -}} -{{- with .matchLabels -}} - {{- range $key, $value := . -}} - {{- $list = append $list (printf "%s=%s" $key $value) -}} - {{- end -}} -{{- end -}} -{{- with .matchExpressions -}} - {{- range . -}} - {{- if has .operator (list "In" "NotIn") -}} - {{- $list = append $list (printf "%s %s (%s)" .key (lower .operator) (join "," .values)) -}} - {{- else if eq .operator "Exists" -}} - {{- $list = append $list .key -}} - {{- else if eq .operator "DoesNotExist" -}} - {{- $list = append $list (printf "!%s" .key) -}} - {{- end -}} - {{- end -}} -{{- end -}} -{{- join "," $list -}} -{{- end -}} \ No newline at end of file diff --git a/charts/airlock/microgateway/4.3.0/templates/clusterrole.yaml b/charts/airlock/microgateway/4.3.0/templates/clusterrole.yaml new file mode 100644 index 000000000..ef88ac783 --- /dev/null +++ b/charts/airlock/microgateway/4.3.0/templates/clusterrole.yaml @@ -0,0 +1,22 @@ +{{- if .Values.rbac.create -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "airlock-microgateway-cni.fullname" . }} + labels: + {{- include "airlock-microgateway-cni.labels" . | nindent 4 }} + {{- with .Values.commonAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +rules: + - apiGroups: + - "" + resources: + - pods + verbs: + - get + - list + - watch + - patch +{{- end -}} diff --git a/charts/airlock/microgateway/4.3.0/templates/clusterrolebinding.yaml b/charts/airlock/microgateway/4.3.0/templates/clusterrolebinding.yaml new file mode 100644 index 000000000..04f87cb0f --- /dev/null +++ b/charts/airlock/microgateway/4.3.0/templates/clusterrolebinding.yaml @@ -0,0 +1,20 @@ +{{- if .Values.rbac.create -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "airlock-microgateway-cni.fullname" . }} + labels: + {{- include "airlock-microgateway-cni.labels" . | nindent 4 }} + {{- with .Values.commonAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "airlock-microgateway-cni.fullname" . }} +subjects: + - kind: ServiceAccount + name: {{ include "airlock-microgateway-cni.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +{{- end -}} diff --git a/charts/airlock/microgateway/4.3.0/templates/configmap.yaml b/charts/airlock/microgateway/4.3.0/templates/configmap.yaml new file mode 100644 index 000000000..b880116ef --- /dev/null +++ b/charts/airlock/microgateway/4.3.0/templates/configmap.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "airlock-microgateway-cni.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "airlock-microgateway-cni.labels" . | nindent 4 }} + {{- with .Values.commonAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +data: + plugin-conf.json: |- + { + "type": "{{ include "airlock-microgateway-cni.fullname" . }}", + "debug": {{ eq .Values.config.logLevel "debug" }}, + "logFilePath": "/var/log/{{ include "airlock-microgateway-cni.fullname" . }}.log", + "kubernetes": { + "kubeconfig": "{{ .Values.config.cniNetDir }}/{{ include "airlock-microgateway-cni.fullname" . }}-kubeconfig", + "excludeNamespaces": {{ toJson .Values.config.excludeNamespaces }} + } + } diff --git a/charts/airlock/microgateway/4.3.0/templates/daemonset.yaml b/charts/airlock/microgateway/4.3.0/templates/daemonset.yaml new file mode 100644 index 000000000..4ba9f2669 --- /dev/null +++ b/charts/airlock/microgateway/4.3.0/templates/daemonset.yaml @@ -0,0 +1,136 @@ +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: {{ include "airlock-microgateway-cni.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "airlock-microgateway-cni.labels" . | nindent 4 }} + {{- with .Values.commonAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + selector: + matchLabels: + {{- include "airlock-microgateway-cni.selectorLabels" . | nindent 6 }} + template: + metadata: + annotations: + checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + kubectl.kubernetes.io/default-container: cni-installer + {{- with mustMerge .Values.podAnnotations .Values.commonAnnotations}} + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "airlock-microgateway-cni.labels" . | nindent 8 }} + {{- with .Values.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + containers: + - args: + - --log-level + - "{{ .Values.config.logLevel }}" + env: + - name: CNI_NETWORK_CONFIG + valueFrom: + configMapKeyRef: + key: plugin-conf.json + name: {{ include "airlock-microgateway-cni.fullname" . }} + - name: CNI_BIN_DIR + value: /host/opt/cni/bin + - name: CNI_NET_DIR + value: /host/etc/cni/net.d + - name: KUBECONFIG_FILE_NAME + value: "{{ include "airlock-microgateway-cni.fullname" . }}-kubeconfig" + - name: INSTALL_MODE + value: {{ .Values.config.installMode }} + - name: KUBERNETES_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + image: {{ include "airlock-microgateway-cni.image" .Values.image }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + name: cni-installer + {{- with .Values.resources }} + resources: + {{- toYaml . | nindent 12 }} + {{- end }} + startupProbe: + exec: + command: + - /cni-installer + - probe + failureThreshold: 5 + initialDelaySeconds: 3 + periodSeconds: 3 + timeoutSeconds: 3 + readinessProbe: + exec: + command: + - /cni-installer + - probe + failureThreshold: 1 + periodSeconds: 60 + timeoutSeconds: 3 + securityContext: + allowPrivilegeEscalation: {{ .Values.privileged }} + capabilities: + drop: + - ALL + privileged: {{ .Values.privileged }} + readOnlyRootFilesystem: true + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 + seccompProfile: + type: RuntimeDefault + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /host/opt/cni/bin + name: cni-bin-dir + - mountPath: /host/etc/cni/net.d + name: cni-net-dir + - mountPath: /run/cni-installer + name: cni-installer-status + hostNetwork: true + priorityClassName: system-node-critical + restartPolicy: Always + securityContext: + fsGroup: 0 + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 + serviceAccountName: {{ include "airlock-microgateway-cni.serviceAccountName" . }} + terminationGracePeriodSeconds: 5 + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + tolerations: + - effect: NoSchedule + operator: Exists + - key: CriticalAddonsOnly + operator: Exists + - effect: NoExecute + operator: Exists + volumes: + - hostPath: + path: "{{ .Values.config.cniBinDir }}" + type: Directory + name: cni-bin-dir + - hostPath: + path: "{{ .Values.config.cniNetDir }}" + type: Directory + name: cni-net-dir + - emptyDir: {} + name: cni-installer-status diff --git a/charts/airlock/microgateway/4.3.0/templates/network-attachment-definition.yaml b/charts/airlock/microgateway/4.3.0/templates/network-attachment-definition.yaml new file mode 100644 index 000000000..5d657e309 --- /dev/null +++ b/charts/airlock/microgateway/4.3.0/templates/network-attachment-definition.yaml @@ -0,0 +1,13 @@ +{{- if .Values.multusNetworkAttachmentDefinition.create -}} +apiVersion: "k8s.cni.cncf.io/v1" +kind: NetworkAttachmentDefinition +metadata: + name: {{ include "airlock-microgateway-cni.fullname" . }} + namespace: {{ .Values.multusNetworkAttachmentDefinition.namespace }} + labels: + {{- include "airlock-microgateway-cni.labels" . | nindent 4 }} + {{- with .Values.commonAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end -}} diff --git a/charts/airlock/microgateway/4.3.0/templates/operator/_operator_helpers.tpl b/charts/airlock/microgateway/4.3.0/templates/operator/_operator_helpers.tpl deleted file mode 100644 index a540ff9f4..000000000 --- a/charts/airlock/microgateway/4.3.0/templates/operator/_operator_helpers.tpl +++ /dev/null @@ -1,42 +0,0 @@ -{{/* -Create a default fully qualified name for operator components. -*/}} -{{- define "airlock-microgateway.operator.fullname" -}} -{{ include "airlock-microgateway.fullname" . }}-operator -{{- end }} - - -{{/* -Common operator labels -*/}} -{{- define "airlock-microgateway.operator.labels" -}} -{{ include "airlock-microgateway.sharedLabels" . }} -{{ include "airlock-microgateway.operator.selectorLabels" . }} -{{- end }} - -{{/* -Operator Selector labels -*/}} -{{- define "airlock-microgateway.operator.selectorLabels" -}} -{{ include "airlock-microgateway.sharedSelectorLabels" . }} -app.kubernetes.io/name: {{ include "airlock-microgateway.name" . }}-operator -app.kubernetes.io/component: controller -{{- end }} - -{{/* -Create the name of the service account to use for the operator -*/}} -{{- define "airlock-microgateway.operator.serviceAccountName" -}} -{{- if .Values.operator.serviceAccount.create }} -{{- default (include "airlock-microgateway.operator.fullname" .) .Values.operator.serviceAccount.name }} -{{- else }} -{{- default "default" .Values.operator.serviceAccount.name }} -{{- end }} -{{- end }} - -{{/* -ServiceMonitor metrics regex pattern for leader only metrics -*/}} -{{- define "airlock-microgateway.operator.metricsLeaderOnlyRegexPattern" -}} -^(microgateway_license|microgateway_sidecars).*$ -{{- end }} diff --git a/charts/airlock/microgateway/4.3.0/templates/operator/_rbac.gen.tpl b/charts/airlock/microgateway/4.3.0/templates/operator/_rbac.gen.tpl deleted file mode 100644 index 83b314cbc..000000000 --- a/charts/airlock/microgateway/4.3.0/templates/operator/_rbac.gen.tpl +++ /dev/null @@ -1,237 +0,0 @@ -{{/* AUTOGENERATED FILE DO NOT EDIT */}} - -{{/* -Operator rbac permission rules -*/}} -{{- define "airlock-microgateway-operator.rbacRules" -}} -- apiGroups: - - "" - resources: - - configmaps - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - events - verbs: - - create - - patch -- apiGroups: - - "" - resources: - - namespaces - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - pods - verbs: - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - "" - resources: - - pods/finalizers - verbs: - - update -- apiGroups: - - "" - resources: - - pods/status - verbs: - - patch - - update -- apiGroups: - - "" - resources: - - secrets - verbs: - - create - - delete - - get - - list - - update - - watch -- apiGroups: - - microgateway.airlock.com - resources: - - accesscontrols - verbs: - - get - - list - - watch -- apiGroups: - - microgateway.airlock.com - resources: - - contentsecurities - verbs: - - get - - list - - watch -- apiGroups: - - microgateway.airlock.com - resources: - - denyrules - verbs: - - get - - list - - watch -- apiGroups: - - microgateway.airlock.com - resources: - - envoyclusters - verbs: - - get - - list - - watch -- apiGroups: - - microgateway.airlock.com - resources: - - envoyconfigurations - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - microgateway.airlock.com - resources: - - envoyconfigurations/status - verbs: - - get - - patch - - update -- apiGroups: - - microgateway.airlock.com - resources: - - envoyhttpfilters - verbs: - - get - - list - - watch -- apiGroups: - - microgateway.airlock.com - resources: - - graphqls - verbs: - - get - - list - - watch -- apiGroups: - - microgateway.airlock.com - resources: - - headerrewrites - verbs: - - get - - list - - watch -- apiGroups: - - microgateway.airlock.com - resources: - - identitypropagations - verbs: - - get - - list - - watch -- apiGroups: - - microgateway.airlock.com - resources: - - limits - verbs: - - get - - list - - watch -- apiGroups: - - microgateway.airlock.com - resources: - - oidcproviders - verbs: - - get - - list - - watch -- apiGroups: - - microgateway.airlock.com - resources: - - oidcrelyingparties - verbs: - - get - - list - - watch -- apiGroups: - - microgateway.airlock.com - resources: - - openapis - verbs: - - get - - list - - watch -- apiGroups: - - microgateway.airlock.com - resources: - - parsers - verbs: - - get - - list - - watch -- apiGroups: - - microgateway.airlock.com - resources: - - redisproviders - verbs: - - get - - list - - watch -- apiGroups: - - microgateway.airlock.com - resources: - - sessionhandlings - verbs: - - get - - list - - watch -- apiGroups: - - microgateway.airlock.com - resources: - - sidecargateways - verbs: - - get - - list - - patch - - update - - watch -- apiGroups: - - microgateway.airlock.com - resources: - - sidecargateways/finalizers - verbs: - - update -- apiGroups: - - microgateway.airlock.com - resources: - - sidecargateways/status - verbs: - - get - - patch - - update -- apiGroups: - - microgateway.airlock.com - resources: - - telemetries - verbs: - - get - - list - - watch -{{- end }} diff --git a/charts/airlock/microgateway/4.3.0/templates/operator/_webhooks.gen.tpl b/charts/airlock/microgateway/4.3.0/templates/operator/_webhooks.gen.tpl deleted file mode 100644 index 02e304890..000000000 --- a/charts/airlock/microgateway/4.3.0/templates/operator/_webhooks.gen.tpl +++ /dev/null @@ -1,339 +0,0 @@ -{{/* AUTOGENERATED FILE DO NOT EDIT */}} - -{{/* -Operator mutating webhooks -*/}} -{{- define "airlock-microgateway-operator.mutatingWebhooks" -}} -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: airlock-microgateway-operator-webhook - namespace: '{{ .Release.Namespace }}' - path: /mutate-v1-pod - failurePolicy: Fail - name: mutate-pod.microgateway.airlock.com - reinvocationPolicy: IfNeeded - rules: - - apiGroups: - - "" - apiVersions: - - v1 - operations: - - CREATE - resources: - - pods - sideEffects: None - objectSelector: - matchLabels: - sidecar.microgateway.airlock.com/inject: "true" -{{- end }} - -{{/* -Operator validating webhooks -*/}} -{{- define "airlock-microgateway-operator.validatingWebhooks" -}} -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: airlock-microgateway-operator-webhook - namespace: '{{ .Release.Namespace }}' - path: /validate-v1-pod - failurePolicy: Fail - name: validate-pod.microgateway.airlock.com - rules: - - apiGroups: - - "" - apiVersions: - - v1 - operations: - - CREATE - - UPDATE - resources: - - pods - sideEffects: None - objectSelector: - matchLabels: - sidecar.microgateway.airlock.com/inject: "true" -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: airlock-microgateway-operator-webhook - namespace: '{{ .Release.Namespace }}' - path: /validate-microgateway-airlock-com-v1alpha1-accesscontrol - failurePolicy: Fail - name: validate-accesscontrol.microgateway.airlock.com - rules: - - apiGroups: - - microgateway.airlock.com - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - accesscontrols - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: airlock-microgateway-operator-webhook - namespace: '{{ .Release.Namespace }}' - path: /validate-microgateway-airlock-com-v1alpha1-denyrules - failurePolicy: Fail - name: validate-denyrules.microgateway.airlock.com - rules: - - apiGroups: - - microgateway.airlock.com - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - denyrules - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: airlock-microgateway-operator-webhook - namespace: '{{ .Release.Namespace }}' - path: /validate-microgateway-airlock-com-v1alpha1-envoycluster - failurePolicy: Fail - name: validate-envoycluster.microgateway.airlock.com - rules: - - apiGroups: - - microgateway.airlock.com - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - envoyclusters - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: airlock-microgateway-operator-webhook - namespace: '{{ .Release.Namespace }}' - path: /validate-microgateway-airlock-com-v1alpha1-envoyhttpfilter - failurePolicy: Fail - name: validate-envoyhttpfilter.microgateway.airlock.com - rules: - - apiGroups: - - microgateway.airlock.com - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - envoyhttpfilters - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: airlock-microgateway-operator-webhook - namespace: '{{ .Release.Namespace }}' - path: /validate-microgateway-airlock-com-v1alpha1-graphql - failurePolicy: Fail - name: validate-graphql.microgateway.airlock.com - rules: - - apiGroups: - - microgateway.airlock.com - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - graphqls - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: airlock-microgateway-operator-webhook - namespace: '{{ .Release.Namespace }}' - path: /validate-microgateway-airlock-com-v1alpha1-headerrewrites - failurePolicy: Fail - name: validate-headerrewrites.microgateway.airlock.com - rules: - - apiGroups: - - microgateway.airlock.com - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - headerrewrites - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: airlock-microgateway-operator-webhook - namespace: '{{ .Release.Namespace }}' - path: /validate-microgateway-airlock-com-v1alpha1-identitypropagation - failurePolicy: Fail - name: validate-identitypropagation.microgateway.airlock.com - rules: - - apiGroups: - - microgateway.airlock.com - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - identitypropagations - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: airlock-microgateway-operator-webhook - namespace: '{{ .Release.Namespace }}' - path: /validate-microgateway-airlock-com-v1alpha1-limits - failurePolicy: Fail - name: validate-limits.microgateway.airlock.com - rules: - - apiGroups: - - microgateway.airlock.com - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - limits - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: airlock-microgateway-operator-webhook - namespace: '{{ .Release.Namespace }}' - path: /validate-microgateway-airlock-com-v1alpha1-oidcprovider - failurePolicy: Fail - name: validate-oidcprovider.microgateway.airlock.com - rules: - - apiGroups: - - microgateway.airlock.com - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - oidcproviders - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: airlock-microgateway-operator-webhook - namespace: '{{ .Release.Namespace }}' - path: /validate-microgateway-airlock-com-v1alpha1-oidcrelyingparty - failurePolicy: Fail - name: validate-oidcrelyingparty.microgateway.airlock.com - rules: - - apiGroups: - - microgateway.airlock.com - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - oidcrelyingparties - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: airlock-microgateway-operator-webhook - namespace: '{{ .Release.Namespace }}' - path: /validate-microgateway-airlock-com-v1alpha1-openapi - failurePolicy: Fail - name: validate-openapi.microgateway.airlock.com - rules: - - apiGroups: - - microgateway.airlock.com - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - openapis - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: airlock-microgateway-operator-webhook - namespace: '{{ .Release.Namespace }}' - path: /validate-microgateway-airlock-com-v1alpha1-parser - failurePolicy: Fail - name: validate-parser.microgateway.airlock.com - rules: - - apiGroups: - - microgateway.airlock.com - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - parsers - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: airlock-microgateway-operator-webhook - namespace: '{{ .Release.Namespace }}' - path: /validate-microgateway-airlock-com-v1alpha1-redisprovider - failurePolicy: Fail - name: validate-redisprovider.microgateway.airlock.com - rules: - - apiGroups: - - microgateway.airlock.com - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - redisproviders - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: airlock-microgateway-operator-webhook - namespace: '{{ .Release.Namespace }}' - path: /validate-microgateway-airlock-com-v1alpha1-sidecargateway - failurePolicy: Fail - name: validate-sidecargateway.microgateway.airlock.com - rules: - - apiGroups: - - microgateway.airlock.com - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - sidecargateways - sideEffects: None -{{- end }} diff --git a/charts/airlock/microgateway/4.3.0/templates/operator/configmap.yaml b/charts/airlock/microgateway/4.3.0/templates/operator/configmap.yaml deleted file mode 100644 index e86208023..000000000 --- a/charts/airlock/microgateway/4.3.0/templates/operator/configmap.yaml +++ /dev/null @@ -1,394 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "airlock-microgateway.operator.fullname" . }}-config - namespace: {{ .Release.Namespace }} - labels: - {{- include "airlock-microgateway.operator.labels" . | nindent 4 }} - {{- with .Values.commonAnnotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -data: - engine_bootstrap_config_template.yaml: | - # Base configuration, admin interface on port 19000 - admin: - address: - socket_address: - address: 127.0.0.1 - port_value: 19000 - dynamic_resources: - cds_config: - initial_fetch_timeout: 10s - resource_api_version: V3 - api_config_source: - api_type: GRPC - transport_api_version: V3 - grpc_services: - - envoy_grpc: - cluster_name: xds_cluster - set_node_on_first_message_only: true - # Prevent Envoy Node from overloading the xDS server due to rejected configuration when using xDS SotW gRPC - rate_limit_settings: - max_tokens: 5 - fill_rate: 0.2 - lds_config: - resource_api_version: V3 - initial_fetch_timeout: 10s - api_config_source: - api_type: GRPC - transport_api_version: V3 - grpc_services: - - envoy_grpc: - cluster_name: xds_cluster - set_node_on_first_message_only: true - # Prevent Envoy Node from overloading the xDS server due to rejected configuration when using xDS SotW gRPC - rate_limit_settings: - max_tokens: 5 - fill_rate: 0.2 - static_resources: - listeners: - - name: probe - address: - socket_address: - address: 0.0.0.0 - port_value: 19001 - filter_chains: - - filters: - - name: http_connection_manager - typed_config: - '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager - stat_prefix: probe - codec_type: AUTO - http2_protocol_options: - initial_connection_window_size: 1048576 - initial_stream_window_size: 65536 - max_concurrent_streams: 100 - route_config: - name: probe - virtual_hosts: - - name: probe - domains: - - '*' - routes: - - name: ready - match: - path: /ready - headers: - - name: ':method' - string_match: - exact: 'GET' - route: - cluster: airlock_microgateway_engine_admin - http_filters: - - name: envoy.filters.http.router - typed_config: - '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router - - name: metrics - address: - socket_address: - address: 0.0.0.0 - port_value: 19002 - filter_chains: - - filters: - - name: http_connection_manager - typed_config: - '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager - stat_prefix: metrics - codec_type: AUTO - http2_protocol_options: - initial_connection_window_size: 1048576 - initial_stream_window_size: 65536 - max_concurrent_streams: 100 - route_config: - name: metrics - virtual_hosts: - - name: metrics - domains: - - '*' - routes: - - name: metrics - match: - path: /metrics - headers: - - name: ':method' - string_match: - exact: 'GET' - route: - prefix_rewrite: '/stats/prometheus' - cluster: airlock_microgateway_engine_admin - http_filters: - - name: envoy.filters.http.router - typed_config: - '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router - clusters: - - name: xds_cluster - connect_timeout: 1s - type: STRICT_DNS - load_assignment: - cluster_name: xds_cluster - endpoints: - - lb_endpoints: - - endpoint: - address: - socket_address: - address: airlock-microgateway-operator-xds.$(OPERATOR_NAMESPACE).svc.cluster.local - port_value: 13377 - typed_extension_protocol_options: - envoy.extensions.upstreams.http.v3.HttpProtocolOptions: - '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions - explicit_http_config: - http2_protocol_options: - connection_keepalive: - interval: 360s - timeout: 5s - transport_socket: - name: envoy.transport_sockets.tls - typed_config: - '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext - common_tls_context: - tls_params: - tls_minimum_protocol_version: TLSv1_3 - tls_maximum_protocol_version: TLSv1_3 - validation_context_sds_secret_config: - name: validation_context_sds - sds_config: - resource_api_version: V3 - path_config_source: - path: /etc/envoy/validation_context_sds_secret.yaml - watched_directory: - path: /etc/envoy/ - tls_certificate_sds_secret_configs: - - name: tls_certificate_sds - sds_config: - resource_api_version: V3 - path_config_source: - path: /etc/envoy/tls_certificate_sds_secret.yaml - watched_directory: - path: /etc/envoy/ - - name: airlock_microgateway_engine_admin - connect_timeout: 1s - type: STATIC - load_assignment: - cluster_name: airlock_microgateway_engine_admin - endpoints: - - lb_endpoints: - - endpoint: - address: - socket_address: - address: 127.0.0.1 - port_value: 19000 - typed_extension_protocol_options: - envoy.extensions.upstreams.http.v3.HttpProtocolOptions: - '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions - explicit_http_config: - http2_protocol_options: - connection_keepalive: - interval: 360s - timeout: 5s - stats_config: - stats_tags: - - tag_name: "block_type" - regex: "\\.(block_type\\.([^.]+))" - - tag_name: "attack_type" - regex: "\\.(attack_type\\.([^.]+))" - - tag_name: "envoy_cluster_name" - regex: "\\.(cluster\\.([^.]+))" - - tag_name: "version" - regex: "\\.(version\\.([^.]+))" - use_all_default_tags: true - overload_manager: - resource_monitors: - - name: "envoy.resource_monitors.global_downstream_max_connections" - typed_config: - "@type": type.googleapis.com/envoy.extensions.resource_monitors.downstream_connections.v3.DownstreamConnectionsConfig - max_active_downstream_connections: 50000 - bootstrap_extensions: - - name: airlock.bootstrap.engine_build_info - typed_config: - '@type': type.googleapis.com/airlock.extensions.bootstrap.stats.v1alpha.Stats - application_log_config: - log_format: - text_format: '{"@timestamp":"%Y-%m-%dT%T.%e%z","log":{"logger":"%n","level":"%l","origin":{"file":{"name":"%g","line":%#},"function":"%!"}},"event":{"module":"envoy","dataset":"envoy.application"},"process":{"pid":%P,"thread":{"id":%t}},"ecs":{"version":"8.5"},"message":"%j"}' - engine_container_template.yaml: | - name: "$(ENGINE_NAME)" - image: "$(ENGINE_IMAGE)" - imagePullPolicy: {{ .Values.engine.image.pullPolicy }} - args: - - "--config-path" - - "/etc/envoy/bootstrap_config.yaml" - - "--base-id" - - "$(BASE_ID)" - - "--file-flush-interval-msec" - - '1000' - - "--drain-time-s" - - '60' - - "--service-node" - - "$(POD_NAME).$(POD_NAMESPACE)" - - "--service-cluster" - - "$(APP_NAME).$(POD_NAMESPACE)" - - "--log-path" - - "/dev/stdout" - - "--log-level" - - "$(LOG_LEVEL)" - volumeMounts: - - name: airlock-microgateway-bootstrap-secret-volume - mountPath: /etc/envoy - readOnly: true - env: - - name: POD_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: POD_IP - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: status.podIP - ports: - - containerPort: 13378 - protocol: TCP - - containerPort: 19001 - protocol: TCP - - containerPort: 19002 - protocol: TCP - livenessProbe: - httpGet: - path: /ready - port: 19001 - scheme: HTTP - initialDelaySeconds: 5 - periodSeconds: 5 - failureThreshold: 5 - successThreshold: 1 - timeoutSeconds: 1 - readinessProbe: - httpGet: - path: /ready - port: 19001 - scheme: HTTP - initialDelaySeconds: 5 - periodSeconds: 5 - failureThreshold: 3 - successThreshold: 1 - timeoutSeconds: 1 - securityContext: - {{- include "airlock-microgateway.restrictedSecurityContext" . | nindent 6 }} - runAsUser: $(SECURITYCONTEXT_UID) - {{- with .Values.engine.resources }} - resources: - {{- toYaml . | nindent 6 }} - {{- end }} - session_agent_container_template.yaml: | - name: "$(SESSION_AGENT_NAME)" - image: "$(SESSION_AGENT_IMAGE)" - imagePullPolicy: {{ .Values.sessionAgent.image.pullPolicy }} - args: - - "--port" - - "19004" - - "--config-path" - - "/etc/microgateway-session-agent/config.json" - volumeMounts: - - name: airlock-microgateway-session-agent-volume - mountPath: /etc/microgateway-session-agent - readOnly: true - env: - - name: POD_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - ports: - - containerPort: 19004 - livenessProbe: - {{- if (semverCompare ">=1.27 || >=1.27.1-0" .Capabilities.KubeVersion.Version)}} - grpc: - port: 19004 - {{- else }} - tcpSocket: - port: 19004 - {{- end }} - initialDelaySeconds: 5 - periodSeconds: 5 - failureThreshold: 5 - successThreshold: 1 - timeoutSeconds: 5 - readinessProbe: - {{- if (semverCompare ">=1.27 || >=1.27.1-0" .Capabilities.KubeVersion.Version)}} - grpc: - port: 19004 - {{- else }} - tcpSocket: - port: 19004 - {{- end }} - initialDelaySeconds: 5 - periodSeconds: 5 - failureThreshold: 3 - successThreshold: 1 - timeoutSeconds: 5 - securityContext: - {{- include "airlock-microgateway.restrictedSecurityContext" . | nindent 6 }} - runAsUser: $(SECURITYCONTEXT_UID) - {{- with .Values.sessionAgent.resources }} - resources: - {{- toYaml . | nindent 6 }} - {{- end }} - network_validator_container_template.yaml: | - name: "$(NETWORK_VALIDATOR_NAME)" - image: "$(NETWORK_VALIDATOR_IMAGE)" - imagePullPolicy: {{ .Values.networkValidator.image.pullPolicy }} - command: ["/bin/sh", "-c"] - args: - - |- - echo 'pong' | nc -v -l 127.0.0.1 -p 13378 & - for i in 1 2 3; do - sleep 1s - if r=$(echo 'ping' | nc 127.0.0.1 19003) && [ $r == pong ]; then - echo -n 'Traffic redirection to Airlock Microgateway Engine is working.' > /dev/termination-log - exit 0 - fi - done - echo -en 'Traffic redirection to Airlock Microgateway Engine is not working.\nRestart the pod after ensuring that hostNetwork is disabled and a compatible Airlock Microgateway CNI version is installed on the node.\nCertain environments may also require additional configuration (see docs.airlock.com for more information).' > /dev/termination-log - exit 1 - securityContext: - {{- include "airlock-microgateway.restrictedSecurityContext" . | nindent 6 }} - runAsUser: $(SECURITYCONTEXT_UID) - operator_config.yaml: | - apiVersion: config.airlock.com/v1alpha1 - kind: OperatorConfig - health: - healthProbeBindAddress: :8081 - metrics: - bindAddress: 0.0.0.0:8080 - webhook: - port: 9443 - deployment: - sidecar: - engineContainerTemplate: "/sidecar/engine_container_template.yaml" - networkValidatorContainerTemplate: "/sidecar/network_validator_container_template.yaml" - sessionAgentContainerTemplate: "/sidecar/session_agent_container_template.yaml" - engine: - bootstrapConfigTemplate: "/engine_bootstrap_config_template.yaml" - log: - level: {{ .Values.operator.config.logLevel }} - {{- with $.Values.operator.watchNamespaceSelector }} - namespaces: - selector: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with $.Values.operator.watchNamespaces }} - namespaces: - list: - {{- toYaml . | nindent 8 }} - {{- end }} diff --git a/charts/airlock/microgateway/4.3.0/templates/operator/metrics-service.yaml b/charts/airlock/microgateway/4.3.0/templates/operator/metrics-service.yaml deleted file mode 100644 index 34d23f6d6..000000000 --- a/charts/airlock/microgateway/4.3.0/templates/operator/metrics-service.yaml +++ /dev/null @@ -1,47 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: airlock-microgateway-operator-metrics - namespace: {{ .Release.Namespace }} - labels: - {{- include "airlock-microgateway.operator.labels" . | nindent 4 }} - {{- with .Values.operator.serviceLabels }} - {{- toYaml . | nindent 4 }} - {{- end }} - {{- with mustMerge .Values.operator.serviceAnnotations .Values.commonAnnotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -spec: - ports: - - appProtocol: http - name: metrics - port: 8080 - protocol: TCP - selector: - {{- include "airlock-microgateway.operator.selectorLabels" . | nindent 4 }} ---- -apiVersion: v1 -kind: Service -metadata: - name: airlock-microgateway-operator-leader-metrics - namespace: {{ .Release.Namespace }} - labels: - {{- include "airlock-microgateway.operator.labels" . | nindent 4 }} - {{- with .Values.operator.serviceLabels }} - {{- toYaml . | nindent 4 }} - {{- end }} - operator.microgateway.airlock.com/isLeader: "true" - {{- with mustMerge .Values.operator.serviceAnnotations .Values.commonAnnotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -spec: - ports: - - appProtocol: http - name: metrics - port: 8080 - protocol: TCP - selector: - {{- include "airlock-microgateway.operator.selectorLabels" . | nindent 4 }} - operator.microgateway.airlock.com/isLeader: "true" \ No newline at end of file diff --git a/charts/airlock/microgateway/4.3.0/templates/operator/role.yaml b/charts/airlock/microgateway/4.3.0/templates/operator/role.yaml deleted file mode 100644 index 5378be8ef..000000000 --- a/charts/airlock/microgateway/4.3.0/templates/operator/role.yaml +++ /dev/null @@ -1,45 +0,0 @@ -{{- if .Values.operator.rbac.create -}} -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: {{ include "airlock-microgateway.operator.fullname" . }}-leader-election - namespace: {{ .Release.Namespace }} - labels: - {{- include "airlock-microgateway.operator.labels" . | nindent 4 }} - {{- with .Values.commonAnnotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -rules: - - apiGroups: - - "" - resources: - - configmaps - verbs: - - get - - list - - watch - - create - - update - - patch - - delete - - apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - get - - list - - watch - - create - - update - - patch - - delete - - apiGroups: - - "" - resources: - - events - verbs: - - create - - patch -{{- end -}} \ No newline at end of file diff --git a/charts/airlock/microgateway/4.3.0/templates/operator/rolebinding.yaml b/charts/airlock/microgateway/4.3.0/templates/operator/rolebinding.yaml deleted file mode 100644 index bafec1015..000000000 --- a/charts/airlock/microgateway/4.3.0/templates/operator/rolebinding.yaml +++ /dev/null @@ -1,20 +0,0 @@ -{{- if .Values.operator.rbac.create -}} -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: {{ include "airlock-microgateway.operator.fullname" . }}-leader-election - namespace: {{ .Release.Namespace }} - labels: - {{- include "airlock-microgateway.operator.labels" . | nindent 4 }} - {{- with .Values.commonAnnotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: {{ include "airlock-microgateway.operator.fullname" . }}-leader-election -subjects: - - kind: ServiceAccount - name: {{ include "airlock-microgateway.operator.serviceAccountName" . }} -{{- end -}} diff --git a/charts/airlock/microgateway/4.3.0/templates/operator/selfsigned-issuer.yaml b/charts/airlock/microgateway/4.3.0/templates/operator/selfsigned-issuer.yaml deleted file mode 100644 index 466c56338..000000000 --- a/charts/airlock/microgateway/4.3.0/templates/operator/selfsigned-issuer.yaml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: cert-manager.io/v1 -kind: Issuer -metadata: - name: {{ include "airlock-microgateway.operator.fullname" . }}-selfsigned-issuer - namespace: {{ .Release.Namespace }} - labels: - {{- include "airlock-microgateway.operator.labels" . | nindent 4 }} - {{- with .Values.commonAnnotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -spec: - selfSigned: {} diff --git a/charts/airlock/microgateway/4.3.0/templates/operator/serviceaccount.yaml b/charts/airlock/microgateway/4.3.0/templates/operator/serviceaccount.yaml deleted file mode 100644 index 434d7e9d3..000000000 --- a/charts/airlock/microgateway/4.3.0/templates/operator/serviceaccount.yaml +++ /dev/null @@ -1,13 +0,0 @@ -{{- if .Values.operator.serviceAccount.create -}} -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ include "airlock-microgateway.operator.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} - labels: - {{- include "airlock-microgateway.operator.labels" . | nindent 4 }} - {{- with mustMerge .Values.operator.serviceAccount.annotations .Values.commonAnnotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -{{- end -}} diff --git a/charts/airlock/microgateway/4.3.0/templates/operator/servicemonitor.yaml b/charts/airlock/microgateway/4.3.0/templates/operator/servicemonitor.yaml deleted file mode 100644 index ff85a9a31..000000000 --- a/charts/airlock/microgateway/4.3.0/templates/operator/servicemonitor.yaml +++ /dev/null @@ -1,60 +0,0 @@ -{{- if .Values.operator.serviceMonitor.create }} -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: {{ include "airlock-microgateway.operator.fullname" . }} - namespace: {{ .Release.Namespace }} - labels: - {{- include "airlock-microgateway.operator.labels" . | nindent 4 }} - {{- with .Values.operator.serviceMonitor.labels }} - {{- toYaml . | nindent 4 }} - {{- end }} - {{- with .Values.commonAnnotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -spec: - selector: - matchLabels: - {{- include "airlock-microgateway.operator.selectorLabels" . | nindent 6 }} - matchExpressions: - - { key: "operator.microgateway.airlock.com/isLeader", operator: DoesNotExist } - endpoints: - - path: /metrics - port: metrics - scheme: http - metricRelabelings: - - sourceLabels: - - __name__ - regex: {{ include "airlock-microgateway.operator.metricsLeaderOnlyRegexPattern" . }} - action: drop ---- -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: {{ include "airlock-microgateway.operator.fullname" . }}-leader - namespace: {{ .Release.Namespace }} - labels: - {{- include "airlock-microgateway.operator.labels" . | nindent 4 }} - {{- with .Values.operator.serviceMonitor.labels }} - {{- toYaml . | nindent 4 }} - {{- end }} - {{- with .Values.commonAnnotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -spec: - selector: - matchLabels: - {{- include "airlock-microgateway.operator.selectorLabels" . | nindent 6 }} - operator.microgateway.airlock.com/isLeader: "true" - endpoints: - - path: /metrics - port: metrics - scheme: http - metricRelabelings: - - sourceLabels: - - __name__ - regex: {{ include "airlock-microgateway.operator.metricsLeaderOnlyRegexPattern" . }} - action: keep -{{- end -}} \ No newline at end of file diff --git a/charts/airlock/microgateway/4.3.0/templates/operator/serving-certificate.yaml b/charts/airlock/microgateway/4.3.0/templates/operator/serving-certificate.yaml deleted file mode 100644 index 60b92e1e2..000000000 --- a/charts/airlock/microgateway/4.3.0/templates/operator/serving-certificate.yaml +++ /dev/null @@ -1,19 +0,0 @@ -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: {{ include "airlock-microgateway.operator.fullname" . }}-serving-cert - namespace: {{ .Release.Namespace }} - labels: - {{- include "airlock-microgateway.operator.labels" . | nindent 4 }} - {{- with .Values.commonAnnotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -spec: - dnsNames: - - airlock-microgateway-operator-webhook.{{ .Release.Namespace }}.svc - - airlock-microgateway-operator-webhook.{{ .Release.Namespace }}.svc.cluster.local - issuerRef: - kind: Issuer - name: {{ include "airlock-microgateway.operator.fullname" . }}-selfsigned-issuer - secretName: {{ include "airlock-microgateway.operator.fullname" . }}-webhook-server-cert diff --git a/charts/airlock/microgateway/4.3.0/templates/operator/webhook-service.yaml b/charts/airlock/microgateway/4.3.0/templates/operator/webhook-service.yaml deleted file mode 100644 index 477ea839f..000000000 --- a/charts/airlock/microgateway/4.3.0/templates/operator/webhook-service.yaml +++ /dev/null @@ -1,23 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: airlock-microgateway-operator-webhook - namespace: {{ .Release.Namespace }} - labels: - {{- include "airlock-microgateway.operator.labels" . | nindent 4 }} - {{- with .Values.operator.serviceLabels }} - {{- toYaml . | nindent 4 }} - {{- end }} - {{- with mustMerge .Values.operator.serviceAnnotations .Values.commonAnnotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -spec: - ports: - - appProtocol: https - name: webhook - port: 443 - protocol: TCP - targetPort: 9443 - selector: - {{- include "airlock-microgateway.operator.selectorLabels" . | nindent 4 }} \ No newline at end of file diff --git a/charts/airlock/microgateway/4.3.0/templates/operator/xds-service.yaml b/charts/airlock/microgateway/4.3.0/templates/operator/xds-service.yaml deleted file mode 100644 index 81b41acf5..000000000 --- a/charts/airlock/microgateway/4.3.0/templates/operator/xds-service.yaml +++ /dev/null @@ -1,24 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: airlock-microgateway-operator-xds - namespace: {{ .Release.Namespace }} - labels: - {{- include "airlock-microgateway.operator.labels" . | nindent 4 }} - {{- with .Values.operator.serviceLabels }} - {{- toYaml . | nindent 4 }} - {{- end }} - {{- with mustMerge .Values.operator.serviceAnnotations .Values.commonAnnotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -spec: - ports: - - appProtocol: grpc - name: xds - port: 13377 - protocol: TCP - targetPort: 13377 - selector: - {{- include "airlock-microgateway.operator.selectorLabels" . | nindent 4 }} - operator.microgateway.airlock.com/isLeader: "true" diff --git a/charts/airlock/microgateway/4.3.0/templates/scc-role.yaml b/charts/airlock/microgateway/4.3.0/templates/scc-role.yaml new file mode 100644 index 000000000..862748692 --- /dev/null +++ b/charts/airlock/microgateway/4.3.0/templates/scc-role.yaml @@ -0,0 +1,22 @@ +{{- if .Values.rbac.createSCCRole -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "airlock-microgateway-cni.fullname" . }}-privileged + namespace: {{ .Release.Namespace }} + labels: + {{- include "airlock-microgateway-cni.labels" . | nindent 4 }} + {{- with .Values.commonAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +rules: +- apiGroups: + - security.openshift.io + resourceNames: + - privileged + resources: + - securitycontextconstraints + verbs: + - use +{{- end -}} \ No newline at end of file diff --git a/charts/airlock/microgateway/4.3.0/templates/scc-rolebinding.yaml b/charts/airlock/microgateway/4.3.0/templates/scc-rolebinding.yaml new file mode 100644 index 000000000..ebd02982c --- /dev/null +++ b/charts/airlock/microgateway/4.3.0/templates/scc-rolebinding.yaml @@ -0,0 +1,20 @@ +{{- if .Values.rbac.createSCCRole -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ include "airlock-microgateway-cni.fullname" . }}-privileged + namespace: {{ .Release.Namespace }} + labels: + {{- include "airlock-microgateway-cni.labels" . | nindent 4 }} + {{- with .Values.commonAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ include "airlock-microgateway-cni.fullname" . }}-privileged +subjects: +- kind: ServiceAccount + name: {{ include "airlock-microgateway-cni.serviceAccountName" . }} +{{- end -}} diff --git a/charts/airlock/microgateway/4.3.0/templates/serviceaccount.yaml b/charts/airlock/microgateway/4.3.0/templates/serviceaccount.yaml new file mode 100644 index 000000000..3dc8d58ea --- /dev/null +++ b/charts/airlock/microgateway/4.3.0/templates/serviceaccount.yaml @@ -0,0 +1,13 @@ +{{- if .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "airlock-microgateway-cni.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "airlock-microgateway-cni.labels" . | nindent 4 }} + {{- with mustMerge .Values.serviceAccount.annotations .Values.commonAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end -}} diff --git a/charts/airlock/microgateway/4.3.0/templates/tests/rbac.yaml b/charts/airlock/microgateway/4.3.0/templates/tests/rbac.yaml index 93bd4cd1b..744799333 100644 --- a/charts/airlock/microgateway/4.3.0/templates/tests/rbac.yaml +++ b/charts/airlock/microgateway/4.3.0/templates/tests/rbac.yaml @@ -2,142 +2,63 @@ apiVersion: v1 kind: ServiceAccount metadata: - labels: - app.kubernetes.io/component: tests - app.kubernetes.io/name: {{ include "airlock-microgateway.name" . }}-tests - {{- include "airlock-microgateway.sharedLabels" . | nindent 4 }} - name: "{{ include "airlock-microgateway.fullname" . }}-tests" + name: "{{ include "airlock-microgateway-cni.fullname" . }}-tests" namespace: {{ .Release.Namespace }} + labels: + {{- include "airlock-microgateway-cni.labelsWithoutComponent" . | nindent 4 }} + app.kubernetes.io/component: tests --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: - labels: - app.kubernetes.io/component: tests - app.kubernetes.io/name: {{ include "airlock-microgateway.name" . }}-tests - {{- include "airlock-microgateway.sharedLabels" . | nindent 4 }} - name: "{{ include "airlock-microgateway.fullname" . }}-tests" + name: "{{ include "airlock-microgateway-cni.fullname" . }}-tests" namespace: {{ .Release.Namespace }} + labels: + {{- include "airlock-microgateway-cni.labelsWithoutComponent" . | nindent 4 }} + app.kubernetes.io/component: tests roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: "{{ include "airlock-microgateway.fullname" . }}-tests" + name: "{{ include "airlock-microgateway-cni.fullname" . }}-tests" subjects: - kind: ServiceAccount - name: "{{ include "airlock-microgateway.fullname" . }}-tests" + name: "{{ include "airlock-microgateway-cni.fullname" . }}-tests" --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - labels: - app.kubernetes.io/component: tests - app.kubernetes.io/name: {{ include "airlock-microgateway.name" . }}-tests - {{- include "airlock-microgateway.sharedLabels" . | nindent 4 }} - name: "{{ include "airlock-microgateway.fullname" . }}-tests" + name: "{{ include "airlock-microgateway-cni.fullname" . }}-tests" namespace: {{ .Release.Namespace }} + labels: + {{- include "airlock-microgateway-cni.labelsWithoutComponent" . | nindent 4 }} + app.kubernetes.io/component: tests rules: - apiGroups: - - microgateway.airlock.com + - "apps" resources: - - sidecargateways + - daemonsets resourceNames: - - "{{ include "airlock-microgateway.fullname" . }}-test-sidecargateway" + - {{ include "airlock-microgateway-cni.fullname" . }} verbs: - - get - - list - - watch - - delete + - get + - watch + - list - apiGroups: - - microgateway.airlock.com + - "" resources: - - sidecargateways + - pods + - pods/log verbs: - - create + - get + - list +{{- if .Values.rbac.createSCCRole }} - apiGroups: - - "" - resources: - - events - verbs: - - list -- apiGroups: - - "apps" - resources: - - deployments + - security.openshift.io resourceNames: - - "{{ include "airlock-microgateway.operator.fullname" . }}" - verbs: - - get - - list - - watch -- apiGroups: - - "apps" + - privileged resources: - - statefulsets - - statefulsets/scale - resourceNames: - - "{{ include "airlock-microgateway.fullname" . }}-test-backend" + - securitycontextconstraints verbs: - - get - - list - - watch - - patch -- apiGroups: - - "" - resources: - - pods - - pods/log - - pods/status - - pods/attach - resourceNames: - - "{{ include "airlock-microgateway.fullname" . }}-test-backend-0" - - "{{ include "airlock-microgateway.fullname" . }}-test-valid-request" - - "{{ include "airlock-microgateway.fullname" . }}-test-injection-request" - verbs: - - get - - list - - create - - watch - - delete -- apiGroups: - - "" - resources: - - pods - verbs: - - create -{{- if .Values.operator.watchNamespaceSelector }} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - app.kubernetes.io/component: tests - app.kubernetes.io/name: {{ include "airlock-microgateway.name" . }}-tests - {{- include "airlock-microgateway.sharedLabels" . | nindent 4 }} - name: "{{ include "airlock-microgateway.fullname" . }}-tests-{{ .Release.Namespace }}" -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: "{{ include "airlock-microgateway.fullname" . }}-tests-{{ .Release.Namespace }}" -subjects: - - kind: ServiceAccount - name: "{{ include "airlock-microgateway.fullname" . }}-tests" - namespace: {{ .Release.Namespace }} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app.kubernetes.io/component: tests - app.kubernetes.io/name: {{ include "airlock-microgateway.name" . }}-tests - {{- include "airlock-microgateway.sharedLabels" . | nindent 4 }} - name: "{{ include "airlock-microgateway.fullname" . }}-tests-{{ .Release.Namespace }}" -rules: -- apiGroups: - - "" - resources: - - namespaces - verbs: - - get - - list -{{- end }} + - use +{{- end -}} {{- end -}} diff --git a/charts/airlock/microgateway/4.3.0/templates/tests/service.yaml b/charts/airlock/microgateway/4.3.0/templates/tests/service.yaml deleted file mode 100644 index 30ddc278d..000000000 --- a/charts/airlock/microgateway/4.3.0/templates/tests/service.yaml +++ /dev/null @@ -1,23 +0,0 @@ -{{- if .Values.tests.enabled -}} -apiVersion: v1 -kind: Service -metadata: - name: "{{ include "airlock-microgateway.fullname" . }}-test-service" - namespace: {{ .Release.Namespace }} - labels: - app: test-service - app.kubernetes.io/component: test-install - app.kubernetes.io/name: {{ include "airlock-microgateway.name" . }}-tests - {{- include "airlock-microgateway.sharedLabels" . | nindent 4 }} - {{- include "airlock-microgateway.sharedSelectorLabels" . | nindent 4 }} -spec: - selector: - app.kubernetes.io/component: test-install - app.kubernetes.io/name: {{ include "airlock-microgateway.name" . }}-tests - app: "{{ include "airlock-microgateway.fullname" . }}-test-backend" - {{- include "airlock-microgateway.sharedSelectorLabels" . | nindent 4 }} - ports: - - name: http - port: 8080 - targetPort: 8080 -{{- end -}} \ No newline at end of file diff --git a/charts/airlock/microgateway/4.3.0/templates/tests/statefulset.yaml b/charts/airlock/microgateway/4.3.0/templates/tests/statefulset.yaml deleted file mode 100644 index 710a7b9f6..000000000 --- a/charts/airlock/microgateway/4.3.0/templates/tests/statefulset.yaml +++ /dev/null @@ -1,56 +0,0 @@ -{{- if .Values.tests.enabled -}} -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: "{{ include "airlock-microgateway.fullname" . }}-test-backend" - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/component: test-install - app.kubernetes.io/name: {{ include "airlock-microgateway.name" . }}-tests - app: "{{ include "airlock-microgateway.fullname" . }}-test-backend" - {{- include "airlock-microgateway.sharedLabels" . | nindent 4 }} - {{- include "airlock-microgateway.sharedSelectorLabels" . | nindent 4 }} -spec: - serviceName: nginx - replicas: 0 - selector: - matchLabels: - app.kubernetes.io/component: test-install - app.kubernetes.io/name: {{ include "airlock-microgateway.name" . }}-tests - app: "{{ include "airlock-microgateway.fullname" . }}-test-backend" - {{- include "airlock-microgateway.sharedSelectorLabels" . | nindent 6 }} - template: - metadata: - annotations: - k8s.v1.cni.cncf.io/networks: default/airlock-microgateway-cni - labels: - sidecar.microgateway.airlock.com/inject: "true" - sidecar.istio.io/inject: "false" - app.kubernetes.io/component: test-install - app.kubernetes.io/name: {{ include "airlock-microgateway.name" . }}-tests - app: "{{ include "airlock-microgateway.fullname" . }}-test-backend" - {{- include "airlock-microgateway.sharedLabels" . | nindent 8 }} - {{- include "airlock-microgateway.sharedSelectorLabels" . | nindent 8 }} - spec: - containers: - - image: cgr.dev/chainguard/nginx - name: nginx - ports: - - containerPort: 8080 - volumeMounts: - - mountPath: /var/lib/nginx/tmp/ - name: nginx-tmp - - mountPath: /var/run - name: nginx-run - securityContext: - {{- include "airlock-microgateway.restrictedSecurityContext" . | nindent 12 }} - {{- with .Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} - {{- end }} - volumes: - - emptyDir: {} - name: nginx-tmp - - emptyDir: {} - name: nginx-run -{{- end -}} \ No newline at end of file diff --git a/charts/airlock/microgateway/4.3.0/templates/tests/test-install.yaml b/charts/airlock/microgateway/4.3.0/templates/tests/test-install.yaml index ab82abea7..12d8c8de7 100644 --- a/charts/airlock/microgateway/4.3.0/templates/tests/test-install.yaml +++ b/charts/airlock/microgateway/4.3.0/templates/tests/test-install.yaml @@ -2,14 +2,11 @@ apiVersion: v1 kind: Pod metadata: - name: "{{ include "airlock-microgateway.fullname" . }}-test-install" + name: "{{ include "airlock-microgateway-cni.fullname" . }}-test-install" namespace: {{ .Release.Namespace }} labels: + {{- include "airlock-microgateway-cni.labelsWithoutComponent" . | nindent 4 }} app.kubernetes.io/component: test-install - app.kubernetes.io/name: {{ include "airlock-microgateway.name" . }}-tests - sidecar.istio.io/inject: "false" - {{- include "airlock-microgateway.sharedLabels" . | nindent 4 }} - {{- include "airlock-microgateway.sharedSelectorLabels" . | nindent 4 }} annotations: helm.sh/hook: test helm.sh/hook-delete-policy: before-hook-creation @@ -19,209 +16,88 @@ spec: - name: test image: "bitnami/kubectl:{{ .Capabilities.KubeVersion.Major }}.{{ .Capabilities.KubeVersion.Minor }}" securityContext: - {{- include "airlock-microgateway.restrictedSecurityContext" . | nindent 6 }} + allowPrivilegeEscalation: {{ .Values.privileged }} + capabilities: + drop: + - ALL + privileged: {{ .Values.privileged }} + readOnlyRootFilesystem: true + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /host/opt/cni/bin + name: cni-bin-dir + readOnly: true + - mountPath: /host/etc/cni/net.d + name: cni-net-dir + readOnly: true command: - sh - -c - | set -eu - clean_up() { - echo "" - echo "### Clean up test resources" - kubectl delete --ignore-not-found=true -n {{ .Release.Namespace }} sidecargateways.microgateway.airlock.com {{ include "airlock-microgateway.fullname" . }}-test-sidecargateway || true - echo "" - echo "### Scale down '{{ include "airlock-microgateway.fullname" . }}-test-backend'" - kubectl scale -n {{ .Release.Namespace }} statefulset/{{ include "airlock-microgateway.fullname" . }}-test-backend --replicas=0 --timeout=60s - sleep 3s - echo "" - } - fail() { + echo "Error: ${1}" echo "" - echo "### Error: ${1}" - echo "" - - if kubectl get -n {{ .Release.Namespace }} sidecargateway.microgateway.airlock.com/{{ include "airlock-microgateway.fullname" . }}-test-sidecargateway >/dev/null 2>&1; then - echo "" - echo 'Microgateway Sidecargateway status:' - kubectl get -n {{ .Release.Namespace }} sidecargateway.microgateway.airlock.com/{{ include "airlock-microgateway.fullname" . }}-test-sidecargateway -o jsonpath-as-json='{.status}' || true - echo "" - echo "" - fi - - if kubectl get -n {{ .Release.Namespace }} pods/{{ include "airlock-microgateway.fullname" . }}-test-backend-0 >/dev/null 2>&1; then - echo "Pod '{{ include "airlock-microgateway.fullname" . }}-test-backend-0':" - kubectl describe -n {{ .Release.Namespace }} pods/{{ include "airlock-microgateway.fullname" . }}-test-backend-0 || true - echo "" - echo "" - echo 'Logs of Nginx container:' - kubectl logs -n {{ .Release.Namespace }} pods/{{ include "airlock-microgateway.fullname" . }}-test-backend-0 -c nginx --tail 5 || true - echo "" - echo "" - # Wait for engine logs - sleep 10s - echo 'Logs of Microgateway Engine container:' - kubectl logs -n {{ .Release.Namespace }} pods/{{ include "airlock-microgateway.fullname" . }}-test-backend-0 -c airlock-microgateway-engine --tail 5 || true - fi - + echo 'CNI installer logs:' + kubectl logs -n {{ .Release.Namespace }} daemonsets/{{ include "airlock-microgateway-cni.fullname" .}} -c cni-installer exit 1 } - create_sidecargateway() { - # create SidecarGateway resource for testing purposes - kubectl delete --ignore-not-found=true -n {{ .Release.Namespace }} sidecargateways.microgateway.airlock.com {{ include "airlock-microgateway.fullname" . }}-test-sidecargateway || true - kubectl apply -f - </dev/null 2>&1; do sleep 1s; i=$((i+1)); done - kubectl logs -f -n {{ .Release.Namespace }} {{ include "airlock-microgateway.fullname" . }}-test-valid-request - kubectl delete pod --ignore-not-found=true -n {{ .Release.Namespace }} {{ include "airlock-microgateway.fullname" . }}-test-valid-request - } - - {{- if .Values.operator.watchNamespaceSelector }} - echo "### Verify that Namespace Selector matches Namespace '{{ .Release.Namespace }}'" - if ! kubectl get namespace -l '{{ include "airlock-microgateway.watchNamespaceSelector.labelQuery" .Values.operator.watchNamespaceSelector }}' | grep -q {{ .Release.Namespace }}; then - labels=$(kubectl get namespace {{ .Release.Namespace }} -o jsonpath={.metadata.labels} | jq | awk '{print " " $0}') - fail {{printf `"Operator namespace '%s' is not part of the operator's watch scope. To execute 'helm test', the selector configured in the helm value 'operator.watchNamespaceSelector' must match the namespace's labels:\n* Current selector:\n%s\n\n* Current labels:\n$labels\n###"` - .Release.Namespace - (replace "\"" "\\\"" (replace "\n" "\\n" (.Values.operator.watchNamespaceSelector | toPrettyJson | indent 2))) - }} + if ! kubectl rollout status --timeout=60s -n {{ .Release.Namespace }} daemonsets/{{ include "airlock-microgateway-cni.fullname" .}}; then + fail 'CNI DaemonSet rollout did not complete within timeout' fi - echo "" - {{- end }} - trap clean_up EXIT - echo "" - - echo "### Waiting for Microgateway Operator Deployments to be ready" - if ! kubectl rollout status -n {{ .Release.Namespace }} --timeout=90s \ - deployments/{{ include "airlock-microgateway.operator.fullname" . }}; then - fail 'Timout occurred' + echo "Checking whether CNI binary was installed" + if ! [ -f "/host/opt/cni/bin/{{ include "airlock-microgateway-cni.fullname" . }}" ]; then + fail 'CNI binary was not installed' fi - echo "" - echo "### Scale '{{ include "airlock-microgateway.fullname" . }}-test-backend' to '1' replica" - # scale to zero replicas to ensure no pods are present from previous runs - kubectl scale -n {{ .Release.Namespace }} statefulset/{{ include "airlock-microgateway.fullname" . }}-test-backend --replicas=0 --timeout=10s - kubectl scale -n {{ .Release.Namespace }} statefulset/{{ include "airlock-microgateway.fullname" . }}-test-backend --replicas=1 --timeout=10s - echo "" - - echo "### Waiting for backend pod" - i=0 - while true; do - if kubectl get -n {{ .Release.Namespace }} pods/{{ include "airlock-microgateway.fullname" . }}-test-backend-0; then - break - elif [ $i -gt 3 ]; then - fail 'Pod not ready' - fi - sleep 2s - i=$((i+1)) - done - - echo "### Checking Microgateway Engine sidecar container was injected" - if ! kubectl get -n {{ .Release.Namespace }} pods/{{ include "airlock-microgateway.fullname" . }}-test-backend-0 -o jsonpath='{.spec.containers[?(@.name=="airlock-microgateway-engine")]}' | grep -q "airlock-microgateway-engine"; then - fail 'Microgateway Engine sidecar container not injected' + echo "Checking whether CNI kubeconfig was installed" + if ! [ -f "/host/etc/cni/net.d/{{ include "airlock-microgateway-cni.fullname" . }}-kubeconfig" ]; then + fail 'CNI kubeconfig was not created' fi - echo "True" - echo "" - echo "### Checking for valid license" - i=0 - while true; do - if [ "$(kubectl get -n {{ .Release.Namespace }} pods/{{ include "airlock-microgateway.fullname" . }}-test-backend-0 -o jsonpath='{.metadata.labels.sidecar\.microgateway\.airlock\.com/licensed}')" = 'true' ]; then - break - elif [ $i -gt 30 ]; then - fail 'Microgateway license is missing or invalid' - fi - sleep 2s - i=$((i+1)) - done - echo "True" - echo "" + echo "Checking whether CNI configuration was written" + case {{ .Values.config.installMode }} in + "chained") + for file in "/host/etc/cni/net.d/"*.conflist; do + if containsMGWCNIConf "${file}"; then + echo "Success" + exit 0 + fi + done + ;; + "standalone") + if containsMGWCNIConf "/host/etc/cni/net.d/{{ include "airlock-microgateway-cni.fullname" . }}.conflist"; then + echo "Success" + exit 0 + fi + ;; + "manual") + echo "- Skipping because we are in 'manual' install mode" + echo "Success" + exit 0 + ;; + esac - echo "### Create SidecarGateway resource for testing" - if ! create_sidecargateway ; then - fail 'Creation of SidecarGateway resource failed' - fi - echo "" - - echo "### Waiting for '{{ include "airlock-microgateway.fullname" . }}-test-backend' to be ready" - if ! kubectl rollout status -n {{ .Release.Namespace }} statefulset/{{ include "airlock-microgateway.fullname" . }}-test-backend --timeout=90s; then - fail 'Timout occurred' - fi - echo "" - - echo "### Waiting for 'engine-config-valid' condition" - if ! kubectl wait -n {{ .Release.Namespace }} pods --field-selector=metadata.name={{ include "airlock-microgateway.fullname" . }}-test-backend-0 --timeout=90s --for=condition=microgateway.airlock.com/engine-config-valid=True; then - fail 'Configuration was never accepted by the Microgateway Engine' - fi - sleep 5s - echo "" - echo "" - - echo "### Checking whether a valid request is successful and returns HTTP status code '200'" - out=$(curl -vsS --retry 3 --retry-connrefused --connect-timeout 10 "http://{{ include "airlock-microgateway.fullname" . }}-test-service:8080/" || true) - echo "Response:" - echo "${out}" - if ! echo "${out}" | grep -q "200 OK"; then - fail 'A valid request was not successful' - fi - echo "" - echo "" - - echo "### Checking whether a request with an injection attack is blocked and returns HTTP status code '400'" - out=$(curl -vsS --retry 3 --retry-connrefused --connect-timeout 10 "http://{{ include "airlock-microgateway.fullname" . }}-test-service:8080/?token='%20UnION%20all%20select%20A" || true) - echo "Response:" - echo "${out}" - if ! echo "${out}" | grep -q "400 Bad Request"; then - fail 'A malicious request was not blocked' - fi - echo "" - echo "" - - echo "### Installation of '{{ include "airlock-microgateway.fullname" . }}' succeeded" - exit 0 - serviceAccountName: "{{ include "airlock-microgateway.fullname" . }}-tests" + fail 'Configuration for plugin "{{ include "airlock-microgateway-cni.fullname" . }}" was not found' + serviceAccountName: "{{ include "airlock-microgateway-cni.fullname" . }}-tests" + volumes: + - hostPath: + path: "{{ .Values.config.cniBinDir }}" + type: Directory + name: cni-bin-dir + - hostPath: + path: "{{ .Values.config.cniNetDir }}" + type: Directory + name: cni-net-dir {{- end -}} diff --git a/charts/airlock/microgateway/4.3.0/values.schema.json b/charts/airlock/microgateway/4.3.0/values.schema.json index 173d6b084..e087bd700 100644 --- a/charts/airlock/microgateway/4.3.0/values.schema.json +++ b/charts/airlock/microgateway/4.3.0/values.schema.json @@ -14,15 +14,6 @@ "commonAnnotations": { "$ref": "#/definitions/StringMap" }, - "crds": { - "type": "object", - "properties": { - "skipVersionCheck": { - "type": "boolean" - } - }, - "additionalProperties": false - }, "imagePullSecrets": { "type": "array", "items": { @@ -39,304 +30,120 @@ "additionalProperties": true } }, - "operator": { + "image": { + "$ref": "#/definitions/Image" + }, + "podAnnotations": { + "$ref": "#/definitions/StringMap" + }, + "podLabels": { + "$ref": "#/definitions/StringMap" + }, + "resources": { + "type": "object" + }, + "nodeSelector": { + "$ref": "#/definitions/StringMap" + }, + "affinity": { + "type": "object" + }, + "rbac": { "type": "object", "properties": { - "replicaCount": { - "type": "integer", - "minimum": 0 - }, - "updateStrategy": { - "$ref": "#/definitions/UpdateStrategy" - }, - "image": { - "$ref": "#/definitions/Image" - }, - "podAnnotations": { - "$ref": "#/definitions/StringMap" - }, - "podLabels": { - "$ref": "#/definitions/StringMap" - }, - "serviceAnnotations": { - "$ref": "#/definitions/StringMap" - }, - "serviceLabels": { - "$ref": "#/definitions/StringMap" - }, - "resources": { - "type": "object" - }, - "nodeSelector": { - "$ref": "#/definitions/StringMap" - }, - "tolerations": { - "type": "array", - "items": { - "type": "object" - } - }, - "affinity": { - "type": "object" - }, - "config": { - "type": "object", - "properties": { - "logLevel": { - "type": "string", - "enum": [ - "debug", - "info", - "warn", - "error" - ] - } - }, - "required": [ - "logLevel" - ], - "additionalProperties": false - }, - "serviceAccount": { - "type": "object", - "properties": { - "create": { - "type": "boolean" - }, - "annotations": { - "$ref": "#/definitions/StringMap" - }, - "name": { - "type": "string" - } - }, - "required": [ - "annotations", - "create", - "name" - ], - "additionalProperties": false - }, - "watchNamespaces": { - "type": "array", - "items": { - "type": "string" - } - }, - "watchNamespaceSelector": { - "$ref": "#/definitions/LabelSelector" - }, - "rbac": { - "type": "object", - "properties": { - "create": { - "type": "boolean" - } - }, - "required": [ - "create" - ], - "additionalProperties": false - }, - "serviceMonitor": { - "type": "object", - "properties": { - "create": { - "type": "boolean" - }, - "labels": { - "$ref": "#/definitions/StringMap" - } - }, - "required": [ - "create" - ], - "additionalProperties": false - } - }, - "oneOf": [ - { - "properties": { - "watchNamespaces": { - "minItems": 1 - }, - "watchNamespaceSelector": { - "additionalProperties": false - } - } - }, - { - "properties": { - "watchNamespaces": { - "maxItems": 0 - }, - "watchNamespaceSelector": { - "$ref": "#/definitions/LabelSelector" - } - } - } - ], - "required": [ - "affinity", - "config", - "image", - "updateStrategy", - "nodeSelector", - "podAnnotations", - "podLabels", - "rbac", - "replicaCount", - "resources", - "serviceAccount", - "serviceAnnotations", - "serviceLabels", - "serviceMonitor", - "tolerations" - ], - "additionalProperties": false - }, - "engine": { - "type": "object", - "properties": { - "image": { - "$ref": "#/definitions/Image" - }, - "resources": { - "type": "object" - }, - "sidecar": { - "type": "object", - "properties":{ - "podMonitor": { - "type": "object", - "properties": { - "create": { - "type": "boolean" - }, - "labels": { - "$ref": "#/definitions/StringMap" - } - }, - "required": [ - "create" - ], - "additionalProperties": false - } - }, - "required": [ - "podMonitor" - ], - "additionalProperties": false - } - }, - "required": [ - "image", - "resources", - "sidecar" - ], - "additionalProperties": false - }, - "networkValidator": { - "type": "object", - "properties": { - "image": { - "$ref": "#/definitions/Image" - } - }, - "required": [ - "image" - ], - "additionalProperties": false - }, - "sessionAgent": { - "type": "object", - "properties": { - "image": { - "$ref": "#/definitions/Image" - }, - "resources": { - "type": "object" - } - }, - "required": [ - "image", - "resources" - ], - "additionalProperties": false - }, - "license": { - "type": "object", - "properties": { - "secretName": { - "type": "string", - "minLength": 1 - } - }, - "required": [ - "secretName" - ], - "additionalProperties": false - }, - "dashboards": { - "type": "object", - "properties" : { "create": { "type": "boolean" }, - "config": { - "type": "object", - "properties": { - "grafana": { - "type": "object", - "properties": { - "folderAnnotation": { - "$ref": "#/definitions/NameValuePair" - }, - "dashboardLabel": { - "$ref": "#/definitions/NameValuePair" - } - }, - "required": [ - "folderAnnotation", - "dashboardLabel" - ], - "additionalProperties": false - } - }, - "required": [ - "grafana" - ], - "additionalProperties": false - }, - "instances": { - "type": "object", - "properties": { - "overview": { - "$ref": "#/definitions/DashboardInstance" - }, - "license" : { - "$ref": "#/definitions/DashboardInstance" - }, - "blockMetrics" : { - "$ref": "#/definitions/DashboardInstance" - }, - "blockLogs" : { - "$ref": "#/definitions/DashboardInstance" - } - }, - "required": [ - "overview", - "license", - "blockMetrics", - "blockLogs" - ], - "additionalProperties": false + "createSCCRole": { + "type": "boolean" } }, "required": [ "create", - "config", - "instances" + "createSCCRole" + ], + "additionalProperties": false + }, + "privileged": { + "type": "boolean" + }, + "serviceAccount": { + "type": "object", + "properties": { + "create": { + "type": "boolean" + }, + "annotations": { + "$ref": "#/definitions/StringMap" + }, + "name": { + "type": "string" + } + }, + "required": [ + "annotations", + "create", + "name" + ], + "additionalProperties": false + }, + "multusNetworkAttachmentDefinition": { + "type": "object", + "properties": { + "create": { + "type": "boolean" + }, + "namespace": { + "type": "string" + } + }, + "required": [ + "create", + "namespace" + ], + "additionalProperties": false + }, + "config": { + "type": "object", + "properties": { + "installMode": { + "type": "string", + "enum": [ + "chained", + "standalone", + "manual" + ] + }, + "logLevel": { + "type": "string", + "enum": [ + "debug", + "info", + "warn", + "error" + ] + }, + "cniNetDir": { + "type": "string", + "minLength": 1 + }, + "cniBinDir": { + "type": "string", + "minLength": 1 + }, + "excludeNamespaces": { + "type": "array", + "items": { + "type": "string" + } + } + }, + "required": [ + "cniBinDir", + "cniNetDir", + "excludeNamespaces", + "installMode", + "logLevel" ], "additionalProperties": false }, @@ -357,18 +164,22 @@ } }, "required": [ + "affinity", "commonAnnotations", "commonLabels", - "crds", - "engine", + "config", "fullnameOverride", + "image", "imagePullSecrets", - "license", + "multusNetworkAttachmentDefinition", "nameOverride", - "operator", - "networkValidator", - "sessionAgent", - "dashboards", + "nodeSelector", + "podAnnotations", + "podLabels", + "privileged", + "rbac", + "resources", + "serviceAccount", "tests" ], "additionalProperties": false, @@ -409,132 +220,6 @@ "tag" ], "additionalProperties": false - }, - "LabelSelector": { - "type": "object", - "properties": { - "matchExpressions": { - "type": "array", - "items": { - "type": "object", - "required": [ - "key", - "operator" - ], - "properties": { - "key": { - "type": "string" - }, - "operator": { - "type": "string" - }, - "values": { - "type": "array", - "items": { - "type": "string" - } - } - }, - "additionalProperties": false - } - }, - "matchLabels": { - "$ref": "#/definitions/StringMap" - } - }, - "additionalProperties": false - }, - "UpdateStrategy": { - "type": "object", - "oneOf" : [ - { - "properties": { - "type": { - "$ref": "#/definitions/RecreateType" - } - }, - "required": [ - "type" - ], - "additionalProperties": false - }, - { - "properties": { - "type": { - "$ref": "#/definitions/RollingUpdateType" - }, - "rollingUpdate": { - "$ref": "#/definitions/RollingUpdate" - } - }, - "required": [ - "type" - ], - "additionalProperties": false - } - ] - }, - "RecreateType": { - "type": "string", - "enum": [ - "Recreate" - ] - }, - "RollingUpdateType": { - "type": "string", - "enum": [ - "RollingUpdate" - ] - }, - "RollingUpdate": { - "type": "object", - "properties": { - "maxSurge": { - "type": ["integer", "string"], - "minimum": 0, - "pattern": "^\\d+%?$" - }, - "maxUnavailable": { - "type": ["integer", "string"], - "minimum": 0, - "pattern": "^\\d+%?$" - } - }, - "anyOf": [ - {"required": ["maxSurge"]}, - {"required": ["maxUnavailable"]} - ], - "additionalProperties": false - }, - "DashboardInstance" : { - "type" : "object", - "properties" : { - "create" : { - "type" : "boolean" - } - }, - "required" : [ - "create" - ], - "additionalProperties": false - }, - "NameValuePair" : { - "type" : "object", - "properties" : { - "name" : { - "type": "string", - "minLength": 1 - }, - "value" : { - "type" : "string", - "minLength": 1 - } - }, - "required" : [ - "name", - "value" - ], - "additionalProperties": false } } } diff --git a/charts/airlock/microgateway/4.3.0/values.yaml b/charts/airlock/microgateway/4.3.0/values.yaml index b13232aa9..a5bf5dac5 100644 --- a/charts/airlock/microgateway/4.3.0/values.yaml +++ b/charts/airlock/microgateway/4.3.0/values.yaml @@ -1,4 +1,4 @@ -# -- Allows overriding the name to use instead of "microgateway". +# -- Allows overriding the name to use instead of "microgateway-cni". nameOverride: "" # -- Allows overriding the name to use as full name of resources. fullnameOverride: "" @@ -10,203 +10,75 @@ commonAnnotations: {} imagePullSecrets: [] # - name: myRegistryKeySecretName -crds: - # -- Whether to skip the sanity check which prevents installing/upgrading the helm chart in a cluster with outdated Airlock Microgateway CRDs. - # The check aims to prevent unexpected behavior and issues due to Helm v3 not automatically upgrading CRDs which are already present in the cluster - # when performing a "helm install/upgrade". - skipVersionCheck: false -operator: - # -- Number of replicas for the operator Deployment. - replicaCount: 2 - # -- Specifies the operator update strategy. - updateStrategy: - type: RollingUpdate - # Specifies the Airlock Microgateway Operator image. - image: - # -- Image repository from which to pull the Airlock Microgateway Operator image. - repository: "quay.io/airlock/microgateway-operator" - # -- Image tag to pull. - tag: "4.3.0" - # -- SHA256 image digest to pull (in the format "sha256:c79ee3f85862fb386e9dd62b901b607161d27807f512d7fbdece05e9ee3d7c63"). - # Overrides tag when specified. - digest: "sha256:dc6f0f9a11d0336c10f6b8a5c7f64d98ac91bd90c49aa1dc4fe7b68cfdea8217" - # -- Pull policy for this image. - pullPolicy: IfNotPresent - # -- Annotations to add to all Pods. - podAnnotations: {} - # -- Labels to add to all Pods. - podLabels: {} - # -- Annotations to add to the Service. - serviceAnnotations: {} - # prometheus.io/scrape: "true" - # prometheus.io/port: "8080" - - # -- Labels to add to the Service. - serviceLabels: {} - # -- Resource restrictions to apply to the operator container. - resources: {} - # We recommend at least the following resource specification. - # limits: - # cpu: 1000m - # memory: 512Mi - # requests: - # cpu: 100m - # memory: 512Mi - - # -- Custom nodeSelector to apply to the operator Deployment in order to constrain its Pods to certain nodes. - nodeSelector: {} - # -- Custom tolerations to apply to the operator Deployment in order to allow its Pods to run on tainted nodes. - tolerations: [] - # -- Custom affinity to apply to the operator Deployment. Used to influence the scheduling. - affinity: {} - # Parameters for the operator configuration. - config: - # -- Operator application log level. - logLevel: "info" - # Configures the generation of the ServiceAccount. - serviceAccount: - # -- Whether a ServiceAccount should be created. - create: true - # -- Annotations to add to the ServiceAccount. - annotations: {} - # -- Name of the ServiceAccount to use. - # If not set and create is true, a name is generated using the fullname template. - name: "" - # -- Allows to restrict the operator to specific namespaces, depending on your needs. - # For a `OwnNamespace` or `SingleNamespace` installation the list may only contain one namespace (e.g., `watchNamespaces: ["airlock-microgateway-system"]`). - # In case of the `OwnNamespace` installation mode the specified namespace should be equal to the installation namespace. - # For a static `MultiNamespace` installation, the complete list of namespaces must be provided in the `watchNamespaces`. - # An `AllNamespaces` installation or the usage of the `watchNamespaceSelector` requires the `watchNamespaces` to be empty. - # Regardless of the installation modes supported by `watchNamespaces`, RBAC is created only namespace-scoped (using Roles and RoleBindings) in the respective namespaces. - # Please note that this feature requires a Premium license. - watchNamespaces: [] - # -- Allows to dynamically select watch namespaces of the operator and the scope of the webhooks based on a Namespace label selector. - # It is able to detect and reconcile resources in all namespaces that match the label selector automatically, even for new namespaces, without restarting the operator. - # This facilitates a dynamic `MultiNamespace` installation mode, but still requires cluster-scoped permissions (i.e., ClusterRoles and ClusterRoleBindings). - # An `AllNamespaces` installation or the usage of the `watchNamespaces` requires the `watchNamespaceSelector` to be empty. - # Please note that this feature requires a Premium license. - watchNamespaceSelector: {} - # For further examples, see: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#resources-that-support-set-based-requirements. - # matchLabels: - # microgateway.airlock.com/enable: "true" - # matchExpressions: - # - { key: environment, operator: NotIn, values: [dev] } - - # Configures the generation of Role and RoleBinding as well as ClusterRoles and ClusterRoleBinding pairs for the ServiceAccount specified above. - rbac: - # -- Whether to create RBAC resources which are required for the Airlock Microgateway Operator to function. - create: true - # Configures the generation of a Prometheus Operator ServiceMonitor. - serviceMonitor: - # -- Whether to create a ServiceMonitor resource for monitoring. - create: false - # -- Labels to add to the ServiceMonitor. - labels: {} - # release: "" -engine: - # Specifies the Airlock Microgateway Engine image. - image: - # -- Image repository from which to pull the Airlock Microgateway Engine image. - repository: "quay.io/airlock/microgateway-engine" - # -- Image tag to pull. - tag: "4.3.0" - # -- SHA256 image digest to pull (in the format "sha256:a3051f42d3013813b05f7513bb86ed6a3209cb3003f1bb2f7b72df249aa544d3"). - # Overrides tag when specified. - digest: "sha256:f442143294f3138965c9fa2734cafd39ebebe8e289600332b12f8a59c23dd9ef" - # -- Pull policy for this image. - pullPolicy: IfNotPresent - # -- Resource restrictions to apply to the Airlock Microgateway Engine container. - resources: {} - # We recommend at least the following resource specification. - # limits: - # cpu: 500m - # memory: 128Mi - # requests: - # cpu: 10m - # memory: 40Mi - - # Additional configuration when deployed as a sidecar. - sidecar: - # Configures the generation of a Prometheus Operator PodMonitor. - podMonitor: - # -- Whether to create a PodMonitor resource for monitoring. - create: false - # -- Labels to add to the PodMonitor. - labels: {} - # release: "" -networkValidator: - # Specifies the Airlock Microgateway Network Validator image to be injected as an init-container. - image: - # -- Image repository from which to pull the busybox image for the Airlock Microgateway Network Validator init-container. - repository: "cgr.dev/chainguard/busybox" - # -- Image tag to pull. - tag: "" - # -- SHA256 image digest to pull (in the format "sha256:7d87405b123c89058a0b64ca9393c45a1366a6a580aced1def900a812beb29f6"). - # Overrides tag when specified. - digest: "sha256:7d87405b123c89058a0b64ca9393c45a1366a6a580aced1def900a812beb29f6" - # -- Pull policy for this image. - pullPolicy: IfNotPresent -sessionAgent: - # Specifies the Airlock Microgateway Session Agent image. - image: - # -- Image repository from which to pull the Airlock Microgateway Session Agent image. - repository: "quay.io/airlock/microgateway-session-agent" - # -- Image tag to pull. - tag: "4.3.0" - # -- SHA256 image digest to pull (in the format "sha256:a3051f42d3013813b05f7513bb86ed6a3209cb3003f1bb2f7b72df249aa544d3"). - # Overrides tag when specified. - digest: "sha256:579dfded99145f9c2c1491ff1aeccb08721d63239a8b7f61bb9f455e17e968b2" - # -- Pull policy for this image. - pullPolicy: IfNotPresent - # -- Resource restrictions to apply to the Airlock Microgateway Session Agent container. - resources: {} - # We recommend at least the following resource specification. - # limits: - # cpu: 150m - # memory: 32Mi - # requests: - # cpu: 10m - # memory: 8Mi -license: - # -- Name of the secret containing the "microgateway-license.txt" key. - secretName: "airlock-microgateway-license" -# Creates dashboards in the form of ConfigMaps that can be imported -# by Grafana using its sidecar setup. -dashboards: - # -- Whether to create any ConfigMaps containing Grafana dashboards to import. +# Specifies the Airlock Microgateway CNI image. +image: + # -- Image repository from which to pull the Airlock Microgateway CNI image. + repository: "quay.io/airlock/microgateway-cni" + # -- Image tag to pull. + tag: "4.3.0" + # -- SHA256 image digest to pull (in the format "sha256:7144f7bab3d4c2648d7e59409f15ec52a18006a128c733fcff20d3a4a54ba44a"). + # Overrides tag when specified. + digest: "sha256:cb165e34a1ab1a903a9f38b741a7d78946470a118640310a41d2af8153d6e409" + # -- Pull policy for this image. + pullPolicy: IfNotPresent +# -- Annotations to add to all Pods. +podAnnotations: {} +# -- Labels to add to all Pods. +podLabels: {} +# -- Resource restrictions to apply to the CNI installer container. +resources: + requests: + cpu: 10m + memory: 100Mi +# -- NodeSelector to apply to the CNI DaemonSet in order to only deploy the CNI plugin on specific nodes. +nodeSelector: + kubernetes.io/os: linux +# -- Custom affinity for the DaemonSet to only deploy the CNI plugin on specific nodes. +affinity: {} +# Configures the generation of RBAC Roles and RoleBindings. +rbac: + # -- Whether to create RBAC resources which are required for the CNI plugin to function. + create: true + # -- (OpenShift) Whether to create RBAC resources which allow the CNI installer to use the "privileged" security context constraint. + createSCCRole: false +# -- Whether the DaemonSet should run in privileged mode. Must be enabled for environments which require it for writing files to the host (e.g. OpenShift). +privileged: false +# Configures the generation of the ServiceAccount. +serviceAccount: + # -- Whether a ServiceAccount should be created. + create: true + # -- Annotations to add to the ServiceAccount. + annotations: {} + # -- Name of the ServiceAccount to use. + # If not set and create is true, a name is generated using the fullname template. + name: "" +# Configures the generation of a NetworkAttachmentDefinition for use with Multus CNI (OpenShift) +multusNetworkAttachmentDefinition: + # -- Whether a NetworkAttachmentDefinition CR should be created, which can be used for applying the CNI plugin to Pods. create: false - config: - # Configures the necessary label and annotations along with their values - # to enable Grafana to correctly identify the ConfigMaps containing - # dashboards and file them within a dedicated folder in the dashboard overview. - # These settings need to match the Grafana sidecar configuration. - grafana: - folderAnnotation: - # -- Name of the annotation containing the folder name to file dashboards into. - name: "grafana_folder" - # -- Name of the folder dashboards are filed into within the Grafana UI. - value: "Airlock Microgateway" - dashboardLabel: - # -- Name of the label that lets Grafana identify ConfigMaps that represent dashboards. - name: "grafana_dashboard" - # -- Value of the label that lets Grafana identify ConfigMaps that represent dashboards. - value: "1" - instances: - # Available dashboard instances that can be individually created/deployed. - overview: - # -- Whether to create the overview dashboard. - create: true - license: - # -- Whether to create the license dashboard. - create: true - blockMetrics: - # -- Whether to create the block metrics dashboard. - create: true - blockLogs: - # -- Whether to create the block logs dashboard. - create: true -# Check whether the installation of the Airlock Microgateway Helm Chart was successful. -# Requires a secret with a valid Airlock Microgateway license key already to be present. + # -- Namespace in which the NetworkAttachmentDefinition is deployed. + # Note: If namespace is set to a custom value, referencing the created NetworkAttachmentDefinition from other namespaces + # may not work if Multus namespace isolation is enabled. https://github.com/k8snetworkplumbingwg/multus-cni/blob/v4.0.2/docs/configuration.md#namespace-isolation + namespace: default +# Parameters for the CNI installer configuration. +config: + # -- Whether to install the CNI plugin as a `chained` plugin (default, required with most interface CNI providers), + # as a `standalone` plugin (required for use with Multus CNI, e.g. on OpenShift) + # or in `manual` mode, where no CNI network configuration is written. + installMode: "chained" + # -- Log level for the CNI installer and plugin. + logLevel: info + # -- Directory where the CNI config files reside on the host. + # This path can either be found in the documentation of your Kubernetes distribution or CNI provider. + # It can also be queried by running the command `crictl info -o go-template --template '{{.config.cni.confDir}}'` on your Kubernetes node. + cniNetDir: "/etc/cni/net.d" + # -- Directory where the CNI plugin binaries reside on the host. + # This path can either be found in the documentation of your Kubernetes distribution or CNI provider. + # It can also be queried by running the command `crictl info -o go-template --template '{{.config.cni.binDir}}'` on your Kubernetes node. + cniBinDir: "/opt/cni/bin" + # -- Namespaces for which this CNI plugin should not apply any modifications. + excludeNamespaces: + - kube-system tests: # -- Whether additional resources required for running `helm test` should be created (e.g. Roles and ServiceAccounts). # If set to false, `helm test` will not run any tests. diff --git a/charts/airlock/microgateway/4.3.1/.helmignore b/charts/airlock/microgateway/4.3.1/.helmignore index 101ff5ac5..8561d2892 100644 --- a/charts/airlock/microgateway/4.3.1/.helmignore +++ b/charts/airlock/microgateway/4.3.1/.helmignore @@ -21,8 +21,7 @@ .idea/ *.tmproj .vscode/ -# CRDs kustomization.yaml -/crds/kustomization.yaml + # Helm unit tests /tests /validation diff --git a/charts/airlock/microgateway/4.3.1/Chart.yaml b/charts/airlock/microgateway/4.3.1/Chart.yaml index fefe5ea40..64a5a0387 100644 --- a/charts/airlock/microgateway/4.3.1/Chart.yaml +++ b/charts/airlock/microgateway/4.3.1/Chart.yaml @@ -9,15 +9,15 @@ annotations: - name: Airlock Microgateway Forum url: https://forum.airlock.com/ catalog.cattle.io/certified: partner - catalog.cattle.io/display-name: Airlock Microgateway + catalog.cattle.io/display-name: Airlock Microgateway CNI catalog.cattle.io/kube-version: '>=1.25.0-0' - catalog.cattle.io/release-name: microgateway - charts.openshift.io/name: Airlock Microgateway + catalog.cattle.io/release-name: microgateway-cni + charts.openshift.io/name: Airlock Microgateway CNI apiVersion: v2 appVersion: 4.3.1 -description: A Helm chart for deploying the Airlock Microgateway +description: A Helm chart for deploying the Airlock Microgateway CNI plugin home: https://www.airlock.com/en/microgateway -icon: file://assets/icons/microgateway.svg +icon: file://assets/icons/microgateway-cni.svg keywords: - WAF - Web Application Firewall @@ -30,14 +30,13 @@ keywords: - Filtering - DevSecOps - shift left -- control plane -- Operator +- CNI kubeVersion: '>=1.25.0-0' maintainers: - email: support@airlock.com name: Airlock url: https://www.airlock.com/ -name: microgateway +name: microgateway-cni sources: - https://github.com/airlock/microgateway type: application diff --git a/charts/airlock/microgateway/4.3.1/README.md b/charts/airlock/microgateway/4.3.1/README.md index f9a4c34e6..06e8e26ab 100644 --- a/charts/airlock/microgateway/4.3.1/README.md +++ b/charts/airlock/microgateway/4.3.1/README.md @@ -1,4 +1,4 @@ -# Airlock Microgateway +# Airlock Microgateway CNI ![Version: 4.3.1](https://img.shields.io/badge/Version-4.3.1-informational?style=flat-square) ![AppVersion: 4.3.1](https://img.shields.io/badge/AppVersion-4.3.1-informational?style=flat-square) @@ -40,58 +40,43 @@ Check the official documentation at **[docs.airlock.com](https://docs.airlock.co The instructions below provide a quick start guide. Detailed information are provided in the **[manual](https://docs.airlock.com/microgateway/latest/)**. ## Prerequisites -* [Airlock Microgateway CNI](https://artifacthub.io/packages/helm/airlock-microgateway-cni/microgateway-cni) -* [Airlock Microgateway License](#obtain-airlock-microgateway-license) -* [cert-manager](https://cert-manager.io/) * [helm](https://helm.sh/docs/intro/install/) (>= v3.8.0) -In order to use Airlock Microgateway you need a license and the cert-manager. You may either request a community license free of charge or purchase a premium license. -For an easy start in non-production environments, you may deploy the same cert-manager we are using internally for testing. -### Obtain Airlock Microgateway License -1. Either request a community or premium license - * Community license: [airlock.com/microgateway-community](https://airlock.com/en/microgateway-community) - * Premium license: [airlock.com/microgateway-premium](https://airlock.com/en/microgateway-premium) -2. Check your inbox and save the license file microgateway-license.txt locally. - -> See [Community vs. Premium editions in detail](https://docs.airlock.com/microgateway/latest/#data/1675772882054.html) to choose the right license type. -### Deploy cert-manager -```bash -helm repo add jetstack https://charts.jetstack.io -helm install cert-manager jetstack/cert-manager --version '1.15.1' -n cert-manager --create-namespace --set crds.enabled=true --wait -``` - -## Deploy Airlock Microgateway Operator - -> This guide assumes a microgateway-license.txt file is present in the working directory. - -1. Install CRDs and Operator. +## Deploy Airlock Microgateway CNI +1. Install the CNI Plugin with Helm. + > **Note**: Certain environments such as OpenShift or GKE require non-default configurations when installing the CNI plugin. For the most common setups, values files are provided in the [chart folder](/deploy/charts/airlock-microgateway-cni). ```bash - # Create namespace - kubectl create namespace airlock-microgateway-system - - # Install License - kubectl -n airlock-microgateway-system create secret generic airlock-microgateway-license --from-file=microgateway-license.txt - - # Install Operator (CRDs are included via the standard Helm 3 mechanism, i.e. Helm will handle initial installation but not upgrades) - helm install airlock-microgateway -n airlock-microgateway-system oci://quay.io/airlockcharts/microgateway --version '4.3.1' --wait + # Standard setup + helm install airlock-microgateway-cni -n kube-system oci://quay.io/airlockcharts/microgateway-cni --version '4.3.1' + kubectl -n kube-system rollout status daemonset -l app.kubernetes.io/instance=airlock-microgateway-cni ``` + ```bash + # GKE setup + helm install airlock-microgateway-cni -n kube-system oci://quay.io/airlockcharts/microgateway-cni --version '4.3.1' -f https://raw.githubusercontent.com/airlock/microgateway/4.3.1/deploy/charts/airlock-microgateway-cni/gke-values.yaml + kubectl -n kube-system rollout status daemonset -l app.kubernetes.io/instance=airlock-microgateway-cni + ``` + ```bash + # OpenShift setup + helm install airlock-microgateway-cni -n openshift-operators oci://quay.io/airlockcharts/microgateway-cni --version '4.3.1' -f https://raw.githubusercontent.com/airlock/microgateway/4.3.1/deploy/charts/airlock-microgateway-cni/openshift-values.yaml + kubectl -n openshift-operators rollout status daemonset -l app.kubernetes.io/instance=airlock-microgateway-cni + ``` + **Important:** On OpenShift, all pods which should be protected by Airlock Microgateway must explicitly reference the Airlock Microgateway CNI NetworkAttachmentDefinition via the annotation `k8s.v1.cni.cncf.io/networks` (see [documentation](https://docs.airlock.com/microgateway/latest/#data/1658483168033.html) for details). 2. (Recommended) You can verify the correctness of the installation with `helm test`. ```bash - helm upgrade airlock-microgateway -n airlock-microgateway-system --set tests.enabled=true --reuse-values oci://quay.io/airlockcharts/microgateway --version '4.3.1' - helm test airlock-microgateway -n airlock-microgateway-system --logs - helm upgrade airlock-microgateway -n airlock-microgateway-system --set tests.enabled=false --reuse-values oci://quay.io/airlockcharts/microgateway --version '4.3.1' + # Standard and GKE setup + helm upgrade airlock-microgateway-cni -n kube-system --set tests.enabled=true --reuse-values oci://quay.io/airlockcharts/microgateway-cni --version '4.3.1' + helm test airlock-microgateway-cni -n kube-system --logs + helm upgrade airlock-microgateway-cni -n kube-system --set tests.enabled=false --reuse-values oci://quay.io/airlockcharts/microgateway-cni --version '4.3.1' + ``` + ```bash + # OpenShift setup + helm upgrade airlock-microgateway-cni -n openshift-operators --set tests.enabled=true --reuse-values oci://quay.io/airlockcharts/microgateway-cni --version '4.3.1' + helm test airlock-microgateway-cni -n openshift-operators --logs + helm upgrade airlock-microgateway-cni -n openshift-operators --set tests.enabled=false --reuse-values oci://quay.io/airlockcharts/microgateway-cni --version '4.3.1' ``` -### Upgrading CRDs - -The `helm install/upgrade` command currently does not support upgrading CRDs that already exist in the cluster. -CRDs should instead be manually upgraded before upgrading the Operator itself via the following command: -```bash -kubectl apply -k https://github.com/airlock/microgateway/deploy/charts/airlock-microgateway/crds/?ref=4.3.1 --server-side --force-conflicts -``` - -**Note**: Certain GitOps solutions such as e.g. Argo CD or Flux CD have their own mechanisms for automatically upgrading CRDs included with Helm charts. + Consult our [documentation](https://docs.airlock.com/microgateway/latest/#data/1699611533587.html) in case of any installation error. ## Support @@ -104,61 +89,33 @@ For the community edition, check our **[Airlock community forum](https://forum.a | Key | Type | Default | Description | |-----|------|---------|-------------| +| affinity | object | `{}` | Custom affinity for the DaemonSet to only deploy the CNI plugin on specific nodes. | | commonAnnotations | object | `{}` | Annotations to add to all resources. | | commonLabels | object | `{}` | Labels to add to all resources. | -| crds.skipVersionCheck | bool | `false` | Whether to skip the sanity check which prevents installing/upgrading the helm chart in a cluster with outdated Airlock Microgateway CRDs. The check aims to prevent unexpected behavior and issues due to Helm v3 not automatically upgrading CRDs which are already present in the cluster when performing a "helm install/upgrade". | -| dashboards.config.grafana.dashboardLabel.name | string | `"grafana_dashboard"` | Name of the label that lets Grafana identify ConfigMaps that represent dashboards. | -| dashboards.config.grafana.dashboardLabel.value | string | `"1"` | Value of the label that lets Grafana identify ConfigMaps that represent dashboards. | -| dashboards.config.grafana.folderAnnotation.name | string | `"grafana_folder"` | Name of the annotation containing the folder name to file dashboards into. | -| dashboards.config.grafana.folderAnnotation.value | string | `"Airlock Microgateway"` | Name of the folder dashboards are filed into within the Grafana UI. | -| dashboards.create | bool | `false` | Whether to create any ConfigMaps containing Grafana dashboards to import. | -| dashboards.instances.blockLogs.create | bool | `true` | Whether to create the block logs dashboard. | -| dashboards.instances.blockMetrics.create | bool | `true` | Whether to create the block metrics dashboard. | -| dashboards.instances.license.create | bool | `true` | Whether to create the license dashboard. | -| dashboards.instances.overview.create | bool | `true` | Whether to create the overview dashboard. | -| engine.image.digest | string | `"sha256:6be782cc3f3206bfa61f462812d2a495e114ae13c59a7cdaed7ca406d5bc1b01"` | SHA256 image digest to pull (in the format "sha256:a3051f42d3013813b05f7513bb86ed6a3209cb3003f1bb2f7b72df249aa544d3"). Overrides tag when specified. | -| engine.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for this image. | -| engine.image.repository | string | `"quay.io/airlock/microgateway-engine"` | Image repository from which to pull the Airlock Microgateway Engine image. | -| engine.image.tag | string | `"4.3.1"` | Image tag to pull. | -| engine.resources | object | `{}` | Resource restrictions to apply to the Airlock Microgateway Engine container. | -| engine.sidecar.podMonitor.create | bool | `false` | Whether to create a PodMonitor resource for monitoring. | -| engine.sidecar.podMonitor.labels | object | `{}` | Labels to add to the PodMonitor. | +| config.cniBinDir | string | `"/opt/cni/bin"` | Directory where the CNI plugin binaries reside on the host. This path can either be found in the documentation of your Kubernetes distribution or CNI provider. It can also be queried by running the command `crictl info -o go-template --template '{{.config.cni.binDir}}'` on your Kubernetes node. | +| config.cniNetDir | string | `"/etc/cni/net.d"` | Directory where the CNI config files reside on the host. This path can either be found in the documentation of your Kubernetes distribution or CNI provider. It can also be queried by running the command `crictl info -o go-template --template '{{.config.cni.confDir}}'` on your Kubernetes node. | +| config.excludeNamespaces | list | `["kube-system"]` | Namespaces for which this CNI plugin should not apply any modifications. | +| config.installMode | string | `"chained"` | Whether to install the CNI plugin as a `chained` plugin (default, required with most interface CNI providers), as a `standalone` plugin (required for use with Multus CNI, e.g. on OpenShift) or in `manual` mode, where no CNI network configuration is written. | +| config.logLevel | string | `"info"` | Log level for the CNI installer and plugin. | | fullnameOverride | string | `""` | Allows overriding the name to use as full name of resources. | +| image.digest | string | `"sha256:bdd216c8a8c56a0eee0134f67772cbd75358640a0685cf5d71add653abb2c53b"` | SHA256 image digest to pull (in the format "sha256:7144f7bab3d4c2648d7e59409f15ec52a18006a128c733fcff20d3a4a54ba44a"). Overrides tag when specified. | +| image.pullPolicy | string | `"IfNotPresent"` | Pull policy for this image. | +| image.repository | string | `"quay.io/airlock/microgateway-cni"` | Image repository from which to pull the Airlock Microgateway CNI image. | +| image.tag | string | `"4.3.1"` | Image tag to pull. | | imagePullSecrets | list | `[]` | ImagePullSecrets to use when pulling images. | -| license.secretName | string | `"airlock-microgateway-license"` | Name of the secret containing the "microgateway-license.txt" key. | -| nameOverride | string | `""` | Allows overriding the name to use instead of "microgateway". | -| networkValidator.image.digest | string | `"sha256:6626ab44066867687baa7bfcabedafce5adc50446be1207c90c3b211bd922f84"` | SHA256 image digest to pull (in the format "sha256:6626ab44066867687baa7bfcabedafce5adc50446be1207c90c3b211bd922f84"). Overrides tag when specified. | -| networkValidator.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for this image. | -| networkValidator.image.repository | string | `"cgr.dev/chainguard/netcat"` | Image repository from which to pull the netcat image for the Airlock Microgateway Network Validator init-container. | -| networkValidator.image.tag | string | `""` | Image tag to pull. | -| operator.affinity | object | `{}` | Custom affinity to apply to the operator Deployment. Used to influence the scheduling. | -| operator.config.logLevel | string | `"info"` | Operator application log level. | -| operator.image.digest | string | `"sha256:84b6eb914103d4c62024d9f761b7dd4371ea3ba8996fb04095d87ebfaf3db2bb"` | SHA256 image digest to pull (in the format "sha256:c79ee3f85862fb386e9dd62b901b607161d27807f512d7fbdece05e9ee3d7c63"). Overrides tag when specified. | -| operator.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for this image. | -| operator.image.repository | string | `"quay.io/airlock/microgateway-operator"` | Image repository from which to pull the Airlock Microgateway Operator image. | -| operator.image.tag | string | `"4.3.1"` | Image tag to pull. | -| operator.nodeSelector | object | `{}` | Custom nodeSelector to apply to the operator Deployment in order to constrain its Pods to certain nodes. | -| operator.podAnnotations | object | `{}` | Annotations to add to all Pods. | -| operator.podLabels | object | `{}` | Labels to add to all Pods. | -| operator.rbac.create | bool | `true` | Whether to create RBAC resources which are required for the Airlock Microgateway Operator to function. | -| operator.replicaCount | int | `2` | Number of replicas for the operator Deployment. | -| operator.resources | object | `{}` | Resource restrictions to apply to the operator container. | -| operator.serviceAccount.annotations | object | `{}` | Annotations to add to the ServiceAccount. | -| operator.serviceAccount.create | bool | `true` | Whether a ServiceAccount should be created. | -| operator.serviceAccount.name | string | `""` | Name of the ServiceAccount to use. If not set and create is true, a name is generated using the fullname template. | -| operator.serviceAnnotations | object | `{}` | Annotations to add to the Service. | -| operator.serviceLabels | object | `{}` | Labels to add to the Service. | -| operator.serviceMonitor.create | bool | `false` | Whether to create a ServiceMonitor resource for monitoring. | -| operator.serviceMonitor.labels | object | `{}` | Labels to add to the ServiceMonitor. | -| operator.tolerations | list | `[]` | Custom tolerations to apply to the operator Deployment in order to allow its Pods to run on tainted nodes. | -| operator.updateStrategy | object | `{"type":"RollingUpdate"}` | Specifies the operator update strategy. | -| operator.watchNamespaceSelector | object | `{}` | Allows to dynamically select watch namespaces of the operator and the scope of the webhooks based on a Namespace label selector. It is able to detect and reconcile resources in all namespaces that match the label selector automatically, even for new namespaces, without restarting the operator. This facilitates a dynamic `MultiNamespace` installation mode, but still requires cluster-scoped permissions (i.e., ClusterRoles and ClusterRoleBindings). An `AllNamespaces` installation or the usage of the `watchNamespaces` requires the `watchNamespaceSelector` to be empty. Please note that this feature requires a Premium license. | -| operator.watchNamespaces | list | `[]` | Allows to restrict the operator to specific namespaces, depending on your needs. For a `OwnNamespace` or `SingleNamespace` installation the list may only contain one namespace (e.g., `watchNamespaces: ["airlock-microgateway-system"]`). In case of the `OwnNamespace` installation mode the specified namespace should be equal to the installation namespace. For a static `MultiNamespace` installation, the complete list of namespaces must be provided in the `watchNamespaces`. An `AllNamespaces` installation or the usage of the `watchNamespaceSelector` requires the `watchNamespaces` to be empty. Regardless of the installation modes supported by `watchNamespaces`, RBAC is created only namespace-scoped (using Roles and RoleBindings) in the respective namespaces. Please note that this feature requires a Premium license. | -| sessionAgent.image.digest | string | `"sha256:d62bdb16c74d340a81791be1696d620950d8232437676910bb6e5548411f2afd"` | SHA256 image digest to pull (in the format "sha256:a3051f42d3013813b05f7513bb86ed6a3209cb3003f1bb2f7b72df249aa544d3"). Overrides tag when specified. | -| sessionAgent.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for this image. | -| sessionAgent.image.repository | string | `"quay.io/airlock/microgateway-session-agent"` | Image repository from which to pull the Airlock Microgateway Session Agent image. | -| sessionAgent.image.tag | string | `"4.3.1"` | Image tag to pull. | -| sessionAgent.resources | object | `{}` | Resource restrictions to apply to the Airlock Microgateway Session Agent container. | +| multusNetworkAttachmentDefinition.create | bool | `false` | Whether a NetworkAttachmentDefinition CR should be created, which can be used for applying the CNI plugin to Pods. | +| multusNetworkAttachmentDefinition.namespace | string | `"default"` | Namespace in which the NetworkAttachmentDefinition is deployed. Note: If namespace is set to a custom value, referencing the created NetworkAttachmentDefinition from other namespaces may not work if Multus namespace isolation is enabled. https://github.com/k8snetworkplumbingwg/multus-cni/blob/v4.0.2/docs/configuration.md#namespace-isolation | +| nameOverride | string | `""` | Allows overriding the name to use instead of "microgateway-cni". | +| nodeSelector | object | `{"kubernetes.io/os":"linux"}` | NodeSelector to apply to the CNI DaemonSet in order to only deploy the CNI plugin on specific nodes. | +| podAnnotations | object | `{}` | Annotations to add to all Pods. | +| podLabels | object | `{}` | Labels to add to all Pods. | +| privileged | bool | `false` | Whether the DaemonSet should run in privileged mode. Must be enabled for environments which require it for writing files to the host (e.g. OpenShift). | +| rbac.create | bool | `true` | Whether to create RBAC resources which are required for the CNI plugin to function. | +| rbac.createSCCRole | OpenShift | `false` | Whether to create RBAC resources which allow the CNI installer to use the "privileged" security context constraint. | +| resources | object | `{"requests":{"cpu":"10m","memory":"100Mi"}}` | Resource restrictions to apply to the CNI installer container. | +| serviceAccount.annotations | object | `{}` | Annotations to add to the ServiceAccount. | +| serviceAccount.create | bool | `true` | Whether a ServiceAccount should be created. | +| serviceAccount.name | string | `""` | Name of the ServiceAccount to use. If not set and create is true, a name is generated using the fullname template. | | tests.enabled | bool | `false` | Whether additional resources required for running `helm test` should be created (e.g. Roles and ServiceAccounts). If set to false, `helm test` will not run any tests. | ## License diff --git a/charts/airlock/microgateway/4.3.1/app-readme.md b/charts/airlock/microgateway/4.3.1/app-readme.md deleted file mode 100644 index e32cac025..000000000 --- a/charts/airlock/microgateway/4.3.1/app-readme.md +++ /dev/null @@ -1,28 +0,0 @@ -# Airlock Microgateway - -*Airlock Microgateway is a Kubernetes native WAAP (Web Application and API Protection) solution to protect microservices.* - -## Features -* Kubernetes native integration with its Operator, Custom Resource Definitions, hot-reload, automatic sidecar injection. -* Reverse proxy functionality with request routing rules, TLS termination and remote IP extraction -* Using native Envoy HTTP filters like Lua scripting, RBAC, ext_authz, JWT authentication -* Content security filters for protecting against known attacks (OWASP Top 10) -* Access control to allow only authenticated users to access the protected services -* API security features like JSON parsing or OpenAPI specification enforcement - -For a list of all features, view the **[comparison of the community and premium edition](https://docs.airlock.com/microgateway/latest/#data/1675772882054.html)**. - -## Requirements -* [Airlock Microgateway CNI Helm Chart](https://artifacthub.io/packages/helm/airlock-microgateway-cni/microgateway-cni) (Also available as Rancher Chart) -* [Airlock Microgateway License](https://github.com/airlock/microgateway?tab=readme-ov-file#obtain-airlock-microgateway-license) (After obtaining the license install it according to the [documentation](https://github.com/airlock/microgateway?tab=readme-ov-file#deploy-airlock-microgateway-operator)) -* [cert-manager](https://cert-manager.io/docs/installation/) - -## Documentation and links - -Check the official documentation at **[docs.airlock.com](https://docs.airlock.com/microgateway/latest/)** or the product website at **[airlock.com/microgateway](https://www.airlock.com/en/microgateway)**. The links below point out the most interesting documentation sites when starting with Airlock Microgateway. - -* [Getting Started](https://docs.airlock.com/microgateway/latest/#data/1660804708742.html) -* [System Architecture](https://docs.airlock.com/microgateway/latest/#data/1660804709650.html) -* [Installation](https://docs.airlock.com/microgateway/latest/#data/1660804708637.html) -* [Troubleshooting](https://docs.airlock.com/microgateway/latest/#data/1659430054787.html) -* [GitHub](https://github.com/airlock/microgateway) \ No newline at end of file diff --git a/charts/airlock/microgateway/4.3.1/crds/accesscontrols.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.3.1/crds/accesscontrols.microgateway.airlock.com.yaml deleted file mode 100644 index bdca25f86..000000000 --- a/charts/airlock/microgateway/4.3.1/crds/accesscontrols.microgateway.airlock.com.yaml +++ /dev/null @@ -1,124 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - app.kubernetes.io/name: airlock-microgateway-operator - app.kubernetes.io/version: 4.3.1 - name: accesscontrols.microgateway.airlock.com -spec: - group: microgateway.airlock.com - names: - categories: - - airlock-microgateway - kind: AccessControl - listKind: AccessControlList - plural: accesscontrols - singular: accesscontrol - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - description: AccessControl specifies the options to perform access control with a Microgateway Engine container. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Specifies how the Airlock Microgateway Engine performs access control. - properties: - policies: - description: Policies configures access control policies. - items: - properties: - authorization: - description: Authorization configures how requests are authorized. An empty object value {} disables authorization. - properties: - authentication: - description: Authentication specifies that clients need to be authenticated with the provided method. - properties: - oidc: - description: OIDC configures client authentication using OpenID Connect. - properties: - oidcRelyingPartyRef: - description: OIDCRelyingPartyRef configures how the Airlock Microgateway Engine interacts with the OpenID provider. - properties: - name: - description: Name of the resource - minLength: 1 - type: string - required: - - name - type: object - required: - - oidcRelyingPartyRef - type: object - type: object - type: object - identityPropagation: - description: IdentityPropagation configures how the authenticated user's identity is communicated to the protected application. - properties: - actions: - description: Actions specifies the propagation actions. - items: - properties: - identityPropagationRef: - description: IdentityPropagationRef selects an IdentityPropagation to apply. - properties: - name: - description: Name of the resource - minLength: 1 - type: string - required: - - name - type: object - required: - - identityPropagationRef - type: object - type: array - onFailure: - description: |- - OnFailure configures what should happen, if an identity propagation fails. Meaning of the possible values: - _Pass_: The request should be forwarded to the upstream, without including the information from the failed identity propagations. - enum: - - Pass - type: string - required: - - actions - - onFailure - type: object - required: - - authorization - type: object - maxItems: 1 - minItems: 1 - type: array - required: - - policies - type: object - required: - - spec - type: object - served: true - storage: true - subresources: {} diff --git a/charts/airlock/microgateway/4.3.1/crds/contentsecurities.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.3.1/crds/contentsecurities.microgateway.airlock.com.yaml deleted file mode 100644 index 0172657b5..000000000 --- a/charts/airlock/microgateway/4.3.1/crds/contentsecurities.microgateway.airlock.com.yaml +++ /dev/null @@ -1,139 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - app.kubernetes.io/name: airlock-microgateway-operator - app.kubernetes.io/version: 4.3.1 - name: contentsecurities.microgateway.airlock.com -spec: - group: microgateway.airlock.com - names: - categories: - - airlock-microgateway - kind: ContentSecurity - listKind: ContentSecurityList - plural: contentsecurities - singular: contentsecurity - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - description: ContentSecurity specifies the options to secure an upstream web application with a Microgateway Engine container. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Specifies the options to secure an upstream web application with a Microgateway Engine container. - properties: - apiProtection: - description: |- - APIProtection defines the relevant configurations to protect APIs. - If undefined, default settings are applied, designed to work with most upstream web application services. - properties: - graphQLRef: - description: |- - GraphQLRef selects the relevant GraphQL configuration resource. - If undefined, default settings are applied, designed to work with most upstream web application services. - properties: - name: - description: Name of the resource - minLength: 1 - type: string - required: - - name - type: object - openAPIRef: - description: |- - OpenAPIRef selects the relevant OpenAPI configuration resource. - If undefined, default settings are applied, designed to work with most upstream web application services. - properties: - name: - description: Name of the resource - minLength: 1 - type: string - required: - - name - type: object - type: object - filter: - description: |- - Filter defines the set of filters, e.g. Airlock Deny Rules, to be applied to incoming requests - to protect against various attack patterns. - If undefined, default settings are applied, designed to work with most upstream web application services. - properties: - denyRulesRef: - description: |- - DenyRulesRef selects the relevant DenyRules configuration resource. - If undefined, default settings are applied, designed to work with most upstream web application services. - properties: - name: - description: Name of the resource - minLength: 1 - type: string - required: - - name - type: object - type: object - headerRewritesRef: - description: |- - HeaderRewritesRef selects the relevant HeaderRewrites. - If undefined, default settings are applied, designed to work with most upstream web application services. - properties: - name: - description: Name of the resource - minLength: 1 - type: string - required: - - name - type: object - limitsRef: - description: |- - LimitsRef selects the relevant Limits configuration resource. - If undefined, default settings are applied, designed to work with most upstream web application services. - properties: - name: - description: Name of the resource - minLength: 1 - type: string - required: - - name - type: object - parserRef: - description: |- - ParserRef selects the relevant Parser configuration resource. - If undefined, default settings are applied, designed to work with most upstream web application services. - properties: - name: - description: Name of the resource - minLength: 1 - type: string - required: - - name - type: object - type: object - type: object - served: true - storage: true - subresources: {} diff --git a/charts/airlock/microgateway/4.3.1/crds/denyrules.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.3.1/crds/denyrules.microgateway.airlock.com.yaml deleted file mode 100644 index 6a73d53db..000000000 --- a/charts/airlock/microgateway/4.3.1/crds/denyrules.microgateway.airlock.com.yaml +++ /dev/null @@ -1,1804 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - app.kubernetes.io/name: airlock-microgateway-operator - app.kubernetes.io/version: 4.3.1 - name: denyrules.microgateway.airlock.com -spec: - group: microgateway.airlock.com - names: - categories: - - airlock-microgateway - kind: DenyRules - listKind: DenyRulesList - plural: denyrules - singular: denyrules - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - DenyRules configures request filtering using Airlock built-in and custom deny rules. - Deny rules establish a negative security model. They define prohibited patterns which, when a match is found in a request, lead to it being blocked from reaching the upstream web application. - To handle possible false positives, lower the security level or define fine-granular deny rule exceptions - If undefined, default settings are applied, designed to work with most upstream web application services. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Specification of the desired deny rules behavior. - properties: - request: - description: Request configures deny rules for downstream requests. - properties: - builtIn: - description: BuiltIn configures the built-in deny rules. - properties: - exceptions: - description: Exceptions allows to define exceptions for specific requests and deny rules. - items: - description: |- - DenyRulesException defines an exception for deny rules. Exceptions may be defined by any or a combination of the following elements: blockedData (the request data causing a block) or requestConditions (properties of a request without taking into consideration the reason why a request has been blocked). - At least one of blockedData and requestConditions must be set. - properties: - blockedData: - description: BlockedData defines an exception based on the request data causing the block. - properties: - graphQL: - description: |- - GraphQL defines an exception based on a blocked GraphQL query. - Only one of parameter, header, path, pathSegment, json or graphQL can be set. - properties: - argument: - description: |- - Argument defines an argument of a field of the GraphQL query. - At least one of field, argument and value must be set. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - field: - description: |- - Field defines a field of the GraphQL query. - At least one of field, argument and value must be set. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - value: - description: |- - Value defines the value of an argument of the GraphQL query. - At least one of field, argument and value must be set. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - type: object - header: - description: |- - Header defines an exception based on a blocked header. - Only one of parameter, header, path, pathSegment, json or graphQL can be set. - properties: - name: - description: Name defines the name of a header. - properties: - matcher: - description: Matcher defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - value: - description: Value defines the value of a header. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - type: object - json: - description: |- - JSON defines an exception based on a blocked JSON property. - Only one of parameter, header, path, pathSegment, json or graphQL can be set. - properties: - jsonPath: - description: |- - JSONPath defines the JSONPath pattern to match the path within the JSON. - Expressions in JSONPath i.e. `?(expr)` are not supported. - minLength: 1 - type: string - key: - description: |- - Key defines the key of the JSON property. - At most one of key and value can be set. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - value: - description: |- - Value defines the value of the JSON property. - At most one of key and value can be set. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - type: object - parameter: - description: |- - Parameter defines an exception based on a blocked parameter. - Only one of parameter, header, path, pathSegment, json or graphQL can be set. - properties: - name: - description: Name defines the name of a parameter. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - source: - default: Any - description: Source defines the source of the parameter. - enum: - - Query - - Post - - Any - type: string - value: - description: Value defines the value of a parameter. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - type: object - path: - description: |- - Path defines an exception based on the blocked path. - Only one of parameter, header, path, pathSegment, json or graphQL can be set. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - pathSegment: - description: |- - PathSegment defines an exception based on a blocked path segment. - Only one of parameter, header, path, pathSegment, json or graphQL can be set. - properties: - segments: - description: Segments defines the position of a segment within the path. - properties: - index: - description: Index specifies an exact path segment position by index (0-based). - minimum: 0 - type: integer - type: object - value: - description: Value defines the value of a path segment. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - type: object - type: object - requestConditions: - description: RequestConditions defines an exception based on a property of a request without taking into consideration the reason why a request has been blocked. - properties: - header: - description: Header defines the matching headers of a request. - properties: - name: - description: Name defines the name of a header. - properties: - matcher: - description: Matcher defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - value: - description: Value defines the value of a header. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - type: object - invert: - default: false - description: Invert indicates whether the request condition should be inverted. - type: boolean - mediaType: - description: MediaType defines the matching media type from the content-type header of a request. - properties: - matcher: - description: |- - NonInvertableCaseInsensitiveStringMatcher defines the way to match a string. - In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - method: - description: Method defines the matching methods of a request. - items: - description: Method defines common HTTP methods. - enum: - - GET - - HEAD - - POST - - PUT - - PATCH - - DELETE - - CONNECT - - OPTIONS - - TRACE - type: string - type: array - path: - description: Path defines the matching path of a request. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - remoteIP: - description: RemoteIP defines the matching remote IPs of a request. - properties: - cidrRanges: - description: CIDRRanges defines the IPv4 or IPv6 CIDR ranges, e.g. ``196.148.3.128/26`` or ``2001:db8::/28``. - items: - description: CIDRRange defines an IPv4 or IPv6 CIDR range, e.g. “196.148.3.128/26“ or “2001:db8::/28“. - format: cidr - type: string - minItems: 1 - type: array - invert: - default: false - description: Invert indicates whether the match should be inverted. - type: boolean - required: - - cidrRanges - type: object - type: object - ruleKeys: - description: RuleKeys restricts the exception to a set of deny rules. - items: - description: |- - A deny rule name can be any of the following values: - ENCODING | - EXPLOIT | - HPP | - HTML | - IDOR | - LDAP | - NOSQL | - OGNL | - PHP | - PROTOCOL | - SANITY | - SCANNING | - SQL | - TEMPLATE | - UNIXCMD | - WINCMD | - XSS - enum: - - ENCODING - - EXPLOIT - - HPP - - HTML - - IDOR - - LDAP - - NOSQL - - OGNL - - PHP - - PROTOCOL - - SANITY - - SCANNING - - SQL - - TEMPLATE - - UNIXCMD - - WINCMD - - XSS - type: string - minItems: 1 - type: array - type: object - type: array - overrides: - description: Overrides allows to override the builtIn settings for specific deny rules. - items: - description: DenyRulesOverride allows to override the builtIn settings for specific deny rules. - properties: - conditions: - description: Conditions select which built-in deny rules' settings will be adjusted. - properties: - ruleKeys: - description: RuleKeys is a list of built-in deny rule names. - items: - description: |- - A deny rule name can be any of the following values: - ENCODING | - EXPLOIT | - HPP | - HTML | - IDOR | - LDAP | - NOSQL | - OGNL | - PHP | - PROTOCOL | - SANITY | - SCANNING | - SQL | - TEMPLATE | - UNIXCMD | - WINCMD | - XSS - enum: - - ENCODING - - EXPLOIT - - HPP - - HTML - - IDOR - - LDAP - - NOSQL - - OGNL - - PHP - - PROTOCOL - - SANITY - - SCANNING - - SQL - - TEMPLATE - - UNIXCMD - - WINCMD - - XSS - type: string - minItems: 1 - type: array - types: - description: Types defines the type of attributes the override should be applied on. If Types are defined without any RuleKeys the override is applied to all deny rules. - items: - description: |- - A deny rule override type name can be any of the following values: - Header | - Parameter | - Path | - JSON | - GraphQL - enum: - - Header - - Parameter - - Path - - PathSegment - - JSON - - GraphQL - type: string - minItems: 0 - type: array - type: object - settings: - description: Settings override the corresponding properties for the selected rules. - properties: - level: - description: Level specifies the filter strength. - enum: - - Unfiltered - - Basic - - Standard - - Strict - type: string - threatHandlingMode: - description: ThreatHandlingMode specifies how threats should be handled. - enum: - - Block - - LogOnly - type: string - type: object - type: object - type: array - settings: - description: Settings contains the keys which will be adjusted. - properties: - level: - default: Standard - description: Level represents a set of deny rules with different filter strengths. - enum: - - Unfiltered - - Basic - - Standard - - Strict - type: string - threatHandlingMode: - default: Block - description: ThreatHandlingMode specifies how threats should be handled when a deny rule matches. - enum: - - Block - - LogOnly - type: string - type: object - type: object - custom: - description: Custom allows configuring additional deny rules. - properties: - rules: - description: Rules defines list of additional deny rules. - items: - properties: - blockData: - description: BlockData specifies the request data which should cause a block. - properties: - graphQL: - description: |- - GraphQL specifies to block requests containing a matching GraphQL property. - At least one of field, argument and value must be set. - properties: - argument: - description: |- - Argument defines an argument of a field of the GraphQL query. - At least one of field, argument and value must be set. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - field: - description: |- - Field defines a field of the GraphQL query. - At least one of field, argument and value must be set. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - value: - description: |- - Value defines the value of an argument of the GraphQL query. - At least one of field, argument and value must be set. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - type: object - header: - description: |- - Header specifies to block requests containing a matching header. - Only one of parameter, header, path, pathSegment or json can be set. - properties: - name: - description: Name defines the name of a header. - properties: - matcher: - description: |- - NonInvertableCaseInsensitiveStringMatcher defines the way to match a string. - In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - value: - description: Value defines the value of a header. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - type: object - json: - description: |- - JSON specifies to block requests containing a matching JSON property in the body. - Only one of parameter, header, path, pathSegment or json can be set. - properties: - key: - description: Key defines the key of a JSON object. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - value: - description: Value defines the value of a JSON object. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - type: object - parameter: - description: |- - Parameter specifies to block requests containing a matching parameter. - Only one of parameter, header, path, pathSegment or json can be set. - properties: - name: - description: Name defines the name of a parameter. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - value: - description: Value defines the value of a parameter. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - type: object - path: - description: |- - Path specifies to block requests with a matching path. - Only one of parameter, header, path, pathSegment or json can be set. - properties: - matcher: - description: Matcher specifies which path to block. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - pathSegment: - description: |- - PathSegment specifies to block requests containing a matching path segment. - Only one of parameter, header, path, pathSegment or json can be set. - properties: - segments: - description: |- - Segments restricts which path segments are filtered by this rule. - If not specified, all segments of a path are filtered. - properties: - index: - description: Index restricts the rule to the path segment at this index (0-based). - minimum: 0 - type: integer - type: object - value: - description: Value specifies which path segment values to block. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - required: - - value - type: object - type: object - requestConditions: - description: RequestConditions defines additional request properties which must be matched in order for this rule to apply. - properties: - header: - description: Header defines the matching headers of a request. - properties: - name: - description: Name defines the name of a header. - properties: - matcher: - description: Matcher defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - value: - description: Value defines the value of a header. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - type: object - invert: - default: false - description: Invert indicates whether the request condition should be inverted. - type: boolean - mediaType: - description: MediaType defines the matching media type from the content-type header of a request. - properties: - matcher: - description: |- - NonInvertableCaseInsensitiveStringMatcher defines the way to match a string. - In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - method: - description: Method defines the matching methods of a request. - items: - description: Method defines common HTTP methods. - enum: - - GET - - HEAD - - POST - - PUT - - PATCH - - DELETE - - CONNECT - - OPTIONS - - TRACE - type: string - type: array - path: - description: Path defines the matching path of a request. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - remoteIP: - description: RemoteIP defines the matching remote IPs of a request. - properties: - cidrRanges: - description: CIDRRanges defines the IPv4 or IPv6 CIDR ranges, e.g. ``196.148.3.128/26`` or ``2001:db8::/28``. - items: - description: CIDRRange defines an IPv4 or IPv6 CIDR range, e.g. “196.148.3.128/26“ or “2001:db8::/28“. - format: cidr - type: string - minItems: 1 - type: array - invert: - default: false - description: Invert indicates whether the match should be inverted. - type: boolean - required: - - cidrRanges - type: object - type: object - ruleKey: - description: RuleKey defines a technical key for the deny rule. Must be unique. - minLength: 1 - pattern: ^[A-Z][A-Z0-9_]*$ - type: string - threatHandlingMode: - default: Block - description: ThreatHandlingMode specifies how threats should be handled when a deny rule matches. - enum: - - Block - - LogOnly - type: string - required: - - blockData - - ruleKey - type: object - type: array - x-kubernetes-list-map-keys: - - ruleKey - x-kubernetes-list-type: map - type: object - type: object - type: object - type: object - served: true - storage: true - subresources: {} diff --git a/charts/airlock/microgateway/4.3.1/crds/envoyhttpfilters.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.3.1/crds/envoyhttpfilters.microgateway.airlock.com.yaml deleted file mode 100644 index e0b7bb9fb..000000000 --- a/charts/airlock/microgateway/4.3.1/crds/envoyhttpfilters.microgateway.airlock.com.yaml +++ /dev/null @@ -1,58 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - app.kubernetes.io/name: airlock-microgateway-operator - app.kubernetes.io/version: 4.3.1 - name: envoyhttpfilters.microgateway.airlock.com -spec: - group: microgateway.airlock.com - names: - categories: - - airlock-microgateway - kind: EnvoyHTTPFilter - listKind: EnvoyHTTPFilterList - plural: envoyhttpfilters - singular: envoyhttpfilter - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - description: EnvoyHTTPFilter is an additional Envoy HTTP Filter resource which is added to those defined by the Airlock Microgateway. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Specification of the desired additional Envoy HTTP filter. - properties: - value: - description: Value defines the HTTP filter which is added to those configured by the Airlock Microgateway. - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - served: true - storage: true - subresources: {} diff --git a/charts/airlock/microgateway/4.3.1/crds/graphqls.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.3.1/crds/graphqls.microgateway.airlock.com.yaml deleted file mode 100644 index 43a8b6fc3..000000000 --- a/charts/airlock/microgateway/4.3.1/crds/graphqls.microgateway.airlock.com.yaml +++ /dev/null @@ -1,88 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - app.kubernetes.io/name: airlock-microgateway-operator - app.kubernetes.io/version: 4.3.1 - name: graphqls.microgateway.airlock.com -spec: - group: microgateway.airlock.com - names: - categories: - - airlock-microgateway - kind: GraphQL - listKind: GraphQLList - plural: graphqls - singular: graphql - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: GraphQL contains the configuration for the GraphQL specification. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Specification of the desired GraphQL specification. - properties: - settings: - description: Settings defines the settings to configure GraphQL. - properties: - allowIntrospection: - default: true - description: AllowIntrospection specifies if the introspection system is exposed. - type: boolean - allowMutations: - default: true - description: AllowMutations specifies if mutations are allowed. - type: boolean - schema: - description: Specifies the GraphQL schema. - properties: - source: - description: Source specifies the GraphQL schema to be enforced. - properties: - configMapRef: - description: ConfigMapRef references the configmap by its name containing the well-known key 'schema.graphql'. - properties: - name: - description: Name of the resource - minLength: 1 - type: string - required: - - name - type: object - type: object - required: - - source - type: object - threatHandlingMode: - default: Block - description: ThreatHandlingMode specifies how threats should be handled. - enum: - - Block - - LogOnly - type: string - type: object - type: object - type: object - served: true - storage: true diff --git a/charts/airlock/microgateway/4.3.1/crds/headerrewrites.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.3.1/crds/headerrewrites.microgateway.airlock.com.yaml deleted file mode 100644 index 0916edd28..000000000 --- a/charts/airlock/microgateway/4.3.1/crds/headerrewrites.microgateway.airlock.com.yaml +++ /dev/null @@ -1,759 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - app.kubernetes.io/name: airlock-microgateway-operator - app.kubernetes.io/version: 4.3.1 - name: headerrewrites.microgateway.airlock.com -spec: - group: microgateway.airlock.com - names: - categories: - - airlock-microgateway - kind: HeaderRewrites - listKind: HeaderRewritesList - plural: headerrewrites - singular: headerrewrites - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: HeaderRewrites is the Schema for the headerrewrites API - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Specification of the desired header rewriting behavior. - properties: - request: - description: Request defines manipulations on upstream request headers. - properties: - add: - description: Add defines which request headers will be added before forwarding to the upstream. - properties: - custom: - description: |- - Custom allows configuring additional upstream request headers. - Add selected headers. - items: - properties: - headers: - description: Headers to add. - items: - description: HeaderRewritesHeader specifies a header with a particular value - properties: - name: - description: Name defines the name of a header. - minLength: 1 - type: string - value: - description: Value defines the value of a header. - type: string - required: - - name - - value - type: object - minItems: 1 - type: array - mode: - default: AddIfAbsent - description: Mode defines the header addition strategy. - enum: - - AddIfAbsent - - OverwriteOrAdd - type: string - name: - description: Name describing the configured operation. - minLength: 1 - type: string - required: - - headers - - name - type: object - minItems: 1 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - type: object - allow: - description: |- - Allow defines which request headers will be forwarded to the upstream. - This can either be allHeaders or matchingHeaders. - Default: matchingHeaders: {...} - properties: - allHeaders: - description: AllHeaders specifies that all request headers should be forwarded. - type: object - matchingHeaders: - description: MatchingHeaders specifies which request headers should be forwarded. - properties: - builtIn: - description: BuiltIn allows configuring a set of predefined upstream request headers. - properties: - standardHeaders: - default: true - description: StandardHeaders defines whether the request headers which are forwarded to the upstream will be restricted to a set of common request headers. - type: boolean - type: object - custom: - description: Custom allows configuring additional upstream request headers. - items: - properties: - headers: - description: Headers to allow. - items: - description: |- - HeaderMatcher defines a matcher for an HTTP header. - At least one of name and value must be set. - properties: - name: - description: Name defines the name of a header. - properties: - matcher: - description: Matcher defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - value: - description: Value defines the value of a header. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - type: object - minItems: 1 - type: array - name: - description: Name describing the configured operation. Must be unique. - minLength: 1 - type: string - required: - - headers - - name - type: object - minItems: 1 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - type: object - type: object - remove: - description: Remove defines which request headers will be removed before forwarding to the upstream. - properties: - builtIn: - description: BuiltIn allows configuring a set of predefined upstream request headers. - properties: - alternativeForwardedHeaders: - default: true - description: |- - AlternativeForwardedHeaders removes downstream request headers which could potentially - be abused to alter the upstream's view of the remote connection. - type: boolean - type: object - custom: - description: Custom allows configuring additional upstream request headers. - items: - properties: - headers: - description: Headers to remove. - items: - description: |- - HeaderMatcher defines a matcher for an HTTP header. - At least one of name and value must be set. - properties: - name: - description: Name defines the name of a header. - properties: - matcher: - description: Matcher defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - value: - description: Value defines the value of a header. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - type: object - minItems: 1 - type: array - name: - description: Name describing the configured operation. Must be unique. - minLength: 1 - type: string - required: - - headers - - name - type: object - minItems: 1 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - type: object - type: object - response: - description: Response defines manipulations on upstream response headers. - properties: - add: - description: Add defines which response headers will be added before forwarding to the downstream. - properties: - builtIn: - description: BuiltIn allows configuring a set of predefined upstream response headers. - properties: - csp: - default: true - description: |- - CSP sets a content security policy which allows only same-origin requests except for images - if the 'Content-Security-Policy' header is not set by the upstream. - type: boolean - featurePolicy: - default: false - description: |- - FeaturePolicy sets a feature policy which prevents cross-origin use of several browser features - if the 'Feature-Policy' header is not set by the upstream. - **Deprecated:** Use permissionsPolicy instead. - type: boolean - hsts: - default: true - description: HSTS enforces the use of HTTPS if the 'Strict-Transport-Security' header is not already set by the upstream. - type: boolean - hstsPreload: - default: false - description: HSTSPreload enforces the use of HTTPS including for subdomains and enables HSTS preload. - type: boolean - permissionsPolicy: - default: true - description: |- - PermissionsPolicy sets a permissions policy which prevents cross-origin use of several browser features - if the 'Permissions-Policy' header is not set by the upstream. - type: boolean - referrerPolicy: - default: true - description: |- - ReferrerPolicy ensures that no 'Referer' header is sent for cross-origin requests - if the 'Referrer-Policy' header is not set by the upstream. - type: boolean - xContentTypeOptions: - default: true - description: XContentTypeOptions sets 'X-Content-Type-Options' to 'nosniff' if it is not set by the upstream. - type: boolean - xFrameOptions: - default: true - description: XFrameOptions sets 'X-Frame-Options' to SAMEORIGIN if it is not set by the upstream. - type: boolean - type: object - custom: - description: Custom allows configuring additional upstream response headers. - items: - properties: - headers: - description: Headers to add. - items: - description: HeaderRewritesHeader specifies a header with a particular value - properties: - name: - description: Name defines the name of a header. - minLength: 1 - type: string - value: - description: Value defines the value of a header. - type: string - required: - - name - - value - type: object - minItems: 1 - type: array - mode: - default: AddIfAbsent - description: Mode defines the header addition strategy. - enum: - - AddIfAbsent - - OverwriteOrAdd - type: string - name: - description: Name describing the configured operation. - minLength: 1 - type: string - required: - - headers - - name - type: object - minItems: 1 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - type: object - allow: - description: |- - Allow defines which response headers will be forwarded to the downstream. - This can either be allHeaders or matchingHeaders. - Default: allHeaders: {} - properties: - allHeaders: - description: AllHeaders specifies that all response headers should be forwarded. - type: object - matchingHeaders: - description: MatchingHeaders specifies which response headers should be forwarded. - properties: - builtIn: - description: BuiltIn allows configuring a set of predefined upstream response header. - properties: - standardHeaders: - default: false - description: StandardHeaders defines whether the response headers which are forwarded to the downstream will be restricted to a set of common response headers. - type: boolean - type: object - custom: - description: Custom allows configuring additional upstream response headers. - items: - properties: - headers: - description: Headers to allow. - items: - description: |- - HeaderMatcher defines a matcher for an HTTP header. - At least one of name and value must be set. - properties: - name: - description: Name defines the name of a header. - properties: - matcher: - description: Matcher defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - value: - description: Value defines the value of a header. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - type: object - minItems: 1 - type: array - name: - description: Name describing the configured operation. Must be unique. - minLength: 1 - type: string - required: - - headers - - name - type: object - minItems: 1 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - type: object - type: object - remove: - description: Remove defines which response headers will be removed before forwarding to the downstream. - properties: - builtIn: - description: BuiltIn allows configuring a set of predefined upstream response headers. - properties: - auth: - description: Auth defines the categories of headers concerning authentication. - properties: - basic: - default: false - description: Basic removes upstream response headers that advise clients to authenticate with Basic Authentication. - type: boolean - negotiate: - default: true - description: Negotiate removes upstream response headers that advise clients to authenticate with Negotiate. - type: boolean - ntlm: - default: true - description: |- - NTLM removes upstream response headers that advise clients to authenticate with NTLM. - By default, these headers are removed, because NTLM pass-through is not supported. - type: boolean - type: object - informationLeakage: - description: InformationLeakage defines the categories of headers concerning information leakage. - properties: - application: - default: true - description: Application removes upstream response headers that leak information about the deployed software. - type: boolean - server: - default: true - description: Server removes upstream response headers that leak information about the server. - type: boolean - type: object - permissiveCors: - default: true - description: PermissiveCORS removes upstream response headers for CORS (Cross-Origin Resource Sharing) which have no restrictions and therefore reduce client-side security. - type: boolean - type: object - custom: - description: Custom allows configuring additional upstream response headers. - items: - properties: - headers: - description: Headers to remove. - items: - description: |- - HeaderMatcher defines a matcher for an HTTP header. - At least one of name and value must be set. - properties: - name: - description: Name defines the name of a header. - properties: - matcher: - description: Matcher defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - value: - description: Value defines the value of a header. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - type: object - minItems: 1 - type: array - name: - description: Name describing the configured remove operation. Must be unique. - minLength: 1 - type: string - required: - - headers - - name - type: object - minItems: 1 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - type: object - type: object - settings: - description: Settings configures the HeaderRewrites filter. - properties: - operationalMode: - default: Production - description: OperationalMode defines the behavior of the filter. In integration mode more information is logged about the requests and responses. - enum: - - Production - - Integration - type: string - type: object - type: object - type: object - served: true - storage: true diff --git a/charts/airlock/microgateway/4.3.1/crds/identitypropagations.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.3.1/crds/identitypropagations.microgateway.airlock.com.yaml deleted file mode 100644 index 7cf5a5ce7..000000000 --- a/charts/airlock/microgateway/4.3.1/crds/identitypropagations.microgateway.airlock.com.yaml +++ /dev/null @@ -1,108 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - app.kubernetes.io/name: airlock-microgateway-operator - app.kubernetes.io/version: 4.3.1 - name: identitypropagations.microgateway.airlock.com -spec: - group: microgateway.airlock.com - names: - categories: - - airlock-microgateway - kind: IdentityPropagation - listKind: IdentityPropagationList - plural: identitypropagations - singular: identitypropagation - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - description: IdentityPropagation specifies the desired identity propagation. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Specification of the desired identity propagation. - properties: - header: - description: Header configures identity propagation via a request header. - properties: - name: - description: Name of the header to set. - minLength: 1 - type: string - value: - description: Value to propagate to the application. - properties: - source: - description: Source from which to extract the value. - properties: - metadata: - description: Metadata specifies to extract a value from an Envoy dynamic filter metadata key. - properties: - key: - description: Key specifies the metadata key from which to load the value, e.g. `some_payload.aud`. - minLength: 1 - type: string - namespace: - description: Namespace specifies the metadata namespace within which the lookup should be performed, e.g. `envoy.filters.http.jwt_authn`. - minLength: 1 - type: string - required: - - key - - namespace - type: object - oidc: - description: OIDC specifies to extract a value from the result of an OpenID Connect flow. - properties: - idToken: - description: IDToken specifies to extract the value from the OpenID Connect ID Token. - properties: - claim: - description: Claim selects the JWT claim from which to extract the value. - minLength: 1 - type: string - required: - - claim - type: object - required: - - idToken - type: object - type: object - required: - - source - type: object - required: - - name - - value - type: object - type: object - required: - - spec - type: object - served: true - storage: true - subresources: {} diff --git a/charts/airlock/microgateway/4.3.1/crds/limits.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.3.1/crds/limits.microgateway.airlock.com.yaml deleted file mode 100644 index 894573dc5..000000000 --- a/charts/airlock/microgateway/4.3.1/crds/limits.microgateway.airlock.com.yaml +++ /dev/null @@ -1,651 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - app.kubernetes.io/name: airlock-microgateway-operator - app.kubernetes.io/version: 4.3.1 - name: limits.microgateway.airlock.com -spec: - group: microgateway.airlock.com - names: - categories: - - airlock-microgateway - kind: Limits - listKind: LimitsList - plural: limits - singular: limits - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: Limits contains the configuration for limits. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Specification of the desired limits behavior. - properties: - request: - description: Request defines the limits for requests. - properties: - limited: - description: Limited enables limits on request scope. - properties: - exceptions: - description: Exceptions defines limit exceptions. - items: - description: LimitsException defines an exception for limits. - properties: - length: - description: Length defines an exception for length limits based on the data element exceeding the limit. - properties: - graphQL: - description: GraphQL defines a field, argument or value length limit exception for a GraphQL query. - properties: - argument: - description: |- - Argument restricts the exception to GraphQL queries with a matching argument of a field. - At least one of field, argument and value must be set. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - field: - description: |- - Field restricts the exception to GraphQL queries with a matching field. - At least one of field, argument and value must be set. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - value: - description: |- - Value restricts the exception to GraphQL queries with a matching argument value. - At least one of field, argument and value must be set. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - type: object - json: - description: JSON defines a key and value length limit exception for a JSON property. - properties: - jsonPath: - description: |- - JSONPath restricts the exception to JSON properties with a matching JSONPath. - Expressions in JSONPath i.e. `?(expr)` are not supported. - minLength: 1 - type: string - required: - - jsonPath - type: object - parameter: - description: Parameter defines a name and value length limit exception for a parameter. - properties: - name: - description: Name restricts the exception to parameters with a matching name. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - source: - default: Any - description: Source restricts the exception to parameters of this kind. - enum: - - Query - - Post - - Any - type: string - required: - - name - type: object - type: object - requestConditions: - description: RequestConditions defines additional request properties which must be matched in order for this exception to apply. - properties: - header: - description: Header defines the matching headers of a request. - properties: - name: - description: Name defines the name of a header. - properties: - matcher: - description: Matcher defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - value: - description: Value defines the value of a header. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - type: object - invert: - default: false - description: Invert indicates whether the request condition should be inverted. - type: boolean - mediaType: - description: MediaType defines the matching media type from the content-type header of a request. - properties: - matcher: - description: |- - NonInvertableCaseInsensitiveStringMatcher defines the way to match a string. - In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - method: - description: Method defines the matching methods of a request. - items: - description: Method defines common HTTP methods. - enum: - - GET - - HEAD - - POST - - PUT - - PATCH - - DELETE - - CONNECT - - OPTIONS - - TRACE - type: string - type: array - path: - description: Path defines the matching path of a request. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - remoteIP: - description: RemoteIP defines the matching remote IPs of a request. - properties: - cidrRanges: - description: CIDRRanges defines the IPv4 or IPv6 CIDR ranges, e.g. ``196.148.3.128/26`` or ``2001:db8::/28``. - items: - description: CIDRRange defines an IPv4 or IPv6 CIDR range, e.g. “196.148.3.128/26“ or “2001:db8::/28“. - format: cidr - type: string - minItems: 1 - type: array - invert: - default: false - description: Invert indicates whether the match should be inverted. - type: boolean - required: - - cidrRanges - type: object - type: object - type: object - type: array - general: - description: General defines general request limits. - properties: - bodySize: - anyOf: - - type: integer - - type: string - default: 100Mi - description: BodySize limits the total size of the request body. It specifies the number of bytes (0 = unlimited). This limit is effective for any request not processed by one of the content parsers (e.g. json) as configured in the Parser CRD. **Note** This limit does not apply to WebSocket or gRPC traffic. - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - pathLength: - anyOf: - - type: integer - - type: string - default: 1Ki - description: PathLength defines the maximum path length for all requests (parsed and unparsed). - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - graphQL: - description: GraphQL defines the limits for GraphQL requests. - properties: - nestingDepth: - default: 10 - description: NestingDepth defines the maximum depth of nesting for GraphQL objects. - format: int64 - type: integer - querySize: - anyOf: - - type: integer - - type: string - default: 1Ki - description: QuerySize defines the maximum size for GraphQL queries. - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - valueLength: - anyOf: - - type: integer - - type: string - default: "256" - description: ValueLength defines the maximum length for GraphQL values. - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - json: - description: JSON defines the limits for JSON requests. - properties: - bodySize: - anyOf: - - type: integer - - type: string - default: 100Ki - description: BodySize limits the total size of the JSON request body. It specifies the number of bytes (0 = unlimited). - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - elementCount: - default: 10000 - description: ElementCount defines the maximum number of keys and array items in the whole JSON document (recursive). - format: int64 - type: integer - keyCount: - default: 250 - description: KeyCount defines the maximum number of keys of a single JSON object (non-recursive). - format: int64 - type: integer - keyLength: - anyOf: - - type: integer - - type: string - default: "128" - description: KeyLength defines the maximum length for JSON keys. - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - nestingDepth: - default: 100 - description: NestingDepth defines the maximum depth of nesting for JSON objects and JSON arrays. - format: int64 - type: integer - valueLength: - anyOf: - - type: integer - - type: string - default: 8Ki - description: ValueLength defines the maximum length for JSON values. - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - multipart: - description: Multipart defines the limits for Multipart requests. - properties: - bodySize: - anyOf: - - type: integer - - type: string - default: 100Mi - description: BodySize limits the total size of the Multipart request body. It specifies the number of bytes (0 = unlimited). - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - parameter: - description: Parameter defines the limits for request parameters. - properties: - bodySize: - anyOf: - - type: integer - - type: string - default: 100Ki - description: BodySize limits the total size of the form data body. It specifies the number of bytes (0 = unlimited). - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - count: - default: 128 - description: Count defines the maximum number of request parameters. - format: int64 - type: integer - nameLength: - anyOf: - - type: integer - - type: string - default: "128" - description: NameLength defines the maximum length for parameter names. - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - valueLength: - anyOf: - - type: integer - - type: string - default: 8Ki - description: ValueLength defines the maximum length for parameter values. - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - type: object - unlimited: - description: Unlimited disables all limits on request scope. - type: object - type: object - settings: - description: Settings configures the limits filter. - properties: - threatHandlingMode: - default: Block - description: ThreatHandlingMode specifies how threats should be handled when a limit hits. - enum: - - Block - - LogOnly - type: string - type: object - type: object - type: object - served: true - storage: true diff --git a/charts/airlock/microgateway/4.3.1/crds/oidcproviders.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.3.1/crds/oidcproviders.microgateway.airlock.com.yaml deleted file mode 100644 index eba2dbf7c..000000000 --- a/charts/airlock/microgateway/4.3.1/crds/oidcproviders.microgateway.airlock.com.yaml +++ /dev/null @@ -1,305 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - app.kubernetes.io/name: airlock-microgateway-operator - app.kubernetes.io/version: 4.3.1 - name: oidcproviders.microgateway.airlock.com -spec: - group: microgateway.airlock.com - names: - categories: - - airlock-microgateway - kind: OIDCProvider - listKind: OIDCProviderList - plural: oidcproviders - singular: oidcprovider - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - OIDCProvider specifies an OpenID Provider (OP). - - - {{% notice warning %}} The OIDC feature is currently in an experimental state. - - - We encourage you to try it out and give feedback, but be aware that we do not recommend using it in a production environment yet, as security has not yet been hardened. - In particular, the current implementation has the following limitations, which we intend to address in future Microgateway releases: - - The state parameter is guessable. - - Sessions are always shared across all Microgateway Engines using the same Redis instance. - I.e. if application A and B (with different SidecarGateways) have the same Redis instance configured in their SessionHandling CR, users which are logged into application A - may be able to access authenticated routes on application B, even if their OIDCRelyingParty configuration differs. - - - {{% /notice %}} - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Specification of an OpenID Provider. - properties: - static: - description: Static configures an OpenID Provider by explicitly specifying all endpoints. - properties: - endpoints: - description: Endpoints specifies the OpenID Provider endpoints. - properties: - authorization: - description: Authorization specifies the endpoint to which the authorization request is sent. - properties: - uri: - description: URI specifies the endpoint address. - format: uri - minLength: 1 - pattern: ^(http|https)://.*$ - type: string - required: - - uri - type: object - token: - description: Token configures the endpoint from which the access, ID and refresh tokens are obtained. - properties: - tls: - description: TLS defines TLS settings. - properties: - certificateVerification: - description: CertificateVerification specifies how the certificate presented by the server is verified. - properties: - custom: - description: |- - Custom explicitly specifies how the server certificate should be verified. - Typical use cases include specifying a custom CA and SAN match when working with self-signed certificates or pinning a specific public key. - properties: - allowedSANs: - description: |- - AllowedSANs is a list of matchers to verify the Subject Alternative name. If specified, it will verify that the - Subject Alternative Name of the presented certificate matches one of the specified matchers. The matching uses “any” semantics, - that is to say, the SAN is verified if at least one matcher is matched. - AllowedSANs requires trustedCA to be set. - items: - description: |- - TLSValidationContextSANMatcher is a list of matchers to verify the Subject Alternative name. If specified, it will verify that the - Subject Alternative Name of the presented certificate matches one of the specified matchers. - properties: - matcher: - description: Matcher defines the string matcher for the SAN value. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - sanType: - description: SanType defines the type of SAN matcher. - enum: - - DNS - - Email - - URI - - IPAddress - type: string - required: - - matcher - - sanType - type: object - minItems: 1 - type: array - certificatePinning: - description: |- - CertificatePinning defines constraints the presented certificate must fulfill. - If more than one constraint is configured only one must be satisfied. - At least one of allowedSPKIs and allowedHashes must be set. - properties: - allowedHashes: - description: |- - AllowedHashes is a list of hex-encoded SHA-256 hashes. - If specified, it will verify that the SHA-256 of the DER-encoded presented certificate matches one of the specified values. - items: - type: string - minItems: 1 - type: array - allowedSPKIs: - description: |- - AllowedSPKIs is a list of base64-encoded SHA-256 hashes. - If specified, it will verify that the SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate matches one of the specified values. - items: - type: string - minItems: 1 - type: array - type: object - crl: - description: CRL defines the Certificate Revocation List (CRL) settings. - properties: - lists: - description: Lists defines the list of secretRefs containing Certificate Revocation Lists. - items: - properties: - secretRef: - description: SecretRef defines the reference to a secret containing one or more CRL's (in PEM format) under the key 'ca.crl'. - properties: - name: - description: Name of the resource - minLength: 1 - type: string - required: - - name - type: object - required: - - secretRef - type: object - minItems: 1 - type: array - validationMode: - default: VerifyChain - description: ValidationMode defines whether only the leaf certificate or also the CA certs should be checked. - enum: - - VerifyLeafCertOnly - - VerifyChain - type: string - type: object - trustedCA: - description: TrustedCA defines which CA certificates are trusted. - properties: - certificates: - description: Certificates defines the list of secretRefs containing trusted CA certificates. - items: - properties: - secretRef: - description: SecretRef defines the reference to a secret containing one or more CA certificates under the key 'ca.crt'. - properties: - name: - description: Name of the resource - minLength: 1 - type: string - required: - - name - type: object - required: - - secretRef - type: object - minItems: 1 - type: array - verificationDepth: - default: 1 - description: |- - VerificationDepth specifies the hops in the certificate chain at which validation is performed. - 1 means that either the leaf or the signing CA must be in the set of trusted certificates. - format: int32 - type: integer - required: - - certificates - type: object - type: object - disabled: - description: |- - Disabled specifies to trust any certificate without verification. - THIS IS INSECURE AND SHOULD ONLY BE USED FOR TESTING. - type: object - publicCAs: - description: PublicCAs specifies to only accept certificates with a SAN matching "uri" and which are signed by a CA which is either directly or indirectly trusted by any of the root CA certificates shipped with the Airlock Microgateway Engine's base image. - type: object - type: object - ciphers: - description: Ciphers defines a list of the supported TLS cipher suites. For details on cipher list refer to the envoy documentation on cipher_suites in common tls configuration. - items: - type: string - minItems: 1 - type: array - protocol: - description: Protocol defines the supported TLS protocol versions. - properties: - maximum: - description: Maximum supported TLS version. - enum: - - TLSv1_0 - - TLSv1_1 - - TLSv1_2 - - TLSv1_3 - type: string - minimum: - description: Minimum supported TLS version. - enum: - - TLSv1_0 - - TLSv1_1 - - TLSv1_2 - - TLSv1_3 - type: string - type: object - type: object - uri: - description: URI specifies the endpoint address. - format: uri - minLength: 1 - pattern: ^(http|https)://.*$ - type: string - required: - - uri - type: object - required: - - authorization - - token - type: object - required: - - endpoints - type: object - type: object - required: - - spec - type: object - served: true - storage: true - subresources: {} diff --git a/charts/airlock/microgateway/4.3.1/crds/oidcrelyingparties.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.3.1/crds/oidcrelyingparties.microgateway.airlock.com.yaml deleted file mode 100644 index 863f039ef..000000000 --- a/charts/airlock/microgateway/4.3.1/crds/oidcrelyingparties.microgateway.airlock.com.yaml +++ /dev/null @@ -1,224 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - app.kubernetes.io/name: airlock-microgateway-operator - app.kubernetes.io/version: 4.3.1 - name: oidcrelyingparties.microgateway.airlock.com -spec: - group: microgateway.airlock.com - names: - categories: - - airlock-microgateway - kind: OIDCRelyingParty - listKind: OIDCRelyingPartyList - plural: oidcrelyingparties - singular: oidcrelyingparty - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - OIDCRelyingParty specifies how the Airlock Microgateway Engine interacts with an OpenID Provider (OP). - - - {{% notice warning %}} The OIDC feature is currently in an experimental state. - - - We encourage you to try it out and give feedback, but be aware that we do not recommend using it in a production environment yet, as security has not yet been hardened. - In particular, the current implementation has the following limitations, which we intend to address in future Microgateway releases: - - The state parameter is guessable. - - Sessions are always shared across all Microgateway Engines using the same Redis instance. - I.e. if application A and B (with different SidecarGateways) have the same Redis instance configured in their SessionHandling CR, users which are logged into application A - may be able to access authenticated routes on application B, even if their OIDCRelyingParty configuration differs. - - - {{% /notice %}} - {{% notice info %}} The OIDC feature requires SessionHandling to be configured in the SidecarGateway. {{% /notice %}} - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Specification of the OIDC Relying Party configuration. - properties: - clientID: - description: ClientID specifies the OIDCRelyingParty "client_id". - minLength: 1 - type: string - credentials: - description: Credentials used for client authentication on the back-channel with the authorization server. - properties: - clientSecret: - description: ClientSecret authenticates with the client password issued by the OpenID Provider (OP). - properties: - method: - default: BasicAuth - description: Method specifies in which format the client secret is sent with the authorization request. - enum: - - BasicAuth - - FormURLEncoded - type: string - secretRef: - description: SecretRef specifies the kubernetes secret containing the client password with key "client.secret". - properties: - name: - description: Name of the resource - minLength: 1 - type: string - required: - - name - type: object - required: - - secretRef - type: object - required: - - clientSecret - type: object - oidcProviderRef: - description: OIDCProviderRef selects the OpenID Provider (OP) used to authenticate users. - properties: - name: - description: Name of the resource - minLength: 1 - type: string - required: - - name - type: object - pathMapping: - description: PathMapping configures the action matching. - properties: - logoutPath: - description: LogoutPath specifies which request paths should initiate a logout. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - redirectPath: - description: RedirectPath specifies which request paths should be interpreted as a response from the authorization endpoint. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - required: - - logoutPath - - redirectPath - type: object - redirectURI: - description: |- - RedirectURI configures the "redirect_uri" parameter included in the authorization request. - May contain envoy command operators, e.g. '%REQ(:x-forwarded-proto)%://%REQ(:authority)%/callback'. - minLength: 1 - type: string - required: - - clientID - - credentials - - oidcProviderRef - - pathMapping - - redirectURI - type: object - required: - - spec - type: object - served: true - storage: true - subresources: {} diff --git a/charts/airlock/microgateway/4.3.1/crds/openapis.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.3.1/crds/openapis.microgateway.airlock.com.yaml deleted file mode 100644 index 5f16d2993..000000000 --- a/charts/airlock/microgateway/4.3.1/crds/openapis.microgateway.airlock.com.yaml +++ /dev/null @@ -1,167 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - app.kubernetes.io/name: airlock-microgateway-operator - app.kubernetes.io/version: 4.3.1 - name: openapis.microgateway.airlock.com -spec: - group: microgateway.airlock.com - names: - categories: - - airlock-microgateway - kind: OpenAPI - listKind: OpenAPIList - plural: openapis - singular: openapi - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: OpenAPI contains the configuration for the OpenAPI specification. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Specification of the desired OpenAPI specification. - properties: - response: - description: Response defines the validation behaviour for responses. - properties: - secured: - description: Secured enables response checking. - properties: - validation: - default: Lax - description: Validation defines the validation mode for responses. - enum: - - Lax - - Strict - type: string - type: object - unsecured: - description: Unsecured disables response checking. - type: object - type: object - settings: - description: Settings defines the settings to configure OpenAPI specification enforcement. - properties: - logging: - description: Logging specifies the access log behavior. - properties: - maxFailedSubvalidations: - default: 10 - description: MaxFailedSubvalidations defines the maximum number of failed subvalidations being logged. - format: int64 - type: integer - type: object - schema: - description: Schema configures the OpenAPI specification. - properties: - source: - description: Source specifies the OpenAPI specification to be enforced. - properties: - configMapRef: - description: ConfigMapRef references the configmap by its name containing the well-known key 'openapi.json'. - properties: - name: - description: Name of the resource - minLength: 1 - type: string - required: - - name - type: object - type: object - required: - - source - type: object - threatHandlingMode: - default: Block - description: ThreatHandlingMode specifies how threats should be handled. - enum: - - Block - - LogOnly - type: string - validation: - description: Validation specifies the patterns for the validation behavior. - properties: - authentication: - description: Authentication defines the settings for the authentication scheme. - properties: - oAuth2: - description: OAuth2 specifies the OAuth2 parameters. - properties: - allowedParameters: - description: AllowedParameters specifies the allowed parameters for the authentication scheme. - properties: - builtIn: - description: BuiltIn allows configuring a set of predefined allowed parameters. - properties: - standardParameters: - default: true - description: StandardParameters defines whether the allowed parameters should be expanded by the set of common parameters. - type: boolean - type: object - custom: - description: Custom allows configuring additional allowed parameters. - items: - minLength: 1 - type: string - minItems: 1 - type: array - type: object - type: object - oidc: - description: Oidc specifies the OIDC parameters. - properties: - allowedParameters: - description: AllowedParameters specifies the allowed parameters for the authentication scheme. - properties: - builtIn: - description: BuiltIn allows configuring a set of predefined allowed parameters. - properties: - standardParameters: - default: true - description: StandardParameters defines whether the allowed parameters should be expanded by the set of common parameters. - type: boolean - type: object - custom: - description: Custom allows configuring additional allowed parameters. - items: - minLength: 1 - type: string - minItems: 1 - type: array - type: object - type: object - type: object - type: object - required: - - schema - type: object - required: - - settings - type: object - required: - - spec - type: object - served: true - storage: true diff --git a/charts/airlock/microgateway/4.3.1/crds/parsers.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.3.1/crds/parsers.microgateway.airlock.com.yaml deleted file mode 100644 index 61e46f6cf..000000000 --- a/charts/airlock/microgateway/4.3.1/crds/parsers.microgateway.airlock.com.yaml +++ /dev/null @@ -1,358 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - app.kubernetes.io/name: airlock-microgateway-operator - app.kubernetes.io/version: 4.3.1 - name: parsers.microgateway.airlock.com -spec: - group: microgateway.airlock.com - names: - categories: - - airlock-microgateway - kind: Parser - listKind: ParserList - plural: parsers - singular: parser - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: Parser contains the configuration for content parsers (default and custom). - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Specification of the desired parser behavior. - properties: - request: - description: Request defines the parsing for downstream requests. - properties: - custom: - description: Custom allows configuring additional rules for parser selection. - properties: - rules: - description: |- - Rules defines a custom set prepended before built-in rules of enabled request parsers. - Disable all built-in parsers to overrule them completely. - items: - properties: - action: - description: |- - Action specifies what should happen when a request condition matches. - Only one of parse or skip can be set. - properties: - parse: - description: Parse activates the configured parser. - properties: - form: - description: Form activates the Form parser. - type: object - json: - description: JSON activates the JSON parser. - type: object - multipart: - description: Multipart activates the multipart parser. - type: object - type: object - skip: - description: Skip disables any content parsing - type: object - type: object - requestConditions: - description: RequestConditions defines additional request properties which must be matched in order for this rule to apply. - properties: - header: - description: Header defines the matching headers of a request. - properties: - name: - description: Name defines the name of a header. - properties: - matcher: - description: Matcher defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - value: - description: Value defines the value of a header. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - type: object - invert: - default: false - description: Invert indicates whether the request condition should be inverted. - type: boolean - mediaType: - description: MediaType defines the matching media type from the content-type header of a request. - properties: - matcher: - description: |- - NonInvertableCaseInsensitiveStringMatcher defines the way to match a string. - In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - method: - description: Method defines the matching methods of a request. - items: - description: Method defines common HTTP methods. - enum: - - GET - - HEAD - - POST - - PUT - - PATCH - - DELETE - - CONNECT - - OPTIONS - - TRACE - type: string - type: array - path: - description: Path defines the matching path of a request. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - remoteIP: - description: RemoteIP defines the matching remote IPs of a request. - properties: - cidrRanges: - description: CIDRRanges defines the IPv4 or IPv6 CIDR ranges, e.g. ``196.148.3.128/26`` or ``2001:db8::/28``. - items: - description: CIDRRange defines an IPv4 or IPv6 CIDR range, e.g. “196.148.3.128/26“ or “2001:db8::/28“. - format: cidr - type: string - minItems: 1 - type: array - invert: - default: false - description: Invert indicates whether the match should be inverted. - type: boolean - required: - - cidrRanges - type: object - type: object - required: - - action - - requestConditions - type: object - type: array - type: object - defaultContentType: - default: application/x-www-form-urlencoded - description: DefaultContentType specifies the content-type header which should be injected into the request before parser selection if it is not already present and the request has a body. - minLength: 1 - type: string - parsers: - description: Parsers defines the configuration for the available content parsers. - properties: - form: - description: Form defines the configuration for the form parser. - properties: - enable: - default: true - description: Enable defines whether form payloads are inspected. - type: boolean - mediaTypePattern: - default: .*urlencoded.* - description: MediaTypePattern is a regex specifying the media types for which the request body should be treated as form arguments. - minLength: 1 - type: string - type: object - json: - description: JSON defines the configuration for the JSON parser. - properties: - enable: - default: true - description: Enable defines whether json payloads are inspected. - type: boolean - mediaTypePattern: - default: .*json.* - description: MediaTypePattern is a regex specifying the media types for which the request body should be treated as JSON. - minLength: 1 - type: string - type: object - multipart: - description: Multipart defines the configuration for the multipart parser. - properties: - enable: - default: true - description: Enable defines whether multipart payloads are inspected. - type: boolean - mediaTypePattern: - default: .*multipart.* - description: MediaTypePattern is a regex specifying the media types for which the request body should be treated as a multipart payload. - minLength: 1 - type: string - type: object - type: object - type: object - type: object - type: object - served: true - storage: true diff --git a/charts/airlock/microgateway/4.3.1/crds/redisproviders.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.3.1/crds/redisproviders.microgateway.airlock.com.yaml deleted file mode 100644 index d7d37a5ae..000000000 --- a/charts/airlock/microgateway/4.3.1/crds/redisproviders.microgateway.airlock.com.yaml +++ /dev/null @@ -1,159 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - app.kubernetes.io/name: airlock-microgateway-operator - app.kubernetes.io/version: 4.3.1 - name: redisproviders.microgateway.airlock.com -spec: - group: microgateway.airlock.com - names: - categories: - - airlock-microgateway - kind: RedisProvider - listKind: RedisProviderList - plural: redisproviders - singular: redisprovider - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: RedisProvider contains a client configuration for connecting to a Redis database. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Specification of a Redis database client configuration. - properties: - auth: - description: Auth specifies the Redis credentials. - properties: - password: - description: Password specifies the Redis password. - properties: - secretRef: - description: SecretRef selects the secret containing the Redis password under the key 'redis.password'. - properties: - name: - description: Name of the resource - minLength: 1 - type: string - required: - - name - type: object - required: - - secretRef - type: object - username: - default: default - description: Username specifies the Redis username to authenticate with. - minLength: 1 - pattern: ^[^\s]+$ - type: string - required: - - password - type: object - mode: - description: Mode configures the redis deployment mode. - properties: - standalone: - description: Standalone specifies the standalone Redis instance to connect to. - properties: - host: - description: Host specifies the IP or hostname. - minLength: 1 - pattern: ^(\d{1,3}(\.\d{1,3}){3}|([0-9a-fA-F]{1,4}|:)+(:\d{1,3}(\.\d{1,3}){3})?|[a-z0-9\-]+(\.[a-z0-9\-]+)*)$ - type: string - port: - default: 6379 - description: Port specifies the port. - maximum: 65535 - minimum: 1 - type: integer - required: - - host - type: object - type: object - timeouts: - description: Timeouts specifies the timeouts when interacting with the Redis endpoint. - properties: - connect: - default: 5s - description: Connect specifies the timeout for establishing a connection. - type: string - maxDuration: - default: 2s - description: MaxDuration specifies the response timeout. - type: string - type: object - tls: - description: TLS defines TLS settings. If not specified, TLS is disabled i.e. unencrypted TCP is used when connecting to the Redis instance. - properties: - certificateVerification: - description: CertificateVerification specifies how the certificate presented by the server is verified. - properties: - custom: - description: Custom explicitly specifies how the server certificate should be verified. - properties: - trustedCA: - description: TrustedCA defines which CA certificates are trusted. - properties: - certificates: - description: Certificates defines the list of secretRefs containing trusted CA certificates. - items: - properties: - secretRef: - description: SecretRef defines the reference to a secret containing one or more CA certificates under the key 'ca.crt'. - properties: - name: - description: Name of the resource - minLength: 1 - type: string - required: - - name - type: object - required: - - secretRef - type: object - minItems: 1 - type: array - required: - - certificates - type: object - required: - - trustedCA - type: object - disabled: - description: 'Disabled specifies to trust any certificate without verification. THIS IS INSECURE AND SHOULD ONLY BE USED FOR TESTING. Note: This setting currently also disables TLS SNI.' - type: object - publicCAs: - description: PublicCAs specifies to only accept certificates with a SAN matching the host and which are signed by a CA which is either directly or indirectly trusted by any of the root CA certificates shipped with the Airlock Microgateway Session Agent’s base image. - type: object - type: object - type: object - required: - - mode - type: object - required: - - spec - type: object - served: true - storage: true diff --git a/charts/airlock/microgateway/4.3.1/crds/sessionhandlings.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.3.1/crds/sessionhandlings.microgateway.airlock.com.yaml deleted file mode 100644 index c4b51ef6c..000000000 --- a/charts/airlock/microgateway/4.3.1/crds/sessionhandlings.microgateway.airlock.com.yaml +++ /dev/null @@ -1,77 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - app.kubernetes.io/name: airlock-microgateway-operator - app.kubernetes.io/version: 4.3.1 - name: sessionhandlings.microgateway.airlock.com -spec: - group: microgateway.airlock.com - names: - categories: - - airlock-microgateway - kind: SessionHandling - listKind: SessionHandlingList - plural: sessionhandlings - singular: sessionhandling - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - SessionHandling contains the configuration for session handling. - - - {{% notice warning %}} The Session Handling feature (required for OIDC) is currently in an experimental state. - - - We encourage you to try it out and give feedback, but be aware that we do not recommend using it in a production environment yet, as high-availability Redis configurations (e.g. Sentinel/Cluster) are not yet supported. - {{% /notice %}} - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Specification of the desired session handling behavior. - properties: - persistence: - description: Persistence configures where to store the session state. - properties: - redisProviderRef: - description: RedisProviderRef specifies to cache session information in the provided Redis instance. - properties: - name: - description: Name of the resource - minLength: 1 - type: string - required: - - name - type: object - required: - - redisProviderRef - type: object - required: - - persistence - type: object - required: - - spec - type: object - served: true - storage: true diff --git a/charts/airlock/microgateway/4.3.1/crds/telemetries.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.3.1/crds/telemetries.microgateway.airlock.com.yaml deleted file mode 100644 index 8f911d3d2..000000000 --- a/charts/airlock/microgateway/4.3.1/crds/telemetries.microgateway.airlock.com.yaml +++ /dev/null @@ -1,96 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - app.kubernetes.io/name: airlock-microgateway-operator - app.kubernetes.io/version: 4.3.1 - name: telemetries.microgateway.airlock.com -spec: - group: microgateway.airlock.com - names: - categories: - - airlock-microgateway - kind: Telemetry - listKind: TelemetryList - plural: telemetries - singular: telemetry - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: Telemetry contains the configuration for telemetry (logging, metrics & tracing). - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Specification of the desired telemetry behavior. - properties: - correlation: - description: Correlation defines the correlation aspects of Telemetry. - properties: - idSource: - description: IDSource specifies how an external correlation ID should be obtained for a request. If not specified, no correlation ID will be logged. - properties: - header: - description: Header specifies to extract the correlation ID from a request header. If the header is absent from a request, no correlation ID will be logged. - properties: - name: - default: X-Correlation-Id - description: Name of the header (case-insensitive) from which to extract the correlation ID. - minLength: 1 - type: string - type: object - required: - - header - type: object - request: - description: Request defines the request related correlation settings of Telemetry. - properties: - allowDownstreamRequestID: - default: true - description: AllowDownstreamRequestID defines whether trace sampling will consider a provided x-request-id. - type: boolean - alterRequestID: - default: true - description: AlterRequestID defines whether to alter the UUID to reflect the trace sampling decision. If disabled no modification to the UUID will be performed, this may break tracing in the upstream. - type: boolean - type: object - type: object - logging: - description: Logging defines the logging aspects of Telemetry. - properties: - accessLog: - description: AccessLog defines the access log settings of Telemetry. - properties: - format: - description: Format defines the Access Log format of the sidecar. - properties: - json: - description: JSON defines the Access Log format as JSON. - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: object - type: object - type: object - served: true - storage: true diff --git a/charts/airlock/microgateway/4.3.1/dashboards/license.json b/charts/airlock/microgateway/4.3.1/dashboards/license.json deleted file mode 100644 index b9d5777e2..000000000 --- a/charts/airlock/microgateway/4.3.1/dashboards/license.json +++ /dev/null @@ -1,521 +0,0 @@ -{ - "__inputs": [ - { - "name": "DS_PROMETHEUS", - "label": "Prometheus", - "description": "", - "type": "datasource", - "pluginId": "prometheus", - "pluginName": "Prometheus" - } - ], - "__elements": {}, - "__requires": [ - { - "type": "grafana", - "id": "grafana", - "name": "Grafana", - "version": "10.2.0" - }, - { - "type": "datasource", - "id": "prometheus", - "name": "Prometheus", - "version": "1.0.0" - }, - { - "type": "panel", - "id": "stat", - "name": "Stat", - "version": "" - }, - { - "type": "panel", - "id": "timeseries", - "name": "Time series", - "version": "" - } - ], - "annotations": { - "list": [ - { - "builtIn": 1, - "datasource": { - "type": "grafana", - "uid": "-- Grafana --" - }, - "enable": true, - "hide": true, - "iconColor": "rgba(0, 211, 255, 1)", - "name": "Annotations & Alerts", - "type": "dashboard" - } - ] - }, - "editable": true, - "fiscalYearStartMonth": 0, - "graphTooltip": 0, - "id": null, - "links": [ - { - "asDropdown": true, - "icon": "external link", - "includeVars": true, - "keepTime": true, - "tags": [ - "airlock-microgateway" - ], - "targetBlank": true, - "title": "Airlock Microgateway", - "tooltip": "", - "type": "dashboards", - "url": "" - } - ], - "panels": [ - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "description": "License status of Airlock Microgateway.", - "fieldConfig": { - "defaults": { - "color": { - "mode": "thresholds" - }, - "mappings": [ - { - "options": { - "0": { - "color": "red", - "index": 1, - "text": "Invalid" - }, - "1": { - "color": "green", - "index": 0, - "text": "Valid" - } - }, - "type": "value" - } - ], - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - } - }, - "overrides": [] - }, - "gridPos": { - "h": 4, - "w": 3, - "x": 0, - "y": 0 - }, - "id": 1, - "options": { - "colorMode": "value", - "graphMode": "area", - "justifyMode": "auto", - "orientation": "auto", - "reduceOptions": { - "calcs": [ - "lastNotNull" - ], - "fields": "", - "values": false - }, - "showPercentChange": false, - "textMode": "auto", - "wideLayout": true - }, - "pluginVersion": "11.0.0", - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "editorMode": "code", - "exemplar": false, - "expr": "min(microgateway_license_valid{namespace=~\"${operator_namespace.regex}\"})", - "instant": true, - "legendFormat": "License Status", - "range": false, - "refId": "Licenses" - } - ], - "title": "License Status", - "type": "stat" - }, - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "description": "Expiry date of the Airlock Microgateway license associated with the selected operator.", - "fieldConfig": { - "defaults": { - "color": { - "fixedColor": "text", - "mode": "fixed" - }, - "mappings": [], - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - }, - "unit": "time: L" - }, - "overrides": [] - }, - "gridPos": { - "h": 4, - "w": 4, - "x": 3, - "y": 0 - }, - "id": 4, - "options": { - "colorMode": "value", - "graphMode": "none", - "justifyMode": "auto", - "orientation": "auto", - "reduceOptions": { - "calcs": [ - "lastNotNull" - ], - "fields": "", - "values": false - }, - "showPercentChange": false, - "textMode": "auto", - "wideLayout": true - }, - "pluginVersion": "11.0.0", - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "editorMode": "code", - "exemplar": false, - "expr": "min(microgateway_license_expiry_timestamp_seconds{namespace=~\"${operator_namespace.regex}\"})*1000", - "instant": true, - "legendFormat": "Expiry Date (MM/DD/YYYY)", - "range": false, - "refId": "A" - } - ], - "title": "License Expiry Date", - "type": "stat" - }, - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "description": "Number of licensed requests for applications protected by Airlock Microgateway.", - "fieldConfig": { - "defaults": { - "color": { - "fixedColor": "text", - "mode": "fixed" - }, - "mappings": [], - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - }, - "unit": "short" - }, - "overrides": [] - }, - "gridPos": { - "h": 4, - "w": 4, - "x": 7, - "y": 0 - }, - "id": 6, - "options": { - "colorMode": "value", - "graphMode": "none", - "justifyMode": "auto", - "orientation": "auto", - "reduceOptions": { - "calcs": [ - "lastNotNull" - ], - "fields": "", - "values": false - }, - "showPercentChange": false, - "textMode": "auto", - "wideLayout": true - }, - "pluginVersion": "11.0.0", - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "editorMode": "code", - "exemplar": false, - "expr": "sum(microgateway_license_max_rq_count_per_month{namespace=~\"${operator_namespace.regex}\"})", - "instant": true, - "legendFormat": "Licensed Requests", - "range": false, - "refId": "A" - } - ], - "title": "Licensed Requests", - "type": "stat" - }, - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "description": "Estimated number of requests protected by Airlock Microgateway over 30 days based on the last 7 days.", - "fieldConfig": { - "defaults": { - "color": { - "fixedColor": "text", - "mode": "fixed" - }, - "mappings": [], - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - }, - "unit": "short" - }, - "overrides": [] - }, - "gridPos": { - "h": 4, - "w": 5, - "x": 11, - "y": 0 - }, - "id": 2, - "options": { - "colorMode": "value", - "graphMode": "none", - "justifyMode": "auto", - "orientation": "auto", - "reduceOptions": { - "calcs": [ - "lastNotNull" - ], - "fields": "", - "values": false - }, - "showPercentChange": false, - "textMode": "auto", - "wideLayout": true - }, - "pluginVersion": "11.0.0", - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "editorMode": "code", - "exemplar": false, - "expr": "sum(increase(microgateway_license_http_rq_total{job=~\"${operator_namespace.regex}/.*-engine\"}[7d]))/7*30", - "instant": true, - "legendFormat": "Estimated Requests", - "range": false, - "refId": "A" - } - ], - "title": "Requests over 30 days (estimated)", - "type": "stat" - }, - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "description": "Number of requests per week processed by Airlock Microgateway.", - "fieldConfig": { - "defaults": { - "color": { - "fixedColor": "blue", - "mode": "fixed" - }, - "custom": { - "axisBorderShow": false, - "axisCenteredZero": false, - "axisColorMode": "text", - "axisLabel": "", - "axisPlacement": "auto", - "barAlignment": 0, - "drawStyle": "line", - "fillOpacity": 0, - "gradientMode": "none", - "hideFrom": { - "legend": false, - "tooltip": false, - "viz": false - }, - "insertNulls": false, - "lineInterpolation": "linear", - "lineWidth": 1, - "pointSize": 5, - "scaleDistribution": { - "type": "linear" - }, - "showPoints": "auto", - "spanNulls": false, - "stacking": { - "group": "A", - "mode": "none" - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "mappings": [], - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - }, - "unit": "short" - }, - "overrides": [] - }, - "gridPos": { - "h": 12, - "w": 16, - "x": 0, - "y": 4 - }, - "id": 5, - "options": { - "legend": { - "calcs": [], - "displayMode": "list", - "placement": "bottom", - "showLegend": true - }, - "tooltip": { - "maxHeight": 600, - "mode": "single", - "sort": "none" - } - }, - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "editorMode": "code", - "expr": "sum(avg_over_time(increase(microgateway_license_http_rq_total{job=~\"${operator_namespace.regex}/.*-engine\"}[7d])[2m:30s]))", - "instant": false, - "legendFormat": "# Requests per week", - "range": true, - "refId": "A" - } - ], - "title": "Processed Requests per week", - "type": "timeseries" - } - ], - "schemaVersion": 39, - "tags": [ - "airlock-microgateway" - ], - "templating": { - "list": [ - { - "current": { - "selected": false, - "text": "Prometheus", - "value": "PBFA97CFB590B2093" - }, - "hide": 2, - "includeAll": false, - "label": "DS_PROMETHEUS", - "multi": false, - "name": "DS_PROMETHEUS", - "options": [], - "query": "prometheus", - "refresh": 1, - "regex": "", - "skipUrlSync": false, - "type": "datasource" - }, - { - "allValue": ".*", - "current": {}, - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "definition": "label_values(microgateway_license_valid,namespace)", - "description": "", - "hide": 0, - "includeAll": false, - "label": "Operator Namespace", - "multi": false, - "name": "operator_namespace", - "options": [], - "query": { - "qryType": 1, - "query": "label_values(microgateway_license_valid,namespace)", - "refId": "PrometheusVariableQueryEditor-VariableQuery" - }, - "refresh": 2, - "regex": "", - "skipUrlSync": false, - "sort": 0, - "type": "query" - } - ] - }, - "time": { - "from": "now-7d", - "to": "now" - }, - "timeRangeUpdatedDuringEditOrView": false, - "timepicker": {}, - "timezone": "browser", - "title": "Airlock Microgateway License", - "uid": "cdpq79bzrr01se", - "version": 2, - "weekStart": "" -} \ No newline at end of file diff --git a/charts/airlock/microgateway/4.3.1/dashboards/overview.json b/charts/airlock/microgateway/4.3.1/dashboards/overview.json deleted file mode 100644 index 094276621..000000000 --- a/charts/airlock/microgateway/4.3.1/dashboards/overview.json +++ /dev/null @@ -1,1138 +0,0 @@ -{ - "__inputs": [ - { - "name": "DS_PROMETHEUS", - "label": "Prometheus", - "description": "", - "type": "datasource", - "pluginId": "prometheus", - "pluginName": "Prometheus" - } - ], - "__elements": {}, - "__requires": [ - { - "type": "grafana", - "id": "grafana", - "name": "Grafana", - "version": "10.2.0" - }, - { - "type": "datasource", - "id": "prometheus", - "name": "Prometheus", - "version": "1.0.0" - }, - { - "type": "panel", - "id": "stat", - "name": "Stat", - "version": "" - }, - { - "type": "panel", - "id": "table", - "name": "Table", - "version": "" - }, - { - "type": "panel", - "id": "timeseries", - "name": "Time series", - "version": "" - } - ], - "annotations": { - "list": [ - { - "builtIn": 1, - "datasource": { - "type": "grafana", - "uid": "-- Grafana --" - }, - "enable": true, - "hide": true, - "iconColor": "rgba(0, 211, 255, 1)", - "name": "Annotations & Alerts", - "type": "dashboard" - } - ] - }, - "editable": true, - "fiscalYearStartMonth": 0, - "graphTooltip": 0, - "id": null, - "links": [ - { - "asDropdown": true, - "icon": "external link", - "includeVars": true, - "keepTime": true, - "tags": [ - "airlock-microgateway" - ], - "targetBlank": true, - "title": "Airlock Microgateway", - "tooltip": "", - "type": "dashboards", - "url": "" - } - ], - "panels": [ - { - "gridPos": { - "h": 1, - "w": 24, - "x": 0, - "y": 0 - }, - "id": 3, - "title": "Overview", - "type": "row" - }, - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "description": "Number of pods that are protected by Airlock Microgateway.", - "fieldConfig": { - "defaults": { - "color": { - "mode": "thresholds" - }, - "mappings": [], - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "text", - "value": null - } - ] - } - }, - "overrides": [] - }, - "gridPos": { - "h": 4, - "w": 3, - "x": 0, - "y": 1 - }, - "id": 11, - "options": { - "colorMode": "value", - "graphMode": "none", - "justifyMode": "auto", - "orientation": "auto", - "reduceOptions": { - "calcs": [ - "last" - ], - "fields": "", - "values": false - }, - "showPercentChange": false, - "textMode": "auto", - "wideLayout": true - }, - "pluginVersion": "11.0.0", - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "editorMode": "code", - "exemplar": false, - "expr": "sum(microgateway_sidecars{namespace=~\"${operator_namespace.regex}\"})", - "instant": true, - "legendFormat": "Protected Pods", - "range": false, - "refId": "A" - } - ], - "title": "Protected Pods", - "type": "stat" - }, - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "description": "Total number of requests processed by Airlock Microgateway.", - "fieldConfig": { - "defaults": { - "color": { - "fixedColor": "text", - "mode": "fixed" - }, - "mappings": [], - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - }, - "unit": "short" - }, - "overrides": [] - }, - "gridPos": { - "h": 4, - "w": 3, - "x": 3, - "y": 1 - }, - "id": 4, - "options": { - "colorMode": "value", - "graphMode": "none", - "justifyMode": "auto", - "orientation": "auto", - "reduceOptions": { - "calcs": [ - "last" - ], - "fields": "", - "values": false - }, - "showPercentChange": false, - "textMode": "auto", - "wideLayout": true - }, - "pluginVersion": "11.0.0", - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "disableTextWrap": false, - "editorMode": "code", - "exemplar": false, - "expr": "round(sum(increase(microgateway_license_http_rq_total{namespace=~\"${namespace:regex}\", job=~\"${operator_namespace.regex}/.*-engine\"}[$__range])))", - "format": "time_series", - "fullMetaSearch": false, - "hide": false, - "includeNullMetadata": true, - "instant": true, - "legendFormat": "Processed Requests", - "range": false, - "refId": "A", - "useBackend": false - } - ], - "title": "Requests", - "type": "stat" - }, - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "description": "Ratio of blocked requests vs. processed requests by Airlock Microgateway.", - "fieldConfig": { - "defaults": { - "color": { - "fixedColor": "text", - "mode": "fixed" - }, - "mappings": [ - { - "options": { - "match": "nan", - "result": { - "index": 0, - "text": "n/a" - } - }, - "type": "special" - } - ], - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - }, - "unit": "percentunit" - }, - "overrides": [] - }, - "gridPos": { - "h": 4, - "w": 3, - "x": 6, - "y": 1 - }, - "id": 5, - "options": { - "colorMode": "value", - "graphMode": "area", - "justifyMode": "auto", - "orientation": "auto", - "reduceOptions": { - "calcs": [ - "last" - ], - "fields": "", - "values": false - }, - "showPercentChange": false, - "textMode": "auto", - "wideLayout": true - }, - "pluginVersion": "11.0.0", - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "disableTextWrap": false, - "editorMode": "code", - "exemplar": false, - "expr": "sum(increase(microgateway_http_downstream_rq_threats_blocked_total{namespace=~\"${namespace:regex}\", job=~\"${operator_namespace.regex}/.*-engine\"}[$__range])) / sum(increase(microgateway_license_http_rq_total{namespace=~\"${namespace:regex}\", job=~\"${operator_namespace.regex}/.*-engine\"}[$__range]))", - "fullMetaSearch": false, - "includeNullMetadata": true, - "instant": true, - "legendFormat": "Blocked Requests (%)", - "range": false, - "refId": "A", - "useBackend": false - } - ], - "title": "% Blocked Requests", - "type": "stat" - }, - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "description": "License status of Airlock Microgateway.", - "fieldConfig": { - "defaults": { - "color": { - "mode": "thresholds" - }, - "mappings": [ - { - "options": { - "0": { - "color": "red", - "index": 1, - "text": "Invalid" - }, - "1": { - "color": "green", - "index": 0, - "text": "Valid" - } - }, - "type": "value" - } - ], - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - } - }, - "overrides": [] - }, - "gridPos": { - "h": 4, - "w": 3, - "x": 9, - "y": 1 - }, - "id": 10, - "options": { - "colorMode": "value", - "graphMode": "area", - "justifyMode": "auto", - "orientation": "auto", - "reduceOptions": { - "calcs": [ - "lastNotNull" - ], - "fields": "", - "values": false - }, - "showPercentChange": false, - "textMode": "auto", - "wideLayout": true - }, - "pluginVersion": "11.0.0", - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "editorMode": "code", - "exemplar": false, - "expr": "min(microgateway_license_valid{namespace=~\"${operator_namespace.regex}\"})", - "instant": true, - "legendFormat": "License Status", - "range": false, - "refId": "Licenses" - } - ], - "title": "License", - "type": "stat" - }, - { - "gridPos": { - "h": 1, - "w": 24, - "x": 0, - "y": 5 - }, - "id": 2, - "title": "Blocks", - "type": "row" - }, - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "description": "Requests per second processed by Airlock Microgateway along with the corresponding block rate.", - "fieldConfig": { - "defaults": { - "color": { - "fixedColor": "blue", - "mode": "fixed" - }, - "custom": { - "axisBorderShow": false, - "axisCenteredZero": false, - "axisColorMode": "text", - "axisLabel": "", - "axisPlacement": "left", - "barAlignment": 0, - "drawStyle": "line", - "fillOpacity": 0, - "gradientMode": "none", - "hideFrom": { - "legend": false, - "tooltip": false, - "viz": false - }, - "insertNulls": false, - "lineInterpolation": "linear", - "lineWidth": 1, - "pointSize": 5, - "scaleDistribution": { - "type": "linear" - }, - "showPoints": "auto", - "spanNulls": false, - "stacking": { - "group": "A", - "mode": "none" - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "mappings": [], - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "blue", - "value": null - } - ] - } - }, - "overrides": [ - { - "matcher": { - "id": "byName", - "options": "% Blocks" - }, - "properties": [ - { - "id": "custom.axisPlacement", - "value": "right" - }, - { - "id": "unit", - "value": "percentunit" - }, - { - "id": "color", - "value": { - "fixedColor": "orange", - "mode": "fixed" - } - }, - { - "id": "max", - "value": 1 - } - ] - }, - { - "matcher": { - "id": "byName", - "options": "Requests per second" - }, - "properties": [ - { - "id": "unit", - "value": "short" - }, - { - "id": "custom.fillOpacity", - "value": 25 - } - ] - } - ] - }, - "gridPos": { - "h": 10, - "w": 12, - "x": 0, - "y": 6 - }, - "id": 6, - "options": { - "legend": { - "calcs": [], - "displayMode": "list", - "placement": "bottom", - "showLegend": true - }, - "timezone": [ - "" - ], - "tooltip": { - "maxHeight": 600, - "mode": "single", - "sort": "none" - } - }, - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "editorMode": "code", - "exemplar": false, - "expr": "sum(rate(microgateway_license_http_rq_total{namespace=~\"${namespace:regex}\", job=~\"${operator_namespace.regex}/.*-engine\"}[1m]))", - "instant": false, - "legendFormat": "Requests per second", - "range": true, - "refId": "Requests per Second" - }, - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "editorMode": "code", - "expr": "sum(rate(microgateway_http_downstream_rq_threats_blocked_total{namespace=~\"${namespace:regex}\", job=~\"${operator_namespace.regex}/.*-engine\"}[1m])) / sum(rate(microgateway_license_http_rq_total{namespace=~\"${namespace:regex}\", job=~\"${operator_namespace.regex}/.*-engine\"}[1m]))", - "hide": false, - "instant": false, - "legendFormat": "% Blocks", - "range": true, - "refId": "Blocks" - } - ], - "title": "Requests vs. % Blocks", - "type": "timeseries" - }, - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "description": "Requests blocked by Airlock Microgateway categorized by their corresponding type.", - "fieldConfig": { - "defaults": { - "color": { - "mode": "thresholds" - }, - "custom": { - "align": "auto", - "cellOptions": { - "barAlignment": 0, - "drawStyle": "line", - "gradientMode": "none", - "hideValue": false, - "lineInterpolation": "linear", - "lineStyle": { - "dash": [ - 10, - 10 - ], - "fill": "solid" - }, - "showPoints": "never", - "spanNulls": false, - "type": "sparkline" - }, - "inspect": false - }, - "displayName": "Block Type", - "fieldMinMax": false, - "mappings": [], - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - } - }, - "overrides": [ - { - "matcher": { - "id": "byName", - "options": "block_type" - }, - "properties": [ - { - "id": "custom.width", - "value": 153 - }, - { - "id": "custom.cellOptions", - "value": { - "type": "auto" - } - } - ] - }, - { - "matcher": { - "id": "byName", - "options": "Trend #Block Types" - }, - "properties": [ - { - "id": "color", - "value": { - "fixedColor": "orange", - "mode": "fixed" - } - } - ] - } - ] - }, - "gridPos": { - "h": 10, - "w": 12, - "x": 12, - "y": 6 - }, - "id": 7, - "options": { - "cellHeight": "lg", - "footer": { - "countRows": false, - "enablePagination": false, - "fields": [ - "Value" - ], - "reducer": [ - "sum" - ], - "show": false - }, - "showHeader": false, - "sortBy": [ - { - "desc": true, - "displayName": "block_type" - } - ] - }, - "pluginVersion": "11.0.0", - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "editorMode": "code", - "expr": "sum by (block_type) (increase(microgateway_http_downstream_rq_threats_blocked_total{namespace=~\"${namespace:regex}\", job=~\"${operator_namespace.regex}/.*-engine\"}[1m] offset -1m))/(60000/$__interval_ms)", - "format": "time_series", - "instant": false, - "legendFormat": "__auto", - "range": true, - "refId": "Block Types" - } - ], - "title": "Blocked Requests by Type", - "transformations": [ - { - "id": "timeSeriesTable", - "options": { - "A": { - "timeField": "Time" - }, - "Block Types": { - "stat": "sum", - "timeField": "Time" - } - } - } - ], - "type": "table" - }, - { - "gridPos": { - "h": 1, - "w": 24, - "x": 0, - "y": 16 - }, - "id": 1, - "title": "Latency", - "type": "row" - }, - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "description": "Percentiles of the application downstream latency over one minute.", - "fieldConfig": { - "defaults": { - "color": { - "mode": "palette-classic" - }, - "custom": { - "axisBorderShow": false, - "axisCenteredZero": false, - "axisColorMode": "text", - "axisLabel": "", - "axisPlacement": "auto", - "barAlignment": 0, - "drawStyle": "line", - "fillOpacity": 0, - "gradientMode": "none", - "hideFrom": { - "legend": false, - "tooltip": false, - "viz": false - }, - "insertNulls": false, - "lineInterpolation": "linear", - "lineWidth": 1, - "pointSize": 5, - "scaleDistribution": { - "type": "linear" - }, - "showPoints": "auto", - "spanNulls": false, - "stacking": { - "group": "A", - "mode": "none" - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "mappings": [], - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - }, - "unit": "ms" - }, - "overrides": [ - { - "matcher": { - "id": "byName", - "options": "25th Percentile" - }, - "properties": [ - { - "id": "color", - "value": { - "fixedColor": "super-light-purple", - "mode": "fixed" - } - } - ] - }, - { - "matcher": { - "id": "byName", - "options": "50th Percentile" - }, - "properties": [ - { - "id": "color", - "value": { - "fixedColor": "purple", - "mode": "fixed" - } - } - ] - }, - { - "matcher": { - "id": "byName", - "options": "95th Percentile" - }, - "properties": [ - { - "id": "color", - "value": { - "fixedColor": "dark-purple", - "mode": "fixed" - } - } - ] - } - ] - }, - "gridPos": { - "h": 9, - "w": 12, - "x": 0, - "y": 17 - }, - "id": 8, - "options": { - "legend": { - "calcs": [], - "displayMode": "list", - "placement": "bottom", - "showLegend": true - }, - "tooltip": { - "maxHeight": 600, - "mode": "single", - "sort": "none" - } - }, - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "editorMode": "code", - "expr": "histogram_quantile(0.25, sum(rate(envoy_http_downstream_rq_time_bucket{envoy_http_conn_manager_prefix=\"http\", namespace=~\"${namespace:regex}\", job=~\"${operator_namespace.regex}/.*-engine\"}[1m])) by (le))", - "instant": false, - "legendFormat": "25th Percentile", - "range": true, - "refId": "25th Percentile" - }, - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "editorMode": "code", - "expr": "histogram_quantile(0.5, sum(rate(envoy_http_downstream_rq_time_bucket{envoy_http_conn_manager_prefix=\"http\", namespace=~\"${namespace:regex}\", job=~\"${operator_namespace.regex}/.*-engine\"}[1m])) by (le))", - "hide": false, - "instant": false, - "legendFormat": "50th Percentile", - "range": true, - "refId": "50th Percentile" - }, - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "editorMode": "code", - "expr": "histogram_quantile(0.95, sum(rate(envoy_http_downstream_rq_time_bucket{envoy_http_conn_manager_prefix=\"http\", namespace=~\"${namespace:regex}\", job=~\"${operator_namespace.regex}/.*-engine\"}[1m])) by (le))", - "hide": false, - "instant": false, - "legendFormat": "95th Percentile", - "range": true, - "refId": "95th Percentile" - } - ], - "title": "Application Downstream Latency", - "type": "timeseries" - }, - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "description": "Percentiles of the Airlock Microgateway processing time over one minute.", - "fieldConfig": { - "defaults": { - "color": { - "mode": "palette-classic" - }, - "custom": { - "axisBorderShow": false, - "axisCenteredZero": false, - "axisColorMode": "text", - "axisLabel": "", - "axisPlacement": "auto", - "barAlignment": 0, - "drawStyle": "line", - "fillOpacity": 0, - "gradientMode": "none", - "hideFrom": { - "legend": false, - "tooltip": false, - "viz": false - }, - "insertNulls": false, - "lineInterpolation": "linear", - "lineWidth": 1, - "pointSize": 5, - "scaleDistribution": { - "type": "linear" - }, - "showPoints": "auto", - "spanNulls": false, - "stacking": { - "group": "A", - "mode": "none" - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "mappings": [], - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - }, - "unit": "ms" - }, - "overrides": [ - { - "matcher": { - "id": "byName", - "options": "25th Percentile" - }, - "properties": [ - { - "id": "color", - "value": { - "fixedColor": "super-light-purple", - "mode": "fixed" - } - } - ] - }, - { - "matcher": { - "id": "byName", - "options": "50th Percentile" - }, - "properties": [ - { - "id": "color", - "value": { - "fixedColor": "purple", - "mode": "fixed" - } - } - ] - }, - { - "matcher": { - "id": "byName", - "options": "95th Percentile" - }, - "properties": [ - { - "id": "color", - "value": { - "fixedColor": "dark-purple", - "mode": "fixed" - } - } - ] - } - ] - }, - "gridPos": { - "h": 9, - "w": 12, - "x": 12, - "y": 17 - }, - "id": 9, - "options": { - "legend": { - "calcs": [], - "displayMode": "list", - "placement": "bottom", - "showLegend": true - }, - "tooltip": { - "maxHeight": 600, - "mode": "single", - "sort": "none" - } - }, - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "editorMode": "code", - "expr": "histogram_quantile(0.25, sum(rate(microgateway_rq_processing_time_ms_bucket{namespace=~\"${namespace:regex}\", job=~\"${operator_namespace.regex}/.*-engine\"}[1m])) by (le))", - "instant": false, - "legendFormat": "25th Percentile", - "range": true, - "refId": "0.25 Percentile" - }, - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "editorMode": "code", - "expr": "histogram_quantile(0.5, sum(rate(microgateway_rq_processing_time_ms_bucket{namespace=~\"${namespace:regex}\", job=~\"${operator_namespace.regex}/.*-engine\"}[1m])) by (le))", - "hide": false, - "instant": false, - "legendFormat": "50th Percentile", - "range": true, - "refId": "0.5 Percentile" - }, - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "editorMode": "code", - "expr": "histogram_quantile(0.95, sum(rate(microgateway_rq_processing_time_ms_bucket{namespace=~\"${namespace:regex}\", job=~\"${operator_namespace.regex}/.*-engine\"}[1m])) by (le))", - "hide": false, - "instant": false, - "legendFormat": "95th Percentile", - "range": true, - "refId": "0.95 Percentile" - } - ], - "title": "Airlock Microgateway Processing Time", - "type": "timeseries" - } - ], - "refresh": "", - "schemaVersion": 39, - "tags": [ - "airlock-microgateway" - ], - "templating": { - "list": [ - { - "current": { - "selected": false, - "text": "Prometheus", - "value": "PBFA97CFB590B2093" - }, - "hide": 2, - "includeAll": false, - "label": "DS_PROMETHEUS", - "multi": false, - "name": "DS_PROMETHEUS", - "options": [], - "query": "prometheus", - "refresh": 1, - "regex": "", - "skipUrlSync": false, - "type": "datasource" - }, - { - "allValue": ".*", - "current": {}, - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "definition": "label_values(microgateway_license_valid,namespace)", - "hide": 0, - "includeAll": true, - "label": "Operator Namespace", - "multi": true, - "name": "operator_namespace", - "options": [], - "query": { - "qryType": 1, - "query": "label_values(microgateway_license_valid,namespace)", - "refId": "PrometheusVariableQueryEditor-VariableQuery" - }, - "refresh": 2, - "regex": ".*", - "skipUrlSync": false, - "sort": 0, - "type": "query" - }, - { - "allValue": ".*", - "current": {}, - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "definition": "label_values(microgateway_license_http_rq_total,namespace)", - "hide": 0, - "includeAll": true, - "label": "Application Namespace", - "multi": true, - "name": "namespace", - "options": [], - "query": { - "qryType": 1, - "query": "label_values(microgateway_license_http_rq_total,namespace)", - "refId": "PrometheusVariableQueryEditor-VariableQuery" - }, - "refresh": 2, - "regex": "", - "skipUrlSync": false, - "sort": 0, - "type": "query" - } - ] - }, - "time": { - "from": "now-24h", - "to": "now" - }, - "timeRangeUpdatedDuringEditOrView": false, - "timepicker": {}, - "timezone": "browser", - "title": "Airlock Microgateway Overview", - "uid": "fdp5jb8fnrmyoa", - "version": 1, - "weekStart": "" -} \ No newline at end of file diff --git a/charts/airlock/microgateway/4.3.1/gke-values.yaml b/charts/airlock/microgateway/4.3.1/gke-values.yaml new file mode 100644 index 000000000..d6d5c21d1 --- /dev/null +++ b/charts/airlock/microgateway/4.3.1/gke-values.yaml @@ -0,0 +1,4 @@ +# values for deploying on GKE + +config: + cniBinDir: "/home/kubernetes/bin" diff --git a/charts/airlock/microgateway/4.3.1/openshift-values.yaml b/charts/airlock/microgateway/4.3.1/openshift-values.yaml new file mode 100644 index 000000000..3b1d6cccd --- /dev/null +++ b/charts/airlock/microgateway/4.3.1/openshift-values.yaml @@ -0,0 +1,15 @@ +# values for deploying on OpenShift + +rbac: + createSCCRole: true + +privileged: true + +multusNetworkAttachmentDefinition: + create: true + namespace: default + +config: + installMode: "standalone" + cniNetDir: "/etc/cni/multus/net.d" + cniBinDir: "/var/lib/cni/bin" diff --git a/charts/airlock/microgateway/4.3.1/questions.yml b/charts/airlock/microgateway/4.3.1/questions.yml new file mode 100644 index 000000000..73ed44d64 --- /dev/null +++ b/charts/airlock/microgateway/4.3.1/questions.yml @@ -0,0 +1,18 @@ +questions: + - variable: config.cniNetDir + required: true + type: string + label: CNI Network Configuration Directory + group: "CNI Settings" + description: "Directory where the CNI config files reside on the host. This value depends on the kubernetes distribution and interface CNI Provider used. It can be fetched by running `crictl info -o go-template --template '{{.config.cni.confDir}}'` on your kubernetes host." + - variable: config.cniBinDir + required: true + type: string + label: CNI Plugin Binaries Directory + group: "CNI Settings" + description: "Directory where the CNI plugin binaries reside on the host. This value depends on the kubernetes distribution and interface CNI Provider used. It can be fetched by running `crictl info -o go-template --template '{{.config.cni.binDir}}'` on your kubernetes host." + - variable: config.installMode + required: true + label: CNI Plugin Installation Mode + group: "CNI Settings" + description: "Whether to install the CNI plugin as a `chained` plugin (default, required with most interface CNI providers) as a `standalone` plugin (required for use with Multus CNI, e.g. on OpenShift) or in `manual` mode, where no CNI network configuration is written. Please refer to the CNI installation documentation (https://github.com/airlock/microgateway?tab=readme-ov-file#deploy-airlock-microgateway-cni) to correctly setup the CNI Plugin for your environment." diff --git a/charts/airlock/microgateway/4.3.1/templates/NOTES.txt b/charts/airlock/microgateway/4.3.1/templates/NOTES.txt index e38e3caa0..e8aa45888 100644 --- a/charts/airlock/microgateway/4.3.1/templates/NOTES.txt +++ b/charts/airlock/microgateway/4.3.1/templates/NOTES.txt @@ -1,34 +1,3 @@ -Thank you for installing Airlock Microgateway. -If you have not already done so, make sure that Airlock Microgateway CNI is also installed on the cluster. +Thank you for installing Airlock Microgateway CNI. -For further information, please visit our documentation at https://docs.airlock.com/microgateway/{{ include "airlock-microgateway.docsVersion" .}}. -Detailed CRD API reference documentation is also available at https://docs.airlock.com/microgateway/{{ include "airlock-microgateway.docsVersion" .}}/api/crds. -{{ if .Values.crds.skipVersionCheck }} -- CRD version check skipped -{{- else }} -{{- $outdatedCRDs := (include "airlock-microgateway.outdatedCRDs" .) -}} -{{- if $outdatedCRDs -}} - {{- fail (printf ` - -Helm does not automatically upgrade CRDs from the chart's 'crds/' directory during 'helm install/upgrade'. -Therefore, the CRDs must be manually upgraded with the following command before deploying this chart: - -kubectl apply -k https://github.com/airlock/microgateway/deploy/charts/airlock-microgateway/crds/?ref=%s --server-side --force-conflicts - -If you are not using the helm install/upgrade command and instead rely on some other mechanism which is able to upgrade CRDs for deploying this chart, you can suppress this error by setting the helm value 'crds.skipVersionCheck=true'.` - .Chart.AppVersion) - -}} -{{- end -}} -{{- end -}} -{{- if .Values.tests.enabled }} - {{- if .Values.operator.watchNamespaces -}} - {{- if not (has .Release.Namespace .Values.operator.watchNamespaces) }} - {{- fail (printf ` - -To execute 'helm test', it is necessary that the release namespace '%s' is part of the operator's watch scope. Either disable the tests or ensure that the release namespace is added to watch namspace list ('operator.watchNamespaces') in the helm values. -` - .Release.Namespace) - -}} - {{- end -}} - {{- end -}} -{{- end }} \ No newline at end of file +For further information, please visit our documentation at https://docs.airlock.com/microgateway/{{ include "airlock-microgateway-cni.docsVersion" .}}. diff --git a/charts/airlock/microgateway/4.3.1/templates/_helpers.tpl b/charts/airlock/microgateway/4.3.1/templates/_helpers.tpl index 733ba9648..996491a87 100644 --- a/charts/airlock/microgateway/4.3.1/templates/_helpers.tpl +++ b/charts/airlock/microgateway/4.3.1/templates/_helpers.tpl @@ -1,16 +1,14 @@ {{/* Expand the name of the chart. -We truncate at 49 chars because some Kubernetes name fields are limited to 63 chars (by the DNS naming spec) -and the longest explicit suffix is 14 characters. */}} -{{- define "airlock-microgateway.name" -}} -{{- default .Chart.Name .Values.nameOverride | trunc 49 | trimSuffix "-" }} +{{- define "airlock-microgateway-cni.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} {{- end }} {{/* Convert an image configuration object into an image ref string. */}} -{{- define "airlock-microgateway.image" -}} +{{- define "airlock-microgateway-cni.image" -}} {{- if .digest -}} {{- printf "%s@%s" .repository .digest -}} {{- else if .tag -}} @@ -22,19 +20,19 @@ Convert an image configuration object into an image ref string. {{/* Create a default fully qualified app name. -We truncate at 36 chars because some Kubernetes name fields are limited to 63 chars (by the DNS naming spec) -and the longest implicit suffix is 27 characters. +We truncate at 50 chars because some Kubernetes name fields are limited to 63 chars (by the DNS naming spec) +and the longest suffix is 13 characters. If release name contains chart name it will be used as a full name. */}} -{{- define "airlock-microgateway.fullname" -}} +{{- define "airlock-microgateway-cni.fullname" -}} {{- if .Values.fullnameOverride }} -{{- .Values.fullnameOverride | trunc 36 | trimSuffix "-" }} +{{- .Values.fullnameOverride | trunc 50 | trimSuffix "-" }} {{- else }} {{- $name := default .Chart.Name .Values.nameOverride }} {{- if contains $name .Release.Name }} -{{- .Release.Name | trunc 36 | trimSuffix "-" }} +{{- .Release.Name | trunc 50 | trimSuffix "-" }} {{- else }} -{{- printf "%s-%s" .Release.Name $name | trunc 36 | trimSuffix "-" }} +{{- printf "%s-%s" .Release.Name $name | trunc 50 | trimSuffix "-" }} {{- end }} {{- end }} {{- end }} @@ -42,112 +40,62 @@ If release name contains chart name it will be used as a full name. {{/* Create chart name and version as used by the chart label. */}} -{{- define "airlock-microgateway.chart" -}} +{{- define "airlock-microgateway-cni.chart" -}} {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} {{- end }} {{/* Common labels */}} -{{- define "airlock-microgateway.sharedLabels" -}} -helm.sh/chart: {{ include "airlock-microgateway.chart" . }} +{{- define "airlock-microgateway-cni.labels" -}} +helm.sh/chart: {{ include "airlock-microgateway-cni.chart" . }} +{{ include "airlock-microgateway-cni.selectorLabels" . }} {{- if .Chart.AppVersion }} app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} {{- end }} app.kubernetes.io/managed-by: {{ .Release.Service }} -app.kubernetes.io/part-of: {{ .Chart.Name }} {{- with .Values.commonLabels }} {{ toYaml .}} {{- end }} {{- end }} {{/* -Common Selector labels +Common labels without component */}} -{{- define "airlock-microgateway.sharedSelectorLabels" -}} -app.kubernetes.io/instance: {{ .Release.Name }} +{{- define "airlock-microgateway-cni.labelsWithoutComponent" -}} +{{- $labels := fromYaml (include "airlock-microgateway-cni.labels" .) -}} +{{ unset $labels "app.kubernetes.io/component" | toYaml }} {{- end }} {{/* -Restricted Container Security Context +Selector labels */}} -{{- define "airlock-microgateway.restrictedSecurityContext" -}} -allowPrivilegeEscalation: false -privileged: false -runAsNonRoot: true -capabilities: - drop: ["ALL"] -readOnlyRootFilesystem: true -seccompProfile: - type: RuntimeDefault +{{- define "airlock-microgateway-cni.selectorLabels" -}} +app.kubernetes.io/component: cni-plugin-installer +app.kubernetes.io/instance: {{ .Release.Name }} +app.kubernetes.io/name: {{ include "airlock-microgateway-cni.name" . }} {{- end }} -{{/* Precondition: May only be used if AppVersion is isSemver */}} -{{- define "airlock-microgateway.supportedCRDVersionPattern" -}} -{{- $version := (semver .Chart.AppVersion) -}} -{{- if $version.Prerelease -}} ->= {{ $version.Major }}.{{ $version.Minor }}.{{ $version.Patch }}-{{ $version.Prerelease }} -{{- else -}} ->= {{ $version.Major }}.{{ $version.Minor }}.0 || >= {{ $version.Major }}.{{ $version.Minor }}.{{ add1 $version.Patch }}-0 -{{- end -}} -{{- end -}} +{{/* +Create the name of the service account to use for the CNI Plugin +*/}} +{{- define "airlock-microgateway-cni.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "airlock-microgateway-cni.fullname" .) .Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} -{{- define "airlock-microgateway.outdatedCRDs" -}} -{{- if (eq "true" (include "airlock-microgateway.isSemver" .Chart.AppVersion)) -}} - {{- $supportedVersion := (include "airlock-microgateway.supportedCRDVersionPattern" .) -}} - {{- range $path, $_ := .Files.Glob "crds/*.yaml" -}} - {{- $api := ($.Files.Get $path | fromYaml).metadata.name -}} - {{- $crd := (lookup "apiextensions.k8s.io/v1" "CustomResourceDefinition" "" $api) -}} - {{- $isOutdated := false -}} - {{- if $crd -}} - {{/* If CRD is already present in the cluster, it must have the minimum supported version */}} - {{- $isOutdated = true -}} - {{- if hasKey $crd.metadata "labels" -}} - {{- $crdVersion := get $crd.metadata.labels "app.kubernetes.io/version" -}} - {{- if (eq "true" (include "airlock-microgateway.isSemver" $crdVersion)) -}} - {{- if (semverCompare $supportedVersion $crdVersion) }} - {{- $isOutdated = false -}} - {{- end }} - {{- end -}} - {{- end -}} - {{- end -}} - {{- if $isOutdated }} -{{ base $path }} - {{- end }} - {{- end -}} -{{- end -}} -{{- end -}} - -{{- define "airlock-microgateway.isSemver" -}} +{{- define "airlock-microgateway-cni.isSemver" -}} {{- regexMatch `^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$` . -}} {{- end -}} -{{- define "airlock-microgateway.docsVersion" -}} -{{- if and (eq "true" (include "airlock-microgateway.isSemver" .Chart.AppVersion)) (not (contains "-" .Chart.AppVersion)) -}} +{{- define "airlock-microgateway-cni.docsVersion" -}} +{{- if and (eq "true" (include "airlock-microgateway-cni.isSemver" .Chart.AppVersion)) (not (contains "-" .Chart.AppVersion)) -}} {{- $version := (semver .Chart.AppVersion) -}} {{- $version.Major }}.{{ $version.Minor -}} {{- else -}} {{- print "latest" -}} {{- end -}} {{- end -}} - -{{- define "airlock-microgateway.watchNamespaceSelector.labelQuery" -}} -{{- $list := list -}} -{{- with .matchLabels -}} - {{- range $key, $value := . -}} - {{- $list = append $list (printf "%s=%s" $key $value) -}} - {{- end -}} -{{- end -}} -{{- with .matchExpressions -}} - {{- range . -}} - {{- if has .operator (list "In" "NotIn") -}} - {{- $list = append $list (printf "%s %s (%s)" .key (lower .operator) (join "," .values)) -}} - {{- else if eq .operator "Exists" -}} - {{- $list = append $list .key -}} - {{- else if eq .operator "DoesNotExist" -}} - {{- $list = append $list (printf "!%s" .key) -}} - {{- end -}} - {{- end -}} -{{- end -}} -{{- join "," $list -}} -{{- end -}} \ No newline at end of file diff --git a/charts/airlock/microgateway/4.3.1/templates/clusterrole.yaml b/charts/airlock/microgateway/4.3.1/templates/clusterrole.yaml new file mode 100644 index 000000000..ef88ac783 --- /dev/null +++ b/charts/airlock/microgateway/4.3.1/templates/clusterrole.yaml @@ -0,0 +1,22 @@ +{{- if .Values.rbac.create -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "airlock-microgateway-cni.fullname" . }} + labels: + {{- include "airlock-microgateway-cni.labels" . | nindent 4 }} + {{- with .Values.commonAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +rules: + - apiGroups: + - "" + resources: + - pods + verbs: + - get + - list + - watch + - patch +{{- end -}} diff --git a/charts/airlock/microgateway/4.3.1/templates/clusterrolebinding.yaml b/charts/airlock/microgateway/4.3.1/templates/clusterrolebinding.yaml new file mode 100644 index 000000000..04f87cb0f --- /dev/null +++ b/charts/airlock/microgateway/4.3.1/templates/clusterrolebinding.yaml @@ -0,0 +1,20 @@ +{{- if .Values.rbac.create -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "airlock-microgateway-cni.fullname" . }} + labels: + {{- include "airlock-microgateway-cni.labels" . | nindent 4 }} + {{- with .Values.commonAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "airlock-microgateway-cni.fullname" . }} +subjects: + - kind: ServiceAccount + name: {{ include "airlock-microgateway-cni.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +{{- end -}} diff --git a/charts/airlock/microgateway/4.3.1/templates/configmap.yaml b/charts/airlock/microgateway/4.3.1/templates/configmap.yaml new file mode 100644 index 000000000..b880116ef --- /dev/null +++ b/charts/airlock/microgateway/4.3.1/templates/configmap.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "airlock-microgateway-cni.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "airlock-microgateway-cni.labels" . | nindent 4 }} + {{- with .Values.commonAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +data: + plugin-conf.json: |- + { + "type": "{{ include "airlock-microgateway-cni.fullname" . }}", + "debug": {{ eq .Values.config.logLevel "debug" }}, + "logFilePath": "/var/log/{{ include "airlock-microgateway-cni.fullname" . }}.log", + "kubernetes": { + "kubeconfig": "{{ .Values.config.cniNetDir }}/{{ include "airlock-microgateway-cni.fullname" . }}-kubeconfig", + "excludeNamespaces": {{ toJson .Values.config.excludeNamespaces }} + } + } diff --git a/charts/airlock/microgateway/4.3.1/templates/daemonset.yaml b/charts/airlock/microgateway/4.3.1/templates/daemonset.yaml new file mode 100644 index 000000000..4ba9f2669 --- /dev/null +++ b/charts/airlock/microgateway/4.3.1/templates/daemonset.yaml @@ -0,0 +1,136 @@ +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: {{ include "airlock-microgateway-cni.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "airlock-microgateway-cni.labels" . | nindent 4 }} + {{- with .Values.commonAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + selector: + matchLabels: + {{- include "airlock-microgateway-cni.selectorLabels" . | nindent 6 }} + template: + metadata: + annotations: + checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + kubectl.kubernetes.io/default-container: cni-installer + {{- with mustMerge .Values.podAnnotations .Values.commonAnnotations}} + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "airlock-microgateway-cni.labels" . | nindent 8 }} + {{- with .Values.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + containers: + - args: + - --log-level + - "{{ .Values.config.logLevel }}" + env: + - name: CNI_NETWORK_CONFIG + valueFrom: + configMapKeyRef: + key: plugin-conf.json + name: {{ include "airlock-microgateway-cni.fullname" . }} + - name: CNI_BIN_DIR + value: /host/opt/cni/bin + - name: CNI_NET_DIR + value: /host/etc/cni/net.d + - name: KUBECONFIG_FILE_NAME + value: "{{ include "airlock-microgateway-cni.fullname" . }}-kubeconfig" + - name: INSTALL_MODE + value: {{ .Values.config.installMode }} + - name: KUBERNETES_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + image: {{ include "airlock-microgateway-cni.image" .Values.image }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + name: cni-installer + {{- with .Values.resources }} + resources: + {{- toYaml . | nindent 12 }} + {{- end }} + startupProbe: + exec: + command: + - /cni-installer + - probe + failureThreshold: 5 + initialDelaySeconds: 3 + periodSeconds: 3 + timeoutSeconds: 3 + readinessProbe: + exec: + command: + - /cni-installer + - probe + failureThreshold: 1 + periodSeconds: 60 + timeoutSeconds: 3 + securityContext: + allowPrivilegeEscalation: {{ .Values.privileged }} + capabilities: + drop: + - ALL + privileged: {{ .Values.privileged }} + readOnlyRootFilesystem: true + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 + seccompProfile: + type: RuntimeDefault + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /host/opt/cni/bin + name: cni-bin-dir + - mountPath: /host/etc/cni/net.d + name: cni-net-dir + - mountPath: /run/cni-installer + name: cni-installer-status + hostNetwork: true + priorityClassName: system-node-critical + restartPolicy: Always + securityContext: + fsGroup: 0 + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 + serviceAccountName: {{ include "airlock-microgateway-cni.serviceAccountName" . }} + terminationGracePeriodSeconds: 5 + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + tolerations: + - effect: NoSchedule + operator: Exists + - key: CriticalAddonsOnly + operator: Exists + - effect: NoExecute + operator: Exists + volumes: + - hostPath: + path: "{{ .Values.config.cniBinDir }}" + type: Directory + name: cni-bin-dir + - hostPath: + path: "{{ .Values.config.cniNetDir }}" + type: Directory + name: cni-net-dir + - emptyDir: {} + name: cni-installer-status diff --git a/charts/airlock/microgateway/4.3.1/templates/network-attachment-definition.yaml b/charts/airlock/microgateway/4.3.1/templates/network-attachment-definition.yaml new file mode 100644 index 000000000..5d657e309 --- /dev/null +++ b/charts/airlock/microgateway/4.3.1/templates/network-attachment-definition.yaml @@ -0,0 +1,13 @@ +{{- if .Values.multusNetworkAttachmentDefinition.create -}} +apiVersion: "k8s.cni.cncf.io/v1" +kind: NetworkAttachmentDefinition +metadata: + name: {{ include "airlock-microgateway-cni.fullname" . }} + namespace: {{ .Values.multusNetworkAttachmentDefinition.namespace }} + labels: + {{- include "airlock-microgateway-cni.labels" . | nindent 4 }} + {{- with .Values.commonAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end -}} diff --git a/charts/airlock/microgateway/4.3.1/templates/operator/_operator_helpers.tpl b/charts/airlock/microgateway/4.3.1/templates/operator/_operator_helpers.tpl deleted file mode 100644 index a540ff9f4..000000000 --- a/charts/airlock/microgateway/4.3.1/templates/operator/_operator_helpers.tpl +++ /dev/null @@ -1,42 +0,0 @@ -{{/* -Create a default fully qualified name for operator components. -*/}} -{{- define "airlock-microgateway.operator.fullname" -}} -{{ include "airlock-microgateway.fullname" . }}-operator -{{- end }} - - -{{/* -Common operator labels -*/}} -{{- define "airlock-microgateway.operator.labels" -}} -{{ include "airlock-microgateway.sharedLabels" . }} -{{ include "airlock-microgateway.operator.selectorLabels" . }} -{{- end }} - -{{/* -Operator Selector labels -*/}} -{{- define "airlock-microgateway.operator.selectorLabels" -}} -{{ include "airlock-microgateway.sharedSelectorLabels" . }} -app.kubernetes.io/name: {{ include "airlock-microgateway.name" . }}-operator -app.kubernetes.io/component: controller -{{- end }} - -{{/* -Create the name of the service account to use for the operator -*/}} -{{- define "airlock-microgateway.operator.serviceAccountName" -}} -{{- if .Values.operator.serviceAccount.create }} -{{- default (include "airlock-microgateway.operator.fullname" .) .Values.operator.serviceAccount.name }} -{{- else }} -{{- default "default" .Values.operator.serviceAccount.name }} -{{- end }} -{{- end }} - -{{/* -ServiceMonitor metrics regex pattern for leader only metrics -*/}} -{{- define "airlock-microgateway.operator.metricsLeaderOnlyRegexPattern" -}} -^(microgateway_license|microgateway_sidecars).*$ -{{- end }} diff --git a/charts/airlock/microgateway/4.3.1/templates/operator/_rbac.gen.tpl b/charts/airlock/microgateway/4.3.1/templates/operator/_rbac.gen.tpl deleted file mode 100644 index 83b314cbc..000000000 --- a/charts/airlock/microgateway/4.3.1/templates/operator/_rbac.gen.tpl +++ /dev/null @@ -1,237 +0,0 @@ -{{/* AUTOGENERATED FILE DO NOT EDIT */}} - -{{/* -Operator rbac permission rules -*/}} -{{- define "airlock-microgateway-operator.rbacRules" -}} -- apiGroups: - - "" - resources: - - configmaps - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - events - verbs: - - create - - patch -- apiGroups: - - "" - resources: - - namespaces - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - pods - verbs: - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - "" - resources: - - pods/finalizers - verbs: - - update -- apiGroups: - - "" - resources: - - pods/status - verbs: - - patch - - update -- apiGroups: - - "" - resources: - - secrets - verbs: - - create - - delete - - get - - list - - update - - watch -- apiGroups: - - microgateway.airlock.com - resources: - - accesscontrols - verbs: - - get - - list - - watch -- apiGroups: - - microgateway.airlock.com - resources: - - contentsecurities - verbs: - - get - - list - - watch -- apiGroups: - - microgateway.airlock.com - resources: - - denyrules - verbs: - - get - - list - - watch -- apiGroups: - - microgateway.airlock.com - resources: - - envoyclusters - verbs: - - get - - list - - watch -- apiGroups: - - microgateway.airlock.com - resources: - - envoyconfigurations - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - microgateway.airlock.com - resources: - - envoyconfigurations/status - verbs: - - get - - patch - - update -- apiGroups: - - microgateway.airlock.com - resources: - - envoyhttpfilters - verbs: - - get - - list - - watch -- apiGroups: - - microgateway.airlock.com - resources: - - graphqls - verbs: - - get - - list - - watch -- apiGroups: - - microgateway.airlock.com - resources: - - headerrewrites - verbs: - - get - - list - - watch -- apiGroups: - - microgateway.airlock.com - resources: - - identitypropagations - verbs: - - get - - list - - watch -- apiGroups: - - microgateway.airlock.com - resources: - - limits - verbs: - - get - - list - - watch -- apiGroups: - - microgateway.airlock.com - resources: - - oidcproviders - verbs: - - get - - list - - watch -- apiGroups: - - microgateway.airlock.com - resources: - - oidcrelyingparties - verbs: - - get - - list - - watch -- apiGroups: - - microgateway.airlock.com - resources: - - openapis - verbs: - - get - - list - - watch -- apiGroups: - - microgateway.airlock.com - resources: - - parsers - verbs: - - get - - list - - watch -- apiGroups: - - microgateway.airlock.com - resources: - - redisproviders - verbs: - - get - - list - - watch -- apiGroups: - - microgateway.airlock.com - resources: - - sessionhandlings - verbs: - - get - - list - - watch -- apiGroups: - - microgateway.airlock.com - resources: - - sidecargateways - verbs: - - get - - list - - patch - - update - - watch -- apiGroups: - - microgateway.airlock.com - resources: - - sidecargateways/finalizers - verbs: - - update -- apiGroups: - - microgateway.airlock.com - resources: - - sidecargateways/status - verbs: - - get - - patch - - update -- apiGroups: - - microgateway.airlock.com - resources: - - telemetries - verbs: - - get - - list - - watch -{{- end }} diff --git a/charts/airlock/microgateway/4.3.1/templates/operator/dashboard-configmap.yaml b/charts/airlock/microgateway/4.3.1/templates/operator/dashboard-configmap.yaml deleted file mode 100644 index b71ac89b6..000000000 --- a/charts/airlock/microgateway/4.3.1/templates/operator/dashboard-configmap.yaml +++ /dev/null @@ -1,28 +0,0 @@ -{{- if .Values.dashboards.create -}} -{{- range $instance := (keys .Values.dashboards.instances | sortAlpha) -}} -{{- $dashboard := get $.Values.dashboards.instances $instance -}} -{{- if $dashboard.create }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "airlock-microgateway.fullname" $ }}-dashboard-{{ $instance | lower }} - namespace: {{ $.Release.Namespace }} - labels: - {{- include "airlock-microgateway.operator.labels" $ | nindent 4 }} - {{- with $.Values.dashboards.config.grafana.dashboardLabel -}} - {{- .name | nindent 4 -}}: {{ .value | quote }} - {{- end }} - annotations: - {{- with $.Values.dashboards.config.grafana.folderAnnotation -}} - {{- .name | nindent 4 -}}: {{ .value | quote }} - {{- end }} - {{- with $.Values.commonAnnotations }} - {{- toYaml . | nindent 4 }} - {{- end }} -data: - {{- printf "%s.json" $instance | nindent 2 }}: |- - {{- ($.Files.Get (printf "dashboards/%s.json" $instance)) | nindent 4 -}} -{{- end -}} -{{- end -}} -{{- end -}} \ No newline at end of file diff --git a/charts/airlock/microgateway/4.3.1/templates/operator/deployment.yaml b/charts/airlock/microgateway/4.3.1/templates/operator/deployment.yaml deleted file mode 100644 index db340cdec..000000000 --- a/charts/airlock/microgateway/4.3.1/templates/operator/deployment.yaml +++ /dev/null @@ -1,143 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "airlock-microgateway.operator.fullname" . }} - namespace: {{ .Release.Namespace }} - labels: - {{- include "airlock-microgateway.operator.labels" . | nindent 4 }} - {{- with .Values.commonAnnotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -spec: - replicas: {{ .Values.operator.replicaCount }} - {{- with .Values.operator.updateStrategy }} - strategy: - {{- toYaml . | trim | nindent 4 }} - {{- end }} - selector: - matchLabels: - {{- include "airlock-microgateway.operator.selectorLabels" . | nindent 6 }} - template: - metadata: - annotations: - checksum/config: {{ include (print $.Template.BasePath "/operator/configmap.yaml") . | sha256sum }} - kubectl.kubernetes.io/default-container: manager - {{- with mustMerge .Values.operator.podAnnotations .Values.commonAnnotations}} - {{- toYaml . | nindent 8 }} - {{- end }} - labels: - {{- include "airlock-microgateway.operator.labels" . | nindent 8 }} - {{- with .Values.operator.podLabels }} - {{- toYaml . | nindent 8 }} - {{- end }} - spec: - containers: - - args: - - --config=operator_config.yaml - env: - - name: ENGINE_IMAGE - value: {{ include "airlock-microgateway.image" .Values.engine.image }} - - name: NETWORK_VALIDATOR_IMAGE - value: {{ include "airlock-microgateway.image" .Values.networkValidator.image }} - - name: SESSION_AGENT_IMAGE - value: {{ include "airlock-microgateway.image" .Values.sessionAgent.image }} - - name: OPERATOR_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: OPERATOR_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - image: {{ include "airlock-microgateway.image" .Values.operator.image }} - imagePullPolicy: {{ .Values.operator.image.pullPolicy }} - livenessProbe: - httpGet: - path: /healthz - port: 8081 - initialDelaySeconds: 15 - periodSeconds: 20 - timeoutSeconds: 5 - name: manager - ports: - - containerPort: 9443 - name: webhook-server - protocol: TCP - - containerPort: 13377 - name: xds-server - protocol: TCP - - containerPort: 8080 - protocol: TCP - - containerPort: 8081 - protocol: TCP - readinessProbe: - httpGet: - path: /readyz - port: 8081 - initialDelaySeconds: 5 - periodSeconds: 10 - timeoutSeconds: 5 - {{- with .Values.operator.resources }} - resources: - {{- toYaml . | nindent 10 }} - {{- end }} - securityContext: - {{- include "airlock-microgateway.restrictedSecurityContext" . | nindent 10 }} - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /tmp/k8s-webhook-server/serving-certs - name: cert - readOnly: true - - mountPath: /opt/airlock/license/ - name: airlock-microgateway-license - readOnly: true - - mountPath: /operator_config.yaml - name: operator-config - subPath: operator_config.yaml - - mountPath: /sidecar/engine_container_template.yaml - name: operator-config - subPath: engine_container_template.yaml - - mountPath: /sidecar/network_validator_container_template.yaml - name: operator-config - subPath: network_validator_container_template.yaml - - mountPath: /sidecar/session_agent_container_template.yaml - name: operator-config - subPath: session_agent_container_template.yaml - - mountPath: /engine_bootstrap_config_template.yaml - name: operator-config - subPath: engine_bootstrap_config_template.yaml - securityContext: - runAsNonRoot: true - serviceAccountName: {{ include "airlock-microgateway.operator.serviceAccountName" . }} - terminationGracePeriodSeconds: 10 - {{- with .Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.operator.nodeSelector }} - nodeSelector: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.operator.tolerations }} - tolerations: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.operator.affinity }} - affinity: - {{- toYaml . | nindent 8 }} - {{- end }} - volumes: - - name: cert - secret: - defaultMode: 420 - secretName: {{ include "airlock-microgateway.operator.fullname" . }}-webhook-server-cert - - name: airlock-microgateway-license - secret: - defaultMode: 292 - optional: true - secretName: {{ .Values.license.secretName }} - - configMap: - name: {{ include "airlock-microgateway.operator.fullname" . }}-config - name: operator-config diff --git a/charts/airlock/microgateway/4.3.1/templates/operator/manager-role.yaml b/charts/airlock/microgateway/4.3.1/templates/operator/manager-role.yaml deleted file mode 100644 index 90335bcfe..000000000 --- a/charts/airlock/microgateway/4.3.1/templates/operator/manager-role.yaml +++ /dev/null @@ -1,33 +0,0 @@ -{{- if .Values.operator.rbac.create }} -{{- if empty .Values.operator.watchNamespaces }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ include "airlock-microgateway.operator.fullname" . }}-manager-{{ .Release.Namespace }} - labels: - {{- include "airlock-microgateway.operator.labels" . | nindent 4 }} - {{- with .Values.commonAnnotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -rules: -{{ include "airlock-microgateway-operator.rbacRules" . -}} -{{- else }} -{{- range $namespace := (append .Values.operator.watchNamespaces .Release.Namespace | uniq) }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: {{ include "airlock-microgateway.operator.fullname" $ }}-manager - namespace: {{ $namespace }} - labels: - {{- include "airlock-microgateway.operator.labels" $ | nindent 4 }} - {{- with $.Values.commonAnnotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -rules: -{{ include "airlock-microgateway-operator.rbacRules" $ }} ---- -{{- end -}} -{{- end -}} -{{- end -}} diff --git a/charts/airlock/microgateway/4.3.1/templates/operator/manager-rolebinding.yaml b/charts/airlock/microgateway/4.3.1/templates/operator/manager-rolebinding.yaml deleted file mode 100644 index ae99cfb7b..000000000 --- a/charts/airlock/microgateway/4.3.1/templates/operator/manager-rolebinding.yaml +++ /dev/null @@ -1,45 +0,0 @@ -{{- if .Values.operator.rbac.create }} -{{- if empty .Values.operator.watchNamespaces }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: {{ include "airlock-microgateway.operator.fullname" . }}-manager-{{ .Release.Namespace }} - labels: - {{- include "airlock-microgateway.operator.labels" . | nindent 4 }} - {{- with .Values.commonAnnotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: {{ include "airlock-microgateway.operator.fullname" . }}-manager-{{ .Release.Namespace }} -subjects: - - kind: ServiceAccount - name: {{ include "airlock-microgateway.operator.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} -{{- else }} -{{- range $namespace := (append .Values.operator.watchNamespaces .Release.Namespace | uniq) }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: {{ include "airlock-microgateway.operator.fullname" $ }}-manager - namespace: {{ $namespace }} - labels: - {{- include "airlock-microgateway.operator.labels" $ | nindent 4 }} - {{- with $.Values.commonAnnotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: {{ include "airlock-microgateway.operator.fullname" $ }}-manager -subjects: - - kind: ServiceAccount - name: {{ include "airlock-microgateway.operator.serviceAccountName" $ }} - namespace: {{ $.Release.Namespace }} ---- -{{- end -}} -{{- end -}} -{{- end -}} diff --git a/charts/airlock/microgateway/4.3.1/templates/operator/metrics-service.yaml b/charts/airlock/microgateway/4.3.1/templates/operator/metrics-service.yaml deleted file mode 100644 index 34d23f6d6..000000000 --- a/charts/airlock/microgateway/4.3.1/templates/operator/metrics-service.yaml +++ /dev/null @@ -1,47 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: airlock-microgateway-operator-metrics - namespace: {{ .Release.Namespace }} - labels: - {{- include "airlock-microgateway.operator.labels" . | nindent 4 }} - {{- with .Values.operator.serviceLabels }} - {{- toYaml . | nindent 4 }} - {{- end }} - {{- with mustMerge .Values.operator.serviceAnnotations .Values.commonAnnotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -spec: - ports: - - appProtocol: http - name: metrics - port: 8080 - protocol: TCP - selector: - {{- include "airlock-microgateway.operator.selectorLabels" . | nindent 4 }} ---- -apiVersion: v1 -kind: Service -metadata: - name: airlock-microgateway-operator-leader-metrics - namespace: {{ .Release.Namespace }} - labels: - {{- include "airlock-microgateway.operator.labels" . | nindent 4 }} - {{- with .Values.operator.serviceLabels }} - {{- toYaml . | nindent 4 }} - {{- end }} - operator.microgateway.airlock.com/isLeader: "true" - {{- with mustMerge .Values.operator.serviceAnnotations .Values.commonAnnotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -spec: - ports: - - appProtocol: http - name: metrics - port: 8080 - protocol: TCP - selector: - {{- include "airlock-microgateway.operator.selectorLabels" . | nindent 4 }} - operator.microgateway.airlock.com/isLeader: "true" \ No newline at end of file diff --git a/charts/airlock/microgateway/4.3.1/templates/operator/mutating-webhook.yaml b/charts/airlock/microgateway/4.3.1/templates/operator/mutating-webhook.yaml deleted file mode 100644 index 311f9726a..000000000 --- a/charts/airlock/microgateway/4.3.1/templates/operator/mutating-webhook.yaml +++ /dev/null @@ -1,28 +0,0 @@ -apiVersion: admissionregistration.k8s.io/v1 -kind: MutatingWebhookConfiguration -metadata: - name: {{ include "airlock-microgateway.operator.fullname" . }}-webhook-{{ .Release.Namespace }} - namespace: {{ .Release.Namespace }} - labels: - {{- include "airlock-microgateway.operator.labels" . | nindent 4 }} - annotations: - cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "airlock-microgateway.operator.fullname" . }}-serving-cert - {{- with .Values.commonAnnotations }} - {{- toYaml . | nindent 4 }} - {{- end }} -webhooks: -{{- range $webhook := (include "airlock-microgateway-operator.mutatingWebhooks" .) | fromYamlArray }} -- {{ toYaml $webhook | indent 2 | trim }} - {{- with $.Values.operator.watchNamespaceSelector }} - namespaceSelector: - {{- toYaml . | nindent 4 }} - {{- end }} - {{- with $.Values.operator.watchNamespaces }} - namespaceSelector: - matchExpressions: - - key: kubernetes.io/metadata.name - operator: In - values: - {{- toYaml . | nindent 10 }} - {{- end }} -{{- end }} \ No newline at end of file diff --git a/charts/airlock/microgateway/4.3.1/templates/operator/podmonitor.yaml b/charts/airlock/microgateway/4.3.1/templates/operator/podmonitor.yaml deleted file mode 100644 index 1fe34fcb3..000000000 --- a/charts/airlock/microgateway/4.3.1/templates/operator/podmonitor.yaml +++ /dev/null @@ -1,27 +0,0 @@ -{{- if .Values.engine.sidecar.podMonitor.create }} -apiVersion: monitoring.coreos.com/v1 -kind: PodMonitor -metadata: - name: {{ include "airlock-microgateway.fullname" . }}-engine - namespace: {{ .Release.Namespace }} - labels: - {{- include "airlock-microgateway.operator.labels" . | nindent 4 }} - {{- with .Values.engine.sidecar.podMonitor.labels }} - {{- toYaml . | nindent 4 }} - {{- end }} - {{- with .Values.commonAnnotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -spec: - namespaceSelector: - any: true - selector: - matchLabels: - sidecar.microgateway.airlock.com/inject: "true" - microgateway.airlock.com/managedBy: {{ .Release.Namespace }} - podMetricsEndpoints: - - targetPort: 19002 - path: /metrics - scheme: http -{{- end -}} \ No newline at end of file diff --git a/charts/airlock/microgateway/4.3.1/templates/operator/role.yaml b/charts/airlock/microgateway/4.3.1/templates/operator/role.yaml deleted file mode 100644 index 5378be8ef..000000000 --- a/charts/airlock/microgateway/4.3.1/templates/operator/role.yaml +++ /dev/null @@ -1,45 +0,0 @@ -{{- if .Values.operator.rbac.create -}} -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: {{ include "airlock-microgateway.operator.fullname" . }}-leader-election - namespace: {{ .Release.Namespace }} - labels: - {{- include "airlock-microgateway.operator.labels" . | nindent 4 }} - {{- with .Values.commonAnnotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -rules: - - apiGroups: - - "" - resources: - - configmaps - verbs: - - get - - list - - watch - - create - - update - - patch - - delete - - apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - get - - list - - watch - - create - - update - - patch - - delete - - apiGroups: - - "" - resources: - - events - verbs: - - create - - patch -{{- end -}} \ No newline at end of file diff --git a/charts/airlock/microgateway/4.3.1/templates/operator/rolebinding.yaml b/charts/airlock/microgateway/4.3.1/templates/operator/rolebinding.yaml deleted file mode 100644 index bafec1015..000000000 --- a/charts/airlock/microgateway/4.3.1/templates/operator/rolebinding.yaml +++ /dev/null @@ -1,20 +0,0 @@ -{{- if .Values.operator.rbac.create -}} -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: {{ include "airlock-microgateway.operator.fullname" . }}-leader-election - namespace: {{ .Release.Namespace }} - labels: - {{- include "airlock-microgateway.operator.labels" . | nindent 4 }} - {{- with .Values.commonAnnotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: {{ include "airlock-microgateway.operator.fullname" . }}-leader-election -subjects: - - kind: ServiceAccount - name: {{ include "airlock-microgateway.operator.serviceAccountName" . }} -{{- end -}} diff --git a/charts/airlock/microgateway/4.3.1/templates/operator/selfsigned-issuer.yaml b/charts/airlock/microgateway/4.3.1/templates/operator/selfsigned-issuer.yaml deleted file mode 100644 index 466c56338..000000000 --- a/charts/airlock/microgateway/4.3.1/templates/operator/selfsigned-issuer.yaml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: cert-manager.io/v1 -kind: Issuer -metadata: - name: {{ include "airlock-microgateway.operator.fullname" . }}-selfsigned-issuer - namespace: {{ .Release.Namespace }} - labels: - {{- include "airlock-microgateway.operator.labels" . | nindent 4 }} - {{- with .Values.commonAnnotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -spec: - selfSigned: {} diff --git a/charts/airlock/microgateway/4.3.1/templates/operator/serviceaccount.yaml b/charts/airlock/microgateway/4.3.1/templates/operator/serviceaccount.yaml deleted file mode 100644 index 434d7e9d3..000000000 --- a/charts/airlock/microgateway/4.3.1/templates/operator/serviceaccount.yaml +++ /dev/null @@ -1,13 +0,0 @@ -{{- if .Values.operator.serviceAccount.create -}} -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ include "airlock-microgateway.operator.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} - labels: - {{- include "airlock-microgateway.operator.labels" . | nindent 4 }} - {{- with mustMerge .Values.operator.serviceAccount.annotations .Values.commonAnnotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -{{- end -}} diff --git a/charts/airlock/microgateway/4.3.1/templates/operator/servicemonitor.yaml b/charts/airlock/microgateway/4.3.1/templates/operator/servicemonitor.yaml deleted file mode 100644 index ff85a9a31..000000000 --- a/charts/airlock/microgateway/4.3.1/templates/operator/servicemonitor.yaml +++ /dev/null @@ -1,60 +0,0 @@ -{{- if .Values.operator.serviceMonitor.create }} -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: {{ include "airlock-microgateway.operator.fullname" . }} - namespace: {{ .Release.Namespace }} - labels: - {{- include "airlock-microgateway.operator.labels" . | nindent 4 }} - {{- with .Values.operator.serviceMonitor.labels }} - {{- toYaml . | nindent 4 }} - {{- end }} - {{- with .Values.commonAnnotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -spec: - selector: - matchLabels: - {{- include "airlock-microgateway.operator.selectorLabels" . | nindent 6 }} - matchExpressions: - - { key: "operator.microgateway.airlock.com/isLeader", operator: DoesNotExist } - endpoints: - - path: /metrics - port: metrics - scheme: http - metricRelabelings: - - sourceLabels: - - __name__ - regex: {{ include "airlock-microgateway.operator.metricsLeaderOnlyRegexPattern" . }} - action: drop ---- -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: {{ include "airlock-microgateway.operator.fullname" . }}-leader - namespace: {{ .Release.Namespace }} - labels: - {{- include "airlock-microgateway.operator.labels" . | nindent 4 }} - {{- with .Values.operator.serviceMonitor.labels }} - {{- toYaml . | nindent 4 }} - {{- end }} - {{- with .Values.commonAnnotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -spec: - selector: - matchLabels: - {{- include "airlock-microgateway.operator.selectorLabels" . | nindent 6 }} - operator.microgateway.airlock.com/isLeader: "true" - endpoints: - - path: /metrics - port: metrics - scheme: http - metricRelabelings: - - sourceLabels: - - __name__ - regex: {{ include "airlock-microgateway.operator.metricsLeaderOnlyRegexPattern" . }} - action: keep -{{- end -}} \ No newline at end of file diff --git a/charts/airlock/microgateway/4.3.1/templates/operator/serving-certificate.yaml b/charts/airlock/microgateway/4.3.1/templates/operator/serving-certificate.yaml deleted file mode 100644 index 60b92e1e2..000000000 --- a/charts/airlock/microgateway/4.3.1/templates/operator/serving-certificate.yaml +++ /dev/null @@ -1,19 +0,0 @@ -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: {{ include "airlock-microgateway.operator.fullname" . }}-serving-cert - namespace: {{ .Release.Namespace }} - labels: - {{- include "airlock-microgateway.operator.labels" . | nindent 4 }} - {{- with .Values.commonAnnotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -spec: - dnsNames: - - airlock-microgateway-operator-webhook.{{ .Release.Namespace }}.svc - - airlock-microgateway-operator-webhook.{{ .Release.Namespace }}.svc.cluster.local - issuerRef: - kind: Issuer - name: {{ include "airlock-microgateway.operator.fullname" . }}-selfsigned-issuer - secretName: {{ include "airlock-microgateway.operator.fullname" . }}-webhook-server-cert diff --git a/charts/airlock/microgateway/4.3.1/templates/operator/validating-webhook.yaml b/charts/airlock/microgateway/4.3.1/templates/operator/validating-webhook.yaml deleted file mode 100644 index 5d6b4396b..000000000 --- a/charts/airlock/microgateway/4.3.1/templates/operator/validating-webhook.yaml +++ /dev/null @@ -1,28 +0,0 @@ -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - name: {{ include "airlock-microgateway.operator.fullname" . }}-webhook-{{ .Release.Namespace }} - namespace: {{ .Release.Namespace }} - labels: - {{- include "airlock-microgateway.operator.labels" . | nindent 4 }} - annotations: - cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "airlock-microgateway.operator.fullname" . }}-serving-cert - {{- with .Values.commonAnnotations }} - {{- toYaml . | nindent 4 }} - {{- end }} -webhooks: -{{- range $webhook := (include "airlock-microgateway-operator.validatingWebhooks" .) | fromYamlArray }} -- {{ toYaml $webhook | indent 2 | trim }} - {{- with $.Values.operator.watchNamespaceSelector }} - namespaceSelector: - {{- toYaml . | nindent 4 }} - {{- end }} - {{- with $.Values.operator.watchNamespaces }} - namespaceSelector: - matchExpressions: - - key: kubernetes.io/metadata.name - operator: In - values: - {{- toYaml . | nindent 10 }} - {{- end }} -{{- end }} \ No newline at end of file diff --git a/charts/airlock/microgateway/4.3.1/templates/operator/webhook-service.yaml b/charts/airlock/microgateway/4.3.1/templates/operator/webhook-service.yaml deleted file mode 100644 index 477ea839f..000000000 --- a/charts/airlock/microgateway/4.3.1/templates/operator/webhook-service.yaml +++ /dev/null @@ -1,23 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: airlock-microgateway-operator-webhook - namespace: {{ .Release.Namespace }} - labels: - {{- include "airlock-microgateway.operator.labels" . | nindent 4 }} - {{- with .Values.operator.serviceLabels }} - {{- toYaml . | nindent 4 }} - {{- end }} - {{- with mustMerge .Values.operator.serviceAnnotations .Values.commonAnnotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -spec: - ports: - - appProtocol: https - name: webhook - port: 443 - protocol: TCP - targetPort: 9443 - selector: - {{- include "airlock-microgateway.operator.selectorLabels" . | nindent 4 }} \ No newline at end of file diff --git a/charts/airlock/microgateway/4.3.1/templates/operator/xds-service.yaml b/charts/airlock/microgateway/4.3.1/templates/operator/xds-service.yaml deleted file mode 100644 index 81b41acf5..000000000 --- a/charts/airlock/microgateway/4.3.1/templates/operator/xds-service.yaml +++ /dev/null @@ -1,24 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: airlock-microgateway-operator-xds - namespace: {{ .Release.Namespace }} - labels: - {{- include "airlock-microgateway.operator.labels" . | nindent 4 }} - {{- with .Values.operator.serviceLabels }} - {{- toYaml . | nindent 4 }} - {{- end }} - {{- with mustMerge .Values.operator.serviceAnnotations .Values.commonAnnotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -spec: - ports: - - appProtocol: grpc - name: xds - port: 13377 - protocol: TCP - targetPort: 13377 - selector: - {{- include "airlock-microgateway.operator.selectorLabels" . | nindent 4 }} - operator.microgateway.airlock.com/isLeader: "true" diff --git a/charts/airlock/microgateway/4.3.1/templates/scc-role.yaml b/charts/airlock/microgateway/4.3.1/templates/scc-role.yaml new file mode 100644 index 000000000..862748692 --- /dev/null +++ b/charts/airlock/microgateway/4.3.1/templates/scc-role.yaml @@ -0,0 +1,22 @@ +{{- if .Values.rbac.createSCCRole -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "airlock-microgateway-cni.fullname" . }}-privileged + namespace: {{ .Release.Namespace }} + labels: + {{- include "airlock-microgateway-cni.labels" . | nindent 4 }} + {{- with .Values.commonAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +rules: +- apiGroups: + - security.openshift.io + resourceNames: + - privileged + resources: + - securitycontextconstraints + verbs: + - use +{{- end -}} \ No newline at end of file diff --git a/charts/airlock/microgateway/4.3.1/templates/scc-rolebinding.yaml b/charts/airlock/microgateway/4.3.1/templates/scc-rolebinding.yaml new file mode 100644 index 000000000..ebd02982c --- /dev/null +++ b/charts/airlock/microgateway/4.3.1/templates/scc-rolebinding.yaml @@ -0,0 +1,20 @@ +{{- if .Values.rbac.createSCCRole -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ include "airlock-microgateway-cni.fullname" . }}-privileged + namespace: {{ .Release.Namespace }} + labels: + {{- include "airlock-microgateway-cni.labels" . | nindent 4 }} + {{- with .Values.commonAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ include "airlock-microgateway-cni.fullname" . }}-privileged +subjects: +- kind: ServiceAccount + name: {{ include "airlock-microgateway-cni.serviceAccountName" . }} +{{- end -}} diff --git a/charts/airlock/microgateway/4.3.1/templates/serviceaccount.yaml b/charts/airlock/microgateway/4.3.1/templates/serviceaccount.yaml new file mode 100644 index 000000000..3dc8d58ea --- /dev/null +++ b/charts/airlock/microgateway/4.3.1/templates/serviceaccount.yaml @@ -0,0 +1,13 @@ +{{- if .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "airlock-microgateway-cni.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "airlock-microgateway-cni.labels" . | nindent 4 }} + {{- with mustMerge .Values.serviceAccount.annotations .Values.commonAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end -}} diff --git a/charts/airlock/microgateway/4.3.1/templates/tests/rbac.yaml b/charts/airlock/microgateway/4.3.1/templates/tests/rbac.yaml index 93bd4cd1b..744799333 100644 --- a/charts/airlock/microgateway/4.3.1/templates/tests/rbac.yaml +++ b/charts/airlock/microgateway/4.3.1/templates/tests/rbac.yaml @@ -2,142 +2,63 @@ apiVersion: v1 kind: ServiceAccount metadata: - labels: - app.kubernetes.io/component: tests - app.kubernetes.io/name: {{ include "airlock-microgateway.name" . }}-tests - {{- include "airlock-microgateway.sharedLabels" . | nindent 4 }} - name: "{{ include "airlock-microgateway.fullname" . }}-tests" + name: "{{ include "airlock-microgateway-cni.fullname" . }}-tests" namespace: {{ .Release.Namespace }} + labels: + {{- include "airlock-microgateway-cni.labelsWithoutComponent" . | nindent 4 }} + app.kubernetes.io/component: tests --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: - labels: - app.kubernetes.io/component: tests - app.kubernetes.io/name: {{ include "airlock-microgateway.name" . }}-tests - {{- include "airlock-microgateway.sharedLabels" . | nindent 4 }} - name: "{{ include "airlock-microgateway.fullname" . }}-tests" + name: "{{ include "airlock-microgateway-cni.fullname" . }}-tests" namespace: {{ .Release.Namespace }} + labels: + {{- include "airlock-microgateway-cni.labelsWithoutComponent" . | nindent 4 }} + app.kubernetes.io/component: tests roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: "{{ include "airlock-microgateway.fullname" . }}-tests" + name: "{{ include "airlock-microgateway-cni.fullname" . }}-tests" subjects: - kind: ServiceAccount - name: "{{ include "airlock-microgateway.fullname" . }}-tests" + name: "{{ include "airlock-microgateway-cni.fullname" . }}-tests" --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - labels: - app.kubernetes.io/component: tests - app.kubernetes.io/name: {{ include "airlock-microgateway.name" . }}-tests - {{- include "airlock-microgateway.sharedLabels" . | nindent 4 }} - name: "{{ include "airlock-microgateway.fullname" . }}-tests" + name: "{{ include "airlock-microgateway-cni.fullname" . }}-tests" namespace: {{ .Release.Namespace }} + labels: + {{- include "airlock-microgateway-cni.labelsWithoutComponent" . | nindent 4 }} + app.kubernetes.io/component: tests rules: - apiGroups: - - microgateway.airlock.com + - "apps" resources: - - sidecargateways + - daemonsets resourceNames: - - "{{ include "airlock-microgateway.fullname" . }}-test-sidecargateway" + - {{ include "airlock-microgateway-cni.fullname" . }} verbs: - - get - - list - - watch - - delete + - get + - watch + - list - apiGroups: - - microgateway.airlock.com + - "" resources: - - sidecargateways + - pods + - pods/log verbs: - - create + - get + - list +{{- if .Values.rbac.createSCCRole }} - apiGroups: - - "" - resources: - - events - verbs: - - list -- apiGroups: - - "apps" - resources: - - deployments + - security.openshift.io resourceNames: - - "{{ include "airlock-microgateway.operator.fullname" . }}" - verbs: - - get - - list - - watch -- apiGroups: - - "apps" + - privileged resources: - - statefulsets - - statefulsets/scale - resourceNames: - - "{{ include "airlock-microgateway.fullname" . }}-test-backend" + - securitycontextconstraints verbs: - - get - - list - - watch - - patch -- apiGroups: - - "" - resources: - - pods - - pods/log - - pods/status - - pods/attach - resourceNames: - - "{{ include "airlock-microgateway.fullname" . }}-test-backend-0" - - "{{ include "airlock-microgateway.fullname" . }}-test-valid-request" - - "{{ include "airlock-microgateway.fullname" . }}-test-injection-request" - verbs: - - get - - list - - create - - watch - - delete -- apiGroups: - - "" - resources: - - pods - verbs: - - create -{{- if .Values.operator.watchNamespaceSelector }} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - app.kubernetes.io/component: tests - app.kubernetes.io/name: {{ include "airlock-microgateway.name" . }}-tests - {{- include "airlock-microgateway.sharedLabels" . | nindent 4 }} - name: "{{ include "airlock-microgateway.fullname" . }}-tests-{{ .Release.Namespace }}" -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: "{{ include "airlock-microgateway.fullname" . }}-tests-{{ .Release.Namespace }}" -subjects: - - kind: ServiceAccount - name: "{{ include "airlock-microgateway.fullname" . }}-tests" - namespace: {{ .Release.Namespace }} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app.kubernetes.io/component: tests - app.kubernetes.io/name: {{ include "airlock-microgateway.name" . }}-tests - {{- include "airlock-microgateway.sharedLabels" . | nindent 4 }} - name: "{{ include "airlock-microgateway.fullname" . }}-tests-{{ .Release.Namespace }}" -rules: -- apiGroups: - - "" - resources: - - namespaces - verbs: - - get - - list -{{- end }} + - use +{{- end -}} {{- end -}} diff --git a/charts/airlock/microgateway/4.3.1/templates/tests/service.yaml b/charts/airlock/microgateway/4.3.1/templates/tests/service.yaml deleted file mode 100644 index 30ddc278d..000000000 --- a/charts/airlock/microgateway/4.3.1/templates/tests/service.yaml +++ /dev/null @@ -1,23 +0,0 @@ -{{- if .Values.tests.enabled -}} -apiVersion: v1 -kind: Service -metadata: - name: "{{ include "airlock-microgateway.fullname" . }}-test-service" - namespace: {{ .Release.Namespace }} - labels: - app: test-service - app.kubernetes.io/component: test-install - app.kubernetes.io/name: {{ include "airlock-microgateway.name" . }}-tests - {{- include "airlock-microgateway.sharedLabels" . | nindent 4 }} - {{- include "airlock-microgateway.sharedSelectorLabels" . | nindent 4 }} -spec: - selector: - app.kubernetes.io/component: test-install - app.kubernetes.io/name: {{ include "airlock-microgateway.name" . }}-tests - app: "{{ include "airlock-microgateway.fullname" . }}-test-backend" - {{- include "airlock-microgateway.sharedSelectorLabels" . | nindent 4 }} - ports: - - name: http - port: 8080 - targetPort: 8080 -{{- end -}} \ No newline at end of file diff --git a/charts/airlock/microgateway/4.3.1/templates/tests/statefulset.yaml b/charts/airlock/microgateway/4.3.1/templates/tests/statefulset.yaml deleted file mode 100644 index 710a7b9f6..000000000 --- a/charts/airlock/microgateway/4.3.1/templates/tests/statefulset.yaml +++ /dev/null @@ -1,56 +0,0 @@ -{{- if .Values.tests.enabled -}} -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: "{{ include "airlock-microgateway.fullname" . }}-test-backend" - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/component: test-install - app.kubernetes.io/name: {{ include "airlock-microgateway.name" . }}-tests - app: "{{ include "airlock-microgateway.fullname" . }}-test-backend" - {{- include "airlock-microgateway.sharedLabels" . | nindent 4 }} - {{- include "airlock-microgateway.sharedSelectorLabels" . | nindent 4 }} -spec: - serviceName: nginx - replicas: 0 - selector: - matchLabels: - app.kubernetes.io/component: test-install - app.kubernetes.io/name: {{ include "airlock-microgateway.name" . }}-tests - app: "{{ include "airlock-microgateway.fullname" . }}-test-backend" - {{- include "airlock-microgateway.sharedSelectorLabels" . | nindent 6 }} - template: - metadata: - annotations: - k8s.v1.cni.cncf.io/networks: default/airlock-microgateway-cni - labels: - sidecar.microgateway.airlock.com/inject: "true" - sidecar.istio.io/inject: "false" - app.kubernetes.io/component: test-install - app.kubernetes.io/name: {{ include "airlock-microgateway.name" . }}-tests - app: "{{ include "airlock-microgateway.fullname" . }}-test-backend" - {{- include "airlock-microgateway.sharedLabels" . | nindent 8 }} - {{- include "airlock-microgateway.sharedSelectorLabels" . | nindent 8 }} - spec: - containers: - - image: cgr.dev/chainguard/nginx - name: nginx - ports: - - containerPort: 8080 - volumeMounts: - - mountPath: /var/lib/nginx/tmp/ - name: nginx-tmp - - mountPath: /var/run - name: nginx-run - securityContext: - {{- include "airlock-microgateway.restrictedSecurityContext" . | nindent 12 }} - {{- with .Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} - {{- end }} - volumes: - - emptyDir: {} - name: nginx-tmp - - emptyDir: {} - name: nginx-run -{{- end -}} \ No newline at end of file diff --git a/charts/airlock/microgateway/4.3.1/templates/tests/test-install.yaml b/charts/airlock/microgateway/4.3.1/templates/tests/test-install.yaml index ab82abea7..12d8c8de7 100644 --- a/charts/airlock/microgateway/4.3.1/templates/tests/test-install.yaml +++ b/charts/airlock/microgateway/4.3.1/templates/tests/test-install.yaml @@ -2,14 +2,11 @@ apiVersion: v1 kind: Pod metadata: - name: "{{ include "airlock-microgateway.fullname" . }}-test-install" + name: "{{ include "airlock-microgateway-cni.fullname" . }}-test-install" namespace: {{ .Release.Namespace }} labels: + {{- include "airlock-microgateway-cni.labelsWithoutComponent" . | nindent 4 }} app.kubernetes.io/component: test-install - app.kubernetes.io/name: {{ include "airlock-microgateway.name" . }}-tests - sidecar.istio.io/inject: "false" - {{- include "airlock-microgateway.sharedLabels" . | nindent 4 }} - {{- include "airlock-microgateway.sharedSelectorLabels" . | nindent 4 }} annotations: helm.sh/hook: test helm.sh/hook-delete-policy: before-hook-creation @@ -19,209 +16,88 @@ spec: - name: test image: "bitnami/kubectl:{{ .Capabilities.KubeVersion.Major }}.{{ .Capabilities.KubeVersion.Minor }}" securityContext: - {{- include "airlock-microgateway.restrictedSecurityContext" . | nindent 6 }} + allowPrivilegeEscalation: {{ .Values.privileged }} + capabilities: + drop: + - ALL + privileged: {{ .Values.privileged }} + readOnlyRootFilesystem: true + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /host/opt/cni/bin + name: cni-bin-dir + readOnly: true + - mountPath: /host/etc/cni/net.d + name: cni-net-dir + readOnly: true command: - sh - -c - | set -eu - clean_up() { - echo "" - echo "### Clean up test resources" - kubectl delete --ignore-not-found=true -n {{ .Release.Namespace }} sidecargateways.microgateway.airlock.com {{ include "airlock-microgateway.fullname" . }}-test-sidecargateway || true - echo "" - echo "### Scale down '{{ include "airlock-microgateway.fullname" . }}-test-backend'" - kubectl scale -n {{ .Release.Namespace }} statefulset/{{ include "airlock-microgateway.fullname" . }}-test-backend --replicas=0 --timeout=60s - sleep 3s - echo "" - } - fail() { + echo "Error: ${1}" echo "" - echo "### Error: ${1}" - echo "" - - if kubectl get -n {{ .Release.Namespace }} sidecargateway.microgateway.airlock.com/{{ include "airlock-microgateway.fullname" . }}-test-sidecargateway >/dev/null 2>&1; then - echo "" - echo 'Microgateway Sidecargateway status:' - kubectl get -n {{ .Release.Namespace }} sidecargateway.microgateway.airlock.com/{{ include "airlock-microgateway.fullname" . }}-test-sidecargateway -o jsonpath-as-json='{.status}' || true - echo "" - echo "" - fi - - if kubectl get -n {{ .Release.Namespace }} pods/{{ include "airlock-microgateway.fullname" . }}-test-backend-0 >/dev/null 2>&1; then - echo "Pod '{{ include "airlock-microgateway.fullname" . }}-test-backend-0':" - kubectl describe -n {{ .Release.Namespace }} pods/{{ include "airlock-microgateway.fullname" . }}-test-backend-0 || true - echo "" - echo "" - echo 'Logs of Nginx container:' - kubectl logs -n {{ .Release.Namespace }} pods/{{ include "airlock-microgateway.fullname" . }}-test-backend-0 -c nginx --tail 5 || true - echo "" - echo "" - # Wait for engine logs - sleep 10s - echo 'Logs of Microgateway Engine container:' - kubectl logs -n {{ .Release.Namespace }} pods/{{ include "airlock-microgateway.fullname" . }}-test-backend-0 -c airlock-microgateway-engine --tail 5 || true - fi - + echo 'CNI installer logs:' + kubectl logs -n {{ .Release.Namespace }} daemonsets/{{ include "airlock-microgateway-cni.fullname" .}} -c cni-installer exit 1 } - create_sidecargateway() { - # create SidecarGateway resource for testing purposes - kubectl delete --ignore-not-found=true -n {{ .Release.Namespace }} sidecargateways.microgateway.airlock.com {{ include "airlock-microgateway.fullname" . }}-test-sidecargateway || true - kubectl apply -f - </dev/null 2>&1; do sleep 1s; i=$((i+1)); done - kubectl logs -f -n {{ .Release.Namespace }} {{ include "airlock-microgateway.fullname" . }}-test-valid-request - kubectl delete pod --ignore-not-found=true -n {{ .Release.Namespace }} {{ include "airlock-microgateway.fullname" . }}-test-valid-request - } - - {{- if .Values.operator.watchNamespaceSelector }} - echo "### Verify that Namespace Selector matches Namespace '{{ .Release.Namespace }}'" - if ! kubectl get namespace -l '{{ include "airlock-microgateway.watchNamespaceSelector.labelQuery" .Values.operator.watchNamespaceSelector }}' | grep -q {{ .Release.Namespace }}; then - labels=$(kubectl get namespace {{ .Release.Namespace }} -o jsonpath={.metadata.labels} | jq | awk '{print " " $0}') - fail {{printf `"Operator namespace '%s' is not part of the operator's watch scope. To execute 'helm test', the selector configured in the helm value 'operator.watchNamespaceSelector' must match the namespace's labels:\n* Current selector:\n%s\n\n* Current labels:\n$labels\n###"` - .Release.Namespace - (replace "\"" "\\\"" (replace "\n" "\\n" (.Values.operator.watchNamespaceSelector | toPrettyJson | indent 2))) - }} + if ! kubectl rollout status --timeout=60s -n {{ .Release.Namespace }} daemonsets/{{ include "airlock-microgateway-cni.fullname" .}}; then + fail 'CNI DaemonSet rollout did not complete within timeout' fi - echo "" - {{- end }} - trap clean_up EXIT - echo "" - - echo "### Waiting for Microgateway Operator Deployments to be ready" - if ! kubectl rollout status -n {{ .Release.Namespace }} --timeout=90s \ - deployments/{{ include "airlock-microgateway.operator.fullname" . }}; then - fail 'Timout occurred' + echo "Checking whether CNI binary was installed" + if ! [ -f "/host/opt/cni/bin/{{ include "airlock-microgateway-cni.fullname" . }}" ]; then + fail 'CNI binary was not installed' fi - echo "" - echo "### Scale '{{ include "airlock-microgateway.fullname" . }}-test-backend' to '1' replica" - # scale to zero replicas to ensure no pods are present from previous runs - kubectl scale -n {{ .Release.Namespace }} statefulset/{{ include "airlock-microgateway.fullname" . }}-test-backend --replicas=0 --timeout=10s - kubectl scale -n {{ .Release.Namespace }} statefulset/{{ include "airlock-microgateway.fullname" . }}-test-backend --replicas=1 --timeout=10s - echo "" - - echo "### Waiting for backend pod" - i=0 - while true; do - if kubectl get -n {{ .Release.Namespace }} pods/{{ include "airlock-microgateway.fullname" . }}-test-backend-0; then - break - elif [ $i -gt 3 ]; then - fail 'Pod not ready' - fi - sleep 2s - i=$((i+1)) - done - - echo "### Checking Microgateway Engine sidecar container was injected" - if ! kubectl get -n {{ .Release.Namespace }} pods/{{ include "airlock-microgateway.fullname" . }}-test-backend-0 -o jsonpath='{.spec.containers[?(@.name=="airlock-microgateway-engine")]}' | grep -q "airlock-microgateway-engine"; then - fail 'Microgateway Engine sidecar container not injected' + echo "Checking whether CNI kubeconfig was installed" + if ! [ -f "/host/etc/cni/net.d/{{ include "airlock-microgateway-cni.fullname" . }}-kubeconfig" ]; then + fail 'CNI kubeconfig was not created' fi - echo "True" - echo "" - echo "### Checking for valid license" - i=0 - while true; do - if [ "$(kubectl get -n {{ .Release.Namespace }} pods/{{ include "airlock-microgateway.fullname" . }}-test-backend-0 -o jsonpath='{.metadata.labels.sidecar\.microgateway\.airlock\.com/licensed}')" = 'true' ]; then - break - elif [ $i -gt 30 ]; then - fail 'Microgateway license is missing or invalid' - fi - sleep 2s - i=$((i+1)) - done - echo "True" - echo "" + echo "Checking whether CNI configuration was written" + case {{ .Values.config.installMode }} in + "chained") + for file in "/host/etc/cni/net.d/"*.conflist; do + if containsMGWCNIConf "${file}"; then + echo "Success" + exit 0 + fi + done + ;; + "standalone") + if containsMGWCNIConf "/host/etc/cni/net.d/{{ include "airlock-microgateway-cni.fullname" . }}.conflist"; then + echo "Success" + exit 0 + fi + ;; + "manual") + echo "- Skipping because we are in 'manual' install mode" + echo "Success" + exit 0 + ;; + esac - echo "### Create SidecarGateway resource for testing" - if ! create_sidecargateway ; then - fail 'Creation of SidecarGateway resource failed' - fi - echo "" - - echo "### Waiting for '{{ include "airlock-microgateway.fullname" . }}-test-backend' to be ready" - if ! kubectl rollout status -n {{ .Release.Namespace }} statefulset/{{ include "airlock-microgateway.fullname" . }}-test-backend --timeout=90s; then - fail 'Timout occurred' - fi - echo "" - - echo "### Waiting for 'engine-config-valid' condition" - if ! kubectl wait -n {{ .Release.Namespace }} pods --field-selector=metadata.name={{ include "airlock-microgateway.fullname" . }}-test-backend-0 --timeout=90s --for=condition=microgateway.airlock.com/engine-config-valid=True; then - fail 'Configuration was never accepted by the Microgateway Engine' - fi - sleep 5s - echo "" - echo "" - - echo "### Checking whether a valid request is successful and returns HTTP status code '200'" - out=$(curl -vsS --retry 3 --retry-connrefused --connect-timeout 10 "http://{{ include "airlock-microgateway.fullname" . }}-test-service:8080/" || true) - echo "Response:" - echo "${out}" - if ! echo "${out}" | grep -q "200 OK"; then - fail 'A valid request was not successful' - fi - echo "" - echo "" - - echo "### Checking whether a request with an injection attack is blocked and returns HTTP status code '400'" - out=$(curl -vsS --retry 3 --retry-connrefused --connect-timeout 10 "http://{{ include "airlock-microgateway.fullname" . }}-test-service:8080/?token='%20UnION%20all%20select%20A" || true) - echo "Response:" - echo "${out}" - if ! echo "${out}" | grep -q "400 Bad Request"; then - fail 'A malicious request was not blocked' - fi - echo "" - echo "" - - echo "### Installation of '{{ include "airlock-microgateway.fullname" . }}' succeeded" - exit 0 - serviceAccountName: "{{ include "airlock-microgateway.fullname" . }}-tests" + fail 'Configuration for plugin "{{ include "airlock-microgateway-cni.fullname" . }}" was not found' + serviceAccountName: "{{ include "airlock-microgateway-cni.fullname" . }}-tests" + volumes: + - hostPath: + path: "{{ .Values.config.cniBinDir }}" + type: Directory + name: cni-bin-dir + - hostPath: + path: "{{ .Values.config.cniNetDir }}" + type: Directory + name: cni-net-dir {{- end -}} diff --git a/charts/airlock/microgateway/4.3.1/values.schema.json b/charts/airlock/microgateway/4.3.1/values.schema.json index 173d6b084..e087bd700 100644 --- a/charts/airlock/microgateway/4.3.1/values.schema.json +++ b/charts/airlock/microgateway/4.3.1/values.schema.json @@ -14,15 +14,6 @@ "commonAnnotations": { "$ref": "#/definitions/StringMap" }, - "crds": { - "type": "object", - "properties": { - "skipVersionCheck": { - "type": "boolean" - } - }, - "additionalProperties": false - }, "imagePullSecrets": { "type": "array", "items": { @@ -39,304 +30,120 @@ "additionalProperties": true } }, - "operator": { + "image": { + "$ref": "#/definitions/Image" + }, + "podAnnotations": { + "$ref": "#/definitions/StringMap" + }, + "podLabels": { + "$ref": "#/definitions/StringMap" + }, + "resources": { + "type": "object" + }, + "nodeSelector": { + "$ref": "#/definitions/StringMap" + }, + "affinity": { + "type": "object" + }, + "rbac": { "type": "object", "properties": { - "replicaCount": { - "type": "integer", - "minimum": 0 - }, - "updateStrategy": { - "$ref": "#/definitions/UpdateStrategy" - }, - "image": { - "$ref": "#/definitions/Image" - }, - "podAnnotations": { - "$ref": "#/definitions/StringMap" - }, - "podLabels": { - "$ref": "#/definitions/StringMap" - }, - "serviceAnnotations": { - "$ref": "#/definitions/StringMap" - }, - "serviceLabels": { - "$ref": "#/definitions/StringMap" - }, - "resources": { - "type": "object" - }, - "nodeSelector": { - "$ref": "#/definitions/StringMap" - }, - "tolerations": { - "type": "array", - "items": { - "type": "object" - } - }, - "affinity": { - "type": "object" - }, - "config": { - "type": "object", - "properties": { - "logLevel": { - "type": "string", - "enum": [ - "debug", - "info", - "warn", - "error" - ] - } - }, - "required": [ - "logLevel" - ], - "additionalProperties": false - }, - "serviceAccount": { - "type": "object", - "properties": { - "create": { - "type": "boolean" - }, - "annotations": { - "$ref": "#/definitions/StringMap" - }, - "name": { - "type": "string" - } - }, - "required": [ - "annotations", - "create", - "name" - ], - "additionalProperties": false - }, - "watchNamespaces": { - "type": "array", - "items": { - "type": "string" - } - }, - "watchNamespaceSelector": { - "$ref": "#/definitions/LabelSelector" - }, - "rbac": { - "type": "object", - "properties": { - "create": { - "type": "boolean" - } - }, - "required": [ - "create" - ], - "additionalProperties": false - }, - "serviceMonitor": { - "type": "object", - "properties": { - "create": { - "type": "boolean" - }, - "labels": { - "$ref": "#/definitions/StringMap" - } - }, - "required": [ - "create" - ], - "additionalProperties": false - } - }, - "oneOf": [ - { - "properties": { - "watchNamespaces": { - "minItems": 1 - }, - "watchNamespaceSelector": { - "additionalProperties": false - } - } - }, - { - "properties": { - "watchNamespaces": { - "maxItems": 0 - }, - "watchNamespaceSelector": { - "$ref": "#/definitions/LabelSelector" - } - } - } - ], - "required": [ - "affinity", - "config", - "image", - "updateStrategy", - "nodeSelector", - "podAnnotations", - "podLabels", - "rbac", - "replicaCount", - "resources", - "serviceAccount", - "serviceAnnotations", - "serviceLabels", - "serviceMonitor", - "tolerations" - ], - "additionalProperties": false - }, - "engine": { - "type": "object", - "properties": { - "image": { - "$ref": "#/definitions/Image" - }, - "resources": { - "type": "object" - }, - "sidecar": { - "type": "object", - "properties":{ - "podMonitor": { - "type": "object", - "properties": { - "create": { - "type": "boolean" - }, - "labels": { - "$ref": "#/definitions/StringMap" - } - }, - "required": [ - "create" - ], - "additionalProperties": false - } - }, - "required": [ - "podMonitor" - ], - "additionalProperties": false - } - }, - "required": [ - "image", - "resources", - "sidecar" - ], - "additionalProperties": false - }, - "networkValidator": { - "type": "object", - "properties": { - "image": { - "$ref": "#/definitions/Image" - } - }, - "required": [ - "image" - ], - "additionalProperties": false - }, - "sessionAgent": { - "type": "object", - "properties": { - "image": { - "$ref": "#/definitions/Image" - }, - "resources": { - "type": "object" - } - }, - "required": [ - "image", - "resources" - ], - "additionalProperties": false - }, - "license": { - "type": "object", - "properties": { - "secretName": { - "type": "string", - "minLength": 1 - } - }, - "required": [ - "secretName" - ], - "additionalProperties": false - }, - "dashboards": { - "type": "object", - "properties" : { "create": { "type": "boolean" }, - "config": { - "type": "object", - "properties": { - "grafana": { - "type": "object", - "properties": { - "folderAnnotation": { - "$ref": "#/definitions/NameValuePair" - }, - "dashboardLabel": { - "$ref": "#/definitions/NameValuePair" - } - }, - "required": [ - "folderAnnotation", - "dashboardLabel" - ], - "additionalProperties": false - } - }, - "required": [ - "grafana" - ], - "additionalProperties": false - }, - "instances": { - "type": "object", - "properties": { - "overview": { - "$ref": "#/definitions/DashboardInstance" - }, - "license" : { - "$ref": "#/definitions/DashboardInstance" - }, - "blockMetrics" : { - "$ref": "#/definitions/DashboardInstance" - }, - "blockLogs" : { - "$ref": "#/definitions/DashboardInstance" - } - }, - "required": [ - "overview", - "license", - "blockMetrics", - "blockLogs" - ], - "additionalProperties": false + "createSCCRole": { + "type": "boolean" } }, "required": [ "create", - "config", - "instances" + "createSCCRole" + ], + "additionalProperties": false + }, + "privileged": { + "type": "boolean" + }, + "serviceAccount": { + "type": "object", + "properties": { + "create": { + "type": "boolean" + }, + "annotations": { + "$ref": "#/definitions/StringMap" + }, + "name": { + "type": "string" + } + }, + "required": [ + "annotations", + "create", + "name" + ], + "additionalProperties": false + }, + "multusNetworkAttachmentDefinition": { + "type": "object", + "properties": { + "create": { + "type": "boolean" + }, + "namespace": { + "type": "string" + } + }, + "required": [ + "create", + "namespace" + ], + "additionalProperties": false + }, + "config": { + "type": "object", + "properties": { + "installMode": { + "type": "string", + "enum": [ + "chained", + "standalone", + "manual" + ] + }, + "logLevel": { + "type": "string", + "enum": [ + "debug", + "info", + "warn", + "error" + ] + }, + "cniNetDir": { + "type": "string", + "minLength": 1 + }, + "cniBinDir": { + "type": "string", + "minLength": 1 + }, + "excludeNamespaces": { + "type": "array", + "items": { + "type": "string" + } + } + }, + "required": [ + "cniBinDir", + "cniNetDir", + "excludeNamespaces", + "installMode", + "logLevel" ], "additionalProperties": false }, @@ -357,18 +164,22 @@ } }, "required": [ + "affinity", "commonAnnotations", "commonLabels", - "crds", - "engine", + "config", "fullnameOverride", + "image", "imagePullSecrets", - "license", + "multusNetworkAttachmentDefinition", "nameOverride", - "operator", - "networkValidator", - "sessionAgent", - "dashboards", + "nodeSelector", + "podAnnotations", + "podLabels", + "privileged", + "rbac", + "resources", + "serviceAccount", "tests" ], "additionalProperties": false, @@ -409,132 +220,6 @@ "tag" ], "additionalProperties": false - }, - "LabelSelector": { - "type": "object", - "properties": { - "matchExpressions": { - "type": "array", - "items": { - "type": "object", - "required": [ - "key", - "operator" - ], - "properties": { - "key": { - "type": "string" - }, - "operator": { - "type": "string" - }, - "values": { - "type": "array", - "items": { - "type": "string" - } - } - }, - "additionalProperties": false - } - }, - "matchLabels": { - "$ref": "#/definitions/StringMap" - } - }, - "additionalProperties": false - }, - "UpdateStrategy": { - "type": "object", - "oneOf" : [ - { - "properties": { - "type": { - "$ref": "#/definitions/RecreateType" - } - }, - "required": [ - "type" - ], - "additionalProperties": false - }, - { - "properties": { - "type": { - "$ref": "#/definitions/RollingUpdateType" - }, - "rollingUpdate": { - "$ref": "#/definitions/RollingUpdate" - } - }, - "required": [ - "type" - ], - "additionalProperties": false - } - ] - }, - "RecreateType": { - "type": "string", - "enum": [ - "Recreate" - ] - }, - "RollingUpdateType": { - "type": "string", - "enum": [ - "RollingUpdate" - ] - }, - "RollingUpdate": { - "type": "object", - "properties": { - "maxSurge": { - "type": ["integer", "string"], - "minimum": 0, - "pattern": "^\\d+%?$" - }, - "maxUnavailable": { - "type": ["integer", "string"], - "minimum": 0, - "pattern": "^\\d+%?$" - } - }, - "anyOf": [ - {"required": ["maxSurge"]}, - {"required": ["maxUnavailable"]} - ], - "additionalProperties": false - }, - "DashboardInstance" : { - "type" : "object", - "properties" : { - "create" : { - "type" : "boolean" - } - }, - "required" : [ - "create" - ], - "additionalProperties": false - }, - "NameValuePair" : { - "type" : "object", - "properties" : { - "name" : { - "type": "string", - "minLength": 1 - }, - "value" : { - "type" : "string", - "minLength": 1 - } - }, - "required" : [ - "name", - "value" - ], - "additionalProperties": false } } } diff --git a/charts/airlock/microgateway/4.3.1/values.yaml b/charts/airlock/microgateway/4.3.1/values.yaml index 120df1946..8f518138a 100644 --- a/charts/airlock/microgateway/4.3.1/values.yaml +++ b/charts/airlock/microgateway/4.3.1/values.yaml @@ -1,4 +1,4 @@ -# -- Allows overriding the name to use instead of "microgateway". +# -- Allows overriding the name to use instead of "microgateway-cni". nameOverride: "" # -- Allows overriding the name to use as full name of resources. fullnameOverride: "" @@ -10,203 +10,75 @@ commonAnnotations: {} imagePullSecrets: [] # - name: myRegistryKeySecretName -crds: - # -- Whether to skip the sanity check which prevents installing/upgrading the helm chart in a cluster with outdated Airlock Microgateway CRDs. - # The check aims to prevent unexpected behavior and issues due to Helm v3 not automatically upgrading CRDs which are already present in the cluster - # when performing a "helm install/upgrade". - skipVersionCheck: false -operator: - # -- Number of replicas for the operator Deployment. - replicaCount: 2 - # -- Specifies the operator update strategy. - updateStrategy: - type: RollingUpdate - # Specifies the Airlock Microgateway Operator image. - image: - # -- Image repository from which to pull the Airlock Microgateway Operator image. - repository: "quay.io/airlock/microgateway-operator" - # -- Image tag to pull. - tag: "4.3.1" - # -- SHA256 image digest to pull (in the format "sha256:c79ee3f85862fb386e9dd62b901b607161d27807f512d7fbdece05e9ee3d7c63"). - # Overrides tag when specified. - digest: "sha256:84b6eb914103d4c62024d9f761b7dd4371ea3ba8996fb04095d87ebfaf3db2bb" - # -- Pull policy for this image. - pullPolicy: IfNotPresent - # -- Annotations to add to all Pods. - podAnnotations: {} - # -- Labels to add to all Pods. - podLabels: {} - # -- Annotations to add to the Service. - serviceAnnotations: {} - # prometheus.io/scrape: "true" - # prometheus.io/port: "8080" - - # -- Labels to add to the Service. - serviceLabels: {} - # -- Resource restrictions to apply to the operator container. - resources: {} - # We recommend at least the following resource specification. - # limits: - # cpu: 1000m - # memory: 512Mi - # requests: - # cpu: 100m - # memory: 512Mi - - # -- Custom nodeSelector to apply to the operator Deployment in order to constrain its Pods to certain nodes. - nodeSelector: {} - # -- Custom tolerations to apply to the operator Deployment in order to allow its Pods to run on tainted nodes. - tolerations: [] - # -- Custom affinity to apply to the operator Deployment. Used to influence the scheduling. - affinity: {} - # Parameters for the operator configuration. - config: - # -- Operator application log level. - logLevel: "info" - # Configures the generation of the ServiceAccount. - serviceAccount: - # -- Whether a ServiceAccount should be created. - create: true - # -- Annotations to add to the ServiceAccount. - annotations: {} - # -- Name of the ServiceAccount to use. - # If not set and create is true, a name is generated using the fullname template. - name: "" - # -- Allows to restrict the operator to specific namespaces, depending on your needs. - # For a `OwnNamespace` or `SingleNamespace` installation the list may only contain one namespace (e.g., `watchNamespaces: ["airlock-microgateway-system"]`). - # In case of the `OwnNamespace` installation mode the specified namespace should be equal to the installation namespace. - # For a static `MultiNamespace` installation, the complete list of namespaces must be provided in the `watchNamespaces`. - # An `AllNamespaces` installation or the usage of the `watchNamespaceSelector` requires the `watchNamespaces` to be empty. - # Regardless of the installation modes supported by `watchNamespaces`, RBAC is created only namespace-scoped (using Roles and RoleBindings) in the respective namespaces. - # Please note that this feature requires a Premium license. - watchNamespaces: [] - # -- Allows to dynamically select watch namespaces of the operator and the scope of the webhooks based on a Namespace label selector. - # It is able to detect and reconcile resources in all namespaces that match the label selector automatically, even for new namespaces, without restarting the operator. - # This facilitates a dynamic `MultiNamespace` installation mode, but still requires cluster-scoped permissions (i.e., ClusterRoles and ClusterRoleBindings). - # An `AllNamespaces` installation or the usage of the `watchNamespaces` requires the `watchNamespaceSelector` to be empty. - # Please note that this feature requires a Premium license. - watchNamespaceSelector: {} - # For further examples, see: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#resources-that-support-set-based-requirements. - # matchLabels: - # microgateway.airlock.com/enable: "true" - # matchExpressions: - # - { key: environment, operator: NotIn, values: [dev] } - - # Configures the generation of Role and RoleBinding as well as ClusterRoles and ClusterRoleBinding pairs for the ServiceAccount specified above. - rbac: - # -- Whether to create RBAC resources which are required for the Airlock Microgateway Operator to function. - create: true - # Configures the generation of a Prometheus Operator ServiceMonitor. - serviceMonitor: - # -- Whether to create a ServiceMonitor resource for monitoring. - create: false - # -- Labels to add to the ServiceMonitor. - labels: {} - # release: "" -engine: - # Specifies the Airlock Microgateway Engine image. - image: - # -- Image repository from which to pull the Airlock Microgateway Engine image. - repository: "quay.io/airlock/microgateway-engine" - # -- Image tag to pull. - tag: "4.3.1" - # -- SHA256 image digest to pull (in the format "sha256:a3051f42d3013813b05f7513bb86ed6a3209cb3003f1bb2f7b72df249aa544d3"). - # Overrides tag when specified. - digest: "sha256:6be782cc3f3206bfa61f462812d2a495e114ae13c59a7cdaed7ca406d5bc1b01" - # -- Pull policy for this image. - pullPolicy: IfNotPresent - # -- Resource restrictions to apply to the Airlock Microgateway Engine container. - resources: {} - # We recommend at least the following resource specification. - # limits: - # cpu: 500m - # memory: 128Mi - # requests: - # cpu: 10m - # memory: 40Mi - - # Additional configuration when deployed as a sidecar. - sidecar: - # Configures the generation of a Prometheus Operator PodMonitor. - podMonitor: - # -- Whether to create a PodMonitor resource for monitoring. - create: false - # -- Labels to add to the PodMonitor. - labels: {} - # release: "" -networkValidator: - # Specifies the Airlock Microgateway Network Validator image to be injected as an init-container. - image: - # -- Image repository from which to pull the netcat image for the Airlock Microgateway Network Validator init-container. - repository: "cgr.dev/chainguard/netcat" - # -- Image tag to pull. - tag: "" - # -- SHA256 image digest to pull (in the format "sha256:6626ab44066867687baa7bfcabedafce5adc50446be1207c90c3b211bd922f84"). - # Overrides tag when specified. - digest: "sha256:6626ab44066867687baa7bfcabedafce5adc50446be1207c90c3b211bd922f84" - # -- Pull policy for this image. - pullPolicy: IfNotPresent -sessionAgent: - # Specifies the Airlock Microgateway Session Agent image. - image: - # -- Image repository from which to pull the Airlock Microgateway Session Agent image. - repository: "quay.io/airlock/microgateway-session-agent" - # -- Image tag to pull. - tag: "4.3.1" - # -- SHA256 image digest to pull (in the format "sha256:a3051f42d3013813b05f7513bb86ed6a3209cb3003f1bb2f7b72df249aa544d3"). - # Overrides tag when specified. - digest: "sha256:d62bdb16c74d340a81791be1696d620950d8232437676910bb6e5548411f2afd" - # -- Pull policy for this image. - pullPolicy: IfNotPresent - # -- Resource restrictions to apply to the Airlock Microgateway Session Agent container. - resources: {} - # We recommend at least the following resource specification. - # limits: - # cpu: 150m - # memory: 32Mi - # requests: - # cpu: 10m - # memory: 8Mi -license: - # -- Name of the secret containing the "microgateway-license.txt" key. - secretName: "airlock-microgateway-license" -# Creates dashboards in the form of ConfigMaps that can be imported -# by Grafana using its sidecar setup. -dashboards: - # -- Whether to create any ConfigMaps containing Grafana dashboards to import. +# Specifies the Airlock Microgateway CNI image. +image: + # -- Image repository from which to pull the Airlock Microgateway CNI image. + repository: "quay.io/airlock/microgateway-cni" + # -- Image tag to pull. + tag: "4.3.1" + # -- SHA256 image digest to pull (in the format "sha256:7144f7bab3d4c2648d7e59409f15ec52a18006a128c733fcff20d3a4a54ba44a"). + # Overrides tag when specified. + digest: "sha256:bdd216c8a8c56a0eee0134f67772cbd75358640a0685cf5d71add653abb2c53b" + # -- Pull policy for this image. + pullPolicy: IfNotPresent +# -- Annotations to add to all Pods. +podAnnotations: {} +# -- Labels to add to all Pods. +podLabels: {} +# -- Resource restrictions to apply to the CNI installer container. +resources: + requests: + cpu: 10m + memory: 100Mi +# -- NodeSelector to apply to the CNI DaemonSet in order to only deploy the CNI plugin on specific nodes. +nodeSelector: + kubernetes.io/os: linux +# -- Custom affinity for the DaemonSet to only deploy the CNI plugin on specific nodes. +affinity: {} +# Configures the generation of RBAC Roles and RoleBindings. +rbac: + # -- Whether to create RBAC resources which are required for the CNI plugin to function. + create: true + # -- (OpenShift) Whether to create RBAC resources which allow the CNI installer to use the "privileged" security context constraint. + createSCCRole: false +# -- Whether the DaemonSet should run in privileged mode. Must be enabled for environments which require it for writing files to the host (e.g. OpenShift). +privileged: false +# Configures the generation of the ServiceAccount. +serviceAccount: + # -- Whether a ServiceAccount should be created. + create: true + # -- Annotations to add to the ServiceAccount. + annotations: {} + # -- Name of the ServiceAccount to use. + # If not set and create is true, a name is generated using the fullname template. + name: "" +# Configures the generation of a NetworkAttachmentDefinition for use with Multus CNI (OpenShift) +multusNetworkAttachmentDefinition: + # -- Whether a NetworkAttachmentDefinition CR should be created, which can be used for applying the CNI plugin to Pods. create: false - config: - # Configures the necessary label and annotations along with their values - # to enable Grafana to correctly identify the ConfigMaps containing - # dashboards and file them within a dedicated folder in the dashboard overview. - # These settings need to match the Grafana sidecar configuration. - grafana: - folderAnnotation: - # -- Name of the annotation containing the folder name to file dashboards into. - name: "grafana_folder" - # -- Name of the folder dashboards are filed into within the Grafana UI. - value: "Airlock Microgateway" - dashboardLabel: - # -- Name of the label that lets Grafana identify ConfigMaps that represent dashboards. - name: "grafana_dashboard" - # -- Value of the label that lets Grafana identify ConfigMaps that represent dashboards. - value: "1" - instances: - # Available dashboard instances that can be individually created/deployed. - overview: - # -- Whether to create the overview dashboard. - create: true - license: - # -- Whether to create the license dashboard. - create: true - blockMetrics: - # -- Whether to create the block metrics dashboard. - create: true - blockLogs: - # -- Whether to create the block logs dashboard. - create: true -# Check whether the installation of the Airlock Microgateway Helm Chart was successful. -# Requires a secret with a valid Airlock Microgateway license key already to be present. + # -- Namespace in which the NetworkAttachmentDefinition is deployed. + # Note: If namespace is set to a custom value, referencing the created NetworkAttachmentDefinition from other namespaces + # may not work if Multus namespace isolation is enabled. https://github.com/k8snetworkplumbingwg/multus-cni/blob/v4.0.2/docs/configuration.md#namespace-isolation + namespace: default +# Parameters for the CNI installer configuration. +config: + # -- Whether to install the CNI plugin as a `chained` plugin (default, required with most interface CNI providers), + # as a `standalone` plugin (required for use with Multus CNI, e.g. on OpenShift) + # or in `manual` mode, where no CNI network configuration is written. + installMode: "chained" + # -- Log level for the CNI installer and plugin. + logLevel: info + # -- Directory where the CNI config files reside on the host. + # This path can either be found in the documentation of your Kubernetes distribution or CNI provider. + # It can also be queried by running the command `crictl info -o go-template --template '{{.config.cni.confDir}}'` on your Kubernetes node. + cniNetDir: "/etc/cni/net.d" + # -- Directory where the CNI plugin binaries reside on the host. + # This path can either be found in the documentation of your Kubernetes distribution or CNI provider. + # It can also be queried by running the command `crictl info -o go-template --template '{{.config.cni.binDir}}'` on your Kubernetes node. + cniBinDir: "/opt/cni/bin" + # -- Namespaces for which this CNI plugin should not apply any modifications. + excludeNamespaces: + - kube-system tests: # -- Whether additional resources required for running `helm test` should be created (e.g. Roles and ServiceAccounts). # If set to false, `helm test` will not run any tests. diff --git a/charts/airlock/microgateway/4.3.3/.helmignore b/charts/airlock/microgateway/4.3.3/.helmignore index 101ff5ac5..8561d2892 100644 --- a/charts/airlock/microgateway/4.3.3/.helmignore +++ b/charts/airlock/microgateway/4.3.3/.helmignore @@ -21,8 +21,7 @@ .idea/ *.tmproj .vscode/ -# CRDs kustomization.yaml -/crds/kustomization.yaml + # Helm unit tests /tests /validation diff --git a/charts/airlock/microgateway/4.3.3/Chart.yaml b/charts/airlock/microgateway/4.3.3/Chart.yaml index c168f9d77..f22c19bb6 100644 --- a/charts/airlock/microgateway/4.3.3/Chart.yaml +++ b/charts/airlock/microgateway/4.3.3/Chart.yaml @@ -9,15 +9,15 @@ annotations: - name: Airlock Microgateway Forum url: https://forum.airlock.com/ catalog.cattle.io/certified: partner - catalog.cattle.io/display-name: Airlock Microgateway + catalog.cattle.io/display-name: Airlock Microgateway CNI catalog.cattle.io/kube-version: '>=1.25.0-0' - catalog.cattle.io/release-name: microgateway - charts.openshift.io/name: Airlock Microgateway + catalog.cattle.io/release-name: microgateway-cni + charts.openshift.io/name: Airlock Microgateway CNI apiVersion: v2 appVersion: 4.3.3 -description: A Helm chart for deploying the Airlock Microgateway +description: A Helm chart for deploying the Airlock Microgateway CNI plugin home: https://www.airlock.com/en/microgateway -icon: file://assets/icons/microgateway.svg +icon: file://assets/icons/microgateway-cni.svg keywords: - WAF - Web Application Firewall @@ -30,14 +30,13 @@ keywords: - Filtering - DevSecOps - shift left -- control plane -- Operator +- CNI kubeVersion: '>=1.25.0-0' maintainers: - email: support@airlock.com name: Airlock url: https://www.airlock.com/ -name: microgateway +name: microgateway-cni sources: - https://github.com/airlock/microgateway type: application diff --git a/charts/airlock/microgateway/4.3.3/README.md b/charts/airlock/microgateway/4.3.3/README.md index c98085da1..685c4f1f8 100644 --- a/charts/airlock/microgateway/4.3.3/README.md +++ b/charts/airlock/microgateway/4.3.3/README.md @@ -1,4 +1,4 @@ -# Airlock Microgateway +# Airlock Microgateway CNI ![Version: 4.3.3](https://img.shields.io/badge/Version-4.3.3-informational?style=flat-square) ![AppVersion: 4.3.3](https://img.shields.io/badge/AppVersion-4.3.3-informational?style=flat-square) @@ -40,58 +40,43 @@ Check the official documentation at **[docs.airlock.com](https://docs.airlock.co The instructions below provide a quick start guide. Detailed information are provided in the **[manual](https://docs.airlock.com/microgateway/latest/)**. ## Prerequisites -* [Airlock Microgateway CNI](https://artifacthub.io/packages/helm/airlock-microgateway-cni/microgateway-cni) -* [Airlock Microgateway License](#obtain-airlock-microgateway-license) -* [cert-manager](https://cert-manager.io/) * [helm](https://helm.sh/docs/intro/install/) (>= v3.8.0) -In order to use Airlock Microgateway you need a license and the cert-manager. You may either request a community license free of charge or purchase a premium license. -For an easy start in non-production environments, you may deploy the same cert-manager we are using internally for testing. -### Obtain Airlock Microgateway License -1. Either request a community or premium license - * Community license: [airlock.com/microgateway-community](https://airlock.com/en/microgateway-community) - * Premium license: [airlock.com/microgateway-premium](https://airlock.com/en/microgateway-premium) -2. Check your inbox and save the license file microgateway-license.txt locally. - -> See [Community vs. Premium editions in detail](https://docs.airlock.com/microgateway/latest/#data/1675772882054.html) to choose the right license type. -### Deploy cert-manager -```bash -helm repo add jetstack https://charts.jetstack.io -helm install cert-manager jetstack/cert-manager --version '1.15.1' -n cert-manager --create-namespace --set crds.enabled=true --wait -``` - -## Deploy Airlock Microgateway Operator - -> This guide assumes a microgateway-license.txt file is present in the working directory. - -1. Install CRDs and Operator. +## Deploy Airlock Microgateway CNI +1. Install the CNI Plugin with Helm. + > **Note**: Certain environments such as OpenShift or GKE require non-default configurations when installing the CNI plugin. For the most common setups, values files are provided in the [chart folder](/deploy/charts/airlock-microgateway-cni). ```bash - # Create namespace - kubectl create namespace airlock-microgateway-system - - # Install License - kubectl -n airlock-microgateway-system create secret generic airlock-microgateway-license --from-file=microgateway-license.txt - - # Install Operator (CRDs are included via the standard Helm 3 mechanism, i.e. Helm will handle initial installation but not upgrades) - helm install airlock-microgateway -n airlock-microgateway-system oci://quay.io/airlockcharts/microgateway --version '4.3.3' --wait + # Standard setup + helm install airlock-microgateway-cni -n kube-system oci://quay.io/airlockcharts/microgateway-cni --version '4.3.3' + kubectl -n kube-system rollout status daemonset -l app.kubernetes.io/instance=airlock-microgateway-cni ``` + ```bash + # GKE setup + helm install airlock-microgateway-cni -n kube-system oci://quay.io/airlockcharts/microgateway-cni --version '4.3.3' -f https://raw.githubusercontent.com/airlock/microgateway/4.3.3/deploy/charts/airlock-microgateway-cni/gke-values.yaml + kubectl -n kube-system rollout status daemonset -l app.kubernetes.io/instance=airlock-microgateway-cni + ``` + ```bash + # OpenShift setup + helm install airlock-microgateway-cni -n openshift-operators oci://quay.io/airlockcharts/microgateway-cni --version '4.3.3' -f https://raw.githubusercontent.com/airlock/microgateway/4.3.3/deploy/charts/airlock-microgateway-cni/openshift-values.yaml + kubectl -n openshift-operators rollout status daemonset -l app.kubernetes.io/instance=airlock-microgateway-cni + ``` + **Important:** On OpenShift, all pods which should be protected by Airlock Microgateway must explicitly reference the Airlock Microgateway CNI NetworkAttachmentDefinition via the annotation `k8s.v1.cni.cncf.io/networks` (see [documentation](https://docs.airlock.com/microgateway/latest/#data/1658483168033.html) for details). 2. (Recommended) You can verify the correctness of the installation with `helm test`. ```bash - helm upgrade airlock-microgateway -n airlock-microgateway-system --set tests.enabled=true --reuse-values oci://quay.io/airlockcharts/microgateway --version '4.3.3' - helm test airlock-microgateway -n airlock-microgateway-system --logs - helm upgrade airlock-microgateway -n airlock-microgateway-system --set tests.enabled=false --reuse-values oci://quay.io/airlockcharts/microgateway --version '4.3.3' + # Standard and GKE setup + helm upgrade airlock-microgateway-cni -n kube-system --set tests.enabled=true --reuse-values oci://quay.io/airlockcharts/microgateway-cni --version '4.3.3' + helm test airlock-microgateway-cni -n kube-system --logs + helm upgrade airlock-microgateway-cni -n kube-system --set tests.enabled=false --reuse-values oci://quay.io/airlockcharts/microgateway-cni --version '4.3.3' + ``` + ```bash + # OpenShift setup + helm upgrade airlock-microgateway-cni -n openshift-operators --set tests.enabled=true --reuse-values oci://quay.io/airlockcharts/microgateway-cni --version '4.3.3' + helm test airlock-microgateway-cni -n openshift-operators --logs + helm upgrade airlock-microgateway-cni -n openshift-operators --set tests.enabled=false --reuse-values oci://quay.io/airlockcharts/microgateway-cni --version '4.3.3' ``` -### Upgrading CRDs - -The `helm install/upgrade` command currently does not support upgrading CRDs that already exist in the cluster. -CRDs should instead be manually upgraded before upgrading the Operator itself via the following command: -```bash -kubectl apply -k https://github.com/airlock/microgateway/deploy/charts/airlock-microgateway/crds/?ref=4.3.3 --server-side --force-conflicts -``` - -**Note**: Certain GitOps solutions such as e.g. Argo CD or Flux CD have their own mechanisms for automatically upgrading CRDs included with Helm charts. + Consult our [documentation](https://docs.airlock.com/microgateway/latest/#data/1699611533587.html) in case of any installation error. ## Support @@ -104,61 +89,33 @@ For the community edition, check our **[Airlock community forum](https://forum.a | Key | Type | Default | Description | |-----|------|---------|-------------| +| affinity | object | `{}` | Custom affinity for the DaemonSet to only deploy the CNI plugin on specific nodes. | | commonAnnotations | object | `{}` | Annotations to add to all resources. | | commonLabels | object | `{}` | Labels to add to all resources. | -| crds.skipVersionCheck | bool | `false` | Whether to skip the sanity check which prevents installing/upgrading the helm chart in a cluster with outdated Airlock Microgateway CRDs. The check aims to prevent unexpected behavior and issues due to Helm v3 not automatically upgrading CRDs which are already present in the cluster when performing a "helm install/upgrade". | -| dashboards.config.grafana.dashboardLabel.name | string | `"grafana_dashboard"` | Name of the label that lets Grafana identify ConfigMaps that represent dashboards. | -| dashboards.config.grafana.dashboardLabel.value | string | `"1"` | Value of the label that lets Grafana identify ConfigMaps that represent dashboards. | -| dashboards.config.grafana.folderAnnotation.name | string | `"grafana_folder"` | Name of the annotation containing the folder name to file dashboards into. | -| dashboards.config.grafana.folderAnnotation.value | string | `"Airlock Microgateway"` | Name of the folder dashboards are filed into within the Grafana UI. | -| dashboards.create | bool | `false` | Whether to create any ConfigMaps containing Grafana dashboards to import. | -| dashboards.instances.blockLogs.create | bool | `true` | Whether to create the block logs dashboard. | -| dashboards.instances.blockMetrics.create | bool | `true` | Whether to create the block metrics dashboard. | -| dashboards.instances.license.create | bool | `true` | Whether to create the license dashboard. | -| dashboards.instances.overview.create | bool | `true` | Whether to create the overview dashboard. | -| engine.image.digest | string | `"sha256:3c0ebee0b560c8699723bfa433cd601b04b190c384e031d3789b83287fab7a9b"` | SHA256 image digest to pull (in the format "sha256:a3051f42d3013813b05f7513bb86ed6a3209cb3003f1bb2f7b72df249aa544d3"). Overrides tag when specified. | -| engine.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for this image. | -| engine.image.repository | string | `"quay.io/airlock/microgateway-engine"` | Image repository from which to pull the Airlock Microgateway Engine image. | -| engine.image.tag | string | `"4.3.3"` | Image tag to pull. | -| engine.resources | object | `{}` | Resource restrictions to apply to the Airlock Microgateway Engine container. | -| engine.sidecar.podMonitor.create | bool | `false` | Whether to create a PodMonitor resource for monitoring. | -| engine.sidecar.podMonitor.labels | object | `{}` | Labels to add to the PodMonitor. | +| config.cniBinDir | string | `"/opt/cni/bin"` | Directory where the CNI plugin binaries reside on the host. This path can either be found in the documentation of your Kubernetes distribution or CNI provider. It can also be queried by running the command `crictl info -o go-template --template '{{.config.cni.binDir}}'` on your Kubernetes node. | +| config.cniNetDir | string | `"/etc/cni/net.d"` | Directory where the CNI config files reside on the host. This path can either be found in the documentation of your Kubernetes distribution or CNI provider. It can also be queried by running the command `crictl info -o go-template --template '{{.config.cni.confDir}}'` on your Kubernetes node. | +| config.excludeNamespaces | list | `["kube-system"]` | Namespaces for which this CNI plugin should not apply any modifications. | +| config.installMode | string | `"chained"` | Whether to install the CNI plugin as a `chained` plugin (default, required with most interface CNI providers), as a `standalone` plugin (required for use with Multus CNI, e.g. on OpenShift) or in `manual` mode, where no CNI network configuration is written. | +| config.logLevel | string | `"info"` | Log level for the CNI installer and plugin. | | fullnameOverride | string | `""` | Allows overriding the name to use as full name of resources. | +| image.digest | string | `"sha256:16317b9a8430059c15175673ad53e31d9e882a1d1af6576214eb1534d8ea6937"` | SHA256 image digest to pull (in the format "sha256:7144f7bab3d4c2648d7e59409f15ec52a18006a128c733fcff20d3a4a54ba44a"). Overrides tag when specified. | +| image.pullPolicy | string | `"IfNotPresent"` | Pull policy for this image. | +| image.repository | string | `"quay.io/airlock/microgateway-cni"` | Image repository from which to pull the Airlock Microgateway CNI image. | +| image.tag | string | `"4.3.3"` | Image tag to pull. | | imagePullSecrets | list | `[]` | ImagePullSecrets to use when pulling images. | -| license.secretName | string | `"airlock-microgateway-license"` | Name of the secret containing the "microgateway-license.txt" key. | -| nameOverride | string | `""` | Allows overriding the name to use instead of "microgateway". | -| networkValidator.image.digest | string | `"sha256:6051975a14c51b9d3b525a06004d62a4d323c08ca58e3468343095a55a42fff2"` | SHA256 image digest to pull (in the format "sha256:6051975a14c51b9d3b525a06004d62a4d323c08ca58e3468343095a55a42fff2"). Overrides tag when specified. | -| networkValidator.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for this image. | -| networkValidator.image.repository | string | `"cgr.dev/chainguard/netcat"` | Image repository from which to pull the netcat image for the Airlock Microgateway Network Validator init-container. | -| networkValidator.image.tag | string | `""` | Image tag to pull. | -| operator.affinity | object | `{}` | Custom affinity to apply to the operator Deployment. Used to influence the scheduling. | -| operator.config.logLevel | string | `"info"` | Operator application log level. | -| operator.image.digest | string | `"sha256:6d3ebca355de0a67f0bf5f088a15b9410564e500033d3e1f534a2f49a05bf4c3"` | SHA256 image digest to pull (in the format "sha256:c79ee3f85862fb386e9dd62b901b607161d27807f512d7fbdece05e9ee3d7c63"). Overrides tag when specified. | -| operator.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for this image. | -| operator.image.repository | string | `"quay.io/airlock/microgateway-operator"` | Image repository from which to pull the Airlock Microgateway Operator image. | -| operator.image.tag | string | `"4.3.3"` | Image tag to pull. | -| operator.nodeSelector | object | `{}` | Custom nodeSelector to apply to the operator Deployment in order to constrain its Pods to certain nodes. | -| operator.podAnnotations | object | `{}` | Annotations to add to all Pods. | -| operator.podLabels | object | `{}` | Labels to add to all Pods. | -| operator.rbac.create | bool | `true` | Whether to create RBAC resources which are required for the Airlock Microgateway Operator to function. | -| operator.replicaCount | int | `2` | Number of replicas for the operator Deployment. | -| operator.resources | object | `{}` | Resource restrictions to apply to the operator container. | -| operator.serviceAccount.annotations | object | `{}` | Annotations to add to the ServiceAccount. | -| operator.serviceAccount.create | bool | `true` | Whether a ServiceAccount should be created. | -| operator.serviceAccount.name | string | `""` | Name of the ServiceAccount to use. If not set and create is true, a name is generated using the fullname template. | -| operator.serviceAnnotations | object | `{}` | Annotations to add to the Service. | -| operator.serviceLabels | object | `{}` | Labels to add to the Service. | -| operator.serviceMonitor.create | bool | `false` | Whether to create a ServiceMonitor resource for monitoring. | -| operator.serviceMonitor.labels | object | `{}` | Labels to add to the ServiceMonitor. | -| operator.tolerations | list | `[]` | Custom tolerations to apply to the operator Deployment in order to allow its Pods to run on tainted nodes. | -| operator.updateStrategy | object | `{"type":"RollingUpdate"}` | Specifies the operator update strategy. | -| operator.watchNamespaceSelector | object | `{}` | Allows to dynamically select watch namespaces of the operator and the scope of the webhooks based on a Namespace label selector. It is able to detect and reconcile resources in all namespaces that match the label selector automatically, even for new namespaces, without restarting the operator. This facilitates a dynamic `MultiNamespace` installation mode, but still requires cluster-scoped permissions (i.e., ClusterRoles and ClusterRoleBindings). An `AllNamespaces` installation or the usage of the `watchNamespaces` requires the `watchNamespaceSelector` to be empty. Please note that this feature requires a Premium license. | -| operator.watchNamespaces | list | `[]` | Allows to restrict the operator to specific namespaces, depending on your needs. For a `OwnNamespace` or `SingleNamespace` installation the list may only contain one namespace (e.g., `watchNamespaces: ["airlock-microgateway-system"]`). In case of the `OwnNamespace` installation mode the specified namespace should be equal to the installation namespace. For a static `MultiNamespace` installation, the complete list of namespaces must be provided in the `watchNamespaces`. An `AllNamespaces` installation or the usage of the `watchNamespaceSelector` requires the `watchNamespaces` to be empty. Regardless of the installation modes supported by `watchNamespaces`, RBAC is created only namespace-scoped (using Roles and RoleBindings) in the respective namespaces. Please note that this feature requires a Premium license. | -| sessionAgent.image.digest | string | `"sha256:994bf4117adb74da4e05c22ffc168d9844bc68efa6a7fb96d73e849d1ef67b56"` | SHA256 image digest to pull (in the format "sha256:a3051f42d3013813b05f7513bb86ed6a3209cb3003f1bb2f7b72df249aa544d3"). Overrides tag when specified. | -| sessionAgent.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for this image. | -| sessionAgent.image.repository | string | `"quay.io/airlock/microgateway-session-agent"` | Image repository from which to pull the Airlock Microgateway Session Agent image. | -| sessionAgent.image.tag | string | `"4.3.3"` | Image tag to pull. | -| sessionAgent.resources | object | `{}` | Resource restrictions to apply to the Airlock Microgateway Session Agent container. | +| multusNetworkAttachmentDefinition.create | bool | `false` | Whether a NetworkAttachmentDefinition CR should be created, which can be used for applying the CNI plugin to Pods. | +| multusNetworkAttachmentDefinition.namespace | string | `"default"` | Namespace in which the NetworkAttachmentDefinition is deployed. Note: If namespace is set to a custom value, referencing the created NetworkAttachmentDefinition from other namespaces may not work if Multus namespace isolation is enabled. https://github.com/k8snetworkplumbingwg/multus-cni/blob/v4.0.2/docs/configuration.md#namespace-isolation | +| nameOverride | string | `""` | Allows overriding the name to use instead of "microgateway-cni". | +| nodeSelector | object | `{"kubernetes.io/os":"linux"}` | NodeSelector to apply to the CNI DaemonSet in order to only deploy the CNI plugin on specific nodes. | +| podAnnotations | object | `{}` | Annotations to add to all Pods. | +| podLabels | object | `{}` | Labels to add to all Pods. | +| privileged | bool | `false` | Whether the DaemonSet should run in privileged mode. Must be enabled for environments which require it for writing files to the host (e.g. OpenShift). | +| rbac.create | bool | `true` | Whether to create RBAC resources which are required for the CNI plugin to function. | +| rbac.createSCCRole | OpenShift | `false` | Whether to create RBAC resources which allow the CNI installer to use the "privileged" security context constraint. | +| resources | object | `{"requests":{"cpu":"10m","memory":"100Mi"}}` | Resource restrictions to apply to the CNI installer container. | +| serviceAccount.annotations | object | `{}` | Annotations to add to the ServiceAccount. | +| serviceAccount.create | bool | `true` | Whether a ServiceAccount should be created. | +| serviceAccount.name | string | `""` | Name of the ServiceAccount to use. If not set and create is true, a name is generated using the fullname template. | | tests.enabled | bool | `false` | Whether additional resources required for running `helm test` should be created (e.g. Roles and ServiceAccounts). If set to false, `helm test` will not run any tests. | ## License diff --git a/charts/airlock/microgateway/4.3.3/app-readme.md b/charts/airlock/microgateway/4.3.3/app-readme.md deleted file mode 100644 index e32cac025..000000000 --- a/charts/airlock/microgateway/4.3.3/app-readme.md +++ /dev/null @@ -1,28 +0,0 @@ -# Airlock Microgateway - -*Airlock Microgateway is a Kubernetes native WAAP (Web Application and API Protection) solution to protect microservices.* - -## Features -* Kubernetes native integration with its Operator, Custom Resource Definitions, hot-reload, automatic sidecar injection. -* Reverse proxy functionality with request routing rules, TLS termination and remote IP extraction -* Using native Envoy HTTP filters like Lua scripting, RBAC, ext_authz, JWT authentication -* Content security filters for protecting against known attacks (OWASP Top 10) -* Access control to allow only authenticated users to access the protected services -* API security features like JSON parsing or OpenAPI specification enforcement - -For a list of all features, view the **[comparison of the community and premium edition](https://docs.airlock.com/microgateway/latest/#data/1675772882054.html)**. - -## Requirements -* [Airlock Microgateway CNI Helm Chart](https://artifacthub.io/packages/helm/airlock-microgateway-cni/microgateway-cni) (Also available as Rancher Chart) -* [Airlock Microgateway License](https://github.com/airlock/microgateway?tab=readme-ov-file#obtain-airlock-microgateway-license) (After obtaining the license install it according to the [documentation](https://github.com/airlock/microgateway?tab=readme-ov-file#deploy-airlock-microgateway-operator)) -* [cert-manager](https://cert-manager.io/docs/installation/) - -## Documentation and links - -Check the official documentation at **[docs.airlock.com](https://docs.airlock.com/microgateway/latest/)** or the product website at **[airlock.com/microgateway](https://www.airlock.com/en/microgateway)**. The links below point out the most interesting documentation sites when starting with Airlock Microgateway. - -* [Getting Started](https://docs.airlock.com/microgateway/latest/#data/1660804708742.html) -* [System Architecture](https://docs.airlock.com/microgateway/latest/#data/1660804709650.html) -* [Installation](https://docs.airlock.com/microgateway/latest/#data/1660804708637.html) -* [Troubleshooting](https://docs.airlock.com/microgateway/latest/#data/1659430054787.html) -* [GitHub](https://github.com/airlock/microgateway) \ No newline at end of file diff --git a/charts/airlock/microgateway/4.3.3/crds/accesscontrols.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.3.3/crds/accesscontrols.microgateway.airlock.com.yaml deleted file mode 100644 index b6f1ab384..000000000 --- a/charts/airlock/microgateway/4.3.3/crds/accesscontrols.microgateway.airlock.com.yaml +++ /dev/null @@ -1,124 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - app.kubernetes.io/name: airlock-microgateway-operator - app.kubernetes.io/version: 4.3.3 - name: accesscontrols.microgateway.airlock.com -spec: - group: microgateway.airlock.com - names: - categories: - - airlock-microgateway - kind: AccessControl - listKind: AccessControlList - plural: accesscontrols - singular: accesscontrol - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - description: AccessControl specifies the options to perform access control with a Microgateway Engine container. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Specifies how the Airlock Microgateway Engine performs access control. - properties: - policies: - description: Policies configures access control policies. - items: - properties: - authorization: - description: Authorization configures how requests are authorized. An empty object value {} disables authorization. - properties: - authentication: - description: Authentication specifies that clients need to be authenticated with the provided method. - properties: - oidc: - description: OIDC configures client authentication using OpenID Connect. - properties: - oidcRelyingPartyRef: - description: OIDCRelyingPartyRef configures how the Airlock Microgateway Engine interacts with the OpenID provider. - properties: - name: - description: Name of the resource - minLength: 1 - type: string - required: - - name - type: object - required: - - oidcRelyingPartyRef - type: object - type: object - type: object - identityPropagation: - description: IdentityPropagation configures how the authenticated user's identity is communicated to the protected application. - properties: - actions: - description: Actions specifies the propagation actions. - items: - properties: - identityPropagationRef: - description: IdentityPropagationRef selects an IdentityPropagation to apply. - properties: - name: - description: Name of the resource - minLength: 1 - type: string - required: - - name - type: object - required: - - identityPropagationRef - type: object - type: array - onFailure: - description: |- - OnFailure configures what should happen, if an identity propagation fails. Meaning of the possible values: - _Pass_: The request should be forwarded to the upstream, without including the information from the failed identity propagations. - enum: - - Pass - type: string - required: - - actions - - onFailure - type: object - required: - - authorization - type: object - maxItems: 1 - minItems: 1 - type: array - required: - - policies - type: object - required: - - spec - type: object - served: true - storage: true - subresources: {} diff --git a/charts/airlock/microgateway/4.3.3/crds/contentsecurities.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.3.3/crds/contentsecurities.microgateway.airlock.com.yaml deleted file mode 100644 index 05e059f8a..000000000 --- a/charts/airlock/microgateway/4.3.3/crds/contentsecurities.microgateway.airlock.com.yaml +++ /dev/null @@ -1,139 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - app.kubernetes.io/name: airlock-microgateway-operator - app.kubernetes.io/version: 4.3.3 - name: contentsecurities.microgateway.airlock.com -spec: - group: microgateway.airlock.com - names: - categories: - - airlock-microgateway - kind: ContentSecurity - listKind: ContentSecurityList - plural: contentsecurities - singular: contentsecurity - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - description: ContentSecurity specifies the options to secure an upstream web application with a Microgateway Engine container. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Specifies the options to secure an upstream web application with a Microgateway Engine container. - properties: - apiProtection: - description: |- - APIProtection defines the relevant configurations to protect APIs. - If undefined, default settings are applied, designed to work with most upstream web application services. - properties: - graphQLRef: - description: |- - GraphQLRef selects the relevant GraphQL configuration resource. - If undefined, default settings are applied, designed to work with most upstream web application services. - properties: - name: - description: Name of the resource - minLength: 1 - type: string - required: - - name - type: object - openAPIRef: - description: |- - OpenAPIRef selects the relevant OpenAPI configuration resource. - If undefined, default settings are applied, designed to work with most upstream web application services. - properties: - name: - description: Name of the resource - minLength: 1 - type: string - required: - - name - type: object - type: object - filter: - description: |- - Filter defines the set of filters, e.g. Airlock Deny Rules, to be applied to incoming requests - to protect against various attack patterns. - If undefined, default settings are applied, designed to work with most upstream web application services. - properties: - denyRulesRef: - description: |- - DenyRulesRef selects the relevant DenyRules configuration resource. - If undefined, default settings are applied, designed to work with most upstream web application services. - properties: - name: - description: Name of the resource - minLength: 1 - type: string - required: - - name - type: object - type: object - headerRewritesRef: - description: |- - HeaderRewritesRef selects the relevant HeaderRewrites. - If undefined, default settings are applied, designed to work with most upstream web application services. - properties: - name: - description: Name of the resource - minLength: 1 - type: string - required: - - name - type: object - limitsRef: - description: |- - LimitsRef selects the relevant Limits configuration resource. - If undefined, default settings are applied, designed to work with most upstream web application services. - properties: - name: - description: Name of the resource - minLength: 1 - type: string - required: - - name - type: object - parserRef: - description: |- - ParserRef selects the relevant Parser configuration resource. - If undefined, default settings are applied, designed to work with most upstream web application services. - properties: - name: - description: Name of the resource - minLength: 1 - type: string - required: - - name - type: object - type: object - type: object - served: true - storage: true - subresources: {} diff --git a/charts/airlock/microgateway/4.3.3/crds/denyrules.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.3.3/crds/denyrules.microgateway.airlock.com.yaml deleted file mode 100644 index fddaa375d..000000000 --- a/charts/airlock/microgateway/4.3.3/crds/denyrules.microgateway.airlock.com.yaml +++ /dev/null @@ -1,1804 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - app.kubernetes.io/name: airlock-microgateway-operator - app.kubernetes.io/version: 4.3.3 - name: denyrules.microgateway.airlock.com -spec: - group: microgateway.airlock.com - names: - categories: - - airlock-microgateway - kind: DenyRules - listKind: DenyRulesList - plural: denyrules - singular: denyrules - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - DenyRules configures request filtering using Airlock built-in and custom deny rules. - Deny rules establish a negative security model. They define prohibited patterns which, when a match is found in a request, lead to it being blocked from reaching the upstream web application. - To handle possible false positives, lower the security level or define fine-granular deny rule exceptions - If undefined, default settings are applied, designed to work with most upstream web application services. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Specification of the desired deny rules behavior. - properties: - request: - description: Request configures deny rules for downstream requests. - properties: - builtIn: - description: BuiltIn configures the built-in deny rules. - properties: - exceptions: - description: Exceptions allows to define exceptions for specific requests and deny rules. - items: - description: |- - DenyRulesException defines an exception for deny rules. Exceptions may be defined by any or a combination of the following elements: blockedData (the request data causing a block) or requestConditions (properties of a request without taking into consideration the reason why a request has been blocked). - At least one of blockedData and requestConditions must be set. - properties: - blockedData: - description: BlockedData defines an exception based on the request data causing the block. - properties: - graphQL: - description: |- - GraphQL defines an exception based on a blocked GraphQL query. - Only one of parameter, header, path, pathSegment, json or graphQL can be set. - properties: - argument: - description: |- - Argument defines an argument of a field of the GraphQL query. - At least one of field, argument and value must be set. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - field: - description: |- - Field defines a field of the GraphQL query. - At least one of field, argument and value must be set. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - value: - description: |- - Value defines the value of an argument of the GraphQL query. - At least one of field, argument and value must be set. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - type: object - header: - description: |- - Header defines an exception based on a blocked header. - Only one of parameter, header, path, pathSegment, json or graphQL can be set. - properties: - name: - description: Name defines the name of a header. - properties: - matcher: - description: Matcher defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - value: - description: Value defines the value of a header. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - type: object - json: - description: |- - JSON defines an exception based on a blocked JSON property. - Only one of parameter, header, path, pathSegment, json or graphQL can be set. - properties: - jsonPath: - description: |- - JSONPath defines the JSONPath pattern to match the path within the JSON. - Expressions in JSONPath i.e. `?(expr)` are not supported. - minLength: 1 - type: string - key: - description: |- - Key defines the key of the JSON property. - At most one of key and value can be set. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - value: - description: |- - Value defines the value of the JSON property. - At most one of key and value can be set. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - type: object - parameter: - description: |- - Parameter defines an exception based on a blocked parameter. - Only one of parameter, header, path, pathSegment, json or graphQL can be set. - properties: - name: - description: Name defines the name of a parameter. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - source: - default: Any - description: Source defines the source of the parameter. - enum: - - Query - - Post - - Any - type: string - value: - description: Value defines the value of a parameter. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - type: object - path: - description: |- - Path defines an exception based on the blocked path. - Only one of parameter, header, path, pathSegment, json or graphQL can be set. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - pathSegment: - description: |- - PathSegment defines an exception based on a blocked path segment. - Only one of parameter, header, path, pathSegment, json or graphQL can be set. - properties: - segments: - description: Segments defines the position of a segment within the path. - properties: - index: - description: Index specifies an exact path segment position by index (0-based). - minimum: 0 - type: integer - type: object - value: - description: Value defines the value of a path segment. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - type: object - type: object - requestConditions: - description: RequestConditions defines an exception based on a property of a request without taking into consideration the reason why a request has been blocked. - properties: - header: - description: Header defines the matching headers of a request. - properties: - name: - description: Name defines the name of a header. - properties: - matcher: - description: Matcher defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - value: - description: Value defines the value of a header. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - type: object - invert: - default: false - description: Invert indicates whether the request condition should be inverted. - type: boolean - mediaType: - description: MediaType defines the matching media type from the content-type header of a request. - properties: - matcher: - description: |- - NonInvertableCaseInsensitiveStringMatcher defines the way to match a string. - In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - method: - description: Method defines the matching methods of a request. - items: - description: Method defines common HTTP methods. - enum: - - GET - - HEAD - - POST - - PUT - - PATCH - - DELETE - - CONNECT - - OPTIONS - - TRACE - type: string - type: array - path: - description: Path defines the matching path of a request. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - remoteIP: - description: RemoteIP defines the matching remote IPs of a request. - properties: - cidrRanges: - description: CIDRRanges defines the IPv4 or IPv6 CIDR ranges, e.g. ``196.148.3.128/26`` or ``2001:db8::/28``. - items: - description: CIDRRange defines an IPv4 or IPv6 CIDR range, e.g. “196.148.3.128/26“ or “2001:db8::/28“. - format: cidr - type: string - minItems: 1 - type: array - invert: - default: false - description: Invert indicates whether the match should be inverted. - type: boolean - required: - - cidrRanges - type: object - type: object - ruleKeys: - description: RuleKeys restricts the exception to a set of deny rules. - items: - description: |- - A deny rule name can be any of the following values: - ENCODING | - EXPLOIT | - HPP | - HTML | - IDOR | - LDAP | - NOSQL | - OGNL | - PHP | - PROTOCOL | - SANITY | - SCANNING | - SQL | - TEMPLATE | - UNIXCMD | - WINCMD | - XSS - enum: - - ENCODING - - EXPLOIT - - HPP - - HTML - - IDOR - - LDAP - - NOSQL - - OGNL - - PHP - - PROTOCOL - - SANITY - - SCANNING - - SQL - - TEMPLATE - - UNIXCMD - - WINCMD - - XSS - type: string - minItems: 1 - type: array - type: object - type: array - overrides: - description: Overrides allows to override the builtIn settings for specific deny rules. - items: - description: DenyRulesOverride allows to override the builtIn settings for specific deny rules. - properties: - conditions: - description: Conditions select which built-in deny rules' settings will be adjusted. - properties: - ruleKeys: - description: RuleKeys is a list of built-in deny rule names. - items: - description: |- - A deny rule name can be any of the following values: - ENCODING | - EXPLOIT | - HPP | - HTML | - IDOR | - LDAP | - NOSQL | - OGNL | - PHP | - PROTOCOL | - SANITY | - SCANNING | - SQL | - TEMPLATE | - UNIXCMD | - WINCMD | - XSS - enum: - - ENCODING - - EXPLOIT - - HPP - - HTML - - IDOR - - LDAP - - NOSQL - - OGNL - - PHP - - PROTOCOL - - SANITY - - SCANNING - - SQL - - TEMPLATE - - UNIXCMD - - WINCMD - - XSS - type: string - minItems: 1 - type: array - types: - description: Types defines the type of attributes the override should be applied on. If Types are defined without any RuleKeys the override is applied to all deny rules. - items: - description: |- - A deny rule override type name can be any of the following values: - Header | - Parameter | - Path | - JSON | - GraphQL - enum: - - Header - - Parameter - - Path - - PathSegment - - JSON - - GraphQL - type: string - minItems: 0 - type: array - type: object - settings: - description: Settings override the corresponding properties for the selected rules. - properties: - level: - description: Level specifies the filter strength. - enum: - - Unfiltered - - Basic - - Standard - - Strict - type: string - threatHandlingMode: - description: ThreatHandlingMode specifies how threats should be handled. - enum: - - Block - - LogOnly - type: string - type: object - type: object - type: array - settings: - description: Settings contains the keys which will be adjusted. - properties: - level: - default: Standard - description: Level represents a set of deny rules with different filter strengths. - enum: - - Unfiltered - - Basic - - Standard - - Strict - type: string - threatHandlingMode: - default: Block - description: ThreatHandlingMode specifies how threats should be handled when a deny rule matches. - enum: - - Block - - LogOnly - type: string - type: object - type: object - custom: - description: Custom allows configuring additional deny rules. - properties: - rules: - description: Rules defines list of additional deny rules. - items: - properties: - blockData: - description: BlockData specifies the request data which should cause a block. - properties: - graphQL: - description: |- - GraphQL specifies to block requests containing a matching GraphQL property. - At least one of field, argument and value must be set. - properties: - argument: - description: |- - Argument defines an argument of a field of the GraphQL query. - At least one of field, argument and value must be set. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - field: - description: |- - Field defines a field of the GraphQL query. - At least one of field, argument and value must be set. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - value: - description: |- - Value defines the value of an argument of the GraphQL query. - At least one of field, argument and value must be set. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - type: object - header: - description: |- - Header specifies to block requests containing a matching header. - Only one of parameter, header, path, pathSegment or json can be set. - properties: - name: - description: Name defines the name of a header. - properties: - matcher: - description: |- - NonInvertableCaseInsensitiveStringMatcher defines the way to match a string. - In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - value: - description: Value defines the value of a header. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - type: object - json: - description: |- - JSON specifies to block requests containing a matching JSON property in the body. - Only one of parameter, header, path, pathSegment or json can be set. - properties: - key: - description: Key defines the key of a JSON object. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - value: - description: Value defines the value of a JSON object. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - type: object - parameter: - description: |- - Parameter specifies to block requests containing a matching parameter. - Only one of parameter, header, path, pathSegment or json can be set. - properties: - name: - description: Name defines the name of a parameter. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - value: - description: Value defines the value of a parameter. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - type: object - path: - description: |- - Path specifies to block requests with a matching path. - Only one of parameter, header, path, pathSegment or json can be set. - properties: - matcher: - description: Matcher specifies which path to block. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - pathSegment: - description: |- - PathSegment specifies to block requests containing a matching path segment. - Only one of parameter, header, path, pathSegment or json can be set. - properties: - segments: - description: |- - Segments restricts which path segments are filtered by this rule. - If not specified, all segments of a path are filtered. - properties: - index: - description: Index restricts the rule to the path segment at this index (0-based). - minimum: 0 - type: integer - type: object - value: - description: Value specifies which path segment values to block. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - required: - - value - type: object - type: object - requestConditions: - description: RequestConditions defines additional request properties which must be matched in order for this rule to apply. - properties: - header: - description: Header defines the matching headers of a request. - properties: - name: - description: Name defines the name of a header. - properties: - matcher: - description: Matcher defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - value: - description: Value defines the value of a header. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - type: object - invert: - default: false - description: Invert indicates whether the request condition should be inverted. - type: boolean - mediaType: - description: MediaType defines the matching media type from the content-type header of a request. - properties: - matcher: - description: |- - NonInvertableCaseInsensitiveStringMatcher defines the way to match a string. - In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - method: - description: Method defines the matching methods of a request. - items: - description: Method defines common HTTP methods. - enum: - - GET - - HEAD - - POST - - PUT - - PATCH - - DELETE - - CONNECT - - OPTIONS - - TRACE - type: string - type: array - path: - description: Path defines the matching path of a request. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - remoteIP: - description: RemoteIP defines the matching remote IPs of a request. - properties: - cidrRanges: - description: CIDRRanges defines the IPv4 or IPv6 CIDR ranges, e.g. ``196.148.3.128/26`` or ``2001:db8::/28``. - items: - description: CIDRRange defines an IPv4 or IPv6 CIDR range, e.g. “196.148.3.128/26“ or “2001:db8::/28“. - format: cidr - type: string - minItems: 1 - type: array - invert: - default: false - description: Invert indicates whether the match should be inverted. - type: boolean - required: - - cidrRanges - type: object - type: object - ruleKey: - description: RuleKey defines a technical key for the deny rule. Must be unique. - minLength: 1 - pattern: ^[A-Z][A-Z0-9_]*$ - type: string - threatHandlingMode: - default: Block - description: ThreatHandlingMode specifies how threats should be handled when a deny rule matches. - enum: - - Block - - LogOnly - type: string - required: - - blockData - - ruleKey - type: object - type: array - x-kubernetes-list-map-keys: - - ruleKey - x-kubernetes-list-type: map - type: object - type: object - type: object - type: object - served: true - storage: true - subresources: {} diff --git a/charts/airlock/microgateway/4.3.3/crds/envoyclusters.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.3.3/crds/envoyclusters.microgateway.airlock.com.yaml deleted file mode 100644 index bb564f942..000000000 --- a/charts/airlock/microgateway/4.3.3/crds/envoyclusters.microgateway.airlock.com.yaml +++ /dev/null @@ -1,58 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - app.kubernetes.io/name: airlock-microgateway-operator - app.kubernetes.io/version: 4.3.3 - name: envoyclusters.microgateway.airlock.com -spec: - group: microgateway.airlock.com - names: - categories: - - airlock-microgateway - kind: EnvoyCluster - listKind: EnvoyClusterList - plural: envoyclusters - singular: envoycluster - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - description: EnvoyCluster is an additional Envoy Cluster resource which is added to those defined by the Airlock Microgateway. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Specification of the desired additional Envoy cluster. - properties: - value: - description: Value defines the Envoy Cluster which is added to those configured by the Airlock Microgateway. - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - served: true - storage: true - subresources: {} diff --git a/charts/airlock/microgateway/4.3.3/crds/envoyconfigurations.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.3.3/crds/envoyconfigurations.microgateway.airlock.com.yaml deleted file mode 100644 index b6147ae08..000000000 --- a/charts/airlock/microgateway/4.3.3/crds/envoyconfigurations.microgateway.airlock.com.yaml +++ /dev/null @@ -1,185 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - app.kubernetes.io/name: airlock-microgateway-operator - app.kubernetes.io/version: 4.3.3 - name: envoyconfigurations.microgateway.airlock.com -spec: - group: microgateway.airlock.com - names: - categories: - - airlock-microgateway - kind: EnvoyConfiguration - listKind: EnvoyConfigurationList - plural: envoyconfigurations - singular: envoyconfiguration - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .status.status - name: Status - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - EnvoyConfiguration is the Schema for the envoyconfigurations API - {{% notice warning %}} EnvoyConfiguration resources may contain sensitive information and thus RBAC permissions should be granted with care. {{% /notice %}} - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: EnvoyConfigurationSpec defines the desired state of EnvoyConfiguration - properties: - envoyResources: - properties: - clusters: - items: - type: object - x-kubernetes-preserve-unknown-fields: true - type: array - endpoints: - items: - type: object - x-kubernetes-preserve-unknown-fields: true - type: array - extensions: - items: - type: object - x-kubernetes-preserve-unknown-fields: true - type: array - listeners: - items: - type: object - x-kubernetes-preserve-unknown-fields: true - type: array - routes: - items: - type: object - x-kubernetes-preserve-unknown-fields: true - type: array - runtimes: - items: - type: object - x-kubernetes-preserve-unknown-fields: true - type: array - scopedRoutes: - items: - type: object - x-kubernetes-preserve-unknown-fields: true - type: array - secrets: - items: - type: object - x-kubernetes-preserve-unknown-fields: true - type: array - type: object - envoyResourcesRaw: - description: |- - EnvoyResourcesRaw defines the desired state for each resource type. The resources are stored as zstd compressed JSON bytes. - For debugging purposes, the resources can be inspected with the following command: `kubectl get envoyconfiguration -ojsonpath='{.spec.envoyResourcesRaw}' | base64 -d | zstd -d | jq` - format: byte - type: string - nodeID: - description: '**Deprecated:** This field is now ignored as NodeID is always derived from the resource name.' - type: string - type: object - status: - description: EnvoyConfigurationStatus defines the observed state of EnvoyConfiguration - properties: - conditions: - items: - properties: - lastTransitionTime: - description: Last time the condition transitioned from one status to another. - format: date-time - type: string - message: - description: A human-readable message indicating details about the transition. - type: string - reason: - description: The reason for the condition's last transition. - type: string - status: - description: Status of the condition, one of True, False, Unknown. - type: string - type: - description: Type of EnvoyConfiguration condition. - type: string - required: - - status - - type - type: object - type: array - status: - type: string - xds: - properties: - resourceTypes: - additionalProperties: - description: XdsResourceTypeSyncStatus defines the sync status of xDS for a specific resource type - properties: - errorMessage: - description: ErrorMessage defines an optional message why the currently served resources of this resource type are rejected by the client. - type: string - resources: - additionalProperties: - description: XdsResourceStatus defines the status of xDS for a specific resource - properties: - version: - description: Version defines the version which is currently served for this resource. - type: string - required: - - version - type: object - description: Resources defines the resources which are currently served for this resource type. - type: object - status: - description: Status defines the current sync status of this resource type. - type: string - version: - description: Version defines the version which is currently served for this resource type. - type: string - required: - - resources - - status - - version - type: object - description: ResourceTypes defines the sync statuses for each resource type. - type: object - version: - description: Version defines the version of the underlying xDS snapshot. - type: integer - required: - - version - type: object - required: - - status - - xds - type: object - type: object - served: true - storage: true - subresources: - status: {} diff --git a/charts/airlock/microgateway/4.3.3/crds/envoyhttpfilters.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.3.3/crds/envoyhttpfilters.microgateway.airlock.com.yaml deleted file mode 100644 index c5eaad364..000000000 --- a/charts/airlock/microgateway/4.3.3/crds/envoyhttpfilters.microgateway.airlock.com.yaml +++ /dev/null @@ -1,58 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - app.kubernetes.io/name: airlock-microgateway-operator - app.kubernetes.io/version: 4.3.3 - name: envoyhttpfilters.microgateway.airlock.com -spec: - group: microgateway.airlock.com - names: - categories: - - airlock-microgateway - kind: EnvoyHTTPFilter - listKind: EnvoyHTTPFilterList - plural: envoyhttpfilters - singular: envoyhttpfilter - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - description: EnvoyHTTPFilter is an additional Envoy HTTP Filter resource which is added to those defined by the Airlock Microgateway. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Specification of the desired additional Envoy HTTP filter. - properties: - value: - description: Value defines the HTTP filter which is added to those configured by the Airlock Microgateway. - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - served: true - storage: true - subresources: {} diff --git a/charts/airlock/microgateway/4.3.3/crds/headerrewrites.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.3.3/crds/headerrewrites.microgateway.airlock.com.yaml deleted file mode 100644 index a9f832a2b..000000000 --- a/charts/airlock/microgateway/4.3.3/crds/headerrewrites.microgateway.airlock.com.yaml +++ /dev/null @@ -1,759 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - app.kubernetes.io/name: airlock-microgateway-operator - app.kubernetes.io/version: 4.3.3 - name: headerrewrites.microgateway.airlock.com -spec: - group: microgateway.airlock.com - names: - categories: - - airlock-microgateway - kind: HeaderRewrites - listKind: HeaderRewritesList - plural: headerrewrites - singular: headerrewrites - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: HeaderRewrites is the Schema for the headerrewrites API - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Specification of the desired header rewriting behavior. - properties: - request: - description: Request defines manipulations on upstream request headers. - properties: - add: - description: Add defines which request headers will be added before forwarding to the upstream. - properties: - custom: - description: |- - Custom allows configuring additional upstream request headers. - Add selected headers. - items: - properties: - headers: - description: Headers to add. - items: - description: HeaderRewritesHeader specifies a header with a particular value - properties: - name: - description: Name defines the name of a header. - minLength: 1 - type: string - value: - description: Value defines the value of a header. - type: string - required: - - name - - value - type: object - minItems: 1 - type: array - mode: - default: AddIfAbsent - description: Mode defines the header addition strategy. - enum: - - AddIfAbsent - - OverwriteOrAdd - type: string - name: - description: Name describing the configured operation. - minLength: 1 - type: string - required: - - headers - - name - type: object - minItems: 1 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - type: object - allow: - description: |- - Allow defines which request headers will be forwarded to the upstream. - This can either be allHeaders or matchingHeaders. - Default: matchingHeaders: {...} - properties: - allHeaders: - description: AllHeaders specifies that all request headers should be forwarded. - type: object - matchingHeaders: - description: MatchingHeaders specifies which request headers should be forwarded. - properties: - builtIn: - description: BuiltIn allows configuring a set of predefined upstream request headers. - properties: - standardHeaders: - default: true - description: StandardHeaders defines whether the request headers which are forwarded to the upstream will be restricted to a set of common request headers. - type: boolean - type: object - custom: - description: Custom allows configuring additional upstream request headers. - items: - properties: - headers: - description: Headers to allow. - items: - description: |- - HeaderMatcher defines a matcher for an HTTP header. - At least one of name and value must be set. - properties: - name: - description: Name defines the name of a header. - properties: - matcher: - description: Matcher defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - value: - description: Value defines the value of a header. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - type: object - minItems: 1 - type: array - name: - description: Name describing the configured operation. Must be unique. - minLength: 1 - type: string - required: - - headers - - name - type: object - minItems: 1 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - type: object - type: object - remove: - description: Remove defines which request headers will be removed before forwarding to the upstream. - properties: - builtIn: - description: BuiltIn allows configuring a set of predefined upstream request headers. - properties: - alternativeForwardedHeaders: - default: true - description: |- - AlternativeForwardedHeaders removes downstream request headers which could potentially - be abused to alter the upstream's view of the remote connection. - type: boolean - type: object - custom: - description: Custom allows configuring additional upstream request headers. - items: - properties: - headers: - description: Headers to remove. - items: - description: |- - HeaderMatcher defines a matcher for an HTTP header. - At least one of name and value must be set. - properties: - name: - description: Name defines the name of a header. - properties: - matcher: - description: Matcher defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - value: - description: Value defines the value of a header. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - type: object - minItems: 1 - type: array - name: - description: Name describing the configured operation. Must be unique. - minLength: 1 - type: string - required: - - headers - - name - type: object - minItems: 1 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - type: object - type: object - response: - description: Response defines manipulations on upstream response headers. - properties: - add: - description: Add defines which response headers will be added before forwarding to the downstream. - properties: - builtIn: - description: BuiltIn allows configuring a set of predefined upstream response headers. - properties: - csp: - default: true - description: |- - CSP sets a content security policy which allows only same-origin requests except for images - if the 'Content-Security-Policy' header is not set by the upstream. - type: boolean - featurePolicy: - default: false - description: |- - FeaturePolicy sets a feature policy which prevents cross-origin use of several browser features - if the 'Feature-Policy' header is not set by the upstream. - **Deprecated:** Use permissionsPolicy instead. - type: boolean - hsts: - default: true - description: HSTS enforces the use of HTTPS if the 'Strict-Transport-Security' header is not already set by the upstream. - type: boolean - hstsPreload: - default: false - description: HSTSPreload enforces the use of HTTPS including for subdomains and enables HSTS preload. - type: boolean - permissionsPolicy: - default: true - description: |- - PermissionsPolicy sets a permissions policy which prevents cross-origin use of several browser features - if the 'Permissions-Policy' header is not set by the upstream. - type: boolean - referrerPolicy: - default: true - description: |- - ReferrerPolicy ensures that no 'Referer' header is sent for cross-origin requests - if the 'Referrer-Policy' header is not set by the upstream. - type: boolean - xContentTypeOptions: - default: true - description: XContentTypeOptions sets 'X-Content-Type-Options' to 'nosniff' if it is not set by the upstream. - type: boolean - xFrameOptions: - default: true - description: XFrameOptions sets 'X-Frame-Options' to SAMEORIGIN if it is not set by the upstream. - type: boolean - type: object - custom: - description: Custom allows configuring additional upstream response headers. - items: - properties: - headers: - description: Headers to add. - items: - description: HeaderRewritesHeader specifies a header with a particular value - properties: - name: - description: Name defines the name of a header. - minLength: 1 - type: string - value: - description: Value defines the value of a header. - type: string - required: - - name - - value - type: object - minItems: 1 - type: array - mode: - default: AddIfAbsent - description: Mode defines the header addition strategy. - enum: - - AddIfAbsent - - OverwriteOrAdd - type: string - name: - description: Name describing the configured operation. - minLength: 1 - type: string - required: - - headers - - name - type: object - minItems: 1 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - type: object - allow: - description: |- - Allow defines which response headers will be forwarded to the downstream. - This can either be allHeaders or matchingHeaders. - Default: allHeaders: {} - properties: - allHeaders: - description: AllHeaders specifies that all response headers should be forwarded. - type: object - matchingHeaders: - description: MatchingHeaders specifies which response headers should be forwarded. - properties: - builtIn: - description: BuiltIn allows configuring a set of predefined upstream response header. - properties: - standardHeaders: - default: false - description: StandardHeaders defines whether the response headers which are forwarded to the downstream will be restricted to a set of common response headers. - type: boolean - type: object - custom: - description: Custom allows configuring additional upstream response headers. - items: - properties: - headers: - description: Headers to allow. - items: - description: |- - HeaderMatcher defines a matcher for an HTTP header. - At least one of name and value must be set. - properties: - name: - description: Name defines the name of a header. - properties: - matcher: - description: Matcher defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - value: - description: Value defines the value of a header. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - type: object - minItems: 1 - type: array - name: - description: Name describing the configured operation. Must be unique. - minLength: 1 - type: string - required: - - headers - - name - type: object - minItems: 1 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - type: object - type: object - remove: - description: Remove defines which response headers will be removed before forwarding to the downstream. - properties: - builtIn: - description: BuiltIn allows configuring a set of predefined upstream response headers. - properties: - auth: - description: Auth defines the categories of headers concerning authentication. - properties: - basic: - default: false - description: Basic removes upstream response headers that advise clients to authenticate with Basic Authentication. - type: boolean - negotiate: - default: true - description: Negotiate removes upstream response headers that advise clients to authenticate with Negotiate. - type: boolean - ntlm: - default: true - description: |- - NTLM removes upstream response headers that advise clients to authenticate with NTLM. - By default, these headers are removed, because NTLM pass-through is not supported. - type: boolean - type: object - informationLeakage: - description: InformationLeakage defines the categories of headers concerning information leakage. - properties: - application: - default: true - description: Application removes upstream response headers that leak information about the deployed software. - type: boolean - server: - default: true - description: Server removes upstream response headers that leak information about the server. - type: boolean - type: object - permissiveCors: - default: true - description: PermissiveCORS removes upstream response headers for CORS (Cross-Origin Resource Sharing) which have no restrictions and therefore reduce client-side security. - type: boolean - type: object - custom: - description: Custom allows configuring additional upstream response headers. - items: - properties: - headers: - description: Headers to remove. - items: - description: |- - HeaderMatcher defines a matcher for an HTTP header. - At least one of name and value must be set. - properties: - name: - description: Name defines the name of a header. - properties: - matcher: - description: Matcher defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - value: - description: Value defines the value of a header. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - type: object - minItems: 1 - type: array - name: - description: Name describing the configured remove operation. Must be unique. - minLength: 1 - type: string - required: - - headers - - name - type: object - minItems: 1 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - type: object - type: object - settings: - description: Settings configures the HeaderRewrites filter. - properties: - operationalMode: - default: Production - description: OperationalMode defines the behavior of the filter. In integration mode more information is logged about the requests and responses. - enum: - - Production - - Integration - type: string - type: object - type: object - type: object - served: true - storage: true diff --git a/charts/airlock/microgateway/4.3.3/crds/identitypropagations.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.3.3/crds/identitypropagations.microgateway.airlock.com.yaml deleted file mode 100644 index 4610fe8b8..000000000 --- a/charts/airlock/microgateway/4.3.3/crds/identitypropagations.microgateway.airlock.com.yaml +++ /dev/null @@ -1,108 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - app.kubernetes.io/name: airlock-microgateway-operator - app.kubernetes.io/version: 4.3.3 - name: identitypropagations.microgateway.airlock.com -spec: - group: microgateway.airlock.com - names: - categories: - - airlock-microgateway - kind: IdentityPropagation - listKind: IdentityPropagationList - plural: identitypropagations - singular: identitypropagation - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - description: IdentityPropagation specifies the desired identity propagation. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Specification of the desired identity propagation. - properties: - header: - description: Header configures identity propagation via a request header. - properties: - name: - description: Name of the header to set. - minLength: 1 - type: string - value: - description: Value to propagate to the application. - properties: - source: - description: Source from which to extract the value. - properties: - metadata: - description: Metadata specifies to extract a value from an Envoy dynamic filter metadata key. - properties: - key: - description: Key specifies the metadata key from which to load the value, e.g. `some_payload.aud`. - minLength: 1 - type: string - namespace: - description: Namespace specifies the metadata namespace within which the lookup should be performed, e.g. `envoy.filters.http.jwt_authn`. - minLength: 1 - type: string - required: - - key - - namespace - type: object - oidc: - description: OIDC specifies to extract a value from the result of an OpenID Connect flow. - properties: - idToken: - description: IDToken specifies to extract the value from the OpenID Connect ID Token. - properties: - claim: - description: Claim selects the JWT claim from which to extract the value. - minLength: 1 - type: string - required: - - claim - type: object - required: - - idToken - type: object - type: object - required: - - source - type: object - required: - - name - - value - type: object - type: object - required: - - spec - type: object - served: true - storage: true - subresources: {} diff --git a/charts/airlock/microgateway/4.3.3/crds/limits.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.3.3/crds/limits.microgateway.airlock.com.yaml deleted file mode 100644 index 727b02496..000000000 --- a/charts/airlock/microgateway/4.3.3/crds/limits.microgateway.airlock.com.yaml +++ /dev/null @@ -1,651 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - app.kubernetes.io/name: airlock-microgateway-operator - app.kubernetes.io/version: 4.3.3 - name: limits.microgateway.airlock.com -spec: - group: microgateway.airlock.com - names: - categories: - - airlock-microgateway - kind: Limits - listKind: LimitsList - plural: limits - singular: limits - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: Limits contains the configuration for limits. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Specification of the desired limits behavior. - properties: - request: - description: Request defines the limits for requests. - properties: - limited: - description: Limited enables limits on request scope. - properties: - exceptions: - description: Exceptions defines limit exceptions. - items: - description: LimitsException defines an exception for limits. - properties: - length: - description: Length defines an exception for length limits based on the data element exceeding the limit. - properties: - graphQL: - description: GraphQL defines a field, argument or value length limit exception for a GraphQL query. - properties: - argument: - description: |- - Argument restricts the exception to GraphQL queries with a matching argument of a field. - At least one of field, argument and value must be set. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - field: - description: |- - Field restricts the exception to GraphQL queries with a matching field. - At least one of field, argument and value must be set. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - value: - description: |- - Value restricts the exception to GraphQL queries with a matching argument value. - At least one of field, argument and value must be set. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - type: object - json: - description: JSON defines a key and value length limit exception for a JSON property. - properties: - jsonPath: - description: |- - JSONPath restricts the exception to JSON properties with a matching JSONPath. - Expressions in JSONPath i.e. `?(expr)` are not supported. - minLength: 1 - type: string - required: - - jsonPath - type: object - parameter: - description: Parameter defines a name and value length limit exception for a parameter. - properties: - name: - description: Name restricts the exception to parameters with a matching name. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - source: - default: Any - description: Source restricts the exception to parameters of this kind. - enum: - - Query - - Post - - Any - type: string - required: - - name - type: object - type: object - requestConditions: - description: RequestConditions defines additional request properties which must be matched in order for this exception to apply. - properties: - header: - description: Header defines the matching headers of a request. - properties: - name: - description: Name defines the name of a header. - properties: - matcher: - description: Matcher defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - value: - description: Value defines the value of a header. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - type: object - invert: - default: false - description: Invert indicates whether the request condition should be inverted. - type: boolean - mediaType: - description: MediaType defines the matching media type from the content-type header of a request. - properties: - matcher: - description: |- - NonInvertableCaseInsensitiveStringMatcher defines the way to match a string. - In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - method: - description: Method defines the matching methods of a request. - items: - description: Method defines common HTTP methods. - enum: - - GET - - HEAD - - POST - - PUT - - PATCH - - DELETE - - CONNECT - - OPTIONS - - TRACE - type: string - type: array - path: - description: Path defines the matching path of a request. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - remoteIP: - description: RemoteIP defines the matching remote IPs of a request. - properties: - cidrRanges: - description: CIDRRanges defines the IPv4 or IPv6 CIDR ranges, e.g. ``196.148.3.128/26`` or ``2001:db8::/28``. - items: - description: CIDRRange defines an IPv4 or IPv6 CIDR range, e.g. “196.148.3.128/26“ or “2001:db8::/28“. - format: cidr - type: string - minItems: 1 - type: array - invert: - default: false - description: Invert indicates whether the match should be inverted. - type: boolean - required: - - cidrRanges - type: object - type: object - type: object - type: array - general: - description: General defines general request limits. - properties: - bodySize: - anyOf: - - type: integer - - type: string - default: 100Mi - description: BodySize limits the total size of the request body. It specifies the number of bytes (0 = unlimited). This limit is effective for any request not processed by one of the content parsers (e.g. json) as configured in the Parser CRD. **Note** This limit does not apply to WebSocket or gRPC traffic. - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - pathLength: - anyOf: - - type: integer - - type: string - default: 1Ki - description: PathLength defines the maximum path length for all requests (parsed and unparsed). - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - graphQL: - description: GraphQL defines the limits for GraphQL requests. - properties: - nestingDepth: - default: 10 - description: NestingDepth defines the maximum depth of nesting for GraphQL objects. - format: int64 - type: integer - querySize: - anyOf: - - type: integer - - type: string - default: 1Ki - description: QuerySize defines the maximum size for GraphQL queries. - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - valueLength: - anyOf: - - type: integer - - type: string - default: "256" - description: ValueLength defines the maximum length for GraphQL values. - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - json: - description: JSON defines the limits for JSON requests. - properties: - bodySize: - anyOf: - - type: integer - - type: string - default: 100Ki - description: BodySize limits the total size of the JSON request body. It specifies the number of bytes (0 = unlimited). - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - elementCount: - default: 10000 - description: ElementCount defines the maximum number of keys and array items in the whole JSON document (recursive). - format: int64 - type: integer - keyCount: - default: 250 - description: KeyCount defines the maximum number of keys of a single JSON object (non-recursive). - format: int64 - type: integer - keyLength: - anyOf: - - type: integer - - type: string - default: "128" - description: KeyLength defines the maximum length for JSON keys. - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - nestingDepth: - default: 100 - description: NestingDepth defines the maximum depth of nesting for JSON objects and JSON arrays. - format: int64 - type: integer - valueLength: - anyOf: - - type: integer - - type: string - default: 8Ki - description: ValueLength defines the maximum length for JSON values. - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - multipart: - description: Multipart defines the limits for Multipart requests. - properties: - bodySize: - anyOf: - - type: integer - - type: string - default: 100Mi - description: BodySize limits the total size of the Multipart request body. It specifies the number of bytes (0 = unlimited). - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - parameter: - description: Parameter defines the limits for request parameters. - properties: - bodySize: - anyOf: - - type: integer - - type: string - default: 100Ki - description: BodySize limits the total size of the form data body. It specifies the number of bytes (0 = unlimited). - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - count: - default: 128 - description: Count defines the maximum number of request parameters. - format: int64 - type: integer - nameLength: - anyOf: - - type: integer - - type: string - default: "128" - description: NameLength defines the maximum length for parameter names. - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - valueLength: - anyOf: - - type: integer - - type: string - default: 8Ki - description: ValueLength defines the maximum length for parameter values. - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - type: object - unlimited: - description: Unlimited disables all limits on request scope. - type: object - type: object - settings: - description: Settings configures the limits filter. - properties: - threatHandlingMode: - default: Block - description: ThreatHandlingMode specifies how threats should be handled when a limit hits. - enum: - - Block - - LogOnly - type: string - type: object - type: object - type: object - served: true - storage: true diff --git a/charts/airlock/microgateway/4.3.3/crds/oidcproviders.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.3.3/crds/oidcproviders.microgateway.airlock.com.yaml deleted file mode 100644 index 74acbf4da..000000000 --- a/charts/airlock/microgateway/4.3.3/crds/oidcproviders.microgateway.airlock.com.yaml +++ /dev/null @@ -1,305 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - app.kubernetes.io/name: airlock-microgateway-operator - app.kubernetes.io/version: 4.3.3 - name: oidcproviders.microgateway.airlock.com -spec: - group: microgateway.airlock.com - names: - categories: - - airlock-microgateway - kind: OIDCProvider - listKind: OIDCProviderList - plural: oidcproviders - singular: oidcprovider - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - OIDCProvider specifies an OpenID Provider (OP). - - - {{% notice warning %}} The OIDC feature is currently in an experimental state. - - - We encourage you to try it out and give feedback, but be aware that we do not recommend using it in a production environment yet, as security has not yet been hardened. - In particular, the current implementation has the following limitations, which we intend to address in future Microgateway releases: - - The state parameter is guessable. - - Sessions are always shared across all Microgateway Engines using the same Redis instance. - I.e. if application A and B (with different SidecarGateways) have the same Redis instance configured in their SessionHandling CR, users which are logged into application A - may be able to access authenticated routes on application B, even if their OIDCRelyingParty configuration differs. - - - {{% /notice %}} - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Specification of an OpenID Provider. - properties: - static: - description: Static configures an OpenID Provider by explicitly specifying all endpoints. - properties: - endpoints: - description: Endpoints specifies the OpenID Provider endpoints. - properties: - authorization: - description: Authorization specifies the endpoint to which the authorization request is sent. - properties: - uri: - description: URI specifies the endpoint address. - format: uri - minLength: 1 - pattern: ^(http|https)://.*$ - type: string - required: - - uri - type: object - token: - description: Token configures the endpoint from which the access, ID and refresh tokens are obtained. - properties: - tls: - description: TLS defines TLS settings. - properties: - certificateVerification: - description: CertificateVerification specifies how the certificate presented by the server is verified. - properties: - custom: - description: |- - Custom explicitly specifies how the server certificate should be verified. - Typical use cases include specifying a custom CA and SAN match when working with self-signed certificates or pinning a specific public key. - properties: - allowedSANs: - description: |- - AllowedSANs is a list of matchers to verify the Subject Alternative name. If specified, it will verify that the - Subject Alternative Name of the presented certificate matches one of the specified matchers. The matching uses “any” semantics, - that is to say, the SAN is verified if at least one matcher is matched. - AllowedSANs requires trustedCA to be set. - items: - description: |- - TLSValidationContextSANMatcher is a list of matchers to verify the Subject Alternative name. If specified, it will verify that the - Subject Alternative Name of the presented certificate matches one of the specified matchers. - properties: - matcher: - description: Matcher defines the string matcher for the SAN value. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - sanType: - description: SanType defines the type of SAN matcher. - enum: - - DNS - - Email - - URI - - IPAddress - type: string - required: - - matcher - - sanType - type: object - minItems: 1 - type: array - certificatePinning: - description: |- - CertificatePinning defines constraints the presented certificate must fulfill. - If more than one constraint is configured only one must be satisfied. - At least one of allowedSPKIs and allowedHashes must be set. - properties: - allowedHashes: - description: |- - AllowedHashes is a list of hex-encoded SHA-256 hashes. - If specified, it will verify that the SHA-256 of the DER-encoded presented certificate matches one of the specified values. - items: - type: string - minItems: 1 - type: array - allowedSPKIs: - description: |- - AllowedSPKIs is a list of base64-encoded SHA-256 hashes. - If specified, it will verify that the SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate matches one of the specified values. - items: - type: string - minItems: 1 - type: array - type: object - crl: - description: CRL defines the Certificate Revocation List (CRL) settings. - properties: - lists: - description: Lists defines the list of secretRefs containing Certificate Revocation Lists. - items: - properties: - secretRef: - description: SecretRef defines the reference to a secret containing one or more CRL's (in PEM format) under the key 'ca.crl'. - properties: - name: - description: Name of the resource - minLength: 1 - type: string - required: - - name - type: object - required: - - secretRef - type: object - minItems: 1 - type: array - validationMode: - default: VerifyChain - description: ValidationMode defines whether only the leaf certificate or also the CA certs should be checked. - enum: - - VerifyLeafCertOnly - - VerifyChain - type: string - type: object - trustedCA: - description: TrustedCA defines which CA certificates are trusted. - properties: - certificates: - description: Certificates defines the list of secretRefs containing trusted CA certificates. - items: - properties: - secretRef: - description: SecretRef defines the reference to a secret containing one or more CA certificates under the key 'ca.crt'. - properties: - name: - description: Name of the resource - minLength: 1 - type: string - required: - - name - type: object - required: - - secretRef - type: object - minItems: 1 - type: array - verificationDepth: - default: 1 - description: |- - VerificationDepth specifies the hops in the certificate chain at which validation is performed. - 1 means that either the leaf or the signing CA must be in the set of trusted certificates. - format: int32 - type: integer - required: - - certificates - type: object - type: object - disabled: - description: |- - Disabled specifies to trust any certificate without verification. - THIS IS INSECURE AND SHOULD ONLY BE USED FOR TESTING. - type: object - publicCAs: - description: PublicCAs specifies to only accept certificates with a SAN matching "uri" and which are signed by a CA which is either directly or indirectly trusted by any of the root CA certificates shipped with the Airlock Microgateway Engine's base image. - type: object - type: object - ciphers: - description: Ciphers defines a list of the supported TLS cipher suites. For details on cipher list refer to the envoy documentation on cipher_suites in common tls configuration. - items: - type: string - minItems: 1 - type: array - protocol: - description: Protocol defines the supported TLS protocol versions. - properties: - maximum: - description: Maximum supported TLS version. - enum: - - TLSv1_0 - - TLSv1_1 - - TLSv1_2 - - TLSv1_3 - type: string - minimum: - description: Minimum supported TLS version. - enum: - - TLSv1_0 - - TLSv1_1 - - TLSv1_2 - - TLSv1_3 - type: string - type: object - type: object - uri: - description: URI specifies the endpoint address. - format: uri - minLength: 1 - pattern: ^(http|https)://.*$ - type: string - required: - - uri - type: object - required: - - authorization - - token - type: object - required: - - endpoints - type: object - type: object - required: - - spec - type: object - served: true - storage: true - subresources: {} diff --git a/charts/airlock/microgateway/4.3.3/crds/oidcrelyingparties.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.3.3/crds/oidcrelyingparties.microgateway.airlock.com.yaml deleted file mode 100644 index baa26ebcc..000000000 --- a/charts/airlock/microgateway/4.3.3/crds/oidcrelyingparties.microgateway.airlock.com.yaml +++ /dev/null @@ -1,224 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - app.kubernetes.io/name: airlock-microgateway-operator - app.kubernetes.io/version: 4.3.3 - name: oidcrelyingparties.microgateway.airlock.com -spec: - group: microgateway.airlock.com - names: - categories: - - airlock-microgateway - kind: OIDCRelyingParty - listKind: OIDCRelyingPartyList - plural: oidcrelyingparties - singular: oidcrelyingparty - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - OIDCRelyingParty specifies how the Airlock Microgateway Engine interacts with an OpenID Provider (OP). - - - {{% notice warning %}} The OIDC feature is currently in an experimental state. - - - We encourage you to try it out and give feedback, but be aware that we do not recommend using it in a production environment yet, as security has not yet been hardened. - In particular, the current implementation has the following limitations, which we intend to address in future Microgateway releases: - - The state parameter is guessable. - - Sessions are always shared across all Microgateway Engines using the same Redis instance. - I.e. if application A and B (with different SidecarGateways) have the same Redis instance configured in their SessionHandling CR, users which are logged into application A - may be able to access authenticated routes on application B, even if their OIDCRelyingParty configuration differs. - - - {{% /notice %}} - {{% notice info %}} The OIDC feature requires SessionHandling to be configured in the SidecarGateway. {{% /notice %}} - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Specification of the OIDC Relying Party configuration. - properties: - clientID: - description: ClientID specifies the OIDCRelyingParty "client_id". - minLength: 1 - type: string - credentials: - description: Credentials used for client authentication on the back-channel with the authorization server. - properties: - clientSecret: - description: ClientSecret authenticates with the client password issued by the OpenID Provider (OP). - properties: - method: - default: BasicAuth - description: Method specifies in which format the client secret is sent with the authorization request. - enum: - - BasicAuth - - FormURLEncoded - type: string - secretRef: - description: SecretRef specifies the kubernetes secret containing the client password with key "client.secret". - properties: - name: - description: Name of the resource - minLength: 1 - type: string - required: - - name - type: object - required: - - secretRef - type: object - required: - - clientSecret - type: object - oidcProviderRef: - description: OIDCProviderRef selects the OpenID Provider (OP) used to authenticate users. - properties: - name: - description: Name of the resource - minLength: 1 - type: string - required: - - name - type: object - pathMapping: - description: PathMapping configures the action matching. - properties: - logoutPath: - description: LogoutPath specifies which request paths should initiate a logout. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - redirectPath: - description: RedirectPath specifies which request paths should be interpreted as a response from the authorization endpoint. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - required: - - logoutPath - - redirectPath - type: object - redirectURI: - description: |- - RedirectURI configures the "redirect_uri" parameter included in the authorization request. - May contain envoy command operators, e.g. '%REQ(:x-forwarded-proto)%://%REQ(:authority)%/callback'. - minLength: 1 - type: string - required: - - clientID - - credentials - - oidcProviderRef - - pathMapping - - redirectURI - type: object - required: - - spec - type: object - served: true - storage: true - subresources: {} diff --git a/charts/airlock/microgateway/4.3.3/crds/openapis.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.3.3/crds/openapis.microgateway.airlock.com.yaml deleted file mode 100644 index 1c0928710..000000000 --- a/charts/airlock/microgateway/4.3.3/crds/openapis.microgateway.airlock.com.yaml +++ /dev/null @@ -1,167 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - app.kubernetes.io/name: airlock-microgateway-operator - app.kubernetes.io/version: 4.3.3 - name: openapis.microgateway.airlock.com -spec: - group: microgateway.airlock.com - names: - categories: - - airlock-microgateway - kind: OpenAPI - listKind: OpenAPIList - plural: openapis - singular: openapi - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: OpenAPI contains the configuration for the OpenAPI specification. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Specification of the desired OpenAPI specification. - properties: - response: - description: Response defines the validation behaviour for responses. - properties: - secured: - description: Secured enables response checking. - properties: - validation: - default: Lax - description: Validation defines the validation mode for responses. - enum: - - Lax - - Strict - type: string - type: object - unsecured: - description: Unsecured disables response checking. - type: object - type: object - settings: - description: Settings defines the settings to configure OpenAPI specification enforcement. - properties: - logging: - description: Logging specifies the access log behavior. - properties: - maxFailedSubvalidations: - default: 10 - description: MaxFailedSubvalidations defines the maximum number of failed subvalidations being logged. - format: int64 - type: integer - type: object - schema: - description: Schema configures the OpenAPI specification. - properties: - source: - description: Source specifies the OpenAPI specification to be enforced. - properties: - configMapRef: - description: ConfigMapRef references the configmap by its name containing the well-known key 'openapi.json'. - properties: - name: - description: Name of the resource - minLength: 1 - type: string - required: - - name - type: object - type: object - required: - - source - type: object - threatHandlingMode: - default: Block - description: ThreatHandlingMode specifies how threats should be handled. - enum: - - Block - - LogOnly - type: string - validation: - description: Validation specifies the patterns for the validation behavior. - properties: - authentication: - description: Authentication defines the settings for the authentication scheme. - properties: - oAuth2: - description: OAuth2 specifies the OAuth2 parameters. - properties: - allowedParameters: - description: AllowedParameters specifies the allowed parameters for the authentication scheme. - properties: - builtIn: - description: BuiltIn allows configuring a set of predefined allowed parameters. - properties: - standardParameters: - default: true - description: StandardParameters defines whether the allowed parameters should be expanded by the set of common parameters. - type: boolean - type: object - custom: - description: Custom allows configuring additional allowed parameters. - items: - minLength: 1 - type: string - minItems: 1 - type: array - type: object - type: object - oidc: - description: Oidc specifies the OIDC parameters. - properties: - allowedParameters: - description: AllowedParameters specifies the allowed parameters for the authentication scheme. - properties: - builtIn: - description: BuiltIn allows configuring a set of predefined allowed parameters. - properties: - standardParameters: - default: true - description: StandardParameters defines whether the allowed parameters should be expanded by the set of common parameters. - type: boolean - type: object - custom: - description: Custom allows configuring additional allowed parameters. - items: - minLength: 1 - type: string - minItems: 1 - type: array - type: object - type: object - type: object - type: object - required: - - schema - type: object - required: - - settings - type: object - required: - - spec - type: object - served: true - storage: true diff --git a/charts/airlock/microgateway/4.3.3/crds/redisproviders.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.3.3/crds/redisproviders.microgateway.airlock.com.yaml deleted file mode 100644 index 8c662a2d0..000000000 --- a/charts/airlock/microgateway/4.3.3/crds/redisproviders.microgateway.airlock.com.yaml +++ /dev/null @@ -1,159 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - app.kubernetes.io/name: airlock-microgateway-operator - app.kubernetes.io/version: 4.3.3 - name: redisproviders.microgateway.airlock.com -spec: - group: microgateway.airlock.com - names: - categories: - - airlock-microgateway - kind: RedisProvider - listKind: RedisProviderList - plural: redisproviders - singular: redisprovider - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: RedisProvider contains a client configuration for connecting to a Redis database. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Specification of a Redis database client configuration. - properties: - auth: - description: Auth specifies the Redis credentials. - properties: - password: - description: Password specifies the Redis password. - properties: - secretRef: - description: SecretRef selects the secret containing the Redis password under the key 'redis.password'. - properties: - name: - description: Name of the resource - minLength: 1 - type: string - required: - - name - type: object - required: - - secretRef - type: object - username: - default: default - description: Username specifies the Redis username to authenticate with. - minLength: 1 - pattern: ^[^\s]+$ - type: string - required: - - password - type: object - mode: - description: Mode configures the redis deployment mode. - properties: - standalone: - description: Standalone specifies the standalone Redis instance to connect to. - properties: - host: - description: Host specifies the IP or hostname. - minLength: 1 - pattern: ^(\d{1,3}(\.\d{1,3}){3}|([0-9a-fA-F]{1,4}|:)+(:\d{1,3}(\.\d{1,3}){3})?|[a-z0-9\-]+(\.[a-z0-9\-]+)*)$ - type: string - port: - default: 6379 - description: Port specifies the port. - maximum: 65535 - minimum: 1 - type: integer - required: - - host - type: object - type: object - timeouts: - description: Timeouts specifies the timeouts when interacting with the Redis endpoint. - properties: - connect: - default: 5s - description: Connect specifies the timeout for establishing a connection. - type: string - maxDuration: - default: 2s - description: MaxDuration specifies the response timeout. - type: string - type: object - tls: - description: TLS defines TLS settings. If not specified, TLS is disabled i.e. unencrypted TCP is used when connecting to the Redis instance. - properties: - certificateVerification: - description: CertificateVerification specifies how the certificate presented by the server is verified. - properties: - custom: - description: Custom explicitly specifies how the server certificate should be verified. - properties: - trustedCA: - description: TrustedCA defines which CA certificates are trusted. - properties: - certificates: - description: Certificates defines the list of secretRefs containing trusted CA certificates. - items: - properties: - secretRef: - description: SecretRef defines the reference to a secret containing one or more CA certificates under the key 'ca.crt'. - properties: - name: - description: Name of the resource - minLength: 1 - type: string - required: - - name - type: object - required: - - secretRef - type: object - minItems: 1 - type: array - required: - - certificates - type: object - required: - - trustedCA - type: object - disabled: - description: 'Disabled specifies to trust any certificate without verification. THIS IS INSECURE AND SHOULD ONLY BE USED FOR TESTING. Note: This setting currently also disables TLS SNI.' - type: object - publicCAs: - description: PublicCAs specifies to only accept certificates with a SAN matching the host and which are signed by a CA which is either directly or indirectly trusted by any of the root CA certificates shipped with the Airlock Microgateway Session Agent’s base image. - type: object - type: object - type: object - required: - - mode - type: object - required: - - spec - type: object - served: true - storage: true diff --git a/charts/airlock/microgateway/4.3.3/crds/sessionhandlings.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.3.3/crds/sessionhandlings.microgateway.airlock.com.yaml deleted file mode 100644 index 72747df77..000000000 --- a/charts/airlock/microgateway/4.3.3/crds/sessionhandlings.microgateway.airlock.com.yaml +++ /dev/null @@ -1,77 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - app.kubernetes.io/name: airlock-microgateway-operator - app.kubernetes.io/version: 4.3.3 - name: sessionhandlings.microgateway.airlock.com -spec: - group: microgateway.airlock.com - names: - categories: - - airlock-microgateway - kind: SessionHandling - listKind: SessionHandlingList - plural: sessionhandlings - singular: sessionhandling - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - SessionHandling contains the configuration for session handling. - - - {{% notice warning %}} The Session Handling feature (required for OIDC) is currently in an experimental state. - - - We encourage you to try it out and give feedback, but be aware that we do not recommend using it in a production environment yet, as high-availability Redis configurations (e.g. Sentinel/Cluster) are not yet supported. - {{% /notice %}} - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Specification of the desired session handling behavior. - properties: - persistence: - description: Persistence configures where to store the session state. - properties: - redisProviderRef: - description: RedisProviderRef specifies to cache session information in the provided Redis instance. - properties: - name: - description: Name of the resource - minLength: 1 - type: string - required: - - name - type: object - required: - - redisProviderRef - type: object - required: - - persistence - type: object - required: - - spec - type: object - served: true - storage: true diff --git a/charts/airlock/microgateway/4.3.3/crds/sidecargateways.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.3.3/crds/sidecargateways.microgateway.airlock.com.yaml deleted file mode 100644 index 6e1c04a48..000000000 --- a/charts/airlock/microgateway/4.3.3/crds/sidecargateways.microgateway.airlock.com.yaml +++ /dev/null @@ -1,758 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - app.kubernetes.io/name: airlock-microgateway-operator - app.kubernetes.io/version: 4.3.3 - name: sidecargateways.microgateway.airlock.com -spec: - group: microgateway.airlock.com - names: - categories: - - airlock-microgateway - kind: SidecarGateway - listKind: SidecarGatewayList - plural: sidecargateways - singular: sidecargateway - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .status.status - name: Status - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - description: SidecarGateway contains the configuration how to configure the Airlock Microgateway Engine when used as Sidecar Container within the Pod of an application. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Specification of the desired sidecar gateway behavior. - properties: - applications: - description: Applications defines applications which run on different ports. - items: - properties: - containerPort: - default: 8080 - description: |- - ContainerPort refers to the container port. - This must be a valid port number, 0 < x < 65536. - format: int32 - maximum: 65535 - minimum: 1 - type: integer - downstream: - description: Downstream defines the downstream configuration for this application - properties: - protocol: - description: |- - Protocol defines the exposed HTTP protocol version. At most one of http1, http2 and auto can be set. - Default: auto: {} - properties: - auto: - description: Auto specifies that the protocol should be inferred. - properties: - http2: - description: HTTP2 specifies the settings for when HTTP/2 is inferred. - properties: - allowConnect: - default: false - description: Allows proxying Websocket and other upgrades over H2 connect. - type: boolean - type: object - type: object - http1: - description: HTTP1 specifies that the client is assumed to speak HTTP/1.1. - type: object - http2: - description: HTTP2 specifies that the client is assumed to speak HTTP/2. - properties: - allowConnect: - default: false - description: Allows proxying Websocket and other upgrades over H2 connect. - type: boolean - type: object - type: object - remoteIP: - description: |- - RemoteIP defines how the remote IP of a client is propagated. - Default: xff: {...} - properties: - connectionIP: - description: ConnectionIP configures to use the source IP address of the direct downstream connection. - type: object - customHeader: - description: CustomHeader specifies to use a custom header for remote IP extraction. - properties: - headerName: - description: HeaderName specifies the name of the custom header containing the remote IP. - minLength: 1 - type: string - required: - default: true - description: Required specifies if the custom header is required. If true and not available the request will be rejected with 403. - type: boolean - required: - - headerName - type: object - xff: - description: XFF configures to use the standard 'X-Forwarded-For' header for IP extraction. - properties: - numTrustedHops: - default: 1 - description: NumTrustedHops specifies to extract the client's originating IP from the nth rightmost entry in the X-Forwarded-For header. With the default value of 1, the IP is extracted from the rightmost entry. - format: int32 - minimum: 1 - type: integer - type: object - type: object - requestNormalizations: - description: RequestNormalizations defines a set of normalization actions which are applied to the request before route matching. - properties: - mergeSlashes: - default: true - description: MergeSlashes ensures that adjacent slashes in the path are merged into one. - type: boolean - normalizePath: - default: true - description: NormalizePath ensures normalization according to RFC 3986 without case normalization. - type: boolean - type: object - restrictions: - description: Restrictions defines restrictions for downstream. - properties: - http: - description: HTTP defines limits for the HTTP protocol. - properties: - headersLength: - anyOf: - - type: integer - - type: string - default: 60Ki - description: HeadersLength defines maximum size of all request headers combined. Requests that exceed this limit will receive a 431 response. - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - type: object - timeouts: - description: Timeouts defines timeouts for downstream - properties: - http: - description: HTTP defines the settings for HTTP timeouts. - properties: - idle: - default: 5m - description: |- - Idle defines the settings for the idle timeout when no data is sent or received. - A value of 0 will completely disable the timeout. - Default: 5m - type: string - maxDuration: - default: 5m - description: |- - MaxDuration defines the total duration for a HTTP request/response stream. - A value of 0 will completely disable the timeout. - Default: 5m - type: string - requestHeaders: - default: 10s - description: |- - RequestHeaders defines the duration before all request headers must be received. - A value of 0 will completely disable the timeout. - Default: 10s - type: string - type: object - type: object - tls: - description: TLS defines the TLS settings. - properties: - ciphers: - description: Ciphers defines a list of the supported TLS cipher suites. For details on cipher list refer to the envoy documentation on cipher_suites in common tls configuration. - items: - type: string - minItems: 1 - type: array - clientCertificate: - description: |- - ClientCertificate defines the TLS settings for verification of client certificates. - At most one of ignored, optional and required can be set. - Default: ignored: {} - properties: - ignored: - description: Ignored disables verification of the client certificate. - type: object - optional: - description: |- - Optional enables verification of the client certificate if one is presented. - In this mode only trustedCA and crl settings can be configured since certificatePinning and allowedSANs require a client certificate. - properties: - crl: - description: CRL defines the Certificate Revocation List (CRL) settings. - properties: - lists: - description: Lists defines the list of secretRefs containing Certificate Revocation Lists. - items: - properties: - secretRef: - description: SecretRef defines the reference to a secret containing one or more CRL's (in PEM format) under the key 'ca.crl'. - properties: - name: - description: Name of the resource - minLength: 1 - type: string - required: - - name - type: object - required: - - secretRef - type: object - minItems: 1 - type: array - validationMode: - default: VerifyChain - description: ValidationMode defines whether only the leaf certificate or also the CA certs should be checked. - enum: - - VerifyLeafCertOnly - - VerifyChain - type: string - type: object - trustedCA: - description: TrustedCA defines which CA certificates are trusted. - properties: - certificates: - description: Certificates defines the list of secretRefs containing trusted CA certificates. - items: - properties: - secretRef: - description: SecretRef defines the reference to a secret containing one or more CA certificates under the key 'ca.crt'. - properties: - name: - description: Name of the resource - minLength: 1 - type: string - required: - - name - type: object - required: - - secretRef - type: object - minItems: 1 - type: array - verificationDepth: - default: 1 - description: |- - VerificationDepth specifies the hops in the certificate chain at which validation is performed. - 1 means that either the leaf or the signing CA must be in the set of trusted certificates. - format: int32 - type: integer - required: - - certificates - type: object - required: - - trustedCA - type: object - required: - description: |- - Required contains settings for client certificate verification. A client must present a valid certificate. - At least one of trustedCA and certificatePinning must be set. - properties: - allowedSANs: - description: |- - AllowedSANs is a list of matchers to verify the Subject Alternative name. If specified, it will verify that the - Subject Alternative Name of the presented certificate matches one of the specified matchers. The matching uses “any” semantics, - that is to say, the SAN is verified if at least one matcher is matched. - AllowedSANs requires trustedCA to be set. - items: - description: |- - TLSValidationContextSANMatcher is a list of matchers to verify the Subject Alternative name. If specified, it will verify that the - Subject Alternative Name of the presented certificate matches one of the specified matchers. - properties: - matcher: - description: Matcher defines the string matcher for the SAN value. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - sanType: - description: SanType defines the type of SAN matcher. - enum: - - DNS - - Email - - URI - - IPAddress - type: string - required: - - matcher - - sanType - type: object - minItems: 1 - type: array - certificatePinning: - description: |- - CertificatePinning defines the constraints a client certificate must fulfill. - If more than one constraint is configured only one must be satisfied. - At least one of allowedSPKIs and allowedHashes must be set. - properties: - allowedHashes: - description: |- - AllowedHashes is a list of hex-encoded SHA-256 hashes. - If specified, it will verify that the SHA-256 of the DER-encoded presented certificate matches one of the specified values. - items: - type: string - minItems: 1 - type: array - allowedSPKIs: - description: |- - AllowedSPKIs is a list of base64-encoded SHA-256 hashes. - If specified, it will verify that the SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate matches one of the specified values. - items: - type: string - minItems: 1 - type: array - type: object - crl: - description: CRL defines the Certificate Revocation List (CRL) settings. - properties: - lists: - description: Lists defines the list of secretRefs containing Certificate Revocation Lists. - items: - properties: - secretRef: - description: SecretRef defines the reference to a secret containing one or more CRL's (in PEM format) under the key 'ca.crl'. - properties: - name: - description: Name of the resource - minLength: 1 - type: string - required: - - name - type: object - required: - - secretRef - type: object - minItems: 1 - type: array - validationMode: - default: VerifyChain - description: ValidationMode defines whether only the leaf certificate or also the CA certs should be checked. - enum: - - VerifyLeafCertOnly - - VerifyChain - type: string - type: object - trustedCA: - description: TrustedCA defines which CA certificates are trusted. - properties: - certificates: - description: Certificates defines the list of secretRefs containing trusted CA certificates. - items: - properties: - secretRef: - description: SecretRef defines the reference to a secret containing one or more CA certificates under the key 'ca.crt'. - properties: - name: - description: Name of the resource - minLength: 1 - type: string - required: - - name - type: object - required: - - secretRef - type: object - minItems: 1 - type: array - verificationDepth: - default: 1 - description: |- - VerificationDepth specifies the hops in the certificate chain at which validation is performed. - 1 means that either the leaf or the signing CA must be in the set of trusted certificates. - format: int32 - type: integer - required: - - certificates - type: object - type: object - type: object - enable: - default: false - description: Enable defines if the downstream connection is encrypted. - type: boolean - protocol: - description: Protocol defines the supported TLS protocol versions. - properties: - maximum: - description: Maximum supported TLS version. - enum: - - TLSv1_0 - - TLSv1_1 - - TLSv1_2 - - TLSv1_3 - type: string - minimum: - description: Minimum supported TLS version. - enum: - - TLSv1_0 - - TLSv1_1 - - TLSv1_2 - - TLSv1_3 - type: string - type: object - secretRef: - description: SecretRef defines the reference to the TLS server certificate (secret of type kubernetes.io/tls). - properties: - name: - description: Name of the resource - minLength: 1 - type: string - required: - - name - type: object - xfcc: - description: |- - XFCC defines the handling of X-Forwarded-Client-Cert header. Meaning of the possible values: - _Sanitize_: Do not send the XFCC header to the next hop. This is the default value. - _ForwardOnly_: When the client connection is mTLS (Mutual TLS), forward the XFCC header in the request. - _AppendAndForward_: When the client connection is mTLS, append the client certificate information to the request’s XFCC header and forward it. - _SanitizeAndSet_: When the client connection is mTLS, reset the XFCC header with the client certificate information and send it to the next hop. - _AlwaysForwardOnly_: Always forward the XFCC header in the request, regardless of whether the client connection is mTLS. - Note: When forwarding the XFCC header in the request you might have to adjust the header length restrictions (See sidecargateway.spec.applications.downstream.restrictions.http) - enum: - - Sanitize - - ForwardOnly - - AppendAndForward - - SanitizeAndSet - - AlwaysForwardOnly - type: string - type: object - type: object - envoyHTTPFilterRefs: - description: EnvoyHTTPFilterRefs selects the relevant EnvoyHTTPFilters. - properties: - prepend: - description: Prepend selects the relevant EnvoyHTTPFilters which are added before those configured by the Airlock Microgateway. - items: - properties: - name: - description: Name of the resource - minLength: 1 - type: string - required: - - name - type: object - type: array - type: object - routes: - description: Routes defines the security configurations for different paths. The first matching route (from top to bottom) applies. - items: - description: |- - SidecarGatewayApplicationRoute defines the security configurations for different paths. - At most one of secured and unsecured can be set. - Default: secured: {...} - properties: - pathPrefix: - default: / - description: PathPrefix defines the path prefix used during route selection. - minLength: 1 - type: string - secured: - description: Secured enables WAF processing for this route. - properties: - accessControlRef: - description: |- - AccessControlRef selects the relevant AccessControl configuration resource. - If undefined, Airlock Microgateway does not perform any access control. - properties: - name: - description: Name of the resource - minLength: 1 - type: string - required: - - name - type: object - contentSecurityRef: - description: |- - ContentSecurityRef selects the relevant ContentSecurity configuration resource. - If undefined, default settings are applied, designed to work with most upstream web application services. - properties: - name: - description: Name of the resource - minLength: 1 - type: string - required: - - name - type: object - type: object - unsecured: - description: |- - Unsecured disables all WAF functionality and therefore protection for this route. - WARNING: Using this setting when the application is exposed to untrusted downstream traffic is highly discouraged. - type: object - type: object - type: array - x-kubernetes-list-map-keys: - - pathPrefix - x-kubernetes-list-type: map - telemetryRef: - description: |- - TelemetryRef selects the relevant Telemetry configuration resource. - If undefined, default settings are applied, designed to work with most upstream web application services. - properties: - name: - description: Name of the resource - minLength: 1 - type: string - required: - - name - type: object - upstream: - description: Upstream defines the upstream configuration for this application - properties: - protocol: - description: |- - Protocol defines HTTP protocol version used to communicate with the upstream. At most one of http1, http2 and auto can be set. - Default: auto: {} - properties: - auto: - description: Auto specifies to negotiate the protocol with TLS ALPN (if TLS is enabled) or, as a fallback, use the same protocol that is used by the downstream connection. - properties: - http2: - description: HTTP2 specifies the settings for when HTTP/2 is inferred. - properties: - allowConnect: - default: false - description: Allows proxying Websocket and other upgrades over H2 connect. - type: boolean - type: object - type: object - http1: - description: HTTP1 specifies to use HTTP/1.1. - type: object - http2: - description: HTTP2 specifies to use HTTP/2. - properties: - allowConnect: - default: false - description: Allows proxying Websocket and other upgrades over H2 connect. - type: boolean - type: object - type: object - timeouts: - description: Timeouts defines the timeout settings. - properties: - http: - description: HTTP defines the settings for HTTP timeouts. - properties: - idle: - description: |- - Timeout defines the settings for http timeouts. If this setting is not specified, the value of applications[].downstream.timeouts.http.idle is inherited. - A value of 0 will completely disable the timeout. - type: string - maxDuration: - default: 15s - description: |- - MaxDuration defines the total duration for a HTTP request/response stream. - Default: 15s - type: string - type: object - type: object - tls: - description: TLS defines the TLS settings. - properties: - ciphers: - description: Ciphers defines a list of the supported TLS cipher suites. For details on cipher list refer to the envoy documentation on cipher_suites in common tls configuration. - items: - type: string - minItems: 1 - type: array - enable: - default: false - description: Enable defines if the upstream connection is encrypted. - type: boolean - protocol: - description: Protocol defines the supported TLS protocol versions. - properties: - maximum: - description: Maximum supported TLS version. - enum: - - TLSv1_0 - - TLSv1_1 - - TLSv1_2 - - TLSv1_3 - type: string - minimum: - description: Minimum supported TLS version. - enum: - - TLSv1_0 - - TLSv1_1 - - TLSv1_2 - - TLSv1_3 - type: string - type: object - type: object - type: object - type: object - minItems: 1 - type: array - x-kubernetes-list-map-keys: - - containerPort - x-kubernetes-list-type: map - envoyClusterRefs: - description: EnvoyClusterRefs selects the relevant EnvoyClusters. - items: - properties: - name: - description: Name of the resource - minLength: 1 - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - podSelector: - description: PodSelector defines to which Pods the configuration will be applied to. - properties: - matchLabels: - additionalProperties: - type: string - description: MatchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels. - type: object - type: object - sessionHandlingRef: - description: SessionHandlingRef selects the SessionHandling configuration to apply. - properties: - name: - description: Name of the resource - minLength: 1 - type: string - required: - - name - type: object - required: - - applications - type: object - status: - description: Most recently observed status of the SidecarGateway which is populated by the system. This data is read-only and may not be up to date. - properties: - conditions: - items: - properties: - lastTransitionTime: - description: Last time the condition transitioned from one status to another. - format: date-time - type: string - message: - description: A human-readable message indicating details about the transition. - type: string - reason: - description: The reason for the condition's last transition. - type: string - status: - description: Status of the condition, one of True, False, Unknown. - type: string - type: - description: Type of SidecarGateway condition. - type: string - required: - - status - - type - type: object - type: array - pods: - items: - properties: - envoyConfig: - description: EnvoyConfig indicates the name of the EnvoyConfig CR for the Pod. - type: string - name: - description: Name indicates the name of a Pod selected by the SidecarGateway. - type: string - sessionAgentSecret: - type: string - required: - - name - type: object - type: array - status: - type: string - unmanagedPods: - items: - properties: - managedBy: - description: ManagedBy indicates the Airlock Microgateway Operator instance which manages this Pod. - type: string - name: - description: Name indicates the name of a Pod selected by the SidecarGateway. - type: string - sessionAgentSecret: - type: string - required: - - name - type: object - type: array - required: - - status - type: object - type: object - served: true - storage: true - subresources: - status: {} diff --git a/charts/airlock/microgateway/4.3.3/crds/telemetries.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.3.3/crds/telemetries.microgateway.airlock.com.yaml deleted file mode 100644 index 3262cb1f0..000000000 --- a/charts/airlock/microgateway/4.3.3/crds/telemetries.microgateway.airlock.com.yaml +++ /dev/null @@ -1,96 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - app.kubernetes.io/name: airlock-microgateway-operator - app.kubernetes.io/version: 4.3.3 - name: telemetries.microgateway.airlock.com -spec: - group: microgateway.airlock.com - names: - categories: - - airlock-microgateway - kind: Telemetry - listKind: TelemetryList - plural: telemetries - singular: telemetry - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: Telemetry contains the configuration for telemetry (logging, metrics & tracing). - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Specification of the desired telemetry behavior. - properties: - correlation: - description: Correlation defines the correlation aspects of Telemetry. - properties: - idSource: - description: IDSource specifies how an external correlation ID should be obtained for a request. If not specified, no correlation ID will be logged. - properties: - header: - description: Header specifies to extract the correlation ID from a request header. If the header is absent from a request, no correlation ID will be logged. - properties: - name: - default: X-Correlation-Id - description: Name of the header (case-insensitive) from which to extract the correlation ID. - minLength: 1 - type: string - type: object - required: - - header - type: object - request: - description: Request defines the request related correlation settings of Telemetry. - properties: - allowDownstreamRequestID: - default: true - description: AllowDownstreamRequestID defines whether trace sampling will consider a provided x-request-id. - type: boolean - alterRequestID: - default: true - description: AlterRequestID defines whether to alter the UUID to reflect the trace sampling decision. If disabled no modification to the UUID will be performed, this may break tracing in the upstream. - type: boolean - type: object - type: object - logging: - description: Logging defines the logging aspects of Telemetry. - properties: - accessLog: - description: AccessLog defines the access log settings of Telemetry. - properties: - format: - description: Format defines the Access Log format of the sidecar. - properties: - json: - description: JSON defines the Access Log format as JSON. - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: object - type: object - type: object - served: true - storage: true diff --git a/charts/airlock/microgateway/4.3.3/dashboards/blockMetrics.json b/charts/airlock/microgateway/4.3.3/dashboards/blockMetrics.json deleted file mode 100644 index ba383d22e..000000000 --- a/charts/airlock/microgateway/4.3.3/dashboards/blockMetrics.json +++ /dev/null @@ -1,758 +0,0 @@ -{ - "__inputs": [ - { - "name": "DS_PROMETHEUS", - "label": "Prometheus", - "description": "", - "type": "datasource", - "pluginId": "prometheus", - "pluginName": "Prometheus" - } - ], - "__elements": {}, - "__requires": [ - { - "type": "panel", - "id": "barchart", - "name": "Bar chart", - "version": "" - }, - { - "type": "grafana", - "id": "grafana", - "name": "Grafana", - "version": "10.2.0" - }, - { - "type": "datasource", - "id": "prometheus", - "name": "Prometheus", - "version": "1.0.0" - }, - { - "type": "panel", - "id": "stat", - "name": "Stat", - "version": "" - }, - { - "type": "panel", - "id": "timeseries", - "name": "Time series", - "version": "" - } - ], - "annotations": { - "list": [ - { - "builtIn": 1, - "datasource": { - "type": "grafana", - "uid": "-- Grafana --" - }, - "enable": true, - "hide": true, - "iconColor": "rgba(0, 211, 255, 1)", - "name": "Annotations & Alerts", - "type": "dashboard" - } - ] - }, - "description": "Metrics on requests blocked by Airlock Microgateway.\n\nDashboard can be filtered by namespaces as well as block types.", - "editable": true, - "fiscalYearStartMonth": 0, - "graphTooltip": 0, - "id": null, - "links": [ - { - "asDropdown": true, - "icon": "external link", - "includeVars": true, - "keepTime": true, - "tags": [ - "airlock-microgateway" - ], - "targetBlank": true, - "title": "Airlock Microgateway", - "tooltip": "", - "type": "dashboards", - "url": "" - } - ], - "panels": [ - { - "gridPos": { - "h": 1, - "w": 24, - "x": 0, - "y": 0 - }, - "id": 6, - "title": "Airlock Microgateway Block Metrics", - "type": "row" - }, - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "description": "Total number of requests processed by Airlock Microgateway.", - "fieldConfig": { - "defaults": { - "color": { - "fixedColor": "text", - "mode": "fixed" - }, - "mappings": [], - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - }, - "unit": "short" - }, - "overrides": [] - }, - "gridPos": { - "h": 4, - "w": 4, - "x": 0, - "y": 1 - }, - "id": 1, - "options": { - "colorMode": "value", - "graphMode": "none", - "justifyMode": "auto", - "orientation": "auto", - "reduceOptions": { - "calcs": [ - "lastNotNull" - ], - "fields": "", - "values": false - }, - "showPercentChange": false, - "textMode": "auto", - "wideLayout": true - }, - "pluginVersion": "11.0.0", - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "disableTextWrap": false, - "editorMode": "code", - "exemplar": false, - "expr": "round(sum(increase(microgateway_license_http_rq_total{namespace=~\"${namespace:regex}\", job=~\"${operator_namespace.regex}/.*-engine\"}[$__range])))", - "format": "time_series", - "fullMetaSearch": false, - "hide": false, - "includeNullMetadata": true, - "instant": true, - "legendFormat": "Processed Requests", - "range": false, - "refId": "A", - "useBackend": false - } - ], - "title": "Requests", - "type": "stat" - }, - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "description": "Ratio of blocked requests vs. processed requests by Airlock Microgateway.", - "fieldConfig": { - "defaults": { - "color": { - "fixedColor": "text", - "mode": "fixed" - }, - "mappings": [ - { - "options": { - "match": "nan", - "result": { - "index": 0, - "text": "n/a" - } - }, - "type": "special" - } - ], - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - }, - "unit": "percentunit" - }, - "overrides": [] - }, - "gridPos": { - "h": 4, - "w": 4, - "x": 4, - "y": 1 - }, - "id": 2, - "options": { - "colorMode": "value", - "graphMode": "area", - "justifyMode": "auto", - "orientation": "auto", - "reduceOptions": { - "calcs": [ - "last" - ], - "fields": "", - "values": false - }, - "showPercentChange": false, - "textMode": "auto", - "wideLayout": true - }, - "pluginVersion": "11.0.0", - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "disableTextWrap": false, - "editorMode": "code", - "exemplar": false, - "expr": "sum(increase(microgateway_http_downstream_rq_threats_blocked_total{block_type=~\"${blockType:regex}\", namespace=~\"${namespace:regex}\", job=~\"${operator_namespace.regex}/.*-engine\"}[$__range])) / sum(increase(microgateway_license_http_rq_total{namespace=~\"${namespace:regex}\", job=~\"${operator_namespace.regex}/.*-engine\"}[$__range]))", - "fullMetaSearch": false, - "includeNullMetadata": true, - "instant": true, - "legendFormat": "Blocked Requests (%)", - "range": false, - "refId": "A", - "useBackend": false - } - ], - "title": "% Blocked Requests", - "type": "stat" - }, - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "description": "Requests per second processed by Airlock Microgateway along with the corresponding block rate.", - "fieldConfig": { - "defaults": { - "color": { - "fixedColor": "blue", - "mode": "fixed" - }, - "custom": { - "axisBorderShow": false, - "axisCenteredZero": false, - "axisColorMode": "text", - "axisLabel": "", - "axisPlacement": "left", - "barAlignment": 0, - "drawStyle": "line", - "fillOpacity": 0, - "gradientMode": "none", - "hideFrom": { - "legend": false, - "tooltip": false, - "viz": false - }, - "insertNulls": false, - "lineInterpolation": "linear", - "lineWidth": 1, - "pointSize": 5, - "scaleDistribution": { - "type": "linear" - }, - "showPoints": "auto", - "spanNulls": false, - "stacking": { - "group": "A", - "mode": "none" - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "mappings": [], - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "blue", - "value": null - } - ] - } - }, - "overrides": [ - { - "matcher": { - "id": "byName", - "options": "% Blocks" - }, - "properties": [ - { - "id": "custom.axisPlacement", - "value": "right" - }, - { - "id": "unit", - "value": "percentunit" - }, - { - "id": "color", - "value": { - "fixedColor": "orange", - "mode": "fixed" - } - }, - { - "id": "max", - "value": 1 - } - ] - }, - { - "matcher": { - "id": "byName", - "options": "Requests per second" - }, - "properties": [ - { - "id": "unit", - "value": "short" - }, - { - "id": "custom.fillOpacity", - "value": 25 - } - ] - } - ] - }, - "gridPos": { - "h": 10, - "w": 20, - "x": 0, - "y": 5 - }, - "id": 3, - "options": { - "legend": { - "calcs": [], - "displayMode": "list", - "placement": "bottom", - "showLegend": true - }, - "timezone": [ - "" - ], - "tooltip": { - "maxHeight": 600, - "mode": "single", - "sort": "none" - } - }, - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "editorMode": "code", - "exemplar": false, - "expr": "sum(rate(microgateway_license_http_rq_total{namespace=~\"${namespace:regex}\", job=~\"${operator_namespace.regex}/.*-engine\"}[1m]))", - "instant": false, - "legendFormat": "Requests per second", - "range": true, - "refId": "Requests per Second" - }, - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "editorMode": "code", - "expr": "sum(rate(microgateway_http_downstream_rq_threats_blocked_total{block_type=~\"${blockType:regex}\", namespace=~\"${namespace:regex}\", job=~\"${operator_namespace.regex}/.*-engine\"}[1m])) / sum(rate(microgateway_license_http_rq_total{namespace=~\"${namespace:regex}\", job=~\"${operator_namespace.regex}/.*-engine\"}[1m]))", - "hide": false, - "instant": false, - "legendFormat": "% Blocks", - "range": true, - "refId": "Blocks" - } - ], - "title": "Requests vs. % Blocks", - "type": "timeseries" - }, - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "description": "Blocked requests by block type.", - "fieldConfig": { - "defaults": { - "color": { - "fixedColor": "super-light-orange", - "mode": "fixed" - }, - "custom": { - "axisBorderShow": false, - "axisCenteredZero": false, - "axisColorMode": "text", - "axisGridShow": true, - "axisLabel": "", - "axisPlacement": "auto", - "fillOpacity": 80, - "gradientMode": "none", - "hideFrom": { - "legend": false, - "tooltip": false, - "viz": false - }, - "lineWidth": 0, - "scaleDistribution": { - "type": "linear" - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "fieldMinMax": false, - "mappings": [], - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - }, - "unit": "none" - }, - "overrides": [] - }, - "gridPos": { - "h": 11, - "w": 10, - "x": 0, - "y": 15 - }, - "id": 4, - "options": { - "barRadius": 0, - "barWidth": 0.8, - "fullHighlight": false, - "groupWidth": 0.7, - "legend": { - "calcs": [], - "displayMode": "list", - "placement": "bottom", - "showLegend": false - }, - "orientation": "horizontal", - "showValue": "never", - "stacking": "none", - "tooltip": { - "maxHeight": 600, - "mode": "single", - "sort": "asc" - }, - "xField": "block_type", - "xTickLabelRotation": 0, - "xTickLabelSpacing": 0 - }, - "pluginVersion": "10.4.3", - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "editorMode": "code", - "exemplar": false, - "expr": "round(sum by (block_type) (increase(microgateway_http_downstream_rq_threats_blocked_total{block_type=~\"${blockType:regex}\", namespace=~\"${namespace:regex}\", job=~\"${operator_namespace.regex}/.*-engine\"}[$__range])))", - "format": "time_series", - "instant": true, - "legendFormat": "__auto", - "range": false, - "refId": "A" - } - ], - "title": "Block Type", - "transformations": [ - { - "id": "reduce", - "options": { - "includeTimeField": false, - "labelsToFields": true, - "mode": "seriesToRows", - "reducers": [ - "sum" - ] - } - } - ], - "type": "barchart" - }, - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "description": "Blocked requests by attack type, which are subsets of the various block types.", - "fieldConfig": { - "defaults": { - "color": { - "fixedColor": "light-orange", - "mode": "fixed" - }, - "custom": { - "axisBorderShow": false, - "axisCenteredZero": false, - "axisColorMode": "text", - "axisLabel": "", - "axisPlacement": "auto", - "fillOpacity": 80, - "gradientMode": "none", - "hideFrom": { - "legend": false, - "tooltip": false, - "viz": false - }, - "lineWidth": 1, - "scaleDistribution": { - "type": "linear" - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "mappings": [], - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - } - }, - "overrides": [] - }, - "gridPos": { - "h": 11, - "w": 10, - "x": 10, - "y": 15 - }, - "id": 5, - "options": { - "barRadius": 0, - "barWidth": 0.8, - "fullHighlight": false, - "groupWidth": 0.7, - "legend": { - "calcs": [], - "displayMode": "list", - "placement": "bottom", - "showLegend": false - }, - "orientation": "horizontal", - "showValue": "never", - "stacking": "none", - "tooltip": { - "maxHeight": 600, - "mode": "single", - "sort": "none" - }, - "xField": "attack_type", - "xTickLabelRotation": 0, - "xTickLabelSpacing": 0 - }, - "pluginVersion": "10.4.3", - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "editorMode": "code", - "exemplar": false, - "expr": "round(sum by (attack_type) (increase(microgateway_http_downstream_rq_threats_blocked_total{block_type=~\"${blockType:regex}\", namespace=~\"${namespace:regex}\", job=~\"${operator_namespace.regex}/.*-engine\"}[$__range])))", - "instant": true, - "legendFormat": "__auto", - "range": false, - "refId": "A" - } - ], - "title": "Attack Type", - "transformations": [ - { - "id": "reduce", - "options": { - "labelsToFields": true, - "reducers": [ - "sum" - ] - } - } - ], - "type": "barchart" - } - ], - "refresh": "", - "schemaVersion": 39, - "tags": [ - "airlock-microgateway" - ], - "templating": { - "list": [ - { - "current": { - "selected": false, - "text": "Prometheus", - "value": "PBFA97CFB590B2093" - }, - "hide": 2, - "includeAll": false, - "label": "Datasource Prometheus", - "multi": false, - "name": "DS_PROMETHEUS", - "options": [], - "query": "prometheus", - "refresh": 1, - "regex": "", - "skipUrlSync": false, - "type": "datasource" - }, - { - "current": { - "selected": false, - "text": "Loki", - "value": "P8E80F9AEF21F6940" - }, - "hide": 2, - "includeAll": false, - "label": "DS_LOKI", - "multi": false, - "name": "DS_LOKI", - "options": [], - "query": "loki", - "refresh": 1, - "regex": "", - "skipUrlSync": false, - "type": "datasource" - }, - { - "allValue": ".*", - "current": {}, - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "definition": "label_values(microgateway_license_valid,namespace)", - "hide": 0, - "includeAll": true, - "label": "Operator Namespace", - "multi": true, - "name": "operator_namespace", - "options": [], - "query": { - "qryType": 1, - "query": "label_values(microgateway_license_valid,namespace)", - "refId": "PrometheusVariableQueryEditor-VariableQuery" - }, - "refresh": 2, - "regex": ".*", - "skipUrlSync": false, - "sort": 0, - "type": "query" - }, - { - "allValue": ".*", - "current": {}, - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "definition": "label_values(microgateway_license_http_rq_total,namespace)", - "hide": 0, - "includeAll": true, - "label": "Application Namespace", - "multi": true, - "name": "namespace", - "options": [], - "query": { - "qryType": 1, - "query": "label_values(microgateway_license_http_rq_total,namespace)", - "refId": "PrometheusVariableQueryEditor-VariableQuery" - }, - "refresh": 2, - "regex": "", - "skipUrlSync": false, - "sort": 5, - "type": "query" - }, - { - "allValue": ".*", - "current": {}, - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "definition": "label_values(microgateway_http_downstream_rq_threats_blocked_total,block_type)", - "hide": 0, - "includeAll": true, - "label": "Block Type", - "multi": true, - "name": "blockType", - "options": [], - "query": { - "qryType": 1, - "query": "label_values(microgateway_http_downstream_rq_threats_blocked_total,block_type)", - "refId": "PrometheusVariableQueryEditor-VariableQuery" - }, - "refresh": 2, - "regex": "", - "skipUrlSync": false, - "sort": 5, - "type": "query" - } - ] - }, - "time": { - "from": "now-24h", - "to": "now" - }, - "timeRangeUpdatedDuringEditOrView": false, - "timepicker": { - "hidden": false - }, - "timezone": "browser", - "title": "Airlock Microgateway Block Metrics", - "uid": "ddnqoczu7qvb4cdd3dd", - "version": 3, - "weekStart": "" -} \ No newline at end of file diff --git a/charts/airlock/microgateway/4.3.3/dashboards/license.json b/charts/airlock/microgateway/4.3.3/dashboards/license.json deleted file mode 100644 index b9d5777e2..000000000 --- a/charts/airlock/microgateway/4.3.3/dashboards/license.json +++ /dev/null @@ -1,521 +0,0 @@ -{ - "__inputs": [ - { - "name": "DS_PROMETHEUS", - "label": "Prometheus", - "description": "", - "type": "datasource", - "pluginId": "prometheus", - "pluginName": "Prometheus" - } - ], - "__elements": {}, - "__requires": [ - { - "type": "grafana", - "id": "grafana", - "name": "Grafana", - "version": "10.2.0" - }, - { - "type": "datasource", - "id": "prometheus", - "name": "Prometheus", - "version": "1.0.0" - }, - { - "type": "panel", - "id": "stat", - "name": "Stat", - "version": "" - }, - { - "type": "panel", - "id": "timeseries", - "name": "Time series", - "version": "" - } - ], - "annotations": { - "list": [ - { - "builtIn": 1, - "datasource": { - "type": "grafana", - "uid": "-- Grafana --" - }, - "enable": true, - "hide": true, - "iconColor": "rgba(0, 211, 255, 1)", - "name": "Annotations & Alerts", - "type": "dashboard" - } - ] - }, - "editable": true, - "fiscalYearStartMonth": 0, - "graphTooltip": 0, - "id": null, - "links": [ - { - "asDropdown": true, - "icon": "external link", - "includeVars": true, - "keepTime": true, - "tags": [ - "airlock-microgateway" - ], - "targetBlank": true, - "title": "Airlock Microgateway", - "tooltip": "", - "type": "dashboards", - "url": "" - } - ], - "panels": [ - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "description": "License status of Airlock Microgateway.", - "fieldConfig": { - "defaults": { - "color": { - "mode": "thresholds" - }, - "mappings": [ - { - "options": { - "0": { - "color": "red", - "index": 1, - "text": "Invalid" - }, - "1": { - "color": "green", - "index": 0, - "text": "Valid" - } - }, - "type": "value" - } - ], - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - } - }, - "overrides": [] - }, - "gridPos": { - "h": 4, - "w": 3, - "x": 0, - "y": 0 - }, - "id": 1, - "options": { - "colorMode": "value", - "graphMode": "area", - "justifyMode": "auto", - "orientation": "auto", - "reduceOptions": { - "calcs": [ - "lastNotNull" - ], - "fields": "", - "values": false - }, - "showPercentChange": false, - "textMode": "auto", - "wideLayout": true - }, - "pluginVersion": "11.0.0", - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "editorMode": "code", - "exemplar": false, - "expr": "min(microgateway_license_valid{namespace=~\"${operator_namespace.regex}\"})", - "instant": true, - "legendFormat": "License Status", - "range": false, - "refId": "Licenses" - } - ], - "title": "License Status", - "type": "stat" - }, - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "description": "Expiry date of the Airlock Microgateway license associated with the selected operator.", - "fieldConfig": { - "defaults": { - "color": { - "fixedColor": "text", - "mode": "fixed" - }, - "mappings": [], - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - }, - "unit": "time: L" - }, - "overrides": [] - }, - "gridPos": { - "h": 4, - "w": 4, - "x": 3, - "y": 0 - }, - "id": 4, - "options": { - "colorMode": "value", - "graphMode": "none", - "justifyMode": "auto", - "orientation": "auto", - "reduceOptions": { - "calcs": [ - "lastNotNull" - ], - "fields": "", - "values": false - }, - "showPercentChange": false, - "textMode": "auto", - "wideLayout": true - }, - "pluginVersion": "11.0.0", - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "editorMode": "code", - "exemplar": false, - "expr": "min(microgateway_license_expiry_timestamp_seconds{namespace=~\"${operator_namespace.regex}\"})*1000", - "instant": true, - "legendFormat": "Expiry Date (MM/DD/YYYY)", - "range": false, - "refId": "A" - } - ], - "title": "License Expiry Date", - "type": "stat" - }, - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "description": "Number of licensed requests for applications protected by Airlock Microgateway.", - "fieldConfig": { - "defaults": { - "color": { - "fixedColor": "text", - "mode": "fixed" - }, - "mappings": [], - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - }, - "unit": "short" - }, - "overrides": [] - }, - "gridPos": { - "h": 4, - "w": 4, - "x": 7, - "y": 0 - }, - "id": 6, - "options": { - "colorMode": "value", - "graphMode": "none", - "justifyMode": "auto", - "orientation": "auto", - "reduceOptions": { - "calcs": [ - "lastNotNull" - ], - "fields": "", - "values": false - }, - "showPercentChange": false, - "textMode": "auto", - "wideLayout": true - }, - "pluginVersion": "11.0.0", - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "editorMode": "code", - "exemplar": false, - "expr": "sum(microgateway_license_max_rq_count_per_month{namespace=~\"${operator_namespace.regex}\"})", - "instant": true, - "legendFormat": "Licensed Requests", - "range": false, - "refId": "A" - } - ], - "title": "Licensed Requests", - "type": "stat" - }, - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "description": "Estimated number of requests protected by Airlock Microgateway over 30 days based on the last 7 days.", - "fieldConfig": { - "defaults": { - "color": { - "fixedColor": "text", - "mode": "fixed" - }, - "mappings": [], - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - }, - "unit": "short" - }, - "overrides": [] - }, - "gridPos": { - "h": 4, - "w": 5, - "x": 11, - "y": 0 - }, - "id": 2, - "options": { - "colorMode": "value", - "graphMode": "none", - "justifyMode": "auto", - "orientation": "auto", - "reduceOptions": { - "calcs": [ - "lastNotNull" - ], - "fields": "", - "values": false - }, - "showPercentChange": false, - "textMode": "auto", - "wideLayout": true - }, - "pluginVersion": "11.0.0", - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "editorMode": "code", - "exemplar": false, - "expr": "sum(increase(microgateway_license_http_rq_total{job=~\"${operator_namespace.regex}/.*-engine\"}[7d]))/7*30", - "instant": true, - "legendFormat": "Estimated Requests", - "range": false, - "refId": "A" - } - ], - "title": "Requests over 30 days (estimated)", - "type": "stat" - }, - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "description": "Number of requests per week processed by Airlock Microgateway.", - "fieldConfig": { - "defaults": { - "color": { - "fixedColor": "blue", - "mode": "fixed" - }, - "custom": { - "axisBorderShow": false, - "axisCenteredZero": false, - "axisColorMode": "text", - "axisLabel": "", - "axisPlacement": "auto", - "barAlignment": 0, - "drawStyle": "line", - "fillOpacity": 0, - "gradientMode": "none", - "hideFrom": { - "legend": false, - "tooltip": false, - "viz": false - }, - "insertNulls": false, - "lineInterpolation": "linear", - "lineWidth": 1, - "pointSize": 5, - "scaleDistribution": { - "type": "linear" - }, - "showPoints": "auto", - "spanNulls": false, - "stacking": { - "group": "A", - "mode": "none" - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "mappings": [], - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - }, - "unit": "short" - }, - "overrides": [] - }, - "gridPos": { - "h": 12, - "w": 16, - "x": 0, - "y": 4 - }, - "id": 5, - "options": { - "legend": { - "calcs": [], - "displayMode": "list", - "placement": "bottom", - "showLegend": true - }, - "tooltip": { - "maxHeight": 600, - "mode": "single", - "sort": "none" - } - }, - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "editorMode": "code", - "expr": "sum(avg_over_time(increase(microgateway_license_http_rq_total{job=~\"${operator_namespace.regex}/.*-engine\"}[7d])[2m:30s]))", - "instant": false, - "legendFormat": "# Requests per week", - "range": true, - "refId": "A" - } - ], - "title": "Processed Requests per week", - "type": "timeseries" - } - ], - "schemaVersion": 39, - "tags": [ - "airlock-microgateway" - ], - "templating": { - "list": [ - { - "current": { - "selected": false, - "text": "Prometheus", - "value": "PBFA97CFB590B2093" - }, - "hide": 2, - "includeAll": false, - "label": "DS_PROMETHEUS", - "multi": false, - "name": "DS_PROMETHEUS", - "options": [], - "query": "prometheus", - "refresh": 1, - "regex": "", - "skipUrlSync": false, - "type": "datasource" - }, - { - "allValue": ".*", - "current": {}, - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "definition": "label_values(microgateway_license_valid,namespace)", - "description": "", - "hide": 0, - "includeAll": false, - "label": "Operator Namespace", - "multi": false, - "name": "operator_namespace", - "options": [], - "query": { - "qryType": 1, - "query": "label_values(microgateway_license_valid,namespace)", - "refId": "PrometheusVariableQueryEditor-VariableQuery" - }, - "refresh": 2, - "regex": "", - "skipUrlSync": false, - "sort": 0, - "type": "query" - } - ] - }, - "time": { - "from": "now-7d", - "to": "now" - }, - "timeRangeUpdatedDuringEditOrView": false, - "timepicker": {}, - "timezone": "browser", - "title": "Airlock Microgateway License", - "uid": "cdpq79bzrr01se", - "version": 2, - "weekStart": "" -} \ No newline at end of file diff --git a/charts/airlock/microgateway/4.3.3/gke-values.yaml b/charts/airlock/microgateway/4.3.3/gke-values.yaml new file mode 100644 index 000000000..d6d5c21d1 --- /dev/null +++ b/charts/airlock/microgateway/4.3.3/gke-values.yaml @@ -0,0 +1,4 @@ +# values for deploying on GKE + +config: + cniBinDir: "/home/kubernetes/bin" diff --git a/charts/airlock/microgateway/4.3.3/openshift-values.yaml b/charts/airlock/microgateway/4.3.3/openshift-values.yaml new file mode 100644 index 000000000..3b1d6cccd --- /dev/null +++ b/charts/airlock/microgateway/4.3.3/openshift-values.yaml @@ -0,0 +1,15 @@ +# values for deploying on OpenShift + +rbac: + createSCCRole: true + +privileged: true + +multusNetworkAttachmentDefinition: + create: true + namespace: default + +config: + installMode: "standalone" + cniNetDir: "/etc/cni/multus/net.d" + cniBinDir: "/var/lib/cni/bin" diff --git a/charts/airlock/microgateway/4.3.3/questions.yml b/charts/airlock/microgateway/4.3.3/questions.yml new file mode 100644 index 000000000..73ed44d64 --- /dev/null +++ b/charts/airlock/microgateway/4.3.3/questions.yml @@ -0,0 +1,18 @@ +questions: + - variable: config.cniNetDir + required: true + type: string + label: CNI Network Configuration Directory + group: "CNI Settings" + description: "Directory where the CNI config files reside on the host. This value depends on the kubernetes distribution and interface CNI Provider used. It can be fetched by running `crictl info -o go-template --template '{{.config.cni.confDir}}'` on your kubernetes host." + - variable: config.cniBinDir + required: true + type: string + label: CNI Plugin Binaries Directory + group: "CNI Settings" + description: "Directory where the CNI plugin binaries reside on the host. This value depends on the kubernetes distribution and interface CNI Provider used. It can be fetched by running `crictl info -o go-template --template '{{.config.cni.binDir}}'` on your kubernetes host." + - variable: config.installMode + required: true + label: CNI Plugin Installation Mode + group: "CNI Settings" + description: "Whether to install the CNI plugin as a `chained` plugin (default, required with most interface CNI providers) as a `standalone` plugin (required for use with Multus CNI, e.g. on OpenShift) or in `manual` mode, where no CNI network configuration is written. Please refer to the CNI installation documentation (https://github.com/airlock/microgateway?tab=readme-ov-file#deploy-airlock-microgateway-cni) to correctly setup the CNI Plugin for your environment." diff --git a/charts/airlock/microgateway/4.3.3/templates/NOTES.txt b/charts/airlock/microgateway/4.3.3/templates/NOTES.txt index 6e5ce218a..bb94ff521 100644 --- a/charts/airlock/microgateway/4.3.3/templates/NOTES.txt +++ b/charts/airlock/microgateway/4.3.3/templates/NOTES.txt @@ -1,47 +1,15 @@ -Thank you for installing Airlock Microgateway. +Thank you for installing Airlock Microgateway CNI. -Please ensure the following prerequisites are fulfilled: -* Cert-Manager is installed. - https://cert-manager.io/docs/installation/helm/ -* Airlock Microgateway CNI is also installed on the cluster. - https://artifacthub.io/packages/helm/airlock-microgateway-cni/microgateway-cni -* A valid Airlock Microgateway license is deployed in the Kubernetes secret 'airlock-microgateway-license'. - * Get a free Community license: https://airlock.com/en/microgateway-community - * Order a Premium license: https://airlock.com/en/microgateway-premium +Please ensure that the helm values'.config.cniNetDir' and '.config.cniBinDir' are configured for your Kubernetes distribution. +For further information, consider our manual https://docs.airlock.com/microgateway/{{ include "airlock-microgateway-cni.docsVersion" . }}. +The chapter 'Setup > Installation' describes how to set those settings correctly. Further information: -* Documentation: https://docs.airlock.com/microgateway/{{ include "airlock-microgateway.docsVersion" . }} -* CRD API reference documentation: https://docs.airlock.com/microgateway/{{ include "airlock-microgateway.docsVersion" . }}/api/crds +* Documentation: https://docs.airlock.com/microgateway/{{ include "airlock-microgateway-cni.docsVersion" . }} * Airlock Microgateway Labs: https://play.instruqt.com/airlock/invite/hyi9fy4b4jzc?icp_referrer=helm -{{- if .Values.crds.skipVersionCheck }} -Warning: CRD version check skipped -{{- else -}} -{{- $outdatedCRDs := (include "airlock-microgateway.outdatedCRDs" .) -}} -{{- if $outdatedCRDs -}} - {{- fail (printf ` - -Helm does not automatically upgrade CRDs from the chart's 'crds/' directory during 'helm install/upgrade'. -Therefore, the CRDs must be manually upgraded with the following command before deploying this chart: - -kubectl apply -k https://github.com/airlock/microgateway/deploy/charts/airlock-microgateway/crds/?ref=%s --server-side --force-conflicts - -If you are not using the helm install/upgrade command and instead rely on some other mechanism which is able to upgrade CRDs for deploying this chart, you can suppress this error by setting the helm value 'crds.skipVersionCheck=true'.` - .Chart.AppVersion) - -}} -{{- end -}} -{{- end -}} -{{- if .Values.tests.enabled -}} - {{- if .Values.operator.watchNamespaces -}} - {{- if not (has .Release.Namespace .Values.operator.watchNamespaces) -}} - {{- fail (printf ` - -To execute 'helm test', it is necessary that the release namespace '%s' is part of the operator's watch scope. Either disable the tests or ensure that the release namespace is added to watch namspace list ('operator.watchNamespaces') in the helm values. -` - .Release.Namespace) - -}} - {{- end -}} - {{- end -}} -{{- end }} +Next steps: +* Install Airlock Microgateway (if not done already) + https://artifacthub.io/packages/helm/airlock-microgateway/microgateway Your release version is {{ .Chart.Version }}. \ No newline at end of file diff --git a/charts/airlock/microgateway/4.3.3/templates/_helpers.tpl b/charts/airlock/microgateway/4.3.3/templates/_helpers.tpl index 733ba9648..996491a87 100644 --- a/charts/airlock/microgateway/4.3.3/templates/_helpers.tpl +++ b/charts/airlock/microgateway/4.3.3/templates/_helpers.tpl @@ -1,16 +1,14 @@ {{/* Expand the name of the chart. -We truncate at 49 chars because some Kubernetes name fields are limited to 63 chars (by the DNS naming spec) -and the longest explicit suffix is 14 characters. */}} -{{- define "airlock-microgateway.name" -}} -{{- default .Chart.Name .Values.nameOverride | trunc 49 | trimSuffix "-" }} +{{- define "airlock-microgateway-cni.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} {{- end }} {{/* Convert an image configuration object into an image ref string. */}} -{{- define "airlock-microgateway.image" -}} +{{- define "airlock-microgateway-cni.image" -}} {{- if .digest -}} {{- printf "%s@%s" .repository .digest -}} {{- else if .tag -}} @@ -22,19 +20,19 @@ Convert an image configuration object into an image ref string. {{/* Create a default fully qualified app name. -We truncate at 36 chars because some Kubernetes name fields are limited to 63 chars (by the DNS naming spec) -and the longest implicit suffix is 27 characters. +We truncate at 50 chars because some Kubernetes name fields are limited to 63 chars (by the DNS naming spec) +and the longest suffix is 13 characters. If release name contains chart name it will be used as a full name. */}} -{{- define "airlock-microgateway.fullname" -}} +{{- define "airlock-microgateway-cni.fullname" -}} {{- if .Values.fullnameOverride }} -{{- .Values.fullnameOverride | trunc 36 | trimSuffix "-" }} +{{- .Values.fullnameOverride | trunc 50 | trimSuffix "-" }} {{- else }} {{- $name := default .Chart.Name .Values.nameOverride }} {{- if contains $name .Release.Name }} -{{- .Release.Name | trunc 36 | trimSuffix "-" }} +{{- .Release.Name | trunc 50 | trimSuffix "-" }} {{- else }} -{{- printf "%s-%s" .Release.Name $name | trunc 36 | trimSuffix "-" }} +{{- printf "%s-%s" .Release.Name $name | trunc 50 | trimSuffix "-" }} {{- end }} {{- end }} {{- end }} @@ -42,112 +40,62 @@ If release name contains chart name it will be used as a full name. {{/* Create chart name and version as used by the chart label. */}} -{{- define "airlock-microgateway.chart" -}} +{{- define "airlock-microgateway-cni.chart" -}} {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} {{- end }} {{/* Common labels */}} -{{- define "airlock-microgateway.sharedLabels" -}} -helm.sh/chart: {{ include "airlock-microgateway.chart" . }} +{{- define "airlock-microgateway-cni.labels" -}} +helm.sh/chart: {{ include "airlock-microgateway-cni.chart" . }} +{{ include "airlock-microgateway-cni.selectorLabels" . }} {{- if .Chart.AppVersion }} app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} {{- end }} app.kubernetes.io/managed-by: {{ .Release.Service }} -app.kubernetes.io/part-of: {{ .Chart.Name }} {{- with .Values.commonLabels }} {{ toYaml .}} {{- end }} {{- end }} {{/* -Common Selector labels +Common labels without component */}} -{{- define "airlock-microgateway.sharedSelectorLabels" -}} -app.kubernetes.io/instance: {{ .Release.Name }} +{{- define "airlock-microgateway-cni.labelsWithoutComponent" -}} +{{- $labels := fromYaml (include "airlock-microgateway-cni.labels" .) -}} +{{ unset $labels "app.kubernetes.io/component" | toYaml }} {{- end }} {{/* -Restricted Container Security Context +Selector labels */}} -{{- define "airlock-microgateway.restrictedSecurityContext" -}} -allowPrivilegeEscalation: false -privileged: false -runAsNonRoot: true -capabilities: - drop: ["ALL"] -readOnlyRootFilesystem: true -seccompProfile: - type: RuntimeDefault +{{- define "airlock-microgateway-cni.selectorLabels" -}} +app.kubernetes.io/component: cni-plugin-installer +app.kubernetes.io/instance: {{ .Release.Name }} +app.kubernetes.io/name: {{ include "airlock-microgateway-cni.name" . }} {{- end }} -{{/* Precondition: May only be used if AppVersion is isSemver */}} -{{- define "airlock-microgateway.supportedCRDVersionPattern" -}} -{{- $version := (semver .Chart.AppVersion) -}} -{{- if $version.Prerelease -}} ->= {{ $version.Major }}.{{ $version.Minor }}.{{ $version.Patch }}-{{ $version.Prerelease }} -{{- else -}} ->= {{ $version.Major }}.{{ $version.Minor }}.0 || >= {{ $version.Major }}.{{ $version.Minor }}.{{ add1 $version.Patch }}-0 -{{- end -}} -{{- end -}} +{{/* +Create the name of the service account to use for the CNI Plugin +*/}} +{{- define "airlock-microgateway-cni.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "airlock-microgateway-cni.fullname" .) .Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} -{{- define "airlock-microgateway.outdatedCRDs" -}} -{{- if (eq "true" (include "airlock-microgateway.isSemver" .Chart.AppVersion)) -}} - {{- $supportedVersion := (include "airlock-microgateway.supportedCRDVersionPattern" .) -}} - {{- range $path, $_ := .Files.Glob "crds/*.yaml" -}} - {{- $api := ($.Files.Get $path | fromYaml).metadata.name -}} - {{- $crd := (lookup "apiextensions.k8s.io/v1" "CustomResourceDefinition" "" $api) -}} - {{- $isOutdated := false -}} - {{- if $crd -}} - {{/* If CRD is already present in the cluster, it must have the minimum supported version */}} - {{- $isOutdated = true -}} - {{- if hasKey $crd.metadata "labels" -}} - {{- $crdVersion := get $crd.metadata.labels "app.kubernetes.io/version" -}} - {{- if (eq "true" (include "airlock-microgateway.isSemver" $crdVersion)) -}} - {{- if (semverCompare $supportedVersion $crdVersion) }} - {{- $isOutdated = false -}} - {{- end }} - {{- end -}} - {{- end -}} - {{- end -}} - {{- if $isOutdated }} -{{ base $path }} - {{- end }} - {{- end -}} -{{- end -}} -{{- end -}} - -{{- define "airlock-microgateway.isSemver" -}} +{{- define "airlock-microgateway-cni.isSemver" -}} {{- regexMatch `^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$` . -}} {{- end -}} -{{- define "airlock-microgateway.docsVersion" -}} -{{- if and (eq "true" (include "airlock-microgateway.isSemver" .Chart.AppVersion)) (not (contains "-" .Chart.AppVersion)) -}} +{{- define "airlock-microgateway-cni.docsVersion" -}} +{{- if and (eq "true" (include "airlock-microgateway-cni.isSemver" .Chart.AppVersion)) (not (contains "-" .Chart.AppVersion)) -}} {{- $version := (semver .Chart.AppVersion) -}} {{- $version.Major }}.{{ $version.Minor -}} {{- else -}} {{- print "latest" -}} {{- end -}} {{- end -}} - -{{- define "airlock-microgateway.watchNamespaceSelector.labelQuery" -}} -{{- $list := list -}} -{{- with .matchLabels -}} - {{- range $key, $value := . -}} - {{- $list = append $list (printf "%s=%s" $key $value) -}} - {{- end -}} -{{- end -}} -{{- with .matchExpressions -}} - {{- range . -}} - {{- if has .operator (list "In" "NotIn") -}} - {{- $list = append $list (printf "%s %s (%s)" .key (lower .operator) (join "," .values)) -}} - {{- else if eq .operator "Exists" -}} - {{- $list = append $list .key -}} - {{- else if eq .operator "DoesNotExist" -}} - {{- $list = append $list (printf "!%s" .key) -}} - {{- end -}} - {{- end -}} -{{- end -}} -{{- join "," $list -}} -{{- end -}} \ No newline at end of file diff --git a/charts/airlock/microgateway/4.3.3/templates/clusterrole.yaml b/charts/airlock/microgateway/4.3.3/templates/clusterrole.yaml new file mode 100644 index 000000000..ef88ac783 --- /dev/null +++ b/charts/airlock/microgateway/4.3.3/templates/clusterrole.yaml @@ -0,0 +1,22 @@ +{{- if .Values.rbac.create -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "airlock-microgateway-cni.fullname" . }} + labels: + {{- include "airlock-microgateway-cni.labels" . | nindent 4 }} + {{- with .Values.commonAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +rules: + - apiGroups: + - "" + resources: + - pods + verbs: + - get + - list + - watch + - patch +{{- end -}} diff --git a/charts/airlock/microgateway/4.3.3/templates/clusterrolebinding.yaml b/charts/airlock/microgateway/4.3.3/templates/clusterrolebinding.yaml new file mode 100644 index 000000000..04f87cb0f --- /dev/null +++ b/charts/airlock/microgateway/4.3.3/templates/clusterrolebinding.yaml @@ -0,0 +1,20 @@ +{{- if .Values.rbac.create -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "airlock-microgateway-cni.fullname" . }} + labels: + {{- include "airlock-microgateway-cni.labels" . | nindent 4 }} + {{- with .Values.commonAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "airlock-microgateway-cni.fullname" . }} +subjects: + - kind: ServiceAccount + name: {{ include "airlock-microgateway-cni.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +{{- end -}} diff --git a/charts/airlock/microgateway/4.3.3/templates/configmap.yaml b/charts/airlock/microgateway/4.3.3/templates/configmap.yaml new file mode 100644 index 000000000..b880116ef --- /dev/null +++ b/charts/airlock/microgateway/4.3.3/templates/configmap.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "airlock-microgateway-cni.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "airlock-microgateway-cni.labels" . | nindent 4 }} + {{- with .Values.commonAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +data: + plugin-conf.json: |- + { + "type": "{{ include "airlock-microgateway-cni.fullname" . }}", + "debug": {{ eq .Values.config.logLevel "debug" }}, + "logFilePath": "/var/log/{{ include "airlock-microgateway-cni.fullname" . }}.log", + "kubernetes": { + "kubeconfig": "{{ .Values.config.cniNetDir }}/{{ include "airlock-microgateway-cni.fullname" . }}-kubeconfig", + "excludeNamespaces": {{ toJson .Values.config.excludeNamespaces }} + } + } diff --git a/charts/airlock/microgateway/4.3.3/templates/daemonset.yaml b/charts/airlock/microgateway/4.3.3/templates/daemonset.yaml new file mode 100644 index 000000000..4ba9f2669 --- /dev/null +++ b/charts/airlock/microgateway/4.3.3/templates/daemonset.yaml @@ -0,0 +1,136 @@ +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: {{ include "airlock-microgateway-cni.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "airlock-microgateway-cni.labels" . | nindent 4 }} + {{- with .Values.commonAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + selector: + matchLabels: + {{- include "airlock-microgateway-cni.selectorLabels" . | nindent 6 }} + template: + metadata: + annotations: + checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + kubectl.kubernetes.io/default-container: cni-installer + {{- with mustMerge .Values.podAnnotations .Values.commonAnnotations}} + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "airlock-microgateway-cni.labels" . | nindent 8 }} + {{- with .Values.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + containers: + - args: + - --log-level + - "{{ .Values.config.logLevel }}" + env: + - name: CNI_NETWORK_CONFIG + valueFrom: + configMapKeyRef: + key: plugin-conf.json + name: {{ include "airlock-microgateway-cni.fullname" . }} + - name: CNI_BIN_DIR + value: /host/opt/cni/bin + - name: CNI_NET_DIR + value: /host/etc/cni/net.d + - name: KUBECONFIG_FILE_NAME + value: "{{ include "airlock-microgateway-cni.fullname" . }}-kubeconfig" + - name: INSTALL_MODE + value: {{ .Values.config.installMode }} + - name: KUBERNETES_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + image: {{ include "airlock-microgateway-cni.image" .Values.image }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + name: cni-installer + {{- with .Values.resources }} + resources: + {{- toYaml . | nindent 12 }} + {{- end }} + startupProbe: + exec: + command: + - /cni-installer + - probe + failureThreshold: 5 + initialDelaySeconds: 3 + periodSeconds: 3 + timeoutSeconds: 3 + readinessProbe: + exec: + command: + - /cni-installer + - probe + failureThreshold: 1 + periodSeconds: 60 + timeoutSeconds: 3 + securityContext: + allowPrivilegeEscalation: {{ .Values.privileged }} + capabilities: + drop: + - ALL + privileged: {{ .Values.privileged }} + readOnlyRootFilesystem: true + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 + seccompProfile: + type: RuntimeDefault + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /host/opt/cni/bin + name: cni-bin-dir + - mountPath: /host/etc/cni/net.d + name: cni-net-dir + - mountPath: /run/cni-installer + name: cni-installer-status + hostNetwork: true + priorityClassName: system-node-critical + restartPolicy: Always + securityContext: + fsGroup: 0 + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 + serviceAccountName: {{ include "airlock-microgateway-cni.serviceAccountName" . }} + terminationGracePeriodSeconds: 5 + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + tolerations: + - effect: NoSchedule + operator: Exists + - key: CriticalAddonsOnly + operator: Exists + - effect: NoExecute + operator: Exists + volumes: + - hostPath: + path: "{{ .Values.config.cniBinDir }}" + type: Directory + name: cni-bin-dir + - hostPath: + path: "{{ .Values.config.cniNetDir }}" + type: Directory + name: cni-net-dir + - emptyDir: {} + name: cni-installer-status diff --git a/charts/airlock/microgateway/4.3.3/templates/network-attachment-definition.yaml b/charts/airlock/microgateway/4.3.3/templates/network-attachment-definition.yaml new file mode 100644 index 000000000..5d657e309 --- /dev/null +++ b/charts/airlock/microgateway/4.3.3/templates/network-attachment-definition.yaml @@ -0,0 +1,13 @@ +{{- if .Values.multusNetworkAttachmentDefinition.create -}} +apiVersion: "k8s.cni.cncf.io/v1" +kind: NetworkAttachmentDefinition +metadata: + name: {{ include "airlock-microgateway-cni.fullname" . }} + namespace: {{ .Values.multusNetworkAttachmentDefinition.namespace }} + labels: + {{- include "airlock-microgateway-cni.labels" . | nindent 4 }} + {{- with .Values.commonAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end -}} diff --git a/charts/airlock/microgateway/4.3.3/templates/operator/_operator_helpers.tpl b/charts/airlock/microgateway/4.3.3/templates/operator/_operator_helpers.tpl deleted file mode 100644 index a540ff9f4..000000000 --- a/charts/airlock/microgateway/4.3.3/templates/operator/_operator_helpers.tpl +++ /dev/null @@ -1,42 +0,0 @@ -{{/* -Create a default fully qualified name for operator components. -*/}} -{{- define "airlock-microgateway.operator.fullname" -}} -{{ include "airlock-microgateway.fullname" . }}-operator -{{- end }} - - -{{/* -Common operator labels -*/}} -{{- define "airlock-microgateway.operator.labels" -}} -{{ include "airlock-microgateway.sharedLabels" . }} -{{ include "airlock-microgateway.operator.selectorLabels" . }} -{{- end }} - -{{/* -Operator Selector labels -*/}} -{{- define "airlock-microgateway.operator.selectorLabels" -}} -{{ include "airlock-microgateway.sharedSelectorLabels" . }} -app.kubernetes.io/name: {{ include "airlock-microgateway.name" . }}-operator -app.kubernetes.io/component: controller -{{- end }} - -{{/* -Create the name of the service account to use for the operator -*/}} -{{- define "airlock-microgateway.operator.serviceAccountName" -}} -{{- if .Values.operator.serviceAccount.create }} -{{- default (include "airlock-microgateway.operator.fullname" .) .Values.operator.serviceAccount.name }} -{{- else }} -{{- default "default" .Values.operator.serviceAccount.name }} -{{- end }} -{{- end }} - -{{/* -ServiceMonitor metrics regex pattern for leader only metrics -*/}} -{{- define "airlock-microgateway.operator.metricsLeaderOnlyRegexPattern" -}} -^(microgateway_license|microgateway_sidecars).*$ -{{- end }} diff --git a/charts/airlock/microgateway/4.3.3/templates/operator/_rbac.gen.tpl b/charts/airlock/microgateway/4.3.3/templates/operator/_rbac.gen.tpl deleted file mode 100644 index 83b314cbc..000000000 --- a/charts/airlock/microgateway/4.3.3/templates/operator/_rbac.gen.tpl +++ /dev/null @@ -1,237 +0,0 @@ -{{/* AUTOGENERATED FILE DO NOT EDIT */}} - -{{/* -Operator rbac permission rules -*/}} -{{- define "airlock-microgateway-operator.rbacRules" -}} -- apiGroups: - - "" - resources: - - configmaps - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - events - verbs: - - create - - patch -- apiGroups: - - "" - resources: - - namespaces - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - pods - verbs: - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - "" - resources: - - pods/finalizers - verbs: - - update -- apiGroups: - - "" - resources: - - pods/status - verbs: - - patch - - update -- apiGroups: - - "" - resources: - - secrets - verbs: - - create - - delete - - get - - list - - update - - watch -- apiGroups: - - microgateway.airlock.com - resources: - - accesscontrols - verbs: - - get - - list - - watch -- apiGroups: - - microgateway.airlock.com - resources: - - contentsecurities - verbs: - - get - - list - - watch -- apiGroups: - - microgateway.airlock.com - resources: - - denyrules - verbs: - - get - - list - - watch -- apiGroups: - - microgateway.airlock.com - resources: - - envoyclusters - verbs: - - get - - list - - watch -- apiGroups: - - microgateway.airlock.com - resources: - - envoyconfigurations - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - microgateway.airlock.com - resources: - - envoyconfigurations/status - verbs: - - get - - patch - - update -- apiGroups: - - microgateway.airlock.com - resources: - - envoyhttpfilters - verbs: - - get - - list - - watch -- apiGroups: - - microgateway.airlock.com - resources: - - graphqls - verbs: - - get - - list - - watch -- apiGroups: - - microgateway.airlock.com - resources: - - headerrewrites - verbs: - - get - - list - - watch -- apiGroups: - - microgateway.airlock.com - resources: - - identitypropagations - verbs: - - get - - list - - watch -- apiGroups: - - microgateway.airlock.com - resources: - - limits - verbs: - - get - - list - - watch -- apiGroups: - - microgateway.airlock.com - resources: - - oidcproviders - verbs: - - get - - list - - watch -- apiGroups: - - microgateway.airlock.com - resources: - - oidcrelyingparties - verbs: - - get - - list - - watch -- apiGroups: - - microgateway.airlock.com - resources: - - openapis - verbs: - - get - - list - - watch -- apiGroups: - - microgateway.airlock.com - resources: - - parsers - verbs: - - get - - list - - watch -- apiGroups: - - microgateway.airlock.com - resources: - - redisproviders - verbs: - - get - - list - - watch -- apiGroups: - - microgateway.airlock.com - resources: - - sessionhandlings - verbs: - - get - - list - - watch -- apiGroups: - - microgateway.airlock.com - resources: - - sidecargateways - verbs: - - get - - list - - patch - - update - - watch -- apiGroups: - - microgateway.airlock.com - resources: - - sidecargateways/finalizers - verbs: - - update -- apiGroups: - - microgateway.airlock.com - resources: - - sidecargateways/status - verbs: - - get - - patch - - update -- apiGroups: - - microgateway.airlock.com - resources: - - telemetries - verbs: - - get - - list - - watch -{{- end }} diff --git a/charts/airlock/microgateway/4.3.3/templates/operator/_webhooks.gen.tpl b/charts/airlock/microgateway/4.3.3/templates/operator/_webhooks.gen.tpl deleted file mode 100644 index 02e304890..000000000 --- a/charts/airlock/microgateway/4.3.3/templates/operator/_webhooks.gen.tpl +++ /dev/null @@ -1,339 +0,0 @@ -{{/* AUTOGENERATED FILE DO NOT EDIT */}} - -{{/* -Operator mutating webhooks -*/}} -{{- define "airlock-microgateway-operator.mutatingWebhooks" -}} -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: airlock-microgateway-operator-webhook - namespace: '{{ .Release.Namespace }}' - path: /mutate-v1-pod - failurePolicy: Fail - name: mutate-pod.microgateway.airlock.com - reinvocationPolicy: IfNeeded - rules: - - apiGroups: - - "" - apiVersions: - - v1 - operations: - - CREATE - resources: - - pods - sideEffects: None - objectSelector: - matchLabels: - sidecar.microgateway.airlock.com/inject: "true" -{{- end }} - -{{/* -Operator validating webhooks -*/}} -{{- define "airlock-microgateway-operator.validatingWebhooks" -}} -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: airlock-microgateway-operator-webhook - namespace: '{{ .Release.Namespace }}' - path: /validate-v1-pod - failurePolicy: Fail - name: validate-pod.microgateway.airlock.com - rules: - - apiGroups: - - "" - apiVersions: - - v1 - operations: - - CREATE - - UPDATE - resources: - - pods - sideEffects: None - objectSelector: - matchLabels: - sidecar.microgateway.airlock.com/inject: "true" -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: airlock-microgateway-operator-webhook - namespace: '{{ .Release.Namespace }}' - path: /validate-microgateway-airlock-com-v1alpha1-accesscontrol - failurePolicy: Fail - name: validate-accesscontrol.microgateway.airlock.com - rules: - - apiGroups: - - microgateway.airlock.com - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - accesscontrols - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: airlock-microgateway-operator-webhook - namespace: '{{ .Release.Namespace }}' - path: /validate-microgateway-airlock-com-v1alpha1-denyrules - failurePolicy: Fail - name: validate-denyrules.microgateway.airlock.com - rules: - - apiGroups: - - microgateway.airlock.com - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - denyrules - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: airlock-microgateway-operator-webhook - namespace: '{{ .Release.Namespace }}' - path: /validate-microgateway-airlock-com-v1alpha1-envoycluster - failurePolicy: Fail - name: validate-envoycluster.microgateway.airlock.com - rules: - - apiGroups: - - microgateway.airlock.com - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - envoyclusters - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: airlock-microgateway-operator-webhook - namespace: '{{ .Release.Namespace }}' - path: /validate-microgateway-airlock-com-v1alpha1-envoyhttpfilter - failurePolicy: Fail - name: validate-envoyhttpfilter.microgateway.airlock.com - rules: - - apiGroups: - - microgateway.airlock.com - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - envoyhttpfilters - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: airlock-microgateway-operator-webhook - namespace: '{{ .Release.Namespace }}' - path: /validate-microgateway-airlock-com-v1alpha1-graphql - failurePolicy: Fail - name: validate-graphql.microgateway.airlock.com - rules: - - apiGroups: - - microgateway.airlock.com - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - graphqls - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: airlock-microgateway-operator-webhook - namespace: '{{ .Release.Namespace }}' - path: /validate-microgateway-airlock-com-v1alpha1-headerrewrites - failurePolicy: Fail - name: validate-headerrewrites.microgateway.airlock.com - rules: - - apiGroups: - - microgateway.airlock.com - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - headerrewrites - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: airlock-microgateway-operator-webhook - namespace: '{{ .Release.Namespace }}' - path: /validate-microgateway-airlock-com-v1alpha1-identitypropagation - failurePolicy: Fail - name: validate-identitypropagation.microgateway.airlock.com - rules: - - apiGroups: - - microgateway.airlock.com - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - identitypropagations - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: airlock-microgateway-operator-webhook - namespace: '{{ .Release.Namespace }}' - path: /validate-microgateway-airlock-com-v1alpha1-limits - failurePolicy: Fail - name: validate-limits.microgateway.airlock.com - rules: - - apiGroups: - - microgateway.airlock.com - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - limits - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: airlock-microgateway-operator-webhook - namespace: '{{ .Release.Namespace }}' - path: /validate-microgateway-airlock-com-v1alpha1-oidcprovider - failurePolicy: Fail - name: validate-oidcprovider.microgateway.airlock.com - rules: - - apiGroups: - - microgateway.airlock.com - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - oidcproviders - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: airlock-microgateway-operator-webhook - namespace: '{{ .Release.Namespace }}' - path: /validate-microgateway-airlock-com-v1alpha1-oidcrelyingparty - failurePolicy: Fail - name: validate-oidcrelyingparty.microgateway.airlock.com - rules: - - apiGroups: - - microgateway.airlock.com - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - oidcrelyingparties - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: airlock-microgateway-operator-webhook - namespace: '{{ .Release.Namespace }}' - path: /validate-microgateway-airlock-com-v1alpha1-openapi - failurePolicy: Fail - name: validate-openapi.microgateway.airlock.com - rules: - - apiGroups: - - microgateway.airlock.com - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - openapis - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: airlock-microgateway-operator-webhook - namespace: '{{ .Release.Namespace }}' - path: /validate-microgateway-airlock-com-v1alpha1-parser - failurePolicy: Fail - name: validate-parser.microgateway.airlock.com - rules: - - apiGroups: - - microgateway.airlock.com - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - parsers - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: airlock-microgateway-operator-webhook - namespace: '{{ .Release.Namespace }}' - path: /validate-microgateway-airlock-com-v1alpha1-redisprovider - failurePolicy: Fail - name: validate-redisprovider.microgateway.airlock.com - rules: - - apiGroups: - - microgateway.airlock.com - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - redisproviders - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: airlock-microgateway-operator-webhook - namespace: '{{ .Release.Namespace }}' - path: /validate-microgateway-airlock-com-v1alpha1-sidecargateway - failurePolicy: Fail - name: validate-sidecargateway.microgateway.airlock.com - rules: - - apiGroups: - - microgateway.airlock.com - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - sidecargateways - sideEffects: None -{{- end }} diff --git a/charts/airlock/microgateway/4.3.3/templates/operator/configmap.yaml b/charts/airlock/microgateway/4.3.3/templates/operator/configmap.yaml deleted file mode 100644 index 95e52d7df..000000000 --- a/charts/airlock/microgateway/4.3.3/templates/operator/configmap.yaml +++ /dev/null @@ -1,394 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "airlock-microgateway.operator.fullname" . }}-config - namespace: {{ .Release.Namespace }} - labels: - {{- include "airlock-microgateway.operator.labels" . | nindent 4 }} - {{- with .Values.commonAnnotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -data: - engine_bootstrap_config_template.yaml: | - # Base configuration, admin interface on port 19000 - admin: - address: - socket_address: - address: 127.0.0.1 - port_value: 19000 - dynamic_resources: - cds_config: - initial_fetch_timeout: 10s - resource_api_version: V3 - api_config_source: - api_type: GRPC - transport_api_version: V3 - grpc_services: - - envoy_grpc: - cluster_name: xds_cluster - set_node_on_first_message_only: true - # Prevent Envoy Node from overloading the xDS server due to rejected configuration when using xDS SotW gRPC - rate_limit_settings: - max_tokens: 5 - fill_rate: 0.2 - lds_config: - resource_api_version: V3 - initial_fetch_timeout: 10s - api_config_source: - api_type: GRPC - transport_api_version: V3 - grpc_services: - - envoy_grpc: - cluster_name: xds_cluster - set_node_on_first_message_only: true - # Prevent Envoy Node from overloading the xDS server due to rejected configuration when using xDS SotW gRPC - rate_limit_settings: - max_tokens: 5 - fill_rate: 0.2 - static_resources: - listeners: - - name: probe - address: - socket_address: - address: 0.0.0.0 - port_value: 19001 - filter_chains: - - filters: - - name: http_connection_manager - typed_config: - '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager - stat_prefix: probe - codec_type: AUTO - http2_protocol_options: - initial_connection_window_size: 1048576 - initial_stream_window_size: 65536 - max_concurrent_streams: 100 - route_config: - name: probe - virtual_hosts: - - name: probe - domains: - - '*' - routes: - - name: ready - match: - path: /ready - headers: - - name: ':method' - string_match: - exact: 'GET' - route: - cluster: airlock_microgateway_engine_admin - http_filters: - - name: envoy.filters.http.router - typed_config: - '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router - - name: metrics - address: - socket_address: - address: 0.0.0.0 - port_value: 19002 - filter_chains: - - filters: - - name: http_connection_manager - typed_config: - '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager - stat_prefix: metrics - codec_type: AUTO - http2_protocol_options: - initial_connection_window_size: 1048576 - initial_stream_window_size: 65536 - max_concurrent_streams: 100 - route_config: - name: metrics - virtual_hosts: - - name: metrics - domains: - - '*' - routes: - - name: metrics - match: - path: /metrics - headers: - - name: ':method' - string_match: - exact: 'GET' - route: - prefix_rewrite: '/stats/prometheus' - cluster: airlock_microgateway_engine_admin - http_filters: - - name: envoy.filters.http.router - typed_config: - '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router - clusters: - - name: xds_cluster - connect_timeout: 1s - type: STRICT_DNS - load_assignment: - cluster_name: xds_cluster - endpoints: - - lb_endpoints: - - endpoint: - address: - socket_address: - address: airlock-microgateway-operator-xds.$(OPERATOR_NAMESPACE).svc.cluster.local - port_value: 13377 - typed_extension_protocol_options: - envoy.extensions.upstreams.http.v3.HttpProtocolOptions: - '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions - explicit_http_config: - http2_protocol_options: - connection_keepalive: - interval: 360s - timeout: 5s - transport_socket: - name: envoy.transport_sockets.tls - typed_config: - '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext - common_tls_context: - tls_params: - tls_minimum_protocol_version: TLSv1_3 - tls_maximum_protocol_version: TLSv1_3 - validation_context_sds_secret_config: - name: validation_context_sds - sds_config: - resource_api_version: V3 - path_config_source: - path: /etc/envoy/validation_context_sds_secret.yaml - watched_directory: - path: /etc/envoy/ - tls_certificate_sds_secret_configs: - - name: tls_certificate_sds - sds_config: - resource_api_version: V3 - path_config_source: - path: /etc/envoy/tls_certificate_sds_secret.yaml - watched_directory: - path: /etc/envoy/ - - name: airlock_microgateway_engine_admin - connect_timeout: 1s - type: STATIC - load_assignment: - cluster_name: airlock_microgateway_engine_admin - endpoints: - - lb_endpoints: - - endpoint: - address: - socket_address: - address: 127.0.0.1 - port_value: 19000 - typed_extension_protocol_options: - envoy.extensions.upstreams.http.v3.HttpProtocolOptions: - '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions - explicit_http_config: - http2_protocol_options: - connection_keepalive: - interval: 360s - timeout: 5s - stats_config: - stats_tags: - - tag_name: "block_type" - regex: "\\.(block_type\\.([^.]+))" - - tag_name: "attack_type" - regex: "\\.(attack_type\\.([^.]+))" - - tag_name: "envoy_cluster_name" - regex: "\\.(cluster\\.([^.]+))" - - tag_name: "version" - regex: "\\.(version\\.([^.]+))" - use_all_default_tags: true - overload_manager: - resource_monitors: - - name: "envoy.resource_monitors.global_downstream_max_connections" - typed_config: - "@type": type.googleapis.com/envoy.extensions.resource_monitors.downstream_connections.v3.DownstreamConnectionsConfig - max_active_downstream_connections: 50000 - bootstrap_extensions: - - name: airlock.bootstrap.engine_build_info - typed_config: - '@type': type.googleapis.com/airlock.extensions.bootstrap.stats.v1alpha.Stats - application_log_config: - log_format: - text_format: '{"@timestamp":"%Y-%m-%dT%T.%e%z","log":{"logger":"%n","level":"%l","origin":{"file":{"name":"%g","line":%#},"function":"%!"}},"event":{"module":"envoy","dataset":"envoy.application"},"process":{"pid":%P,"thread":{"id":%t}},"ecs":{"version":"8.5"},"message":"%j"}' - engine_container_template.yaml: | - name: "$(ENGINE_NAME)" - image: "$(ENGINE_IMAGE)" - imagePullPolicy: {{ .Values.engine.image.pullPolicy }} - args: - - "--config-path" - - "/etc/envoy/bootstrap_config.yaml" - - "--base-id" - - "$(BASE_ID)" - - "--file-flush-interval-msec" - - '1000' - - "--drain-time-s" - - '60' - - "--service-node" - - "$(POD_NAME).$(POD_NAMESPACE)" - - "--service-cluster" - - "$(APP_NAME).$(POD_NAMESPACE)" - - "--log-path" - - "/dev/stdout" - - "--log-level" - - "$(LOG_LEVEL)" - volumeMounts: - - name: airlock-microgateway-bootstrap-secret-volume - mountPath: /etc/envoy - readOnly: true - env: - - name: POD_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: POD_IP - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: status.podIP - ports: - - containerPort: 13378 - protocol: TCP - - containerPort: 19001 - protocol: TCP - - containerPort: 19002 - protocol: TCP - livenessProbe: - httpGet: - path: /ready - port: 19001 - scheme: HTTP - initialDelaySeconds: 5 - periodSeconds: 5 - failureThreshold: 5 - successThreshold: 1 - timeoutSeconds: 1 - readinessProbe: - httpGet: - path: /ready - port: 19001 - scheme: HTTP - initialDelaySeconds: 5 - periodSeconds: 5 - failureThreshold: 3 - successThreshold: 1 - timeoutSeconds: 1 - securityContext: - {{- include "airlock-microgateway.restrictedSecurityContext" . | nindent 6 }} - runAsUser: $(SECURITYCONTEXT_UID) - {{- with .Values.engine.resources }} - resources: - {{- toYaml . | nindent 6 }} - {{- end }} - session_agent_container_template.yaml: | - name: "$(SESSION_AGENT_NAME)" - image: "$(SESSION_AGENT_IMAGE)" - imagePullPolicy: {{ .Values.sessionAgent.image.pullPolicy }} - args: - - "--port" - - "19004" - - "--config-path" - - "/etc/microgateway-session-agent/config.json" - volumeMounts: - - name: airlock-microgateway-session-agent-volume - mountPath: /etc/microgateway-session-agent - readOnly: true - env: - - name: POD_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - ports: - - containerPort: 19004 - livenessProbe: - {{- if (semverCompare ">=1.27 || >=1.27.1-0" .Capabilities.KubeVersion.Version)}} - grpc: - port: 19004 - {{- else }} - tcpSocket: - port: 19004 - {{- end }} - initialDelaySeconds: 5 - periodSeconds: 5 - failureThreshold: 5 - successThreshold: 1 - timeoutSeconds: 5 - readinessProbe: - {{- if (semverCompare ">=1.27 || >=1.27.1-0" .Capabilities.KubeVersion.Version)}} - grpc: - port: 19004 - {{- else }} - tcpSocket: - port: 19004 - {{- end }} - initialDelaySeconds: 5 - periodSeconds: 5 - failureThreshold: 3 - successThreshold: 1 - timeoutSeconds: 5 - securityContext: - {{- include "airlock-microgateway.restrictedSecurityContext" . | nindent 6 }} - runAsUser: $(SECURITYCONTEXT_UID) - {{- with .Values.sessionAgent.resources }} - resources: - {{- toYaml . | nindent 6 }} - {{- end }} - network_validator_container_template.yaml: | - name: "$(NETWORK_VALIDATOR_NAME)" - image: "$(NETWORK_VALIDATOR_IMAGE)" - imagePullPolicy: {{ .Values.networkValidator.image.pullPolicy }} - command: ["/bin/sh", "-c"] - args: - - |- - echo 'pong' | nc -v -l 127.0.0.1 13378 & - for i in 1 2 3; do - sleep 1s - if r=$(echo 'ping' | nc -v -q 0 127.0.0.1 19003) && [ $r == pong ]; then - echo -n 'Traffic redirection to Airlock Microgateway Engine is working.' > /dev/termination-log - exit 0 - fi - done - echo -en 'Traffic redirection to Airlock Microgateway Engine is not working.\nRestart the pod after ensuring that hostNetwork is disabled and a compatible Airlock Microgateway CNI version is installed on the node.\nCertain environments may also require additional configuration (see docs.airlock.com for more information).' > /dev/termination-log - exit 1 - securityContext: - {{- include "airlock-microgateway.restrictedSecurityContext" . | nindent 6 }} - runAsUser: $(SECURITYCONTEXT_UID) - operator_config.yaml: | - apiVersion: config.airlock.com/v1alpha1 - kind: OperatorConfig - health: - healthProbeBindAddress: :8081 - metrics: - bindAddress: 0.0.0.0:8080 - webhook: - port: 9443 - deployment: - sidecar: - engineContainerTemplate: "/sidecar/engine_container_template.yaml" - networkValidatorContainerTemplate: "/sidecar/network_validator_container_template.yaml" - sessionAgentContainerTemplate: "/sidecar/session_agent_container_template.yaml" - engine: - bootstrapConfigTemplate: "/engine_bootstrap_config_template.yaml" - log: - level: {{ .Values.operator.config.logLevel }} - {{- with $.Values.operator.watchNamespaceSelector }} - namespaces: - selector: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with $.Values.operator.watchNamespaces }} - namespaces: - list: - {{- toYaml . | nindent 8 }} - {{- end }} diff --git a/charts/airlock/microgateway/4.3.3/templates/operator/dashboard-configmap.yaml b/charts/airlock/microgateway/4.3.3/templates/operator/dashboard-configmap.yaml deleted file mode 100644 index b71ac89b6..000000000 --- a/charts/airlock/microgateway/4.3.3/templates/operator/dashboard-configmap.yaml +++ /dev/null @@ -1,28 +0,0 @@ -{{- if .Values.dashboards.create -}} -{{- range $instance := (keys .Values.dashboards.instances | sortAlpha) -}} -{{- $dashboard := get $.Values.dashboards.instances $instance -}} -{{- if $dashboard.create }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "airlock-microgateway.fullname" $ }}-dashboard-{{ $instance | lower }} - namespace: {{ $.Release.Namespace }} - labels: - {{- include "airlock-microgateway.operator.labels" $ | nindent 4 }} - {{- with $.Values.dashboards.config.grafana.dashboardLabel -}} - {{- .name | nindent 4 -}}: {{ .value | quote }} - {{- end }} - annotations: - {{- with $.Values.dashboards.config.grafana.folderAnnotation -}} - {{- .name | nindent 4 -}}: {{ .value | quote }} - {{- end }} - {{- with $.Values.commonAnnotations }} - {{- toYaml . | nindent 4 }} - {{- end }} -data: - {{- printf "%s.json" $instance | nindent 2 }}: |- - {{- ($.Files.Get (printf "dashboards/%s.json" $instance)) | nindent 4 -}} -{{- end -}} -{{- end -}} -{{- end -}} \ No newline at end of file diff --git a/charts/airlock/microgateway/4.3.3/templates/operator/deployment.yaml b/charts/airlock/microgateway/4.3.3/templates/operator/deployment.yaml deleted file mode 100644 index db340cdec..000000000 --- a/charts/airlock/microgateway/4.3.3/templates/operator/deployment.yaml +++ /dev/null @@ -1,143 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "airlock-microgateway.operator.fullname" . }} - namespace: {{ .Release.Namespace }} - labels: - {{- include "airlock-microgateway.operator.labels" . | nindent 4 }} - {{- with .Values.commonAnnotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -spec: - replicas: {{ .Values.operator.replicaCount }} - {{- with .Values.operator.updateStrategy }} - strategy: - {{- toYaml . | trim | nindent 4 }} - {{- end }} - selector: - matchLabels: - {{- include "airlock-microgateway.operator.selectorLabels" . | nindent 6 }} - template: - metadata: - annotations: - checksum/config: {{ include (print $.Template.BasePath "/operator/configmap.yaml") . | sha256sum }} - kubectl.kubernetes.io/default-container: manager - {{- with mustMerge .Values.operator.podAnnotations .Values.commonAnnotations}} - {{- toYaml . | nindent 8 }} - {{- end }} - labels: - {{- include "airlock-microgateway.operator.labels" . | nindent 8 }} - {{- with .Values.operator.podLabels }} - {{- toYaml . | nindent 8 }} - {{- end }} - spec: - containers: - - args: - - --config=operator_config.yaml - env: - - name: ENGINE_IMAGE - value: {{ include "airlock-microgateway.image" .Values.engine.image }} - - name: NETWORK_VALIDATOR_IMAGE - value: {{ include "airlock-microgateway.image" .Values.networkValidator.image }} - - name: SESSION_AGENT_IMAGE - value: {{ include "airlock-microgateway.image" .Values.sessionAgent.image }} - - name: OPERATOR_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: OPERATOR_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - image: {{ include "airlock-microgateway.image" .Values.operator.image }} - imagePullPolicy: {{ .Values.operator.image.pullPolicy }} - livenessProbe: - httpGet: - path: /healthz - port: 8081 - initialDelaySeconds: 15 - periodSeconds: 20 - timeoutSeconds: 5 - name: manager - ports: - - containerPort: 9443 - name: webhook-server - protocol: TCP - - containerPort: 13377 - name: xds-server - protocol: TCP - - containerPort: 8080 - protocol: TCP - - containerPort: 8081 - protocol: TCP - readinessProbe: - httpGet: - path: /readyz - port: 8081 - initialDelaySeconds: 5 - periodSeconds: 10 - timeoutSeconds: 5 - {{- with .Values.operator.resources }} - resources: - {{- toYaml . | nindent 10 }} - {{- end }} - securityContext: - {{- include "airlock-microgateway.restrictedSecurityContext" . | nindent 10 }} - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /tmp/k8s-webhook-server/serving-certs - name: cert - readOnly: true - - mountPath: /opt/airlock/license/ - name: airlock-microgateway-license - readOnly: true - - mountPath: /operator_config.yaml - name: operator-config - subPath: operator_config.yaml - - mountPath: /sidecar/engine_container_template.yaml - name: operator-config - subPath: engine_container_template.yaml - - mountPath: /sidecar/network_validator_container_template.yaml - name: operator-config - subPath: network_validator_container_template.yaml - - mountPath: /sidecar/session_agent_container_template.yaml - name: operator-config - subPath: session_agent_container_template.yaml - - mountPath: /engine_bootstrap_config_template.yaml - name: operator-config - subPath: engine_bootstrap_config_template.yaml - securityContext: - runAsNonRoot: true - serviceAccountName: {{ include "airlock-microgateway.operator.serviceAccountName" . }} - terminationGracePeriodSeconds: 10 - {{- with .Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.operator.nodeSelector }} - nodeSelector: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.operator.tolerations }} - tolerations: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.operator.affinity }} - affinity: - {{- toYaml . | nindent 8 }} - {{- end }} - volumes: - - name: cert - secret: - defaultMode: 420 - secretName: {{ include "airlock-microgateway.operator.fullname" . }}-webhook-server-cert - - name: airlock-microgateway-license - secret: - defaultMode: 292 - optional: true - secretName: {{ .Values.license.secretName }} - - configMap: - name: {{ include "airlock-microgateway.operator.fullname" . }}-config - name: operator-config diff --git a/charts/airlock/microgateway/4.3.3/templates/operator/manager-role.yaml b/charts/airlock/microgateway/4.3.3/templates/operator/manager-role.yaml deleted file mode 100644 index 90335bcfe..000000000 --- a/charts/airlock/microgateway/4.3.3/templates/operator/manager-role.yaml +++ /dev/null @@ -1,33 +0,0 @@ -{{- if .Values.operator.rbac.create }} -{{- if empty .Values.operator.watchNamespaces }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ include "airlock-microgateway.operator.fullname" . }}-manager-{{ .Release.Namespace }} - labels: - {{- include "airlock-microgateway.operator.labels" . | nindent 4 }} - {{- with .Values.commonAnnotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -rules: -{{ include "airlock-microgateway-operator.rbacRules" . -}} -{{- else }} -{{- range $namespace := (append .Values.operator.watchNamespaces .Release.Namespace | uniq) }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: {{ include "airlock-microgateway.operator.fullname" $ }}-manager - namespace: {{ $namespace }} - labels: - {{- include "airlock-microgateway.operator.labels" $ | nindent 4 }} - {{- with $.Values.commonAnnotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -rules: -{{ include "airlock-microgateway-operator.rbacRules" $ }} ---- -{{- end -}} -{{- end -}} -{{- end -}} diff --git a/charts/airlock/microgateway/4.3.3/templates/operator/manager-rolebinding.yaml b/charts/airlock/microgateway/4.3.3/templates/operator/manager-rolebinding.yaml deleted file mode 100644 index ae99cfb7b..000000000 --- a/charts/airlock/microgateway/4.3.3/templates/operator/manager-rolebinding.yaml +++ /dev/null @@ -1,45 +0,0 @@ -{{- if .Values.operator.rbac.create }} -{{- if empty .Values.operator.watchNamespaces }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: {{ include "airlock-microgateway.operator.fullname" . }}-manager-{{ .Release.Namespace }} - labels: - {{- include "airlock-microgateway.operator.labels" . | nindent 4 }} - {{- with .Values.commonAnnotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: {{ include "airlock-microgateway.operator.fullname" . }}-manager-{{ .Release.Namespace }} -subjects: - - kind: ServiceAccount - name: {{ include "airlock-microgateway.operator.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} -{{- else }} -{{- range $namespace := (append .Values.operator.watchNamespaces .Release.Namespace | uniq) }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: {{ include "airlock-microgateway.operator.fullname" $ }}-manager - namespace: {{ $namespace }} - labels: - {{- include "airlock-microgateway.operator.labels" $ | nindent 4 }} - {{- with $.Values.commonAnnotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: {{ include "airlock-microgateway.operator.fullname" $ }}-manager -subjects: - - kind: ServiceAccount - name: {{ include "airlock-microgateway.operator.serviceAccountName" $ }} - namespace: {{ $.Release.Namespace }} ---- -{{- end -}} -{{- end -}} -{{- end -}} diff --git a/charts/airlock/microgateway/4.3.3/templates/operator/metrics-service.yaml b/charts/airlock/microgateway/4.3.3/templates/operator/metrics-service.yaml deleted file mode 100644 index 34d23f6d6..000000000 --- a/charts/airlock/microgateway/4.3.3/templates/operator/metrics-service.yaml +++ /dev/null @@ -1,47 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: airlock-microgateway-operator-metrics - namespace: {{ .Release.Namespace }} - labels: - {{- include "airlock-microgateway.operator.labels" . | nindent 4 }} - {{- with .Values.operator.serviceLabels }} - {{- toYaml . | nindent 4 }} - {{- end }} - {{- with mustMerge .Values.operator.serviceAnnotations .Values.commonAnnotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -spec: - ports: - - appProtocol: http - name: metrics - port: 8080 - protocol: TCP - selector: - {{- include "airlock-microgateway.operator.selectorLabels" . | nindent 4 }} ---- -apiVersion: v1 -kind: Service -metadata: - name: airlock-microgateway-operator-leader-metrics - namespace: {{ .Release.Namespace }} - labels: - {{- include "airlock-microgateway.operator.labels" . | nindent 4 }} - {{- with .Values.operator.serviceLabels }} - {{- toYaml . | nindent 4 }} - {{- end }} - operator.microgateway.airlock.com/isLeader: "true" - {{- with mustMerge .Values.operator.serviceAnnotations .Values.commonAnnotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -spec: - ports: - - appProtocol: http - name: metrics - port: 8080 - protocol: TCP - selector: - {{- include "airlock-microgateway.operator.selectorLabels" . | nindent 4 }} - operator.microgateway.airlock.com/isLeader: "true" \ No newline at end of file diff --git a/charts/airlock/microgateway/4.3.3/templates/operator/mutating-webhook.yaml b/charts/airlock/microgateway/4.3.3/templates/operator/mutating-webhook.yaml deleted file mode 100644 index 311f9726a..000000000 --- a/charts/airlock/microgateway/4.3.3/templates/operator/mutating-webhook.yaml +++ /dev/null @@ -1,28 +0,0 @@ -apiVersion: admissionregistration.k8s.io/v1 -kind: MutatingWebhookConfiguration -metadata: - name: {{ include "airlock-microgateway.operator.fullname" . }}-webhook-{{ .Release.Namespace }} - namespace: {{ .Release.Namespace }} - labels: - {{- include "airlock-microgateway.operator.labels" . | nindent 4 }} - annotations: - cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "airlock-microgateway.operator.fullname" . }}-serving-cert - {{- with .Values.commonAnnotations }} - {{- toYaml . | nindent 4 }} - {{- end }} -webhooks: -{{- range $webhook := (include "airlock-microgateway-operator.mutatingWebhooks" .) | fromYamlArray }} -- {{ toYaml $webhook | indent 2 | trim }} - {{- with $.Values.operator.watchNamespaceSelector }} - namespaceSelector: - {{- toYaml . | nindent 4 }} - {{- end }} - {{- with $.Values.operator.watchNamespaces }} - namespaceSelector: - matchExpressions: - - key: kubernetes.io/metadata.name - operator: In - values: - {{- toYaml . | nindent 10 }} - {{- end }} -{{- end }} \ No newline at end of file diff --git a/charts/airlock/microgateway/4.3.3/templates/operator/podmonitor.yaml b/charts/airlock/microgateway/4.3.3/templates/operator/podmonitor.yaml deleted file mode 100644 index 1fe34fcb3..000000000 --- a/charts/airlock/microgateway/4.3.3/templates/operator/podmonitor.yaml +++ /dev/null @@ -1,27 +0,0 @@ -{{- if .Values.engine.sidecar.podMonitor.create }} -apiVersion: monitoring.coreos.com/v1 -kind: PodMonitor -metadata: - name: {{ include "airlock-microgateway.fullname" . }}-engine - namespace: {{ .Release.Namespace }} - labels: - {{- include "airlock-microgateway.operator.labels" . | nindent 4 }} - {{- with .Values.engine.sidecar.podMonitor.labels }} - {{- toYaml . | nindent 4 }} - {{- end }} - {{- with .Values.commonAnnotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -spec: - namespaceSelector: - any: true - selector: - matchLabels: - sidecar.microgateway.airlock.com/inject: "true" - microgateway.airlock.com/managedBy: {{ .Release.Namespace }} - podMetricsEndpoints: - - targetPort: 19002 - path: /metrics - scheme: http -{{- end -}} \ No newline at end of file diff --git a/charts/airlock/microgateway/4.3.3/templates/operator/role.yaml b/charts/airlock/microgateway/4.3.3/templates/operator/role.yaml deleted file mode 100644 index 5378be8ef..000000000 --- a/charts/airlock/microgateway/4.3.3/templates/operator/role.yaml +++ /dev/null @@ -1,45 +0,0 @@ -{{- if .Values.operator.rbac.create -}} -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: {{ include "airlock-microgateway.operator.fullname" . }}-leader-election - namespace: {{ .Release.Namespace }} - labels: - {{- include "airlock-microgateway.operator.labels" . | nindent 4 }} - {{- with .Values.commonAnnotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -rules: - - apiGroups: - - "" - resources: - - configmaps - verbs: - - get - - list - - watch - - create - - update - - patch - - delete - - apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - get - - list - - watch - - create - - update - - patch - - delete - - apiGroups: - - "" - resources: - - events - verbs: - - create - - patch -{{- end -}} \ No newline at end of file diff --git a/charts/airlock/microgateway/4.3.3/templates/operator/rolebinding.yaml b/charts/airlock/microgateway/4.3.3/templates/operator/rolebinding.yaml deleted file mode 100644 index bafec1015..000000000 --- a/charts/airlock/microgateway/4.3.3/templates/operator/rolebinding.yaml +++ /dev/null @@ -1,20 +0,0 @@ -{{- if .Values.operator.rbac.create -}} -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: {{ include "airlock-microgateway.operator.fullname" . }}-leader-election - namespace: {{ .Release.Namespace }} - labels: - {{- include "airlock-microgateway.operator.labels" . | nindent 4 }} - {{- with .Values.commonAnnotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: {{ include "airlock-microgateway.operator.fullname" . }}-leader-election -subjects: - - kind: ServiceAccount - name: {{ include "airlock-microgateway.operator.serviceAccountName" . }} -{{- end -}} diff --git a/charts/airlock/microgateway/4.3.3/templates/operator/selfsigned-issuer.yaml b/charts/airlock/microgateway/4.3.3/templates/operator/selfsigned-issuer.yaml deleted file mode 100644 index 466c56338..000000000 --- a/charts/airlock/microgateway/4.3.3/templates/operator/selfsigned-issuer.yaml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: cert-manager.io/v1 -kind: Issuer -metadata: - name: {{ include "airlock-microgateway.operator.fullname" . }}-selfsigned-issuer - namespace: {{ .Release.Namespace }} - labels: - {{- include "airlock-microgateway.operator.labels" . | nindent 4 }} - {{- with .Values.commonAnnotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -spec: - selfSigned: {} diff --git a/charts/airlock/microgateway/4.3.3/templates/operator/serviceaccount.yaml b/charts/airlock/microgateway/4.3.3/templates/operator/serviceaccount.yaml deleted file mode 100644 index 434d7e9d3..000000000 --- a/charts/airlock/microgateway/4.3.3/templates/operator/serviceaccount.yaml +++ /dev/null @@ -1,13 +0,0 @@ -{{- if .Values.operator.serviceAccount.create -}} -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ include "airlock-microgateway.operator.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} - labels: - {{- include "airlock-microgateway.operator.labels" . | nindent 4 }} - {{- with mustMerge .Values.operator.serviceAccount.annotations .Values.commonAnnotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -{{- end -}} diff --git a/charts/airlock/microgateway/4.3.3/templates/operator/servicemonitor.yaml b/charts/airlock/microgateway/4.3.3/templates/operator/servicemonitor.yaml deleted file mode 100644 index ff85a9a31..000000000 --- a/charts/airlock/microgateway/4.3.3/templates/operator/servicemonitor.yaml +++ /dev/null @@ -1,60 +0,0 @@ -{{- if .Values.operator.serviceMonitor.create }} -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: {{ include "airlock-microgateway.operator.fullname" . }} - namespace: {{ .Release.Namespace }} - labels: - {{- include "airlock-microgateway.operator.labels" . | nindent 4 }} - {{- with .Values.operator.serviceMonitor.labels }} - {{- toYaml . | nindent 4 }} - {{- end }} - {{- with .Values.commonAnnotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -spec: - selector: - matchLabels: - {{- include "airlock-microgateway.operator.selectorLabels" . | nindent 6 }} - matchExpressions: - - { key: "operator.microgateway.airlock.com/isLeader", operator: DoesNotExist } - endpoints: - - path: /metrics - port: metrics - scheme: http - metricRelabelings: - - sourceLabels: - - __name__ - regex: {{ include "airlock-microgateway.operator.metricsLeaderOnlyRegexPattern" . }} - action: drop ---- -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: {{ include "airlock-microgateway.operator.fullname" . }}-leader - namespace: {{ .Release.Namespace }} - labels: - {{- include "airlock-microgateway.operator.labels" . | nindent 4 }} - {{- with .Values.operator.serviceMonitor.labels }} - {{- toYaml . | nindent 4 }} - {{- end }} - {{- with .Values.commonAnnotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -spec: - selector: - matchLabels: - {{- include "airlock-microgateway.operator.selectorLabels" . | nindent 6 }} - operator.microgateway.airlock.com/isLeader: "true" - endpoints: - - path: /metrics - port: metrics - scheme: http - metricRelabelings: - - sourceLabels: - - __name__ - regex: {{ include "airlock-microgateway.operator.metricsLeaderOnlyRegexPattern" . }} - action: keep -{{- end -}} \ No newline at end of file diff --git a/charts/airlock/microgateway/4.3.3/templates/operator/serving-certificate.yaml b/charts/airlock/microgateway/4.3.3/templates/operator/serving-certificate.yaml deleted file mode 100644 index 60b92e1e2..000000000 --- a/charts/airlock/microgateway/4.3.3/templates/operator/serving-certificate.yaml +++ /dev/null @@ -1,19 +0,0 @@ -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: {{ include "airlock-microgateway.operator.fullname" . }}-serving-cert - namespace: {{ .Release.Namespace }} - labels: - {{- include "airlock-microgateway.operator.labels" . | nindent 4 }} - {{- with .Values.commonAnnotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -spec: - dnsNames: - - airlock-microgateway-operator-webhook.{{ .Release.Namespace }}.svc - - airlock-microgateway-operator-webhook.{{ .Release.Namespace }}.svc.cluster.local - issuerRef: - kind: Issuer - name: {{ include "airlock-microgateway.operator.fullname" . }}-selfsigned-issuer - secretName: {{ include "airlock-microgateway.operator.fullname" . }}-webhook-server-cert diff --git a/charts/airlock/microgateway/4.3.3/templates/operator/validating-webhook.yaml b/charts/airlock/microgateway/4.3.3/templates/operator/validating-webhook.yaml deleted file mode 100644 index 5d6b4396b..000000000 --- a/charts/airlock/microgateway/4.3.3/templates/operator/validating-webhook.yaml +++ /dev/null @@ -1,28 +0,0 @@ -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - name: {{ include "airlock-microgateway.operator.fullname" . }}-webhook-{{ .Release.Namespace }} - namespace: {{ .Release.Namespace }} - labels: - {{- include "airlock-microgateway.operator.labels" . | nindent 4 }} - annotations: - cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "airlock-microgateway.operator.fullname" . }}-serving-cert - {{- with .Values.commonAnnotations }} - {{- toYaml . | nindent 4 }} - {{- end }} -webhooks: -{{- range $webhook := (include "airlock-microgateway-operator.validatingWebhooks" .) | fromYamlArray }} -- {{ toYaml $webhook | indent 2 | trim }} - {{- with $.Values.operator.watchNamespaceSelector }} - namespaceSelector: - {{- toYaml . | nindent 4 }} - {{- end }} - {{- with $.Values.operator.watchNamespaces }} - namespaceSelector: - matchExpressions: - - key: kubernetes.io/metadata.name - operator: In - values: - {{- toYaml . | nindent 10 }} - {{- end }} -{{- end }} \ No newline at end of file diff --git a/charts/airlock/microgateway/4.3.3/templates/operator/webhook-service.yaml b/charts/airlock/microgateway/4.3.3/templates/operator/webhook-service.yaml deleted file mode 100644 index 477ea839f..000000000 --- a/charts/airlock/microgateway/4.3.3/templates/operator/webhook-service.yaml +++ /dev/null @@ -1,23 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: airlock-microgateway-operator-webhook - namespace: {{ .Release.Namespace }} - labels: - {{- include "airlock-microgateway.operator.labels" . | nindent 4 }} - {{- with .Values.operator.serviceLabels }} - {{- toYaml . | nindent 4 }} - {{- end }} - {{- with mustMerge .Values.operator.serviceAnnotations .Values.commonAnnotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -spec: - ports: - - appProtocol: https - name: webhook - port: 443 - protocol: TCP - targetPort: 9443 - selector: - {{- include "airlock-microgateway.operator.selectorLabels" . | nindent 4 }} \ No newline at end of file diff --git a/charts/airlock/microgateway/4.3.3/templates/operator/xds-service.yaml b/charts/airlock/microgateway/4.3.3/templates/operator/xds-service.yaml deleted file mode 100644 index 81b41acf5..000000000 --- a/charts/airlock/microgateway/4.3.3/templates/operator/xds-service.yaml +++ /dev/null @@ -1,24 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: airlock-microgateway-operator-xds - namespace: {{ .Release.Namespace }} - labels: - {{- include "airlock-microgateway.operator.labels" . | nindent 4 }} - {{- with .Values.operator.serviceLabels }} - {{- toYaml . | nindent 4 }} - {{- end }} - {{- with mustMerge .Values.operator.serviceAnnotations .Values.commonAnnotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -spec: - ports: - - appProtocol: grpc - name: xds - port: 13377 - protocol: TCP - targetPort: 13377 - selector: - {{- include "airlock-microgateway.operator.selectorLabels" . | nindent 4 }} - operator.microgateway.airlock.com/isLeader: "true" diff --git a/charts/airlock/microgateway/4.3.3/templates/scc-role.yaml b/charts/airlock/microgateway/4.3.3/templates/scc-role.yaml new file mode 100644 index 000000000..862748692 --- /dev/null +++ b/charts/airlock/microgateway/4.3.3/templates/scc-role.yaml @@ -0,0 +1,22 @@ +{{- if .Values.rbac.createSCCRole -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "airlock-microgateway-cni.fullname" . }}-privileged + namespace: {{ .Release.Namespace }} + labels: + {{- include "airlock-microgateway-cni.labels" . | nindent 4 }} + {{- with .Values.commonAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +rules: +- apiGroups: + - security.openshift.io + resourceNames: + - privileged + resources: + - securitycontextconstraints + verbs: + - use +{{- end -}} \ No newline at end of file diff --git a/charts/airlock/microgateway/4.3.3/templates/scc-rolebinding.yaml b/charts/airlock/microgateway/4.3.3/templates/scc-rolebinding.yaml new file mode 100644 index 000000000..ebd02982c --- /dev/null +++ b/charts/airlock/microgateway/4.3.3/templates/scc-rolebinding.yaml @@ -0,0 +1,20 @@ +{{- if .Values.rbac.createSCCRole -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ include "airlock-microgateway-cni.fullname" . }}-privileged + namespace: {{ .Release.Namespace }} + labels: + {{- include "airlock-microgateway-cni.labels" . | nindent 4 }} + {{- with .Values.commonAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ include "airlock-microgateway-cni.fullname" . }}-privileged +subjects: +- kind: ServiceAccount + name: {{ include "airlock-microgateway-cni.serviceAccountName" . }} +{{- end -}} diff --git a/charts/airlock/microgateway/4.3.3/templates/serviceaccount.yaml b/charts/airlock/microgateway/4.3.3/templates/serviceaccount.yaml new file mode 100644 index 000000000..3dc8d58ea --- /dev/null +++ b/charts/airlock/microgateway/4.3.3/templates/serviceaccount.yaml @@ -0,0 +1,13 @@ +{{- if .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "airlock-microgateway-cni.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "airlock-microgateway-cni.labels" . | nindent 4 }} + {{- with mustMerge .Values.serviceAccount.annotations .Values.commonAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end -}} diff --git a/charts/airlock/microgateway/4.3.3/templates/tests/rbac.yaml b/charts/airlock/microgateway/4.3.3/templates/tests/rbac.yaml index 93bd4cd1b..744799333 100644 --- a/charts/airlock/microgateway/4.3.3/templates/tests/rbac.yaml +++ b/charts/airlock/microgateway/4.3.3/templates/tests/rbac.yaml @@ -2,142 +2,63 @@ apiVersion: v1 kind: ServiceAccount metadata: - labels: - app.kubernetes.io/component: tests - app.kubernetes.io/name: {{ include "airlock-microgateway.name" . }}-tests - {{- include "airlock-microgateway.sharedLabels" . | nindent 4 }} - name: "{{ include "airlock-microgateway.fullname" . }}-tests" + name: "{{ include "airlock-microgateway-cni.fullname" . }}-tests" namespace: {{ .Release.Namespace }} + labels: + {{- include "airlock-microgateway-cni.labelsWithoutComponent" . | nindent 4 }} + app.kubernetes.io/component: tests --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: - labels: - app.kubernetes.io/component: tests - app.kubernetes.io/name: {{ include "airlock-microgateway.name" . }}-tests - {{- include "airlock-microgateway.sharedLabels" . | nindent 4 }} - name: "{{ include "airlock-microgateway.fullname" . }}-tests" + name: "{{ include "airlock-microgateway-cni.fullname" . }}-tests" namespace: {{ .Release.Namespace }} + labels: + {{- include "airlock-microgateway-cni.labelsWithoutComponent" . | nindent 4 }} + app.kubernetes.io/component: tests roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: "{{ include "airlock-microgateway.fullname" . }}-tests" + name: "{{ include "airlock-microgateway-cni.fullname" . }}-tests" subjects: - kind: ServiceAccount - name: "{{ include "airlock-microgateway.fullname" . }}-tests" + name: "{{ include "airlock-microgateway-cni.fullname" . }}-tests" --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - labels: - app.kubernetes.io/component: tests - app.kubernetes.io/name: {{ include "airlock-microgateway.name" . }}-tests - {{- include "airlock-microgateway.sharedLabels" . | nindent 4 }} - name: "{{ include "airlock-microgateway.fullname" . }}-tests" + name: "{{ include "airlock-microgateway-cni.fullname" . }}-tests" namespace: {{ .Release.Namespace }} + labels: + {{- include "airlock-microgateway-cni.labelsWithoutComponent" . | nindent 4 }} + app.kubernetes.io/component: tests rules: - apiGroups: - - microgateway.airlock.com + - "apps" resources: - - sidecargateways + - daemonsets resourceNames: - - "{{ include "airlock-microgateway.fullname" . }}-test-sidecargateway" + - {{ include "airlock-microgateway-cni.fullname" . }} verbs: - - get - - list - - watch - - delete + - get + - watch + - list - apiGroups: - - microgateway.airlock.com + - "" resources: - - sidecargateways + - pods + - pods/log verbs: - - create + - get + - list +{{- if .Values.rbac.createSCCRole }} - apiGroups: - - "" - resources: - - events - verbs: - - list -- apiGroups: - - "apps" - resources: - - deployments + - security.openshift.io resourceNames: - - "{{ include "airlock-microgateway.operator.fullname" . }}" - verbs: - - get - - list - - watch -- apiGroups: - - "apps" + - privileged resources: - - statefulsets - - statefulsets/scale - resourceNames: - - "{{ include "airlock-microgateway.fullname" . }}-test-backend" + - securitycontextconstraints verbs: - - get - - list - - watch - - patch -- apiGroups: - - "" - resources: - - pods - - pods/log - - pods/status - - pods/attach - resourceNames: - - "{{ include "airlock-microgateway.fullname" . }}-test-backend-0" - - "{{ include "airlock-microgateway.fullname" . }}-test-valid-request" - - "{{ include "airlock-microgateway.fullname" . }}-test-injection-request" - verbs: - - get - - list - - create - - watch - - delete -- apiGroups: - - "" - resources: - - pods - verbs: - - create -{{- if .Values.operator.watchNamespaceSelector }} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - app.kubernetes.io/component: tests - app.kubernetes.io/name: {{ include "airlock-microgateway.name" . }}-tests - {{- include "airlock-microgateway.sharedLabels" . | nindent 4 }} - name: "{{ include "airlock-microgateway.fullname" . }}-tests-{{ .Release.Namespace }}" -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: "{{ include "airlock-microgateway.fullname" . }}-tests-{{ .Release.Namespace }}" -subjects: - - kind: ServiceAccount - name: "{{ include "airlock-microgateway.fullname" . }}-tests" - namespace: {{ .Release.Namespace }} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app.kubernetes.io/component: tests - app.kubernetes.io/name: {{ include "airlock-microgateway.name" . }}-tests - {{- include "airlock-microgateway.sharedLabels" . | nindent 4 }} - name: "{{ include "airlock-microgateway.fullname" . }}-tests-{{ .Release.Namespace }}" -rules: -- apiGroups: - - "" - resources: - - namespaces - verbs: - - get - - list -{{- end }} + - use +{{- end -}} {{- end -}} diff --git a/charts/airlock/microgateway/4.3.3/templates/tests/service.yaml b/charts/airlock/microgateway/4.3.3/templates/tests/service.yaml deleted file mode 100644 index 30ddc278d..000000000 --- a/charts/airlock/microgateway/4.3.3/templates/tests/service.yaml +++ /dev/null @@ -1,23 +0,0 @@ -{{- if .Values.tests.enabled -}} -apiVersion: v1 -kind: Service -metadata: - name: "{{ include "airlock-microgateway.fullname" . }}-test-service" - namespace: {{ .Release.Namespace }} - labels: - app: test-service - app.kubernetes.io/component: test-install - app.kubernetes.io/name: {{ include "airlock-microgateway.name" . }}-tests - {{- include "airlock-microgateway.sharedLabels" . | nindent 4 }} - {{- include "airlock-microgateway.sharedSelectorLabels" . | nindent 4 }} -spec: - selector: - app.kubernetes.io/component: test-install - app.kubernetes.io/name: {{ include "airlock-microgateway.name" . }}-tests - app: "{{ include "airlock-microgateway.fullname" . }}-test-backend" - {{- include "airlock-microgateway.sharedSelectorLabels" . | nindent 4 }} - ports: - - name: http - port: 8080 - targetPort: 8080 -{{- end -}} \ No newline at end of file diff --git a/charts/airlock/microgateway/4.3.3/templates/tests/statefulset.yaml b/charts/airlock/microgateway/4.3.3/templates/tests/statefulset.yaml deleted file mode 100644 index 710a7b9f6..000000000 --- a/charts/airlock/microgateway/4.3.3/templates/tests/statefulset.yaml +++ /dev/null @@ -1,56 +0,0 @@ -{{- if .Values.tests.enabled -}} -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: "{{ include "airlock-microgateway.fullname" . }}-test-backend" - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/component: test-install - app.kubernetes.io/name: {{ include "airlock-microgateway.name" . }}-tests - app: "{{ include "airlock-microgateway.fullname" . }}-test-backend" - {{- include "airlock-microgateway.sharedLabels" . | nindent 4 }} - {{- include "airlock-microgateway.sharedSelectorLabels" . | nindent 4 }} -spec: - serviceName: nginx - replicas: 0 - selector: - matchLabels: - app.kubernetes.io/component: test-install - app.kubernetes.io/name: {{ include "airlock-microgateway.name" . }}-tests - app: "{{ include "airlock-microgateway.fullname" . }}-test-backend" - {{- include "airlock-microgateway.sharedSelectorLabels" . | nindent 6 }} - template: - metadata: - annotations: - k8s.v1.cni.cncf.io/networks: default/airlock-microgateway-cni - labels: - sidecar.microgateway.airlock.com/inject: "true" - sidecar.istio.io/inject: "false" - app.kubernetes.io/component: test-install - app.kubernetes.io/name: {{ include "airlock-microgateway.name" . }}-tests - app: "{{ include "airlock-microgateway.fullname" . }}-test-backend" - {{- include "airlock-microgateway.sharedLabels" . | nindent 8 }} - {{- include "airlock-microgateway.sharedSelectorLabels" . | nindent 8 }} - spec: - containers: - - image: cgr.dev/chainguard/nginx - name: nginx - ports: - - containerPort: 8080 - volumeMounts: - - mountPath: /var/lib/nginx/tmp/ - name: nginx-tmp - - mountPath: /var/run - name: nginx-run - securityContext: - {{- include "airlock-microgateway.restrictedSecurityContext" . | nindent 12 }} - {{- with .Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} - {{- end }} - volumes: - - emptyDir: {} - name: nginx-tmp - - emptyDir: {} - name: nginx-run -{{- end -}} \ No newline at end of file diff --git a/charts/airlock/microgateway/4.3.3/templates/tests/test-install.yaml b/charts/airlock/microgateway/4.3.3/templates/tests/test-install.yaml index ab82abea7..12d8c8de7 100644 --- a/charts/airlock/microgateway/4.3.3/templates/tests/test-install.yaml +++ b/charts/airlock/microgateway/4.3.3/templates/tests/test-install.yaml @@ -2,14 +2,11 @@ apiVersion: v1 kind: Pod metadata: - name: "{{ include "airlock-microgateway.fullname" . }}-test-install" + name: "{{ include "airlock-microgateway-cni.fullname" . }}-test-install" namespace: {{ .Release.Namespace }} labels: + {{- include "airlock-microgateway-cni.labelsWithoutComponent" . | nindent 4 }} app.kubernetes.io/component: test-install - app.kubernetes.io/name: {{ include "airlock-microgateway.name" . }}-tests - sidecar.istio.io/inject: "false" - {{- include "airlock-microgateway.sharedLabels" . | nindent 4 }} - {{- include "airlock-microgateway.sharedSelectorLabels" . | nindent 4 }} annotations: helm.sh/hook: test helm.sh/hook-delete-policy: before-hook-creation @@ -19,209 +16,88 @@ spec: - name: test image: "bitnami/kubectl:{{ .Capabilities.KubeVersion.Major }}.{{ .Capabilities.KubeVersion.Minor }}" securityContext: - {{- include "airlock-microgateway.restrictedSecurityContext" . | nindent 6 }} + allowPrivilegeEscalation: {{ .Values.privileged }} + capabilities: + drop: + - ALL + privileged: {{ .Values.privileged }} + readOnlyRootFilesystem: true + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /host/opt/cni/bin + name: cni-bin-dir + readOnly: true + - mountPath: /host/etc/cni/net.d + name: cni-net-dir + readOnly: true command: - sh - -c - | set -eu - clean_up() { - echo "" - echo "### Clean up test resources" - kubectl delete --ignore-not-found=true -n {{ .Release.Namespace }} sidecargateways.microgateway.airlock.com {{ include "airlock-microgateway.fullname" . }}-test-sidecargateway || true - echo "" - echo "### Scale down '{{ include "airlock-microgateway.fullname" . }}-test-backend'" - kubectl scale -n {{ .Release.Namespace }} statefulset/{{ include "airlock-microgateway.fullname" . }}-test-backend --replicas=0 --timeout=60s - sleep 3s - echo "" - } - fail() { + echo "Error: ${1}" echo "" - echo "### Error: ${1}" - echo "" - - if kubectl get -n {{ .Release.Namespace }} sidecargateway.microgateway.airlock.com/{{ include "airlock-microgateway.fullname" . }}-test-sidecargateway >/dev/null 2>&1; then - echo "" - echo 'Microgateway Sidecargateway status:' - kubectl get -n {{ .Release.Namespace }} sidecargateway.microgateway.airlock.com/{{ include "airlock-microgateway.fullname" . }}-test-sidecargateway -o jsonpath-as-json='{.status}' || true - echo "" - echo "" - fi - - if kubectl get -n {{ .Release.Namespace }} pods/{{ include "airlock-microgateway.fullname" . }}-test-backend-0 >/dev/null 2>&1; then - echo "Pod '{{ include "airlock-microgateway.fullname" . }}-test-backend-0':" - kubectl describe -n {{ .Release.Namespace }} pods/{{ include "airlock-microgateway.fullname" . }}-test-backend-0 || true - echo "" - echo "" - echo 'Logs of Nginx container:' - kubectl logs -n {{ .Release.Namespace }} pods/{{ include "airlock-microgateway.fullname" . }}-test-backend-0 -c nginx --tail 5 || true - echo "" - echo "" - # Wait for engine logs - sleep 10s - echo 'Logs of Microgateway Engine container:' - kubectl logs -n {{ .Release.Namespace }} pods/{{ include "airlock-microgateway.fullname" . }}-test-backend-0 -c airlock-microgateway-engine --tail 5 || true - fi - + echo 'CNI installer logs:' + kubectl logs -n {{ .Release.Namespace }} daemonsets/{{ include "airlock-microgateway-cni.fullname" .}} -c cni-installer exit 1 } - create_sidecargateway() { - # create SidecarGateway resource for testing purposes - kubectl delete --ignore-not-found=true -n {{ .Release.Namespace }} sidecargateways.microgateway.airlock.com {{ include "airlock-microgateway.fullname" . }}-test-sidecargateway || true - kubectl apply -f - </dev/null 2>&1; do sleep 1s; i=$((i+1)); done - kubectl logs -f -n {{ .Release.Namespace }} {{ include "airlock-microgateway.fullname" . }}-test-valid-request - kubectl delete pod --ignore-not-found=true -n {{ .Release.Namespace }} {{ include "airlock-microgateway.fullname" . }}-test-valid-request - } - - {{- if .Values.operator.watchNamespaceSelector }} - echo "### Verify that Namespace Selector matches Namespace '{{ .Release.Namespace }}'" - if ! kubectl get namespace -l '{{ include "airlock-microgateway.watchNamespaceSelector.labelQuery" .Values.operator.watchNamespaceSelector }}' | grep -q {{ .Release.Namespace }}; then - labels=$(kubectl get namespace {{ .Release.Namespace }} -o jsonpath={.metadata.labels} | jq | awk '{print " " $0}') - fail {{printf `"Operator namespace '%s' is not part of the operator's watch scope. To execute 'helm test', the selector configured in the helm value 'operator.watchNamespaceSelector' must match the namespace's labels:\n* Current selector:\n%s\n\n* Current labels:\n$labels\n###"` - .Release.Namespace - (replace "\"" "\\\"" (replace "\n" "\\n" (.Values.operator.watchNamespaceSelector | toPrettyJson | indent 2))) - }} + if ! kubectl rollout status --timeout=60s -n {{ .Release.Namespace }} daemonsets/{{ include "airlock-microgateway-cni.fullname" .}}; then + fail 'CNI DaemonSet rollout did not complete within timeout' fi - echo "" - {{- end }} - trap clean_up EXIT - echo "" - - echo "### Waiting for Microgateway Operator Deployments to be ready" - if ! kubectl rollout status -n {{ .Release.Namespace }} --timeout=90s \ - deployments/{{ include "airlock-microgateway.operator.fullname" . }}; then - fail 'Timout occurred' + echo "Checking whether CNI binary was installed" + if ! [ -f "/host/opt/cni/bin/{{ include "airlock-microgateway-cni.fullname" . }}" ]; then + fail 'CNI binary was not installed' fi - echo "" - echo "### Scale '{{ include "airlock-microgateway.fullname" . }}-test-backend' to '1' replica" - # scale to zero replicas to ensure no pods are present from previous runs - kubectl scale -n {{ .Release.Namespace }} statefulset/{{ include "airlock-microgateway.fullname" . }}-test-backend --replicas=0 --timeout=10s - kubectl scale -n {{ .Release.Namespace }} statefulset/{{ include "airlock-microgateway.fullname" . }}-test-backend --replicas=1 --timeout=10s - echo "" - - echo "### Waiting for backend pod" - i=0 - while true; do - if kubectl get -n {{ .Release.Namespace }} pods/{{ include "airlock-microgateway.fullname" . }}-test-backend-0; then - break - elif [ $i -gt 3 ]; then - fail 'Pod not ready' - fi - sleep 2s - i=$((i+1)) - done - - echo "### Checking Microgateway Engine sidecar container was injected" - if ! kubectl get -n {{ .Release.Namespace }} pods/{{ include "airlock-microgateway.fullname" . }}-test-backend-0 -o jsonpath='{.spec.containers[?(@.name=="airlock-microgateway-engine")]}' | grep -q "airlock-microgateway-engine"; then - fail 'Microgateway Engine sidecar container not injected' + echo "Checking whether CNI kubeconfig was installed" + if ! [ -f "/host/etc/cni/net.d/{{ include "airlock-microgateway-cni.fullname" . }}-kubeconfig" ]; then + fail 'CNI kubeconfig was not created' fi - echo "True" - echo "" - echo "### Checking for valid license" - i=0 - while true; do - if [ "$(kubectl get -n {{ .Release.Namespace }} pods/{{ include "airlock-microgateway.fullname" . }}-test-backend-0 -o jsonpath='{.metadata.labels.sidecar\.microgateway\.airlock\.com/licensed}')" = 'true' ]; then - break - elif [ $i -gt 30 ]; then - fail 'Microgateway license is missing or invalid' - fi - sleep 2s - i=$((i+1)) - done - echo "True" - echo "" + echo "Checking whether CNI configuration was written" + case {{ .Values.config.installMode }} in + "chained") + for file in "/host/etc/cni/net.d/"*.conflist; do + if containsMGWCNIConf "${file}"; then + echo "Success" + exit 0 + fi + done + ;; + "standalone") + if containsMGWCNIConf "/host/etc/cni/net.d/{{ include "airlock-microgateway-cni.fullname" . }}.conflist"; then + echo "Success" + exit 0 + fi + ;; + "manual") + echo "- Skipping because we are in 'manual' install mode" + echo "Success" + exit 0 + ;; + esac - echo "### Create SidecarGateway resource for testing" - if ! create_sidecargateway ; then - fail 'Creation of SidecarGateway resource failed' - fi - echo "" - - echo "### Waiting for '{{ include "airlock-microgateway.fullname" . }}-test-backend' to be ready" - if ! kubectl rollout status -n {{ .Release.Namespace }} statefulset/{{ include "airlock-microgateway.fullname" . }}-test-backend --timeout=90s; then - fail 'Timout occurred' - fi - echo "" - - echo "### Waiting for 'engine-config-valid' condition" - if ! kubectl wait -n {{ .Release.Namespace }} pods --field-selector=metadata.name={{ include "airlock-microgateway.fullname" . }}-test-backend-0 --timeout=90s --for=condition=microgateway.airlock.com/engine-config-valid=True; then - fail 'Configuration was never accepted by the Microgateway Engine' - fi - sleep 5s - echo "" - echo "" - - echo "### Checking whether a valid request is successful and returns HTTP status code '200'" - out=$(curl -vsS --retry 3 --retry-connrefused --connect-timeout 10 "http://{{ include "airlock-microgateway.fullname" . }}-test-service:8080/" || true) - echo "Response:" - echo "${out}" - if ! echo "${out}" | grep -q "200 OK"; then - fail 'A valid request was not successful' - fi - echo "" - echo "" - - echo "### Checking whether a request with an injection attack is blocked and returns HTTP status code '400'" - out=$(curl -vsS --retry 3 --retry-connrefused --connect-timeout 10 "http://{{ include "airlock-microgateway.fullname" . }}-test-service:8080/?token='%20UnION%20all%20select%20A" || true) - echo "Response:" - echo "${out}" - if ! echo "${out}" | grep -q "400 Bad Request"; then - fail 'A malicious request was not blocked' - fi - echo "" - echo "" - - echo "### Installation of '{{ include "airlock-microgateway.fullname" . }}' succeeded" - exit 0 - serviceAccountName: "{{ include "airlock-microgateway.fullname" . }}-tests" + fail 'Configuration for plugin "{{ include "airlock-microgateway-cni.fullname" . }}" was not found' + serviceAccountName: "{{ include "airlock-microgateway-cni.fullname" . }}-tests" + volumes: + - hostPath: + path: "{{ .Values.config.cniBinDir }}" + type: Directory + name: cni-bin-dir + - hostPath: + path: "{{ .Values.config.cniNetDir }}" + type: Directory + name: cni-net-dir {{- end -}} diff --git a/charts/airlock/microgateway/4.3.3/values.schema.json b/charts/airlock/microgateway/4.3.3/values.schema.json index 173d6b084..e087bd700 100644 --- a/charts/airlock/microgateway/4.3.3/values.schema.json +++ b/charts/airlock/microgateway/4.3.3/values.schema.json @@ -14,15 +14,6 @@ "commonAnnotations": { "$ref": "#/definitions/StringMap" }, - "crds": { - "type": "object", - "properties": { - "skipVersionCheck": { - "type": "boolean" - } - }, - "additionalProperties": false - }, "imagePullSecrets": { "type": "array", "items": { @@ -39,304 +30,120 @@ "additionalProperties": true } }, - "operator": { + "image": { + "$ref": "#/definitions/Image" + }, + "podAnnotations": { + "$ref": "#/definitions/StringMap" + }, + "podLabels": { + "$ref": "#/definitions/StringMap" + }, + "resources": { + "type": "object" + }, + "nodeSelector": { + "$ref": "#/definitions/StringMap" + }, + "affinity": { + "type": "object" + }, + "rbac": { "type": "object", "properties": { - "replicaCount": { - "type": "integer", - "minimum": 0 - }, - "updateStrategy": { - "$ref": "#/definitions/UpdateStrategy" - }, - "image": { - "$ref": "#/definitions/Image" - }, - "podAnnotations": { - "$ref": "#/definitions/StringMap" - }, - "podLabels": { - "$ref": "#/definitions/StringMap" - }, - "serviceAnnotations": { - "$ref": "#/definitions/StringMap" - }, - "serviceLabels": { - "$ref": "#/definitions/StringMap" - }, - "resources": { - "type": "object" - }, - "nodeSelector": { - "$ref": "#/definitions/StringMap" - }, - "tolerations": { - "type": "array", - "items": { - "type": "object" - } - }, - "affinity": { - "type": "object" - }, - "config": { - "type": "object", - "properties": { - "logLevel": { - "type": "string", - "enum": [ - "debug", - "info", - "warn", - "error" - ] - } - }, - "required": [ - "logLevel" - ], - "additionalProperties": false - }, - "serviceAccount": { - "type": "object", - "properties": { - "create": { - "type": "boolean" - }, - "annotations": { - "$ref": "#/definitions/StringMap" - }, - "name": { - "type": "string" - } - }, - "required": [ - "annotations", - "create", - "name" - ], - "additionalProperties": false - }, - "watchNamespaces": { - "type": "array", - "items": { - "type": "string" - } - }, - "watchNamespaceSelector": { - "$ref": "#/definitions/LabelSelector" - }, - "rbac": { - "type": "object", - "properties": { - "create": { - "type": "boolean" - } - }, - "required": [ - "create" - ], - "additionalProperties": false - }, - "serviceMonitor": { - "type": "object", - "properties": { - "create": { - "type": "boolean" - }, - "labels": { - "$ref": "#/definitions/StringMap" - } - }, - "required": [ - "create" - ], - "additionalProperties": false - } - }, - "oneOf": [ - { - "properties": { - "watchNamespaces": { - "minItems": 1 - }, - "watchNamespaceSelector": { - "additionalProperties": false - } - } - }, - { - "properties": { - "watchNamespaces": { - "maxItems": 0 - }, - "watchNamespaceSelector": { - "$ref": "#/definitions/LabelSelector" - } - } - } - ], - "required": [ - "affinity", - "config", - "image", - "updateStrategy", - "nodeSelector", - "podAnnotations", - "podLabels", - "rbac", - "replicaCount", - "resources", - "serviceAccount", - "serviceAnnotations", - "serviceLabels", - "serviceMonitor", - "tolerations" - ], - "additionalProperties": false - }, - "engine": { - "type": "object", - "properties": { - "image": { - "$ref": "#/definitions/Image" - }, - "resources": { - "type": "object" - }, - "sidecar": { - "type": "object", - "properties":{ - "podMonitor": { - "type": "object", - "properties": { - "create": { - "type": "boolean" - }, - "labels": { - "$ref": "#/definitions/StringMap" - } - }, - "required": [ - "create" - ], - "additionalProperties": false - } - }, - "required": [ - "podMonitor" - ], - "additionalProperties": false - } - }, - "required": [ - "image", - "resources", - "sidecar" - ], - "additionalProperties": false - }, - "networkValidator": { - "type": "object", - "properties": { - "image": { - "$ref": "#/definitions/Image" - } - }, - "required": [ - "image" - ], - "additionalProperties": false - }, - "sessionAgent": { - "type": "object", - "properties": { - "image": { - "$ref": "#/definitions/Image" - }, - "resources": { - "type": "object" - } - }, - "required": [ - "image", - "resources" - ], - "additionalProperties": false - }, - "license": { - "type": "object", - "properties": { - "secretName": { - "type": "string", - "minLength": 1 - } - }, - "required": [ - "secretName" - ], - "additionalProperties": false - }, - "dashboards": { - "type": "object", - "properties" : { "create": { "type": "boolean" }, - "config": { - "type": "object", - "properties": { - "grafana": { - "type": "object", - "properties": { - "folderAnnotation": { - "$ref": "#/definitions/NameValuePair" - }, - "dashboardLabel": { - "$ref": "#/definitions/NameValuePair" - } - }, - "required": [ - "folderAnnotation", - "dashboardLabel" - ], - "additionalProperties": false - } - }, - "required": [ - "grafana" - ], - "additionalProperties": false - }, - "instances": { - "type": "object", - "properties": { - "overview": { - "$ref": "#/definitions/DashboardInstance" - }, - "license" : { - "$ref": "#/definitions/DashboardInstance" - }, - "blockMetrics" : { - "$ref": "#/definitions/DashboardInstance" - }, - "blockLogs" : { - "$ref": "#/definitions/DashboardInstance" - } - }, - "required": [ - "overview", - "license", - "blockMetrics", - "blockLogs" - ], - "additionalProperties": false + "createSCCRole": { + "type": "boolean" } }, "required": [ "create", - "config", - "instances" + "createSCCRole" + ], + "additionalProperties": false + }, + "privileged": { + "type": "boolean" + }, + "serviceAccount": { + "type": "object", + "properties": { + "create": { + "type": "boolean" + }, + "annotations": { + "$ref": "#/definitions/StringMap" + }, + "name": { + "type": "string" + } + }, + "required": [ + "annotations", + "create", + "name" + ], + "additionalProperties": false + }, + "multusNetworkAttachmentDefinition": { + "type": "object", + "properties": { + "create": { + "type": "boolean" + }, + "namespace": { + "type": "string" + } + }, + "required": [ + "create", + "namespace" + ], + "additionalProperties": false + }, + "config": { + "type": "object", + "properties": { + "installMode": { + "type": "string", + "enum": [ + "chained", + "standalone", + "manual" + ] + }, + "logLevel": { + "type": "string", + "enum": [ + "debug", + "info", + "warn", + "error" + ] + }, + "cniNetDir": { + "type": "string", + "minLength": 1 + }, + "cniBinDir": { + "type": "string", + "minLength": 1 + }, + "excludeNamespaces": { + "type": "array", + "items": { + "type": "string" + } + } + }, + "required": [ + "cniBinDir", + "cniNetDir", + "excludeNamespaces", + "installMode", + "logLevel" ], "additionalProperties": false }, @@ -357,18 +164,22 @@ } }, "required": [ + "affinity", "commonAnnotations", "commonLabels", - "crds", - "engine", + "config", "fullnameOverride", + "image", "imagePullSecrets", - "license", + "multusNetworkAttachmentDefinition", "nameOverride", - "operator", - "networkValidator", - "sessionAgent", - "dashboards", + "nodeSelector", + "podAnnotations", + "podLabels", + "privileged", + "rbac", + "resources", + "serviceAccount", "tests" ], "additionalProperties": false, @@ -409,132 +220,6 @@ "tag" ], "additionalProperties": false - }, - "LabelSelector": { - "type": "object", - "properties": { - "matchExpressions": { - "type": "array", - "items": { - "type": "object", - "required": [ - "key", - "operator" - ], - "properties": { - "key": { - "type": "string" - }, - "operator": { - "type": "string" - }, - "values": { - "type": "array", - "items": { - "type": "string" - } - } - }, - "additionalProperties": false - } - }, - "matchLabels": { - "$ref": "#/definitions/StringMap" - } - }, - "additionalProperties": false - }, - "UpdateStrategy": { - "type": "object", - "oneOf" : [ - { - "properties": { - "type": { - "$ref": "#/definitions/RecreateType" - } - }, - "required": [ - "type" - ], - "additionalProperties": false - }, - { - "properties": { - "type": { - "$ref": "#/definitions/RollingUpdateType" - }, - "rollingUpdate": { - "$ref": "#/definitions/RollingUpdate" - } - }, - "required": [ - "type" - ], - "additionalProperties": false - } - ] - }, - "RecreateType": { - "type": "string", - "enum": [ - "Recreate" - ] - }, - "RollingUpdateType": { - "type": "string", - "enum": [ - "RollingUpdate" - ] - }, - "RollingUpdate": { - "type": "object", - "properties": { - "maxSurge": { - "type": ["integer", "string"], - "minimum": 0, - "pattern": "^\\d+%?$" - }, - "maxUnavailable": { - "type": ["integer", "string"], - "minimum": 0, - "pattern": "^\\d+%?$" - } - }, - "anyOf": [ - {"required": ["maxSurge"]}, - {"required": ["maxUnavailable"]} - ], - "additionalProperties": false - }, - "DashboardInstance" : { - "type" : "object", - "properties" : { - "create" : { - "type" : "boolean" - } - }, - "required" : [ - "create" - ], - "additionalProperties": false - }, - "NameValuePair" : { - "type" : "object", - "properties" : { - "name" : { - "type": "string", - "minLength": 1 - }, - "value" : { - "type" : "string", - "minLength": 1 - } - }, - "required" : [ - "name", - "value" - ], - "additionalProperties": false } } } diff --git a/charts/airlock/microgateway/4.3.3/values.yaml b/charts/airlock/microgateway/4.3.3/values.yaml index 03fc87d21..3dc707bae 100644 --- a/charts/airlock/microgateway/4.3.3/values.yaml +++ b/charts/airlock/microgateway/4.3.3/values.yaml @@ -1,4 +1,4 @@ -# -- Allows overriding the name to use instead of "microgateway". +# -- Allows overriding the name to use instead of "microgateway-cni". nameOverride: "" # -- Allows overriding the name to use as full name of resources. fullnameOverride: "" @@ -10,203 +10,75 @@ commonAnnotations: {} imagePullSecrets: [] # - name: myRegistryKeySecretName -crds: - # -- Whether to skip the sanity check which prevents installing/upgrading the helm chart in a cluster with outdated Airlock Microgateway CRDs. - # The check aims to prevent unexpected behavior and issues due to Helm v3 not automatically upgrading CRDs which are already present in the cluster - # when performing a "helm install/upgrade". - skipVersionCheck: false -operator: - # -- Number of replicas for the operator Deployment. - replicaCount: 2 - # -- Specifies the operator update strategy. - updateStrategy: - type: RollingUpdate - # Specifies the Airlock Microgateway Operator image. - image: - # -- Image repository from which to pull the Airlock Microgateway Operator image. - repository: "quay.io/airlock/microgateway-operator" - # -- Image tag to pull. - tag: "4.3.3" - # -- SHA256 image digest to pull (in the format "sha256:c79ee3f85862fb386e9dd62b901b607161d27807f512d7fbdece05e9ee3d7c63"). - # Overrides tag when specified. - digest: "sha256:6d3ebca355de0a67f0bf5f088a15b9410564e500033d3e1f534a2f49a05bf4c3" - # -- Pull policy for this image. - pullPolicy: IfNotPresent - # -- Annotations to add to all Pods. - podAnnotations: {} - # -- Labels to add to all Pods. - podLabels: {} - # -- Annotations to add to the Service. - serviceAnnotations: {} - # prometheus.io/scrape: "true" - # prometheus.io/port: "8080" - - # -- Labels to add to the Service. - serviceLabels: {} - # -- Resource restrictions to apply to the operator container. - resources: {} - # We recommend at least the following resource specification. - # limits: - # cpu: 1000m - # memory: 512Mi - # requests: - # cpu: 100m - # memory: 512Mi - - # -- Custom nodeSelector to apply to the operator Deployment in order to constrain its Pods to certain nodes. - nodeSelector: {} - # -- Custom tolerations to apply to the operator Deployment in order to allow its Pods to run on tainted nodes. - tolerations: [] - # -- Custom affinity to apply to the operator Deployment. Used to influence the scheduling. - affinity: {} - # Parameters for the operator configuration. - config: - # -- Operator application log level. - logLevel: "info" - # Configures the generation of the ServiceAccount. - serviceAccount: - # -- Whether a ServiceAccount should be created. - create: true - # -- Annotations to add to the ServiceAccount. - annotations: {} - # -- Name of the ServiceAccount to use. - # If not set and create is true, a name is generated using the fullname template. - name: "" - # -- Allows to restrict the operator to specific namespaces, depending on your needs. - # For a `OwnNamespace` or `SingleNamespace` installation the list may only contain one namespace (e.g., `watchNamespaces: ["airlock-microgateway-system"]`). - # In case of the `OwnNamespace` installation mode the specified namespace should be equal to the installation namespace. - # For a static `MultiNamespace` installation, the complete list of namespaces must be provided in the `watchNamespaces`. - # An `AllNamespaces` installation or the usage of the `watchNamespaceSelector` requires the `watchNamespaces` to be empty. - # Regardless of the installation modes supported by `watchNamespaces`, RBAC is created only namespace-scoped (using Roles and RoleBindings) in the respective namespaces. - # Please note that this feature requires a Premium license. - watchNamespaces: [] - # -- Allows to dynamically select watch namespaces of the operator and the scope of the webhooks based on a Namespace label selector. - # It is able to detect and reconcile resources in all namespaces that match the label selector automatically, even for new namespaces, without restarting the operator. - # This facilitates a dynamic `MultiNamespace` installation mode, but still requires cluster-scoped permissions (i.e., ClusterRoles and ClusterRoleBindings). - # An `AllNamespaces` installation or the usage of the `watchNamespaces` requires the `watchNamespaceSelector` to be empty. - # Please note that this feature requires a Premium license. - watchNamespaceSelector: {} - # For further examples, see: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#resources-that-support-set-based-requirements. - # matchLabels: - # microgateway.airlock.com/enable: "true" - # matchExpressions: - # - { key: environment, operator: NotIn, values: [dev] } - - # Configures the generation of Role and RoleBinding as well as ClusterRoles and ClusterRoleBinding pairs for the ServiceAccount specified above. - rbac: - # -- Whether to create RBAC resources which are required for the Airlock Microgateway Operator to function. - create: true - # Configures the generation of a Prometheus Operator ServiceMonitor. - serviceMonitor: - # -- Whether to create a ServiceMonitor resource for monitoring. - create: false - # -- Labels to add to the ServiceMonitor. - labels: {} - # release: "" -engine: - # Specifies the Airlock Microgateway Engine image. - image: - # -- Image repository from which to pull the Airlock Microgateway Engine image. - repository: "quay.io/airlock/microgateway-engine" - # -- Image tag to pull. - tag: "4.3.3" - # -- SHA256 image digest to pull (in the format "sha256:a3051f42d3013813b05f7513bb86ed6a3209cb3003f1bb2f7b72df249aa544d3"). - # Overrides tag when specified. - digest: "sha256:3c0ebee0b560c8699723bfa433cd601b04b190c384e031d3789b83287fab7a9b" - # -- Pull policy for this image. - pullPolicy: IfNotPresent - # -- Resource restrictions to apply to the Airlock Microgateway Engine container. - resources: {} - # We recommend at least the following resource specification. - # limits: - # cpu: 500m - # memory: 128Mi - # requests: - # cpu: 10m - # memory: 40Mi - - # Additional configuration when deployed as a sidecar. - sidecar: - # Configures the generation of a Prometheus Operator PodMonitor. - podMonitor: - # -- Whether to create a PodMonitor resource for monitoring. - create: false - # -- Labels to add to the PodMonitor. - labels: {} - # release: "" -networkValidator: - # Specifies the Airlock Microgateway Network Validator image to be injected as an init-container. - image: - # -- Image repository from which to pull the netcat image for the Airlock Microgateway Network Validator init-container. - repository: "cgr.dev/chainguard/netcat" - # -- Image tag to pull. - tag: "" - # -- SHA256 image digest to pull (in the format "sha256:6051975a14c51b9d3b525a06004d62a4d323c08ca58e3468343095a55a42fff2"). - # Overrides tag when specified. - digest: "sha256:6051975a14c51b9d3b525a06004d62a4d323c08ca58e3468343095a55a42fff2" - # -- Pull policy for this image. - pullPolicy: IfNotPresent -sessionAgent: - # Specifies the Airlock Microgateway Session Agent image. - image: - # -- Image repository from which to pull the Airlock Microgateway Session Agent image. - repository: "quay.io/airlock/microgateway-session-agent" - # -- Image tag to pull. - tag: "4.3.3" - # -- SHA256 image digest to pull (in the format "sha256:a3051f42d3013813b05f7513bb86ed6a3209cb3003f1bb2f7b72df249aa544d3"). - # Overrides tag when specified. - digest: "sha256:994bf4117adb74da4e05c22ffc168d9844bc68efa6a7fb96d73e849d1ef67b56" - # -- Pull policy for this image. - pullPolicy: IfNotPresent - # -- Resource restrictions to apply to the Airlock Microgateway Session Agent container. - resources: {} - # We recommend at least the following resource specification. - # limits: - # cpu: 150m - # memory: 32Mi - # requests: - # cpu: 10m - # memory: 8Mi -license: - # -- Name of the secret containing the "microgateway-license.txt" key. - secretName: "airlock-microgateway-license" -# Creates dashboards in the form of ConfigMaps that can be imported -# by Grafana using its sidecar setup. -dashboards: - # -- Whether to create any ConfigMaps containing Grafana dashboards to import. +# Specifies the Airlock Microgateway CNI image. +image: + # -- Image repository from which to pull the Airlock Microgateway CNI image. + repository: "quay.io/airlock/microgateway-cni" + # -- Image tag to pull. + tag: "4.3.3" + # -- SHA256 image digest to pull (in the format "sha256:7144f7bab3d4c2648d7e59409f15ec52a18006a128c733fcff20d3a4a54ba44a"). + # Overrides tag when specified. + digest: "sha256:16317b9a8430059c15175673ad53e31d9e882a1d1af6576214eb1534d8ea6937" + # -- Pull policy for this image. + pullPolicy: IfNotPresent +# -- Annotations to add to all Pods. +podAnnotations: {} +# -- Labels to add to all Pods. +podLabels: {} +# -- Resource restrictions to apply to the CNI installer container. +resources: + requests: + cpu: 10m + memory: 100Mi +# -- NodeSelector to apply to the CNI DaemonSet in order to only deploy the CNI plugin on specific nodes. +nodeSelector: + kubernetes.io/os: linux +# -- Custom affinity for the DaemonSet to only deploy the CNI plugin on specific nodes. +affinity: {} +# Configures the generation of RBAC Roles and RoleBindings. +rbac: + # -- Whether to create RBAC resources which are required for the CNI plugin to function. + create: true + # -- (OpenShift) Whether to create RBAC resources which allow the CNI installer to use the "privileged" security context constraint. + createSCCRole: false +# -- Whether the DaemonSet should run in privileged mode. Must be enabled for environments which require it for writing files to the host (e.g. OpenShift). +privileged: false +# Configures the generation of the ServiceAccount. +serviceAccount: + # -- Whether a ServiceAccount should be created. + create: true + # -- Annotations to add to the ServiceAccount. + annotations: {} + # -- Name of the ServiceAccount to use. + # If not set and create is true, a name is generated using the fullname template. + name: "" +# Configures the generation of a NetworkAttachmentDefinition for use with Multus CNI (OpenShift) +multusNetworkAttachmentDefinition: + # -- Whether a NetworkAttachmentDefinition CR should be created, which can be used for applying the CNI plugin to Pods. create: false - config: - # Configures the necessary label and annotations along with their values - # to enable Grafana to correctly identify the ConfigMaps containing - # dashboards and file them within a dedicated folder in the dashboard overview. - # These settings need to match the Grafana sidecar configuration. - grafana: - folderAnnotation: - # -- Name of the annotation containing the folder name to file dashboards into. - name: "grafana_folder" - # -- Name of the folder dashboards are filed into within the Grafana UI. - value: "Airlock Microgateway" - dashboardLabel: - # -- Name of the label that lets Grafana identify ConfigMaps that represent dashboards. - name: "grafana_dashboard" - # -- Value of the label that lets Grafana identify ConfigMaps that represent dashboards. - value: "1" - instances: - # Available dashboard instances that can be individually created/deployed. - overview: - # -- Whether to create the overview dashboard. - create: true - license: - # -- Whether to create the license dashboard. - create: true - blockMetrics: - # -- Whether to create the block metrics dashboard. - create: true - blockLogs: - # -- Whether to create the block logs dashboard. - create: true -# Check whether the installation of the Airlock Microgateway Helm Chart was successful. -# Requires a secret with a valid Airlock Microgateway license key already to be present. + # -- Namespace in which the NetworkAttachmentDefinition is deployed. + # Note: If namespace is set to a custom value, referencing the created NetworkAttachmentDefinition from other namespaces + # may not work if Multus namespace isolation is enabled. https://github.com/k8snetworkplumbingwg/multus-cni/blob/v4.0.2/docs/configuration.md#namespace-isolation + namespace: default +# Parameters for the CNI installer configuration. +config: + # -- Whether to install the CNI plugin as a `chained` plugin (default, required with most interface CNI providers), + # as a `standalone` plugin (required for use with Multus CNI, e.g. on OpenShift) + # or in `manual` mode, where no CNI network configuration is written. + installMode: "chained" + # -- Log level for the CNI installer and plugin. + logLevel: info + # -- Directory where the CNI config files reside on the host. + # This path can either be found in the documentation of your Kubernetes distribution or CNI provider. + # It can also be queried by running the command `crictl info -o go-template --template '{{.config.cni.confDir}}'` on your Kubernetes node. + cniNetDir: "/etc/cni/net.d" + # -- Directory where the CNI plugin binaries reside on the host. + # This path can either be found in the documentation of your Kubernetes distribution or CNI provider. + # It can also be queried by running the command `crictl info -o go-template --template '{{.config.cni.binDir}}'` on your Kubernetes node. + cniBinDir: "/opt/cni/bin" + # -- Namespaces for which this CNI plugin should not apply any modifications. + excludeNamespaces: + - kube-system tests: # -- Whether additional resources required for running `helm test` should be created (e.g. Roles and ServiceAccounts). # If set to false, `helm test` will not run any tests. diff --git a/charts/airlock/microgateway/4.3.4/.helmignore b/charts/airlock/microgateway/4.3.4/.helmignore index 101ff5ac5..8561d2892 100644 --- a/charts/airlock/microgateway/4.3.4/.helmignore +++ b/charts/airlock/microgateway/4.3.4/.helmignore @@ -21,8 +21,7 @@ .idea/ *.tmproj .vscode/ -# CRDs kustomization.yaml -/crds/kustomization.yaml + # Helm unit tests /tests /validation diff --git a/charts/airlock/microgateway/4.3.4/Chart.yaml b/charts/airlock/microgateway/4.3.4/Chart.yaml index afc603857..002c30798 100644 --- a/charts/airlock/microgateway/4.3.4/Chart.yaml +++ b/charts/airlock/microgateway/4.3.4/Chart.yaml @@ -9,15 +9,15 @@ annotations: - name: Airlock Microgateway Forum url: https://forum.airlock.com/ catalog.cattle.io/certified: partner - catalog.cattle.io/display-name: Airlock Microgateway + catalog.cattle.io/display-name: Airlock Microgateway CNI catalog.cattle.io/kube-version: '>=1.25.0-0' - catalog.cattle.io/release-name: microgateway - charts.openshift.io/name: Airlock Microgateway + catalog.cattle.io/release-name: microgateway-cni + charts.openshift.io/name: Airlock Microgateway CNI apiVersion: v2 appVersion: 4.3.4 -description: A Helm chart for deploying the Airlock Microgateway +description: A Helm chart for deploying the Airlock Microgateway CNI plugin home: https://www.airlock.com/en/microgateway -icon: file://assets/icons/microgateway.svg +icon: file://assets/icons/microgateway-cni.svg keywords: - WAF - Web Application Firewall @@ -30,14 +30,13 @@ keywords: - Filtering - DevSecOps - shift left -- control plane -- Operator +- CNI kubeVersion: '>=1.25.0-0' maintainers: - email: support@airlock.com name: Airlock url: https://www.airlock.com/ -name: microgateway +name: microgateway-cni sources: - https://github.com/airlock/microgateway type: application diff --git a/charts/airlock/microgateway/4.3.4/README.md b/charts/airlock/microgateway/4.3.4/README.md index 5028932b1..1559e00a4 100644 --- a/charts/airlock/microgateway/4.3.4/README.md +++ b/charts/airlock/microgateway/4.3.4/README.md @@ -1,4 +1,4 @@ -# Airlock Microgateway +# Airlock Microgateway CNI ![Version: 4.3.4](https://img.shields.io/badge/Version-4.3.4-informational?style=flat-square) ![AppVersion: 4.3.4](https://img.shields.io/badge/AppVersion-4.3.4-informational?style=flat-square) @@ -40,58 +40,43 @@ Check the official documentation at **[docs.airlock.com](https://docs.airlock.co The instructions below provide a quick start guide. Detailed information are provided in the **[manual](https://docs.airlock.com/microgateway/latest/)**. ## Prerequisites -* [Airlock Microgateway CNI](https://artifacthub.io/packages/helm/airlock-microgateway-cni/microgateway-cni) -* [Airlock Microgateway License](#obtain-airlock-microgateway-license) -* [cert-manager](https://cert-manager.io/) * [helm](https://helm.sh/docs/intro/install/) (>= v3.8.0) -In order to use Airlock Microgateway you need a license and the cert-manager. You may either request a community license free of charge or purchase a premium license. -For an easy start in non-production environments, you may deploy the same cert-manager we are using internally for testing. -### Obtain Airlock Microgateway License -1. Either request a community or premium license - * Community license: [airlock.com/microgateway-community](https://airlock.com/en/microgateway-community) - * Premium license: [airlock.com/microgateway-premium](https://airlock.com/en/microgateway-premium) -2. Check your inbox and save the license file microgateway-license.txt locally. - -> See [Community vs. Premium editions in detail](https://docs.airlock.com/microgateway/latest/#data/1675772882054.html) to choose the right license type. -### Deploy cert-manager -```bash -helm repo add jetstack https://charts.jetstack.io -helm install cert-manager jetstack/cert-manager --version '1.15.1' -n cert-manager --create-namespace --set crds.enabled=true --wait -``` - -## Deploy Airlock Microgateway Operator - -> This guide assumes a microgateway-license.txt file is present in the working directory. - -1. Install CRDs and Operator. +## Deploy Airlock Microgateway CNI +1. Install the CNI Plugin with Helm. + > **Note**: Certain environments such as OpenShift or GKE require non-default configurations when installing the CNI plugin. For the most common setups, values files are provided in the [chart folder](/deploy/charts/airlock-microgateway-cni). ```bash - # Create namespace - kubectl create namespace airlock-microgateway-system - - # Install License - kubectl -n airlock-microgateway-system create secret generic airlock-microgateway-license --from-file=microgateway-license.txt - - # Install Operator (CRDs are included via the standard Helm 3 mechanism, i.e. Helm will handle initial installation but not upgrades) - helm install airlock-microgateway -n airlock-microgateway-system oci://quay.io/airlockcharts/microgateway --version '4.3.4' --wait + # Standard setup + helm install airlock-microgateway-cni -n kube-system oci://quay.io/airlockcharts/microgateway-cni --version '4.3.4' + kubectl -n kube-system rollout status daemonset -l app.kubernetes.io/instance=airlock-microgateway-cni ``` + ```bash + # GKE setup + helm install airlock-microgateway-cni -n kube-system oci://quay.io/airlockcharts/microgateway-cni --version '4.3.4' -f https://raw.githubusercontent.com/airlock/microgateway/4.3.4/deploy/charts/airlock-microgateway-cni/gke-values.yaml + kubectl -n kube-system rollout status daemonset -l app.kubernetes.io/instance=airlock-microgateway-cni + ``` + ```bash + # OpenShift setup + helm install airlock-microgateway-cni -n openshift-operators oci://quay.io/airlockcharts/microgateway-cni --version '4.3.4' -f https://raw.githubusercontent.com/airlock/microgateway/4.3.4/deploy/charts/airlock-microgateway-cni/openshift-values.yaml + kubectl -n openshift-operators rollout status daemonset -l app.kubernetes.io/instance=airlock-microgateway-cni + ``` + **Important:** On OpenShift, all pods which should be protected by Airlock Microgateway must explicitly reference the Airlock Microgateway CNI NetworkAttachmentDefinition via the annotation `k8s.v1.cni.cncf.io/networks` (see [documentation](https://docs.airlock.com/microgateway/latest/#data/1658483168033.html) for details). 2. (Recommended) You can verify the correctness of the installation with `helm test`. ```bash - helm upgrade airlock-microgateway -n airlock-microgateway-system --set tests.enabled=true --reuse-values oci://quay.io/airlockcharts/microgateway --version '4.3.4' - helm test airlock-microgateway -n airlock-microgateway-system --logs - helm upgrade airlock-microgateway -n airlock-microgateway-system --set tests.enabled=false --reuse-values oci://quay.io/airlockcharts/microgateway --version '4.3.4' + # Standard and GKE setup + helm upgrade airlock-microgateway-cni -n kube-system --set tests.enabled=true --reuse-values oci://quay.io/airlockcharts/microgateway-cni --version '4.3.4' + helm test airlock-microgateway-cni -n kube-system --logs + helm upgrade airlock-microgateway-cni -n kube-system --set tests.enabled=false --reuse-values oci://quay.io/airlockcharts/microgateway-cni --version '4.3.4' + ``` + ```bash + # OpenShift setup + helm upgrade airlock-microgateway-cni -n openshift-operators --set tests.enabled=true --reuse-values oci://quay.io/airlockcharts/microgateway-cni --version '4.3.4' + helm test airlock-microgateway-cni -n openshift-operators --logs + helm upgrade airlock-microgateway-cni -n openshift-operators --set tests.enabled=false --reuse-values oci://quay.io/airlockcharts/microgateway-cni --version '4.3.4' ``` -### Upgrading CRDs - -The `helm install/upgrade` command currently does not support upgrading CRDs that already exist in the cluster. -CRDs should instead be manually upgraded before upgrading the Operator itself via the following command: -```bash -kubectl apply -k https://github.com/airlock/microgateway/deploy/charts/airlock-microgateway/crds/?ref=4.3.4 --server-side --force-conflicts -``` - -**Note**: Certain GitOps solutions such as e.g. Argo CD or Flux CD have their own mechanisms for automatically upgrading CRDs included with Helm charts. + Consult our [documentation](https://docs.airlock.com/microgateway/latest/#data/1699611533587.html) in case of any installation error. ## Support @@ -104,61 +89,33 @@ For the community edition, check our **[Airlock community forum](https://forum.a | Key | Type | Default | Description | |-----|------|---------|-------------| +| affinity | object | `{}` | Custom affinity for the DaemonSet to only deploy the CNI plugin on specific nodes. | | commonAnnotations | object | `{}` | Annotations to add to all resources. | | commonLabels | object | `{}` | Labels to add to all resources. | -| crds.skipVersionCheck | bool | `false` | Whether to skip the sanity check which prevents installing/upgrading the helm chart in a cluster with outdated Airlock Microgateway CRDs. The check aims to prevent unexpected behavior and issues due to Helm v3 not automatically upgrading CRDs which are already present in the cluster when performing a "helm install/upgrade". | -| dashboards.config.grafana.dashboardLabel.name | string | `"grafana_dashboard"` | Name of the label that lets Grafana identify ConfigMaps that represent dashboards. | -| dashboards.config.grafana.dashboardLabel.value | string | `"1"` | Value of the label that lets Grafana identify ConfigMaps that represent dashboards. | -| dashboards.config.grafana.folderAnnotation.name | string | `"grafana_folder"` | Name of the annotation containing the folder name to file dashboards into. | -| dashboards.config.grafana.folderAnnotation.value | string | `"Airlock Microgateway"` | Name of the folder dashboards are filed into within the Grafana UI. | -| dashboards.create | bool | `false` | Whether to create any ConfigMaps containing Grafana dashboards to import. | -| dashboards.instances.blockLogs.create | bool | `true` | Whether to create the block logs dashboard. | -| dashboards.instances.blockMetrics.create | bool | `true` | Whether to create the block metrics dashboard. | -| dashboards.instances.license.create | bool | `true` | Whether to create the license dashboard. | -| dashboards.instances.overview.create | bool | `true` | Whether to create the overview dashboard. | -| engine.image.digest | string | `"sha256:91e05c509bed3b51ff4888d7475980d56cbc85db121aa766d1bde413204f9070"` | SHA256 image digest to pull (in the format "sha256:a3051f42d3013813b05f7513bb86ed6a3209cb3003f1bb2f7b72df249aa544d3"). Overrides tag when specified. | -| engine.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for this image. | -| engine.image.repository | string | `"quay.io/airlock/microgateway-engine"` | Image repository from which to pull the Airlock Microgateway Engine image. | -| engine.image.tag | string | `"4.3.4"` | Image tag to pull. | -| engine.resources | object | `{}` | Resource restrictions to apply to the Airlock Microgateway Engine container. | -| engine.sidecar.podMonitor.create | bool | `false` | Whether to create a PodMonitor resource for monitoring. | -| engine.sidecar.podMonitor.labels | object | `{}` | Labels to add to the PodMonitor. | +| config.cniBinDir | string | `"/opt/cni/bin"` | Directory where the CNI plugin binaries reside on the host. This path can either be found in the documentation of your Kubernetes distribution or CNI provider. It can also be queried by running the command `crictl info -o go-template --template '{{.config.cni.binDir}}'` on your Kubernetes node. | +| config.cniNetDir | string | `"/etc/cni/net.d"` | Directory where the CNI config files reside on the host. This path can either be found in the documentation of your Kubernetes distribution or CNI provider. It can also be queried by running the command `crictl info -o go-template --template '{{.config.cni.confDir}}'` on your Kubernetes node. | +| config.excludeNamespaces | list | `["kube-system"]` | Namespaces for which this CNI plugin should not apply any modifications. | +| config.installMode | string | `"chained"` | Whether to install the CNI plugin as a `chained` plugin (default, required with most interface CNI providers), as a `standalone` plugin (required for use with Multus CNI, e.g. on OpenShift) or in `manual` mode, where no CNI network configuration is written. | +| config.logLevel | string | `"info"` | Log level for the CNI installer and plugin. | | fullnameOverride | string | `""` | Allows overriding the name to use as full name of resources. | +| image.digest | string | `"sha256:1e01310b3ad8566e9b39ee539ed5c959049aadda1a18c1a534e96d8865e20172"` | SHA256 image digest to pull (in the format "sha256:7144f7bab3d4c2648d7e59409f15ec52a18006a128c733fcff20d3a4a54ba44a"). Overrides tag when specified. | +| image.pullPolicy | string | `"IfNotPresent"` | Pull policy for this image. | +| image.repository | string | `"quay.io/airlock/microgateway-cni"` | Image repository from which to pull the Airlock Microgateway CNI image. | +| image.tag | string | `"4.3.4"` | Image tag to pull. | | imagePullSecrets | list | `[]` | ImagePullSecrets to use when pulling images. | -| license.secretName | string | `"airlock-microgateway-license"` | Name of the secret containing the "microgateway-license.txt" key. | -| nameOverride | string | `""` | Allows overriding the name to use instead of "microgateway". | -| networkValidator.image.digest | string | `"sha256:7a73d4b82a2d4165bbc5efa55de4fee9d43f2b1c1edb3505cdc8afd1361bad9b"` | SHA256 image digest to pull (in the format "sha256:7a73d4b82a2d4165bbc5efa55de4fee9d43f2b1c1edb3505cdc8afd1361bad9b"). Overrides tag when specified. | -| networkValidator.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for this image. | -| networkValidator.image.repository | string | `"cgr.dev/chainguard/netcat"` | Image repository from which to pull the netcat image for the Airlock Microgateway Network Validator init-container. | -| networkValidator.image.tag | string | `""` | Image tag to pull. | -| operator.affinity | object | `{}` | Custom affinity to apply to the operator Deployment. Used to influence the scheduling. | -| operator.config.logLevel | string | `"info"` | Operator application log level. | -| operator.image.digest | string | `"sha256:6819c78d5570de66edce6c13964c6e1b4cc4746d0c0bc6f4975cd38e324828c0"` | SHA256 image digest to pull (in the format "sha256:c79ee3f85862fb386e9dd62b901b607161d27807f512d7fbdece05e9ee3d7c63"). Overrides tag when specified. | -| operator.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for this image. | -| operator.image.repository | string | `"quay.io/airlock/microgateway-operator"` | Image repository from which to pull the Airlock Microgateway Operator image. | -| operator.image.tag | string | `"4.3.4"` | Image tag to pull. | -| operator.nodeSelector | object | `{}` | Custom nodeSelector to apply to the operator Deployment in order to constrain its Pods to certain nodes. | -| operator.podAnnotations | object | `{}` | Annotations to add to all Pods. | -| operator.podLabels | object | `{}` | Labels to add to all Pods. | -| operator.rbac.create | bool | `true` | Whether to create RBAC resources which are required for the Airlock Microgateway Operator to function. | -| operator.replicaCount | int | `2` | Number of replicas for the operator Deployment. | -| operator.resources | object | `{}` | Resource restrictions to apply to the operator container. | -| operator.serviceAccount.annotations | object | `{}` | Annotations to add to the ServiceAccount. | -| operator.serviceAccount.create | bool | `true` | Whether a ServiceAccount should be created. | -| operator.serviceAccount.name | string | `""` | Name of the ServiceAccount to use. If not set and create is true, a name is generated using the fullname template. | -| operator.serviceAnnotations | object | `{}` | Annotations to add to the Service. | -| operator.serviceLabels | object | `{}` | Labels to add to the Service. | -| operator.serviceMonitor.create | bool | `false` | Whether to create a ServiceMonitor resource for monitoring. | -| operator.serviceMonitor.labels | object | `{}` | Labels to add to the ServiceMonitor. | -| operator.tolerations | list | `[]` | Custom tolerations to apply to the operator Deployment in order to allow its Pods to run on tainted nodes. | -| operator.updateStrategy | object | `{"type":"RollingUpdate"}` | Specifies the operator update strategy. | -| operator.watchNamespaceSelector | object | `{}` | Allows to dynamically select watch namespaces of the operator and the scope of the webhooks based on a Namespace label selector. It is able to detect and reconcile resources in all namespaces that match the label selector automatically, even for new namespaces, without restarting the operator. This facilitates a dynamic `MultiNamespace` installation mode, but still requires cluster-scoped permissions (i.e., ClusterRoles and ClusterRoleBindings). An `AllNamespaces` installation or the usage of the `watchNamespaces` requires the `watchNamespaceSelector` to be empty. Please note that this feature requires a Premium license. | -| operator.watchNamespaces | list | `[]` | Allows to restrict the operator to specific namespaces, depending on your needs. For a `OwnNamespace` or `SingleNamespace` installation the list may only contain one namespace (e.g., `watchNamespaces: ["airlock-microgateway-system"]`). In case of the `OwnNamespace` installation mode the specified namespace should be equal to the installation namespace. For a static `MultiNamespace` installation, the complete list of namespaces must be provided in the `watchNamespaces`. An `AllNamespaces` installation or the usage of the `watchNamespaceSelector` requires the `watchNamespaces` to be empty. Regardless of the installation modes supported by `watchNamespaces`, RBAC is created only namespace-scoped (using Roles and RoleBindings) in the respective namespaces. Please note that this feature requires a Premium license. | -| sessionAgent.image.digest | string | `"sha256:df4e50d0929cb4c5e4486452979b59ec17f5e49a1516b685acd3a1ab0ddb3cf4"` | SHA256 image digest to pull (in the format "sha256:a3051f42d3013813b05f7513bb86ed6a3209cb3003f1bb2f7b72df249aa544d3"). Overrides tag when specified. | -| sessionAgent.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for this image. | -| sessionAgent.image.repository | string | `"quay.io/airlock/microgateway-session-agent"` | Image repository from which to pull the Airlock Microgateway Session Agent image. | -| sessionAgent.image.tag | string | `"4.3.4"` | Image tag to pull. | -| sessionAgent.resources | object | `{}` | Resource restrictions to apply to the Airlock Microgateway Session Agent container. | +| multusNetworkAttachmentDefinition.create | bool | `false` | Whether a NetworkAttachmentDefinition CR should be created, which can be used for applying the CNI plugin to Pods. | +| multusNetworkAttachmentDefinition.namespace | string | `"default"` | Namespace in which the NetworkAttachmentDefinition is deployed. Note: If namespace is set to a custom value, referencing the created NetworkAttachmentDefinition from other namespaces may not work if Multus namespace isolation is enabled. https://github.com/k8snetworkplumbingwg/multus-cni/blob/v4.0.2/docs/configuration.md#namespace-isolation | +| nameOverride | string | `""` | Allows overriding the name to use instead of "microgateway-cni". | +| nodeSelector | object | `{"kubernetes.io/os":"linux"}` | NodeSelector to apply to the CNI DaemonSet in order to only deploy the CNI plugin on specific nodes. | +| podAnnotations | object | `{}` | Annotations to add to all Pods. | +| podLabels | object | `{}` | Labels to add to all Pods. | +| privileged | bool | `false` | Whether the DaemonSet should run in privileged mode. Must be enabled for environments which require it for writing files to the host (e.g. OpenShift). | +| rbac.create | bool | `true` | Whether to create RBAC resources which are required for the CNI plugin to function. | +| rbac.createSCCRole | OpenShift | `false` | Whether to create RBAC resources which allow the CNI installer to use the "privileged" security context constraint. | +| resources | object | `{"requests":{"cpu":"10m","memory":"100Mi"}}` | Resource restrictions to apply to the CNI installer container. | +| serviceAccount.annotations | object | `{}` | Annotations to add to the ServiceAccount. | +| serviceAccount.create | bool | `true` | Whether a ServiceAccount should be created. | +| serviceAccount.name | string | `""` | Name of the ServiceAccount to use. If not set and create is true, a name is generated using the fullname template. | | tests.enabled | bool | `false` | Whether additional resources required for running `helm test` should be created (e.g. Roles and ServiceAccounts). If set to false, `helm test` will not run any tests. | ## License diff --git a/charts/airlock/microgateway/4.3.4/app-readme.md b/charts/airlock/microgateway/4.3.4/app-readme.md deleted file mode 100644 index e32cac025..000000000 --- a/charts/airlock/microgateway/4.3.4/app-readme.md +++ /dev/null @@ -1,28 +0,0 @@ -# Airlock Microgateway - -*Airlock Microgateway is a Kubernetes native WAAP (Web Application and API Protection) solution to protect microservices.* - -## Features -* Kubernetes native integration with its Operator, Custom Resource Definitions, hot-reload, automatic sidecar injection. -* Reverse proxy functionality with request routing rules, TLS termination and remote IP extraction -* Using native Envoy HTTP filters like Lua scripting, RBAC, ext_authz, JWT authentication -* Content security filters for protecting against known attacks (OWASP Top 10) -* Access control to allow only authenticated users to access the protected services -* API security features like JSON parsing or OpenAPI specification enforcement - -For a list of all features, view the **[comparison of the community and premium edition](https://docs.airlock.com/microgateway/latest/#data/1675772882054.html)**. - -## Requirements -* [Airlock Microgateway CNI Helm Chart](https://artifacthub.io/packages/helm/airlock-microgateway-cni/microgateway-cni) (Also available as Rancher Chart) -* [Airlock Microgateway License](https://github.com/airlock/microgateway?tab=readme-ov-file#obtain-airlock-microgateway-license) (After obtaining the license install it according to the [documentation](https://github.com/airlock/microgateway?tab=readme-ov-file#deploy-airlock-microgateway-operator)) -* [cert-manager](https://cert-manager.io/docs/installation/) - -## Documentation and links - -Check the official documentation at **[docs.airlock.com](https://docs.airlock.com/microgateway/latest/)** or the product website at **[airlock.com/microgateway](https://www.airlock.com/en/microgateway)**. The links below point out the most interesting documentation sites when starting with Airlock Microgateway. - -* [Getting Started](https://docs.airlock.com/microgateway/latest/#data/1660804708742.html) -* [System Architecture](https://docs.airlock.com/microgateway/latest/#data/1660804709650.html) -* [Installation](https://docs.airlock.com/microgateway/latest/#data/1660804708637.html) -* [Troubleshooting](https://docs.airlock.com/microgateway/latest/#data/1659430054787.html) -* [GitHub](https://github.com/airlock/microgateway) \ No newline at end of file diff --git a/charts/airlock/microgateway/4.3.4/crds/accesscontrols.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.3.4/crds/accesscontrols.microgateway.airlock.com.yaml deleted file mode 100644 index 9dc81f14d..000000000 --- a/charts/airlock/microgateway/4.3.4/crds/accesscontrols.microgateway.airlock.com.yaml +++ /dev/null @@ -1,124 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - app.kubernetes.io/name: airlock-microgateway-operator - app.kubernetes.io/version: 4.3.4 - name: accesscontrols.microgateway.airlock.com -spec: - group: microgateway.airlock.com - names: - categories: - - airlock-microgateway - kind: AccessControl - listKind: AccessControlList - plural: accesscontrols - singular: accesscontrol - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - description: AccessControl specifies the options to perform access control with a Microgateway Engine container. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Specifies how the Airlock Microgateway Engine performs access control. - properties: - policies: - description: Policies configures access control policies. - items: - properties: - authorization: - description: Authorization configures how requests are authorized. An empty object value {} disables authorization. - properties: - authentication: - description: Authentication specifies that clients need to be authenticated with the provided method. - properties: - oidc: - description: OIDC configures client authentication using OpenID Connect. - properties: - oidcRelyingPartyRef: - description: OIDCRelyingPartyRef configures how the Airlock Microgateway Engine interacts with the OpenID provider. - properties: - name: - description: Name of the resource - minLength: 1 - type: string - required: - - name - type: object - required: - - oidcRelyingPartyRef - type: object - type: object - type: object - identityPropagation: - description: IdentityPropagation configures how the authenticated user's identity is communicated to the protected application. - properties: - actions: - description: Actions specifies the propagation actions. - items: - properties: - identityPropagationRef: - description: IdentityPropagationRef selects an IdentityPropagation to apply. - properties: - name: - description: Name of the resource - minLength: 1 - type: string - required: - - name - type: object - required: - - identityPropagationRef - type: object - type: array - onFailure: - description: |- - OnFailure configures what should happen, if an identity propagation fails. Meaning of the possible values: - _Pass_: The request should be forwarded to the upstream, without including the information from the failed identity propagations. - enum: - - Pass - type: string - required: - - actions - - onFailure - type: object - required: - - authorization - type: object - maxItems: 1 - minItems: 1 - type: array - required: - - policies - type: object - required: - - spec - type: object - served: true - storage: true - subresources: {} diff --git a/charts/airlock/microgateway/4.3.4/crds/contentsecurities.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.3.4/crds/contentsecurities.microgateway.airlock.com.yaml deleted file mode 100644 index e63a5b1eb..000000000 --- a/charts/airlock/microgateway/4.3.4/crds/contentsecurities.microgateway.airlock.com.yaml +++ /dev/null @@ -1,139 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - app.kubernetes.io/name: airlock-microgateway-operator - app.kubernetes.io/version: 4.3.4 - name: contentsecurities.microgateway.airlock.com -spec: - group: microgateway.airlock.com - names: - categories: - - airlock-microgateway - kind: ContentSecurity - listKind: ContentSecurityList - plural: contentsecurities - singular: contentsecurity - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - description: ContentSecurity specifies the options to secure an upstream web application with a Microgateway Engine container. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Specifies the options to secure an upstream web application with a Microgateway Engine container. - properties: - apiProtection: - description: |- - APIProtection defines the relevant configurations to protect APIs. - If undefined, default settings are applied, designed to work with most upstream web application services. - properties: - graphQLRef: - description: |- - GraphQLRef selects the relevant GraphQL configuration resource. - If undefined, default settings are applied, designed to work with most upstream web application services. - properties: - name: - description: Name of the resource - minLength: 1 - type: string - required: - - name - type: object - openAPIRef: - description: |- - OpenAPIRef selects the relevant OpenAPI configuration resource. - If undefined, default settings are applied, designed to work with most upstream web application services. - properties: - name: - description: Name of the resource - minLength: 1 - type: string - required: - - name - type: object - type: object - filter: - description: |- - Filter defines the set of filters, e.g. Airlock Deny Rules, to be applied to incoming requests - to protect against various attack patterns. - If undefined, default settings are applied, designed to work with most upstream web application services. - properties: - denyRulesRef: - description: |- - DenyRulesRef selects the relevant DenyRules configuration resource. - If undefined, default settings are applied, designed to work with most upstream web application services. - properties: - name: - description: Name of the resource - minLength: 1 - type: string - required: - - name - type: object - type: object - headerRewritesRef: - description: |- - HeaderRewritesRef selects the relevant HeaderRewrites. - If undefined, default settings are applied, designed to work with most upstream web application services. - properties: - name: - description: Name of the resource - minLength: 1 - type: string - required: - - name - type: object - limitsRef: - description: |- - LimitsRef selects the relevant Limits configuration resource. - If undefined, default settings are applied, designed to work with most upstream web application services. - properties: - name: - description: Name of the resource - minLength: 1 - type: string - required: - - name - type: object - parserRef: - description: |- - ParserRef selects the relevant Parser configuration resource. - If undefined, default settings are applied, designed to work with most upstream web application services. - properties: - name: - description: Name of the resource - minLength: 1 - type: string - required: - - name - type: object - type: object - type: object - served: true - storage: true - subresources: {} diff --git a/charts/airlock/microgateway/4.3.4/crds/denyrules.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.3.4/crds/denyrules.microgateway.airlock.com.yaml deleted file mode 100644 index 7108ee5e0..000000000 --- a/charts/airlock/microgateway/4.3.4/crds/denyrules.microgateway.airlock.com.yaml +++ /dev/null @@ -1,1804 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - app.kubernetes.io/name: airlock-microgateway-operator - app.kubernetes.io/version: 4.3.4 - name: denyrules.microgateway.airlock.com -spec: - group: microgateway.airlock.com - names: - categories: - - airlock-microgateway - kind: DenyRules - listKind: DenyRulesList - plural: denyrules - singular: denyrules - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - DenyRules configures request filtering using Airlock built-in and custom deny rules. - Deny rules establish a negative security model. They define prohibited patterns which, when a match is found in a request, lead to it being blocked from reaching the upstream web application. - To handle possible false positives, lower the security level or define fine-granular deny rule exceptions - If undefined, default settings are applied, designed to work with most upstream web application services. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Specification of the desired deny rules behavior. - properties: - request: - description: Request configures deny rules for downstream requests. - properties: - builtIn: - description: BuiltIn configures the built-in deny rules. - properties: - exceptions: - description: Exceptions allows to define exceptions for specific requests and deny rules. - items: - description: |- - DenyRulesException defines an exception for deny rules. Exceptions may be defined by any or a combination of the following elements: blockedData (the request data causing a block) or requestConditions (properties of a request without taking into consideration the reason why a request has been blocked). - At least one of blockedData and requestConditions must be set. - properties: - blockedData: - description: BlockedData defines an exception based on the request data causing the block. - properties: - graphQL: - description: |- - GraphQL defines an exception based on a blocked GraphQL query. - Only one of parameter, header, path, pathSegment, json or graphQL can be set. - properties: - argument: - description: |- - Argument defines an argument of a field of the GraphQL query. - At least one of field, argument and value must be set. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - field: - description: |- - Field defines a field of the GraphQL query. - At least one of field, argument and value must be set. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - value: - description: |- - Value defines the value of an argument of the GraphQL query. - At least one of field, argument and value must be set. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - type: object - header: - description: |- - Header defines an exception based on a blocked header. - Only one of parameter, header, path, pathSegment, json or graphQL can be set. - properties: - name: - description: Name defines the name of a header. - properties: - matcher: - description: Matcher defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - value: - description: Value defines the value of a header. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - type: object - json: - description: |- - JSON defines an exception based on a blocked JSON property. - Only one of parameter, header, path, pathSegment, json or graphQL can be set. - properties: - jsonPath: - description: |- - JSONPath defines the JSONPath pattern to match the path within the JSON. - Expressions in JSONPath i.e. `?(expr)` are not supported. - minLength: 1 - type: string - key: - description: |- - Key defines the key of the JSON property. - At most one of key and value can be set. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - value: - description: |- - Value defines the value of the JSON property. - At most one of key and value can be set. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - type: object - parameter: - description: |- - Parameter defines an exception based on a blocked parameter. - Only one of parameter, header, path, pathSegment, json or graphQL can be set. - properties: - name: - description: Name defines the name of a parameter. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - source: - default: Any - description: Source defines the source of the parameter. - enum: - - Query - - Post - - Any - type: string - value: - description: Value defines the value of a parameter. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - type: object - path: - description: |- - Path defines an exception based on the blocked path. - Only one of parameter, header, path, pathSegment, json or graphQL can be set. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - pathSegment: - description: |- - PathSegment defines an exception based on a blocked path segment. - Only one of parameter, header, path, pathSegment, json or graphQL can be set. - properties: - segments: - description: Segments defines the position of a segment within the path. - properties: - index: - description: Index specifies an exact path segment position by index (0-based). - minimum: 0 - type: integer - type: object - value: - description: Value defines the value of a path segment. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - type: object - type: object - requestConditions: - description: RequestConditions defines an exception based on a property of a request without taking into consideration the reason why a request has been blocked. - properties: - header: - description: Header defines the matching headers of a request. - properties: - name: - description: Name defines the name of a header. - properties: - matcher: - description: Matcher defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - value: - description: Value defines the value of a header. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - type: object - invert: - default: false - description: Invert indicates whether the request condition should be inverted. - type: boolean - mediaType: - description: MediaType defines the matching media type from the content-type header of a request. - properties: - matcher: - description: |- - NonInvertableCaseInsensitiveStringMatcher defines the way to match a string. - In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - method: - description: Method defines the matching methods of a request. - items: - description: Method defines common HTTP methods. - enum: - - GET - - HEAD - - POST - - PUT - - PATCH - - DELETE - - CONNECT - - OPTIONS - - TRACE - type: string - type: array - path: - description: Path defines the matching path of a request. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - remoteIP: - description: RemoteIP defines the matching remote IPs of a request. - properties: - cidrRanges: - description: CIDRRanges defines the IPv4 or IPv6 CIDR ranges, e.g. ``196.148.3.128/26`` or ``2001:db8::/28``. - items: - description: CIDRRange defines an IPv4 or IPv6 CIDR range, e.g. “196.148.3.128/26“ or “2001:db8::/28“. - format: cidr - type: string - minItems: 1 - type: array - invert: - default: false - description: Invert indicates whether the match should be inverted. - type: boolean - required: - - cidrRanges - type: object - type: object - ruleKeys: - description: RuleKeys restricts the exception to a set of deny rules. - items: - description: |- - A deny rule name can be any of the following values: - ENCODING | - EXPLOIT | - HPP | - HTML | - IDOR | - LDAP | - NOSQL | - OGNL | - PHP | - PROTOCOL | - SANITY | - SCANNING | - SQL | - TEMPLATE | - UNIXCMD | - WINCMD | - XSS - enum: - - ENCODING - - EXPLOIT - - HPP - - HTML - - IDOR - - LDAP - - NOSQL - - OGNL - - PHP - - PROTOCOL - - SANITY - - SCANNING - - SQL - - TEMPLATE - - UNIXCMD - - WINCMD - - XSS - type: string - minItems: 1 - type: array - type: object - type: array - overrides: - description: Overrides allows to override the builtIn settings for specific deny rules. - items: - description: DenyRulesOverride allows to override the builtIn settings for specific deny rules. - properties: - conditions: - description: Conditions select which built-in deny rules' settings will be adjusted. - properties: - ruleKeys: - description: RuleKeys is a list of built-in deny rule names. - items: - description: |- - A deny rule name can be any of the following values: - ENCODING | - EXPLOIT | - HPP | - HTML | - IDOR | - LDAP | - NOSQL | - OGNL | - PHP | - PROTOCOL | - SANITY | - SCANNING | - SQL | - TEMPLATE | - UNIXCMD | - WINCMD | - XSS - enum: - - ENCODING - - EXPLOIT - - HPP - - HTML - - IDOR - - LDAP - - NOSQL - - OGNL - - PHP - - PROTOCOL - - SANITY - - SCANNING - - SQL - - TEMPLATE - - UNIXCMD - - WINCMD - - XSS - type: string - minItems: 1 - type: array - types: - description: Types defines the type of attributes the override should be applied on. If Types are defined without any RuleKeys the override is applied to all deny rules. - items: - description: |- - A deny rule override type name can be any of the following values: - Header | - Parameter | - Path | - JSON | - GraphQL - enum: - - Header - - Parameter - - Path - - PathSegment - - JSON - - GraphQL - type: string - minItems: 0 - type: array - type: object - settings: - description: Settings override the corresponding properties for the selected rules. - properties: - level: - description: Level specifies the filter strength. - enum: - - Unfiltered - - Basic - - Standard - - Strict - type: string - threatHandlingMode: - description: ThreatHandlingMode specifies how threats should be handled. - enum: - - Block - - LogOnly - type: string - type: object - type: object - type: array - settings: - description: Settings contains the keys which will be adjusted. - properties: - level: - default: Standard - description: Level represents a set of deny rules with different filter strengths. - enum: - - Unfiltered - - Basic - - Standard - - Strict - type: string - threatHandlingMode: - default: Block - description: ThreatHandlingMode specifies how threats should be handled when a deny rule matches. - enum: - - Block - - LogOnly - type: string - type: object - type: object - custom: - description: Custom allows configuring additional deny rules. - properties: - rules: - description: Rules defines list of additional deny rules. - items: - properties: - blockData: - description: BlockData specifies the request data which should cause a block. - properties: - graphQL: - description: |- - GraphQL specifies to block requests containing a matching GraphQL property. - At least one of field, argument and value must be set. - properties: - argument: - description: |- - Argument defines an argument of a field of the GraphQL query. - At least one of field, argument and value must be set. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - field: - description: |- - Field defines a field of the GraphQL query. - At least one of field, argument and value must be set. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - value: - description: |- - Value defines the value of an argument of the GraphQL query. - At least one of field, argument and value must be set. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - type: object - header: - description: |- - Header specifies to block requests containing a matching header. - Only one of parameter, header, path, pathSegment or json can be set. - properties: - name: - description: Name defines the name of a header. - properties: - matcher: - description: |- - NonInvertableCaseInsensitiveStringMatcher defines the way to match a string. - In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - value: - description: Value defines the value of a header. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - type: object - json: - description: |- - JSON specifies to block requests containing a matching JSON property in the body. - Only one of parameter, header, path, pathSegment or json can be set. - properties: - key: - description: Key defines the key of a JSON object. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - value: - description: Value defines the value of a JSON object. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - type: object - parameter: - description: |- - Parameter specifies to block requests containing a matching parameter. - Only one of parameter, header, path, pathSegment or json can be set. - properties: - name: - description: Name defines the name of a parameter. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - value: - description: Value defines the value of a parameter. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - type: object - path: - description: |- - Path specifies to block requests with a matching path. - Only one of parameter, header, path, pathSegment or json can be set. - properties: - matcher: - description: Matcher specifies which path to block. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - pathSegment: - description: |- - PathSegment specifies to block requests containing a matching path segment. - Only one of parameter, header, path, pathSegment or json can be set. - properties: - segments: - description: |- - Segments restricts which path segments are filtered by this rule. - If not specified, all segments of a path are filtered. - properties: - index: - description: Index restricts the rule to the path segment at this index (0-based). - minimum: 0 - type: integer - type: object - value: - description: Value specifies which path segment values to block. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - required: - - value - type: object - type: object - requestConditions: - description: RequestConditions defines additional request properties which must be matched in order for this rule to apply. - properties: - header: - description: Header defines the matching headers of a request. - properties: - name: - description: Name defines the name of a header. - properties: - matcher: - description: Matcher defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - value: - description: Value defines the value of a header. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - type: object - invert: - default: false - description: Invert indicates whether the request condition should be inverted. - type: boolean - mediaType: - description: MediaType defines the matching media type from the content-type header of a request. - properties: - matcher: - description: |- - NonInvertableCaseInsensitiveStringMatcher defines the way to match a string. - In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - method: - description: Method defines the matching methods of a request. - items: - description: Method defines common HTTP methods. - enum: - - GET - - HEAD - - POST - - PUT - - PATCH - - DELETE - - CONNECT - - OPTIONS - - TRACE - type: string - type: array - path: - description: Path defines the matching path of a request. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - remoteIP: - description: RemoteIP defines the matching remote IPs of a request. - properties: - cidrRanges: - description: CIDRRanges defines the IPv4 or IPv6 CIDR ranges, e.g. ``196.148.3.128/26`` or ``2001:db8::/28``. - items: - description: CIDRRange defines an IPv4 or IPv6 CIDR range, e.g. “196.148.3.128/26“ or “2001:db8::/28“. - format: cidr - type: string - minItems: 1 - type: array - invert: - default: false - description: Invert indicates whether the match should be inverted. - type: boolean - required: - - cidrRanges - type: object - type: object - ruleKey: - description: RuleKey defines a technical key for the deny rule. Must be unique. - minLength: 1 - pattern: ^[A-Z][A-Z0-9_]*$ - type: string - threatHandlingMode: - default: Block - description: ThreatHandlingMode specifies how threats should be handled when a deny rule matches. - enum: - - Block - - LogOnly - type: string - required: - - blockData - - ruleKey - type: object - type: array - x-kubernetes-list-map-keys: - - ruleKey - x-kubernetes-list-type: map - type: object - type: object - type: object - type: object - served: true - storage: true - subresources: {} diff --git a/charts/airlock/microgateway/4.3.4/crds/envoyclusters.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.3.4/crds/envoyclusters.microgateway.airlock.com.yaml deleted file mode 100644 index 35dda9f2f..000000000 --- a/charts/airlock/microgateway/4.3.4/crds/envoyclusters.microgateway.airlock.com.yaml +++ /dev/null @@ -1,58 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - app.kubernetes.io/name: airlock-microgateway-operator - app.kubernetes.io/version: 4.3.4 - name: envoyclusters.microgateway.airlock.com -spec: - group: microgateway.airlock.com - names: - categories: - - airlock-microgateway - kind: EnvoyCluster - listKind: EnvoyClusterList - plural: envoyclusters - singular: envoycluster - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - description: EnvoyCluster is an additional Envoy Cluster resource which is added to those defined by the Airlock Microgateway. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Specification of the desired additional Envoy cluster. - properties: - value: - description: Value defines the Envoy Cluster which is added to those configured by the Airlock Microgateway. - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - served: true - storage: true - subresources: {} diff --git a/charts/airlock/microgateway/4.3.4/crds/envoyconfigurations.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.3.4/crds/envoyconfigurations.microgateway.airlock.com.yaml deleted file mode 100644 index c4f61f20d..000000000 --- a/charts/airlock/microgateway/4.3.4/crds/envoyconfigurations.microgateway.airlock.com.yaml +++ /dev/null @@ -1,185 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - app.kubernetes.io/name: airlock-microgateway-operator - app.kubernetes.io/version: 4.3.4 - name: envoyconfigurations.microgateway.airlock.com -spec: - group: microgateway.airlock.com - names: - categories: - - airlock-microgateway - kind: EnvoyConfiguration - listKind: EnvoyConfigurationList - plural: envoyconfigurations - singular: envoyconfiguration - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .status.status - name: Status - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - EnvoyConfiguration is the Schema for the envoyconfigurations API - {{% notice warning %}} EnvoyConfiguration resources may contain sensitive information and thus RBAC permissions should be granted with care. {{% /notice %}} - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: EnvoyConfigurationSpec defines the desired state of EnvoyConfiguration - properties: - envoyResources: - properties: - clusters: - items: - type: object - x-kubernetes-preserve-unknown-fields: true - type: array - endpoints: - items: - type: object - x-kubernetes-preserve-unknown-fields: true - type: array - extensions: - items: - type: object - x-kubernetes-preserve-unknown-fields: true - type: array - listeners: - items: - type: object - x-kubernetes-preserve-unknown-fields: true - type: array - routes: - items: - type: object - x-kubernetes-preserve-unknown-fields: true - type: array - runtimes: - items: - type: object - x-kubernetes-preserve-unknown-fields: true - type: array - scopedRoutes: - items: - type: object - x-kubernetes-preserve-unknown-fields: true - type: array - secrets: - items: - type: object - x-kubernetes-preserve-unknown-fields: true - type: array - type: object - envoyResourcesRaw: - description: |- - EnvoyResourcesRaw defines the desired state for each resource type. The resources are stored as zstd compressed JSON bytes. - For debugging purposes, the resources can be inspected with the following command: `kubectl get envoyconfiguration -ojsonpath='{.spec.envoyResourcesRaw}' | base64 -d | zstd -d | jq` - format: byte - type: string - nodeID: - description: '**Deprecated:** This field is now ignored as NodeID is always derived from the resource name.' - type: string - type: object - status: - description: EnvoyConfigurationStatus defines the observed state of EnvoyConfiguration - properties: - conditions: - items: - properties: - lastTransitionTime: - description: Last time the condition transitioned from one status to another. - format: date-time - type: string - message: - description: A human-readable message indicating details about the transition. - type: string - reason: - description: The reason for the condition's last transition. - type: string - status: - description: Status of the condition, one of True, False, Unknown. - type: string - type: - description: Type of EnvoyConfiguration condition. - type: string - required: - - status - - type - type: object - type: array - status: - type: string - xds: - properties: - resourceTypes: - additionalProperties: - description: XdsResourceTypeSyncStatus defines the sync status of xDS for a specific resource type - properties: - errorMessage: - description: ErrorMessage defines an optional message why the currently served resources of this resource type are rejected by the client. - type: string - resources: - additionalProperties: - description: XdsResourceStatus defines the status of xDS for a specific resource - properties: - version: - description: Version defines the version which is currently served for this resource. - type: string - required: - - version - type: object - description: Resources defines the resources which are currently served for this resource type. - type: object - status: - description: Status defines the current sync status of this resource type. - type: string - version: - description: Version defines the version which is currently served for this resource type. - type: string - required: - - resources - - status - - version - type: object - description: ResourceTypes defines the sync statuses for each resource type. - type: object - version: - description: Version defines the version of the underlying xDS snapshot. - type: integer - required: - - version - type: object - required: - - status - - xds - type: object - type: object - served: true - storage: true - subresources: - status: {} diff --git a/charts/airlock/microgateway/4.3.4/crds/envoyhttpfilters.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.3.4/crds/envoyhttpfilters.microgateway.airlock.com.yaml deleted file mode 100644 index 538ff672f..000000000 --- a/charts/airlock/microgateway/4.3.4/crds/envoyhttpfilters.microgateway.airlock.com.yaml +++ /dev/null @@ -1,58 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - app.kubernetes.io/name: airlock-microgateway-operator - app.kubernetes.io/version: 4.3.4 - name: envoyhttpfilters.microgateway.airlock.com -spec: - group: microgateway.airlock.com - names: - categories: - - airlock-microgateway - kind: EnvoyHTTPFilter - listKind: EnvoyHTTPFilterList - plural: envoyhttpfilters - singular: envoyhttpfilter - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - description: EnvoyHTTPFilter is an additional Envoy HTTP Filter resource which is added to those defined by the Airlock Microgateway. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Specification of the desired additional Envoy HTTP filter. - properties: - value: - description: Value defines the HTTP filter which is added to those configured by the Airlock Microgateway. - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - served: true - storage: true - subresources: {} diff --git a/charts/airlock/microgateway/4.3.4/crds/graphqls.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.3.4/crds/graphqls.microgateway.airlock.com.yaml deleted file mode 100644 index 165abe0a2..000000000 --- a/charts/airlock/microgateway/4.3.4/crds/graphqls.microgateway.airlock.com.yaml +++ /dev/null @@ -1,88 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - app.kubernetes.io/name: airlock-microgateway-operator - app.kubernetes.io/version: 4.3.4 - name: graphqls.microgateway.airlock.com -spec: - group: microgateway.airlock.com - names: - categories: - - airlock-microgateway - kind: GraphQL - listKind: GraphQLList - plural: graphqls - singular: graphql - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: GraphQL contains the configuration for the GraphQL specification. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Specification of the desired GraphQL specification. - properties: - settings: - description: Settings defines the settings to configure GraphQL. - properties: - allowIntrospection: - default: true - description: AllowIntrospection specifies if the introspection system is exposed. - type: boolean - allowMutations: - default: true - description: AllowMutations specifies if mutations are allowed. - type: boolean - schema: - description: Specifies the GraphQL schema. - properties: - source: - description: Source specifies the GraphQL schema to be enforced. - properties: - configMapRef: - description: ConfigMapRef references the configmap by its name containing the well-known key 'schema.graphql'. - properties: - name: - description: Name of the resource - minLength: 1 - type: string - required: - - name - type: object - type: object - required: - - source - type: object - threatHandlingMode: - default: Block - description: ThreatHandlingMode specifies how threats should be handled. - enum: - - Block - - LogOnly - type: string - type: object - type: object - type: object - served: true - storage: true diff --git a/charts/airlock/microgateway/4.3.4/crds/headerrewrites.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.3.4/crds/headerrewrites.microgateway.airlock.com.yaml deleted file mode 100644 index 72a1067f9..000000000 --- a/charts/airlock/microgateway/4.3.4/crds/headerrewrites.microgateway.airlock.com.yaml +++ /dev/null @@ -1,759 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - app.kubernetes.io/name: airlock-microgateway-operator - app.kubernetes.io/version: 4.3.4 - name: headerrewrites.microgateway.airlock.com -spec: - group: microgateway.airlock.com - names: - categories: - - airlock-microgateway - kind: HeaderRewrites - listKind: HeaderRewritesList - plural: headerrewrites - singular: headerrewrites - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: HeaderRewrites is the Schema for the headerrewrites API - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Specification of the desired header rewriting behavior. - properties: - request: - description: Request defines manipulations on upstream request headers. - properties: - add: - description: Add defines which request headers will be added before forwarding to the upstream. - properties: - custom: - description: |- - Custom allows configuring additional upstream request headers. - Add selected headers. - items: - properties: - headers: - description: Headers to add. - items: - description: HeaderRewritesHeader specifies a header with a particular value - properties: - name: - description: Name defines the name of a header. - minLength: 1 - type: string - value: - description: Value defines the value of a header. - type: string - required: - - name - - value - type: object - minItems: 1 - type: array - mode: - default: AddIfAbsent - description: Mode defines the header addition strategy. - enum: - - AddIfAbsent - - OverwriteOrAdd - type: string - name: - description: Name describing the configured operation. - minLength: 1 - type: string - required: - - headers - - name - type: object - minItems: 1 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - type: object - allow: - description: |- - Allow defines which request headers will be forwarded to the upstream. - This can either be allHeaders or matchingHeaders. - Default: matchingHeaders: {...} - properties: - allHeaders: - description: AllHeaders specifies that all request headers should be forwarded. - type: object - matchingHeaders: - description: MatchingHeaders specifies which request headers should be forwarded. - properties: - builtIn: - description: BuiltIn allows configuring a set of predefined upstream request headers. - properties: - standardHeaders: - default: true - description: StandardHeaders defines whether the request headers which are forwarded to the upstream will be restricted to a set of common request headers. - type: boolean - type: object - custom: - description: Custom allows configuring additional upstream request headers. - items: - properties: - headers: - description: Headers to allow. - items: - description: |- - HeaderMatcher defines a matcher for an HTTP header. - At least one of name and value must be set. - properties: - name: - description: Name defines the name of a header. - properties: - matcher: - description: Matcher defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - value: - description: Value defines the value of a header. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - type: object - minItems: 1 - type: array - name: - description: Name describing the configured operation. Must be unique. - minLength: 1 - type: string - required: - - headers - - name - type: object - minItems: 1 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - type: object - type: object - remove: - description: Remove defines which request headers will be removed before forwarding to the upstream. - properties: - builtIn: - description: BuiltIn allows configuring a set of predefined upstream request headers. - properties: - alternativeForwardedHeaders: - default: true - description: |- - AlternativeForwardedHeaders removes downstream request headers which could potentially - be abused to alter the upstream's view of the remote connection. - type: boolean - type: object - custom: - description: Custom allows configuring additional upstream request headers. - items: - properties: - headers: - description: Headers to remove. - items: - description: |- - HeaderMatcher defines a matcher for an HTTP header. - At least one of name and value must be set. - properties: - name: - description: Name defines the name of a header. - properties: - matcher: - description: Matcher defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - value: - description: Value defines the value of a header. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - type: object - minItems: 1 - type: array - name: - description: Name describing the configured operation. Must be unique. - minLength: 1 - type: string - required: - - headers - - name - type: object - minItems: 1 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - type: object - type: object - response: - description: Response defines manipulations on upstream response headers. - properties: - add: - description: Add defines which response headers will be added before forwarding to the downstream. - properties: - builtIn: - description: BuiltIn allows configuring a set of predefined upstream response headers. - properties: - csp: - default: true - description: |- - CSP sets a content security policy which allows only same-origin requests except for images - if the 'Content-Security-Policy' header is not set by the upstream. - type: boolean - featurePolicy: - default: false - description: |- - FeaturePolicy sets a feature policy which prevents cross-origin use of several browser features - if the 'Feature-Policy' header is not set by the upstream. - **Deprecated:** Use permissionsPolicy instead. - type: boolean - hsts: - default: true - description: HSTS enforces the use of HTTPS if the 'Strict-Transport-Security' header is not already set by the upstream. - type: boolean - hstsPreload: - default: false - description: HSTSPreload enforces the use of HTTPS including for subdomains and enables HSTS preload. - type: boolean - permissionsPolicy: - default: true - description: |- - PermissionsPolicy sets a permissions policy which prevents cross-origin use of several browser features - if the 'Permissions-Policy' header is not set by the upstream. - type: boolean - referrerPolicy: - default: true - description: |- - ReferrerPolicy ensures that no 'Referer' header is sent for cross-origin requests - if the 'Referrer-Policy' header is not set by the upstream. - type: boolean - xContentTypeOptions: - default: true - description: XContentTypeOptions sets 'X-Content-Type-Options' to 'nosniff' if it is not set by the upstream. - type: boolean - xFrameOptions: - default: true - description: XFrameOptions sets 'X-Frame-Options' to SAMEORIGIN if it is not set by the upstream. - type: boolean - type: object - custom: - description: Custom allows configuring additional upstream response headers. - items: - properties: - headers: - description: Headers to add. - items: - description: HeaderRewritesHeader specifies a header with a particular value - properties: - name: - description: Name defines the name of a header. - minLength: 1 - type: string - value: - description: Value defines the value of a header. - type: string - required: - - name - - value - type: object - minItems: 1 - type: array - mode: - default: AddIfAbsent - description: Mode defines the header addition strategy. - enum: - - AddIfAbsent - - OverwriteOrAdd - type: string - name: - description: Name describing the configured operation. - minLength: 1 - type: string - required: - - headers - - name - type: object - minItems: 1 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - type: object - allow: - description: |- - Allow defines which response headers will be forwarded to the downstream. - This can either be allHeaders or matchingHeaders. - Default: allHeaders: {} - properties: - allHeaders: - description: AllHeaders specifies that all response headers should be forwarded. - type: object - matchingHeaders: - description: MatchingHeaders specifies which response headers should be forwarded. - properties: - builtIn: - description: BuiltIn allows configuring a set of predefined upstream response header. - properties: - standardHeaders: - default: false - description: StandardHeaders defines whether the response headers which are forwarded to the downstream will be restricted to a set of common response headers. - type: boolean - type: object - custom: - description: Custom allows configuring additional upstream response headers. - items: - properties: - headers: - description: Headers to allow. - items: - description: |- - HeaderMatcher defines a matcher for an HTTP header. - At least one of name and value must be set. - properties: - name: - description: Name defines the name of a header. - properties: - matcher: - description: Matcher defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - value: - description: Value defines the value of a header. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - type: object - minItems: 1 - type: array - name: - description: Name describing the configured operation. Must be unique. - minLength: 1 - type: string - required: - - headers - - name - type: object - minItems: 1 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - type: object - type: object - remove: - description: Remove defines which response headers will be removed before forwarding to the downstream. - properties: - builtIn: - description: BuiltIn allows configuring a set of predefined upstream response headers. - properties: - auth: - description: Auth defines the categories of headers concerning authentication. - properties: - basic: - default: false - description: Basic removes upstream response headers that advise clients to authenticate with Basic Authentication. - type: boolean - negotiate: - default: true - description: Negotiate removes upstream response headers that advise clients to authenticate with Negotiate. - type: boolean - ntlm: - default: true - description: |- - NTLM removes upstream response headers that advise clients to authenticate with NTLM. - By default, these headers are removed, because NTLM pass-through is not supported. - type: boolean - type: object - informationLeakage: - description: InformationLeakage defines the categories of headers concerning information leakage. - properties: - application: - default: true - description: Application removes upstream response headers that leak information about the deployed software. - type: boolean - server: - default: true - description: Server removes upstream response headers that leak information about the server. - type: boolean - type: object - permissiveCors: - default: true - description: PermissiveCORS removes upstream response headers for CORS (Cross-Origin Resource Sharing) which have no restrictions and therefore reduce client-side security. - type: boolean - type: object - custom: - description: Custom allows configuring additional upstream response headers. - items: - properties: - headers: - description: Headers to remove. - items: - description: |- - HeaderMatcher defines a matcher for an HTTP header. - At least one of name and value must be set. - properties: - name: - description: Name defines the name of a header. - properties: - matcher: - description: Matcher defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - value: - description: Value defines the value of a header. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - type: object - minItems: 1 - type: array - name: - description: Name describing the configured remove operation. Must be unique. - minLength: 1 - type: string - required: - - headers - - name - type: object - minItems: 1 - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - type: object - type: object - settings: - description: Settings configures the HeaderRewrites filter. - properties: - operationalMode: - default: Production - description: OperationalMode defines the behavior of the filter. In integration mode more information is logged about the requests and responses. - enum: - - Production - - Integration - type: string - type: object - type: object - type: object - served: true - storage: true diff --git a/charts/airlock/microgateway/4.3.4/crds/identitypropagations.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.3.4/crds/identitypropagations.microgateway.airlock.com.yaml deleted file mode 100644 index 661e932f7..000000000 --- a/charts/airlock/microgateway/4.3.4/crds/identitypropagations.microgateway.airlock.com.yaml +++ /dev/null @@ -1,108 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - app.kubernetes.io/name: airlock-microgateway-operator - app.kubernetes.io/version: 4.3.4 - name: identitypropagations.microgateway.airlock.com -spec: - group: microgateway.airlock.com - names: - categories: - - airlock-microgateway - kind: IdentityPropagation - listKind: IdentityPropagationList - plural: identitypropagations - singular: identitypropagation - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - description: IdentityPropagation specifies the desired identity propagation. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Specification of the desired identity propagation. - properties: - header: - description: Header configures identity propagation via a request header. - properties: - name: - description: Name of the header to set. - minLength: 1 - type: string - value: - description: Value to propagate to the application. - properties: - source: - description: Source from which to extract the value. - properties: - metadata: - description: Metadata specifies to extract a value from an Envoy dynamic filter metadata key. - properties: - key: - description: Key specifies the metadata key from which to load the value, e.g. `some_payload.aud`. - minLength: 1 - type: string - namespace: - description: Namespace specifies the metadata namespace within which the lookup should be performed, e.g. `envoy.filters.http.jwt_authn`. - minLength: 1 - type: string - required: - - key - - namespace - type: object - oidc: - description: OIDC specifies to extract a value from the result of an OpenID Connect flow. - properties: - idToken: - description: IDToken specifies to extract the value from the OpenID Connect ID Token. - properties: - claim: - description: Claim selects the JWT claim from which to extract the value. - minLength: 1 - type: string - required: - - claim - type: object - required: - - idToken - type: object - type: object - required: - - source - type: object - required: - - name - - value - type: object - type: object - required: - - spec - type: object - served: true - storage: true - subresources: {} diff --git a/charts/airlock/microgateway/4.3.4/crds/limits.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.3.4/crds/limits.microgateway.airlock.com.yaml deleted file mode 100644 index a75813dc4..000000000 --- a/charts/airlock/microgateway/4.3.4/crds/limits.microgateway.airlock.com.yaml +++ /dev/null @@ -1,651 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - app.kubernetes.io/name: airlock-microgateway-operator - app.kubernetes.io/version: 4.3.4 - name: limits.microgateway.airlock.com -spec: - group: microgateway.airlock.com - names: - categories: - - airlock-microgateway - kind: Limits - listKind: LimitsList - plural: limits - singular: limits - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: Limits contains the configuration for limits. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Specification of the desired limits behavior. - properties: - request: - description: Request defines the limits for requests. - properties: - limited: - description: Limited enables limits on request scope. - properties: - exceptions: - description: Exceptions defines limit exceptions. - items: - description: LimitsException defines an exception for limits. - properties: - length: - description: Length defines an exception for length limits based on the data element exceeding the limit. - properties: - graphQL: - description: GraphQL defines a field, argument or value length limit exception for a GraphQL query. - properties: - argument: - description: |- - Argument restricts the exception to GraphQL queries with a matching argument of a field. - At least one of field, argument and value must be set. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - field: - description: |- - Field restricts the exception to GraphQL queries with a matching field. - At least one of field, argument and value must be set. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - value: - description: |- - Value restricts the exception to GraphQL queries with a matching argument value. - At least one of field, argument and value must be set. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - type: object - json: - description: JSON defines a key and value length limit exception for a JSON property. - properties: - jsonPath: - description: |- - JSONPath restricts the exception to JSON properties with a matching JSONPath. - Expressions in JSONPath i.e. `?(expr)` are not supported. - minLength: 1 - type: string - required: - - jsonPath - type: object - parameter: - description: Parameter defines a name and value length limit exception for a parameter. - properties: - name: - description: Name restricts the exception to parameters with a matching name. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - source: - default: Any - description: Source restricts the exception to parameters of this kind. - enum: - - Query - - Post - - Any - type: string - required: - - name - type: object - type: object - requestConditions: - description: RequestConditions defines additional request properties which must be matched in order for this exception to apply. - properties: - header: - description: Header defines the matching headers of a request. - properties: - name: - description: Name defines the name of a header. - properties: - matcher: - description: Matcher defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - value: - description: Value defines the value of a header. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - type: object - invert: - default: false - description: Invert indicates whether the request condition should be inverted. - type: boolean - mediaType: - description: MediaType defines the matching media type from the content-type header of a request. - properties: - matcher: - description: |- - NonInvertableCaseInsensitiveStringMatcher defines the way to match a string. - In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - method: - description: Method defines the matching methods of a request. - items: - description: Method defines common HTTP methods. - enum: - - GET - - HEAD - - POST - - PUT - - PATCH - - DELETE - - CONNECT - - OPTIONS - - TRACE - type: string - type: array - path: - description: Path defines the matching path of a request. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - remoteIP: - description: RemoteIP defines the matching remote IPs of a request. - properties: - cidrRanges: - description: CIDRRanges defines the IPv4 or IPv6 CIDR ranges, e.g. ``196.148.3.128/26`` or ``2001:db8::/28``. - items: - description: CIDRRange defines an IPv4 or IPv6 CIDR range, e.g. “196.148.3.128/26“ or “2001:db8::/28“. - format: cidr - type: string - minItems: 1 - type: array - invert: - default: false - description: Invert indicates whether the match should be inverted. - type: boolean - required: - - cidrRanges - type: object - type: object - type: object - type: array - general: - description: General defines general request limits. - properties: - bodySize: - anyOf: - - type: integer - - type: string - default: 100Mi - description: BodySize limits the total size of the request body. It specifies the number of bytes (0 = unlimited). This limit is effective for any request not processed by one of the content parsers (e.g. json) as configured in the Parser CRD. **Note** This limit does not apply to WebSocket or gRPC traffic. - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - pathLength: - anyOf: - - type: integer - - type: string - default: 1Ki - description: PathLength defines the maximum path length for all requests (parsed and unparsed). - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - graphQL: - description: GraphQL defines the limits for GraphQL requests. - properties: - nestingDepth: - default: 10 - description: NestingDepth defines the maximum depth of nesting for GraphQL objects. - format: int64 - type: integer - querySize: - anyOf: - - type: integer - - type: string - default: 1Ki - description: QuerySize defines the maximum size for GraphQL queries. - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - valueLength: - anyOf: - - type: integer - - type: string - default: "256" - description: ValueLength defines the maximum length for GraphQL values. - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - json: - description: JSON defines the limits for JSON requests. - properties: - bodySize: - anyOf: - - type: integer - - type: string - default: 100Ki - description: BodySize limits the total size of the JSON request body. It specifies the number of bytes (0 = unlimited). - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - elementCount: - default: 10000 - description: ElementCount defines the maximum number of keys and array items in the whole JSON document (recursive). - format: int64 - type: integer - keyCount: - default: 250 - description: KeyCount defines the maximum number of keys of a single JSON object (non-recursive). - format: int64 - type: integer - keyLength: - anyOf: - - type: integer - - type: string - default: "128" - description: KeyLength defines the maximum length for JSON keys. - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - nestingDepth: - default: 100 - description: NestingDepth defines the maximum depth of nesting for JSON objects and JSON arrays. - format: int64 - type: integer - valueLength: - anyOf: - - type: integer - - type: string - default: 8Ki - description: ValueLength defines the maximum length for JSON values. - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - multipart: - description: Multipart defines the limits for Multipart requests. - properties: - bodySize: - anyOf: - - type: integer - - type: string - default: 100Mi - description: BodySize limits the total size of the Multipart request body. It specifies the number of bytes (0 = unlimited). - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - parameter: - description: Parameter defines the limits for request parameters. - properties: - bodySize: - anyOf: - - type: integer - - type: string - default: 100Ki - description: BodySize limits the total size of the form data body. It specifies the number of bytes (0 = unlimited). - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - count: - default: 128 - description: Count defines the maximum number of request parameters. - format: int64 - type: integer - nameLength: - anyOf: - - type: integer - - type: string - default: "128" - description: NameLength defines the maximum length for parameter names. - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - valueLength: - anyOf: - - type: integer - - type: string - default: 8Ki - description: ValueLength defines the maximum length for parameter values. - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - type: object - unlimited: - description: Unlimited disables all limits on request scope. - type: object - type: object - settings: - description: Settings configures the limits filter. - properties: - threatHandlingMode: - default: Block - description: ThreatHandlingMode specifies how threats should be handled when a limit hits. - enum: - - Block - - LogOnly - type: string - type: object - type: object - type: object - served: true - storage: true diff --git a/charts/airlock/microgateway/4.3.4/crds/oidcproviders.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.3.4/crds/oidcproviders.microgateway.airlock.com.yaml deleted file mode 100644 index 030bd153b..000000000 --- a/charts/airlock/microgateway/4.3.4/crds/oidcproviders.microgateway.airlock.com.yaml +++ /dev/null @@ -1,305 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - app.kubernetes.io/name: airlock-microgateway-operator - app.kubernetes.io/version: 4.3.4 - name: oidcproviders.microgateway.airlock.com -spec: - group: microgateway.airlock.com - names: - categories: - - airlock-microgateway - kind: OIDCProvider - listKind: OIDCProviderList - plural: oidcproviders - singular: oidcprovider - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - OIDCProvider specifies an OpenID Provider (OP). - - - {{% notice warning %}} The OIDC feature is currently in an experimental state. - - - We encourage you to try it out and give feedback, but be aware that we do not recommend using it in a production environment yet, as security has not yet been hardened. - In particular, the current implementation has the following limitations, which we intend to address in future Microgateway releases: - - The state parameter is guessable. - - Sessions are always shared across all Microgateway Engines using the same Redis instance. - I.e. if application A and B (with different SidecarGateways) have the same Redis instance configured in their SessionHandling CR, users which are logged into application A - may be able to access authenticated routes on application B, even if their OIDCRelyingParty configuration differs. - - - {{% /notice %}} - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Specification of an OpenID Provider. - properties: - static: - description: Static configures an OpenID Provider by explicitly specifying all endpoints. - properties: - endpoints: - description: Endpoints specifies the OpenID Provider endpoints. - properties: - authorization: - description: Authorization specifies the endpoint to which the authorization request is sent. - properties: - uri: - description: URI specifies the endpoint address. - format: uri - minLength: 1 - pattern: ^(http|https)://.*$ - type: string - required: - - uri - type: object - token: - description: Token configures the endpoint from which the access, ID and refresh tokens are obtained. - properties: - tls: - description: TLS defines TLS settings. - properties: - certificateVerification: - description: CertificateVerification specifies how the certificate presented by the server is verified. - properties: - custom: - description: |- - Custom explicitly specifies how the server certificate should be verified. - Typical use cases include specifying a custom CA and SAN match when working with self-signed certificates or pinning a specific public key. - properties: - allowedSANs: - description: |- - AllowedSANs is a list of matchers to verify the Subject Alternative name. If specified, it will verify that the - Subject Alternative Name of the presented certificate matches one of the specified matchers. The matching uses “any” semantics, - that is to say, the SAN is verified if at least one matcher is matched. - AllowedSANs requires trustedCA to be set. - items: - description: |- - TLSValidationContextSANMatcher is a list of matchers to verify the Subject Alternative name. If specified, it will verify that the - Subject Alternative Name of the presented certificate matches one of the specified matchers. - properties: - matcher: - description: Matcher defines the string matcher for the SAN value. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - sanType: - description: SanType defines the type of SAN matcher. - enum: - - DNS - - Email - - URI - - IPAddress - type: string - required: - - matcher - - sanType - type: object - minItems: 1 - type: array - certificatePinning: - description: |- - CertificatePinning defines constraints the presented certificate must fulfill. - If more than one constraint is configured only one must be satisfied. - At least one of allowedSPKIs and allowedHashes must be set. - properties: - allowedHashes: - description: |- - AllowedHashes is a list of hex-encoded SHA-256 hashes. - If specified, it will verify that the SHA-256 of the DER-encoded presented certificate matches one of the specified values. - items: - type: string - minItems: 1 - type: array - allowedSPKIs: - description: |- - AllowedSPKIs is a list of base64-encoded SHA-256 hashes. - If specified, it will verify that the SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate matches one of the specified values. - items: - type: string - minItems: 1 - type: array - type: object - crl: - description: CRL defines the Certificate Revocation List (CRL) settings. - properties: - lists: - description: Lists defines the list of secretRefs containing Certificate Revocation Lists. - items: - properties: - secretRef: - description: SecretRef defines the reference to a secret containing one or more CRL's (in PEM format) under the key 'ca.crl'. - properties: - name: - description: Name of the resource - minLength: 1 - type: string - required: - - name - type: object - required: - - secretRef - type: object - minItems: 1 - type: array - validationMode: - default: VerifyChain - description: ValidationMode defines whether only the leaf certificate or also the CA certs should be checked. - enum: - - VerifyLeafCertOnly - - VerifyChain - type: string - type: object - trustedCA: - description: TrustedCA defines which CA certificates are trusted. - properties: - certificates: - description: Certificates defines the list of secretRefs containing trusted CA certificates. - items: - properties: - secretRef: - description: SecretRef defines the reference to a secret containing one or more CA certificates under the key 'ca.crt'. - properties: - name: - description: Name of the resource - minLength: 1 - type: string - required: - - name - type: object - required: - - secretRef - type: object - minItems: 1 - type: array - verificationDepth: - default: 1 - description: |- - VerificationDepth specifies the hops in the certificate chain at which validation is performed. - 1 means that either the leaf or the signing CA must be in the set of trusted certificates. - format: int32 - type: integer - required: - - certificates - type: object - type: object - disabled: - description: |- - Disabled specifies to trust any certificate without verification. - THIS IS INSECURE AND SHOULD ONLY BE USED FOR TESTING. - type: object - publicCAs: - description: PublicCAs specifies to only accept certificates with a SAN matching "uri" and which are signed by a CA which is either directly or indirectly trusted by any of the root CA certificates shipped with the Airlock Microgateway Engine's base image. - type: object - type: object - ciphers: - description: Ciphers defines a list of the supported TLS cipher suites. For details on cipher list refer to the envoy documentation on cipher_suites in common tls configuration. - items: - type: string - minItems: 1 - type: array - protocol: - description: Protocol defines the supported TLS protocol versions. - properties: - maximum: - description: Maximum supported TLS version. - enum: - - TLSv1_0 - - TLSv1_1 - - TLSv1_2 - - TLSv1_3 - type: string - minimum: - description: Minimum supported TLS version. - enum: - - TLSv1_0 - - TLSv1_1 - - TLSv1_2 - - TLSv1_3 - type: string - type: object - type: object - uri: - description: URI specifies the endpoint address. - format: uri - minLength: 1 - pattern: ^(http|https)://.*$ - type: string - required: - - uri - type: object - required: - - authorization - - token - type: object - required: - - endpoints - type: object - type: object - required: - - spec - type: object - served: true - storage: true - subresources: {} diff --git a/charts/airlock/microgateway/4.3.4/crds/oidcrelyingparties.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.3.4/crds/oidcrelyingparties.microgateway.airlock.com.yaml deleted file mode 100644 index 7398b262b..000000000 --- a/charts/airlock/microgateway/4.3.4/crds/oidcrelyingparties.microgateway.airlock.com.yaml +++ /dev/null @@ -1,224 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - app.kubernetes.io/name: airlock-microgateway-operator - app.kubernetes.io/version: 4.3.4 - name: oidcrelyingparties.microgateway.airlock.com -spec: - group: microgateway.airlock.com - names: - categories: - - airlock-microgateway - kind: OIDCRelyingParty - listKind: OIDCRelyingPartyList - plural: oidcrelyingparties - singular: oidcrelyingparty - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - OIDCRelyingParty specifies how the Airlock Microgateway Engine interacts with an OpenID Provider (OP). - - - {{% notice warning %}} The OIDC feature is currently in an experimental state. - - - We encourage you to try it out and give feedback, but be aware that we do not recommend using it in a production environment yet, as security has not yet been hardened. - In particular, the current implementation has the following limitations, which we intend to address in future Microgateway releases: - - The state parameter is guessable. - - Sessions are always shared across all Microgateway Engines using the same Redis instance. - I.e. if application A and B (with different SidecarGateways) have the same Redis instance configured in their SessionHandling CR, users which are logged into application A - may be able to access authenticated routes on application B, even if their OIDCRelyingParty configuration differs. - - - {{% /notice %}} - {{% notice info %}} The OIDC feature requires SessionHandling to be configured in the SidecarGateway. {{% /notice %}} - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Specification of the OIDC Relying Party configuration. - properties: - clientID: - description: ClientID specifies the OIDCRelyingParty "client_id". - minLength: 1 - type: string - credentials: - description: Credentials used for client authentication on the back-channel with the authorization server. - properties: - clientSecret: - description: ClientSecret authenticates with the client password issued by the OpenID Provider (OP). - properties: - method: - default: BasicAuth - description: Method specifies in which format the client secret is sent with the authorization request. - enum: - - BasicAuth - - FormURLEncoded - type: string - secretRef: - description: SecretRef specifies the kubernetes secret containing the client password with key "client.secret". - properties: - name: - description: Name of the resource - minLength: 1 - type: string - required: - - name - type: object - required: - - secretRef - type: object - required: - - clientSecret - type: object - oidcProviderRef: - description: OIDCProviderRef selects the OpenID Provider (OP) used to authenticate users. - properties: - name: - description: Name of the resource - minLength: 1 - type: string - required: - - name - type: object - pathMapping: - description: PathMapping configures the action matching. - properties: - logoutPath: - description: LogoutPath specifies which request paths should initiate a logout. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - redirectPath: - description: RedirectPath specifies which request paths should be interpreted as a response from the authorization endpoint. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - required: - - logoutPath - - redirectPath - type: object - redirectURI: - description: |- - RedirectURI configures the "redirect_uri" parameter included in the authorization request. - May contain envoy command operators, e.g. '%REQ(:x-forwarded-proto)%://%REQ(:authority)%/callback'. - minLength: 1 - type: string - required: - - clientID - - credentials - - oidcProviderRef - - pathMapping - - redirectURI - type: object - required: - - spec - type: object - served: true - storage: true - subresources: {} diff --git a/charts/airlock/microgateway/4.3.4/crds/openapis.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.3.4/crds/openapis.microgateway.airlock.com.yaml deleted file mode 100644 index b05f43ef2..000000000 --- a/charts/airlock/microgateway/4.3.4/crds/openapis.microgateway.airlock.com.yaml +++ /dev/null @@ -1,167 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - app.kubernetes.io/name: airlock-microgateway-operator - app.kubernetes.io/version: 4.3.4 - name: openapis.microgateway.airlock.com -spec: - group: microgateway.airlock.com - names: - categories: - - airlock-microgateway - kind: OpenAPI - listKind: OpenAPIList - plural: openapis - singular: openapi - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: OpenAPI contains the configuration for the OpenAPI specification. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Specification of the desired OpenAPI specification. - properties: - response: - description: Response defines the validation behaviour for responses. - properties: - secured: - description: Secured enables response checking. - properties: - validation: - default: Lax - description: Validation defines the validation mode for responses. - enum: - - Lax - - Strict - type: string - type: object - unsecured: - description: Unsecured disables response checking. - type: object - type: object - settings: - description: Settings defines the settings to configure OpenAPI specification enforcement. - properties: - logging: - description: Logging specifies the access log behavior. - properties: - maxFailedSubvalidations: - default: 10 - description: MaxFailedSubvalidations defines the maximum number of failed subvalidations being logged. - format: int64 - type: integer - type: object - schema: - description: Schema configures the OpenAPI specification. - properties: - source: - description: Source specifies the OpenAPI specification to be enforced. - properties: - configMapRef: - description: ConfigMapRef references the configmap by its name containing the well-known key 'openapi.json'. - properties: - name: - description: Name of the resource - minLength: 1 - type: string - required: - - name - type: object - type: object - required: - - source - type: object - threatHandlingMode: - default: Block - description: ThreatHandlingMode specifies how threats should be handled. - enum: - - Block - - LogOnly - type: string - validation: - description: Validation specifies the patterns for the validation behavior. - properties: - authentication: - description: Authentication defines the settings for the authentication scheme. - properties: - oAuth2: - description: OAuth2 specifies the OAuth2 parameters. - properties: - allowedParameters: - description: AllowedParameters specifies the allowed parameters for the authentication scheme. - properties: - builtIn: - description: BuiltIn allows configuring a set of predefined allowed parameters. - properties: - standardParameters: - default: true - description: StandardParameters defines whether the allowed parameters should be expanded by the set of common parameters. - type: boolean - type: object - custom: - description: Custom allows configuring additional allowed parameters. - items: - minLength: 1 - type: string - minItems: 1 - type: array - type: object - type: object - oidc: - description: Oidc specifies the OIDC parameters. - properties: - allowedParameters: - description: AllowedParameters specifies the allowed parameters for the authentication scheme. - properties: - builtIn: - description: BuiltIn allows configuring a set of predefined allowed parameters. - properties: - standardParameters: - default: true - description: StandardParameters defines whether the allowed parameters should be expanded by the set of common parameters. - type: boolean - type: object - custom: - description: Custom allows configuring additional allowed parameters. - items: - minLength: 1 - type: string - minItems: 1 - type: array - type: object - type: object - type: object - type: object - required: - - schema - type: object - required: - - settings - type: object - required: - - spec - type: object - served: true - storage: true diff --git a/charts/airlock/microgateway/4.3.4/crds/parsers.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.3.4/crds/parsers.microgateway.airlock.com.yaml deleted file mode 100644 index 15171f2b7..000000000 --- a/charts/airlock/microgateway/4.3.4/crds/parsers.microgateway.airlock.com.yaml +++ /dev/null @@ -1,358 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - app.kubernetes.io/name: airlock-microgateway-operator - app.kubernetes.io/version: 4.3.4 - name: parsers.microgateway.airlock.com -spec: - group: microgateway.airlock.com - names: - categories: - - airlock-microgateway - kind: Parser - listKind: ParserList - plural: parsers - singular: parser - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: Parser contains the configuration for content parsers (default and custom). - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Specification of the desired parser behavior. - properties: - request: - description: Request defines the parsing for downstream requests. - properties: - custom: - description: Custom allows configuring additional rules for parser selection. - properties: - rules: - description: |- - Rules defines a custom set prepended before built-in rules of enabled request parsers. - Disable all built-in parsers to overrule them completely. - items: - properties: - action: - description: |- - Action specifies what should happen when a request condition matches. - Only one of parse or skip can be set. - properties: - parse: - description: Parse activates the configured parser. - properties: - form: - description: Form activates the Form parser. - type: object - json: - description: JSON activates the JSON parser. - type: object - multipart: - description: Multipart activates the multipart parser. - type: object - type: object - skip: - description: Skip disables any content parsing - type: object - type: object - requestConditions: - description: RequestConditions defines additional request properties which must be matched in order for this rule to apply. - properties: - header: - description: Header defines the matching headers of a request. - properties: - name: - description: Name defines the name of a header. - properties: - matcher: - description: Matcher defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - value: - description: Value defines the value of a header. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - type: object - invert: - default: false - description: Invert indicates whether the request condition should be inverted. - type: boolean - mediaType: - description: MediaType defines the matching media type from the content-type header of a request. - properties: - matcher: - description: |- - NonInvertableCaseInsensitiveStringMatcher defines the way to match a string. - In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - method: - description: Method defines the matching methods of a request. - items: - description: Method defines common HTTP methods. - enum: - - GET - - HEAD - - POST - - PUT - - PATCH - - DELETE - - CONNECT - - OPTIONS - - TRACE - type: string - type: array - path: - description: Path defines the matching path of a request. - properties: - matcher: - description: StringMatcher defines the way to match a string. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - required: - - matcher - type: object - remoteIP: - description: RemoteIP defines the matching remote IPs of a request. - properties: - cidrRanges: - description: CIDRRanges defines the IPv4 or IPv6 CIDR ranges, e.g. ``196.148.3.128/26`` or ``2001:db8::/28``. - items: - description: CIDRRange defines an IPv4 or IPv6 CIDR range, e.g. “196.148.3.128/26“ or “2001:db8::/28“. - format: cidr - type: string - minItems: 1 - type: array - invert: - default: false - description: Invert indicates whether the match should be inverted. - type: boolean - required: - - cidrRanges - type: object - type: object - required: - - action - - requestConditions - type: object - type: array - type: object - defaultContentType: - default: application/x-www-form-urlencoded - description: DefaultContentType specifies the content-type header which should be injected into the request before parser selection if it is not already present and the request has a body. - minLength: 1 - type: string - parsers: - description: Parsers defines the configuration for the available content parsers. - properties: - form: - description: Form defines the configuration for the form parser. - properties: - enable: - default: true - description: Enable defines whether form payloads are inspected. - type: boolean - mediaTypePattern: - default: .*urlencoded.* - description: MediaTypePattern is a regex specifying the media types for which the request body should be treated as form arguments. - minLength: 1 - type: string - type: object - json: - description: JSON defines the configuration for the JSON parser. - properties: - enable: - default: true - description: Enable defines whether json payloads are inspected. - type: boolean - mediaTypePattern: - default: .*json.* - description: MediaTypePattern is a regex specifying the media types for which the request body should be treated as JSON. - minLength: 1 - type: string - type: object - multipart: - description: Multipart defines the configuration for the multipart parser. - properties: - enable: - default: true - description: Enable defines whether multipart payloads are inspected. - type: boolean - mediaTypePattern: - default: .*multipart.* - description: MediaTypePattern is a regex specifying the media types for which the request body should be treated as a multipart payload. - minLength: 1 - type: string - type: object - type: object - type: object - type: object - type: object - served: true - storage: true diff --git a/charts/airlock/microgateway/4.3.4/crds/redisproviders.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.3.4/crds/redisproviders.microgateway.airlock.com.yaml deleted file mode 100644 index 9acdf4ddb..000000000 --- a/charts/airlock/microgateway/4.3.4/crds/redisproviders.microgateway.airlock.com.yaml +++ /dev/null @@ -1,159 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - app.kubernetes.io/name: airlock-microgateway-operator - app.kubernetes.io/version: 4.3.4 - name: redisproviders.microgateway.airlock.com -spec: - group: microgateway.airlock.com - names: - categories: - - airlock-microgateway - kind: RedisProvider - listKind: RedisProviderList - plural: redisproviders - singular: redisprovider - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: RedisProvider contains a client configuration for connecting to a Redis database. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Specification of a Redis database client configuration. - properties: - auth: - description: Auth specifies the Redis credentials. - properties: - password: - description: Password specifies the Redis password. - properties: - secretRef: - description: SecretRef selects the secret containing the Redis password under the key 'redis.password'. - properties: - name: - description: Name of the resource - minLength: 1 - type: string - required: - - name - type: object - required: - - secretRef - type: object - username: - default: default - description: Username specifies the Redis username to authenticate with. - minLength: 1 - pattern: ^[^\s]+$ - type: string - required: - - password - type: object - mode: - description: Mode configures the redis deployment mode. - properties: - standalone: - description: Standalone specifies the standalone Redis instance to connect to. - properties: - host: - description: Host specifies the IP or hostname. - minLength: 1 - pattern: ^(\d{1,3}(\.\d{1,3}){3}|([0-9a-fA-F]{1,4}|:)+(:\d{1,3}(\.\d{1,3}){3})?|[a-z0-9\-]+(\.[a-z0-9\-]+)*)$ - type: string - port: - default: 6379 - description: Port specifies the port. - maximum: 65535 - minimum: 1 - type: integer - required: - - host - type: object - type: object - timeouts: - description: Timeouts specifies the timeouts when interacting with the Redis endpoint. - properties: - connect: - default: 5s - description: Connect specifies the timeout for establishing a connection. - type: string - maxDuration: - default: 2s - description: MaxDuration specifies the response timeout. - type: string - type: object - tls: - description: TLS defines TLS settings. If not specified, TLS is disabled i.e. unencrypted TCP is used when connecting to the Redis instance. - properties: - certificateVerification: - description: CertificateVerification specifies how the certificate presented by the server is verified. - properties: - custom: - description: Custom explicitly specifies how the server certificate should be verified. - properties: - trustedCA: - description: TrustedCA defines which CA certificates are trusted. - properties: - certificates: - description: Certificates defines the list of secretRefs containing trusted CA certificates. - items: - properties: - secretRef: - description: SecretRef defines the reference to a secret containing one or more CA certificates under the key 'ca.crt'. - properties: - name: - description: Name of the resource - minLength: 1 - type: string - required: - - name - type: object - required: - - secretRef - type: object - minItems: 1 - type: array - required: - - certificates - type: object - required: - - trustedCA - type: object - disabled: - description: 'Disabled specifies to trust any certificate without verification. THIS IS INSECURE AND SHOULD ONLY BE USED FOR TESTING. Note: This setting currently also disables TLS SNI.' - type: object - publicCAs: - description: PublicCAs specifies to only accept certificates with a SAN matching the host and which are signed by a CA which is either directly or indirectly trusted by any of the root CA certificates shipped with the Airlock Microgateway Session Agent’s base image. - type: object - type: object - type: object - required: - - mode - type: object - required: - - spec - type: object - served: true - storage: true diff --git a/charts/airlock/microgateway/4.3.4/crds/sessionhandlings.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.3.4/crds/sessionhandlings.microgateway.airlock.com.yaml deleted file mode 100644 index bb4c0f9c1..000000000 --- a/charts/airlock/microgateway/4.3.4/crds/sessionhandlings.microgateway.airlock.com.yaml +++ /dev/null @@ -1,77 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - app.kubernetes.io/name: airlock-microgateway-operator - app.kubernetes.io/version: 4.3.4 - name: sessionhandlings.microgateway.airlock.com -spec: - group: microgateway.airlock.com - names: - categories: - - airlock-microgateway - kind: SessionHandling - listKind: SessionHandlingList - plural: sessionhandlings - singular: sessionhandling - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: |- - SessionHandling contains the configuration for session handling. - - - {{% notice warning %}} The Session Handling feature (required for OIDC) is currently in an experimental state. - - - We encourage you to try it out and give feedback, but be aware that we do not recommend using it in a production environment yet, as high-availability Redis configurations (e.g. Sentinel/Cluster) are not yet supported. - {{% /notice %}} - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Specification of the desired session handling behavior. - properties: - persistence: - description: Persistence configures where to store the session state. - properties: - redisProviderRef: - description: RedisProviderRef specifies to cache session information in the provided Redis instance. - properties: - name: - description: Name of the resource - minLength: 1 - type: string - required: - - name - type: object - required: - - redisProviderRef - type: object - required: - - persistence - type: object - required: - - spec - type: object - served: true - storage: true diff --git a/charts/airlock/microgateway/4.3.4/crds/sidecargateways.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.3.4/crds/sidecargateways.microgateway.airlock.com.yaml deleted file mode 100644 index 6847f7393..000000000 --- a/charts/airlock/microgateway/4.3.4/crds/sidecargateways.microgateway.airlock.com.yaml +++ /dev/null @@ -1,758 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - app.kubernetes.io/name: airlock-microgateway-operator - app.kubernetes.io/version: 4.3.4 - name: sidecargateways.microgateway.airlock.com -spec: - group: microgateway.airlock.com - names: - categories: - - airlock-microgateway - kind: SidecarGateway - listKind: SidecarGatewayList - plural: sidecargateways - singular: sidecargateway - scope: Namespaced - versions: - - additionalPrinterColumns: - - jsonPath: .status.status - name: Status - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha1 - schema: - openAPIV3Schema: - description: SidecarGateway contains the configuration how to configure the Airlock Microgateway Engine when used as Sidecar Container within the Pod of an application. - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Specification of the desired sidecar gateway behavior. - properties: - applications: - description: Applications defines applications which run on different ports. - items: - properties: - containerPort: - default: 8080 - description: |- - ContainerPort refers to the container port. - This must be a valid port number, 0 < x < 65536. - format: int32 - maximum: 65535 - minimum: 1 - type: integer - downstream: - description: Downstream defines the downstream configuration for this application - properties: - protocol: - description: |- - Protocol defines the exposed HTTP protocol version. At most one of http1, http2 and auto can be set. - Default: auto: {} - properties: - auto: - description: Auto specifies that the protocol should be inferred. - properties: - http2: - description: HTTP2 specifies the settings for when HTTP/2 is inferred. - properties: - allowConnect: - default: false - description: Allows proxying Websocket and other upgrades over H2 connect. - type: boolean - type: object - type: object - http1: - description: HTTP1 specifies that the client is assumed to speak HTTP/1.1. - type: object - http2: - description: HTTP2 specifies that the client is assumed to speak HTTP/2. - properties: - allowConnect: - default: false - description: Allows proxying Websocket and other upgrades over H2 connect. - type: boolean - type: object - type: object - remoteIP: - description: |- - RemoteIP defines how the remote IP of a client is propagated. - Default: xff: {...} - properties: - connectionIP: - description: ConnectionIP configures to use the source IP address of the direct downstream connection. - type: object - customHeader: - description: CustomHeader specifies to use a custom header for remote IP extraction. - properties: - headerName: - description: HeaderName specifies the name of the custom header containing the remote IP. - minLength: 1 - type: string - required: - default: true - description: Required specifies if the custom header is required. If true and not available the request will be rejected with 403. - type: boolean - required: - - headerName - type: object - xff: - description: XFF configures to use the standard 'X-Forwarded-For' header for IP extraction. - properties: - numTrustedHops: - default: 1 - description: NumTrustedHops specifies to extract the client's originating IP from the nth rightmost entry in the X-Forwarded-For header. With the default value of 1, the IP is extracted from the rightmost entry. - format: int32 - minimum: 1 - type: integer - type: object - type: object - requestNormalizations: - description: RequestNormalizations defines a set of normalization actions which are applied to the request before route matching. - properties: - mergeSlashes: - default: true - description: MergeSlashes ensures that adjacent slashes in the path are merged into one. - type: boolean - normalizePath: - default: true - description: NormalizePath ensures normalization according to RFC 3986 without case normalization. - type: boolean - type: object - restrictions: - description: Restrictions defines restrictions for downstream. - properties: - http: - description: HTTP defines limits for the HTTP protocol. - properties: - headersLength: - anyOf: - - type: integer - - type: string - default: 60Ki - description: HeadersLength defines maximum size of all request headers combined. Requests that exceed this limit will receive a 431 response. - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - type: object - timeouts: - description: Timeouts defines timeouts for downstream - properties: - http: - description: HTTP defines the settings for HTTP timeouts. - properties: - idle: - default: 5m - description: |- - Idle defines the settings for the idle timeout when no data is sent or received. - A value of 0 will completely disable the timeout. - Default: 5m - type: string - maxDuration: - default: 5m - description: |- - MaxDuration defines the total duration for a HTTP request/response stream. - A value of 0 will completely disable the timeout. - Default: 5m - type: string - requestHeaders: - default: 10s - description: |- - RequestHeaders defines the duration before all request headers must be received. - A value of 0 will completely disable the timeout. - Default: 10s - type: string - type: object - type: object - tls: - description: TLS defines the TLS settings. - properties: - ciphers: - description: Ciphers defines a list of the supported TLS cipher suites. For details on cipher list refer to the envoy documentation on cipher_suites in common tls configuration. - items: - type: string - minItems: 1 - type: array - clientCertificate: - description: |- - ClientCertificate defines the TLS settings for verification of client certificates. - At most one of ignored, optional and required can be set. - Default: ignored: {} - properties: - ignored: - description: Ignored disables verification of the client certificate. - type: object - optional: - description: |- - Optional enables verification of the client certificate if one is presented. - In this mode only trustedCA and crl settings can be configured since certificatePinning and allowedSANs require a client certificate. - properties: - crl: - description: CRL defines the Certificate Revocation List (CRL) settings. - properties: - lists: - description: Lists defines the list of secretRefs containing Certificate Revocation Lists. - items: - properties: - secretRef: - description: SecretRef defines the reference to a secret containing one or more CRL's (in PEM format) under the key 'ca.crl'. - properties: - name: - description: Name of the resource - minLength: 1 - type: string - required: - - name - type: object - required: - - secretRef - type: object - minItems: 1 - type: array - validationMode: - default: VerifyChain - description: ValidationMode defines whether only the leaf certificate or also the CA certs should be checked. - enum: - - VerifyLeafCertOnly - - VerifyChain - type: string - type: object - trustedCA: - description: TrustedCA defines which CA certificates are trusted. - properties: - certificates: - description: Certificates defines the list of secretRefs containing trusted CA certificates. - items: - properties: - secretRef: - description: SecretRef defines the reference to a secret containing one or more CA certificates under the key 'ca.crt'. - properties: - name: - description: Name of the resource - minLength: 1 - type: string - required: - - name - type: object - required: - - secretRef - type: object - minItems: 1 - type: array - verificationDepth: - default: 1 - description: |- - VerificationDepth specifies the hops in the certificate chain at which validation is performed. - 1 means that either the leaf or the signing CA must be in the set of trusted certificates. - format: int32 - type: integer - required: - - certificates - type: object - required: - - trustedCA - type: object - required: - description: |- - Required contains settings for client certificate verification. A client must present a valid certificate. - At least one of trustedCA and certificatePinning must be set. - properties: - allowedSANs: - description: |- - AllowedSANs is a list of matchers to verify the Subject Alternative name. If specified, it will verify that the - Subject Alternative Name of the presented certificate matches one of the specified matchers. The matching uses “any” semantics, - that is to say, the SAN is verified if at least one matcher is matched. - AllowedSANs requires trustedCA to be set. - items: - description: |- - TLSValidationContextSANMatcher is a list of matchers to verify the Subject Alternative name. If specified, it will verify that the - Subject Alternative Name of the presented certificate matches one of the specified matchers. - properties: - matcher: - description: Matcher defines the string matcher for the SAN value. - properties: - contains: - description: |- - Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - exact: - description: |- - Exact defines an explicit match on the string specified here. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - ignoreCase: - default: false - description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. - type: boolean - prefix: - description: |- - Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - regex: - description: |- - Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. - The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - suffix: - description: |- - Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. - Only one of exact, prefix, suffix, regex or contains can be set. - minLength: 1 - type: string - type: object - sanType: - description: SanType defines the type of SAN matcher. - enum: - - DNS - - Email - - URI - - IPAddress - type: string - required: - - matcher - - sanType - type: object - minItems: 1 - type: array - certificatePinning: - description: |- - CertificatePinning defines the constraints a client certificate must fulfill. - If more than one constraint is configured only one must be satisfied. - At least one of allowedSPKIs and allowedHashes must be set. - properties: - allowedHashes: - description: |- - AllowedHashes is a list of hex-encoded SHA-256 hashes. - If specified, it will verify that the SHA-256 of the DER-encoded presented certificate matches one of the specified values. - items: - type: string - minItems: 1 - type: array - allowedSPKIs: - description: |- - AllowedSPKIs is a list of base64-encoded SHA-256 hashes. - If specified, it will verify that the SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate matches one of the specified values. - items: - type: string - minItems: 1 - type: array - type: object - crl: - description: CRL defines the Certificate Revocation List (CRL) settings. - properties: - lists: - description: Lists defines the list of secretRefs containing Certificate Revocation Lists. - items: - properties: - secretRef: - description: SecretRef defines the reference to a secret containing one or more CRL's (in PEM format) under the key 'ca.crl'. - properties: - name: - description: Name of the resource - minLength: 1 - type: string - required: - - name - type: object - required: - - secretRef - type: object - minItems: 1 - type: array - validationMode: - default: VerifyChain - description: ValidationMode defines whether only the leaf certificate or also the CA certs should be checked. - enum: - - VerifyLeafCertOnly - - VerifyChain - type: string - type: object - trustedCA: - description: TrustedCA defines which CA certificates are trusted. - properties: - certificates: - description: Certificates defines the list of secretRefs containing trusted CA certificates. - items: - properties: - secretRef: - description: SecretRef defines the reference to a secret containing one or more CA certificates under the key 'ca.crt'. - properties: - name: - description: Name of the resource - minLength: 1 - type: string - required: - - name - type: object - required: - - secretRef - type: object - minItems: 1 - type: array - verificationDepth: - default: 1 - description: |- - VerificationDepth specifies the hops in the certificate chain at which validation is performed. - 1 means that either the leaf or the signing CA must be in the set of trusted certificates. - format: int32 - type: integer - required: - - certificates - type: object - type: object - type: object - enable: - default: false - description: Enable defines if the downstream connection is encrypted. - type: boolean - protocol: - description: Protocol defines the supported TLS protocol versions. - properties: - maximum: - description: Maximum supported TLS version. - enum: - - TLSv1_0 - - TLSv1_1 - - TLSv1_2 - - TLSv1_3 - type: string - minimum: - description: Minimum supported TLS version. - enum: - - TLSv1_0 - - TLSv1_1 - - TLSv1_2 - - TLSv1_3 - type: string - type: object - secretRef: - description: SecretRef defines the reference to the TLS server certificate (secret of type kubernetes.io/tls). - properties: - name: - description: Name of the resource - minLength: 1 - type: string - required: - - name - type: object - xfcc: - description: |- - XFCC defines the handling of X-Forwarded-Client-Cert header. Meaning of the possible values: - _Sanitize_: Do not send the XFCC header to the next hop. This is the default value. - _ForwardOnly_: When the client connection is mTLS (Mutual TLS), forward the XFCC header in the request. - _AppendAndForward_: When the client connection is mTLS, append the client certificate information to the request’s XFCC header and forward it. - _SanitizeAndSet_: When the client connection is mTLS, reset the XFCC header with the client certificate information and send it to the next hop. - _AlwaysForwardOnly_: Always forward the XFCC header in the request, regardless of whether the client connection is mTLS. - Note: When forwarding the XFCC header in the request you might have to adjust the header length restrictions (See sidecargateway.spec.applications.downstream.restrictions.http) - enum: - - Sanitize - - ForwardOnly - - AppendAndForward - - SanitizeAndSet - - AlwaysForwardOnly - type: string - type: object - type: object - envoyHTTPFilterRefs: - description: EnvoyHTTPFilterRefs selects the relevant EnvoyHTTPFilters. - properties: - prepend: - description: Prepend selects the relevant EnvoyHTTPFilters which are added before those configured by the Airlock Microgateway. - items: - properties: - name: - description: Name of the resource - minLength: 1 - type: string - required: - - name - type: object - type: array - type: object - routes: - description: Routes defines the security configurations for different paths. The first matching route (from top to bottom) applies. - items: - description: |- - SidecarGatewayApplicationRoute defines the security configurations for different paths. - At most one of secured and unsecured can be set. - Default: secured: {...} - properties: - pathPrefix: - default: / - description: PathPrefix defines the path prefix used during route selection. - minLength: 1 - type: string - secured: - description: Secured enables WAF processing for this route. - properties: - accessControlRef: - description: |- - AccessControlRef selects the relevant AccessControl configuration resource. - If undefined, Airlock Microgateway does not perform any access control. - properties: - name: - description: Name of the resource - minLength: 1 - type: string - required: - - name - type: object - contentSecurityRef: - description: |- - ContentSecurityRef selects the relevant ContentSecurity configuration resource. - If undefined, default settings are applied, designed to work with most upstream web application services. - properties: - name: - description: Name of the resource - minLength: 1 - type: string - required: - - name - type: object - type: object - unsecured: - description: |- - Unsecured disables all WAF functionality and therefore protection for this route. - WARNING: Using this setting when the application is exposed to untrusted downstream traffic is highly discouraged. - type: object - type: object - type: array - x-kubernetes-list-map-keys: - - pathPrefix - x-kubernetes-list-type: map - telemetryRef: - description: |- - TelemetryRef selects the relevant Telemetry configuration resource. - If undefined, default settings are applied, designed to work with most upstream web application services. - properties: - name: - description: Name of the resource - minLength: 1 - type: string - required: - - name - type: object - upstream: - description: Upstream defines the upstream configuration for this application - properties: - protocol: - description: |- - Protocol defines HTTP protocol version used to communicate with the upstream. At most one of http1, http2 and auto can be set. - Default: auto: {} - properties: - auto: - description: Auto specifies to negotiate the protocol with TLS ALPN (if TLS is enabled) or, as a fallback, use the same protocol that is used by the downstream connection. - properties: - http2: - description: HTTP2 specifies the settings for when HTTP/2 is inferred. - properties: - allowConnect: - default: false - description: Allows proxying Websocket and other upgrades over H2 connect. - type: boolean - type: object - type: object - http1: - description: HTTP1 specifies to use HTTP/1.1. - type: object - http2: - description: HTTP2 specifies to use HTTP/2. - properties: - allowConnect: - default: false - description: Allows proxying Websocket and other upgrades over H2 connect. - type: boolean - type: object - type: object - timeouts: - description: Timeouts defines the timeout settings. - properties: - http: - description: HTTP defines the settings for HTTP timeouts. - properties: - idle: - description: |- - Timeout defines the settings for http timeouts. If this setting is not specified, the value of applications[].downstream.timeouts.http.idle is inherited. - A value of 0 will completely disable the timeout. - type: string - maxDuration: - default: 15s - description: |- - MaxDuration defines the total duration for a HTTP request/response stream. - Default: 15s - type: string - type: object - type: object - tls: - description: TLS defines the TLS settings. - properties: - ciphers: - description: Ciphers defines a list of the supported TLS cipher suites. For details on cipher list refer to the envoy documentation on cipher_suites in common tls configuration. - items: - type: string - minItems: 1 - type: array - enable: - default: false - description: Enable defines if the upstream connection is encrypted. - type: boolean - protocol: - description: Protocol defines the supported TLS protocol versions. - properties: - maximum: - description: Maximum supported TLS version. - enum: - - TLSv1_0 - - TLSv1_1 - - TLSv1_2 - - TLSv1_3 - type: string - minimum: - description: Minimum supported TLS version. - enum: - - TLSv1_0 - - TLSv1_1 - - TLSv1_2 - - TLSv1_3 - type: string - type: object - type: object - type: object - type: object - minItems: 1 - type: array - x-kubernetes-list-map-keys: - - containerPort - x-kubernetes-list-type: map - envoyClusterRefs: - description: EnvoyClusterRefs selects the relevant EnvoyClusters. - items: - properties: - name: - description: Name of the resource - minLength: 1 - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - podSelector: - description: PodSelector defines to which Pods the configuration will be applied to. - properties: - matchLabels: - additionalProperties: - type: string - description: MatchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels. - type: object - type: object - sessionHandlingRef: - description: SessionHandlingRef selects the SessionHandling configuration to apply. - properties: - name: - description: Name of the resource - minLength: 1 - type: string - required: - - name - type: object - required: - - applications - type: object - status: - description: Most recently observed status of the SidecarGateway which is populated by the system. This data is read-only and may not be up to date. - properties: - conditions: - items: - properties: - lastTransitionTime: - description: Last time the condition transitioned from one status to another. - format: date-time - type: string - message: - description: A human-readable message indicating details about the transition. - type: string - reason: - description: The reason for the condition's last transition. - type: string - status: - description: Status of the condition, one of True, False, Unknown. - type: string - type: - description: Type of SidecarGateway condition. - type: string - required: - - status - - type - type: object - type: array - pods: - items: - properties: - envoyConfig: - description: EnvoyConfig indicates the name of the EnvoyConfig CR for the Pod. - type: string - name: - description: Name indicates the name of a Pod selected by the SidecarGateway. - type: string - sessionAgentSecret: - type: string - required: - - name - type: object - type: array - status: - type: string - unmanagedPods: - items: - properties: - managedBy: - description: ManagedBy indicates the Airlock Microgateway Operator instance which manages this Pod. - type: string - name: - description: Name indicates the name of a Pod selected by the SidecarGateway. - type: string - sessionAgentSecret: - type: string - required: - - name - type: object - type: array - required: - - status - type: object - type: object - served: true - storage: true - subresources: - status: {} diff --git a/charts/airlock/microgateway/4.3.4/crds/telemetries.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.3.4/crds/telemetries.microgateway.airlock.com.yaml deleted file mode 100644 index d1a8897a7..000000000 --- a/charts/airlock/microgateway/4.3.4/crds/telemetries.microgateway.airlock.com.yaml +++ /dev/null @@ -1,96 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.15.0 - labels: - app.kubernetes.io/name: airlock-microgateway-operator - app.kubernetes.io/version: 4.3.4 - name: telemetries.microgateway.airlock.com -spec: - group: microgateway.airlock.com - names: - categories: - - airlock-microgateway - kind: Telemetry - listKind: TelemetryList - plural: telemetries - singular: telemetry - scope: Namespaced - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: Telemetry contains the configuration for telemetry (logging, metrics & tracing). - properties: - apiVersion: - description: |- - APIVersion defines the versioned schema of this representation of an object. - Servers should convert recognized schemas to the latest internal value, and - may reject unrecognized values. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources - type: string - kind: - description: |- - Kind is a string value representing the REST resource this object represents. - Servers may infer this from the endpoint the client submits requests to. - Cannot be updated. - In CamelCase. - More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds - type: string - metadata: - type: object - spec: - description: Specification of the desired telemetry behavior. - properties: - correlation: - description: Correlation defines the correlation aspects of Telemetry. - properties: - idSource: - description: IDSource specifies how an external correlation ID should be obtained for a request. If not specified, no correlation ID will be logged. - properties: - header: - description: Header specifies to extract the correlation ID from a request header. If the header is absent from a request, no correlation ID will be logged. - properties: - name: - default: X-Correlation-Id - description: Name of the header (case-insensitive) from which to extract the correlation ID. - minLength: 1 - type: string - type: object - required: - - header - type: object - request: - description: Request defines the request related correlation settings of Telemetry. - properties: - allowDownstreamRequestID: - default: true - description: AllowDownstreamRequestID defines whether trace sampling will consider a provided x-request-id. - type: boolean - alterRequestID: - default: true - description: AlterRequestID defines whether to alter the UUID to reflect the trace sampling decision. If disabled no modification to the UUID will be performed, this may break tracing in the upstream. - type: boolean - type: object - type: object - logging: - description: Logging defines the logging aspects of Telemetry. - properties: - accessLog: - description: AccessLog defines the access log settings of Telemetry. - properties: - format: - description: Format defines the Access Log format of the sidecar. - properties: - json: - description: JSON defines the Access Log format as JSON. - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - type: object - type: object - type: object - type: object - served: true - storage: true diff --git a/charts/airlock/microgateway/4.3.4/dashboards/blockLogs.json b/charts/airlock/microgateway/4.3.4/dashboards/blockLogs.json deleted file mode 100644 index ef0ce6d62..000000000 --- a/charts/airlock/microgateway/4.3.4/dashboards/blockLogs.json +++ /dev/null @@ -1,510 +0,0 @@ -{ - "__inputs": [ - { - "name": "DS_LOKI", - "label": "Loki", - "description": "", - "type": "datasource", - "pluginId": "loki", - "pluginName": "Loki" - }, - { - "name": "DS_PROMETHEUS", - "label": "Prometheus", - "description": "", - "type": "datasource", - "pluginId": "prometheus", - "pluginName": "Prometheus" - } - ], - "__elements": {}, - "__requires": [ - { - "type": "grafana", - "id": "grafana", - "name": "Grafana", - "version": "10.2.0" - }, - { - "type": "datasource", - "id": "loki", - "name": "Loki", - "version": "1.0.0" - }, - { - "type": "datasource", - "id": "prometheus", - "name": "Prometheus", - "version": "1.0.0" - }, - { - "type": "panel", - "id": "table", - "name": "Table", - "version": "" - } - ], - "annotations": { - "list": [ - { - "builtIn": 1, - "datasource": { - "type": "grafana", - "uid": "-- Grafana --" - }, - "enable": true, - "hide": true, - "iconColor": "rgba(0, 211, 255, 1)", - "name": "Annotations & Alerts", - "type": "dashboard" - } - ] - }, - "description": "Blocked requests by Airlock Microgateway retrieved from corresponding access logs.\n\nThe dashboard can be filtered by namespace and block type. Column filters on the table allow for even a more granular filtering of the logs.", - "editable": true, - "fiscalYearStartMonth": 0, - "graphTooltip": 0, - "id": null, - "links": [ - { - "asDropdown": true, - "icon": "external link", - "includeVars": true, - "keepTime": true, - "tags": [ - "airlock-microgateway" - ], - "targetBlank": true, - "title": "Airlock Microgateway", - "tooltip": "", - "type": "dashboards", - "url": "" - } - ], - "panels": [ - { - "datasource": { - "type": "loki", - "uid": "${DS_LOKI}" - }, - "fieldConfig": { - "defaults": { - "color": { - "fixedColor": "text", - "mode": "fixed" - }, - "custom": { - "align": "auto", - "cellOptions": { - "type": "auto" - }, - "filterable": true, - "inspect": true - }, - "mappings": [], - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - } - }, - "overrides": [ - { - "matcher": { - "id": "byName", - "options": "Namespace" - }, - "properties": [ - { - "id": "custom.width", - "value": 221 - }, - { - "id": "custom.filterable" - } - ] - }, - { - "matcher": { - "id": "byName", - "options": "Timestamp" - }, - "properties": [ - { - "id": "custom.width", - "value": 214 - }, - { - "id": "unit", - "value": "dateTimeAsIso" - }, - { - "id": "custom.filterable" - } - ] - }, - { - "matcher": { - "id": "byName", - "options": "Method" - }, - "properties": [ - { - "id": "custom.width", - "value": 89 - } - ] - }, - { - "matcher": { - "id": "byName", - "options": "Client IP" - }, - "properties": [ - { - "id": "custom.width", - "value": 138 - } - ] - }, - { - "matcher": { - "id": "byName", - "options": "Request ID" - }, - "properties": [ - { - "id": "custom.width", - "value": 328 - } - ] - }, - { - "matcher": { - "id": "byName", - "options": "Block Type" - }, - "properties": [ - { - "id": "custom.width", - "value": 116 - }, - { - "id": "custom.filterable", - "value": false - } - ] - }, - { - "matcher": { - "id": "byName", - "options": "Request Size" - }, - "properties": [ - { - "id": "custom.width", - "value": 126 - }, - { - "id": "unit", - "value": "bytes" - }, - { - "id": "custom.align", - "value": "right" - } - ] - }, - { - "matcher": { - "id": "byName", - "options": "Attack Type" - }, - "properties": [ - { - "id": "custom.width", - "value": 217 - } - ] - }, - { - "matcher": { - "id": "byName", - "options": "Application" - }, - "properties": [ - { - "id": "custom.width", - "value": 207 - } - ] - } - ] - }, - "gridPos": { - "h": 27, - "w": 24, - "x": 0, - "y": 0 - }, - "id": 2, - "options": { - "cellHeight": "sm", - "footer": { - "countRows": false, - "enablePagination": true, - "fields": "", - "reducer": [ - "sum" - ], - "show": false - }, - "showHeader": true, - "sortBy": [] - }, - "pluginVersion": "11.0.0", - "targets": [ - { - "datasource": { - "type": "loki", - "uid": "${DS_LOKI}" - }, - "editorMode": "code", - "expr": "{container=\"airlock-microgateway-engine\", namespace=~\"${namespace:regex}\"} |= \"airlock_request_blocked_deny_rule\" |= \"envoy.access\"\n| json http_method=\"http.request.method\", url=\"url.path\", request_size=\"http.request.bytes\", client_ip=\"network.forwarded_ip\", request_id=\"http.request.id\", details=\"airlock.deny_rules.matches\"\n| label_format block_type=\"deny_rules\", attack_type=`{{ range $q := fromJson .details }} {{ if eq $q.threat_handling_mode \"block\" }} {{ $q.rule_key }} {{ end }} {{ end }}` | block_type=~\"${blockType:regex}\"", - "hide": false, - "queryType": "range", - "refId": "Deny Rule Blocks" - }, - { - "datasource": { - "type": "loki", - "uid": "${DS_LOKI}" - }, - "editorMode": "code", - "expr": "{container=\"airlock-microgateway-engine\", namespace=~\"${namespace:regex}\"} |= \"airlock_request_blocked_limit\" |= \"envoy.access\"\n| json http_method=\"http.request.method\", url=\"url.path\", request_size=\"http.request.bytes\", client_ip=\"network.forwarded_ip\", request_id=\"http.request.id\", details=\"airlock.limits.matches\"\n| label_format block_type=\"limits\", attack_type=`{{ range $q := fromJson .details }} {{ if eq $q.threat_handling_mode \"block\" }} {{ $q.rule }} {{ end }} {{ end }}` | block_type=~\"${blockType:regex}\"", - "hide": false, - "queryType": "range", - "refId": "Limit Blocks" - }, - { - "datasource": { - "type": "loki", - "uid": "${DS_LOKI}" - }, - "editorMode": "code", - "expr": "{container=\"airlock-microgateway-engine\", namespace=~\"${namespace:regex}\"} |= \"airlock_request_blocked_openapi\" |= \"envoy.access\"\n| json http_method=\"http.request.method\", url=\"url.path\", request_size=\"http.request.bytes\", client_ip=\"network.forwarded_ip\", request_id=\"http.request.id\", reference=\"airlock.openapi.reference\", constraint=\"airlock.openapi.request.failed_validation.constraint\", position=\"airlock.openapi.request.failed_validation.position\", message=\"airlock.openapi.request.failed_validation.message\"\n| label_format block_type=\"openapi\", attack_type=\"openapi\", details=`{{.reference }}: {{.constraint }} at {{ .position }} ({{ .message }})` | block_type=~\"${blockType:regex}\"", - "hide": false, - "queryType": "range", - "refId": "OpenAPI Blocks" - }, - { - "datasource": { - "type": "loki", - "uid": "${DS_LOKI}" - }, - "editorMode": "code", - "expr": "{container=\"airlock-microgateway-engine\", namespace=~\"${namespace:regex}\"} |= \"airlock_request_blocked_parser\" |= \"envoy.access\"\n| json http_method=\"http.request.method\", url=\"url.path\", request_size=\"http.request.bytes\", client_ip=\"network.forwarded_ip\", request_id=\"http.request.id\", attack_type=\"airlock.parser\", failed_check=\"airlock.parser.matches[0].failed_check\", message=\"airlock.parser.matches[0].message\"\n| label_format block_type=\"parsing\", attack_type=\"parsing\", details=`{{.failed_check}}: {{.message}}` | block_type=~\"${blockType:regex}\"", - "hide": false, - "queryType": "range", - "refId": "Parser Blocks" - }, - { - "datasource": { - "type": "loki", - "uid": "${DS_LOKI}" - }, - "editorMode": "code", - "expr": "{container=\"airlock-microgateway-engine\", namespace=~\"${namespace:regex}\"} |= \"airlock_request_blocked_graphql\" |= \"envoy.access\"\n| json http_method=\"http.request.method\", url=\"url.path\", request_size=\"http.request.bytes\", client_ip=\"network.forwarded_ip\", request_id=\"http.request.id\", reference=\"airlock.graphql.reference\", message=\"airlock.graphql.request.failed_validation.message\"\n| label_format block_type=\"graphql\", attack_type=\"graphql\", details=`{{ .reference }}: {{ .message }}` | block_type=~\"${blockType:regex}\"", - "hide": false, - "queryType": "range", - "refId": "GraphQL Blocks" - } - ], - "title": "Blocked Request logs", - "transformations": [ - { - "id": "merge", - "options": {} - }, - { - "id": "extractFields", - "options": { - "format": "json", - "source": "labels" - } - }, - { - "id": "filterFieldsByName", - "options": { - "byVariable": false, - "include": { - "names": [ - "Time", - "attack_type", - "block_type", - "client_ip", - "details", - "http_method", - "namespace", - "request_id", - "request_size", - "url", - "pod" - ] - } - } - }, - { - "id": "organize", - "options": { - "excludeByName": { - "Line": true, - "id": true, - "labelTypes": true, - "labels": true, - "tsNs": false - }, - "includeByName": {}, - "indexByName": { - "Time": 0, - "attack_type": 7, - "block_type": 6, - "client_ip": 9, - "details": 8, - "http_method": 3, - "namespace": 1, - "pod": 2, - "request_id": 10, - "request_size": 5, - "url": 4 - }, - "renameByName": { - "Time": "Timestamp", - "attack_type": "Attack Type", - "block_type": "Block Type", - "client_ip": "Client IP", - "details": "Details", - "http_method": "Method", - "namespace": "Namespace", - "pod": "Pod", - "request_id": "Request ID", - "request_size": "Request Size", - "tsNs": "", - "url": "Path" - } - } - } - ], - "type": "table" - } - ], - "schemaVersion": 39, - "tags": [ - "airlock-microgateway" - ], - "templating": { - "list": [ - { - "current": { - "selected": false, - "text": "Loki", - "value": "P8E80F9AEF21F6940" - }, - "hide": 2, - "includeAll": false, - "label": "DS_LOKI", - "multi": false, - "name": "DS_LOKI", - "options": [], - "query": "loki", - "refresh": 1, - "regex": "", - "skipUrlSync": false, - "type": "datasource" - }, - { - "allValue": ".*", - "current": {}, - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "definition": "label_values(microgateway_license_http_rq_total,namespace)", - "hide": 0, - "includeAll": true, - "label": "Application Namespace", - "multi": true, - "name": "namespace", - "options": [], - "query": { - "qryType": 1, - "query": "label_values(microgateway_license_http_rq_total,namespace)", - "refId": "PrometheusVariableQueryEditor-VariableQuery" - }, - "refresh": 2, - "regex": "", - "skipUrlSync": false, - "sort": 5, - "type": "query" - }, - { - "allValue": ".*", - "current": {}, - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "definition": "label_values(microgateway_http_downstream_rq_threats_blocked_total,block_type)", - "hide": 0, - "includeAll": true, - "label": "Block Type", - "multi": true, - "name": "blockType", - "options": [], - "query": { - "qryType": 1, - "query": "label_values(microgateway_http_downstream_rq_threats_blocked_total,block_type)", - "refId": "PrometheusVariableQueryEditor-VariableQuery" - }, - "refresh": 2, - "regex": "", - "skipUrlSync": false, - "sort": 5, - "type": "query" - }, - { - "current": { - "selected": false, - "text": "Prometheus", - "value": "PBFA97CFB590B2093" - }, - "hide": 2, - "includeAll": false, - "label": "DS_PROMETHEUS", - "multi": false, - "name": "DS_PROMETHEUS", - "options": [], - "query": "prometheus", - "refresh": 1, - "regex": "", - "skipUrlSync": false, - "type": "datasource" - } - ] - }, - "time": { - "from": "now-15m", - "to": "now" - }, - "timeRangeUpdatedDuringEditOrView": false, - "timepicker": {}, - "timezone": "browser", - "title": "Airlock Microgateway Blocked Request Logs", - "uid": "adnyzcvwnyadcc", - "version": 3, - "weekStart": "" -} \ No newline at end of file diff --git a/charts/airlock/microgateway/4.3.4/dashboards/blockMetrics.json b/charts/airlock/microgateway/4.3.4/dashboards/blockMetrics.json deleted file mode 100644 index ba383d22e..000000000 --- a/charts/airlock/microgateway/4.3.4/dashboards/blockMetrics.json +++ /dev/null @@ -1,758 +0,0 @@ -{ - "__inputs": [ - { - "name": "DS_PROMETHEUS", - "label": "Prometheus", - "description": "", - "type": "datasource", - "pluginId": "prometheus", - "pluginName": "Prometheus" - } - ], - "__elements": {}, - "__requires": [ - { - "type": "panel", - "id": "barchart", - "name": "Bar chart", - "version": "" - }, - { - "type": "grafana", - "id": "grafana", - "name": "Grafana", - "version": "10.2.0" - }, - { - "type": "datasource", - "id": "prometheus", - "name": "Prometheus", - "version": "1.0.0" - }, - { - "type": "panel", - "id": "stat", - "name": "Stat", - "version": "" - }, - { - "type": "panel", - "id": "timeseries", - "name": "Time series", - "version": "" - } - ], - "annotations": { - "list": [ - { - "builtIn": 1, - "datasource": { - "type": "grafana", - "uid": "-- Grafana --" - }, - "enable": true, - "hide": true, - "iconColor": "rgba(0, 211, 255, 1)", - "name": "Annotations & Alerts", - "type": "dashboard" - } - ] - }, - "description": "Metrics on requests blocked by Airlock Microgateway.\n\nDashboard can be filtered by namespaces as well as block types.", - "editable": true, - "fiscalYearStartMonth": 0, - "graphTooltip": 0, - "id": null, - "links": [ - { - "asDropdown": true, - "icon": "external link", - "includeVars": true, - "keepTime": true, - "tags": [ - "airlock-microgateway" - ], - "targetBlank": true, - "title": "Airlock Microgateway", - "tooltip": "", - "type": "dashboards", - "url": "" - } - ], - "panels": [ - { - "gridPos": { - "h": 1, - "w": 24, - "x": 0, - "y": 0 - }, - "id": 6, - "title": "Airlock Microgateway Block Metrics", - "type": "row" - }, - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "description": "Total number of requests processed by Airlock Microgateway.", - "fieldConfig": { - "defaults": { - "color": { - "fixedColor": "text", - "mode": "fixed" - }, - "mappings": [], - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - }, - "unit": "short" - }, - "overrides": [] - }, - "gridPos": { - "h": 4, - "w": 4, - "x": 0, - "y": 1 - }, - "id": 1, - "options": { - "colorMode": "value", - "graphMode": "none", - "justifyMode": "auto", - "orientation": "auto", - "reduceOptions": { - "calcs": [ - "lastNotNull" - ], - "fields": "", - "values": false - }, - "showPercentChange": false, - "textMode": "auto", - "wideLayout": true - }, - "pluginVersion": "11.0.0", - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "disableTextWrap": false, - "editorMode": "code", - "exemplar": false, - "expr": "round(sum(increase(microgateway_license_http_rq_total{namespace=~\"${namespace:regex}\", job=~\"${operator_namespace.regex}/.*-engine\"}[$__range])))", - "format": "time_series", - "fullMetaSearch": false, - "hide": false, - "includeNullMetadata": true, - "instant": true, - "legendFormat": "Processed Requests", - "range": false, - "refId": "A", - "useBackend": false - } - ], - "title": "Requests", - "type": "stat" - }, - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "description": "Ratio of blocked requests vs. processed requests by Airlock Microgateway.", - "fieldConfig": { - "defaults": { - "color": { - "fixedColor": "text", - "mode": "fixed" - }, - "mappings": [ - { - "options": { - "match": "nan", - "result": { - "index": 0, - "text": "n/a" - } - }, - "type": "special" - } - ], - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - }, - "unit": "percentunit" - }, - "overrides": [] - }, - "gridPos": { - "h": 4, - "w": 4, - "x": 4, - "y": 1 - }, - "id": 2, - "options": { - "colorMode": "value", - "graphMode": "area", - "justifyMode": "auto", - "orientation": "auto", - "reduceOptions": { - "calcs": [ - "last" - ], - "fields": "", - "values": false - }, - "showPercentChange": false, - "textMode": "auto", - "wideLayout": true - }, - "pluginVersion": "11.0.0", - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "disableTextWrap": false, - "editorMode": "code", - "exemplar": false, - "expr": "sum(increase(microgateway_http_downstream_rq_threats_blocked_total{block_type=~\"${blockType:regex}\", namespace=~\"${namespace:regex}\", job=~\"${operator_namespace.regex}/.*-engine\"}[$__range])) / sum(increase(microgateway_license_http_rq_total{namespace=~\"${namespace:regex}\", job=~\"${operator_namespace.regex}/.*-engine\"}[$__range]))", - "fullMetaSearch": false, - "includeNullMetadata": true, - "instant": true, - "legendFormat": "Blocked Requests (%)", - "range": false, - "refId": "A", - "useBackend": false - } - ], - "title": "% Blocked Requests", - "type": "stat" - }, - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "description": "Requests per second processed by Airlock Microgateway along with the corresponding block rate.", - "fieldConfig": { - "defaults": { - "color": { - "fixedColor": "blue", - "mode": "fixed" - }, - "custom": { - "axisBorderShow": false, - "axisCenteredZero": false, - "axisColorMode": "text", - "axisLabel": "", - "axisPlacement": "left", - "barAlignment": 0, - "drawStyle": "line", - "fillOpacity": 0, - "gradientMode": "none", - "hideFrom": { - "legend": false, - "tooltip": false, - "viz": false - }, - "insertNulls": false, - "lineInterpolation": "linear", - "lineWidth": 1, - "pointSize": 5, - "scaleDistribution": { - "type": "linear" - }, - "showPoints": "auto", - "spanNulls": false, - "stacking": { - "group": "A", - "mode": "none" - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "mappings": [], - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "blue", - "value": null - } - ] - } - }, - "overrides": [ - { - "matcher": { - "id": "byName", - "options": "% Blocks" - }, - "properties": [ - { - "id": "custom.axisPlacement", - "value": "right" - }, - { - "id": "unit", - "value": "percentunit" - }, - { - "id": "color", - "value": { - "fixedColor": "orange", - "mode": "fixed" - } - }, - { - "id": "max", - "value": 1 - } - ] - }, - { - "matcher": { - "id": "byName", - "options": "Requests per second" - }, - "properties": [ - { - "id": "unit", - "value": "short" - }, - { - "id": "custom.fillOpacity", - "value": 25 - } - ] - } - ] - }, - "gridPos": { - "h": 10, - "w": 20, - "x": 0, - "y": 5 - }, - "id": 3, - "options": { - "legend": { - "calcs": [], - "displayMode": "list", - "placement": "bottom", - "showLegend": true - }, - "timezone": [ - "" - ], - "tooltip": { - "maxHeight": 600, - "mode": "single", - "sort": "none" - } - }, - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "editorMode": "code", - "exemplar": false, - "expr": "sum(rate(microgateway_license_http_rq_total{namespace=~\"${namespace:regex}\", job=~\"${operator_namespace.regex}/.*-engine\"}[1m]))", - "instant": false, - "legendFormat": "Requests per second", - "range": true, - "refId": "Requests per Second" - }, - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "editorMode": "code", - "expr": "sum(rate(microgateway_http_downstream_rq_threats_blocked_total{block_type=~\"${blockType:regex}\", namespace=~\"${namespace:regex}\", job=~\"${operator_namespace.regex}/.*-engine\"}[1m])) / sum(rate(microgateway_license_http_rq_total{namespace=~\"${namespace:regex}\", job=~\"${operator_namespace.regex}/.*-engine\"}[1m]))", - "hide": false, - "instant": false, - "legendFormat": "% Blocks", - "range": true, - "refId": "Blocks" - } - ], - "title": "Requests vs. % Blocks", - "type": "timeseries" - }, - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "description": "Blocked requests by block type.", - "fieldConfig": { - "defaults": { - "color": { - "fixedColor": "super-light-orange", - "mode": "fixed" - }, - "custom": { - "axisBorderShow": false, - "axisCenteredZero": false, - "axisColorMode": "text", - "axisGridShow": true, - "axisLabel": "", - "axisPlacement": "auto", - "fillOpacity": 80, - "gradientMode": "none", - "hideFrom": { - "legend": false, - "tooltip": false, - "viz": false - }, - "lineWidth": 0, - "scaleDistribution": { - "type": "linear" - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "fieldMinMax": false, - "mappings": [], - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - }, - "unit": "none" - }, - "overrides": [] - }, - "gridPos": { - "h": 11, - "w": 10, - "x": 0, - "y": 15 - }, - "id": 4, - "options": { - "barRadius": 0, - "barWidth": 0.8, - "fullHighlight": false, - "groupWidth": 0.7, - "legend": { - "calcs": [], - "displayMode": "list", - "placement": "bottom", - "showLegend": false - }, - "orientation": "horizontal", - "showValue": "never", - "stacking": "none", - "tooltip": { - "maxHeight": 600, - "mode": "single", - "sort": "asc" - }, - "xField": "block_type", - "xTickLabelRotation": 0, - "xTickLabelSpacing": 0 - }, - "pluginVersion": "10.4.3", - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "editorMode": "code", - "exemplar": false, - "expr": "round(sum by (block_type) (increase(microgateway_http_downstream_rq_threats_blocked_total{block_type=~\"${blockType:regex}\", namespace=~\"${namespace:regex}\", job=~\"${operator_namespace.regex}/.*-engine\"}[$__range])))", - "format": "time_series", - "instant": true, - "legendFormat": "__auto", - "range": false, - "refId": "A" - } - ], - "title": "Block Type", - "transformations": [ - { - "id": "reduce", - "options": { - "includeTimeField": false, - "labelsToFields": true, - "mode": "seriesToRows", - "reducers": [ - "sum" - ] - } - } - ], - "type": "barchart" - }, - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "description": "Blocked requests by attack type, which are subsets of the various block types.", - "fieldConfig": { - "defaults": { - "color": { - "fixedColor": "light-orange", - "mode": "fixed" - }, - "custom": { - "axisBorderShow": false, - "axisCenteredZero": false, - "axisColorMode": "text", - "axisLabel": "", - "axisPlacement": "auto", - "fillOpacity": 80, - "gradientMode": "none", - "hideFrom": { - "legend": false, - "tooltip": false, - "viz": false - }, - "lineWidth": 1, - "scaleDistribution": { - "type": "linear" - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "mappings": [], - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - } - }, - "overrides": [] - }, - "gridPos": { - "h": 11, - "w": 10, - "x": 10, - "y": 15 - }, - "id": 5, - "options": { - "barRadius": 0, - "barWidth": 0.8, - "fullHighlight": false, - "groupWidth": 0.7, - "legend": { - "calcs": [], - "displayMode": "list", - "placement": "bottom", - "showLegend": false - }, - "orientation": "horizontal", - "showValue": "never", - "stacking": "none", - "tooltip": { - "maxHeight": 600, - "mode": "single", - "sort": "none" - }, - "xField": "attack_type", - "xTickLabelRotation": 0, - "xTickLabelSpacing": 0 - }, - "pluginVersion": "10.4.3", - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "editorMode": "code", - "exemplar": false, - "expr": "round(sum by (attack_type) (increase(microgateway_http_downstream_rq_threats_blocked_total{block_type=~\"${blockType:regex}\", namespace=~\"${namespace:regex}\", job=~\"${operator_namespace.regex}/.*-engine\"}[$__range])))", - "instant": true, - "legendFormat": "__auto", - "range": false, - "refId": "A" - } - ], - "title": "Attack Type", - "transformations": [ - { - "id": "reduce", - "options": { - "labelsToFields": true, - "reducers": [ - "sum" - ] - } - } - ], - "type": "barchart" - } - ], - "refresh": "", - "schemaVersion": 39, - "tags": [ - "airlock-microgateway" - ], - "templating": { - "list": [ - { - "current": { - "selected": false, - "text": "Prometheus", - "value": "PBFA97CFB590B2093" - }, - "hide": 2, - "includeAll": false, - "label": "Datasource Prometheus", - "multi": false, - "name": "DS_PROMETHEUS", - "options": [], - "query": "prometheus", - "refresh": 1, - "regex": "", - "skipUrlSync": false, - "type": "datasource" - }, - { - "current": { - "selected": false, - "text": "Loki", - "value": "P8E80F9AEF21F6940" - }, - "hide": 2, - "includeAll": false, - "label": "DS_LOKI", - "multi": false, - "name": "DS_LOKI", - "options": [], - "query": "loki", - "refresh": 1, - "regex": "", - "skipUrlSync": false, - "type": "datasource" - }, - { - "allValue": ".*", - "current": {}, - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "definition": "label_values(microgateway_license_valid,namespace)", - "hide": 0, - "includeAll": true, - "label": "Operator Namespace", - "multi": true, - "name": "operator_namespace", - "options": [], - "query": { - "qryType": 1, - "query": "label_values(microgateway_license_valid,namespace)", - "refId": "PrometheusVariableQueryEditor-VariableQuery" - }, - "refresh": 2, - "regex": ".*", - "skipUrlSync": false, - "sort": 0, - "type": "query" - }, - { - "allValue": ".*", - "current": {}, - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "definition": "label_values(microgateway_license_http_rq_total,namespace)", - "hide": 0, - "includeAll": true, - "label": "Application Namespace", - "multi": true, - "name": "namespace", - "options": [], - "query": { - "qryType": 1, - "query": "label_values(microgateway_license_http_rq_total,namespace)", - "refId": "PrometheusVariableQueryEditor-VariableQuery" - }, - "refresh": 2, - "regex": "", - "skipUrlSync": false, - "sort": 5, - "type": "query" - }, - { - "allValue": ".*", - "current": {}, - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "definition": "label_values(microgateway_http_downstream_rq_threats_blocked_total,block_type)", - "hide": 0, - "includeAll": true, - "label": "Block Type", - "multi": true, - "name": "blockType", - "options": [], - "query": { - "qryType": 1, - "query": "label_values(microgateway_http_downstream_rq_threats_blocked_total,block_type)", - "refId": "PrometheusVariableQueryEditor-VariableQuery" - }, - "refresh": 2, - "regex": "", - "skipUrlSync": false, - "sort": 5, - "type": "query" - } - ] - }, - "time": { - "from": "now-24h", - "to": "now" - }, - "timeRangeUpdatedDuringEditOrView": false, - "timepicker": { - "hidden": false - }, - "timezone": "browser", - "title": "Airlock Microgateway Block Metrics", - "uid": "ddnqoczu7qvb4cdd3dd", - "version": 3, - "weekStart": "" -} \ No newline at end of file diff --git a/charts/airlock/microgateway/4.3.4/dashboards/license.json b/charts/airlock/microgateway/4.3.4/dashboards/license.json deleted file mode 100644 index b9d5777e2..000000000 --- a/charts/airlock/microgateway/4.3.4/dashboards/license.json +++ /dev/null @@ -1,521 +0,0 @@ -{ - "__inputs": [ - { - "name": "DS_PROMETHEUS", - "label": "Prometheus", - "description": "", - "type": "datasource", - "pluginId": "prometheus", - "pluginName": "Prometheus" - } - ], - "__elements": {}, - "__requires": [ - { - "type": "grafana", - "id": "grafana", - "name": "Grafana", - "version": "10.2.0" - }, - { - "type": "datasource", - "id": "prometheus", - "name": "Prometheus", - "version": "1.0.0" - }, - { - "type": "panel", - "id": "stat", - "name": "Stat", - "version": "" - }, - { - "type": "panel", - "id": "timeseries", - "name": "Time series", - "version": "" - } - ], - "annotations": { - "list": [ - { - "builtIn": 1, - "datasource": { - "type": "grafana", - "uid": "-- Grafana --" - }, - "enable": true, - "hide": true, - "iconColor": "rgba(0, 211, 255, 1)", - "name": "Annotations & Alerts", - "type": "dashboard" - } - ] - }, - "editable": true, - "fiscalYearStartMonth": 0, - "graphTooltip": 0, - "id": null, - "links": [ - { - "asDropdown": true, - "icon": "external link", - "includeVars": true, - "keepTime": true, - "tags": [ - "airlock-microgateway" - ], - "targetBlank": true, - "title": "Airlock Microgateway", - "tooltip": "", - "type": "dashboards", - "url": "" - } - ], - "panels": [ - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "description": "License status of Airlock Microgateway.", - "fieldConfig": { - "defaults": { - "color": { - "mode": "thresholds" - }, - "mappings": [ - { - "options": { - "0": { - "color": "red", - "index": 1, - "text": "Invalid" - }, - "1": { - "color": "green", - "index": 0, - "text": "Valid" - } - }, - "type": "value" - } - ], - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - } - }, - "overrides": [] - }, - "gridPos": { - "h": 4, - "w": 3, - "x": 0, - "y": 0 - }, - "id": 1, - "options": { - "colorMode": "value", - "graphMode": "area", - "justifyMode": "auto", - "orientation": "auto", - "reduceOptions": { - "calcs": [ - "lastNotNull" - ], - "fields": "", - "values": false - }, - "showPercentChange": false, - "textMode": "auto", - "wideLayout": true - }, - "pluginVersion": "11.0.0", - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "editorMode": "code", - "exemplar": false, - "expr": "min(microgateway_license_valid{namespace=~\"${operator_namespace.regex}\"})", - "instant": true, - "legendFormat": "License Status", - "range": false, - "refId": "Licenses" - } - ], - "title": "License Status", - "type": "stat" - }, - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "description": "Expiry date of the Airlock Microgateway license associated with the selected operator.", - "fieldConfig": { - "defaults": { - "color": { - "fixedColor": "text", - "mode": "fixed" - }, - "mappings": [], - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - }, - "unit": "time: L" - }, - "overrides": [] - }, - "gridPos": { - "h": 4, - "w": 4, - "x": 3, - "y": 0 - }, - "id": 4, - "options": { - "colorMode": "value", - "graphMode": "none", - "justifyMode": "auto", - "orientation": "auto", - "reduceOptions": { - "calcs": [ - "lastNotNull" - ], - "fields": "", - "values": false - }, - "showPercentChange": false, - "textMode": "auto", - "wideLayout": true - }, - "pluginVersion": "11.0.0", - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "editorMode": "code", - "exemplar": false, - "expr": "min(microgateway_license_expiry_timestamp_seconds{namespace=~\"${operator_namespace.regex}\"})*1000", - "instant": true, - "legendFormat": "Expiry Date (MM/DD/YYYY)", - "range": false, - "refId": "A" - } - ], - "title": "License Expiry Date", - "type": "stat" - }, - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "description": "Number of licensed requests for applications protected by Airlock Microgateway.", - "fieldConfig": { - "defaults": { - "color": { - "fixedColor": "text", - "mode": "fixed" - }, - "mappings": [], - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - }, - "unit": "short" - }, - "overrides": [] - }, - "gridPos": { - "h": 4, - "w": 4, - "x": 7, - "y": 0 - }, - "id": 6, - "options": { - "colorMode": "value", - "graphMode": "none", - "justifyMode": "auto", - "orientation": "auto", - "reduceOptions": { - "calcs": [ - "lastNotNull" - ], - "fields": "", - "values": false - }, - "showPercentChange": false, - "textMode": "auto", - "wideLayout": true - }, - "pluginVersion": "11.0.0", - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "editorMode": "code", - "exemplar": false, - "expr": "sum(microgateway_license_max_rq_count_per_month{namespace=~\"${operator_namespace.regex}\"})", - "instant": true, - "legendFormat": "Licensed Requests", - "range": false, - "refId": "A" - } - ], - "title": "Licensed Requests", - "type": "stat" - }, - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "description": "Estimated number of requests protected by Airlock Microgateway over 30 days based on the last 7 days.", - "fieldConfig": { - "defaults": { - "color": { - "fixedColor": "text", - "mode": "fixed" - }, - "mappings": [], - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - }, - "unit": "short" - }, - "overrides": [] - }, - "gridPos": { - "h": 4, - "w": 5, - "x": 11, - "y": 0 - }, - "id": 2, - "options": { - "colorMode": "value", - "graphMode": "none", - "justifyMode": "auto", - "orientation": "auto", - "reduceOptions": { - "calcs": [ - "lastNotNull" - ], - "fields": "", - "values": false - }, - "showPercentChange": false, - "textMode": "auto", - "wideLayout": true - }, - "pluginVersion": "11.0.0", - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "editorMode": "code", - "exemplar": false, - "expr": "sum(increase(microgateway_license_http_rq_total{job=~\"${operator_namespace.regex}/.*-engine\"}[7d]))/7*30", - "instant": true, - "legendFormat": "Estimated Requests", - "range": false, - "refId": "A" - } - ], - "title": "Requests over 30 days (estimated)", - "type": "stat" - }, - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "description": "Number of requests per week processed by Airlock Microgateway.", - "fieldConfig": { - "defaults": { - "color": { - "fixedColor": "blue", - "mode": "fixed" - }, - "custom": { - "axisBorderShow": false, - "axisCenteredZero": false, - "axisColorMode": "text", - "axisLabel": "", - "axisPlacement": "auto", - "barAlignment": 0, - "drawStyle": "line", - "fillOpacity": 0, - "gradientMode": "none", - "hideFrom": { - "legend": false, - "tooltip": false, - "viz": false - }, - "insertNulls": false, - "lineInterpolation": "linear", - "lineWidth": 1, - "pointSize": 5, - "scaleDistribution": { - "type": "linear" - }, - "showPoints": "auto", - "spanNulls": false, - "stacking": { - "group": "A", - "mode": "none" - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "mappings": [], - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - }, - "unit": "short" - }, - "overrides": [] - }, - "gridPos": { - "h": 12, - "w": 16, - "x": 0, - "y": 4 - }, - "id": 5, - "options": { - "legend": { - "calcs": [], - "displayMode": "list", - "placement": "bottom", - "showLegend": true - }, - "tooltip": { - "maxHeight": 600, - "mode": "single", - "sort": "none" - } - }, - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "editorMode": "code", - "expr": "sum(avg_over_time(increase(microgateway_license_http_rq_total{job=~\"${operator_namespace.regex}/.*-engine\"}[7d])[2m:30s]))", - "instant": false, - "legendFormat": "# Requests per week", - "range": true, - "refId": "A" - } - ], - "title": "Processed Requests per week", - "type": "timeseries" - } - ], - "schemaVersion": 39, - "tags": [ - "airlock-microgateway" - ], - "templating": { - "list": [ - { - "current": { - "selected": false, - "text": "Prometheus", - "value": "PBFA97CFB590B2093" - }, - "hide": 2, - "includeAll": false, - "label": "DS_PROMETHEUS", - "multi": false, - "name": "DS_PROMETHEUS", - "options": [], - "query": "prometheus", - "refresh": 1, - "regex": "", - "skipUrlSync": false, - "type": "datasource" - }, - { - "allValue": ".*", - "current": {}, - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "definition": "label_values(microgateway_license_valid,namespace)", - "description": "", - "hide": 0, - "includeAll": false, - "label": "Operator Namespace", - "multi": false, - "name": "operator_namespace", - "options": [], - "query": { - "qryType": 1, - "query": "label_values(microgateway_license_valid,namespace)", - "refId": "PrometheusVariableQueryEditor-VariableQuery" - }, - "refresh": 2, - "regex": "", - "skipUrlSync": false, - "sort": 0, - "type": "query" - } - ] - }, - "time": { - "from": "now-7d", - "to": "now" - }, - "timeRangeUpdatedDuringEditOrView": false, - "timepicker": {}, - "timezone": "browser", - "title": "Airlock Microgateway License", - "uid": "cdpq79bzrr01se", - "version": 2, - "weekStart": "" -} \ No newline at end of file diff --git a/charts/airlock/microgateway/4.3.4/gke-values.yaml b/charts/airlock/microgateway/4.3.4/gke-values.yaml new file mode 100644 index 000000000..d6d5c21d1 --- /dev/null +++ b/charts/airlock/microgateway/4.3.4/gke-values.yaml @@ -0,0 +1,4 @@ +# values for deploying on GKE + +config: + cniBinDir: "/home/kubernetes/bin" diff --git a/charts/airlock/microgateway/4.3.4/openshift-values.yaml b/charts/airlock/microgateway/4.3.4/openshift-values.yaml new file mode 100644 index 000000000..3b1d6cccd --- /dev/null +++ b/charts/airlock/microgateway/4.3.4/openshift-values.yaml @@ -0,0 +1,15 @@ +# values for deploying on OpenShift + +rbac: + createSCCRole: true + +privileged: true + +multusNetworkAttachmentDefinition: + create: true + namespace: default + +config: + installMode: "standalone" + cniNetDir: "/etc/cni/multus/net.d" + cniBinDir: "/var/lib/cni/bin" diff --git a/charts/airlock/microgateway/4.3.4/questions.yml b/charts/airlock/microgateway/4.3.4/questions.yml new file mode 100644 index 000000000..73ed44d64 --- /dev/null +++ b/charts/airlock/microgateway/4.3.4/questions.yml @@ -0,0 +1,18 @@ +questions: + - variable: config.cniNetDir + required: true + type: string + label: CNI Network Configuration Directory + group: "CNI Settings" + description: "Directory where the CNI config files reside on the host. This value depends on the kubernetes distribution and interface CNI Provider used. It can be fetched by running `crictl info -o go-template --template '{{.config.cni.confDir}}'` on your kubernetes host." + - variable: config.cniBinDir + required: true + type: string + label: CNI Plugin Binaries Directory + group: "CNI Settings" + description: "Directory where the CNI plugin binaries reside on the host. This value depends on the kubernetes distribution and interface CNI Provider used. It can be fetched by running `crictl info -o go-template --template '{{.config.cni.binDir}}'` on your kubernetes host." + - variable: config.installMode + required: true + label: CNI Plugin Installation Mode + group: "CNI Settings" + description: "Whether to install the CNI plugin as a `chained` plugin (default, required with most interface CNI providers) as a `standalone` plugin (required for use with Multus CNI, e.g. on OpenShift) or in `manual` mode, where no CNI network configuration is written. Please refer to the CNI installation documentation (https://github.com/airlock/microgateway?tab=readme-ov-file#deploy-airlock-microgateway-cni) to correctly setup the CNI Plugin for your environment." diff --git a/charts/airlock/microgateway/4.3.4/templates/NOTES.txt b/charts/airlock/microgateway/4.3.4/templates/NOTES.txt index 6e5ce218a..bb94ff521 100644 --- a/charts/airlock/microgateway/4.3.4/templates/NOTES.txt +++ b/charts/airlock/microgateway/4.3.4/templates/NOTES.txt @@ -1,47 +1,15 @@ -Thank you for installing Airlock Microgateway. +Thank you for installing Airlock Microgateway CNI. -Please ensure the following prerequisites are fulfilled: -* Cert-Manager is installed. - https://cert-manager.io/docs/installation/helm/ -* Airlock Microgateway CNI is also installed on the cluster. - https://artifacthub.io/packages/helm/airlock-microgateway-cni/microgateway-cni -* A valid Airlock Microgateway license is deployed in the Kubernetes secret 'airlock-microgateway-license'. - * Get a free Community license: https://airlock.com/en/microgateway-community - * Order a Premium license: https://airlock.com/en/microgateway-premium +Please ensure that the helm values'.config.cniNetDir' and '.config.cniBinDir' are configured for your Kubernetes distribution. +For further information, consider our manual https://docs.airlock.com/microgateway/{{ include "airlock-microgateway-cni.docsVersion" . }}. +The chapter 'Setup > Installation' describes how to set those settings correctly. Further information: -* Documentation: https://docs.airlock.com/microgateway/{{ include "airlock-microgateway.docsVersion" . }} -* CRD API reference documentation: https://docs.airlock.com/microgateway/{{ include "airlock-microgateway.docsVersion" . }}/api/crds +* Documentation: https://docs.airlock.com/microgateway/{{ include "airlock-microgateway-cni.docsVersion" . }} * Airlock Microgateway Labs: https://play.instruqt.com/airlock/invite/hyi9fy4b4jzc?icp_referrer=helm -{{- if .Values.crds.skipVersionCheck }} -Warning: CRD version check skipped -{{- else -}} -{{- $outdatedCRDs := (include "airlock-microgateway.outdatedCRDs" .) -}} -{{- if $outdatedCRDs -}} - {{- fail (printf ` - -Helm does not automatically upgrade CRDs from the chart's 'crds/' directory during 'helm install/upgrade'. -Therefore, the CRDs must be manually upgraded with the following command before deploying this chart: - -kubectl apply -k https://github.com/airlock/microgateway/deploy/charts/airlock-microgateway/crds/?ref=%s --server-side --force-conflicts - -If you are not using the helm install/upgrade command and instead rely on some other mechanism which is able to upgrade CRDs for deploying this chart, you can suppress this error by setting the helm value 'crds.skipVersionCheck=true'.` - .Chart.AppVersion) - -}} -{{- end -}} -{{- end -}} -{{- if .Values.tests.enabled -}} - {{- if .Values.operator.watchNamespaces -}} - {{- if not (has .Release.Namespace .Values.operator.watchNamespaces) -}} - {{- fail (printf ` - -To execute 'helm test', it is necessary that the release namespace '%s' is part of the operator's watch scope. Either disable the tests or ensure that the release namespace is added to watch namspace list ('operator.watchNamespaces') in the helm values. -` - .Release.Namespace) - -}} - {{- end -}} - {{- end -}} -{{- end }} +Next steps: +* Install Airlock Microgateway (if not done already) + https://artifacthub.io/packages/helm/airlock-microgateway/microgateway Your release version is {{ .Chart.Version }}. \ No newline at end of file diff --git a/charts/airlock/microgateway/4.3.4/templates/_helpers.tpl b/charts/airlock/microgateway/4.3.4/templates/_helpers.tpl index 733ba9648..996491a87 100644 --- a/charts/airlock/microgateway/4.3.4/templates/_helpers.tpl +++ b/charts/airlock/microgateway/4.3.4/templates/_helpers.tpl @@ -1,16 +1,14 @@ {{/* Expand the name of the chart. -We truncate at 49 chars because some Kubernetes name fields are limited to 63 chars (by the DNS naming spec) -and the longest explicit suffix is 14 characters. */}} -{{- define "airlock-microgateway.name" -}} -{{- default .Chart.Name .Values.nameOverride | trunc 49 | trimSuffix "-" }} +{{- define "airlock-microgateway-cni.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} {{- end }} {{/* Convert an image configuration object into an image ref string. */}} -{{- define "airlock-microgateway.image" -}} +{{- define "airlock-microgateway-cni.image" -}} {{- if .digest -}} {{- printf "%s@%s" .repository .digest -}} {{- else if .tag -}} @@ -22,19 +20,19 @@ Convert an image configuration object into an image ref string. {{/* Create a default fully qualified app name. -We truncate at 36 chars because some Kubernetes name fields are limited to 63 chars (by the DNS naming spec) -and the longest implicit suffix is 27 characters. +We truncate at 50 chars because some Kubernetes name fields are limited to 63 chars (by the DNS naming spec) +and the longest suffix is 13 characters. If release name contains chart name it will be used as a full name. */}} -{{- define "airlock-microgateway.fullname" -}} +{{- define "airlock-microgateway-cni.fullname" -}} {{- if .Values.fullnameOverride }} -{{- .Values.fullnameOverride | trunc 36 | trimSuffix "-" }} +{{- .Values.fullnameOverride | trunc 50 | trimSuffix "-" }} {{- else }} {{- $name := default .Chart.Name .Values.nameOverride }} {{- if contains $name .Release.Name }} -{{- .Release.Name | trunc 36 | trimSuffix "-" }} +{{- .Release.Name | trunc 50 | trimSuffix "-" }} {{- else }} -{{- printf "%s-%s" .Release.Name $name | trunc 36 | trimSuffix "-" }} +{{- printf "%s-%s" .Release.Name $name | trunc 50 | trimSuffix "-" }} {{- end }} {{- end }} {{- end }} @@ -42,112 +40,62 @@ If release name contains chart name it will be used as a full name. {{/* Create chart name and version as used by the chart label. */}} -{{- define "airlock-microgateway.chart" -}} +{{- define "airlock-microgateway-cni.chart" -}} {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} {{- end }} {{/* Common labels */}} -{{- define "airlock-microgateway.sharedLabels" -}} -helm.sh/chart: {{ include "airlock-microgateway.chart" . }} +{{- define "airlock-microgateway-cni.labels" -}} +helm.sh/chart: {{ include "airlock-microgateway-cni.chart" . }} +{{ include "airlock-microgateway-cni.selectorLabels" . }} {{- if .Chart.AppVersion }} app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} {{- end }} app.kubernetes.io/managed-by: {{ .Release.Service }} -app.kubernetes.io/part-of: {{ .Chart.Name }} {{- with .Values.commonLabels }} {{ toYaml .}} {{- end }} {{- end }} {{/* -Common Selector labels +Common labels without component */}} -{{- define "airlock-microgateway.sharedSelectorLabels" -}} -app.kubernetes.io/instance: {{ .Release.Name }} +{{- define "airlock-microgateway-cni.labelsWithoutComponent" -}} +{{- $labels := fromYaml (include "airlock-microgateway-cni.labels" .) -}} +{{ unset $labels "app.kubernetes.io/component" | toYaml }} {{- end }} {{/* -Restricted Container Security Context +Selector labels */}} -{{- define "airlock-microgateway.restrictedSecurityContext" -}} -allowPrivilegeEscalation: false -privileged: false -runAsNonRoot: true -capabilities: - drop: ["ALL"] -readOnlyRootFilesystem: true -seccompProfile: - type: RuntimeDefault +{{- define "airlock-microgateway-cni.selectorLabels" -}} +app.kubernetes.io/component: cni-plugin-installer +app.kubernetes.io/instance: {{ .Release.Name }} +app.kubernetes.io/name: {{ include "airlock-microgateway-cni.name" . }} {{- end }} -{{/* Precondition: May only be used if AppVersion is isSemver */}} -{{- define "airlock-microgateway.supportedCRDVersionPattern" -}} -{{- $version := (semver .Chart.AppVersion) -}} -{{- if $version.Prerelease -}} ->= {{ $version.Major }}.{{ $version.Minor }}.{{ $version.Patch }}-{{ $version.Prerelease }} -{{- else -}} ->= {{ $version.Major }}.{{ $version.Minor }}.0 || >= {{ $version.Major }}.{{ $version.Minor }}.{{ add1 $version.Patch }}-0 -{{- end -}} -{{- end -}} +{{/* +Create the name of the service account to use for the CNI Plugin +*/}} +{{- define "airlock-microgateway-cni.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "airlock-microgateway-cni.fullname" .) .Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} -{{- define "airlock-microgateway.outdatedCRDs" -}} -{{- if (eq "true" (include "airlock-microgateway.isSemver" .Chart.AppVersion)) -}} - {{- $supportedVersion := (include "airlock-microgateway.supportedCRDVersionPattern" .) -}} - {{- range $path, $_ := .Files.Glob "crds/*.yaml" -}} - {{- $api := ($.Files.Get $path | fromYaml).metadata.name -}} - {{- $crd := (lookup "apiextensions.k8s.io/v1" "CustomResourceDefinition" "" $api) -}} - {{- $isOutdated := false -}} - {{- if $crd -}} - {{/* If CRD is already present in the cluster, it must have the minimum supported version */}} - {{- $isOutdated = true -}} - {{- if hasKey $crd.metadata "labels" -}} - {{- $crdVersion := get $crd.metadata.labels "app.kubernetes.io/version" -}} - {{- if (eq "true" (include "airlock-microgateway.isSemver" $crdVersion)) -}} - {{- if (semverCompare $supportedVersion $crdVersion) }} - {{- $isOutdated = false -}} - {{- end }} - {{- end -}} - {{- end -}} - {{- end -}} - {{- if $isOutdated }} -{{ base $path }} - {{- end }} - {{- end -}} -{{- end -}} -{{- end -}} - -{{- define "airlock-microgateway.isSemver" -}} +{{- define "airlock-microgateway-cni.isSemver" -}} {{- regexMatch `^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$` . -}} {{- end -}} -{{- define "airlock-microgateway.docsVersion" -}} -{{- if and (eq "true" (include "airlock-microgateway.isSemver" .Chart.AppVersion)) (not (contains "-" .Chart.AppVersion)) -}} +{{- define "airlock-microgateway-cni.docsVersion" -}} +{{- if and (eq "true" (include "airlock-microgateway-cni.isSemver" .Chart.AppVersion)) (not (contains "-" .Chart.AppVersion)) -}} {{- $version := (semver .Chart.AppVersion) -}} {{- $version.Major }}.{{ $version.Minor -}} {{- else -}} {{- print "latest" -}} {{- end -}} {{- end -}} - -{{- define "airlock-microgateway.watchNamespaceSelector.labelQuery" -}} -{{- $list := list -}} -{{- with .matchLabels -}} - {{- range $key, $value := . -}} - {{- $list = append $list (printf "%s=%s" $key $value) -}} - {{- end -}} -{{- end -}} -{{- with .matchExpressions -}} - {{- range . -}} - {{- if has .operator (list "In" "NotIn") -}} - {{- $list = append $list (printf "%s %s (%s)" .key (lower .operator) (join "," .values)) -}} - {{- else if eq .operator "Exists" -}} - {{- $list = append $list .key -}} - {{- else if eq .operator "DoesNotExist" -}} - {{- $list = append $list (printf "!%s" .key) -}} - {{- end -}} - {{- end -}} -{{- end -}} -{{- join "," $list -}} -{{- end -}} \ No newline at end of file diff --git a/charts/airlock/microgateway/4.3.4/templates/clusterrole.yaml b/charts/airlock/microgateway/4.3.4/templates/clusterrole.yaml new file mode 100644 index 000000000..ef88ac783 --- /dev/null +++ b/charts/airlock/microgateway/4.3.4/templates/clusterrole.yaml @@ -0,0 +1,22 @@ +{{- if .Values.rbac.create -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "airlock-microgateway-cni.fullname" . }} + labels: + {{- include "airlock-microgateway-cni.labels" . | nindent 4 }} + {{- with .Values.commonAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +rules: + - apiGroups: + - "" + resources: + - pods + verbs: + - get + - list + - watch + - patch +{{- end -}} diff --git a/charts/airlock/microgateway/4.3.4/templates/clusterrolebinding.yaml b/charts/airlock/microgateway/4.3.4/templates/clusterrolebinding.yaml new file mode 100644 index 000000000..04f87cb0f --- /dev/null +++ b/charts/airlock/microgateway/4.3.4/templates/clusterrolebinding.yaml @@ -0,0 +1,20 @@ +{{- if .Values.rbac.create -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "airlock-microgateway-cni.fullname" . }} + labels: + {{- include "airlock-microgateway-cni.labels" . | nindent 4 }} + {{- with .Values.commonAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "airlock-microgateway-cni.fullname" . }} +subjects: + - kind: ServiceAccount + name: {{ include "airlock-microgateway-cni.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +{{- end -}} diff --git a/charts/airlock/microgateway/4.3.4/templates/configmap.yaml b/charts/airlock/microgateway/4.3.4/templates/configmap.yaml new file mode 100644 index 000000000..b880116ef --- /dev/null +++ b/charts/airlock/microgateway/4.3.4/templates/configmap.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "airlock-microgateway-cni.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "airlock-microgateway-cni.labels" . | nindent 4 }} + {{- with .Values.commonAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +data: + plugin-conf.json: |- + { + "type": "{{ include "airlock-microgateway-cni.fullname" . }}", + "debug": {{ eq .Values.config.logLevel "debug" }}, + "logFilePath": "/var/log/{{ include "airlock-microgateway-cni.fullname" . }}.log", + "kubernetes": { + "kubeconfig": "{{ .Values.config.cniNetDir }}/{{ include "airlock-microgateway-cni.fullname" . }}-kubeconfig", + "excludeNamespaces": {{ toJson .Values.config.excludeNamespaces }} + } + } diff --git a/charts/airlock/microgateway/4.3.4/templates/daemonset.yaml b/charts/airlock/microgateway/4.3.4/templates/daemonset.yaml new file mode 100644 index 000000000..4ba9f2669 --- /dev/null +++ b/charts/airlock/microgateway/4.3.4/templates/daemonset.yaml @@ -0,0 +1,136 @@ +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: {{ include "airlock-microgateway-cni.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "airlock-microgateway-cni.labels" . | nindent 4 }} + {{- with .Values.commonAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + selector: + matchLabels: + {{- include "airlock-microgateway-cni.selectorLabels" . | nindent 6 }} + template: + metadata: + annotations: + checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + kubectl.kubernetes.io/default-container: cni-installer + {{- with mustMerge .Values.podAnnotations .Values.commonAnnotations}} + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "airlock-microgateway-cni.labels" . | nindent 8 }} + {{- with .Values.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + containers: + - args: + - --log-level + - "{{ .Values.config.logLevel }}" + env: + - name: CNI_NETWORK_CONFIG + valueFrom: + configMapKeyRef: + key: plugin-conf.json + name: {{ include "airlock-microgateway-cni.fullname" . }} + - name: CNI_BIN_DIR + value: /host/opt/cni/bin + - name: CNI_NET_DIR + value: /host/etc/cni/net.d + - name: KUBECONFIG_FILE_NAME + value: "{{ include "airlock-microgateway-cni.fullname" . }}-kubeconfig" + - name: INSTALL_MODE + value: {{ .Values.config.installMode }} + - name: KUBERNETES_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + image: {{ include "airlock-microgateway-cni.image" .Values.image }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + name: cni-installer + {{- with .Values.resources }} + resources: + {{- toYaml . | nindent 12 }} + {{- end }} + startupProbe: + exec: + command: + - /cni-installer + - probe + failureThreshold: 5 + initialDelaySeconds: 3 + periodSeconds: 3 + timeoutSeconds: 3 + readinessProbe: + exec: + command: + - /cni-installer + - probe + failureThreshold: 1 + periodSeconds: 60 + timeoutSeconds: 3 + securityContext: + allowPrivilegeEscalation: {{ .Values.privileged }} + capabilities: + drop: + - ALL + privileged: {{ .Values.privileged }} + readOnlyRootFilesystem: true + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 + seccompProfile: + type: RuntimeDefault + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /host/opt/cni/bin + name: cni-bin-dir + - mountPath: /host/etc/cni/net.d + name: cni-net-dir + - mountPath: /run/cni-installer + name: cni-installer-status + hostNetwork: true + priorityClassName: system-node-critical + restartPolicy: Always + securityContext: + fsGroup: 0 + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 + serviceAccountName: {{ include "airlock-microgateway-cni.serviceAccountName" . }} + terminationGracePeriodSeconds: 5 + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + tolerations: + - effect: NoSchedule + operator: Exists + - key: CriticalAddonsOnly + operator: Exists + - effect: NoExecute + operator: Exists + volumes: + - hostPath: + path: "{{ .Values.config.cniBinDir }}" + type: Directory + name: cni-bin-dir + - hostPath: + path: "{{ .Values.config.cniNetDir }}" + type: Directory + name: cni-net-dir + - emptyDir: {} + name: cni-installer-status diff --git a/charts/airlock/microgateway/4.3.4/templates/network-attachment-definition.yaml b/charts/airlock/microgateway/4.3.4/templates/network-attachment-definition.yaml new file mode 100644 index 000000000..5d657e309 --- /dev/null +++ b/charts/airlock/microgateway/4.3.4/templates/network-attachment-definition.yaml @@ -0,0 +1,13 @@ +{{- if .Values.multusNetworkAttachmentDefinition.create -}} +apiVersion: "k8s.cni.cncf.io/v1" +kind: NetworkAttachmentDefinition +metadata: + name: {{ include "airlock-microgateway-cni.fullname" . }} + namespace: {{ .Values.multusNetworkAttachmentDefinition.namespace }} + labels: + {{- include "airlock-microgateway-cni.labels" . | nindent 4 }} + {{- with .Values.commonAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end -}} diff --git a/charts/airlock/microgateway/4.3.4/templates/operator/_operator_helpers.tpl b/charts/airlock/microgateway/4.3.4/templates/operator/_operator_helpers.tpl deleted file mode 100644 index a540ff9f4..000000000 --- a/charts/airlock/microgateway/4.3.4/templates/operator/_operator_helpers.tpl +++ /dev/null @@ -1,42 +0,0 @@ -{{/* -Create a default fully qualified name for operator components. -*/}} -{{- define "airlock-microgateway.operator.fullname" -}} -{{ include "airlock-microgateway.fullname" . }}-operator -{{- end }} - - -{{/* -Common operator labels -*/}} -{{- define "airlock-microgateway.operator.labels" -}} -{{ include "airlock-microgateway.sharedLabels" . }} -{{ include "airlock-microgateway.operator.selectorLabels" . }} -{{- end }} - -{{/* -Operator Selector labels -*/}} -{{- define "airlock-microgateway.operator.selectorLabels" -}} -{{ include "airlock-microgateway.sharedSelectorLabels" . }} -app.kubernetes.io/name: {{ include "airlock-microgateway.name" . }}-operator -app.kubernetes.io/component: controller -{{- end }} - -{{/* -Create the name of the service account to use for the operator -*/}} -{{- define "airlock-microgateway.operator.serviceAccountName" -}} -{{- if .Values.operator.serviceAccount.create }} -{{- default (include "airlock-microgateway.operator.fullname" .) .Values.operator.serviceAccount.name }} -{{- else }} -{{- default "default" .Values.operator.serviceAccount.name }} -{{- end }} -{{- end }} - -{{/* -ServiceMonitor metrics regex pattern for leader only metrics -*/}} -{{- define "airlock-microgateway.operator.metricsLeaderOnlyRegexPattern" -}} -^(microgateway_license|microgateway_sidecars).*$ -{{- end }} diff --git a/charts/airlock/microgateway/4.3.4/templates/operator/_rbac.gen.tpl b/charts/airlock/microgateway/4.3.4/templates/operator/_rbac.gen.tpl deleted file mode 100644 index 83b314cbc..000000000 --- a/charts/airlock/microgateway/4.3.4/templates/operator/_rbac.gen.tpl +++ /dev/null @@ -1,237 +0,0 @@ -{{/* AUTOGENERATED FILE DO NOT EDIT */}} - -{{/* -Operator rbac permission rules -*/}} -{{- define "airlock-microgateway-operator.rbacRules" -}} -- apiGroups: - - "" - resources: - - configmaps - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - events - verbs: - - create - - patch -- apiGroups: - - "" - resources: - - namespaces - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - pods - verbs: - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - "" - resources: - - pods/finalizers - verbs: - - update -- apiGroups: - - "" - resources: - - pods/status - verbs: - - patch - - update -- apiGroups: - - "" - resources: - - secrets - verbs: - - create - - delete - - get - - list - - update - - watch -- apiGroups: - - microgateway.airlock.com - resources: - - accesscontrols - verbs: - - get - - list - - watch -- apiGroups: - - microgateway.airlock.com - resources: - - contentsecurities - verbs: - - get - - list - - watch -- apiGroups: - - microgateway.airlock.com - resources: - - denyrules - verbs: - - get - - list - - watch -- apiGroups: - - microgateway.airlock.com - resources: - - envoyclusters - verbs: - - get - - list - - watch -- apiGroups: - - microgateway.airlock.com - resources: - - envoyconfigurations - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - microgateway.airlock.com - resources: - - envoyconfigurations/status - verbs: - - get - - patch - - update -- apiGroups: - - microgateway.airlock.com - resources: - - envoyhttpfilters - verbs: - - get - - list - - watch -- apiGroups: - - microgateway.airlock.com - resources: - - graphqls - verbs: - - get - - list - - watch -- apiGroups: - - microgateway.airlock.com - resources: - - headerrewrites - verbs: - - get - - list - - watch -- apiGroups: - - microgateway.airlock.com - resources: - - identitypropagations - verbs: - - get - - list - - watch -- apiGroups: - - microgateway.airlock.com - resources: - - limits - verbs: - - get - - list - - watch -- apiGroups: - - microgateway.airlock.com - resources: - - oidcproviders - verbs: - - get - - list - - watch -- apiGroups: - - microgateway.airlock.com - resources: - - oidcrelyingparties - verbs: - - get - - list - - watch -- apiGroups: - - microgateway.airlock.com - resources: - - openapis - verbs: - - get - - list - - watch -- apiGroups: - - microgateway.airlock.com - resources: - - parsers - verbs: - - get - - list - - watch -- apiGroups: - - microgateway.airlock.com - resources: - - redisproviders - verbs: - - get - - list - - watch -- apiGroups: - - microgateway.airlock.com - resources: - - sessionhandlings - verbs: - - get - - list - - watch -- apiGroups: - - microgateway.airlock.com - resources: - - sidecargateways - verbs: - - get - - list - - patch - - update - - watch -- apiGroups: - - microgateway.airlock.com - resources: - - sidecargateways/finalizers - verbs: - - update -- apiGroups: - - microgateway.airlock.com - resources: - - sidecargateways/status - verbs: - - get - - patch - - update -- apiGroups: - - microgateway.airlock.com - resources: - - telemetries - verbs: - - get - - list - - watch -{{- end }} diff --git a/charts/airlock/microgateway/4.3.4/templates/operator/_webhooks.gen.tpl b/charts/airlock/microgateway/4.3.4/templates/operator/_webhooks.gen.tpl deleted file mode 100644 index 02e304890..000000000 --- a/charts/airlock/microgateway/4.3.4/templates/operator/_webhooks.gen.tpl +++ /dev/null @@ -1,339 +0,0 @@ -{{/* AUTOGENERATED FILE DO NOT EDIT */}} - -{{/* -Operator mutating webhooks -*/}} -{{- define "airlock-microgateway-operator.mutatingWebhooks" -}} -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: airlock-microgateway-operator-webhook - namespace: '{{ .Release.Namespace }}' - path: /mutate-v1-pod - failurePolicy: Fail - name: mutate-pod.microgateway.airlock.com - reinvocationPolicy: IfNeeded - rules: - - apiGroups: - - "" - apiVersions: - - v1 - operations: - - CREATE - resources: - - pods - sideEffects: None - objectSelector: - matchLabels: - sidecar.microgateway.airlock.com/inject: "true" -{{- end }} - -{{/* -Operator validating webhooks -*/}} -{{- define "airlock-microgateway-operator.validatingWebhooks" -}} -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: airlock-microgateway-operator-webhook - namespace: '{{ .Release.Namespace }}' - path: /validate-v1-pod - failurePolicy: Fail - name: validate-pod.microgateway.airlock.com - rules: - - apiGroups: - - "" - apiVersions: - - v1 - operations: - - CREATE - - UPDATE - resources: - - pods - sideEffects: None - objectSelector: - matchLabels: - sidecar.microgateway.airlock.com/inject: "true" -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: airlock-microgateway-operator-webhook - namespace: '{{ .Release.Namespace }}' - path: /validate-microgateway-airlock-com-v1alpha1-accesscontrol - failurePolicy: Fail - name: validate-accesscontrol.microgateway.airlock.com - rules: - - apiGroups: - - microgateway.airlock.com - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - accesscontrols - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: airlock-microgateway-operator-webhook - namespace: '{{ .Release.Namespace }}' - path: /validate-microgateway-airlock-com-v1alpha1-denyrules - failurePolicy: Fail - name: validate-denyrules.microgateway.airlock.com - rules: - - apiGroups: - - microgateway.airlock.com - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - denyrules - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: airlock-microgateway-operator-webhook - namespace: '{{ .Release.Namespace }}' - path: /validate-microgateway-airlock-com-v1alpha1-envoycluster - failurePolicy: Fail - name: validate-envoycluster.microgateway.airlock.com - rules: - - apiGroups: - - microgateway.airlock.com - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - envoyclusters - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: airlock-microgateway-operator-webhook - namespace: '{{ .Release.Namespace }}' - path: /validate-microgateway-airlock-com-v1alpha1-envoyhttpfilter - failurePolicy: Fail - name: validate-envoyhttpfilter.microgateway.airlock.com - rules: - - apiGroups: - - microgateway.airlock.com - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - envoyhttpfilters - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: airlock-microgateway-operator-webhook - namespace: '{{ .Release.Namespace }}' - path: /validate-microgateway-airlock-com-v1alpha1-graphql - failurePolicy: Fail - name: validate-graphql.microgateway.airlock.com - rules: - - apiGroups: - - microgateway.airlock.com - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - graphqls - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: airlock-microgateway-operator-webhook - namespace: '{{ .Release.Namespace }}' - path: /validate-microgateway-airlock-com-v1alpha1-headerrewrites - failurePolicy: Fail - name: validate-headerrewrites.microgateway.airlock.com - rules: - - apiGroups: - - microgateway.airlock.com - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - headerrewrites - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: airlock-microgateway-operator-webhook - namespace: '{{ .Release.Namespace }}' - path: /validate-microgateway-airlock-com-v1alpha1-identitypropagation - failurePolicy: Fail - name: validate-identitypropagation.microgateway.airlock.com - rules: - - apiGroups: - - microgateway.airlock.com - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - identitypropagations - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: airlock-microgateway-operator-webhook - namespace: '{{ .Release.Namespace }}' - path: /validate-microgateway-airlock-com-v1alpha1-limits - failurePolicy: Fail - name: validate-limits.microgateway.airlock.com - rules: - - apiGroups: - - microgateway.airlock.com - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - limits - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: airlock-microgateway-operator-webhook - namespace: '{{ .Release.Namespace }}' - path: /validate-microgateway-airlock-com-v1alpha1-oidcprovider - failurePolicy: Fail - name: validate-oidcprovider.microgateway.airlock.com - rules: - - apiGroups: - - microgateway.airlock.com - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - oidcproviders - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: airlock-microgateway-operator-webhook - namespace: '{{ .Release.Namespace }}' - path: /validate-microgateway-airlock-com-v1alpha1-oidcrelyingparty - failurePolicy: Fail - name: validate-oidcrelyingparty.microgateway.airlock.com - rules: - - apiGroups: - - microgateway.airlock.com - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - oidcrelyingparties - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: airlock-microgateway-operator-webhook - namespace: '{{ .Release.Namespace }}' - path: /validate-microgateway-airlock-com-v1alpha1-openapi - failurePolicy: Fail - name: validate-openapi.microgateway.airlock.com - rules: - - apiGroups: - - microgateway.airlock.com - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - openapis - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: airlock-microgateway-operator-webhook - namespace: '{{ .Release.Namespace }}' - path: /validate-microgateway-airlock-com-v1alpha1-parser - failurePolicy: Fail - name: validate-parser.microgateway.airlock.com - rules: - - apiGroups: - - microgateway.airlock.com - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - parsers - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: airlock-microgateway-operator-webhook - namespace: '{{ .Release.Namespace }}' - path: /validate-microgateway-airlock-com-v1alpha1-redisprovider - failurePolicy: Fail - name: validate-redisprovider.microgateway.airlock.com - rules: - - apiGroups: - - microgateway.airlock.com - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - redisproviders - sideEffects: None -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: airlock-microgateway-operator-webhook - namespace: '{{ .Release.Namespace }}' - path: /validate-microgateway-airlock-com-v1alpha1-sidecargateway - failurePolicy: Fail - name: validate-sidecargateway.microgateway.airlock.com - rules: - - apiGroups: - - microgateway.airlock.com - apiVersions: - - v1alpha1 - operations: - - CREATE - - UPDATE - resources: - - sidecargateways - sideEffects: None -{{- end }} diff --git a/charts/airlock/microgateway/4.3.4/templates/operator/configmap.yaml b/charts/airlock/microgateway/4.3.4/templates/operator/configmap.yaml deleted file mode 100644 index 95e52d7df..000000000 --- a/charts/airlock/microgateway/4.3.4/templates/operator/configmap.yaml +++ /dev/null @@ -1,394 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "airlock-microgateway.operator.fullname" . }}-config - namespace: {{ .Release.Namespace }} - labels: - {{- include "airlock-microgateway.operator.labels" . | nindent 4 }} - {{- with .Values.commonAnnotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -data: - engine_bootstrap_config_template.yaml: | - # Base configuration, admin interface on port 19000 - admin: - address: - socket_address: - address: 127.0.0.1 - port_value: 19000 - dynamic_resources: - cds_config: - initial_fetch_timeout: 10s - resource_api_version: V3 - api_config_source: - api_type: GRPC - transport_api_version: V3 - grpc_services: - - envoy_grpc: - cluster_name: xds_cluster - set_node_on_first_message_only: true - # Prevent Envoy Node from overloading the xDS server due to rejected configuration when using xDS SotW gRPC - rate_limit_settings: - max_tokens: 5 - fill_rate: 0.2 - lds_config: - resource_api_version: V3 - initial_fetch_timeout: 10s - api_config_source: - api_type: GRPC - transport_api_version: V3 - grpc_services: - - envoy_grpc: - cluster_name: xds_cluster - set_node_on_first_message_only: true - # Prevent Envoy Node from overloading the xDS server due to rejected configuration when using xDS SotW gRPC - rate_limit_settings: - max_tokens: 5 - fill_rate: 0.2 - static_resources: - listeners: - - name: probe - address: - socket_address: - address: 0.0.0.0 - port_value: 19001 - filter_chains: - - filters: - - name: http_connection_manager - typed_config: - '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager - stat_prefix: probe - codec_type: AUTO - http2_protocol_options: - initial_connection_window_size: 1048576 - initial_stream_window_size: 65536 - max_concurrent_streams: 100 - route_config: - name: probe - virtual_hosts: - - name: probe - domains: - - '*' - routes: - - name: ready - match: - path: /ready - headers: - - name: ':method' - string_match: - exact: 'GET' - route: - cluster: airlock_microgateway_engine_admin - http_filters: - - name: envoy.filters.http.router - typed_config: - '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router - - name: metrics - address: - socket_address: - address: 0.0.0.0 - port_value: 19002 - filter_chains: - - filters: - - name: http_connection_manager - typed_config: - '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager - stat_prefix: metrics - codec_type: AUTO - http2_protocol_options: - initial_connection_window_size: 1048576 - initial_stream_window_size: 65536 - max_concurrent_streams: 100 - route_config: - name: metrics - virtual_hosts: - - name: metrics - domains: - - '*' - routes: - - name: metrics - match: - path: /metrics - headers: - - name: ':method' - string_match: - exact: 'GET' - route: - prefix_rewrite: '/stats/prometheus' - cluster: airlock_microgateway_engine_admin - http_filters: - - name: envoy.filters.http.router - typed_config: - '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router - clusters: - - name: xds_cluster - connect_timeout: 1s - type: STRICT_DNS - load_assignment: - cluster_name: xds_cluster - endpoints: - - lb_endpoints: - - endpoint: - address: - socket_address: - address: airlock-microgateway-operator-xds.$(OPERATOR_NAMESPACE).svc.cluster.local - port_value: 13377 - typed_extension_protocol_options: - envoy.extensions.upstreams.http.v3.HttpProtocolOptions: - '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions - explicit_http_config: - http2_protocol_options: - connection_keepalive: - interval: 360s - timeout: 5s - transport_socket: - name: envoy.transport_sockets.tls - typed_config: - '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext - common_tls_context: - tls_params: - tls_minimum_protocol_version: TLSv1_3 - tls_maximum_protocol_version: TLSv1_3 - validation_context_sds_secret_config: - name: validation_context_sds - sds_config: - resource_api_version: V3 - path_config_source: - path: /etc/envoy/validation_context_sds_secret.yaml - watched_directory: - path: /etc/envoy/ - tls_certificate_sds_secret_configs: - - name: tls_certificate_sds - sds_config: - resource_api_version: V3 - path_config_source: - path: /etc/envoy/tls_certificate_sds_secret.yaml - watched_directory: - path: /etc/envoy/ - - name: airlock_microgateway_engine_admin - connect_timeout: 1s - type: STATIC - load_assignment: - cluster_name: airlock_microgateway_engine_admin - endpoints: - - lb_endpoints: - - endpoint: - address: - socket_address: - address: 127.0.0.1 - port_value: 19000 - typed_extension_protocol_options: - envoy.extensions.upstreams.http.v3.HttpProtocolOptions: - '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions - explicit_http_config: - http2_protocol_options: - connection_keepalive: - interval: 360s - timeout: 5s - stats_config: - stats_tags: - - tag_name: "block_type" - regex: "\\.(block_type\\.([^.]+))" - - tag_name: "attack_type" - regex: "\\.(attack_type\\.([^.]+))" - - tag_name: "envoy_cluster_name" - regex: "\\.(cluster\\.([^.]+))" - - tag_name: "version" - regex: "\\.(version\\.([^.]+))" - use_all_default_tags: true - overload_manager: - resource_monitors: - - name: "envoy.resource_monitors.global_downstream_max_connections" - typed_config: - "@type": type.googleapis.com/envoy.extensions.resource_monitors.downstream_connections.v3.DownstreamConnectionsConfig - max_active_downstream_connections: 50000 - bootstrap_extensions: - - name: airlock.bootstrap.engine_build_info - typed_config: - '@type': type.googleapis.com/airlock.extensions.bootstrap.stats.v1alpha.Stats - application_log_config: - log_format: - text_format: '{"@timestamp":"%Y-%m-%dT%T.%e%z","log":{"logger":"%n","level":"%l","origin":{"file":{"name":"%g","line":%#},"function":"%!"}},"event":{"module":"envoy","dataset":"envoy.application"},"process":{"pid":%P,"thread":{"id":%t}},"ecs":{"version":"8.5"},"message":"%j"}' - engine_container_template.yaml: | - name: "$(ENGINE_NAME)" - image: "$(ENGINE_IMAGE)" - imagePullPolicy: {{ .Values.engine.image.pullPolicy }} - args: - - "--config-path" - - "/etc/envoy/bootstrap_config.yaml" - - "--base-id" - - "$(BASE_ID)" - - "--file-flush-interval-msec" - - '1000' - - "--drain-time-s" - - '60' - - "--service-node" - - "$(POD_NAME).$(POD_NAMESPACE)" - - "--service-cluster" - - "$(APP_NAME).$(POD_NAMESPACE)" - - "--log-path" - - "/dev/stdout" - - "--log-level" - - "$(LOG_LEVEL)" - volumeMounts: - - name: airlock-microgateway-bootstrap-secret-volume - mountPath: /etc/envoy - readOnly: true - env: - - name: POD_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: POD_IP - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: status.podIP - ports: - - containerPort: 13378 - protocol: TCP - - containerPort: 19001 - protocol: TCP - - containerPort: 19002 - protocol: TCP - livenessProbe: - httpGet: - path: /ready - port: 19001 - scheme: HTTP - initialDelaySeconds: 5 - periodSeconds: 5 - failureThreshold: 5 - successThreshold: 1 - timeoutSeconds: 1 - readinessProbe: - httpGet: - path: /ready - port: 19001 - scheme: HTTP - initialDelaySeconds: 5 - periodSeconds: 5 - failureThreshold: 3 - successThreshold: 1 - timeoutSeconds: 1 - securityContext: - {{- include "airlock-microgateway.restrictedSecurityContext" . | nindent 6 }} - runAsUser: $(SECURITYCONTEXT_UID) - {{- with .Values.engine.resources }} - resources: - {{- toYaml . | nindent 6 }} - {{- end }} - session_agent_container_template.yaml: | - name: "$(SESSION_AGENT_NAME)" - image: "$(SESSION_AGENT_IMAGE)" - imagePullPolicy: {{ .Values.sessionAgent.image.pullPolicy }} - args: - - "--port" - - "19004" - - "--config-path" - - "/etc/microgateway-session-agent/config.json" - volumeMounts: - - name: airlock-microgateway-session-agent-volume - mountPath: /etc/microgateway-session-agent - readOnly: true - env: - - name: POD_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - ports: - - containerPort: 19004 - livenessProbe: - {{- if (semverCompare ">=1.27 || >=1.27.1-0" .Capabilities.KubeVersion.Version)}} - grpc: - port: 19004 - {{- else }} - tcpSocket: - port: 19004 - {{- end }} - initialDelaySeconds: 5 - periodSeconds: 5 - failureThreshold: 5 - successThreshold: 1 - timeoutSeconds: 5 - readinessProbe: - {{- if (semverCompare ">=1.27 || >=1.27.1-0" .Capabilities.KubeVersion.Version)}} - grpc: - port: 19004 - {{- else }} - tcpSocket: - port: 19004 - {{- end }} - initialDelaySeconds: 5 - periodSeconds: 5 - failureThreshold: 3 - successThreshold: 1 - timeoutSeconds: 5 - securityContext: - {{- include "airlock-microgateway.restrictedSecurityContext" . | nindent 6 }} - runAsUser: $(SECURITYCONTEXT_UID) - {{- with .Values.sessionAgent.resources }} - resources: - {{- toYaml . | nindent 6 }} - {{- end }} - network_validator_container_template.yaml: | - name: "$(NETWORK_VALIDATOR_NAME)" - image: "$(NETWORK_VALIDATOR_IMAGE)" - imagePullPolicy: {{ .Values.networkValidator.image.pullPolicy }} - command: ["/bin/sh", "-c"] - args: - - |- - echo 'pong' | nc -v -l 127.0.0.1 13378 & - for i in 1 2 3; do - sleep 1s - if r=$(echo 'ping' | nc -v -q 0 127.0.0.1 19003) && [ $r == pong ]; then - echo -n 'Traffic redirection to Airlock Microgateway Engine is working.' > /dev/termination-log - exit 0 - fi - done - echo -en 'Traffic redirection to Airlock Microgateway Engine is not working.\nRestart the pod after ensuring that hostNetwork is disabled and a compatible Airlock Microgateway CNI version is installed on the node.\nCertain environments may also require additional configuration (see docs.airlock.com for more information).' > /dev/termination-log - exit 1 - securityContext: - {{- include "airlock-microgateway.restrictedSecurityContext" . | nindent 6 }} - runAsUser: $(SECURITYCONTEXT_UID) - operator_config.yaml: | - apiVersion: config.airlock.com/v1alpha1 - kind: OperatorConfig - health: - healthProbeBindAddress: :8081 - metrics: - bindAddress: 0.0.0.0:8080 - webhook: - port: 9443 - deployment: - sidecar: - engineContainerTemplate: "/sidecar/engine_container_template.yaml" - networkValidatorContainerTemplate: "/sidecar/network_validator_container_template.yaml" - sessionAgentContainerTemplate: "/sidecar/session_agent_container_template.yaml" - engine: - bootstrapConfigTemplate: "/engine_bootstrap_config_template.yaml" - log: - level: {{ .Values.operator.config.logLevel }} - {{- with $.Values.operator.watchNamespaceSelector }} - namespaces: - selector: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with $.Values.operator.watchNamespaces }} - namespaces: - list: - {{- toYaml . | nindent 8 }} - {{- end }} diff --git a/charts/airlock/microgateway/4.3.4/templates/operator/dashboard-configmap.yaml b/charts/airlock/microgateway/4.3.4/templates/operator/dashboard-configmap.yaml deleted file mode 100644 index b71ac89b6..000000000 --- a/charts/airlock/microgateway/4.3.4/templates/operator/dashboard-configmap.yaml +++ /dev/null @@ -1,28 +0,0 @@ -{{- if .Values.dashboards.create -}} -{{- range $instance := (keys .Values.dashboards.instances | sortAlpha) -}} -{{- $dashboard := get $.Values.dashboards.instances $instance -}} -{{- if $dashboard.create }} ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "airlock-microgateway.fullname" $ }}-dashboard-{{ $instance | lower }} - namespace: {{ $.Release.Namespace }} - labels: - {{- include "airlock-microgateway.operator.labels" $ | nindent 4 }} - {{- with $.Values.dashboards.config.grafana.dashboardLabel -}} - {{- .name | nindent 4 -}}: {{ .value | quote }} - {{- end }} - annotations: - {{- with $.Values.dashboards.config.grafana.folderAnnotation -}} - {{- .name | nindent 4 -}}: {{ .value | quote }} - {{- end }} - {{- with $.Values.commonAnnotations }} - {{- toYaml . | nindent 4 }} - {{- end }} -data: - {{- printf "%s.json" $instance | nindent 2 }}: |- - {{- ($.Files.Get (printf "dashboards/%s.json" $instance)) | nindent 4 -}} -{{- end -}} -{{- end -}} -{{- end -}} \ No newline at end of file diff --git a/charts/airlock/microgateway/4.3.4/templates/operator/deployment.yaml b/charts/airlock/microgateway/4.3.4/templates/operator/deployment.yaml deleted file mode 100644 index db340cdec..000000000 --- a/charts/airlock/microgateway/4.3.4/templates/operator/deployment.yaml +++ /dev/null @@ -1,143 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "airlock-microgateway.operator.fullname" . }} - namespace: {{ .Release.Namespace }} - labels: - {{- include "airlock-microgateway.operator.labels" . | nindent 4 }} - {{- with .Values.commonAnnotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -spec: - replicas: {{ .Values.operator.replicaCount }} - {{- with .Values.operator.updateStrategy }} - strategy: - {{- toYaml . | trim | nindent 4 }} - {{- end }} - selector: - matchLabels: - {{- include "airlock-microgateway.operator.selectorLabels" . | nindent 6 }} - template: - metadata: - annotations: - checksum/config: {{ include (print $.Template.BasePath "/operator/configmap.yaml") . | sha256sum }} - kubectl.kubernetes.io/default-container: manager - {{- with mustMerge .Values.operator.podAnnotations .Values.commonAnnotations}} - {{- toYaml . | nindent 8 }} - {{- end }} - labels: - {{- include "airlock-microgateway.operator.labels" . | nindent 8 }} - {{- with .Values.operator.podLabels }} - {{- toYaml . | nindent 8 }} - {{- end }} - spec: - containers: - - args: - - --config=operator_config.yaml - env: - - name: ENGINE_IMAGE - value: {{ include "airlock-microgateway.image" .Values.engine.image }} - - name: NETWORK_VALIDATOR_IMAGE - value: {{ include "airlock-microgateway.image" .Values.networkValidator.image }} - - name: SESSION_AGENT_IMAGE - value: {{ include "airlock-microgateway.image" .Values.sessionAgent.image }} - - name: OPERATOR_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: OPERATOR_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - image: {{ include "airlock-microgateway.image" .Values.operator.image }} - imagePullPolicy: {{ .Values.operator.image.pullPolicy }} - livenessProbe: - httpGet: - path: /healthz - port: 8081 - initialDelaySeconds: 15 - periodSeconds: 20 - timeoutSeconds: 5 - name: manager - ports: - - containerPort: 9443 - name: webhook-server - protocol: TCP - - containerPort: 13377 - name: xds-server - protocol: TCP - - containerPort: 8080 - protocol: TCP - - containerPort: 8081 - protocol: TCP - readinessProbe: - httpGet: - path: /readyz - port: 8081 - initialDelaySeconds: 5 - periodSeconds: 10 - timeoutSeconds: 5 - {{- with .Values.operator.resources }} - resources: - {{- toYaml . | nindent 10 }} - {{- end }} - securityContext: - {{- include "airlock-microgateway.restrictedSecurityContext" . | nindent 10 }} - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: FallbackToLogsOnError - volumeMounts: - - mountPath: /tmp/k8s-webhook-server/serving-certs - name: cert - readOnly: true - - mountPath: /opt/airlock/license/ - name: airlock-microgateway-license - readOnly: true - - mountPath: /operator_config.yaml - name: operator-config - subPath: operator_config.yaml - - mountPath: /sidecar/engine_container_template.yaml - name: operator-config - subPath: engine_container_template.yaml - - mountPath: /sidecar/network_validator_container_template.yaml - name: operator-config - subPath: network_validator_container_template.yaml - - mountPath: /sidecar/session_agent_container_template.yaml - name: operator-config - subPath: session_agent_container_template.yaml - - mountPath: /engine_bootstrap_config_template.yaml - name: operator-config - subPath: engine_bootstrap_config_template.yaml - securityContext: - runAsNonRoot: true - serviceAccountName: {{ include "airlock-microgateway.operator.serviceAccountName" . }} - terminationGracePeriodSeconds: 10 - {{- with .Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.operator.nodeSelector }} - nodeSelector: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.operator.tolerations }} - tolerations: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.operator.affinity }} - affinity: - {{- toYaml . | nindent 8 }} - {{- end }} - volumes: - - name: cert - secret: - defaultMode: 420 - secretName: {{ include "airlock-microgateway.operator.fullname" . }}-webhook-server-cert - - name: airlock-microgateway-license - secret: - defaultMode: 292 - optional: true - secretName: {{ .Values.license.secretName }} - - configMap: - name: {{ include "airlock-microgateway.operator.fullname" . }}-config - name: operator-config diff --git a/charts/airlock/microgateway/4.3.4/templates/operator/manager-role.yaml b/charts/airlock/microgateway/4.3.4/templates/operator/manager-role.yaml deleted file mode 100644 index 90335bcfe..000000000 --- a/charts/airlock/microgateway/4.3.4/templates/operator/manager-role.yaml +++ /dev/null @@ -1,33 +0,0 @@ -{{- if .Values.operator.rbac.create }} -{{- if empty .Values.operator.watchNamespaces }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: {{ include "airlock-microgateway.operator.fullname" . }}-manager-{{ .Release.Namespace }} - labels: - {{- include "airlock-microgateway.operator.labels" . | nindent 4 }} - {{- with .Values.commonAnnotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -rules: -{{ include "airlock-microgateway-operator.rbacRules" . -}} -{{- else }} -{{- range $namespace := (append .Values.operator.watchNamespaces .Release.Namespace | uniq) }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: {{ include "airlock-microgateway.operator.fullname" $ }}-manager - namespace: {{ $namespace }} - labels: - {{- include "airlock-microgateway.operator.labels" $ | nindent 4 }} - {{- with $.Values.commonAnnotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -rules: -{{ include "airlock-microgateway-operator.rbacRules" $ }} ---- -{{- end -}} -{{- end -}} -{{- end -}} diff --git a/charts/airlock/microgateway/4.3.4/templates/operator/manager-rolebinding.yaml b/charts/airlock/microgateway/4.3.4/templates/operator/manager-rolebinding.yaml deleted file mode 100644 index ae99cfb7b..000000000 --- a/charts/airlock/microgateway/4.3.4/templates/operator/manager-rolebinding.yaml +++ /dev/null @@ -1,45 +0,0 @@ -{{- if .Values.operator.rbac.create }} -{{- if empty .Values.operator.watchNamespaces }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: {{ include "airlock-microgateway.operator.fullname" . }}-manager-{{ .Release.Namespace }} - labels: - {{- include "airlock-microgateway.operator.labels" . | nindent 4 }} - {{- with .Values.commonAnnotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: {{ include "airlock-microgateway.operator.fullname" . }}-manager-{{ .Release.Namespace }} -subjects: - - kind: ServiceAccount - name: {{ include "airlock-microgateway.operator.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} -{{- else }} -{{- range $namespace := (append .Values.operator.watchNamespaces .Release.Namespace | uniq) }} -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: {{ include "airlock-microgateway.operator.fullname" $ }}-manager - namespace: {{ $namespace }} - labels: - {{- include "airlock-microgateway.operator.labels" $ | nindent 4 }} - {{- with $.Values.commonAnnotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: {{ include "airlock-microgateway.operator.fullname" $ }}-manager -subjects: - - kind: ServiceAccount - name: {{ include "airlock-microgateway.operator.serviceAccountName" $ }} - namespace: {{ $.Release.Namespace }} ---- -{{- end -}} -{{- end -}} -{{- end -}} diff --git a/charts/airlock/microgateway/4.3.4/templates/operator/metrics-service.yaml b/charts/airlock/microgateway/4.3.4/templates/operator/metrics-service.yaml deleted file mode 100644 index 34d23f6d6..000000000 --- a/charts/airlock/microgateway/4.3.4/templates/operator/metrics-service.yaml +++ /dev/null @@ -1,47 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: airlock-microgateway-operator-metrics - namespace: {{ .Release.Namespace }} - labels: - {{- include "airlock-microgateway.operator.labels" . | nindent 4 }} - {{- with .Values.operator.serviceLabels }} - {{- toYaml . | nindent 4 }} - {{- end }} - {{- with mustMerge .Values.operator.serviceAnnotations .Values.commonAnnotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -spec: - ports: - - appProtocol: http - name: metrics - port: 8080 - protocol: TCP - selector: - {{- include "airlock-microgateway.operator.selectorLabels" . | nindent 4 }} ---- -apiVersion: v1 -kind: Service -metadata: - name: airlock-microgateway-operator-leader-metrics - namespace: {{ .Release.Namespace }} - labels: - {{- include "airlock-microgateway.operator.labels" . | nindent 4 }} - {{- with .Values.operator.serviceLabels }} - {{- toYaml . | nindent 4 }} - {{- end }} - operator.microgateway.airlock.com/isLeader: "true" - {{- with mustMerge .Values.operator.serviceAnnotations .Values.commonAnnotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -spec: - ports: - - appProtocol: http - name: metrics - port: 8080 - protocol: TCP - selector: - {{- include "airlock-microgateway.operator.selectorLabels" . | nindent 4 }} - operator.microgateway.airlock.com/isLeader: "true" \ No newline at end of file diff --git a/charts/airlock/microgateway/4.3.4/templates/operator/mutating-webhook.yaml b/charts/airlock/microgateway/4.3.4/templates/operator/mutating-webhook.yaml deleted file mode 100644 index 311f9726a..000000000 --- a/charts/airlock/microgateway/4.3.4/templates/operator/mutating-webhook.yaml +++ /dev/null @@ -1,28 +0,0 @@ -apiVersion: admissionregistration.k8s.io/v1 -kind: MutatingWebhookConfiguration -metadata: - name: {{ include "airlock-microgateway.operator.fullname" . }}-webhook-{{ .Release.Namespace }} - namespace: {{ .Release.Namespace }} - labels: - {{- include "airlock-microgateway.operator.labels" . | nindent 4 }} - annotations: - cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "airlock-microgateway.operator.fullname" . }}-serving-cert - {{- with .Values.commonAnnotations }} - {{- toYaml . | nindent 4 }} - {{- end }} -webhooks: -{{- range $webhook := (include "airlock-microgateway-operator.mutatingWebhooks" .) | fromYamlArray }} -- {{ toYaml $webhook | indent 2 | trim }} - {{- with $.Values.operator.watchNamespaceSelector }} - namespaceSelector: - {{- toYaml . | nindent 4 }} - {{- end }} - {{- with $.Values.operator.watchNamespaces }} - namespaceSelector: - matchExpressions: - - key: kubernetes.io/metadata.name - operator: In - values: - {{- toYaml . | nindent 10 }} - {{- end }} -{{- end }} \ No newline at end of file diff --git a/charts/airlock/microgateway/4.3.4/templates/operator/podmonitor.yaml b/charts/airlock/microgateway/4.3.4/templates/operator/podmonitor.yaml deleted file mode 100644 index 1fe34fcb3..000000000 --- a/charts/airlock/microgateway/4.3.4/templates/operator/podmonitor.yaml +++ /dev/null @@ -1,27 +0,0 @@ -{{- if .Values.engine.sidecar.podMonitor.create }} -apiVersion: monitoring.coreos.com/v1 -kind: PodMonitor -metadata: - name: {{ include "airlock-microgateway.fullname" . }}-engine - namespace: {{ .Release.Namespace }} - labels: - {{- include "airlock-microgateway.operator.labels" . | nindent 4 }} - {{- with .Values.engine.sidecar.podMonitor.labels }} - {{- toYaml . | nindent 4 }} - {{- end }} - {{- with .Values.commonAnnotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -spec: - namespaceSelector: - any: true - selector: - matchLabels: - sidecar.microgateway.airlock.com/inject: "true" - microgateway.airlock.com/managedBy: {{ .Release.Namespace }} - podMetricsEndpoints: - - targetPort: 19002 - path: /metrics - scheme: http -{{- end -}} \ No newline at end of file diff --git a/charts/airlock/microgateway/4.3.4/templates/operator/role.yaml b/charts/airlock/microgateway/4.3.4/templates/operator/role.yaml deleted file mode 100644 index 5378be8ef..000000000 --- a/charts/airlock/microgateway/4.3.4/templates/operator/role.yaml +++ /dev/null @@ -1,45 +0,0 @@ -{{- if .Values.operator.rbac.create -}} -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: {{ include "airlock-microgateway.operator.fullname" . }}-leader-election - namespace: {{ .Release.Namespace }} - labels: - {{- include "airlock-microgateway.operator.labels" . | nindent 4 }} - {{- with .Values.commonAnnotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -rules: - - apiGroups: - - "" - resources: - - configmaps - verbs: - - get - - list - - watch - - create - - update - - patch - - delete - - apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - get - - list - - watch - - create - - update - - patch - - delete - - apiGroups: - - "" - resources: - - events - verbs: - - create - - patch -{{- end -}} \ No newline at end of file diff --git a/charts/airlock/microgateway/4.3.4/templates/operator/rolebinding.yaml b/charts/airlock/microgateway/4.3.4/templates/operator/rolebinding.yaml deleted file mode 100644 index bafec1015..000000000 --- a/charts/airlock/microgateway/4.3.4/templates/operator/rolebinding.yaml +++ /dev/null @@ -1,20 +0,0 @@ -{{- if .Values.operator.rbac.create -}} -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: {{ include "airlock-microgateway.operator.fullname" . }}-leader-election - namespace: {{ .Release.Namespace }} - labels: - {{- include "airlock-microgateway.operator.labels" . | nindent 4 }} - {{- with .Values.commonAnnotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: {{ include "airlock-microgateway.operator.fullname" . }}-leader-election -subjects: - - kind: ServiceAccount - name: {{ include "airlock-microgateway.operator.serviceAccountName" . }} -{{- end -}} diff --git a/charts/airlock/microgateway/4.3.4/templates/operator/selfsigned-issuer.yaml b/charts/airlock/microgateway/4.3.4/templates/operator/selfsigned-issuer.yaml deleted file mode 100644 index 466c56338..000000000 --- a/charts/airlock/microgateway/4.3.4/templates/operator/selfsigned-issuer.yaml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: cert-manager.io/v1 -kind: Issuer -metadata: - name: {{ include "airlock-microgateway.operator.fullname" . }}-selfsigned-issuer - namespace: {{ .Release.Namespace }} - labels: - {{- include "airlock-microgateway.operator.labels" . | nindent 4 }} - {{- with .Values.commonAnnotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -spec: - selfSigned: {} diff --git a/charts/airlock/microgateway/4.3.4/templates/operator/serviceaccount.yaml b/charts/airlock/microgateway/4.3.4/templates/operator/serviceaccount.yaml deleted file mode 100644 index 434d7e9d3..000000000 --- a/charts/airlock/microgateway/4.3.4/templates/operator/serviceaccount.yaml +++ /dev/null @@ -1,13 +0,0 @@ -{{- if .Values.operator.serviceAccount.create -}} -apiVersion: v1 -kind: ServiceAccount -metadata: - name: {{ include "airlock-microgateway.operator.serviceAccountName" . }} - namespace: {{ .Release.Namespace }} - labels: - {{- include "airlock-microgateway.operator.labels" . | nindent 4 }} - {{- with mustMerge .Values.operator.serviceAccount.annotations .Values.commonAnnotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -{{- end -}} diff --git a/charts/airlock/microgateway/4.3.4/templates/operator/servicemonitor.yaml b/charts/airlock/microgateway/4.3.4/templates/operator/servicemonitor.yaml deleted file mode 100644 index ff85a9a31..000000000 --- a/charts/airlock/microgateway/4.3.4/templates/operator/servicemonitor.yaml +++ /dev/null @@ -1,60 +0,0 @@ -{{- if .Values.operator.serviceMonitor.create }} -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: {{ include "airlock-microgateway.operator.fullname" . }} - namespace: {{ .Release.Namespace }} - labels: - {{- include "airlock-microgateway.operator.labels" . | nindent 4 }} - {{- with .Values.operator.serviceMonitor.labels }} - {{- toYaml . | nindent 4 }} - {{- end }} - {{- with .Values.commonAnnotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -spec: - selector: - matchLabels: - {{- include "airlock-microgateway.operator.selectorLabels" . | nindent 6 }} - matchExpressions: - - { key: "operator.microgateway.airlock.com/isLeader", operator: DoesNotExist } - endpoints: - - path: /metrics - port: metrics - scheme: http - metricRelabelings: - - sourceLabels: - - __name__ - regex: {{ include "airlock-microgateway.operator.metricsLeaderOnlyRegexPattern" . }} - action: drop ---- -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: {{ include "airlock-microgateway.operator.fullname" . }}-leader - namespace: {{ .Release.Namespace }} - labels: - {{- include "airlock-microgateway.operator.labels" . | nindent 4 }} - {{- with .Values.operator.serviceMonitor.labels }} - {{- toYaml . | nindent 4 }} - {{- end }} - {{- with .Values.commonAnnotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -spec: - selector: - matchLabels: - {{- include "airlock-microgateway.operator.selectorLabels" . | nindent 6 }} - operator.microgateway.airlock.com/isLeader: "true" - endpoints: - - path: /metrics - port: metrics - scheme: http - metricRelabelings: - - sourceLabels: - - __name__ - regex: {{ include "airlock-microgateway.operator.metricsLeaderOnlyRegexPattern" . }} - action: keep -{{- end -}} \ No newline at end of file diff --git a/charts/airlock/microgateway/4.3.4/templates/operator/serving-certificate.yaml b/charts/airlock/microgateway/4.3.4/templates/operator/serving-certificate.yaml deleted file mode 100644 index 60b92e1e2..000000000 --- a/charts/airlock/microgateway/4.3.4/templates/operator/serving-certificate.yaml +++ /dev/null @@ -1,19 +0,0 @@ -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: {{ include "airlock-microgateway.operator.fullname" . }}-serving-cert - namespace: {{ .Release.Namespace }} - labels: - {{- include "airlock-microgateway.operator.labels" . | nindent 4 }} - {{- with .Values.commonAnnotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -spec: - dnsNames: - - airlock-microgateway-operator-webhook.{{ .Release.Namespace }}.svc - - airlock-microgateway-operator-webhook.{{ .Release.Namespace }}.svc.cluster.local - issuerRef: - kind: Issuer - name: {{ include "airlock-microgateway.operator.fullname" . }}-selfsigned-issuer - secretName: {{ include "airlock-microgateway.operator.fullname" . }}-webhook-server-cert diff --git a/charts/airlock/microgateway/4.3.4/templates/operator/validating-webhook.yaml b/charts/airlock/microgateway/4.3.4/templates/operator/validating-webhook.yaml deleted file mode 100644 index 5d6b4396b..000000000 --- a/charts/airlock/microgateway/4.3.4/templates/operator/validating-webhook.yaml +++ /dev/null @@ -1,28 +0,0 @@ -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - name: {{ include "airlock-microgateway.operator.fullname" . }}-webhook-{{ .Release.Namespace }} - namespace: {{ .Release.Namespace }} - labels: - {{- include "airlock-microgateway.operator.labels" . | nindent 4 }} - annotations: - cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "airlock-microgateway.operator.fullname" . }}-serving-cert - {{- with .Values.commonAnnotations }} - {{- toYaml . | nindent 4 }} - {{- end }} -webhooks: -{{- range $webhook := (include "airlock-microgateway-operator.validatingWebhooks" .) | fromYamlArray }} -- {{ toYaml $webhook | indent 2 | trim }} - {{- with $.Values.operator.watchNamespaceSelector }} - namespaceSelector: - {{- toYaml . | nindent 4 }} - {{- end }} - {{- with $.Values.operator.watchNamespaces }} - namespaceSelector: - matchExpressions: - - key: kubernetes.io/metadata.name - operator: In - values: - {{- toYaml . | nindent 10 }} - {{- end }} -{{- end }} \ No newline at end of file diff --git a/charts/airlock/microgateway/4.3.4/templates/operator/webhook-service.yaml b/charts/airlock/microgateway/4.3.4/templates/operator/webhook-service.yaml deleted file mode 100644 index 477ea839f..000000000 --- a/charts/airlock/microgateway/4.3.4/templates/operator/webhook-service.yaml +++ /dev/null @@ -1,23 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: airlock-microgateway-operator-webhook - namespace: {{ .Release.Namespace }} - labels: - {{- include "airlock-microgateway.operator.labels" . | nindent 4 }} - {{- with .Values.operator.serviceLabels }} - {{- toYaml . | nindent 4 }} - {{- end }} - {{- with mustMerge .Values.operator.serviceAnnotations .Values.commonAnnotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -spec: - ports: - - appProtocol: https - name: webhook - port: 443 - protocol: TCP - targetPort: 9443 - selector: - {{- include "airlock-microgateway.operator.selectorLabels" . | nindent 4 }} \ No newline at end of file diff --git a/charts/airlock/microgateway/4.3.4/templates/operator/xds-service.yaml b/charts/airlock/microgateway/4.3.4/templates/operator/xds-service.yaml deleted file mode 100644 index 81b41acf5..000000000 --- a/charts/airlock/microgateway/4.3.4/templates/operator/xds-service.yaml +++ /dev/null @@ -1,24 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: airlock-microgateway-operator-xds - namespace: {{ .Release.Namespace }} - labels: - {{- include "airlock-microgateway.operator.labels" . | nindent 4 }} - {{- with .Values.operator.serviceLabels }} - {{- toYaml . | nindent 4 }} - {{- end }} - {{- with mustMerge .Values.operator.serviceAnnotations .Values.commonAnnotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -spec: - ports: - - appProtocol: grpc - name: xds - port: 13377 - protocol: TCP - targetPort: 13377 - selector: - {{- include "airlock-microgateway.operator.selectorLabels" . | nindent 4 }} - operator.microgateway.airlock.com/isLeader: "true" diff --git a/charts/airlock/microgateway/4.3.4/templates/scc-role.yaml b/charts/airlock/microgateway/4.3.4/templates/scc-role.yaml new file mode 100644 index 000000000..862748692 --- /dev/null +++ b/charts/airlock/microgateway/4.3.4/templates/scc-role.yaml @@ -0,0 +1,22 @@ +{{- if .Values.rbac.createSCCRole -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "airlock-microgateway-cni.fullname" . }}-privileged + namespace: {{ .Release.Namespace }} + labels: + {{- include "airlock-microgateway-cni.labels" . | nindent 4 }} + {{- with .Values.commonAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +rules: +- apiGroups: + - security.openshift.io + resourceNames: + - privileged + resources: + - securitycontextconstraints + verbs: + - use +{{- end -}} \ No newline at end of file diff --git a/charts/airlock/microgateway/4.3.4/templates/scc-rolebinding.yaml b/charts/airlock/microgateway/4.3.4/templates/scc-rolebinding.yaml new file mode 100644 index 000000000..ebd02982c --- /dev/null +++ b/charts/airlock/microgateway/4.3.4/templates/scc-rolebinding.yaml @@ -0,0 +1,20 @@ +{{- if .Values.rbac.createSCCRole -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ include "airlock-microgateway-cni.fullname" . }}-privileged + namespace: {{ .Release.Namespace }} + labels: + {{- include "airlock-microgateway-cni.labels" . | nindent 4 }} + {{- with .Values.commonAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ include "airlock-microgateway-cni.fullname" . }}-privileged +subjects: +- kind: ServiceAccount + name: {{ include "airlock-microgateway-cni.serviceAccountName" . }} +{{- end -}} diff --git a/charts/airlock/microgateway/4.3.4/templates/serviceaccount.yaml b/charts/airlock/microgateway/4.3.4/templates/serviceaccount.yaml new file mode 100644 index 000000000..3dc8d58ea --- /dev/null +++ b/charts/airlock/microgateway/4.3.4/templates/serviceaccount.yaml @@ -0,0 +1,13 @@ +{{- if .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "airlock-microgateway-cni.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "airlock-microgateway-cni.labels" . | nindent 4 }} + {{- with mustMerge .Values.serviceAccount.annotations .Values.commonAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end -}} diff --git a/charts/airlock/microgateway/4.3.4/templates/tests/rbac.yaml b/charts/airlock/microgateway/4.3.4/templates/tests/rbac.yaml index 93bd4cd1b..744799333 100644 --- a/charts/airlock/microgateway/4.3.4/templates/tests/rbac.yaml +++ b/charts/airlock/microgateway/4.3.4/templates/tests/rbac.yaml @@ -2,142 +2,63 @@ apiVersion: v1 kind: ServiceAccount metadata: - labels: - app.kubernetes.io/component: tests - app.kubernetes.io/name: {{ include "airlock-microgateway.name" . }}-tests - {{- include "airlock-microgateway.sharedLabels" . | nindent 4 }} - name: "{{ include "airlock-microgateway.fullname" . }}-tests" + name: "{{ include "airlock-microgateway-cni.fullname" . }}-tests" namespace: {{ .Release.Namespace }} + labels: + {{- include "airlock-microgateway-cni.labelsWithoutComponent" . | nindent 4 }} + app.kubernetes.io/component: tests --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: - labels: - app.kubernetes.io/component: tests - app.kubernetes.io/name: {{ include "airlock-microgateway.name" . }}-tests - {{- include "airlock-microgateway.sharedLabels" . | nindent 4 }} - name: "{{ include "airlock-microgateway.fullname" . }}-tests" + name: "{{ include "airlock-microgateway-cni.fullname" . }}-tests" namespace: {{ .Release.Namespace }} + labels: + {{- include "airlock-microgateway-cni.labelsWithoutComponent" . | nindent 4 }} + app.kubernetes.io/component: tests roleRef: apiGroup: rbac.authorization.k8s.io kind: Role - name: "{{ include "airlock-microgateway.fullname" . }}-tests" + name: "{{ include "airlock-microgateway-cni.fullname" . }}-tests" subjects: - kind: ServiceAccount - name: "{{ include "airlock-microgateway.fullname" . }}-tests" + name: "{{ include "airlock-microgateway-cni.fullname" . }}-tests" --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: - labels: - app.kubernetes.io/component: tests - app.kubernetes.io/name: {{ include "airlock-microgateway.name" . }}-tests - {{- include "airlock-microgateway.sharedLabels" . | nindent 4 }} - name: "{{ include "airlock-microgateway.fullname" . }}-tests" + name: "{{ include "airlock-microgateway-cni.fullname" . }}-tests" namespace: {{ .Release.Namespace }} + labels: + {{- include "airlock-microgateway-cni.labelsWithoutComponent" . | nindent 4 }} + app.kubernetes.io/component: tests rules: - apiGroups: - - microgateway.airlock.com + - "apps" resources: - - sidecargateways + - daemonsets resourceNames: - - "{{ include "airlock-microgateway.fullname" . }}-test-sidecargateway" + - {{ include "airlock-microgateway-cni.fullname" . }} verbs: - - get - - list - - watch - - delete + - get + - watch + - list - apiGroups: - - microgateway.airlock.com + - "" resources: - - sidecargateways + - pods + - pods/log verbs: - - create + - get + - list +{{- if .Values.rbac.createSCCRole }} - apiGroups: - - "" - resources: - - events - verbs: - - list -- apiGroups: - - "apps" - resources: - - deployments + - security.openshift.io resourceNames: - - "{{ include "airlock-microgateway.operator.fullname" . }}" - verbs: - - get - - list - - watch -- apiGroups: - - "apps" + - privileged resources: - - statefulsets - - statefulsets/scale - resourceNames: - - "{{ include "airlock-microgateway.fullname" . }}-test-backend" + - securitycontextconstraints verbs: - - get - - list - - watch - - patch -- apiGroups: - - "" - resources: - - pods - - pods/log - - pods/status - - pods/attach - resourceNames: - - "{{ include "airlock-microgateway.fullname" . }}-test-backend-0" - - "{{ include "airlock-microgateway.fullname" . }}-test-valid-request" - - "{{ include "airlock-microgateway.fullname" . }}-test-injection-request" - verbs: - - get - - list - - create - - watch - - delete -- apiGroups: - - "" - resources: - - pods - verbs: - - create -{{- if .Values.operator.watchNamespaceSelector }} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - app.kubernetes.io/component: tests - app.kubernetes.io/name: {{ include "airlock-microgateway.name" . }}-tests - {{- include "airlock-microgateway.sharedLabels" . | nindent 4 }} - name: "{{ include "airlock-microgateway.fullname" . }}-tests-{{ .Release.Namespace }}" -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: "{{ include "airlock-microgateway.fullname" . }}-tests-{{ .Release.Namespace }}" -subjects: - - kind: ServiceAccount - name: "{{ include "airlock-microgateway.fullname" . }}-tests" - namespace: {{ .Release.Namespace }} ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app.kubernetes.io/component: tests - app.kubernetes.io/name: {{ include "airlock-microgateway.name" . }}-tests - {{- include "airlock-microgateway.sharedLabels" . | nindent 4 }} - name: "{{ include "airlock-microgateway.fullname" . }}-tests-{{ .Release.Namespace }}" -rules: -- apiGroups: - - "" - resources: - - namespaces - verbs: - - get - - list -{{- end }} + - use +{{- end -}} {{- end -}} diff --git a/charts/airlock/microgateway/4.3.4/templates/tests/service.yaml b/charts/airlock/microgateway/4.3.4/templates/tests/service.yaml deleted file mode 100644 index 30ddc278d..000000000 --- a/charts/airlock/microgateway/4.3.4/templates/tests/service.yaml +++ /dev/null @@ -1,23 +0,0 @@ -{{- if .Values.tests.enabled -}} -apiVersion: v1 -kind: Service -metadata: - name: "{{ include "airlock-microgateway.fullname" . }}-test-service" - namespace: {{ .Release.Namespace }} - labels: - app: test-service - app.kubernetes.io/component: test-install - app.kubernetes.io/name: {{ include "airlock-microgateway.name" . }}-tests - {{- include "airlock-microgateway.sharedLabels" . | nindent 4 }} - {{- include "airlock-microgateway.sharedSelectorLabels" . | nindent 4 }} -spec: - selector: - app.kubernetes.io/component: test-install - app.kubernetes.io/name: {{ include "airlock-microgateway.name" . }}-tests - app: "{{ include "airlock-microgateway.fullname" . }}-test-backend" - {{- include "airlock-microgateway.sharedSelectorLabels" . | nindent 4 }} - ports: - - name: http - port: 8080 - targetPort: 8080 -{{- end -}} \ No newline at end of file diff --git a/charts/airlock/microgateway/4.3.4/templates/tests/statefulset.yaml b/charts/airlock/microgateway/4.3.4/templates/tests/statefulset.yaml deleted file mode 100644 index 710a7b9f6..000000000 --- a/charts/airlock/microgateway/4.3.4/templates/tests/statefulset.yaml +++ /dev/null @@ -1,56 +0,0 @@ -{{- if .Values.tests.enabled -}} -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: "{{ include "airlock-microgateway.fullname" . }}-test-backend" - namespace: {{ .Release.Namespace }} - labels: - app.kubernetes.io/component: test-install - app.kubernetes.io/name: {{ include "airlock-microgateway.name" . }}-tests - app: "{{ include "airlock-microgateway.fullname" . }}-test-backend" - {{- include "airlock-microgateway.sharedLabels" . | nindent 4 }} - {{- include "airlock-microgateway.sharedSelectorLabels" . | nindent 4 }} -spec: - serviceName: nginx - replicas: 0 - selector: - matchLabels: - app.kubernetes.io/component: test-install - app.kubernetes.io/name: {{ include "airlock-microgateway.name" . }}-tests - app: "{{ include "airlock-microgateway.fullname" . }}-test-backend" - {{- include "airlock-microgateway.sharedSelectorLabels" . | nindent 6 }} - template: - metadata: - annotations: - k8s.v1.cni.cncf.io/networks: default/airlock-microgateway-cni - labels: - sidecar.microgateway.airlock.com/inject: "true" - sidecar.istio.io/inject: "false" - app.kubernetes.io/component: test-install - app.kubernetes.io/name: {{ include "airlock-microgateway.name" . }}-tests - app: "{{ include "airlock-microgateway.fullname" . }}-test-backend" - {{- include "airlock-microgateway.sharedLabels" . | nindent 8 }} - {{- include "airlock-microgateway.sharedSelectorLabels" . | nindent 8 }} - spec: - containers: - - image: cgr.dev/chainguard/nginx - name: nginx - ports: - - containerPort: 8080 - volumeMounts: - - mountPath: /var/lib/nginx/tmp/ - name: nginx-tmp - - mountPath: /var/run - name: nginx-run - securityContext: - {{- include "airlock-microgateway.restrictedSecurityContext" . | nindent 12 }} - {{- with .Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} - {{- end }} - volumes: - - emptyDir: {} - name: nginx-tmp - - emptyDir: {} - name: nginx-run -{{- end -}} \ No newline at end of file diff --git a/charts/airlock/microgateway/4.3.4/templates/tests/test-install.yaml b/charts/airlock/microgateway/4.3.4/templates/tests/test-install.yaml index ab82abea7..12d8c8de7 100644 --- a/charts/airlock/microgateway/4.3.4/templates/tests/test-install.yaml +++ b/charts/airlock/microgateway/4.3.4/templates/tests/test-install.yaml @@ -2,14 +2,11 @@ apiVersion: v1 kind: Pod metadata: - name: "{{ include "airlock-microgateway.fullname" . }}-test-install" + name: "{{ include "airlock-microgateway-cni.fullname" . }}-test-install" namespace: {{ .Release.Namespace }} labels: + {{- include "airlock-microgateway-cni.labelsWithoutComponent" . | nindent 4 }} app.kubernetes.io/component: test-install - app.kubernetes.io/name: {{ include "airlock-microgateway.name" . }}-tests - sidecar.istio.io/inject: "false" - {{- include "airlock-microgateway.sharedLabels" . | nindent 4 }} - {{- include "airlock-microgateway.sharedSelectorLabels" . | nindent 4 }} annotations: helm.sh/hook: test helm.sh/hook-delete-policy: before-hook-creation @@ -19,209 +16,88 @@ spec: - name: test image: "bitnami/kubectl:{{ .Capabilities.KubeVersion.Major }}.{{ .Capabilities.KubeVersion.Minor }}" securityContext: - {{- include "airlock-microgateway.restrictedSecurityContext" . | nindent 6 }} + allowPrivilegeEscalation: {{ .Values.privileged }} + capabilities: + drop: + - ALL + privileged: {{ .Values.privileged }} + readOnlyRootFilesystem: true + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /host/opt/cni/bin + name: cni-bin-dir + readOnly: true + - mountPath: /host/etc/cni/net.d + name: cni-net-dir + readOnly: true command: - sh - -c - | set -eu - clean_up() { - echo "" - echo "### Clean up test resources" - kubectl delete --ignore-not-found=true -n {{ .Release.Namespace }} sidecargateways.microgateway.airlock.com {{ include "airlock-microgateway.fullname" . }}-test-sidecargateway || true - echo "" - echo "### Scale down '{{ include "airlock-microgateway.fullname" . }}-test-backend'" - kubectl scale -n {{ .Release.Namespace }} statefulset/{{ include "airlock-microgateway.fullname" . }}-test-backend --replicas=0 --timeout=60s - sleep 3s - echo "" - } - fail() { + echo "Error: ${1}" echo "" - echo "### Error: ${1}" - echo "" - - if kubectl get -n {{ .Release.Namespace }} sidecargateway.microgateway.airlock.com/{{ include "airlock-microgateway.fullname" . }}-test-sidecargateway >/dev/null 2>&1; then - echo "" - echo 'Microgateway Sidecargateway status:' - kubectl get -n {{ .Release.Namespace }} sidecargateway.microgateway.airlock.com/{{ include "airlock-microgateway.fullname" . }}-test-sidecargateway -o jsonpath-as-json='{.status}' || true - echo "" - echo "" - fi - - if kubectl get -n {{ .Release.Namespace }} pods/{{ include "airlock-microgateway.fullname" . }}-test-backend-0 >/dev/null 2>&1; then - echo "Pod '{{ include "airlock-microgateway.fullname" . }}-test-backend-0':" - kubectl describe -n {{ .Release.Namespace }} pods/{{ include "airlock-microgateway.fullname" . }}-test-backend-0 || true - echo "" - echo "" - echo 'Logs of Nginx container:' - kubectl logs -n {{ .Release.Namespace }} pods/{{ include "airlock-microgateway.fullname" . }}-test-backend-0 -c nginx --tail 5 || true - echo "" - echo "" - # Wait for engine logs - sleep 10s - echo 'Logs of Microgateway Engine container:' - kubectl logs -n {{ .Release.Namespace }} pods/{{ include "airlock-microgateway.fullname" . }}-test-backend-0 -c airlock-microgateway-engine --tail 5 || true - fi - + echo 'CNI installer logs:' + kubectl logs -n {{ .Release.Namespace }} daemonsets/{{ include "airlock-microgateway-cni.fullname" .}} -c cni-installer exit 1 } - create_sidecargateway() { - # create SidecarGateway resource for testing purposes - kubectl delete --ignore-not-found=true -n {{ .Release.Namespace }} sidecargateways.microgateway.airlock.com {{ include "airlock-microgateway.fullname" . }}-test-sidecargateway || true - kubectl apply -f - </dev/null 2>&1; do sleep 1s; i=$((i+1)); done - kubectl logs -f -n {{ .Release.Namespace }} {{ include "airlock-microgateway.fullname" . }}-test-valid-request - kubectl delete pod --ignore-not-found=true -n {{ .Release.Namespace }} {{ include "airlock-microgateway.fullname" . }}-test-valid-request - } - - {{- if .Values.operator.watchNamespaceSelector }} - echo "### Verify that Namespace Selector matches Namespace '{{ .Release.Namespace }}'" - if ! kubectl get namespace -l '{{ include "airlock-microgateway.watchNamespaceSelector.labelQuery" .Values.operator.watchNamespaceSelector }}' | grep -q {{ .Release.Namespace }}; then - labels=$(kubectl get namespace {{ .Release.Namespace }} -o jsonpath={.metadata.labels} | jq | awk '{print " " $0}') - fail {{printf `"Operator namespace '%s' is not part of the operator's watch scope. To execute 'helm test', the selector configured in the helm value 'operator.watchNamespaceSelector' must match the namespace's labels:\n* Current selector:\n%s\n\n* Current labels:\n$labels\n###"` - .Release.Namespace - (replace "\"" "\\\"" (replace "\n" "\\n" (.Values.operator.watchNamespaceSelector | toPrettyJson | indent 2))) - }} + if ! kubectl rollout status --timeout=60s -n {{ .Release.Namespace }} daemonsets/{{ include "airlock-microgateway-cni.fullname" .}}; then + fail 'CNI DaemonSet rollout did not complete within timeout' fi - echo "" - {{- end }} - trap clean_up EXIT - echo "" - - echo "### Waiting for Microgateway Operator Deployments to be ready" - if ! kubectl rollout status -n {{ .Release.Namespace }} --timeout=90s \ - deployments/{{ include "airlock-microgateway.operator.fullname" . }}; then - fail 'Timout occurred' + echo "Checking whether CNI binary was installed" + if ! [ -f "/host/opt/cni/bin/{{ include "airlock-microgateway-cni.fullname" . }}" ]; then + fail 'CNI binary was not installed' fi - echo "" - echo "### Scale '{{ include "airlock-microgateway.fullname" . }}-test-backend' to '1' replica" - # scale to zero replicas to ensure no pods are present from previous runs - kubectl scale -n {{ .Release.Namespace }} statefulset/{{ include "airlock-microgateway.fullname" . }}-test-backend --replicas=0 --timeout=10s - kubectl scale -n {{ .Release.Namespace }} statefulset/{{ include "airlock-microgateway.fullname" . }}-test-backend --replicas=1 --timeout=10s - echo "" - - echo "### Waiting for backend pod" - i=0 - while true; do - if kubectl get -n {{ .Release.Namespace }} pods/{{ include "airlock-microgateway.fullname" . }}-test-backend-0; then - break - elif [ $i -gt 3 ]; then - fail 'Pod not ready' - fi - sleep 2s - i=$((i+1)) - done - - echo "### Checking Microgateway Engine sidecar container was injected" - if ! kubectl get -n {{ .Release.Namespace }} pods/{{ include "airlock-microgateway.fullname" . }}-test-backend-0 -o jsonpath='{.spec.containers[?(@.name=="airlock-microgateway-engine")]}' | grep -q "airlock-microgateway-engine"; then - fail 'Microgateway Engine sidecar container not injected' + echo "Checking whether CNI kubeconfig was installed" + if ! [ -f "/host/etc/cni/net.d/{{ include "airlock-microgateway-cni.fullname" . }}-kubeconfig" ]; then + fail 'CNI kubeconfig was not created' fi - echo "True" - echo "" - echo "### Checking for valid license" - i=0 - while true; do - if [ "$(kubectl get -n {{ .Release.Namespace }} pods/{{ include "airlock-microgateway.fullname" . }}-test-backend-0 -o jsonpath='{.metadata.labels.sidecar\.microgateway\.airlock\.com/licensed}')" = 'true' ]; then - break - elif [ $i -gt 30 ]; then - fail 'Microgateway license is missing or invalid' - fi - sleep 2s - i=$((i+1)) - done - echo "True" - echo "" + echo "Checking whether CNI configuration was written" + case {{ .Values.config.installMode }} in + "chained") + for file in "/host/etc/cni/net.d/"*.conflist; do + if containsMGWCNIConf "${file}"; then + echo "Success" + exit 0 + fi + done + ;; + "standalone") + if containsMGWCNIConf "/host/etc/cni/net.d/{{ include "airlock-microgateway-cni.fullname" . }}.conflist"; then + echo "Success" + exit 0 + fi + ;; + "manual") + echo "- Skipping because we are in 'manual' install mode" + echo "Success" + exit 0 + ;; + esac - echo "### Create SidecarGateway resource for testing" - if ! create_sidecargateway ; then - fail 'Creation of SidecarGateway resource failed' - fi - echo "" - - echo "### Waiting for '{{ include "airlock-microgateway.fullname" . }}-test-backend' to be ready" - if ! kubectl rollout status -n {{ .Release.Namespace }} statefulset/{{ include "airlock-microgateway.fullname" . }}-test-backend --timeout=90s; then - fail 'Timout occurred' - fi - echo "" - - echo "### Waiting for 'engine-config-valid' condition" - if ! kubectl wait -n {{ .Release.Namespace }} pods --field-selector=metadata.name={{ include "airlock-microgateway.fullname" . }}-test-backend-0 --timeout=90s --for=condition=microgateway.airlock.com/engine-config-valid=True; then - fail 'Configuration was never accepted by the Microgateway Engine' - fi - sleep 5s - echo "" - echo "" - - echo "### Checking whether a valid request is successful and returns HTTP status code '200'" - out=$(curl -vsS --retry 3 --retry-connrefused --connect-timeout 10 "http://{{ include "airlock-microgateway.fullname" . }}-test-service:8080/" || true) - echo "Response:" - echo "${out}" - if ! echo "${out}" | grep -q "200 OK"; then - fail 'A valid request was not successful' - fi - echo "" - echo "" - - echo "### Checking whether a request with an injection attack is blocked and returns HTTP status code '400'" - out=$(curl -vsS --retry 3 --retry-connrefused --connect-timeout 10 "http://{{ include "airlock-microgateway.fullname" . }}-test-service:8080/?token='%20UnION%20all%20select%20A" || true) - echo "Response:" - echo "${out}" - if ! echo "${out}" | grep -q "400 Bad Request"; then - fail 'A malicious request was not blocked' - fi - echo "" - echo "" - - echo "### Installation of '{{ include "airlock-microgateway.fullname" . }}' succeeded" - exit 0 - serviceAccountName: "{{ include "airlock-microgateway.fullname" . }}-tests" + fail 'Configuration for plugin "{{ include "airlock-microgateway-cni.fullname" . }}" was not found' + serviceAccountName: "{{ include "airlock-microgateway-cni.fullname" . }}-tests" + volumes: + - hostPath: + path: "{{ .Values.config.cniBinDir }}" + type: Directory + name: cni-bin-dir + - hostPath: + path: "{{ .Values.config.cniNetDir }}" + type: Directory + name: cni-net-dir {{- end -}} diff --git a/charts/airlock/microgateway/4.3.4/values.schema.json b/charts/airlock/microgateway/4.3.4/values.schema.json index 173d6b084..e087bd700 100644 --- a/charts/airlock/microgateway/4.3.4/values.schema.json +++ b/charts/airlock/microgateway/4.3.4/values.schema.json @@ -14,15 +14,6 @@ "commonAnnotations": { "$ref": "#/definitions/StringMap" }, - "crds": { - "type": "object", - "properties": { - "skipVersionCheck": { - "type": "boolean" - } - }, - "additionalProperties": false - }, "imagePullSecrets": { "type": "array", "items": { @@ -39,304 +30,120 @@ "additionalProperties": true } }, - "operator": { + "image": { + "$ref": "#/definitions/Image" + }, + "podAnnotations": { + "$ref": "#/definitions/StringMap" + }, + "podLabels": { + "$ref": "#/definitions/StringMap" + }, + "resources": { + "type": "object" + }, + "nodeSelector": { + "$ref": "#/definitions/StringMap" + }, + "affinity": { + "type": "object" + }, + "rbac": { "type": "object", "properties": { - "replicaCount": { - "type": "integer", - "minimum": 0 - }, - "updateStrategy": { - "$ref": "#/definitions/UpdateStrategy" - }, - "image": { - "$ref": "#/definitions/Image" - }, - "podAnnotations": { - "$ref": "#/definitions/StringMap" - }, - "podLabels": { - "$ref": "#/definitions/StringMap" - }, - "serviceAnnotations": { - "$ref": "#/definitions/StringMap" - }, - "serviceLabels": { - "$ref": "#/definitions/StringMap" - }, - "resources": { - "type": "object" - }, - "nodeSelector": { - "$ref": "#/definitions/StringMap" - }, - "tolerations": { - "type": "array", - "items": { - "type": "object" - } - }, - "affinity": { - "type": "object" - }, - "config": { - "type": "object", - "properties": { - "logLevel": { - "type": "string", - "enum": [ - "debug", - "info", - "warn", - "error" - ] - } - }, - "required": [ - "logLevel" - ], - "additionalProperties": false - }, - "serviceAccount": { - "type": "object", - "properties": { - "create": { - "type": "boolean" - }, - "annotations": { - "$ref": "#/definitions/StringMap" - }, - "name": { - "type": "string" - } - }, - "required": [ - "annotations", - "create", - "name" - ], - "additionalProperties": false - }, - "watchNamespaces": { - "type": "array", - "items": { - "type": "string" - } - }, - "watchNamespaceSelector": { - "$ref": "#/definitions/LabelSelector" - }, - "rbac": { - "type": "object", - "properties": { - "create": { - "type": "boolean" - } - }, - "required": [ - "create" - ], - "additionalProperties": false - }, - "serviceMonitor": { - "type": "object", - "properties": { - "create": { - "type": "boolean" - }, - "labels": { - "$ref": "#/definitions/StringMap" - } - }, - "required": [ - "create" - ], - "additionalProperties": false - } - }, - "oneOf": [ - { - "properties": { - "watchNamespaces": { - "minItems": 1 - }, - "watchNamespaceSelector": { - "additionalProperties": false - } - } - }, - { - "properties": { - "watchNamespaces": { - "maxItems": 0 - }, - "watchNamespaceSelector": { - "$ref": "#/definitions/LabelSelector" - } - } - } - ], - "required": [ - "affinity", - "config", - "image", - "updateStrategy", - "nodeSelector", - "podAnnotations", - "podLabels", - "rbac", - "replicaCount", - "resources", - "serviceAccount", - "serviceAnnotations", - "serviceLabels", - "serviceMonitor", - "tolerations" - ], - "additionalProperties": false - }, - "engine": { - "type": "object", - "properties": { - "image": { - "$ref": "#/definitions/Image" - }, - "resources": { - "type": "object" - }, - "sidecar": { - "type": "object", - "properties":{ - "podMonitor": { - "type": "object", - "properties": { - "create": { - "type": "boolean" - }, - "labels": { - "$ref": "#/definitions/StringMap" - } - }, - "required": [ - "create" - ], - "additionalProperties": false - } - }, - "required": [ - "podMonitor" - ], - "additionalProperties": false - } - }, - "required": [ - "image", - "resources", - "sidecar" - ], - "additionalProperties": false - }, - "networkValidator": { - "type": "object", - "properties": { - "image": { - "$ref": "#/definitions/Image" - } - }, - "required": [ - "image" - ], - "additionalProperties": false - }, - "sessionAgent": { - "type": "object", - "properties": { - "image": { - "$ref": "#/definitions/Image" - }, - "resources": { - "type": "object" - } - }, - "required": [ - "image", - "resources" - ], - "additionalProperties": false - }, - "license": { - "type": "object", - "properties": { - "secretName": { - "type": "string", - "minLength": 1 - } - }, - "required": [ - "secretName" - ], - "additionalProperties": false - }, - "dashboards": { - "type": "object", - "properties" : { "create": { "type": "boolean" }, - "config": { - "type": "object", - "properties": { - "grafana": { - "type": "object", - "properties": { - "folderAnnotation": { - "$ref": "#/definitions/NameValuePair" - }, - "dashboardLabel": { - "$ref": "#/definitions/NameValuePair" - } - }, - "required": [ - "folderAnnotation", - "dashboardLabel" - ], - "additionalProperties": false - } - }, - "required": [ - "grafana" - ], - "additionalProperties": false - }, - "instances": { - "type": "object", - "properties": { - "overview": { - "$ref": "#/definitions/DashboardInstance" - }, - "license" : { - "$ref": "#/definitions/DashboardInstance" - }, - "blockMetrics" : { - "$ref": "#/definitions/DashboardInstance" - }, - "blockLogs" : { - "$ref": "#/definitions/DashboardInstance" - } - }, - "required": [ - "overview", - "license", - "blockMetrics", - "blockLogs" - ], - "additionalProperties": false + "createSCCRole": { + "type": "boolean" } }, "required": [ "create", - "config", - "instances" + "createSCCRole" + ], + "additionalProperties": false + }, + "privileged": { + "type": "boolean" + }, + "serviceAccount": { + "type": "object", + "properties": { + "create": { + "type": "boolean" + }, + "annotations": { + "$ref": "#/definitions/StringMap" + }, + "name": { + "type": "string" + } + }, + "required": [ + "annotations", + "create", + "name" + ], + "additionalProperties": false + }, + "multusNetworkAttachmentDefinition": { + "type": "object", + "properties": { + "create": { + "type": "boolean" + }, + "namespace": { + "type": "string" + } + }, + "required": [ + "create", + "namespace" + ], + "additionalProperties": false + }, + "config": { + "type": "object", + "properties": { + "installMode": { + "type": "string", + "enum": [ + "chained", + "standalone", + "manual" + ] + }, + "logLevel": { + "type": "string", + "enum": [ + "debug", + "info", + "warn", + "error" + ] + }, + "cniNetDir": { + "type": "string", + "minLength": 1 + }, + "cniBinDir": { + "type": "string", + "minLength": 1 + }, + "excludeNamespaces": { + "type": "array", + "items": { + "type": "string" + } + } + }, + "required": [ + "cniBinDir", + "cniNetDir", + "excludeNamespaces", + "installMode", + "logLevel" ], "additionalProperties": false }, @@ -357,18 +164,22 @@ } }, "required": [ + "affinity", "commonAnnotations", "commonLabels", - "crds", - "engine", + "config", "fullnameOverride", + "image", "imagePullSecrets", - "license", + "multusNetworkAttachmentDefinition", "nameOverride", - "operator", - "networkValidator", - "sessionAgent", - "dashboards", + "nodeSelector", + "podAnnotations", + "podLabels", + "privileged", + "rbac", + "resources", + "serviceAccount", "tests" ], "additionalProperties": false, @@ -409,132 +220,6 @@ "tag" ], "additionalProperties": false - }, - "LabelSelector": { - "type": "object", - "properties": { - "matchExpressions": { - "type": "array", - "items": { - "type": "object", - "required": [ - "key", - "operator" - ], - "properties": { - "key": { - "type": "string" - }, - "operator": { - "type": "string" - }, - "values": { - "type": "array", - "items": { - "type": "string" - } - } - }, - "additionalProperties": false - } - }, - "matchLabels": { - "$ref": "#/definitions/StringMap" - } - }, - "additionalProperties": false - }, - "UpdateStrategy": { - "type": "object", - "oneOf" : [ - { - "properties": { - "type": { - "$ref": "#/definitions/RecreateType" - } - }, - "required": [ - "type" - ], - "additionalProperties": false - }, - { - "properties": { - "type": { - "$ref": "#/definitions/RollingUpdateType" - }, - "rollingUpdate": { - "$ref": "#/definitions/RollingUpdate" - } - }, - "required": [ - "type" - ], - "additionalProperties": false - } - ] - }, - "RecreateType": { - "type": "string", - "enum": [ - "Recreate" - ] - }, - "RollingUpdateType": { - "type": "string", - "enum": [ - "RollingUpdate" - ] - }, - "RollingUpdate": { - "type": "object", - "properties": { - "maxSurge": { - "type": ["integer", "string"], - "minimum": 0, - "pattern": "^\\d+%?$" - }, - "maxUnavailable": { - "type": ["integer", "string"], - "minimum": 0, - "pattern": "^\\d+%?$" - } - }, - "anyOf": [ - {"required": ["maxSurge"]}, - {"required": ["maxUnavailable"]} - ], - "additionalProperties": false - }, - "DashboardInstance" : { - "type" : "object", - "properties" : { - "create" : { - "type" : "boolean" - } - }, - "required" : [ - "create" - ], - "additionalProperties": false - }, - "NameValuePair" : { - "type" : "object", - "properties" : { - "name" : { - "type": "string", - "minLength": 1 - }, - "value" : { - "type" : "string", - "minLength": 1 - } - }, - "required" : [ - "name", - "value" - ], - "additionalProperties": false } } } diff --git a/charts/airlock/microgateway/4.3.4/values.yaml b/charts/airlock/microgateway/4.3.4/values.yaml index af720d5c6..63ef36033 100644 --- a/charts/airlock/microgateway/4.3.4/values.yaml +++ b/charts/airlock/microgateway/4.3.4/values.yaml @@ -1,4 +1,4 @@ -# -- Allows overriding the name to use instead of "microgateway". +# -- Allows overriding the name to use instead of "microgateway-cni". nameOverride: "" # -- Allows overriding the name to use as full name of resources. fullnameOverride: "" @@ -10,203 +10,75 @@ commonAnnotations: {} imagePullSecrets: [] # - name: myRegistryKeySecretName -crds: - # -- Whether to skip the sanity check which prevents installing/upgrading the helm chart in a cluster with outdated Airlock Microgateway CRDs. - # The check aims to prevent unexpected behavior and issues due to Helm v3 not automatically upgrading CRDs which are already present in the cluster - # when performing a "helm install/upgrade". - skipVersionCheck: false -operator: - # -- Number of replicas for the operator Deployment. - replicaCount: 2 - # -- Specifies the operator update strategy. - updateStrategy: - type: RollingUpdate - # Specifies the Airlock Microgateway Operator image. - image: - # -- Image repository from which to pull the Airlock Microgateway Operator image. - repository: "quay.io/airlock/microgateway-operator" - # -- Image tag to pull. - tag: "4.3.4" - # -- SHA256 image digest to pull (in the format "sha256:c79ee3f85862fb386e9dd62b901b607161d27807f512d7fbdece05e9ee3d7c63"). - # Overrides tag when specified. - digest: "sha256:6819c78d5570de66edce6c13964c6e1b4cc4746d0c0bc6f4975cd38e324828c0" - # -- Pull policy for this image. - pullPolicy: IfNotPresent - # -- Annotations to add to all Pods. - podAnnotations: {} - # -- Labels to add to all Pods. - podLabels: {} - # -- Annotations to add to the Service. - serviceAnnotations: {} - # prometheus.io/scrape: "true" - # prometheus.io/port: "8080" - - # -- Labels to add to the Service. - serviceLabels: {} - # -- Resource restrictions to apply to the operator container. - resources: {} - # We recommend at least the following resource specification. - # limits: - # cpu: 1000m - # memory: 512Mi - # requests: - # cpu: 100m - # memory: 512Mi - - # -- Custom nodeSelector to apply to the operator Deployment in order to constrain its Pods to certain nodes. - nodeSelector: {} - # -- Custom tolerations to apply to the operator Deployment in order to allow its Pods to run on tainted nodes. - tolerations: [] - # -- Custom affinity to apply to the operator Deployment. Used to influence the scheduling. - affinity: {} - # Parameters for the operator configuration. - config: - # -- Operator application log level. - logLevel: "info" - # Configures the generation of the ServiceAccount. - serviceAccount: - # -- Whether a ServiceAccount should be created. - create: true - # -- Annotations to add to the ServiceAccount. - annotations: {} - # -- Name of the ServiceAccount to use. - # If not set and create is true, a name is generated using the fullname template. - name: "" - # -- Allows to restrict the operator to specific namespaces, depending on your needs. - # For a `OwnNamespace` or `SingleNamespace` installation the list may only contain one namespace (e.g., `watchNamespaces: ["airlock-microgateway-system"]`). - # In case of the `OwnNamespace` installation mode the specified namespace should be equal to the installation namespace. - # For a static `MultiNamespace` installation, the complete list of namespaces must be provided in the `watchNamespaces`. - # An `AllNamespaces` installation or the usage of the `watchNamespaceSelector` requires the `watchNamespaces` to be empty. - # Regardless of the installation modes supported by `watchNamespaces`, RBAC is created only namespace-scoped (using Roles and RoleBindings) in the respective namespaces. - # Please note that this feature requires a Premium license. - watchNamespaces: [] - # -- Allows to dynamically select watch namespaces of the operator and the scope of the webhooks based on a Namespace label selector. - # It is able to detect and reconcile resources in all namespaces that match the label selector automatically, even for new namespaces, without restarting the operator. - # This facilitates a dynamic `MultiNamespace` installation mode, but still requires cluster-scoped permissions (i.e., ClusterRoles and ClusterRoleBindings). - # An `AllNamespaces` installation or the usage of the `watchNamespaces` requires the `watchNamespaceSelector` to be empty. - # Please note that this feature requires a Premium license. - watchNamespaceSelector: {} - # For further examples, see: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#resources-that-support-set-based-requirements. - # matchLabels: - # microgateway.airlock.com/enable: "true" - # matchExpressions: - # - { key: environment, operator: NotIn, values: [dev] } - - # Configures the generation of Role and RoleBinding as well as ClusterRoles and ClusterRoleBinding pairs for the ServiceAccount specified above. - rbac: - # -- Whether to create RBAC resources which are required for the Airlock Microgateway Operator to function. - create: true - # Configures the generation of a Prometheus Operator ServiceMonitor. - serviceMonitor: - # -- Whether to create a ServiceMonitor resource for monitoring. - create: false - # -- Labels to add to the ServiceMonitor. - labels: {} - # release: "" -engine: - # Specifies the Airlock Microgateway Engine image. - image: - # -- Image repository from which to pull the Airlock Microgateway Engine image. - repository: "quay.io/airlock/microgateway-engine" - # -- Image tag to pull. - tag: "4.3.4" - # -- SHA256 image digest to pull (in the format "sha256:a3051f42d3013813b05f7513bb86ed6a3209cb3003f1bb2f7b72df249aa544d3"). - # Overrides tag when specified. - digest: "sha256:91e05c509bed3b51ff4888d7475980d56cbc85db121aa766d1bde413204f9070" - # -- Pull policy for this image. - pullPolicy: IfNotPresent - # -- Resource restrictions to apply to the Airlock Microgateway Engine container. - resources: {} - # We recommend at least the following resource specification. - # limits: - # cpu: 500m - # memory: 128Mi - # requests: - # cpu: 10m - # memory: 40Mi - - # Additional configuration when deployed as a sidecar. - sidecar: - # Configures the generation of a Prometheus Operator PodMonitor. - podMonitor: - # -- Whether to create a PodMonitor resource for monitoring. - create: false - # -- Labels to add to the PodMonitor. - labels: {} - # release: "" -networkValidator: - # Specifies the Airlock Microgateway Network Validator image to be injected as an init-container. - image: - # -- Image repository from which to pull the netcat image for the Airlock Microgateway Network Validator init-container. - repository: "cgr.dev/chainguard/netcat" - # -- Image tag to pull. - tag: "" - # -- SHA256 image digest to pull (in the format "sha256:7a73d4b82a2d4165bbc5efa55de4fee9d43f2b1c1edb3505cdc8afd1361bad9b"). - # Overrides tag when specified. - digest: "sha256:7a73d4b82a2d4165bbc5efa55de4fee9d43f2b1c1edb3505cdc8afd1361bad9b" - # -- Pull policy for this image. - pullPolicy: IfNotPresent -sessionAgent: - # Specifies the Airlock Microgateway Session Agent image. - image: - # -- Image repository from which to pull the Airlock Microgateway Session Agent image. - repository: "quay.io/airlock/microgateway-session-agent" - # -- Image tag to pull. - tag: "4.3.4" - # -- SHA256 image digest to pull (in the format "sha256:a3051f42d3013813b05f7513bb86ed6a3209cb3003f1bb2f7b72df249aa544d3"). - # Overrides tag when specified. - digest: "sha256:df4e50d0929cb4c5e4486452979b59ec17f5e49a1516b685acd3a1ab0ddb3cf4" - # -- Pull policy for this image. - pullPolicy: IfNotPresent - # -- Resource restrictions to apply to the Airlock Microgateway Session Agent container. - resources: {} - # We recommend at least the following resource specification. - # limits: - # cpu: 150m - # memory: 32Mi - # requests: - # cpu: 10m - # memory: 8Mi -license: - # -- Name of the secret containing the "microgateway-license.txt" key. - secretName: "airlock-microgateway-license" -# Creates dashboards in the form of ConfigMaps that can be imported -# by Grafana using its sidecar setup. -dashboards: - # -- Whether to create any ConfigMaps containing Grafana dashboards to import. +# Specifies the Airlock Microgateway CNI image. +image: + # -- Image repository from which to pull the Airlock Microgateway CNI image. + repository: "quay.io/airlock/microgateway-cni" + # -- Image tag to pull. + tag: "4.3.4" + # -- SHA256 image digest to pull (in the format "sha256:7144f7bab3d4c2648d7e59409f15ec52a18006a128c733fcff20d3a4a54ba44a"). + # Overrides tag when specified. + digest: "sha256:1e01310b3ad8566e9b39ee539ed5c959049aadda1a18c1a534e96d8865e20172" + # -- Pull policy for this image. + pullPolicy: IfNotPresent +# -- Annotations to add to all Pods. +podAnnotations: {} +# -- Labels to add to all Pods. +podLabels: {} +# -- Resource restrictions to apply to the CNI installer container. +resources: + requests: + cpu: 10m + memory: 100Mi +# -- NodeSelector to apply to the CNI DaemonSet in order to only deploy the CNI plugin on specific nodes. +nodeSelector: + kubernetes.io/os: linux +# -- Custom affinity for the DaemonSet to only deploy the CNI plugin on specific nodes. +affinity: {} +# Configures the generation of RBAC Roles and RoleBindings. +rbac: + # -- Whether to create RBAC resources which are required for the CNI plugin to function. + create: true + # -- (OpenShift) Whether to create RBAC resources which allow the CNI installer to use the "privileged" security context constraint. + createSCCRole: false +# -- Whether the DaemonSet should run in privileged mode. Must be enabled for environments which require it for writing files to the host (e.g. OpenShift). +privileged: false +# Configures the generation of the ServiceAccount. +serviceAccount: + # -- Whether a ServiceAccount should be created. + create: true + # -- Annotations to add to the ServiceAccount. + annotations: {} + # -- Name of the ServiceAccount to use. + # If not set and create is true, a name is generated using the fullname template. + name: "" +# Configures the generation of a NetworkAttachmentDefinition for use with Multus CNI (OpenShift) +multusNetworkAttachmentDefinition: + # -- Whether a NetworkAttachmentDefinition CR should be created, which can be used for applying the CNI plugin to Pods. create: false - config: - # Configures the necessary label and annotations along with their values - # to enable Grafana to correctly identify the ConfigMaps containing - # dashboards and file them within a dedicated folder in the dashboard overview. - # These settings need to match the Grafana sidecar configuration. - grafana: - folderAnnotation: - # -- Name of the annotation containing the folder name to file dashboards into. - name: "grafana_folder" - # -- Name of the folder dashboards are filed into within the Grafana UI. - value: "Airlock Microgateway" - dashboardLabel: - # -- Name of the label that lets Grafana identify ConfigMaps that represent dashboards. - name: "grafana_dashboard" - # -- Value of the label that lets Grafana identify ConfigMaps that represent dashboards. - value: "1" - instances: - # Available dashboard instances that can be individually created/deployed. - overview: - # -- Whether to create the overview dashboard. - create: true - license: - # -- Whether to create the license dashboard. - create: true - blockMetrics: - # -- Whether to create the block metrics dashboard. - create: true - blockLogs: - # -- Whether to create the block logs dashboard. - create: true -# Check whether the installation of the Airlock Microgateway Helm Chart was successful. -# Requires a secret with a valid Airlock Microgateway license key already to be present. + # -- Namespace in which the NetworkAttachmentDefinition is deployed. + # Note: If namespace is set to a custom value, referencing the created NetworkAttachmentDefinition from other namespaces + # may not work if Multus namespace isolation is enabled. https://github.com/k8snetworkplumbingwg/multus-cni/blob/v4.0.2/docs/configuration.md#namespace-isolation + namespace: default +# Parameters for the CNI installer configuration. +config: + # -- Whether to install the CNI plugin as a `chained` plugin (default, required with most interface CNI providers), + # as a `standalone` plugin (required for use with Multus CNI, e.g. on OpenShift) + # or in `manual` mode, where no CNI network configuration is written. + installMode: "chained" + # -- Log level for the CNI installer and plugin. + logLevel: info + # -- Directory where the CNI config files reside on the host. + # This path can either be found in the documentation of your Kubernetes distribution or CNI provider. + # It can also be queried by running the command `crictl info -o go-template --template '{{.config.cni.confDir}}'` on your Kubernetes node. + cniNetDir: "/etc/cni/net.d" + # -- Directory where the CNI plugin binaries reside on the host. + # This path can either be found in the documentation of your Kubernetes distribution or CNI provider. + # It can also be queried by running the command `crictl info -o go-template --template '{{.config.cni.binDir}}'` on your Kubernetes node. + cniBinDir: "/opt/cni/bin" + # -- Namespaces for which this CNI plugin should not apply any modifications. + excludeNamespaces: + - kube-system tests: # -- Whether additional resources required for running `helm test` should be created (e.g. Roles and ServiceAccounts). # If set to false, `helm test` will not run any tests. diff --git a/charts/airlock/microgateway/4.4.1/.helmignore b/charts/airlock/microgateway/4.4.1/.helmignore new file mode 100644 index 000000000..101ff5ac5 --- /dev/null +++ b/charts/airlock/microgateway/4.4.1/.helmignore @@ -0,0 +1,28 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ +# CRDs kustomization.yaml +/crds/kustomization.yaml +# Helm unit tests +/tests +/validation diff --git a/charts/airlock/microgateway/4.4.1/Chart.yaml b/charts/airlock/microgateway/4.4.1/Chart.yaml new file mode 100644 index 000000000..4e46fe73f --- /dev/null +++ b/charts/airlock/microgateway/4.4.1/Chart.yaml @@ -0,0 +1,44 @@ +annotations: + artifacthub.io/category: security + artifacthub.io/license: MIT + artifacthub.io/links: | + - name: Airlock Microgateway Documentation + url: https://docs.airlock.com/microgateway/4.4/ + - name: Airlock Microgateway Labs + url: https://play.instruqt.com/airlock/invite/hyi9fy4b4jzc?icp_referrer=artifacthub.io + - name: Airlock Microgateway Forum + url: https://forum.airlock.com/ + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Airlock Microgateway + catalog.cattle.io/kube-version: '>=1.25.0-0' + catalog.cattle.io/release-name: "" + charts.openshift.io/name: Airlock Microgateway +apiVersion: v2 +appVersion: 4.4.1 +description: A Helm chart for deploying the Airlock Microgateway +home: https://www.airlock.com/en/microgateway +icon: file://assets/icons/microgateway.svg +keywords: +- WAF +- Web Application Firewall +- WAAP +- Web Application and API protection +- OWASP +- Airlock +- Microgateway +- Security +- Filtering +- DevSecOps +- shift left +- control plane +- Operator +kubeVersion: '>=1.25.0-0' +maintainers: +- email: support@airlock.com + name: Airlock + url: https://www.airlock.com/ +name: microgateway +sources: +- https://github.com/airlock/microgateway +type: application +version: 4.4.1 diff --git a/charts/airlock/microgateway/4.4.1/README.md b/charts/airlock/microgateway/4.4.1/README.md new file mode 100644 index 000000000..1c976c66c --- /dev/null +++ b/charts/airlock/microgateway/4.4.1/README.md @@ -0,0 +1,186 @@ +# Airlock Microgateway + +![Version: 4.4.1](https://img.shields.io/badge/Version-4.4.1-informational?style=flat-square) ![AppVersion: 4.4.1](https://img.shields.io/badge/AppVersion-4.4.1-informational?style=flat-square) + +*Airlock Microgateway is a Kubernetes native WAAP (Web Application and API Protection) solution to protect microservices.* + + + + + Microgateway + + +Modern application security is embedded in the development workflow and follows DevSecOps paradigms. Airlock Microgateway is the perfect fit for these requirements. It is a lightweight alternative to the Airlock Gateway appliance, optimized for Kubernetes environments. Airlock Microgateway protects your applications and microservices with the tried-and-tested Airlock security features against attacks, while also providing a high degree of scalability. +__This Helm chart is part of Airlock Microgateway. See our [GitHub repo](https://github.com/airlock/microgateway/tree/4.4.1).__ + +### Features +* Kubernetes native integration with sidecar injection and Gateway API support +* Reverse proxy functionality with request routing rules, TLS termination and remote IP extraction +* Using native Envoy HTTP filters like Lua scripting, RBAC, ext_authz, JWT authentication +* Content security filters for protecting against known attacks (OWASP Top 10) +* Access control using OpenID Connect to allow only authenticated users to access the protected services +* API security features like JSON parsing, OpenAPI specification enforcement or GraphQL schema validation + +For a list of all features, view the **[comparison of the community and premium edition](https://docs.airlock.com/microgateway/latest/#data/1675772882054.html)**. + +## Documentation and links + +Check the official documentation at **[docs.airlock.com](https://docs.airlock.com/microgateway/latest/)** or the product website at **[airlock.com/microgateway](https://www.airlock.com/en/microgateway)**. The links below point out the most interesting documentation sites when starting with Airlock Microgateway. + +* [Getting Started](https://docs.airlock.com/microgateway/latest/#data/1660804708742.html) +* [System Architecture](https://docs.airlock.com/microgateway/latest/#data/1660804709650.html) +* [Installation](https://docs.airlock.com/microgateway/latest/#data/1660804708637.html) +* [Troubleshooting](https://docs.airlock.com/microgateway/latest/#data/1659430054787.html) +* [GitHub](https://github.com/airlock/microgateway) + +# Quick start guide + +The instructions below provide a quick start guide. Detailed information are provided in the **[manual](https://docs.airlock.com/microgateway/latest/)**. + +## Prerequisites +* (Recommended) [Airlock Microgateway CNI](https://artifacthub.io/packages/helm/airlock-microgateway-cni/microgateway-cni) (Required for [data plane mode sidecar](https://docs.airlock.com/microgateway/latest/?topic=MGW-00000137)) +* [Airlock Microgateway License](#obtain-airlock-microgateway-license) +* [cert-manager](https://cert-manager.io/) +* [helm](https://helm.sh/docs/intro/install/) (>= v3.8.0) + +In order to use Airlock Microgateway you need a license and the cert-manager. You may either request a community license free of charge or purchase a premium license. +For an easy start in non-production environments, you may deploy the same cert-manager we are using internally for testing. +### Obtain Airlock Microgateway License +1. Either request a community or premium license + * Community license: [airlock.com/microgateway-community](https://airlock.com/en/microgateway-community) + * Premium license: [airlock.com/microgateway-premium](https://airlock.com/en/microgateway-premium) +2. Check your inbox and save the license file microgateway-license.txt locally. + +> See [Community vs. Premium editions in detail](https://docs.airlock.com/microgateway/latest/#data/1675772882054.html) to choose the right license type. +### Deploy cert-manager +```bash +helm repo add jetstack https://charts.jetstack.io +helm install cert-manager jetstack/cert-manager --version 'v1.16.1' -n cert-manager --create-namespace --set crds.enabled=true --wait +``` + +## Deploy Airlock Microgateway Operator + +> This guide assumes a microgateway-license.txt file is present in the working directory. + +1. Install CRDs and Operator. + ```bash + # Create namespace + kubectl create namespace airlock-microgateway-system + + # Install License + kubectl -n airlock-microgateway-system create secret generic airlock-microgateway-license --from-file=microgateway-license.txt + + # Install Operator (CRDs are included via the standard Helm 3 mechanism, i.e. Helm will handle initial installation but not upgrades) + helm install airlock-microgateway -n airlock-microgateway-system oci://quay.io/airlockcharts/microgateway --version '4.4.1' --wait + ``` + +2. (Recommended) You can verify the correctness of the installation with `helm test`. + ```bash + helm upgrade airlock-microgateway -n airlock-microgateway-system --set tests.enabled=true --reuse-values oci://quay.io/airlockcharts/microgateway --version '4.4.1' + helm test airlock-microgateway -n airlock-microgateway-system --logs + helm upgrade airlock-microgateway -n airlock-microgateway-system --set tests.enabled=false --reuse-values oci://quay.io/airlockcharts/microgateway --version '4.4.1' + ``` + +### Upgrading CRDs + +The `helm install/upgrade` command currently does not support upgrading CRDs that already exist in the cluster. +CRDs should instead be manually upgraded before upgrading the Operator itself via the following command: +```bash +kubectl apply -k https://github.com/airlock/microgateway/deploy/charts/airlock-microgateway/crds/?ref=4.4.1 --server-side --force-conflicts +``` + +**Note**: Certain GitOps solutions such as e.g. Argo CD or Flux CD have their own mechanisms for automatically upgrading CRDs included with Helm charts. + +## Support + +### Premium support +If you have a paid license, please follow the [premium support process](https://techzone.ergon.ch/support-process). + +### Community support +For the community edition, check our **[Airlock community forum](https://forum.airlock.com/)** for FAQs or register to post your question. +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| commonAnnotations | object | `{}` | Annotations to add to all resources. | +| commonLabels | object | `{}` | Labels to add to all resources. | +| crds.skipVersionCheck | bool | `false` | Whether to skip the sanity check which prevents installing/upgrading the helm chart in a cluster with outdated Airlock Microgateway CRDs. The check aims to prevent unexpected behavior and issues due to Helm v3 not automatically upgrading CRDs which are already present in the cluster when performing a "helm install/upgrade". | +| dashboards.config.grafana.dashboardLabel.name | string | `"grafana_dashboard"` | Name of the label that lets Grafana identify ConfigMaps that represent dashboards. | +| dashboards.config.grafana.dashboardLabel.value | string | `"1"` | Value of the label that lets Grafana identify ConfigMaps that represent dashboards. | +| dashboards.config.grafana.folderAnnotation.name | string | `"grafana_folder"` | Name of the annotation containing the folder name to file dashboards into. | +| dashboards.config.grafana.folderAnnotation.value | string | `"Airlock Microgateway"` | Name of the folder dashboards are filed into within the Grafana UI. | +| dashboards.create | bool | `false` | Whether to create any ConfigMaps containing Grafana dashboards to import. | +| dashboards.instances.blockLogs.create | bool | `true` | Whether to create the block logs dashboard. | +| dashboards.instances.blockMetrics.create | bool | `true` | Whether to create the block metrics dashboard. | +| dashboards.instances.headerLogs.create | bool | `true` | Whether to create the header rewrite logs dashboard. | +| dashboards.instances.license.create | bool | `true` | Whether to create the license dashboard. | +| dashboards.instances.logOnlyLogs.create | bool | `true` | Whether to create the log only logs dashboard. | +| dashboards.instances.logOnlyMetrics.create | bool | `true` | Whether to create the log only metrics dashboard | +| dashboards.instances.overview.create | bool | `true` | Whether to create the overview dashboard. | +| engine.image.digest | string | `"sha256:06573ef5e6769dbd6eb8606e34c56f1ad2084b6adcae9925b1d2d153a45cbc47"` | SHA256 image digest to pull (in the format "sha256:a3051f42d3013813b05f7513bb86ed6a3209cb3003f1bb2f7b72df249aa544d3"). Overrides tag when specified. | +| engine.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for this image. | +| engine.image.repository | string | `"quay.io/airlock/microgateway-engine"` | Image repository from which to pull the Airlock Microgateway Engine image. | +| engine.image.tag | string | `"4.4.1"` | Image tag to pull. | +| engine.resources | object | `{}` | Resource restrictions to apply to the Airlock Microgateway Engine container. | +| engine.sidecar.podMonitor.create | bool | `false` | Whether to create a PodMonitor resource for monitoring. | +| engine.sidecar.podMonitor.labels | object | `{}` | Labels to add to the PodMonitor. | +| fullnameOverride | string | `""` | Allows overriding the name to use as full name of resources. | +| imagePullSecrets | list | `[]` | ImagePullSecrets to use when pulling images. | +| license.secretName | string | `"airlock-microgateway-license"` | Name of the secret containing the "microgateway-license.txt" key. | +| nameOverride | string | `""` | Allows overriding the name to use instead of "microgateway". | +| networkValidator.image.digest | string | `"sha256:7ef657ce316ce9d86f90c1dc99702d1190877c6ac2e923e696dc82c30050a14c"` | SHA256 image digest to pull (in the format "sha256:7ef657ce316ce9d86f90c1dc99702d1190877c6ac2e923e696dc82c30050a14c"). Overrides tag when specified. | +| networkValidator.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for this image. | +| networkValidator.image.repository | string | `"cgr.dev/chainguard/netcat"` | Image repository from which to pull the netcat image for the Airlock Microgateway Network Validator init-container. | +| networkValidator.image.tag | string | `""` | Image tag to pull. | +| networkValidator.resources | object | `{"limits":{"cpu":"25m","memory":"12Mi"},"requests":{"cpu":"5m","memory":"1Mi"}}` | Resource restrictions to apply to the Airlock Microgateway Network Validator init-container. | +| operator.affinity | object | `{}` | Custom affinity to apply to the operator Deployment. Used to influence the scheduling. | +| operator.config.logLevel | string | `"info"` | Operator application log level. | +| operator.gatewayAPI.controllerName | string | `"microgateway.airlock.com/gatewayclass-controller"` | Controller name referred in the GatewayClasses managed by this operator. The value must be a path prefixed by the domain `microgateway.airlock.com`. | +| operator.gatewayAPI.enabled | bool | `false` | Whether to enable the Kubernetes Gateway API related controllers. Requires that the gateway.networking.k8s.io/v1 resources are installed on the cluster. | +| operator.image.digest | string | `"sha256:1133c3e59418eec1721683e68dd19faca577609ace6eebd010a56e52b1f75789"` | SHA256 image digest to pull (in the format "sha256:c79ee3f85862fb386e9dd62b901b607161d27807f512d7fbdece05e9ee3d7c63"). Overrides tag when specified. | +| operator.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for this image. | +| operator.image.repository | string | `"quay.io/airlock/microgateway-operator"` | Image repository from which to pull the Airlock Microgateway Operator image. | +| operator.image.tag | string | `"4.4.1"` | Image tag to pull. | +| operator.nodeSelector | object | `{}` | Custom nodeSelector to apply to the operator Deployment in order to constrain its Pods to certain nodes. | +| operator.podAnnotations | object | `{}` | Annotations to add to all Pods. | +| operator.podLabels | object | `{}` | Labels to add to all Pods. | +| operator.rbac.create | bool | `true` | Whether to create RBAC resources which are required for the Airlock Microgateway Operator to function. | +| operator.replicaCount | int | `2` | Number of replicas for the operator Deployment. | +| operator.resources | object | `{}` | Resource restrictions to apply to the operator container. | +| operator.serviceAccount.annotations | object | `{}` | Annotations to add to the ServiceAccount. | +| operator.serviceAccount.create | bool | `true` | Whether a ServiceAccount should be created. | +| operator.serviceAccount.name | string | `""` | Name of the ServiceAccount to use. If not set and create is true, a name is generated using the fullname template. | +| operator.serviceAnnotations | object | `{}` | Annotations to add to the Service. | +| operator.serviceLabels | object | `{}` | Labels to add to the Service. | +| operator.serviceMonitor.create | bool | `false` | Whether to create a ServiceMonitor resource for monitoring. | +| operator.serviceMonitor.labels | object | `{}` | Labels to add to the ServiceMonitor. | +| operator.tolerations | list | `[]` | Custom tolerations to apply to the operator Deployment in order to allow its Pods to run on tainted nodes. | +| operator.updateStrategy | object | `{"type":"RollingUpdate"}` | Specifies the operator update strategy. | +| operator.watchNamespaceSelector | object | `{}` | Allows to dynamically select watch namespaces of the operator and the scope of the webhooks based on a Namespace label selector. It is able to detect and reconcile resources in all namespaces that match the label selector automatically, even for new namespaces, without restarting the operator. This facilitates a dynamic `MultiNamespace` installation mode, but still requires cluster-scoped permissions (i.e., ClusterRoles and ClusterRoleBindings). An `AllNamespaces` installation or the usage of the `watchNamespaces` requires the `watchNamespaceSelector` to be empty. Please note that this feature requires a Premium license. | +| operator.watchNamespaces | list | `[]` | Allows to restrict the operator to specific namespaces, depending on your needs. For a `OwnNamespace` or `SingleNamespace` installation the list may only contain one namespace (e.g., `watchNamespaces: ["airlock-microgateway-system"]`). In case of the `OwnNamespace` installation mode the specified namespace should be equal to the installation namespace. For a static `MultiNamespace` installation, the complete list of namespaces must be provided in the `watchNamespaces`. An `AllNamespaces` installation or the usage of the `watchNamespaceSelector` requires the `watchNamespaces` to be empty. Regardless of the installation modes supported by `watchNamespaces`, RBAC is created only namespace-scoped (using Roles and RoleBindings) in the respective namespaces. Please note that this feature requires a Premium license. | +| sessionAgent.image.digest | string | `"sha256:733a25f61ea7cf43c0a46da7d3ecb9a263bda49bf60e1fd8e4162be33aa24b7b"` | SHA256 image digest to pull (in the format "sha256:a3051f42d3013813b05f7513bb86ed6a3209cb3003f1bb2f7b72df249aa544d3"). Overrides tag when specified. | +| sessionAgent.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for this image. | +| sessionAgent.image.repository | string | `"quay.io/airlock/microgateway-session-agent"` | Image repository from which to pull the Airlock Microgateway Session Agent image. | +| sessionAgent.image.tag | string | `"4.4.1"` | Image tag to pull. | +| sessionAgent.resources | object | `{}` | Resource restrictions to apply to the Airlock Microgateway Session Agent container. | +| tests.enabled | bool | `false` | Whether additional resources required for running `helm test` should be created (e.g. Roles and ServiceAccounts). If set to false, `helm test` will not run any tests. | + +## License +View the [detailed license terms](https://www.airlock.com/en/airlock-license) for the software contained in this image. +* Decompiling or reverse engineering is not permitted. +* Using any of the deny rules or parts of these filter patterns outside of the image is not permitted. + +Airlock® is a security innovation by [ergon](https://www.ergon.ch/en) + + + + + + + Airlock Secure Access Hub + + diff --git a/charts/airlock/microgateway/4.2.3/app-readme.md b/charts/airlock/microgateway/4.4.1/app-readme.md similarity index 100% rename from charts/airlock/microgateway/4.2.3/app-readme.md rename to charts/airlock/microgateway/4.4.1/app-readme.md diff --git a/charts/airlock/microgateway/4.4.1/crds/accesscontrols.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.4.1/crds/accesscontrols.microgateway.airlock.com.yaml new file mode 100644 index 000000000..c10c65c1f --- /dev/null +++ b/charts/airlock/microgateway/4.4.1/crds/accesscontrols.microgateway.airlock.com.yaml @@ -0,0 +1,501 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.4 + labels: + app.kubernetes.io/name: airlock-microgateway-operator + app.kubernetes.io/version: 4.4.1 + name: accesscontrols.microgateway.airlock.com +spec: + group: microgateway.airlock.com + names: + categories: + - airlock-microgateway + kind: AccessControl + listKind: AccessControlList + plural: accesscontrols + singular: accesscontrol + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: AccessControl specifies the options to perform access control with a Microgateway Engine container. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Specifies how the Airlock Microgateway Engine performs access control. + properties: + policies: + description: Policies configures access control policies. The first matching policy (from top to bottom) applies. + items: + properties: + authorization: + description: Authorization configures how requests are authorized. An empty object value {} disables authorization. + properties: + authentication: + description: Authentication specifies that clients need to be authenticated with the provided method. + properties: + oidc: + description: OIDC configures client authentication using OpenID Connect. + properties: + oidcRelyingPartyRef: + description: OIDCRelyingPartyRef configures how the Airlock Microgateway Engine interacts with the OpenID provider. + properties: + name: + description: Name of the resource + minLength: 1 + type: string + required: + - name + type: object + required: + - oidcRelyingPartyRef + type: object + type: object + deny: + description: Deny specifies to deny access for all requests matching this policy. + type: object + requireAll: + description: RequireAll specifies conditions which must all be satisfied for the request to be authorized. + items: + properties: + oidc: + description: OIDC specifies a condition on the result of an OpenID Connect flow. + properties: + claim: + description: Claim specifies a condition on a JWT claim. + properties: + name: + description: Name of the claim. + minLength: 1 + type: string + value: + description: |- + Value of the claim. If not specified, only existence of the claim is checked (any value is allowed). + + Value matching is only supported if the data type of the claim is either primitive (`number`, `boolean`, `string`) or `array` of primitives. + In case of a non-string value, the match will be performed against the stringified value. + + If the claim has an unsupported data type (e.g. `object` or `null`), its value will never match. + properties: + matcher: + description: StringMatcher defines the way to match a string. + properties: + contains: + description: |- + Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + exact: + description: |- + Exact defines an explicit match on the string specified here. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + ignoreCase: + default: false + description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. + type: boolean + prefix: + description: |- + Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + regex: + description: |- + Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. + The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + suffix: + description: |- + Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + type: object + required: + - matcher + type: object + required: + - name + type: object + required: + - claim + type: object + required: + - oidc + type: object + minItems: 1 + type: array + requireAny: + description: RequireAny specifies conditions of which at least one must be satisfied for the request to be authorized. + items: + properties: + oidc: + description: OIDC specifies a condition on the result of an OpenID Connect flow. + properties: + claim: + description: Claim specifies a condition on a JWT claim. + properties: + name: + description: Name of the claim. + minLength: 1 + type: string + value: + description: |- + Value of the claim. If not specified, only existence of the claim is checked (any value is allowed). + + Value matching is only supported if the data type of the claim is either primitive (`number`, `boolean`, `string`) or `array` of primitives. + In case of a non-string value, the match will be performed against the stringified value. + + If the claim has an unsupported data type (e.g. `object` or `null`), its value will never match. + properties: + matcher: + description: StringMatcher defines the way to match a string. + properties: + contains: + description: |- + Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + exact: + description: |- + Exact defines an explicit match on the string specified here. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + ignoreCase: + default: false + description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. + type: boolean + prefix: + description: |- + Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + regex: + description: |- + Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. + The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + suffix: + description: |- + Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + type: object + required: + - matcher + type: object + required: + - name + type: object + required: + - claim + type: object + required: + - oidc + type: object + minItems: 1 + type: array + type: object + identityPropagation: + description: IdentityPropagation configures how the authenticated user's identity is communicated to the protected application. + properties: + actions: + description: Actions specifies the propagation actions. + items: + properties: + identityPropagationRef: + description: IdentityPropagationRef selects an IdentityPropagation to apply. + properties: + name: + description: Name of the resource + minLength: 1 + type: string + required: + - name + type: object + required: + - identityPropagationRef + type: object + type: array + onFailure: + description: |- + OnFailure configures what should happen, if an identity propagation fails. Meaning of the possible values: + _Pass_: The request should be forwarded to the upstream, without including the information from the failed identity propagations. + enum: + - Pass + type: string + required: + - actions + - onFailure + type: object + requestConditions: + description: |- + RequestConditions defines additional request properties which must be matched in order for this policy to apply. A policy without request conditions will always match. + + WARNING: There is currently a limitation that if `authentication.oidc` is configured for this policy, you must ensure that the request condition also matches logout requests and callback redirects from the OIDC Provider as configured in the OIDCRelyingParty (`pathMapping.logoutPath` / `pathMapping.redirectPath`). + properties: + header: + description: Header defines the matching headers of a request. + properties: + name: + description: Name defines the name of a header. + properties: + matcher: + description: Matcher defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted. + properties: + contains: + description: |- + Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + exact: + description: |- + Exact defines an explicit match on the string specified here. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + prefix: + description: |- + Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + regex: + description: |- + Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. + The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + suffix: + description: |- + Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + type: object + required: + - matcher + type: object + value: + description: Value defines the value of a header. + properties: + matcher: + description: StringMatcher defines the way to match a string. + properties: + contains: + description: |- + Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + exact: + description: |- + Exact defines an explicit match on the string specified here. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + ignoreCase: + default: false + description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. + type: boolean + prefix: + description: |- + Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + regex: + description: |- + Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. + The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + suffix: + description: |- + Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + type: object + required: + - matcher + type: object + type: object + invert: + default: false + description: Invert indicates whether the request condition should be inverted. + type: boolean + mediaType: + description: MediaType defines the matching media type from the content-type header of a request. + properties: + matcher: + description: |- + NonInvertableCaseInsensitiveStringMatcher defines the way to match a string. + In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted. + properties: + contains: + description: |- + Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + exact: + description: |- + Exact defines an explicit match on the string specified here. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + prefix: + description: |- + Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + regex: + description: |- + Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. + The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + suffix: + description: |- + Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + type: object + required: + - matcher + type: object + method: + description: Method defines the matching methods of a request. + items: + description: Method defines common HTTP methods. + enum: + - GET + - HEAD + - POST + - PUT + - PATCH + - DELETE + - CONNECT + - OPTIONS + - TRACE + type: string + type: array + path: + description: Path defines the matching path of a request. + properties: + matcher: + description: StringMatcher defines the way to match a string. + properties: + contains: + description: |- + Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + exact: + description: |- + Exact defines an explicit match on the string specified here. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + ignoreCase: + default: false + description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. + type: boolean + prefix: + description: |- + Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + regex: + description: |- + Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. + The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + suffix: + description: |- + Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + type: object + required: + - matcher + type: object + remoteIP: + description: RemoteIP defines the matching remote IPs of a request. + properties: + cidrRanges: + description: CIDRRanges defines the IPv4 or IPv6 CIDR ranges, e.g. ``196.148.3.128/26`` or ``2001:db8::/28``. + items: + description: CIDRRange defines an IPv4 or IPv6 CIDR range, e.g. “196.148.3.128/26“ or “2001:db8::/28“. + format: cidr + type: string + minItems: 1 + type: array + invert: + default: false + description: Invert indicates whether the match should be inverted. + type: boolean + required: + - cidrRanges + type: object + type: object + required: + - authorization + type: object + minItems: 1 + type: array + required: + - policies + type: object + required: + - spec + type: object + served: true + storage: true + subresources: {} diff --git a/charts/airlock/microgateway/4.3.0/crds/contentsecurities.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.4.1/crds/contentsecurities.microgateway.airlock.com.yaml similarity index 98% rename from charts/airlock/microgateway/4.3.0/crds/contentsecurities.microgateway.airlock.com.yaml rename to charts/airlock/microgateway/4.4.1/crds/contentsecurities.microgateway.airlock.com.yaml index 05214f023..cbe6fb3a1 100644 --- a/charts/airlock/microgateway/4.3.0/crds/contentsecurities.microgateway.airlock.com.yaml +++ b/charts/airlock/microgateway/4.4.1/crds/contentsecurities.microgateway.airlock.com.yaml @@ -2,10 +2,10 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.15.0 + controller-gen.kubebuilder.io/version: v0.16.4 labels: app.kubernetes.io/name: airlock-microgateway-operator - app.kubernetes.io/version: 4.3.0 + app.kubernetes.io/version: 4.4.1 name: contentsecurities.microgateway.airlock.com spec: group: microgateway.airlock.com diff --git a/charts/airlock/microgateway/4.4.1/crds/contentsecuritypolicies.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.4.1/crds/contentsecuritypolicies.microgateway.airlock.com.yaml new file mode 100644 index 000000000..3fd1d7545 --- /dev/null +++ b/charts/airlock/microgateway/4.4.1/crds/contentsecuritypolicies.microgateway.airlock.com.yaml @@ -0,0 +1,476 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.4 + labels: + app.kubernetes.io/name: airlock-microgateway-operator + app.kubernetes.io/version: 4.4.1 + gateway.networking.k8s.io/policy: direct + name: contentsecuritypolicies.microgateway.airlock.com +spec: + group: microgateway.airlock.com + names: + categories: + - airlock-microgateway + kind: ContentSecurityPolicy + listKind: ContentSecurityPolicyList + plural: contentsecuritypolicies + singular: contentsecuritypolicy + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: ContentSecurityPolicy is a Direct Attached Policy for the Kubernetes Gateway API. It specifies the options to secure an upstream web application with a Microgateway. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of ContentSecurityPolicy. + properties: + secured: + description: Secured enables WAF processing for the routes attached to this policy. + properties: + apiProtection: + description: |- + APIProtection defines the relevant configurations to protect APIs. + If undefined, default settings are applied, designed to work with most upstream web application services. + properties: + graphQLRef: + description: |- + GraphQLRef selects the relevant GraphQL configuration resource. + If undefined, default settings are applied, designed to work with most upstream web application services. + properties: + name: + description: Name of the resource + minLength: 1 + type: string + required: + - name + type: object + openAPIRef: + description: |- + OpenAPIRef selects the relevant OpenAPI configuration resource. + If undefined, default settings are applied, designed to work with most upstream web application services. + properties: + name: + description: Name of the resource + minLength: 1 + type: string + required: + - name + type: object + type: object + filter: + description: |- + Filter defines the set of filters, e.g. Airlock Deny Rules, to be applied to incoming requests + to protect against various attack patterns. + If undefined, default settings are applied, designed to work with most upstream web application services. + properties: + denyRulesRef: + description: |- + DenyRulesRef selects the relevant DenyRules configuration resource. + If undefined, default settings are applied, designed to work with most upstream web application services. + properties: + name: + description: Name of the resource + minLength: 1 + type: string + required: + - name + type: object + type: object + limitsRef: + description: |- + LimitsRef selects the relevant Limits configuration resource. + If undefined, default settings are applied, designed to work with most upstream web application services. + properties: + name: + description: Name of the resource + minLength: 1 + type: string + required: + - name + type: object + parserRef: + description: |- + ParserRef selects the relevant Parser configuration resource. + If undefined, default settings are applied, designed to work with most upstream web application services. + properties: + name: + description: Name of the resource + minLength: 1 + type: string + required: + - name + type: object + type: object + targetRefs: + description: |- + TargetRefs are the resources this policy is being attached to. Referenced resources must be in the same namespace as the policy. + Support: HTTPRoute. + items: + description: |- + LocalPolicyTargetReference identifies an API object to apply a direct or + inherited policy to. This should be used as part of Policy resources + that can target Gateway API resources. For more information on how this + policy attachment model works, and a sample Policy resource, refer to + the policy attachment documentation for Gateway API. + properties: + group: + description: Group is the group of the target resource. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the target resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the target resource. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + maxItems: 16 + minItems: 1 + type: array + x-kubernetes-validations: + - message: 'TargetRef Kind must be: HTTPRoute' + rule: self.all(t, t.kind=='HTTPRoute') + - message: TargetRef Group must be gateway.networking.k8s.io. + rule: self.all(t, t.group=='gateway.networking.k8s.io') + unsecured: + description: |- + Unsecured disables all WAF functionality and therefore protection for the routes attached to this policy. + WARNING: Using this setting when the application is exposed to untrusted downstream traffic is highly discouraged. + type: object + required: + - targetRefs + type: object + status: + description: Status defines the state of the ContentSecurityPolicy. + properties: + ancestors: + description: |- + Ancestors is a list of ancestor resources (usually Gateways) that are + associated with the policy, and the status of the policy with respect to + each ancestor. When this policy attaches to a parent, the controller that + manages the parent and the ancestors MUST add an entry to this list when + the controller first sees the policy and SHOULD update the entry as + appropriate when the relevant ancestor is modified. + + Note that choosing the relevant ancestor is left to the Policy designers; + an important part of Policy design is designing the right object level at + which to namespace this status. + + Note also that implementations MUST ONLY populate ancestor status for + the Ancestor resources they are responsible for. Implementations MUST + use the ControllerName field to uniquely identify the entries in this list + that they are responsible for. + + Note that to achieve this, the list of PolicyAncestorStatus structs + MUST be treated as a map with a composite key, made up of the AncestorRef + and ControllerName fields combined. + + A maximum of 16 ancestors will be represented in this list. An empty list + means the Policy is not relevant for any ancestors. + + If this slice is full, implementations MUST NOT add further entries. + Instead they MUST consider the policy unimplementable and signal that + on any related resources such as the ancestor that would be referenced + here. For example, if this list was full on BackendTLSPolicy, no + additional Gateways would be able to reference the Service targeted by + the BackendTLSPolicy. + items: + description: |- + PolicyAncestorStatus describes the status of a route with respect to an + associated Ancestor. + + Ancestors refer to objects that are either the Target of a policy or above it + in terms of object hierarchy. For example, if a policy targets a Service, the + Policy's Ancestors are, in order, the Service, the HTTPRoute, the Gateway, and + the GatewayClass. Almost always, in this hierarchy, the Gateway will be the most + useful object to place Policy status on, so we recommend that implementations + SHOULD use Gateway as the PolicyAncestorStatus object unless the designers + have a _very_ good reason otherwise. + + In the context of policy attachment, the Ancestor is used to distinguish which + resource results in a distinct application of this policy. For example, if a policy + targets a Service, it may have a distinct result per attached Gateway. + + Policies targeting the same resource may have different effects depending on the + ancestors of those resources. For example, different Gateways targeting the same + Service may have different capabilities, especially if they have different underlying + implementations. + + For example, in BackendTLSPolicy, the Policy attaches to a Service that is + used as a backend in a HTTPRoute that is itself attached to a Gateway. + In this case, the relevant object for status is the Gateway, and that is the + ancestor object referred to in this status. + + Note that a parent is also an ancestor, so for objects where the parent is the + relevant object for status, this struct SHOULD still be used. + + This struct is intended to be used in a slice that's effectively a map, + with a composite key made up of the AncestorRef and the ControllerName. + properties: + ancestorRef: + description: |- + AncestorRef corresponds with a ParentRef in the spec that this + PolicyAncestorStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: |- + Group is the group of the referent. + When unspecified, "gateway.networking.k8s.io" is inferred. + To set the core API group (such as for a "Service" kind referent), + Group must be explicitly set to "" (empty string). + + Support: Core + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: |- + Kind is kind of the referent. + + There are two kinds of parent resources with "Core" support: + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + Support for other resources is Implementation-Specific. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. + + Support: Core + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referent. When unspecified, this refers + to the local namespace of the Route. + + Note that there are specific rules for ParentRefs which cross namespace + boundaries. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example: + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable any other kind of cross-namespace reference. + + + ParentRefs from a Route to a Service in the same namespace are "producer" + routes, which apply default routing rules to inbound connections from + any namespace to the Service. + + ParentRefs from a Route to a Service in a different namespace are + "consumer" routes, and these routing rules are only applied to outbound + connections originating from the same namespace as the Route, for which + the intended destination of the connections are a Service targeted as a + ParentRef of the Route. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port is the network port this Route targets. It can be interpreted + differently based on the type of parent resource. + + When the parent resource is a Gateway, this targets all listeners + listening on the specified port that also support this kind of Route(and + select this Route). It's not recommended to set `Port` unless the + networking behaviors specified in a Route must apply to a specific port + as opposed to a listener(s) whose port(s) may be changed. When both Port + and SectionName are specified, the name and port of the selected listener + must match both specified values. + + + When the parent resource is a Service, this targets a specific port in the + Service spec. When both Port (experimental) and SectionName are specified, + the name and port of the selected port must match both specified values. + + + Implementations MAY choose to support other parent resources. + Implementations supporting other types of parent resources MUST clearly + document how/if Port is interpreted. + + For the purpose of status, an attachment is considered successful as + long as the parent resource accepts it partially. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: |- + SectionName is the name of a section within the target resource. In the + following resources, SectionName is interpreted as the following: + + * Gateway: Listener name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + * Service: Port name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + + Implementations MAY choose to support attaching Routes to other resources. + If that is the case, they MUST clearly document how SectionName is + interpreted. + + When unspecified (empty string), this will reference the entire resource. + For the purpose of status, an attachment is considered successful if at + least one section in the parent resource accepts it. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from + the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, the + Route MUST be considered detached from the Gateway. + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + conditions: + description: Conditions describes the status of the Policy with respect to the given Ancestor. + items: + description: Condition contains details for one aspect of the current state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: |- + ControllerName is a domain/path string that indicates the name of the + controller that wrote this status. This corresponds with the + controllerName field on GatewayClass. + + Example: "example.net/gateway-controller". + + The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are + valid Kubernetes names + (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). + + Controllers MUST populate this field when writing status. Controllers should ensure that + entries to status populated with their ControllerName are cleaned up when they are no + longer necessary. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + required: + - ancestorRef + - controllerName + type: object + maxItems: 16 + type: array + required: + - ancestors + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} diff --git a/charts/airlock/microgateway/4.3.0/crds/denyrules.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.4.1/crds/denyrules.microgateway.airlock.com.yaml similarity index 99% rename from charts/airlock/microgateway/4.3.0/crds/denyrules.microgateway.airlock.com.yaml rename to charts/airlock/microgateway/4.4.1/crds/denyrules.microgateway.airlock.com.yaml index 906353c0a..234190a28 100644 --- a/charts/airlock/microgateway/4.3.0/crds/denyrules.microgateway.airlock.com.yaml +++ b/charts/airlock/microgateway/4.4.1/crds/denyrules.microgateway.airlock.com.yaml @@ -2,10 +2,10 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.15.0 + controller-gen.kubebuilder.io/version: v0.16.4 labels: app.kubernetes.io/name: airlock-microgateway-operator - app.kubernetes.io/version: 4.3.0 + app.kubernetes.io/version: 4.4.1 name: denyrules.microgateway.airlock.com spec: group: microgateway.airlock.com @@ -864,7 +864,9 @@ spec: TEMPLATE | UNIXCMD | WINCMD | - XSS + XSS | + SSRF | + BOT enum: - ENCODING - EXPLOIT @@ -883,6 +885,8 @@ spec: - UNIXCMD - WINCMD - XSS + - SSRF + - BOT type: string minItems: 1 type: array @@ -917,7 +921,9 @@ spec: TEMPLATE | UNIXCMD | WINCMD | - XSS + XSS | + SSRF | + BOT enum: - ENCODING - EXPLOIT @@ -936,6 +942,8 @@ spec: - UNIXCMD - WINCMD - XSS + - SSRF + - BOT type: string minItems: 1 type: array diff --git a/charts/airlock/microgateway/4.3.1/crds/envoyclusters.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.4.1/crds/envoyclusters.microgateway.airlock.com.yaml similarity index 96% rename from charts/airlock/microgateway/4.3.1/crds/envoyclusters.microgateway.airlock.com.yaml rename to charts/airlock/microgateway/4.4.1/crds/envoyclusters.microgateway.airlock.com.yaml index 8d2c6ef97..4127d53eb 100644 --- a/charts/airlock/microgateway/4.3.1/crds/envoyclusters.microgateway.airlock.com.yaml +++ b/charts/airlock/microgateway/4.4.1/crds/envoyclusters.microgateway.airlock.com.yaml @@ -2,10 +2,10 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.15.0 + controller-gen.kubebuilder.io/version: v0.16.4 labels: app.kubernetes.io/name: airlock-microgateway-operator - app.kubernetes.io/version: 4.3.1 + app.kubernetes.io/version: 4.4.1 name: envoyclusters.microgateway.airlock.com spec: group: microgateway.airlock.com diff --git a/charts/airlock/microgateway/4.3.1/crds/envoyconfigurations.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.4.1/crds/envoyconfigurations.microgateway.airlock.com.yaml similarity index 98% rename from charts/airlock/microgateway/4.3.1/crds/envoyconfigurations.microgateway.airlock.com.yaml rename to charts/airlock/microgateway/4.4.1/crds/envoyconfigurations.microgateway.airlock.com.yaml index 38f381b72..a71ef4cc2 100644 --- a/charts/airlock/microgateway/4.3.1/crds/envoyconfigurations.microgateway.airlock.com.yaml +++ b/charts/airlock/microgateway/4.4.1/crds/envoyconfigurations.microgateway.airlock.com.yaml @@ -2,10 +2,10 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.15.0 + controller-gen.kubebuilder.io/version: v0.16.4 labels: app.kubernetes.io/name: airlock-microgateway-operator - app.kubernetes.io/version: 4.3.1 + app.kubernetes.io/version: 4.4.1 name: envoyconfigurations.microgateway.airlock.com spec: group: microgateway.airlock.com diff --git a/charts/airlock/microgateway/4.2.3/crds/envoyhttpfilters.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.4.1/crds/envoyhttpfilters.microgateway.airlock.com.yaml similarity index 96% rename from charts/airlock/microgateway/4.2.3/crds/envoyhttpfilters.microgateway.airlock.com.yaml rename to charts/airlock/microgateway/4.4.1/crds/envoyhttpfilters.microgateway.airlock.com.yaml index f81221802..358e1973d 100644 --- a/charts/airlock/microgateway/4.2.3/crds/envoyhttpfilters.microgateway.airlock.com.yaml +++ b/charts/airlock/microgateway/4.4.1/crds/envoyhttpfilters.microgateway.airlock.com.yaml @@ -2,10 +2,10 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.14.0 + controller-gen.kubebuilder.io/version: v0.16.4 labels: app.kubernetes.io/name: airlock-microgateway-operator - app.kubernetes.io/version: 4.2.3 + app.kubernetes.io/version: 4.4.1 name: envoyhttpfilters.microgateway.airlock.com spec: group: microgateway.airlock.com diff --git a/charts/airlock/microgateway/4.3.3/crds/graphqls.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.4.1/crds/graphqls.microgateway.airlock.com.yaml similarity index 97% rename from charts/airlock/microgateway/4.3.3/crds/graphqls.microgateway.airlock.com.yaml rename to charts/airlock/microgateway/4.4.1/crds/graphqls.microgateway.airlock.com.yaml index 1d9cb3b94..39046d24c 100644 --- a/charts/airlock/microgateway/4.3.3/crds/graphqls.microgateway.airlock.com.yaml +++ b/charts/airlock/microgateway/4.4.1/crds/graphqls.microgateway.airlock.com.yaml @@ -2,10 +2,10 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.15.0 + controller-gen.kubebuilder.io/version: v0.16.4 labels: app.kubernetes.io/name: airlock-microgateway-operator - app.kubernetes.io/version: 4.3.3 + app.kubernetes.io/version: 4.4.1 name: graphqls.microgateway.airlock.com spec: group: microgateway.airlock.com diff --git a/charts/airlock/microgateway/4.4.1/crds/headerrewrites.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.4.1/crds/headerrewrites.microgateway.airlock.com.yaml new file mode 100644 index 000000000..d99797f1e --- /dev/null +++ b/charts/airlock/microgateway/4.4.1/crds/headerrewrites.microgateway.airlock.com.yaml @@ -0,0 +1,2083 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.4 + labels: + app.kubernetes.io/name: airlock-microgateway-operator + app.kubernetes.io/version: 4.4.1 + name: headerrewrites.microgateway.airlock.com +spec: + group: microgateway.airlock.com + names: + categories: + - airlock-microgateway + kind: HeaderRewrites + listKind: HeaderRewritesList + plural: headerrewrites + singular: headerrewrites + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: HeaderRewrites is the Schema for the headerrewrites API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Specification of the desired header rewriting behavior. + properties: + request: + description: Request defines manipulations on upstream request headers. + properties: + add: + description: Add defines which request headers will be added before forwarding to the upstream. + properties: + custom: + description: |- + Custom allows configuring additional upstream request headers. + Add selected headers. + items: + properties: + headers: + description: Headers to add. + items: + description: HeaderRewritesHeader specifies a header with a particular value + properties: + name: + description: Name defines the name of a header. + minLength: 1 + type: string + value: + description: Value defines the value of a header. + type: string + required: + - name + - value + type: object + minItems: 1 + type: array + mode: + default: AddIfAbsent + description: Mode defines the header addition strategy. + enum: + - AddIfAbsent + - OverwriteOrAdd + type: string + name: + description: Name describing the configured operation. + minLength: 1 + type: string + requestConditions: + description: RequestConditions defines additional request properties which must be matched in order for this operation to be applied. + properties: + header: + description: Header defines the matching headers of a request. + properties: + name: + description: Name defines the name of a header. + properties: + matcher: + description: Matcher defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted. + properties: + contains: + description: |- + Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + exact: + description: |- + Exact defines an explicit match on the string specified here. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + prefix: + description: |- + Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + regex: + description: |- + Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. + The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + suffix: + description: |- + Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + type: object + required: + - matcher + type: object + value: + description: Value defines the value of a header. + properties: + matcher: + description: StringMatcher defines the way to match a string. + properties: + contains: + description: |- + Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + exact: + description: |- + Exact defines an explicit match on the string specified here. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + ignoreCase: + default: false + description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. + type: boolean + prefix: + description: |- + Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + regex: + description: |- + Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. + The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + suffix: + description: |- + Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + type: object + required: + - matcher + type: object + type: object + invert: + default: false + description: Invert indicates whether the request condition should be inverted. + type: boolean + mediaType: + description: MediaType defines the matching media type from the content-type header of a request. + properties: + matcher: + description: |- + NonInvertableCaseInsensitiveStringMatcher defines the way to match a string. + In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted. + properties: + contains: + description: |- + Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + exact: + description: |- + Exact defines an explicit match on the string specified here. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + prefix: + description: |- + Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + regex: + description: |- + Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. + The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + suffix: + description: |- + Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + type: object + required: + - matcher + type: object + method: + description: Method defines the matching methods of a request. + items: + description: Method defines common HTTP methods. + enum: + - GET + - HEAD + - POST + - PUT + - PATCH + - DELETE + - CONNECT + - OPTIONS + - TRACE + type: string + type: array + path: + description: Path defines the matching path of a request. + properties: + matcher: + description: StringMatcher defines the way to match a string. + properties: + contains: + description: |- + Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + exact: + description: |- + Exact defines an explicit match on the string specified here. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + ignoreCase: + default: false + description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. + type: boolean + prefix: + description: |- + Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + regex: + description: |- + Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. + The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + suffix: + description: |- + Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + type: object + required: + - matcher + type: object + remoteIP: + description: RemoteIP defines the matching remote IPs of a request. + properties: + cidrRanges: + description: CIDRRanges defines the IPv4 or IPv6 CIDR ranges, e.g. ``196.148.3.128/26`` or ``2001:db8::/28``. + items: + description: CIDRRange defines an IPv4 or IPv6 CIDR range, e.g. “196.148.3.128/26“ or “2001:db8::/28“. + format: cidr + type: string + minItems: 1 + type: array + invert: + default: false + description: Invert indicates whether the match should be inverted. + type: boolean + required: + - cidrRanges + type: object + type: object + required: + - headers + - name + type: object + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + allow: + description: |- + Allow defines which request headers will be forwarded to the upstream. + This can either be allHeaders or matchingHeaders. + Default: matchingHeaders: {...} + properties: + allHeaders: + description: AllHeaders specifies that all request headers should be forwarded. + type: object + matchingHeaders: + description: MatchingHeaders specifies which request headers should be forwarded. + properties: + builtIn: + description: BuiltIn allows configuring a set of predefined upstream request headers. + properties: + standardHeaders: + default: true + description: StandardHeaders defines whether the request headers which are forwarded to the upstream will be restricted to a set of common request headers. + type: boolean + tracingHeaders: + default: false + description: TracingHeaders defines whether to allow common tracing headers to be forwarded to the upstream. + type: boolean + type: object + custom: + description: Custom allows configuring additional upstream request headers. + items: + properties: + headers: + description: Headers to allow. + items: + description: |- + HeaderMatcher defines a matcher for an HTTP header. + At least one of name and value must be set. + properties: + name: + description: Name defines the name of a header. + properties: + matcher: + description: Matcher defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted. + properties: + contains: + description: |- + Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + exact: + description: |- + Exact defines an explicit match on the string specified here. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + prefix: + description: |- + Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + regex: + description: |- + Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. + The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + suffix: + description: |- + Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + type: object + required: + - matcher + type: object + value: + description: Value defines the value of a header. + properties: + matcher: + description: StringMatcher defines the way to match a string. + properties: + contains: + description: |- + Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + exact: + description: |- + Exact defines an explicit match on the string specified here. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + ignoreCase: + default: false + description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. + type: boolean + prefix: + description: |- + Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + regex: + description: |- + Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. + The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + suffix: + description: |- + Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + type: object + required: + - matcher + type: object + type: object + minItems: 1 + type: array + name: + description: Name describing the configured operation. Must be unique. + minLength: 1 + type: string + requestConditions: + description: RequestConditions defines additional request properties which must be matched in order for this operation to be applied. + properties: + header: + description: Header defines the matching headers of a request. + properties: + name: + description: Name defines the name of a header. + properties: + matcher: + description: Matcher defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted. + properties: + contains: + description: |- + Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + exact: + description: |- + Exact defines an explicit match on the string specified here. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + prefix: + description: |- + Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + regex: + description: |- + Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. + The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + suffix: + description: |- + Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + type: object + required: + - matcher + type: object + value: + description: Value defines the value of a header. + properties: + matcher: + description: StringMatcher defines the way to match a string. + properties: + contains: + description: |- + Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + exact: + description: |- + Exact defines an explicit match on the string specified here. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + ignoreCase: + default: false + description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. + type: boolean + prefix: + description: |- + Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + regex: + description: |- + Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. + The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + suffix: + description: |- + Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + type: object + required: + - matcher + type: object + type: object + invert: + default: false + description: Invert indicates whether the request condition should be inverted. + type: boolean + mediaType: + description: MediaType defines the matching media type from the content-type header of a request. + properties: + matcher: + description: |- + NonInvertableCaseInsensitiveStringMatcher defines the way to match a string. + In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted. + properties: + contains: + description: |- + Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + exact: + description: |- + Exact defines an explicit match on the string specified here. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + prefix: + description: |- + Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + regex: + description: |- + Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. + The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + suffix: + description: |- + Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + type: object + required: + - matcher + type: object + method: + description: Method defines the matching methods of a request. + items: + description: Method defines common HTTP methods. + enum: + - GET + - HEAD + - POST + - PUT + - PATCH + - DELETE + - CONNECT + - OPTIONS + - TRACE + type: string + type: array + path: + description: Path defines the matching path of a request. + properties: + matcher: + description: StringMatcher defines the way to match a string. + properties: + contains: + description: |- + Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + exact: + description: |- + Exact defines an explicit match on the string specified here. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + ignoreCase: + default: false + description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. + type: boolean + prefix: + description: |- + Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + regex: + description: |- + Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. + The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + suffix: + description: |- + Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + type: object + required: + - matcher + type: object + remoteIP: + description: RemoteIP defines the matching remote IPs of a request. + properties: + cidrRanges: + description: CIDRRanges defines the IPv4 or IPv6 CIDR ranges, e.g. ``196.148.3.128/26`` or ``2001:db8::/28``. + items: + description: CIDRRange defines an IPv4 or IPv6 CIDR range, e.g. “196.148.3.128/26“ or “2001:db8::/28“. + format: cidr + type: string + minItems: 1 + type: array + invert: + default: false + description: Invert indicates whether the match should be inverted. + type: boolean + required: + - cidrRanges + type: object + type: object + required: + - headers + - name + type: object + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: object + remove: + description: Remove defines which request headers will be removed before forwarding to the upstream. + properties: + builtIn: + description: BuiltIn allows configuring a set of predefined upstream request headers. + properties: + alternativeForwardedHeaders: + default: true + description: |- + AlternativeForwardedHeaders removes downstream request headers which could potentially + be abused to alter the upstream's view of the remote connection. + type: boolean + type: object + custom: + description: Custom allows configuring additional upstream request headers. + items: + properties: + headers: + description: Headers to remove. + items: + description: |- + HeaderMatcher defines a matcher for an HTTP header. + At least one of name and value must be set. + properties: + name: + description: Name defines the name of a header. + properties: + matcher: + description: Matcher defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted. + properties: + contains: + description: |- + Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + exact: + description: |- + Exact defines an explicit match on the string specified here. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + prefix: + description: |- + Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + regex: + description: |- + Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. + The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + suffix: + description: |- + Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + type: object + required: + - matcher + type: object + value: + description: Value defines the value of a header. + properties: + matcher: + description: StringMatcher defines the way to match a string. + properties: + contains: + description: |- + Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + exact: + description: |- + Exact defines an explicit match on the string specified here. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + ignoreCase: + default: false + description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. + type: boolean + prefix: + description: |- + Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + regex: + description: |- + Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. + The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + suffix: + description: |- + Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + type: object + required: + - matcher + type: object + type: object + minItems: 1 + type: array + name: + description: Name describing the configured operation. Must be unique. + minLength: 1 + type: string + requestConditions: + description: RequestConditions defines additional request properties which must be matched in order for this operation to be applied. + properties: + header: + description: Header defines the matching headers of a request. + properties: + name: + description: Name defines the name of a header. + properties: + matcher: + description: Matcher defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted. + properties: + contains: + description: |- + Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + exact: + description: |- + Exact defines an explicit match on the string specified here. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + prefix: + description: |- + Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + regex: + description: |- + Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. + The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + suffix: + description: |- + Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + type: object + required: + - matcher + type: object + value: + description: Value defines the value of a header. + properties: + matcher: + description: StringMatcher defines the way to match a string. + properties: + contains: + description: |- + Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + exact: + description: |- + Exact defines an explicit match on the string specified here. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + ignoreCase: + default: false + description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. + type: boolean + prefix: + description: |- + Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + regex: + description: |- + Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. + The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + suffix: + description: |- + Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + type: object + required: + - matcher + type: object + type: object + invert: + default: false + description: Invert indicates whether the request condition should be inverted. + type: boolean + mediaType: + description: MediaType defines the matching media type from the content-type header of a request. + properties: + matcher: + description: |- + NonInvertableCaseInsensitiveStringMatcher defines the way to match a string. + In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted. + properties: + contains: + description: |- + Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + exact: + description: |- + Exact defines an explicit match on the string specified here. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + prefix: + description: |- + Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + regex: + description: |- + Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. + The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + suffix: + description: |- + Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + type: object + required: + - matcher + type: object + method: + description: Method defines the matching methods of a request. + items: + description: Method defines common HTTP methods. + enum: + - GET + - HEAD + - POST + - PUT + - PATCH + - DELETE + - CONNECT + - OPTIONS + - TRACE + type: string + type: array + path: + description: Path defines the matching path of a request. + properties: + matcher: + description: StringMatcher defines the way to match a string. + properties: + contains: + description: |- + Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + exact: + description: |- + Exact defines an explicit match on the string specified here. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + ignoreCase: + default: false + description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. + type: boolean + prefix: + description: |- + Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + regex: + description: |- + Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. + The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + suffix: + description: |- + Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + type: object + required: + - matcher + type: object + remoteIP: + description: RemoteIP defines the matching remote IPs of a request. + properties: + cidrRanges: + description: CIDRRanges defines the IPv4 or IPv6 CIDR ranges, e.g. ``196.148.3.128/26`` or ``2001:db8::/28``. + items: + description: CIDRRange defines an IPv4 or IPv6 CIDR range, e.g. “196.148.3.128/26“ or “2001:db8::/28“. + format: cidr + type: string + minItems: 1 + type: array + invert: + default: false + description: Invert indicates whether the match should be inverted. + type: boolean + required: + - cidrRanges + type: object + type: object + required: + - headers + - name + type: object + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: object + response: + description: Response defines manipulations on upstream response headers. + properties: + add: + description: Add defines which response headers will be added before forwarding to the downstream. + properties: + builtIn: + description: BuiltIn allows configuring a set of predefined upstream response headers. + properties: + csp: + default: true + description: |- + CSP sets a content security policy which allows only same-origin requests except for images + if the 'Content-Security-Policy' header is not set by the upstream. + type: boolean + featurePolicy: + default: false + description: |- + FeaturePolicy sets a feature policy which prevents cross-origin use of several browser features + if the 'Feature-Policy' header is not set by the upstream. + **Deprecated:** Use permissionsPolicy instead. + type: boolean + hsts: + default: true + description: HSTS enforces the use of HTTPS if the 'Strict-Transport-Security' header is not already set by the upstream. + type: boolean + hstsPreload: + default: false + description: HSTSPreload enforces the use of HTTPS including for subdomains and enables HSTS preload. + type: boolean + permissionsPolicy: + default: true + description: |- + PermissionsPolicy sets a permissions policy which prevents cross-origin use of several browser features + if the 'Permissions-Policy' header is not set by the upstream. + type: boolean + referrerPolicy: + default: true + description: |- + ReferrerPolicy ensures that no 'Referer' header is sent for cross-origin requests + if the 'Referrer-Policy' header is not set by the upstream. + type: boolean + xContentTypeOptions: + default: true + description: XContentTypeOptions sets 'X-Content-Type-Options' to 'nosniff' if it is not set by the upstream. + type: boolean + xFrameOptions: + default: true + description: XFrameOptions sets 'X-Frame-Options' to SAMEORIGIN if it is not set by the upstream. + type: boolean + type: object + custom: + description: Custom allows configuring additional upstream response headers. + items: + properties: + headers: + description: Headers to add. + items: + description: HeaderRewritesHeader specifies a header with a particular value + properties: + name: + description: Name defines the name of a header. + minLength: 1 + type: string + value: + description: Value defines the value of a header. + type: string + required: + - name + - value + type: object + minItems: 1 + type: array + mode: + default: AddIfAbsent + description: Mode defines the header addition strategy. + enum: + - AddIfAbsent + - OverwriteOrAdd + type: string + name: + description: Name describing the configured operation. + minLength: 1 + type: string + requestConditions: + description: RequestConditions defines additional request properties which must be matched in order for this operation to be applied. + properties: + header: + description: Header defines the matching headers of a request. + properties: + name: + description: Name defines the name of a header. + properties: + matcher: + description: Matcher defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted. + properties: + contains: + description: |- + Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + exact: + description: |- + Exact defines an explicit match on the string specified here. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + prefix: + description: |- + Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + regex: + description: |- + Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. + The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + suffix: + description: |- + Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + type: object + required: + - matcher + type: object + value: + description: Value defines the value of a header. + properties: + matcher: + description: StringMatcher defines the way to match a string. + properties: + contains: + description: |- + Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + exact: + description: |- + Exact defines an explicit match on the string specified here. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + ignoreCase: + default: false + description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. + type: boolean + prefix: + description: |- + Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + regex: + description: |- + Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. + The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + suffix: + description: |- + Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + type: object + required: + - matcher + type: object + type: object + invert: + default: false + description: Invert indicates whether the request condition should be inverted. + type: boolean + mediaType: + description: MediaType defines the matching media type from the content-type header of a request. + properties: + matcher: + description: |- + NonInvertableCaseInsensitiveStringMatcher defines the way to match a string. + In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted. + properties: + contains: + description: |- + Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + exact: + description: |- + Exact defines an explicit match on the string specified here. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + prefix: + description: |- + Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + regex: + description: |- + Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. + The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + suffix: + description: |- + Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + type: object + required: + - matcher + type: object + method: + description: Method defines the matching methods of a request. + items: + description: Method defines common HTTP methods. + enum: + - GET + - HEAD + - POST + - PUT + - PATCH + - DELETE + - CONNECT + - OPTIONS + - TRACE + type: string + type: array + path: + description: Path defines the matching path of a request. + properties: + matcher: + description: StringMatcher defines the way to match a string. + properties: + contains: + description: |- + Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + exact: + description: |- + Exact defines an explicit match on the string specified here. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + ignoreCase: + default: false + description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. + type: boolean + prefix: + description: |- + Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + regex: + description: |- + Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. + The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + suffix: + description: |- + Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + type: object + required: + - matcher + type: object + remoteIP: + description: RemoteIP defines the matching remote IPs of a request. + properties: + cidrRanges: + description: CIDRRanges defines the IPv4 or IPv6 CIDR ranges, e.g. ``196.148.3.128/26`` or ``2001:db8::/28``. + items: + description: CIDRRange defines an IPv4 or IPv6 CIDR range, e.g. “196.148.3.128/26“ or “2001:db8::/28“. + format: cidr + type: string + minItems: 1 + type: array + invert: + default: false + description: Invert indicates whether the match should be inverted. + type: boolean + required: + - cidrRanges + type: object + type: object + required: + - headers + - name + type: object + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + allow: + description: |- + Allow defines which response headers will be forwarded to the downstream. + This can either be allHeaders or matchingHeaders. + Default: allHeaders: {} + properties: + allHeaders: + description: AllHeaders specifies that all response headers should be forwarded. + type: object + matchingHeaders: + description: MatchingHeaders specifies which response headers should be forwarded. + properties: + builtIn: + description: BuiltIn allows configuring a set of predefined upstream response header. + properties: + standardHeaders: + default: false + description: StandardHeaders defines whether the response headers which are forwarded to the downstream will be restricted to a set of common response headers. + type: boolean + type: object + custom: + description: Custom allows configuring additional upstream response headers. + items: + properties: + headers: + description: Headers to allow. + items: + description: |- + HeaderMatcher defines a matcher for an HTTP header. + At least one of name and value must be set. + properties: + name: + description: Name defines the name of a header. + properties: + matcher: + description: Matcher defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted. + properties: + contains: + description: |- + Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + exact: + description: |- + Exact defines an explicit match on the string specified here. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + prefix: + description: |- + Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + regex: + description: |- + Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. + The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + suffix: + description: |- + Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + type: object + required: + - matcher + type: object + value: + description: Value defines the value of a header. + properties: + matcher: + description: StringMatcher defines the way to match a string. + properties: + contains: + description: |- + Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + exact: + description: |- + Exact defines an explicit match on the string specified here. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + ignoreCase: + default: false + description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. + type: boolean + prefix: + description: |- + Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + regex: + description: |- + Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. + The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + suffix: + description: |- + Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + type: object + required: + - matcher + type: object + type: object + minItems: 1 + type: array + name: + description: Name describing the configured operation. Must be unique. + minLength: 1 + type: string + requestConditions: + description: RequestConditions defines additional request properties which must be matched in order for this operation to be applied. + properties: + header: + description: Header defines the matching headers of a request. + properties: + name: + description: Name defines the name of a header. + properties: + matcher: + description: Matcher defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted. + properties: + contains: + description: |- + Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + exact: + description: |- + Exact defines an explicit match on the string specified here. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + prefix: + description: |- + Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + regex: + description: |- + Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. + The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + suffix: + description: |- + Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + type: object + required: + - matcher + type: object + value: + description: Value defines the value of a header. + properties: + matcher: + description: StringMatcher defines the way to match a string. + properties: + contains: + description: |- + Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + exact: + description: |- + Exact defines an explicit match on the string specified here. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + ignoreCase: + default: false + description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. + type: boolean + prefix: + description: |- + Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + regex: + description: |- + Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. + The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + suffix: + description: |- + Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + type: object + required: + - matcher + type: object + type: object + invert: + default: false + description: Invert indicates whether the request condition should be inverted. + type: boolean + mediaType: + description: MediaType defines the matching media type from the content-type header of a request. + properties: + matcher: + description: |- + NonInvertableCaseInsensitiveStringMatcher defines the way to match a string. + In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted. + properties: + contains: + description: |- + Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + exact: + description: |- + Exact defines an explicit match on the string specified here. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + prefix: + description: |- + Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + regex: + description: |- + Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. + The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + suffix: + description: |- + Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + type: object + required: + - matcher + type: object + method: + description: Method defines the matching methods of a request. + items: + description: Method defines common HTTP methods. + enum: + - GET + - HEAD + - POST + - PUT + - PATCH + - DELETE + - CONNECT + - OPTIONS + - TRACE + type: string + type: array + path: + description: Path defines the matching path of a request. + properties: + matcher: + description: StringMatcher defines the way to match a string. + properties: + contains: + description: |- + Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + exact: + description: |- + Exact defines an explicit match on the string specified here. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + ignoreCase: + default: false + description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. + type: boolean + prefix: + description: |- + Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + regex: + description: |- + Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. + The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + suffix: + description: |- + Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + type: object + required: + - matcher + type: object + remoteIP: + description: RemoteIP defines the matching remote IPs of a request. + properties: + cidrRanges: + description: CIDRRanges defines the IPv4 or IPv6 CIDR ranges, e.g. ``196.148.3.128/26`` or ``2001:db8::/28``. + items: + description: CIDRRange defines an IPv4 or IPv6 CIDR range, e.g. “196.148.3.128/26“ or “2001:db8::/28“. + format: cidr + type: string + minItems: 1 + type: array + invert: + default: false + description: Invert indicates whether the match should be inverted. + type: boolean + required: + - cidrRanges + type: object + type: object + required: + - headers + - name + type: object + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: object + remove: + description: Remove defines which response headers will be removed before forwarding to the downstream. + properties: + builtIn: + description: BuiltIn allows configuring a set of predefined upstream response headers. + properties: + auth: + description: Auth defines the categories of headers concerning authentication. + properties: + basic: + default: false + description: Basic removes upstream response headers that advise clients to authenticate with Basic Authentication. + type: boolean + negotiate: + default: true + description: Negotiate removes upstream response headers that advise clients to authenticate with Negotiate. + type: boolean + ntlm: + default: true + description: |- + NTLM removes upstream response headers that advise clients to authenticate with NTLM. + By default, these headers are removed, because NTLM pass-through is not supported. + type: boolean + type: object + informationLeakage: + description: InformationLeakage defines the categories of headers concerning information leakage. + properties: + application: + default: true + description: Application removes upstream response headers that leak information about the deployed software. + type: boolean + server: + default: true + description: Server removes upstream response headers that leak information about the server. + type: boolean + type: object + permissiveCors: + default: true + description: PermissiveCORS removes upstream response headers for CORS (Cross-Origin Resource Sharing) which have no restrictions and therefore reduce client-side security. + type: boolean + type: object + custom: + description: Custom allows configuring additional upstream response headers. + items: + properties: + headers: + description: Headers to remove. + items: + description: |- + HeaderMatcher defines a matcher for an HTTP header. + At least one of name and value must be set. + properties: + name: + description: Name defines the name of a header. + properties: + matcher: + description: Matcher defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted. + properties: + contains: + description: |- + Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + exact: + description: |- + Exact defines an explicit match on the string specified here. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + prefix: + description: |- + Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + regex: + description: |- + Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. + The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + suffix: + description: |- + Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + type: object + required: + - matcher + type: object + value: + description: Value defines the value of a header. + properties: + matcher: + description: StringMatcher defines the way to match a string. + properties: + contains: + description: |- + Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + exact: + description: |- + Exact defines an explicit match on the string specified here. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + ignoreCase: + default: false + description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. + type: boolean + prefix: + description: |- + Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + regex: + description: |- + Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. + The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + suffix: + description: |- + Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + type: object + required: + - matcher + type: object + type: object + minItems: 1 + type: array + name: + description: Name describing the configured remove operation. Must be unique. + minLength: 1 + type: string + requestConditions: + description: RequestConditions defines additional request properties which must be matched in order for this operation to be applied. + properties: + header: + description: Header defines the matching headers of a request. + properties: + name: + description: Name defines the name of a header. + properties: + matcher: + description: Matcher defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted. + properties: + contains: + description: |- + Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + exact: + description: |- + Exact defines an explicit match on the string specified here. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + prefix: + description: |- + Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + regex: + description: |- + Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. + The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + suffix: + description: |- + Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + type: object + required: + - matcher + type: object + value: + description: Value defines the value of a header. + properties: + matcher: + description: StringMatcher defines the way to match a string. + properties: + contains: + description: |- + Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + exact: + description: |- + Exact defines an explicit match on the string specified here. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + ignoreCase: + default: false + description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. + type: boolean + prefix: + description: |- + Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + regex: + description: |- + Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. + The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + suffix: + description: |- + Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + type: object + required: + - matcher + type: object + type: object + invert: + default: false + description: Invert indicates whether the request condition should be inverted. + type: boolean + mediaType: + description: MediaType defines the matching media type from the content-type header of a request. + properties: + matcher: + description: |- + NonInvertableCaseInsensitiveStringMatcher defines the way to match a string. + In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted. + properties: + contains: + description: |- + Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + exact: + description: |- + Exact defines an explicit match on the string specified here. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + prefix: + description: |- + Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + regex: + description: |- + Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. + The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + suffix: + description: |- + Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + type: object + required: + - matcher + type: object + method: + description: Method defines the matching methods of a request. + items: + description: Method defines common HTTP methods. + enum: + - GET + - HEAD + - POST + - PUT + - PATCH + - DELETE + - CONNECT + - OPTIONS + - TRACE + type: string + type: array + path: + description: Path defines the matching path of a request. + properties: + matcher: + description: StringMatcher defines the way to match a string. + properties: + contains: + description: |- + Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + exact: + description: |- + Exact defines an explicit match on the string specified here. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + ignoreCase: + default: false + description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. + type: boolean + prefix: + description: |- + Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + regex: + description: |- + Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. + The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + suffix: + description: |- + Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + type: object + required: + - matcher + type: object + remoteIP: + description: RemoteIP defines the matching remote IPs of a request. + properties: + cidrRanges: + description: CIDRRanges defines the IPv4 or IPv6 CIDR ranges, e.g. ``196.148.3.128/26`` or ``2001:db8::/28``. + items: + description: CIDRRange defines an IPv4 or IPv6 CIDR range, e.g. “196.148.3.128/26“ or “2001:db8::/28“. + format: cidr + type: string + minItems: 1 + type: array + invert: + default: false + description: Invert indicates whether the match should be inverted. + type: boolean + required: + - cidrRanges + type: object + type: object + required: + - headers + - name + type: object + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: object + settings: + description: Settings configures the HeaderRewrites filter. + properties: + operationalMode: + default: Production + description: OperationalMode defines the behavior of the filter. In integration mode more information is logged about the requests and responses. + enum: + - Production + - Integration + type: string + type: object + type: object + type: object + served: true + storage: true diff --git a/charts/airlock/microgateway/4.3.0/crds/identitypropagations.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.4.1/crds/identitypropagations.microgateway.airlock.com.yaml similarity index 64% rename from charts/airlock/microgateway/4.3.0/crds/identitypropagations.microgateway.airlock.com.yaml rename to charts/airlock/microgateway/4.4.1/crds/identitypropagations.microgateway.airlock.com.yaml index 8ff36ad33..a51e47545 100644 --- a/charts/airlock/microgateway/4.3.0/crds/identitypropagations.microgateway.airlock.com.yaml +++ b/charts/airlock/microgateway/4.4.1/crds/identitypropagations.microgateway.airlock.com.yaml @@ -2,10 +2,10 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.15.0 + controller-gen.kubebuilder.io/version: v0.16.4 labels: app.kubernetes.io/name: airlock-microgateway-operator - app.kubernetes.io/version: 4.3.0 + app.kubernetes.io/version: 4.4.1 name: identitypropagations.microgateway.airlock.com spec: group: microgateway.airlock.com @@ -47,6 +47,48 @@ spec: spec: description: Specification of the desired identity propagation. properties: + bearerToken: + description: BearerToken configures identity propagation via an authorization header containing a bearer token. + properties: + source: + description: Source from which to extract the token. + properties: + metadata: + description: Metadata specifies to extract a value from an Envoy dynamic filter metadata key. + properties: + key: + description: Key specifies the metadata key from which to load the value, e.g. `some_payload.aud`. + minLength: 1 + type: string + namespace: + description: Namespace specifies the metadata namespace within which the lookup should be performed, e.g. `envoy.filters.http.jwt_authn`. + minLength: 1 + type: string + required: + - key + - namespace + type: object + oidc: + description: OIDC specifies to extract a value from the result of an OpenID Connect flow. + properties: + accessToken: + description: AccessToken specifies to extract the value from the OpenID Connect Access Token. + type: object + idToken: + description: IDToken specifies to extract the value from the OpenID Connect ID Token. + properties: + claim: + description: Claim selects the JWT claim from which to extract the value. + minLength: 1 + type: string + required: + - claim + type: object + type: object + type: object + required: + - source + type: object header: description: Header configures identity propagation via a request header. properties: @@ -78,6 +120,9 @@ spec: oidc: description: OIDC specifies to extract a value from the result of an OpenID Connect flow. properties: + accessToken: + description: AccessToken specifies to extract the value from the OpenID Connect Access Token. + type: object idToken: description: IDToken specifies to extract the value from the OpenID Connect ID Token. properties: @@ -88,8 +133,6 @@ spec: required: - claim type: object - required: - - idToken type: object type: object required: diff --git a/charts/airlock/microgateway/4.4.1/crds/jwks.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.4.1/crds/jwks.microgateway.airlock.com.yaml new file mode 100644 index 000000000..a780e6a34 --- /dev/null +++ b/charts/airlock/microgateway/4.4.1/crds/jwks.microgateway.airlock.com.yaml @@ -0,0 +1,294 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.4 + labels: + app.kubernetes.io/name: airlock-microgateway-operator + app.kubernetes.io/version: 4.4.1 + name: jwks.microgateway.airlock.com +spec: + group: microgateway.airlock.com + names: + categories: + - airlock-microgateway + kind: JWKS + listKind: JWKSList + plural: jwks + singular: jwks + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: JWKS provides a JSON Web Key Set. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Specification of the JWKS. + properties: + provider: + description: Provider configures the source from which to retrieve the JWKS. + properties: + local: + description: Local specifies to retrieve the JWKS from a local secret. + properties: + secretRef: + description: SecretRef selects the secret containing the JWKS under the key 'jwks.json'. + properties: + name: + description: Name of the resource + minLength: 1 + type: string + required: + - name + type: object + required: + - secretRef + type: object + remote: + description: Remote specifies to retrieve the JWKS from a remote endpoint. + properties: + timeouts: + description: Timeouts specifies the timeouts when interacting with the Token endpoint. + properties: + connect: + default: 5s + description: Connect specifies the timeout for establishing a connection. + type: string + maxDuration: + default: 15s + description: MaxDuration specifies the response timeout. + type: string + type: object + tls: + description: TLS defines TLS settings. + properties: + certificateVerification: + description: CertificateVerification specifies how the certificate presented by the server is verified. + properties: + custom: + description: |- + Custom explicitly specifies how the server certificate should be verified. + Typical use cases include specifying a custom CA and SAN match when working with self-signed certificates or pinning a specific public key. + properties: + allowedSANs: + description: |- + AllowedSANs is a list of matchers to verify the Subject Alternative name. If specified, it will verify that the + Subject Alternative Name of the presented certificate matches one of the specified matchers. The matching uses “any” semantics, + that is to say, the SAN is verified if at least one matcher is matched. + AllowedSANs requires trustedCA to be set. + items: + description: |- + TLSValidationContextSANMatcher is a list of matchers to verify the Subject Alternative name. If specified, it will verify that the + Subject Alternative Name of the presented certificate matches one of the specified matchers. + properties: + matcher: + description: Matcher defines the string matcher for the SAN value. + properties: + contains: + description: |- + Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + exact: + description: |- + Exact defines an explicit match on the string specified here. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + ignoreCase: + default: false + description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. + type: boolean + prefix: + description: |- + Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + regex: + description: |- + Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. + The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + suffix: + description: |- + Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + type: object + sanType: + description: SanType defines the type of SAN matcher. + enum: + - DNS + - Email + - URI + - IPAddress + type: string + required: + - matcher + - sanType + type: object + minItems: 1 + type: array + certificatePinning: + description: |- + CertificatePinning defines constraints the presented certificate must fulfill. + If more than one constraint is configured only one must be satisfied. + At least one of allowedSPKIs and allowedHashes must be set. + properties: + allowedHashes: + description: |- + AllowedHashes is a list of hex-encoded SHA-256 hashes. + If specified, it will verify that the SHA-256 of the DER-encoded presented certificate matches one of the specified values. + items: + type: string + minItems: 1 + type: array + allowedSPKIs: + description: |- + AllowedSPKIs is a list of base64-encoded SHA-256 hashes. + If specified, it will verify that the SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate matches one of the specified values. + items: + type: string + minItems: 1 + type: array + type: object + crl: + description: CRL defines the Certificate Revocation List (CRL) settings. + properties: + lists: + description: Lists defines the list of secretRefs containing Certificate Revocation Lists. + items: + properties: + secretRef: + description: SecretRef defines the reference to a secret containing one or more CRL's (in PEM format) under the key 'ca.crl'. + properties: + name: + description: Name of the resource + minLength: 1 + type: string + required: + - name + type: object + required: + - secretRef + type: object + minItems: 1 + type: array + validationMode: + default: VerifyChain + description: ValidationMode defines whether only the leaf certificate or also the CA certs should be checked. + enum: + - VerifyLeafCertOnly + - VerifyChain + type: string + type: object + trustedCA: + description: TrustedCA defines which CA certificates are trusted. + properties: + certificates: + description: Certificates defines the list of secretRefs containing trusted CA certificates. + items: + properties: + secretRef: + description: SecretRef defines the reference to a secret containing one or more CA certificates under the key 'ca.crt'. + properties: + name: + description: Name of the resource + minLength: 1 + type: string + required: + - name + type: object + required: + - secretRef + type: object + minItems: 1 + type: array + verificationDepth: + default: 1 + description: |- + VerificationDepth specifies the hops in the certificate chain at which validation is performed. + 1 means that either the leaf or the signing CA must be in the set of trusted certificates. + format: int32 + type: integer + required: + - certificates + type: object + type: object + disabled: + description: |- + Disabled specifies to trust any certificate without verification. + THIS IS INSECURE AND SHOULD ONLY BE USED FOR TESTING. + type: object + publicCAs: + description: PublicCAs specifies to only accept certificates with a SAN matching "uri" and which are signed by a CA which is either directly or indirectly trusted by any of the root CA certificates shipped with the Airlock Microgateway Engine's base image. + type: object + type: object + ciphers: + description: Ciphers defines a list of the supported TLS cipher suites. For details on cipher list refer to the envoy documentation on cipher_suites in common tls configuration. + items: + type: string + minItems: 1 + type: array + protocol: + description: Protocol defines the supported TLS protocol versions. + properties: + maximum: + description: Maximum supported TLS version. + enum: + - TLSv1_0 + - TLSv1_1 + - TLSv1_2 + - TLSv1_3 + type: string + minimum: + description: Minimum supported TLS version. + enum: + - TLSv1_0 + - TLSv1_1 + - TLSv1_2 + - TLSv1_3 + type: string + type: object + type: object + uri: + description: URI specifies the endpoint address. + format: uri + minLength: 1 + pattern: ^(http|https)://.*$ + type: string + required: + - uri + type: object + type: object + required: + - provider + type: object + required: + - spec + type: object + served: true + storage: true diff --git a/charts/airlock/microgateway/4.3.0/crds/limits.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.4.1/crds/limits.microgateway.airlock.com.yaml similarity index 99% rename from charts/airlock/microgateway/4.3.0/crds/limits.microgateway.airlock.com.yaml rename to charts/airlock/microgateway/4.4.1/crds/limits.microgateway.airlock.com.yaml index f807994db..89ba9977c 100644 --- a/charts/airlock/microgateway/4.3.0/crds/limits.microgateway.airlock.com.yaml +++ b/charts/airlock/microgateway/4.4.1/crds/limits.microgateway.airlock.com.yaml @@ -2,10 +2,10 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.15.0 + controller-gen.kubebuilder.io/version: v0.16.4 labels: app.kubernetes.io/name: airlock-microgateway-operator - app.kubernetes.io/version: 4.3.0 + app.kubernetes.io/version: 4.4.1 name: limits.microgateway.airlock.com spec: group: microgateway.airlock.com diff --git a/charts/airlock/microgateway/4.3.0/crds/oidcproviders.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.4.1/crds/oidcproviders.microgateway.airlock.com.yaml similarity index 86% rename from charts/airlock/microgateway/4.3.0/crds/oidcproviders.microgateway.airlock.com.yaml rename to charts/airlock/microgateway/4.4.1/crds/oidcproviders.microgateway.airlock.com.yaml index 56dad4130..9777a206b 100644 --- a/charts/airlock/microgateway/4.3.0/crds/oidcproviders.microgateway.airlock.com.yaml +++ b/charts/airlock/microgateway/4.4.1/crds/oidcproviders.microgateway.airlock.com.yaml @@ -2,10 +2,10 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.15.0 + controller-gen.kubebuilder.io/version: v0.16.4 labels: app.kubernetes.io/name: airlock-microgateway-operator - app.kubernetes.io/version: 4.3.0 + app.kubernetes.io/version: 4.4.1 name: oidcproviders.microgateway.airlock.com spec: group: microgateway.airlock.com @@ -28,19 +28,7 @@ spec: description: |- OIDCProvider specifies an OpenID Provider (OP). - - {{% notice warning %}} The OIDC feature is currently in an experimental state. - - - We encourage you to try it out and give feedback, but be aware that we do not recommend using it in a production environment yet, as security has not yet been hardened. - In particular, the current implementation has the following limitations, which we intend to address in future Microgateway releases: - - The state parameter is guessable. - - Sessions are always shared across all Microgateway Engines using the same Redis instance. - I.e. if application A and B (with different SidecarGateways) have the same Redis instance configured in their SessionHandling CR, users which are logged into application A - may be able to access authenticated routes on application B, even if their OIDCRelyingParty configuration differs. - - - {{% /notice %}} + {{% notice info %}} The OIDC feature requires SessionHandling to be configured in the SidecarGateway. {{% /notice %}} properties: apiVersion: description: |- @@ -83,6 +71,18 @@ spec: token: description: Token configures the endpoint from which the access, ID and refresh tokens are obtained. properties: + timeouts: + description: Timeouts specifies the timeouts when interacting with the Token endpoint. + properties: + connect: + default: 5s + description: Connect specifies the timeout for establishing a connection. + type: string + maxDuration: + default: 15s + description: MaxDuration specifies the response timeout. + type: string + type: object tls: description: TLS defines TLS settings. properties: @@ -293,8 +293,45 @@ spec: - authorization - token type: object + issuer: + description: Issuer specifies the unique identifier of the OIDC Provider, which is used e.g. for signature verification. + format: uri + minLength: 1 + pattern: ^(http|https)://.*$ + type: string + tokenValidation: + description: TokenValidation configures token validation. + properties: + idToken: + description: IDToken configures validation for the OIDC ID Token. + properties: + signatureVerification: + description: SignatureVerification specifies how to verify the ID Token signature. + properties: + disabled: + description: Disabled specifies to skip verification of the JWT signature. Not recommended for production environments. + type: object + jwksRef: + description: JwksRef specifies the JWKS to use for verifying the JWT signature (usually provided by the OpenID Provider). + properties: + name: + description: Name of the resource + minLength: 1 + type: string + required: + - name + type: object + type: object + required: + - signatureVerification + type: object + required: + - idToken + type: object required: - endpoints + - issuer + - tokenValidation type: object type: object required: diff --git a/charts/airlock/microgateway/4.3.0/crds/oidcrelyingparties.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.4.1/crds/oidcrelyingparties.microgateway.airlock.com.yaml similarity index 84% rename from charts/airlock/microgateway/4.3.0/crds/oidcrelyingparties.microgateway.airlock.com.yaml rename to charts/airlock/microgateway/4.4.1/crds/oidcrelyingparties.microgateway.airlock.com.yaml index 578ac39df..4005300a3 100644 --- a/charts/airlock/microgateway/4.3.0/crds/oidcrelyingparties.microgateway.airlock.com.yaml +++ b/charts/airlock/microgateway/4.4.1/crds/oidcrelyingparties.microgateway.airlock.com.yaml @@ -2,10 +2,10 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.15.0 + controller-gen.kubebuilder.io/version: v0.16.4 labels: app.kubernetes.io/name: airlock-microgateway-operator - app.kubernetes.io/version: 4.3.0 + app.kubernetes.io/version: 4.4.1 name: oidcrelyingparties.microgateway.airlock.com spec: group: microgateway.airlock.com @@ -28,19 +28,6 @@ spec: description: |- OIDCRelyingParty specifies how the Airlock Microgateway Engine interacts with an OpenID Provider (OP). - - {{% notice warning %}} The OIDC feature is currently in an experimental state. - - - We encourage you to try it out and give feedback, but be aware that we do not recommend using it in a production environment yet, as security has not yet been hardened. - In particular, the current implementation has the following limitations, which we intend to address in future Microgateway releases: - - The state parameter is guessable. - - Sessions are always shared across all Microgateway Engines using the same Redis instance. - I.e. if application A and B (with different SidecarGateways) have the same Redis instance configured in their SessionHandling CR, users which are logged into application A - may be able to access authenticated routes on application B, even if their OIDCRelyingParty configuration differs. - - - {{% /notice %}} {{% notice info %}} The OIDC feature requires SessionHandling to be configured in the SidecarGateway. {{% /notice %}} properties: apiVersion: @@ -96,6 +83,10 @@ spec: required: - clientSecret type: object + flowTimeout: + default: 5m + description: FlowTimeout specifies the time window within which an initiated OIDC flow can be completed by the client. + type: string oidcProviderRef: description: OIDCProviderRef selects the OpenID Provider (OP) used to authenticate users. properties: @@ -110,7 +101,10 @@ spec: description: PathMapping configures the action matching. properties: logoutPath: - description: LogoutPath specifies which request paths should initiate a logout. + description: |- + LogoutPath specifies which request paths should initiate a logout. + + WARNING: If the AccessControl policy referencing this OIDCRelyingParty has a request condition, you must currently ensure that it also matches these logout requests. properties: matcher: description: StringMatcher defines the way to match a string. @@ -155,7 +149,10 @@ spec: - matcher type: object redirectPath: - description: RedirectPath specifies which request paths should be interpreted as a response from the authorization endpoint. + description: |- + RedirectPath specifies which request paths should be interpreted as a callback redirect from the authorization endpoint. + + WARNING: If the AccessControl policy referencing this OIDCRelyingParty has a request condition, you must currently ensure that it also matches these callback redirect requests. properties: matcher: description: StringMatcher defines the way to match a string. @@ -206,9 +203,23 @@ spec: redirectURI: description: |- RedirectURI configures the "redirect_uri" parameter included in the authorization request. - May contain envoy command operators, e.g. '%REQ(:x-forwarded-proto)%://%REQ(:authority)%/callback'. + May contain envoy command operators, e.g.: `%REQ(:x-forwarded-proto)%://%REQ(:authority)%/callback` + + WARNING: If the AccessControl policy referencing this OIDCRelyingParty has a request condition, you must currently + ensure that it also matches requests to this URI. minLength: 1 type: string + scopes: + description: |- + Scopes specifies the scopes to request during the OIDC flow. + The mandatory `openid` scope is implicitly added to the list if not already present. + Default: `['openid', 'profile']` + + Note: Different OIDCRelyingParties which use the same OIDC Provider and Client ID must request the same scopes for now. + items: + minLength: 1 + type: string + type: array required: - clientID - credentials diff --git a/charts/airlock/microgateway/4.3.0/crds/openapis.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.4.1/crds/openapis.microgateway.airlock.com.yaml similarity index 98% rename from charts/airlock/microgateway/4.3.0/crds/openapis.microgateway.airlock.com.yaml rename to charts/airlock/microgateway/4.4.1/crds/openapis.microgateway.airlock.com.yaml index 451dc8b88..2531bc334 100644 --- a/charts/airlock/microgateway/4.3.0/crds/openapis.microgateway.airlock.com.yaml +++ b/charts/airlock/microgateway/4.4.1/crds/openapis.microgateway.airlock.com.yaml @@ -2,10 +2,10 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.15.0 + controller-gen.kubebuilder.io/version: v0.16.4 labels: app.kubernetes.io/name: airlock-microgateway-operator - app.kubernetes.io/version: 4.3.0 + app.kubernetes.io/version: 4.4.1 name: openapis.microgateway.airlock.com spec: group: microgateway.airlock.com diff --git a/charts/airlock/microgateway/4.3.3/crds/parsers.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.4.1/crds/parsers.microgateway.airlock.com.yaml similarity index 99% rename from charts/airlock/microgateway/4.3.3/crds/parsers.microgateway.airlock.com.yaml rename to charts/airlock/microgateway/4.4.1/crds/parsers.microgateway.airlock.com.yaml index db60b6c84..5ed82205d 100644 --- a/charts/airlock/microgateway/4.3.3/crds/parsers.microgateway.airlock.com.yaml +++ b/charts/airlock/microgateway/4.4.1/crds/parsers.microgateway.airlock.com.yaml @@ -2,10 +2,10 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.15.0 + controller-gen.kubebuilder.io/version: v0.16.4 labels: app.kubernetes.io/name: airlock-microgateway-operator - app.kubernetes.io/version: 4.3.3 + app.kubernetes.io/version: 4.4.1 name: parsers.microgateway.airlock.com spec: group: microgateway.airlock.com diff --git a/charts/airlock/microgateway/4.3.0/crds/redisproviders.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.4.1/crds/redisproviders.microgateway.airlock.com.yaml similarity index 67% rename from charts/airlock/microgateway/4.3.0/crds/redisproviders.microgateway.airlock.com.yaml rename to charts/airlock/microgateway/4.4.1/crds/redisproviders.microgateway.airlock.com.yaml index 59c94b966..65c785f0a 100644 --- a/charts/airlock/microgateway/4.3.0/crds/redisproviders.microgateway.airlock.com.yaml +++ b/charts/airlock/microgateway/4.4.1/crds/redisproviders.microgateway.airlock.com.yaml @@ -2,10 +2,10 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.15.0 + controller-gen.kubebuilder.io/version: v0.16.4 labels: app.kubernetes.io/name: airlock-microgateway-operator - app.kubernetes.io/version: 4.3.0 + app.kubernetes.io/version: 4.4.1 name: redisproviders.microgateway.airlock.com spec: group: microgateway.airlock.com @@ -74,6 +74,63 @@ spec: mode: description: Mode configures the redis deployment mode. properties: + cluster: + description: Cluster specifies the Redis Cluster to connect to. + properties: + nodes: + description: Nodes specifies the Cluster nodes. + items: + properties: + host: + description: Host specifies the IP or hostname. + minLength: 1 + pattern: ^(\d{1,3}(\.\d{1,3}){3}|([0-9a-fA-F]{1,4}|:)+(:\d{1,3}(\.\d{1,3}){3})?|[a-z0-9\-]+(\.[a-z0-9\-]+)*)$ + type: string + port: + default: 6379 + description: Port specifies the port. + maximum: 65535 + minimum: 1 + type: integer + required: + - host + type: object + minItems: 1 + type: array + required: + - nodes + type: object + sentinel: + description: Sentinel specifies the Redis Sentinels to connect to. + properties: + masterName: + description: MasterName specifies the master name. + minLength: 1 + type: string + nodes: + description: Nodes specifies the Sentinel nodes. + items: + properties: + host: + description: Host specifies the IP or hostname. + minLength: 1 + pattern: ^(\d{1,3}(\.\d{1,3}){3}|([0-9a-fA-F]{1,4}|:)+(:\d{1,3}(\.\d{1,3}){3})?|[a-z0-9\-]+(\.[a-z0-9\-]+)*)$ + type: string + port: + default: 6379 + description: Port specifies the port. + maximum: 65535 + minimum: 1 + type: integer + required: + - host + type: object + minItems: 1 + type: array + required: + - masterName + - nodes + type: object standalone: description: Standalone specifies the standalone Redis instance to connect to. properties: @@ -148,6 +205,22 @@ spec: description: PublicCAs specifies to only accept certificates with a SAN matching the host and which are signed by a CA which is either directly or indirectly trusted by any of the root CA certificates shipped with the Airlock Microgateway Session Agent’s base image. type: object type: object + clientCertificate: + description: ClientCertificate configures client certificate authentication. If not specified, TLS-based client authentication is disabled. + properties: + secretRef: + description: SecretRef specifies the client certificate to use (secret of type kubernetes.io/tls). + properties: + name: + description: Name of the resource + minLength: 1 + type: string + required: + - name + type: object + required: + - secretRef + type: object type: object required: - mode diff --git a/charts/airlock/microgateway/4.3.0/crds/sessionhandlings.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.4.1/crds/sessionhandlings.microgateway.airlock.com.yaml similarity index 57% rename from charts/airlock/microgateway/4.3.0/crds/sessionhandlings.microgateway.airlock.com.yaml rename to charts/airlock/microgateway/4.4.1/crds/sessionhandlings.microgateway.airlock.com.yaml index 5275aa7b4..81ed6ac88 100644 --- a/charts/airlock/microgateway/4.3.0/crds/sessionhandlings.microgateway.airlock.com.yaml +++ b/charts/airlock/microgateway/4.4.1/crds/sessionhandlings.microgateway.airlock.com.yaml @@ -2,10 +2,10 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.15.0 + controller-gen.kubebuilder.io/version: v0.16.4 labels: app.kubernetes.io/name: airlock-microgateway-operator - app.kubernetes.io/version: 4.3.0 + app.kubernetes.io/version: 4.4.1 name: sessionhandlings.microgateway.airlock.com spec: group: microgateway.airlock.com @@ -21,15 +21,7 @@ spec: - name: v1alpha1 schema: openAPIV3Schema: - description: |- - SessionHandling contains the configuration for session handling. - - - {{% notice warning %}} The Session Handling feature (required for OIDC) is currently in an experimental state. - - - We encourage you to try it out and give feedback, but be aware that we do not recommend using it in a production environment yet, as high-availability Redis configurations (e.g. Sentinel/Cluster) are not yet supported. - {{% /notice %}} + description: SessionHandling contains the configuration for session handling. properties: apiVersion: description: |- @@ -51,6 +43,14 @@ spec: spec: description: Specification of the desired session handling behavior. properties: + defaultTimeouts: + description: DefaultTimeouts specifies the session timeouts to apply when not provided by the authentication method. + properties: + lifetime: + default: 12h + description: Lifetime specifies the maximum duration a session can exist. + type: string + type: object persistence: description: Persistence configures where to store the session state. properties: @@ -67,6 +67,18 @@ spec: required: - redisProviderRef type: object + prefix: + description: |- + Prefix specifies the prefix under which the sessions should be stored in the persistence layer. + If not specified, an automatic prefix derived from the namespaced SessionHandling CR name is used, which ensures that sessions will always be isolated on Microgateways configured with different SessionHandling CRs, even if they share the same persistence backend. + + To allow session sharing between different Microgateway deployments, ensure that the prefix and persistence backend is the same across all corresponding SessionHandling CRs. + + Note: Session cookies are currently never shared across different fully qualified domain names (FQDNs) and authentication via different OIDC Relying Parties generates different session cookies. Clients will therefore only able to transparently reuse session cookies for connecting to different Microgateway deployments if those are a) exposed under the same FQDN and b) handle authentication via the same OIDC Relying Party. + maxLength: 64 + minLength: 1 + pattern: ^[a-zA-Z][a-zA-Z0-9_]*$ + type: string required: - persistence type: object diff --git a/charts/airlock/microgateway/4.3.1/crds/sidecargateways.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.4.1/crds/sidecargateways.microgateway.airlock.com.yaml similarity index 99% rename from charts/airlock/microgateway/4.3.1/crds/sidecargateways.microgateway.airlock.com.yaml rename to charts/airlock/microgateway/4.4.1/crds/sidecargateways.microgateway.airlock.com.yaml index 9639c94fb..7229bacc0 100644 --- a/charts/airlock/microgateway/4.3.1/crds/sidecargateways.microgateway.airlock.com.yaml +++ b/charts/airlock/microgateway/4.4.1/crds/sidecargateways.microgateway.airlock.com.yaml @@ -2,10 +2,10 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.15.0 + controller-gen.kubebuilder.io/version: v0.16.4 labels: app.kubernetes.io/name: airlock-microgateway-operator - app.kubernetes.io/version: 4.3.1 + app.kubernetes.io/version: 4.4.1 name: sidecargateways.microgateway.airlock.com spec: group: microgateway.airlock.com diff --git a/charts/airlock/microgateway/4.3.0/crds/telemetries.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.4.1/crds/telemetries.microgateway.airlock.com.yaml similarity index 98% rename from charts/airlock/microgateway/4.3.0/crds/telemetries.microgateway.airlock.com.yaml rename to charts/airlock/microgateway/4.4.1/crds/telemetries.microgateway.airlock.com.yaml index 80a7cba97..96ef223f2 100644 --- a/charts/airlock/microgateway/4.3.0/crds/telemetries.microgateway.airlock.com.yaml +++ b/charts/airlock/microgateway/4.4.1/crds/telemetries.microgateway.airlock.com.yaml @@ -2,10 +2,10 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.15.0 + controller-gen.kubebuilder.io/version: v0.16.4 labels: app.kubernetes.io/name: airlock-microgateway-operator - app.kubernetes.io/version: 4.3.0 + app.kubernetes.io/version: 4.4.1 name: telemetries.microgateway.airlock.com spec: group: microgateway.airlock.com diff --git a/charts/airlock/microgateway/4.3.0/dashboards/blockLogs.json b/charts/airlock/microgateway/4.4.1/dashboards/blockLogs.json similarity index 68% rename from charts/airlock/microgateway/4.3.0/dashboards/blockLogs.json rename to charts/airlock/microgateway/4.4.1/dashboards/blockLogs.json index ef0ce6d62..8c96b4f64 100644 --- a/charts/airlock/microgateway/4.3.0/dashboards/blockLogs.json +++ b/charts/airlock/microgateway/4.4.1/dashboards/blockLogs.json @@ -60,7 +60,7 @@ } ] }, - "description": "Blocked requests by Airlock Microgateway retrieved from corresponding access logs.\n\nThe dashboard can be filtered by namespace and block type. Column filters on the table allow for even a more granular filtering of the logs.", + "description": "Log entries of threats blocked by Airlock Microgateway.\n\nThe dashboard can be filtered by namespace and block type. Column filters on the table allow for an even more granular filtering of the logs.", "editable": true, "fiscalYearStartMonth": 0, "graphTooltip": 0, @@ -140,7 +140,7 @@ }, { "id": "unit", - "value": "dateTimeAsIso" + "value": "time: YYYY-MM-DD HH:mm:ss.SSS" }, { "id": "custom.filterable" @@ -150,12 +150,12 @@ { "matcher": { "id": "byName", - "options": "Method" + "options": "HTTP Method" }, "properties": [ { "id": "custom.width", - "value": 89 + "value": 140 } ] }, @@ -222,7 +222,7 @@ { "matcher": { "id": "byName", - "options": "Attack Type" + "options": "Block Subtype" }, "properties": [ { @@ -230,18 +230,6 @@ "value": 217 } ] - }, - { - "matcher": { - "id": "byName", - "options": "Application" - }, - "properties": [ - { - "id": "custom.width", - "value": 207 - } - ] } ] }, @@ -266,7 +254,7 @@ "showHeader": true, "sortBy": [] }, - "pluginVersion": "11.0.0", + "pluginVersion": "10.2.0", "targets": [ { "datasource": { @@ -274,62 +262,14 @@ "uid": "${DS_LOKI}" }, "editorMode": "code", - "expr": "{container=\"airlock-microgateway-engine\", namespace=~\"${namespace:regex}\"} |= \"airlock_request_blocked_deny_rule\" |= \"envoy.access\"\n| json http_method=\"http.request.method\", url=\"url.path\", request_size=\"http.request.bytes\", client_ip=\"network.forwarded_ip\", request_id=\"http.request.id\", details=\"airlock.deny_rules.matches\"\n| label_format block_type=\"deny_rules\", attack_type=`{{ range $q := fromJson .details }} {{ if eq $q.threat_handling_mode \"block\" }} {{ $q.rule_key }} {{ end }} {{ end }}` | block_type=~\"${blockType:regex}\"", + "expr": "{container=\"airlock-microgateway-engine\", namespace=~\"${namespace:regex}\"} |= \"airlock_request_blocked\" |= \"envoy.access\"\n| json http_method=\"http.request.method\", url=\"url.path\", domain=\"url.domain\", request_size=\"http.request.bytes\", client_ip=\"network.forwarded_ip\", request_id=\"http.request.id\", details=\"airlock.actions.block.details\", block_type=\"airlock.actions.block.block_type\", block_subtype=\"airlock.actions.block.block_subtype\"\n| block_type=~\"${blockType:regex}\"", "hide": false, "queryType": "range", - "refId": "Deny Rule Blocks" - }, - { - "datasource": { - "type": "loki", - "uid": "${DS_LOKI}" - }, - "editorMode": "code", - "expr": "{container=\"airlock-microgateway-engine\", namespace=~\"${namespace:regex}\"} |= \"airlock_request_blocked_limit\" |= \"envoy.access\"\n| json http_method=\"http.request.method\", url=\"url.path\", request_size=\"http.request.bytes\", client_ip=\"network.forwarded_ip\", request_id=\"http.request.id\", details=\"airlock.limits.matches\"\n| label_format block_type=\"limits\", attack_type=`{{ range $q := fromJson .details }} {{ if eq $q.threat_handling_mode \"block\" }} {{ $q.rule }} {{ end }} {{ end }}` | block_type=~\"${blockType:regex}\"", - "hide": false, - "queryType": "range", - "refId": "Limit Blocks" - }, - { - "datasource": { - "type": "loki", - "uid": "${DS_LOKI}" - }, - "editorMode": "code", - "expr": "{container=\"airlock-microgateway-engine\", namespace=~\"${namespace:regex}\"} |= \"airlock_request_blocked_openapi\" |= \"envoy.access\"\n| json http_method=\"http.request.method\", url=\"url.path\", request_size=\"http.request.bytes\", client_ip=\"network.forwarded_ip\", request_id=\"http.request.id\", reference=\"airlock.openapi.reference\", constraint=\"airlock.openapi.request.failed_validation.constraint\", position=\"airlock.openapi.request.failed_validation.position\", message=\"airlock.openapi.request.failed_validation.message\"\n| label_format block_type=\"openapi\", attack_type=\"openapi\", details=`{{.reference }}: {{.constraint }} at {{ .position }} ({{ .message }})` | block_type=~\"${blockType:regex}\"", - "hide": false, - "queryType": "range", - "refId": "OpenAPI Blocks" - }, - { - "datasource": { - "type": "loki", - "uid": "${DS_LOKI}" - }, - "editorMode": "code", - "expr": "{container=\"airlock-microgateway-engine\", namespace=~\"${namespace:regex}\"} |= \"airlock_request_blocked_parser\" |= \"envoy.access\"\n| json http_method=\"http.request.method\", url=\"url.path\", request_size=\"http.request.bytes\", client_ip=\"network.forwarded_ip\", request_id=\"http.request.id\", attack_type=\"airlock.parser\", failed_check=\"airlock.parser.matches[0].failed_check\", message=\"airlock.parser.matches[0].message\"\n| label_format block_type=\"parsing\", attack_type=\"parsing\", details=`{{.failed_check}}: {{.message}}` | block_type=~\"${blockType:regex}\"", - "hide": false, - "queryType": "range", - "refId": "Parser Blocks" - }, - { - "datasource": { - "type": "loki", - "uid": "${DS_LOKI}" - }, - "editorMode": "code", - "expr": "{container=\"airlock-microgateway-engine\", namespace=~\"${namespace:regex}\"} |= \"airlock_request_blocked_graphql\" |= \"envoy.access\"\n| json http_method=\"http.request.method\", url=\"url.path\", request_size=\"http.request.bytes\", client_ip=\"network.forwarded_ip\", request_id=\"http.request.id\", reference=\"airlock.graphql.reference\", message=\"airlock.graphql.request.failed_validation.message\"\n| label_format block_type=\"graphql\", attack_type=\"graphql\", details=`{{ .reference }}: {{ .message }}` | block_type=~\"${blockType:regex}\"", - "hide": false, - "queryType": "range", - "refId": "GraphQL Blocks" + "refId": "Blocks" } ], "title": "Blocked Request logs", "transformations": [ - { - "id": "merge", - "options": {} - }, { "id": "extractFields", "options": { @@ -344,16 +284,16 @@ "include": { "names": [ "Time", - "attack_type", + "block_subtype", "block_type", "client_ip", "details", + "domain", "http_method", "namespace", "request_id", "request_size", - "url", - "pod" + "url" ] } } @@ -371,30 +311,29 @@ "includeByName": {}, "indexByName": { "Time": 0, - "attack_type": 7, + "block_subtype": 7, "block_type": 6, "client_ip": 9, "details": 8, + "domain": 2, "http_method": 3, "namespace": 1, - "pod": 2, "request_id": 10, "request_size": 5, "url": 4 }, "renameByName": { "Time": "Timestamp", - "attack_type": "Attack Type", + "block_subtype": "Block Subtype", "block_type": "Block Type", "client_ip": "Client IP", "details": "Details", - "http_method": "Method", + "domain": "URL Domain", + "http_method": "HTTP Method", "namespace": "Namespace", - "pod": "Pod", "request_id": "Request ID", "request_size": "Request Size", - "tsNs": "", - "url": "Path" + "url": "URL Path" } } } @@ -409,11 +348,7 @@ "templating": { "list": [ { - "current": { - "selected": false, - "text": "Loki", - "value": "P8E80F9AEF21F6940" - }, + "current": {}, "hide": 2, "includeAll": false, "label": "DS_LOKI", @@ -477,11 +412,7 @@ "type": "query" }, { - "current": { - "selected": false, - "text": "Prometheus", - "value": "PBFA97CFB590B2093" - }, + "current": {}, "hide": 2, "includeAll": false, "label": "DS_PROMETHEUS", @@ -503,7 +434,7 @@ "timeRangeUpdatedDuringEditOrView": false, "timepicker": {}, "timezone": "browser", - "title": "Airlock Microgateway Blocked Request Logs", + "title": "Airlock Microgateway Threats Block - Logs", "uid": "adnyzcvwnyadcc", "version": 3, "weekStart": "" diff --git a/charts/airlock/microgateway/4.3.0/dashboards/blockMetrics.json b/charts/airlock/microgateway/4.4.1/dashboards/blockMetrics.json similarity index 95% rename from charts/airlock/microgateway/4.3.0/dashboards/blockMetrics.json rename to charts/airlock/microgateway/4.4.1/dashboards/blockMetrics.json index ba383d22e..0b98122ef 100644 --- a/charts/airlock/microgateway/4.3.0/dashboards/blockMetrics.json +++ b/charts/airlock/microgateway/4.4.1/dashboards/blockMetrics.json @@ -58,7 +58,7 @@ } ] }, - "description": "Metrics on requests blocked by Airlock Microgateway.\n\nDashboard can be filtered by namespaces as well as block types.", + "description": "Metrics on threats blocked by Airlock Microgateway.\n\nDashboard can be filtered by namespaces as well as block types.", "editable": true, "fiscalYearStartMonth": 0, "graphTooltip": 0, @@ -88,7 +88,7 @@ "y": 0 }, "id": 6, - "title": "Airlock Microgateway Block Metrics", + "title": "Airlock Microgateway Threats Block - Metrics", "type": "row" }, { @@ -140,7 +140,7 @@ "textMode": "auto", "wideLayout": true }, - "pluginVersion": "11.0.0", + "pluginVersion": "10.2.0", "targets": [ { "datasource": { @@ -225,7 +225,7 @@ "textMode": "auto", "wideLayout": true }, - "pluginVersion": "11.0.0", + "pluginVersion": "10.2.0", "targets": [ { "datasource": { @@ -408,7 +408,7 @@ "type": "prometheus", "uid": "${DS_PROMETHEUS}" }, - "description": "Blocked requests by block type.", + "description": "Blocked threats by block type.", "fieldConfig": { "defaults": { "color": { @@ -448,7 +448,7 @@ } ] }, - "unit": "none" + "unit": "short" }, "overrides": [] }, @@ -482,7 +482,7 @@ "xTickLabelRotation": 0, "xTickLabelSpacing": 0 }, - "pluginVersion": "10.4.3", + "pluginVersion": "10.2.0", "targets": [ { "datasource": { @@ -520,7 +520,7 @@ "type": "prometheus", "uid": "${DS_PROMETHEUS}" }, - "description": "Blocked requests by attack type, which are subsets of the various block types.", + "description": "Blocked threats by block subtype, which are subsets of the various block types.", "fieldConfig": { "defaults": { "color": { @@ -557,7 +557,8 @@ "value": null } ] - } + }, + "unit": "short" }, "overrides": [] }, @@ -587,11 +588,11 @@ "mode": "single", "sort": "none" }, - "xField": "attack_type", + "xField": "block_subtype", "xTickLabelRotation": 0, "xTickLabelSpacing": 0 }, - "pluginVersion": "10.4.3", + "pluginVersion": "10.2.0", "targets": [ { "datasource": { @@ -600,14 +601,14 @@ }, "editorMode": "code", "exemplar": false, - "expr": "round(sum by (attack_type) (increase(microgateway_http_downstream_rq_threats_blocked_total{block_type=~\"${blockType:regex}\", namespace=~\"${namespace:regex}\", job=~\"${operator_namespace.regex}/.*-engine\"}[$__range])))", + "expr": "round(sum by (block_subtype) (increase(microgateway_http_downstream_rq_threats_blocked_total{block_type=~\"${blockType:regex}\", namespace=~\"${namespace:regex}\", job=~\"${operator_namespace.regex}/.*-engine\"}[$__range])))", "instant": true, "legendFormat": "__auto", "range": false, "refId": "A" } ], - "title": "Attack Type", + "title": "Block Subtype", "transformations": [ { "id": "reduce", @@ -630,11 +631,7 @@ "templating": { "list": [ { - "current": { - "selected": false, - "text": "Prometheus", - "value": "PBFA97CFB590B2093" - }, + "current": {}, "hide": 2, "includeAll": false, "label": "Datasource Prometheus", @@ -648,11 +645,7 @@ "type": "datasource" }, { - "current": { - "selected": false, - "text": "Loki", - "value": "P8E80F9AEF21F6940" - }, + "current": {}, "hide": 2, "includeAll": false, "label": "DS_LOKI", @@ -751,7 +744,7 @@ "hidden": false }, "timezone": "browser", - "title": "Airlock Microgateway Block Metrics", + "title": "Airlock Microgateway Threats Block - Metrics", "uid": "ddnqoczu7qvb4cdd3dd", "version": 3, "weekStart": "" diff --git a/charts/airlock/microgateway/4.3.3/dashboards/blockLogs.json b/charts/airlock/microgateway/4.4.1/dashboards/headerLogs.json similarity index 55% rename from charts/airlock/microgateway/4.3.3/dashboards/blockLogs.json rename to charts/airlock/microgateway/4.4.1/dashboards/headerLogs.json index ef0ce6d62..a6c45008f 100644 --- a/charts/airlock/microgateway/4.3.3/dashboards/blockLogs.json +++ b/charts/airlock/microgateway/4.4.1/dashboards/headerLogs.json @@ -7,14 +7,6 @@ "type": "datasource", "pluginId": "loki", "pluginName": "Loki" - }, - { - "name": "DS_PROMETHEUS", - "label": "Prometheus", - "description": "", - "type": "datasource", - "pluginId": "prometheus", - "pluginName": "Prometheus" } ], "__elements": {}, @@ -60,7 +52,7 @@ } ] }, - "description": "Blocked requests by Airlock Microgateway retrieved from corresponding access logs.\n\nThe dashboard can be filtered by namespace and block type. Column filters on the table allow for even a more granular filtering of the logs.", + "description": "Logs for header rewrites by Airlock Microgateway, retrieved from corresponding access logs.\n\nThe dashboard can be filtered by namespace. Column filters on the table allow for an even more granular filtering of the logs.", "editable": true, "fiscalYearStartMonth": 0, "graphTooltip": 0, @@ -84,6 +76,7 @@ "panels": [ { "datasource": { + "default": false, "type": "loki", "uid": "${DS_LOKI}" }, @@ -140,7 +133,7 @@ }, { "id": "unit", - "value": "dateTimeAsIso" + "value": "time: YYYY-MM-DD HH:mm:ss.SSS" }, { "id": "custom.filterable" @@ -150,12 +143,12 @@ { "matcher": { "id": "byName", - "options": "Method" + "options": "HTTP Method" }, "properties": [ { "id": "custom.width", - "value": 89 + "value": 140 } ] }, @@ -183,22 +176,6 @@ } ] }, - { - "matcher": { - "id": "byName", - "options": "Block Type" - }, - "properties": [ - { - "id": "custom.width", - "value": 116 - }, - { - "id": "custom.filterable", - "value": false - } - ] - }, { "matcher": { "id": "byName", @@ -218,30 +195,6 @@ "value": "right" } ] - }, - { - "matcher": { - "id": "byName", - "options": "Attack Type" - }, - "properties": [ - { - "id": "custom.width", - "value": 217 - } - ] - }, - { - "matcher": { - "id": "byName", - "options": "Application" - }, - "properties": [ - { - "id": "custom.width", - "value": 207 - } - ] } ] }, @@ -266,7 +219,7 @@ "showHeader": true, "sortBy": [] }, - "pluginVersion": "11.0.0", + "pluginVersion": "10.2.0", "targets": [ { "datasource": { @@ -274,62 +227,14 @@ "uid": "${DS_LOKI}" }, "editorMode": "code", - "expr": "{container=\"airlock-microgateway-engine\", namespace=~\"${namespace:regex}\"} |= \"airlock_request_blocked_deny_rule\" |= \"envoy.access\"\n| json http_method=\"http.request.method\", url=\"url.path\", request_size=\"http.request.bytes\", client_ip=\"network.forwarded_ip\", request_id=\"http.request.id\", details=\"airlock.deny_rules.matches\"\n| label_format block_type=\"deny_rules\", attack_type=`{{ range $q := fromJson .details }} {{ if eq $q.threat_handling_mode \"block\" }} {{ $q.rule_key }} {{ end }} {{ end }}` | block_type=~\"${blockType:regex}\"", + "expr": "{container=\"airlock-microgateway-engine\", namespace=~\"${namespace:regex}\"} |= \"header_rewrites\" |= \"envoy.access\"\n| json http_method=\"http.request.method\", url=\"url.path\", domain=\"url.domain\", request_size=\"http.request.bytes\", client_ip=\"network.forwarded_ip\", request_id=\"http.request.id\", header_request_details=\"airlock.actions.header_rewrites.request\", header_response_details=\"airlock.actions.header_rewrites.response\", log_type=\"event.dataset\" | log_type = `envoy.access`", "hide": false, "queryType": "range", - "refId": "Deny Rule Blocks" - }, - { - "datasource": { - "type": "loki", - "uid": "${DS_LOKI}" - }, - "editorMode": "code", - "expr": "{container=\"airlock-microgateway-engine\", namespace=~\"${namespace:regex}\"} |= \"airlock_request_blocked_limit\" |= \"envoy.access\"\n| json http_method=\"http.request.method\", url=\"url.path\", request_size=\"http.request.bytes\", client_ip=\"network.forwarded_ip\", request_id=\"http.request.id\", details=\"airlock.limits.matches\"\n| label_format block_type=\"limits\", attack_type=`{{ range $q := fromJson .details }} {{ if eq $q.threat_handling_mode \"block\" }} {{ $q.rule }} {{ end }} {{ end }}` | block_type=~\"${blockType:regex}\"", - "hide": false, - "queryType": "range", - "refId": "Limit Blocks" - }, - { - "datasource": { - "type": "loki", - "uid": "${DS_LOKI}" - }, - "editorMode": "code", - "expr": "{container=\"airlock-microgateway-engine\", namespace=~\"${namespace:regex}\"} |= \"airlock_request_blocked_openapi\" |= \"envoy.access\"\n| json http_method=\"http.request.method\", url=\"url.path\", request_size=\"http.request.bytes\", client_ip=\"network.forwarded_ip\", request_id=\"http.request.id\", reference=\"airlock.openapi.reference\", constraint=\"airlock.openapi.request.failed_validation.constraint\", position=\"airlock.openapi.request.failed_validation.position\", message=\"airlock.openapi.request.failed_validation.message\"\n| label_format block_type=\"openapi\", attack_type=\"openapi\", details=`{{.reference }}: {{.constraint }} at {{ .position }} ({{ .message }})` | block_type=~\"${blockType:regex}\"", - "hide": false, - "queryType": "range", - "refId": "OpenAPI Blocks" - }, - { - "datasource": { - "type": "loki", - "uid": "${DS_LOKI}" - }, - "editorMode": "code", - "expr": "{container=\"airlock-microgateway-engine\", namespace=~\"${namespace:regex}\"} |= \"airlock_request_blocked_parser\" |= \"envoy.access\"\n| json http_method=\"http.request.method\", url=\"url.path\", request_size=\"http.request.bytes\", client_ip=\"network.forwarded_ip\", request_id=\"http.request.id\", attack_type=\"airlock.parser\", failed_check=\"airlock.parser.matches[0].failed_check\", message=\"airlock.parser.matches[0].message\"\n| label_format block_type=\"parsing\", attack_type=\"parsing\", details=`{{.failed_check}}: {{.message}}` | block_type=~\"${blockType:regex}\"", - "hide": false, - "queryType": "range", - "refId": "Parser Blocks" - }, - { - "datasource": { - "type": "loki", - "uid": "${DS_LOKI}" - }, - "editorMode": "code", - "expr": "{container=\"airlock-microgateway-engine\", namespace=~\"${namespace:regex}\"} |= \"airlock_request_blocked_graphql\" |= \"envoy.access\"\n| json http_method=\"http.request.method\", url=\"url.path\", request_size=\"http.request.bytes\", client_ip=\"network.forwarded_ip\", request_id=\"http.request.id\", reference=\"airlock.graphql.reference\", message=\"airlock.graphql.request.failed_validation.message\"\n| label_format block_type=\"graphql\", attack_type=\"graphql\", details=`{{ .reference }}: {{ .message }}` | block_type=~\"${blockType:regex}\"", - "hide": false, - "queryType": "range", - "refId": "GraphQL Blocks" + "refId": "Header Rewrites" } ], - "title": "Blocked Request logs", + "title": "Header Rewrite Logs", "transformations": [ - { - "id": "merge", - "options": {} - }, { "id": "extractFields", "options": { @@ -344,16 +249,15 @@ "include": { "names": [ "Time", - "attack_type", - "block_type", "client_ip", - "details", + "domain", + "header_request_details", + "header_response_details", "http_method", "namespace", "request_id", "request_size", - "url", - "pod" + "url" ] } } @@ -371,30 +275,28 @@ "includeByName": {}, "indexByName": { "Time": 0, - "attack_type": 7, - "block_type": 6, - "client_ip": 9, - "details": 8, + "client_ip": 8, + "domain": 2, + "header_request_details": 6, + "header_response_details": 7, "http_method": 3, "namespace": 1, - "pod": 2, - "request_id": 10, + "request_id": 9, "request_size": 5, "url": 4 }, "renameByName": { "Time": "Timestamp", - "attack_type": "Attack Type", - "block_type": "Block Type", "client_ip": "Client IP", "details": "Details", - "http_method": "Method", + "domain": "URL Domain", + "header_request_details": "Request Header Actions", + "header_response_details": "Response Header Actions", + "http_method": "HTTP Method", "namespace": "Namespace", - "pod": "Pod", "request_id": "Request ID", "request_size": "Request Size", - "tsNs": "", - "url": "Path" + "url": "URL Path" } } } @@ -409,11 +311,7 @@ "templating": { "list": [ { - "current": { - "selected": false, - "text": "Loki", - "value": "P8E80F9AEF21F6940" - }, + "current": {}, "hide": 2, "includeAll": false, "label": "DS_LOKI", @@ -452,36 +350,7 @@ "type": "query" }, { - "allValue": ".*", "current": {}, - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "definition": "label_values(microgateway_http_downstream_rq_threats_blocked_total,block_type)", - "hide": 0, - "includeAll": true, - "label": "Block Type", - "multi": true, - "name": "blockType", - "options": [], - "query": { - "qryType": 1, - "query": "label_values(microgateway_http_downstream_rq_threats_blocked_total,block_type)", - "refId": "PrometheusVariableQueryEditor-VariableQuery" - }, - "refresh": 2, - "regex": "", - "skipUrlSync": false, - "sort": 5, - "type": "query" - }, - { - "current": { - "selected": false, - "text": "Prometheus", - "value": "PBFA97CFB590B2093" - }, "hide": 2, "includeAll": false, "label": "DS_PROMETHEUS", @@ -500,11 +369,10 @@ "from": "now-15m", "to": "now" }, - "timeRangeUpdatedDuringEditOrView": false, "timepicker": {}, "timezone": "browser", - "title": "Airlock Microgateway Blocked Request Logs", - "uid": "adnyzcvwnyadcc", - "version": 3, + "title": "Airlock Microgateway Header Rewrites - Logs", + "uid": "adnydadenyadcc", + "version": 1, "weekStart": "" } \ No newline at end of file diff --git a/charts/airlock/microgateway/4.3.4/dashboards/overview.json b/charts/airlock/microgateway/4.4.1/dashboards/license.json similarity index 54% rename from charts/airlock/microgateway/4.3.4/dashboards/overview.json rename to charts/airlock/microgateway/4.4.1/dashboards/license.json index 094276621..14886328a 100644 --- a/charts/airlock/microgateway/4.3.4/dashboards/overview.json +++ b/charts/airlock/microgateway/4.4.1/dashboards/license.json @@ -58,6 +58,7 @@ } ] }, + "description": "Overview on Airlock Microgateway License attributes and usage.", "editable": true, "fiscalYearStartMonth": 0, "graphTooltip": 0, @@ -79,246 +80,12 @@ } ], "panels": [ - { - "gridPos": { - "h": 1, - "w": 24, - "x": 0, - "y": 0 - }, - "id": 3, - "title": "Overview", - "type": "row" - }, { "datasource": { "type": "prometheus", "uid": "${DS_PROMETHEUS}" }, - "description": "Number of pods that are protected by Airlock Microgateway.", - "fieldConfig": { - "defaults": { - "color": { - "mode": "thresholds" - }, - "mappings": [], - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "text", - "value": null - } - ] - } - }, - "overrides": [] - }, - "gridPos": { - "h": 4, - "w": 3, - "x": 0, - "y": 1 - }, - "id": 11, - "options": { - "colorMode": "value", - "graphMode": "none", - "justifyMode": "auto", - "orientation": "auto", - "reduceOptions": { - "calcs": [ - "last" - ], - "fields": "", - "values": false - }, - "showPercentChange": false, - "textMode": "auto", - "wideLayout": true - }, - "pluginVersion": "11.0.0", - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "editorMode": "code", - "exemplar": false, - "expr": "sum(microgateway_sidecars{namespace=~\"${operator_namespace.regex}\"})", - "instant": true, - "legendFormat": "Protected Pods", - "range": false, - "refId": "A" - } - ], - "title": "Protected Pods", - "type": "stat" - }, - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "description": "Total number of requests processed by Airlock Microgateway.", - "fieldConfig": { - "defaults": { - "color": { - "fixedColor": "text", - "mode": "fixed" - }, - "mappings": [], - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - }, - "unit": "short" - }, - "overrides": [] - }, - "gridPos": { - "h": 4, - "w": 3, - "x": 3, - "y": 1 - }, - "id": 4, - "options": { - "colorMode": "value", - "graphMode": "none", - "justifyMode": "auto", - "orientation": "auto", - "reduceOptions": { - "calcs": [ - "last" - ], - "fields": "", - "values": false - }, - "showPercentChange": false, - "textMode": "auto", - "wideLayout": true - }, - "pluginVersion": "11.0.0", - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "disableTextWrap": false, - "editorMode": "code", - "exemplar": false, - "expr": "round(sum(increase(microgateway_license_http_rq_total{namespace=~\"${namespace:regex}\", job=~\"${operator_namespace.regex}/.*-engine\"}[$__range])))", - "format": "time_series", - "fullMetaSearch": false, - "hide": false, - "includeNullMetadata": true, - "instant": true, - "legendFormat": "Processed Requests", - "range": false, - "refId": "A", - "useBackend": false - } - ], - "title": "Requests", - "type": "stat" - }, - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "description": "Ratio of blocked requests vs. processed requests by Airlock Microgateway.", - "fieldConfig": { - "defaults": { - "color": { - "fixedColor": "text", - "mode": "fixed" - }, - "mappings": [ - { - "options": { - "match": "nan", - "result": { - "index": 0, - "text": "n/a" - } - }, - "type": "special" - } - ], - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - }, - "unit": "percentunit" - }, - "overrides": [] - }, - "gridPos": { - "h": 4, - "w": 3, - "x": 6, - "y": 1 - }, - "id": 5, - "options": { - "colorMode": "value", - "graphMode": "area", - "justifyMode": "auto", - "orientation": "auto", - "reduceOptions": { - "calcs": [ - "last" - ], - "fields": "", - "values": false - }, - "showPercentChange": false, - "textMode": "auto", - "wideLayout": true - }, - "pluginVersion": "11.0.0", - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "disableTextWrap": false, - "editorMode": "code", - "exemplar": false, - "expr": "sum(increase(microgateway_http_downstream_rq_threats_blocked_total{namespace=~\"${namespace:regex}\", job=~\"${operator_namespace.regex}/.*-engine\"}[$__range])) / sum(increase(microgateway_license_http_rq_total{namespace=~\"${namespace:regex}\", job=~\"${operator_namespace.regex}/.*-engine\"}[$__range]))", - "fullMetaSearch": false, - "includeNullMetadata": true, - "instant": true, - "legendFormat": "Blocked Requests (%)", - "range": false, - "refId": "A", - "useBackend": false - } - ], - "title": "% Blocked Requests", - "type": "stat" - }, - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "description": "License status of Airlock Microgateway.", + "description": "Aggregated status of the Airlock Microgateway licenses selected in the dashboard filter.", "fieldConfig": { "defaults": { "color": { @@ -356,15 +123,16 @@ "gridPos": { "h": 4, "w": 3, - "x": 9, - "y": 1 + "x": 0, + "y": 0 }, - "id": 10, + "id": 1, "options": { "colorMode": "value", "graphMode": "area", "justifyMode": "auto", "orientation": "auto", + "percentChangeColorMode": "standard", "reduceOptions": { "calcs": [ "lastNotNull" @@ -376,7 +144,7 @@ "textMode": "auto", "wideLayout": true }, - "pluginVersion": "11.0.0", + "pluginVersion": "10.2.0", "targets": [ { "datasource": { @@ -385,33 +153,229 @@ }, "editorMode": "code", "exemplar": false, - "expr": "min(microgateway_license_valid{namespace=~\"${operator_namespace.regex}\"})", + "expr": "min(microgateway_license_valid * on (service,instance) group_left(id) microgateway_license_info{id=~\"${license_id.regex}\"})", "instant": true, "legendFormat": "License Status", "range": false, "refId": "Licenses" } ], - "title": "License", + "title": "License Status", "type": "stat" }, - { - "gridPos": { - "h": 1, - "w": 24, - "x": 0, - "y": 5 - }, - "id": 2, - "title": "Blocks", - "type": "row" - }, { "datasource": { "type": "prometheus", "uid": "${DS_PROMETHEUS}" }, - "description": "Requests per second processed by Airlock Microgateway along with the corresponding block rate.", + "description": "Next upcoming expiry date over all Airlock Microgateway licenses selected in the dashboard filter.", + "fieldConfig": { + "defaults": { + "color": { + "fixedColor": "text", + "mode": "fixed" + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + } + ] + }, + "unit": "time: L" + }, + "overrides": [] + }, + "gridPos": { + "h": 4, + "w": 4, + "x": 3, + "y": 0 + }, + "id": 4, + "options": { + "colorMode": "value", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "auto", + "percentChangeColorMode": "standard", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "showPercentChange": false, + "textMode": "auto", + "wideLayout": true + }, + "pluginVersion": "10.2.0", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "code", + "exemplar": false, + "expr": "min(microgateway_license_expiry_timestamp_seconds * on (service, namespace) group_left(id) microgateway_license_info{id=~\"${license_id.regex}\"})*1000", + "instant": true, + "legendFormat": "Expiry Date (MM/DD/YYYY)", + "range": false, + "refId": "A" + } + ], + "title": "License Expiry Date", + "type": "stat" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "description": "Sum of the number licensed requests over all Airlock Microgateway license selected in the dashboard filter.", + "fieldConfig": { + "defaults": { + "color": { + "fixedColor": "text", + "mode": "fixed" + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + } + ] + }, + "unit": "short" + }, + "overrides": [] + }, + "gridPos": { + "h": 4, + "w": 4, + "x": 7, + "y": 0 + }, + "id": 6, + "options": { + "colorMode": "value", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "auto", + "percentChangeColorMode": "standard", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "showPercentChange": false, + "textMode": "auto", + "wideLayout": true + }, + "pluginVersion": "10.2.0", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "code", + "exemplar": false, + "expr": "sum(topk(1, (microgateway_license_max_rq_count_per_month > 0) * on (service, namespace) group_left(id) microgateway_license_info{id=~\"${license_id.regex}\"}) by (id))", + "instant": true, + "legendFormat": "Licensed Requests", + "range": false, + "refId": "A" + } + ], + "title": "Licensed Requests", + "type": "stat" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "description": "Sum of the estimated number of requests over 30 days based on the last 7 days over all Airlock Microgateway licenses selected in the dashboard filter.", + "fieldConfig": { + "defaults": { + "color": { + "fixedColor": "text", + "mode": "fixed" + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + } + ] + }, + "unit": "short" + }, + "overrides": [] + }, + "gridPos": { + "h": 4, + "w": 5, + "x": 11, + "y": 0 + }, + "id": 2, + "options": { + "colorMode": "value", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "auto", + "percentChangeColorMode": "standard", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "showPercentChange": false, + "textMode": "auto", + "wideLayout": true + }, + "pluginVersion": "10.2.0", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "code", + "exemplar": false, + "expr": "(sum((label_replace(increase(microgateway_license_http_rq_total[7d]), \"namespace\", \"$1\", \"job\", \"(.+)/.*\")) * on(namespace) group_left(id) microgateway_license_info{id=~\"${license_id.regex}\"}))/7*30", + "instant": true, + "legendFormat": "Estimated Requests", + "range": false, + "refId": "A" + } + ], + "title": "Requests over 30 days (estimated)", + "type": "stat" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "description": "Number of requests per week processed by Airlock Microgateway.", "fieldConfig": { "defaults": { "color": { @@ -423,8 +387,9 @@ "axisCenteredZero": false, "axisColorMode": "text", "axisLabel": "", - "axisPlacement": "left", + "axisPlacement": "auto", "barAlignment": 0, + "barWidthFactor": 0.6, "drawStyle": "line", "fillOpacity": 0, "gradientMode": "none", @@ -455,65 +420,22 @@ "mode": "absolute", "steps": [ { - "color": "blue", + "color": "green", "value": null } ] - } - }, - "overrides": [ - { - "matcher": { - "id": "byName", - "options": "% Blocks" - }, - "properties": [ - { - "id": "custom.axisPlacement", - "value": "right" - }, - { - "id": "unit", - "value": "percentunit" - }, - { - "id": "color", - "value": { - "fixedColor": "orange", - "mode": "fixed" - } - }, - { - "id": "max", - "value": 1 - } - ] }, - { - "matcher": { - "id": "byName", - "options": "Requests per second" - }, - "properties": [ - { - "id": "unit", - "value": "short" - }, - { - "id": "custom.fillOpacity", - "value": 25 - } - ] - } - ] + "unit": "short" + }, + "overrides": [] }, "gridPos": { - "h": 10, - "w": 12, + "h": 13, + "w": 24, "x": 0, - "y": 6 + "y": 4 }, - "id": 6, + "id": 5, "options": { "legend": { "calcs": [], @@ -521,9 +443,6 @@ "placement": "bottom", "showLegend": true }, - "timezone": [ - "" - ], "tooltip": { "maxHeight": 600, "mode": "single", @@ -537,36 +456,24 @@ "uid": "${DS_PROMETHEUS}" }, "editorMode": "code", - "exemplar": false, - "expr": "sum(rate(microgateway_license_http_rq_total{namespace=~\"${namespace:regex}\", job=~\"${operator_namespace.regex}/.*-engine\"}[1m]))", - "instant": false, - "legendFormat": "Requests per second", - "range": true, - "refId": "Requests per Second" - }, - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "editorMode": "code", - "expr": "sum(rate(microgateway_http_downstream_rq_threats_blocked_total{namespace=~\"${namespace:regex}\", job=~\"${operator_namespace.regex}/.*-engine\"}[1m])) / sum(rate(microgateway_license_http_rq_total{namespace=~\"${namespace:regex}\", job=~\"${operator_namespace.regex}/.*-engine\"}[1m]))", + "expr": " sum((label_replace(avg_over_time(increase(microgateway_license_http_rq_total[7d])[2m:30s]), \"namespace\", \"$1\", \"job\", \"(.+)/.*\")) * on(namespace) group_left(id) microgateway_license_info{id=~\"${license_id.regex}\"})", "hide": false, "instant": false, - "legendFormat": "% Blocks", + "legendFormat": "# Requests per week", "range": true, - "refId": "Blocks" + "refId": "C" } ], - "title": "Requests vs. % Blocks", + "title": "Processed Requests per week", "type": "timeseries" }, { "datasource": { + "default": false, "type": "prometheus", "uid": "${DS_PROMETHEUS}" }, - "description": "Requests blocked by Airlock Microgateway categorized by their corresponding type.", + "description": "Estimated number of requests over 30 days based on the last 7 days per operator namespace for the Airlock Microgateway licenses selected in the dashboard filter.", "fieldConfig": { "defaults": { "color": { @@ -575,26 +482,10 @@ "custom": { "align": "auto", "cellOptions": { - "barAlignment": 0, - "drawStyle": "line", - "gradientMode": "none", - "hideValue": false, - "lineInterpolation": "linear", - "lineStyle": { - "dash": [ - 10, - 10 - ], - "fill": "solid" - }, - "showPoints": "never", - "spanNulls": false, - "type": "sparkline" + "type": "auto" }, "inspect": false }, - "displayName": "Block Type", - "fieldMinMax": false, "mappings": [], "thresholds": { "mode": "absolute", @@ -602,6 +493,10 @@ { "color": "green", "value": null + }, + { + "color": "red", + "value": 80 } ] } @@ -610,67 +505,78 @@ { "matcher": { "id": "byName", - "options": "block_type" + "options": "License ID" }, "properties": [ { "id": "custom.width", - "value": 153 - }, - { - "id": "custom.cellOptions", - "value": { - "type": "auto" - } + "value": 330 } ] }, { "matcher": { "id": "byName", - "options": "Trend #Block Types" + "options": "Requests over 30 days (estimated)" }, "properties": [ { - "id": "color", - "value": { - "fixedColor": "orange", - "mode": "fixed" - } + "id": "unit", + "value": "short" + }, + { + "id": "mappings", + "value": [ + { + "options": { + "match": "null+nan", + "result": { + "index": 0, + "text": "0" + } + }, + "type": "special" + } + ] + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "Operator Namespace" + }, + "properties": [ + { + "id": "custom.width", + "value": 307 } ] } ] }, "gridPos": { - "h": 10, - "w": 12, - "x": 12, - "y": 6 + "h": 8, + "w": 11, + "x": 0, + "y": 17 }, "id": 7, "options": { - "cellHeight": "lg", + "cellHeight": "sm", "footer": { "countRows": false, - "enablePagination": false, - "fields": [ - "Value" - ], + "fields": "", "reducer": [ "sum" ], "show": false }, - "showHeader": false, - "sortBy": [ - { - "desc": true, - "displayName": "block_type" - } - ] + "frameIndex": 1, + "showHeader": true, + "sortBy": [] }, - "pluginVersion": "11.0.0", + "pluginVersion": "10.2.0", "targets": [ { "datasource": { @@ -678,84 +584,91 @@ "uid": "${DS_PROMETHEUS}" }, "editorMode": "code", - "expr": "sum by (block_type) (increase(microgateway_http_downstream_rq_threats_blocked_total{namespace=~\"${namespace:regex}\", job=~\"${operator_namespace.regex}/.*-engine\"}[1m] offset -1m))/(60000/$__interval_ms)", - "format": "time_series", - "instant": false, + "exemplar": false, + "expr": "(sum by (namespace, id) ((label_replace(increase(microgateway_license_http_rq_total[7d]), \"namespace\", \"$1\", \"job\", \"(.+)/.*\")) * on(namespace) group_left(id) microgateway_license_info{id=~\"${license_id.regex}\"}))/7*30", + "format": "table", + "hide": false, + "instant": true, "legendFormat": "__auto", - "range": true, - "refId": "Block Types" + "range": false, + "refId": "Est. Usage over 30 days" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "code", + "exemplar": false, + "expr": "(min by(namespace) (microgateway_build_info{container=\"manager\"})) * on (namespace) group_left(id) microgateway_license_info{id=~\"${license_id.regex}\"}", + "format": "table", + "hide": false, + "instant": true, + "legendFormat": "__auto", + "range": false, + "refId": "Engine License" } ], - "title": "Blocked Requests by Type", + "title": "Usage by Operator Namespace", "transformations": [ { - "id": "timeSeriesTable", + "id": "merge", + "options": {} + }, + { + "id": "organize", "options": { - "A": { - "timeField": "Time" + "excludeByName": { + "Time": true, + "Value #Engine License": true, + "Value #Licensed Req": false, + "container": true, + "endpoint": true, + "instance": true, + "job": true, + "namespace": false, + "pod": true, + "service": true, + "version": true }, - "Block Types": { - "stat": "sum", - "timeField": "Time" + "includeByName": {}, + "indexByName": { + "Time": 0, + "Value": 3, + "id": 2, + "namespace": 1 + }, + "renameByName": { + "Value #Est. Usage over 30 days": "Requests over 30 days (estimated)", + "Value #License Expiry Date": "Expiry Date", + "Value #License Type": "License Type", + "Value #Licensed Req": "Licensed Requests", + "Value #Validity": "Valid", + "id": "License ID", + "namespace": "Operator Namespace" } } } ], "type": "table" }, - { - "gridPos": { - "h": 1, - "w": 24, - "x": 0, - "y": 16 - }, - "id": 1, - "title": "Latency", - "type": "row" - }, { "datasource": { "type": "prometheus", "uid": "${DS_PROMETHEUS}" }, - "description": "Percentiles of the application downstream latency over one minute.", + "description": "Metadata for the Airlock Microgateway licenses selected in the dashboard filter.", "fieldConfig": { "defaults": { "color": { - "mode": "palette-classic" + "mode": "thresholds" }, "custom": { - "axisBorderShow": false, - "axisCenteredZero": false, - "axisColorMode": "text", - "axisLabel": "", - "axisPlacement": "auto", - "barAlignment": 0, - "drawStyle": "line", - "fillOpacity": 0, - "gradientMode": "none", - "hideFrom": { - "legend": false, - "tooltip": false, - "viz": false + "align": "auto", + "cellOptions": { + "type": "auto" }, - "insertNulls": false, - "lineInterpolation": "linear", - "lineWidth": 1, - "pointSize": 5, - "scaleDistribution": { - "type": "linear" - }, - "showPoints": "auto", - "spanNulls": false, - "stacking": { - "group": "A", - "mode": "none" - }, - "thresholdsStyle": { - "mode": "off" - } + "inspect": false }, "mappings": [], "thresholds": { @@ -764,245 +677,198 @@ { "color": "green", "value": null + }, + { + "color": "red", + "value": 80 } ] - }, - "unit": "ms" + } }, "overrides": [ { "matcher": { "id": "byName", - "options": "25th Percentile" + "options": "License ID" }, "properties": [ { - "id": "color", - "value": { - "fixedColor": "super-light-purple", - "mode": "fixed" - } + "id": "custom.width", + "value": 321 } ] }, { "matcher": { "id": "byName", - "options": "50th Percentile" + "options": "Valid" }, "properties": [ { - "id": "color", - "value": { - "fixedColor": "purple", - "mode": "fixed" - } + "id": "mappings", + "value": [ + { + "options": { + "0": { + "color": "red", + "index": 1, + "text": "Invalid" + }, + "1": { + "color": "green", + "index": 0, + "text": "Valid" + } + }, + "type": "value" + }, + { + "options": { + "match": "null+nan", + "result": { + "color": "red", + "index": 2, + "text": "Invalid" + } + }, + "type": "special" + } + ] + }, + { + "id": "custom.width", + "value": 65 } ] }, { "matcher": { "id": "byName", - "options": "95th Percentile" + "options": "License Type" }, "properties": [ { - "id": "color", - "value": { - "fixedColor": "dark-purple", - "mode": "fixed" - } + "id": "mappings", + "value": [ + { + "options": { + "0": { + "index": 1, + "text": "Community" + }, + "1": { + "index": 0, + "text": "Premium" + } + }, + "type": "value" + }, + { + "options": { + "match": "null+nan", + "result": { + "index": 2, + "text": "n/a" + } + }, + "type": "special" + } + ] + }, + { + "id": "custom.width", + "value": 109 + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "Expiry Date" + }, + "properties": [ + { + "id": "unit", + "value": "time:L" + }, + { + "id": "custom.width", + "value": 130 + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "Requests over 30 days (estimated)" + }, + "properties": [ + { + "id": "unit", + "value": "short" + }, + { + "id": "mappings", + "value": [ + { + "options": { + "match": "null+nan", + "result": { + "index": 0, + "text": "0" + } + }, + "type": "special" + } + ] + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "Licensed Requests" + }, + "properties": [ + { + "id": "unit", + "value": "short" + }, + { + "id": "custom.width", + "value": 160 } ] } ] }, "gridPos": { - "h": 9, - "w": 12, - "x": 0, + "h": 8, + "w": 13, + "x": 11, "y": 17 }, "id": 8, "options": { - "legend": { - "calcs": [], - "displayMode": "list", - "placement": "bottom", - "showLegend": true + "cellHeight": "sm", + "footer": { + "countRows": false, + "fields": "", + "reducer": [ + "sum" + ], + "show": false }, - "tooltip": { - "maxHeight": 600, - "mode": "single", - "sort": "none" - } - }, - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "editorMode": "code", - "expr": "histogram_quantile(0.25, sum(rate(envoy_http_downstream_rq_time_bucket{envoy_http_conn_manager_prefix=\"http\", namespace=~\"${namespace:regex}\", job=~\"${operator_namespace.regex}/.*-engine\"}[1m])) by (le))", - "instant": false, - "legendFormat": "25th Percentile", - "range": true, - "refId": "25th Percentile" - }, - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "editorMode": "code", - "expr": "histogram_quantile(0.5, sum(rate(envoy_http_downstream_rq_time_bucket{envoy_http_conn_manager_prefix=\"http\", namespace=~\"${namespace:regex}\", job=~\"${operator_namespace.regex}/.*-engine\"}[1m])) by (le))", - "hide": false, - "instant": false, - "legendFormat": "50th Percentile", - "range": true, - "refId": "50th Percentile" - }, - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "editorMode": "code", - "expr": "histogram_quantile(0.95, sum(rate(envoy_http_downstream_rq_time_bucket{envoy_http_conn_manager_prefix=\"http\", namespace=~\"${namespace:regex}\", job=~\"${operator_namespace.regex}/.*-engine\"}[1m])) by (le))", - "hide": false, - "instant": false, - "legendFormat": "95th Percentile", - "range": true, - "refId": "95th Percentile" - } - ], - "title": "Application Downstream Latency", - "type": "timeseries" - }, - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "description": "Percentiles of the Airlock Microgateway processing time over one minute.", - "fieldConfig": { - "defaults": { - "color": { - "mode": "palette-classic" - }, - "custom": { - "axisBorderShow": false, - "axisCenteredZero": false, - "axisColorMode": "text", - "axisLabel": "", - "axisPlacement": "auto", - "barAlignment": 0, - "drawStyle": "line", - "fillOpacity": 0, - "gradientMode": "none", - "hideFrom": { - "legend": false, - "tooltip": false, - "viz": false - }, - "insertNulls": false, - "lineInterpolation": "linear", - "lineWidth": 1, - "pointSize": 5, - "scaleDistribution": { - "type": "linear" - }, - "showPoints": "auto", - "spanNulls": false, - "stacking": { - "group": "A", - "mode": "none" - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "mappings": [], - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - }, - "unit": "ms" - }, - "overrides": [ + "frameIndex": 1, + "showHeader": true, + "sortBy": [ { - "matcher": { - "id": "byName", - "options": "25th Percentile" - }, - "properties": [ - { - "id": "color", - "value": { - "fixedColor": "super-light-purple", - "mode": "fixed" - } - } - ] - }, - { - "matcher": { - "id": "byName", - "options": "50th Percentile" - }, - "properties": [ - { - "id": "color", - "value": { - "fixedColor": "purple", - "mode": "fixed" - } - } - ] - }, - { - "matcher": { - "id": "byName", - "options": "95th Percentile" - }, - "properties": [ - { - "id": "color", - "value": { - "fixedColor": "dark-purple", - "mode": "fixed" - } - } - ] + "desc": false, + "displayName": "Expiry Date" } ] }, - "gridPos": { - "h": 9, - "w": 12, - "x": 12, - "y": 17 - }, - "id": 9, - "options": { - "legend": { - "calcs": [], - "displayMode": "list", - "placement": "bottom", - "showLegend": true - }, - "tooltip": { - "maxHeight": 600, - "mode": "single", - "sort": "none" - } - }, + "pluginVersion": "10.2.0", "targets": [ { "datasource": { @@ -1010,11 +876,13 @@ "uid": "${DS_PROMETHEUS}" }, "editorMode": "code", - "expr": "histogram_quantile(0.25, sum(rate(microgateway_rq_processing_time_ms_bucket{namespace=~\"${namespace:regex}\", job=~\"${operator_namespace.regex}/.*-engine\"}[1m])) by (le))", - "instant": false, - "legendFormat": "25th Percentile", - "range": true, - "refId": "0.25 Percentile" + "exemplar": false, + "expr": "min by (id) (microgateway_license_valid * on (service, namespace) group_left(id) microgateway_license_info{id=~\"${license_id.regex}\"})", + "format": "table", + "instant": true, + "legendFormat": "__auto", + "range": false, + "refId": "Validity" }, { "datasource": { @@ -1022,12 +890,14 @@ "uid": "${DS_PROMETHEUS}" }, "editorMode": "code", - "expr": "histogram_quantile(0.5, sum(rate(microgateway_rq_processing_time_ms_bucket{namespace=~\"${namespace:regex}\", job=~\"${operator_namespace.regex}/.*-engine\"}[1m])) by (le))", + "exemplar": false, + "expr": "topk(1,microgateway_license_max_rq_count_per_month * on (service, namespace) group_left(id) microgateway_license_info{id=~\"${license_id.regex}\"})by (id)", + "format": "table", "hide": false, - "instant": false, - "legendFormat": "50th Percentile", - "range": true, - "refId": "0.5 Percentile" + "instant": true, + "legendFormat": "__auto", + "range": false, + "refId": "Licensed Req" }, { "datasource": { @@ -1035,16 +905,99 @@ "uid": "${DS_PROMETHEUS}" }, "editorMode": "code", - "expr": "histogram_quantile(0.95, sum(rate(microgateway_rq_processing_time_ms_bucket{namespace=~\"${namespace:regex}\", job=~\"${operator_namespace.regex}/.*-engine\"}[1m])) by (le))", + "exemplar": false, + "expr": "min by (id) (microgateway_license_is_premium * on (service, namespace) group_left(id) microgateway_license_info{id=~\"${license_id.regex}\"})", + "format": "table", "hide": false, - "instant": false, - "legendFormat": "95th Percentile", - "range": true, - "refId": "0.95 Percentile" + "instant": true, + "legendFormat": "__auto", + "range": false, + "refId": "License Type" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "code", + "exemplar": false, + "expr": "min by (id) (microgateway_license_expiry_timestamp_seconds * on (service, namespace) group_left(id) microgateway_license_info{id=~\"${license_id.regex}\"})*1000", + "format": "table", + "hide": false, + "instant": true, + "legendFormat": "__auto", + "range": false, + "refId": "License Expiry Date" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "code", + "exemplar": false, + "expr": "(sum by (id) ((label_replace(increase(microgateway_license_http_rq_total[7d]), \"namespace\", \"$1\", \"job\", \"(.+)/.*\")) * on(namespace) group_left(id) microgateway_license_info{id=~\"${license_id.regex}\"}))/7*30", + "format": "table", + "hide": false, + "instant": true, + "legendFormat": "__auto", + "range": false, + "refId": "Est. Usage over 30 days" } ], - "title": "Airlock Microgateway Processing Time", - "type": "timeseries" + "title": "License Overview", + "transformations": [ + { + "id": "merge", + "options": {} + }, + { + "id": "organize", + "options": { + "excludeByName": { + "Time": true, + "Value #Licensed Req": false, + "container": true, + "endpoint": true, + "instance": true, + "job": true, + "namespace": true, + "pod": true, + "service": true + }, + "includeByName": {}, + "indexByName": {}, + "renameByName": { + "Value #Est. Usage over 30 days": "Requests over 30 days (estimated)", + "Value #License Expiry Date": "Expiry Date", + "Value #License Type": "License Type", + "Value #Licensed Req": "Licensed Requests", + "Value #Validity": "Valid", + "id": "License ID", + "namespace": "Operator Namespace" + } + } + }, + { + "id": "filterByValue", + "options": { + "filters": [ + { + "config": { + "id": "equal", + "options": { + "value": "" + } + }, + "fieldName": "License ID" + } + ], + "match": "any", + "type": "exclude" + } + } + ], + "type": "table" } ], "refresh": "", @@ -1055,11 +1008,7 @@ "templating": { "list": [ { - "current": { - "selected": false, - "text": "Prometheus", - "value": "PBFA97CFB590B2093" - }, + "current": {}, "hide": 2, "includeAll": false, "label": "DS_PROMETHEUS", @@ -1079,41 +1028,17 @@ "type": "prometheus", "uid": "${DS_PROMETHEUS}" }, - "definition": "label_values(microgateway_license_valid,namespace)", + "definition": "label_values(microgateway_license_info,id)", + "description": "", "hide": 0, "includeAll": true, - "label": "Operator Namespace", + "label": "License ID", "multi": true, - "name": "operator_namespace", + "name": "license_id", "options": [], "query": { "qryType": 1, - "query": "label_values(microgateway_license_valid,namespace)", - "refId": "PrometheusVariableQueryEditor-VariableQuery" - }, - "refresh": 2, - "regex": ".*", - "skipUrlSync": false, - "sort": 0, - "type": "query" - }, - { - "allValue": ".*", - "current": {}, - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "definition": "label_values(microgateway_license_http_rq_total,namespace)", - "hide": 0, - "includeAll": true, - "label": "Application Namespace", - "multi": true, - "name": "namespace", - "options": [], - "query": { - "qryType": 1, - "query": "label_values(microgateway_license_http_rq_total,namespace)", + "query": "label_values(microgateway_license_info,id)", "refId": "PrometheusVariableQueryEditor-VariableQuery" }, "refresh": 2, @@ -1125,14 +1050,14 @@ ] }, "time": { - "from": "now-24h", + "from": "now-7d", "to": "now" }, "timeRangeUpdatedDuringEditOrView": false, "timepicker": {}, "timezone": "browser", - "title": "Airlock Microgateway Overview", - "uid": "fdp5jb8fnrmyoa", - "version": 1, + "title": "Airlock Microgateway License", + "uid": "cdpq79bzrr01se", + "version": 2, "weekStart": "" } \ No newline at end of file diff --git a/charts/airlock/microgateway/4.3.1/dashboards/blockLogs.json b/charts/airlock/microgateway/4.4.1/dashboards/logOnlyLogs.json similarity index 55% rename from charts/airlock/microgateway/4.3.1/dashboards/blockLogs.json rename to charts/airlock/microgateway/4.4.1/dashboards/logOnlyLogs.json index ef0ce6d62..6d7ae7f22 100644 --- a/charts/airlock/microgateway/4.3.1/dashboards/blockLogs.json +++ b/charts/airlock/microgateway/4.4.1/dashboards/logOnlyLogs.json @@ -60,7 +60,7 @@ } ] }, - "description": "Blocked requests by Airlock Microgateway retrieved from corresponding access logs.\n\nThe dashboard can be filtered by namespace and block type. Column filters on the table allow for even a more granular filtering of the logs.", + "description": "Log entries of threats logged in log-only mode by Airlock Microgateway.\n\nThe dashboard can be filtered by namespace. Column filters on the table allow for an even more granular filtering of the logs.", "editable": true, "fiscalYearStartMonth": 0, "graphTooltip": 0, @@ -84,6 +84,7 @@ "panels": [ { "datasource": { + "default": false, "type": "loki", "uid": "${DS_LOKI}" }, @@ -121,7 +122,7 @@ "properties": [ { "id": "custom.width", - "value": 221 + "value": 328 }, { "id": "custom.filterable" @@ -136,11 +137,11 @@ "properties": [ { "id": "custom.width", - "value": 214 + "value": 176 }, { "id": "unit", - "value": "dateTimeAsIso" + "value": "time: YYYY-MM-DD HH:mm:ss.SSS" }, { "id": "custom.filterable" @@ -150,12 +151,12 @@ { "matcher": { "id": "byName", - "options": "Method" + "options": "HTTP Method" }, "properties": [ { "id": "custom.width", - "value": 89 + "value": 132 } ] }, @@ -167,7 +168,7 @@ "properties": [ { "id": "custom.width", - "value": 138 + "value": 137 } ] }, @@ -183,22 +184,6 @@ } ] }, - { - "matcher": { - "id": "byName", - "options": "Block Type" - }, - "properties": [ - { - "id": "custom.width", - "value": 116 - }, - { - "id": "custom.filterable", - "value": false - } - ] - }, { "matcher": { "id": "byName", @@ -218,30 +203,6 @@ "value": "right" } ] - }, - { - "matcher": { - "id": "byName", - "options": "Attack Type" - }, - "properties": [ - { - "id": "custom.width", - "value": 217 - } - ] - }, - { - "matcher": { - "id": "byName", - "options": "Application" - }, - "properties": [ - { - "id": "custom.width", - "value": 207 - } - ] } ] }, @@ -266,7 +227,7 @@ "showHeader": true, "sortBy": [] }, - "pluginVersion": "11.0.0", + "pluginVersion": "10.2.0", "targets": [ { "datasource": { @@ -274,62 +235,14 @@ "uid": "${DS_LOKI}" }, "editorMode": "code", - "expr": "{container=\"airlock-microgateway-engine\", namespace=~\"${namespace:regex}\"} |= \"airlock_request_blocked_deny_rule\" |= \"envoy.access\"\n| json http_method=\"http.request.method\", url=\"url.path\", request_size=\"http.request.bytes\", client_ip=\"network.forwarded_ip\", request_id=\"http.request.id\", details=\"airlock.deny_rules.matches\"\n| label_format block_type=\"deny_rules\", attack_type=`{{ range $q := fromJson .details }} {{ if eq $q.threat_handling_mode \"block\" }} {{ $q.rule_key }} {{ end }} {{ end }}` | block_type=~\"${blockType:regex}\"", + "expr": "{container=\"airlock-microgateway-engine\", namespace=~\"${namespace:regex}\"} |= `log_only` |= `envoy.access` | json http_method=\"http.request.method\", url=\"url.path\", domain=\"url.domain\", request_size=\"http.request.bytes\", client_ip=\"network.forwarded_ip\", request_id=\"http.request.id\", details=\"airlock.actions.log_only\", log_type=\"event.dataset\" | label_format log_count=`{{ len (fromJson .details) }}` | log_type = `envoy.access` | log_count > 0", "hide": false, "queryType": "range", - "refId": "Deny Rule Blocks" - }, - { - "datasource": { - "type": "loki", - "uid": "${DS_LOKI}" - }, - "editorMode": "code", - "expr": "{container=\"airlock-microgateway-engine\", namespace=~\"${namespace:regex}\"} |= \"airlock_request_blocked_limit\" |= \"envoy.access\"\n| json http_method=\"http.request.method\", url=\"url.path\", request_size=\"http.request.bytes\", client_ip=\"network.forwarded_ip\", request_id=\"http.request.id\", details=\"airlock.limits.matches\"\n| label_format block_type=\"limits\", attack_type=`{{ range $q := fromJson .details }} {{ if eq $q.threat_handling_mode \"block\" }} {{ $q.rule }} {{ end }} {{ end }}` | block_type=~\"${blockType:regex}\"", - "hide": false, - "queryType": "range", - "refId": "Limit Blocks" - }, - { - "datasource": { - "type": "loki", - "uid": "${DS_LOKI}" - }, - "editorMode": "code", - "expr": "{container=\"airlock-microgateway-engine\", namespace=~\"${namespace:regex}\"} |= \"airlock_request_blocked_openapi\" |= \"envoy.access\"\n| json http_method=\"http.request.method\", url=\"url.path\", request_size=\"http.request.bytes\", client_ip=\"network.forwarded_ip\", request_id=\"http.request.id\", reference=\"airlock.openapi.reference\", constraint=\"airlock.openapi.request.failed_validation.constraint\", position=\"airlock.openapi.request.failed_validation.position\", message=\"airlock.openapi.request.failed_validation.message\"\n| label_format block_type=\"openapi\", attack_type=\"openapi\", details=`{{.reference }}: {{.constraint }} at {{ .position }} ({{ .message }})` | block_type=~\"${blockType:regex}\"", - "hide": false, - "queryType": "range", - "refId": "OpenAPI Blocks" - }, - { - "datasource": { - "type": "loki", - "uid": "${DS_LOKI}" - }, - "editorMode": "code", - "expr": "{container=\"airlock-microgateway-engine\", namespace=~\"${namespace:regex}\"} |= \"airlock_request_blocked_parser\" |= \"envoy.access\"\n| json http_method=\"http.request.method\", url=\"url.path\", request_size=\"http.request.bytes\", client_ip=\"network.forwarded_ip\", request_id=\"http.request.id\", attack_type=\"airlock.parser\", failed_check=\"airlock.parser.matches[0].failed_check\", message=\"airlock.parser.matches[0].message\"\n| label_format block_type=\"parsing\", attack_type=\"parsing\", details=`{{.failed_check}}: {{.message}}` | block_type=~\"${blockType:regex}\"", - "hide": false, - "queryType": "range", - "refId": "Parser Blocks" - }, - { - "datasource": { - "type": "loki", - "uid": "${DS_LOKI}" - }, - "editorMode": "code", - "expr": "{container=\"airlock-microgateway-engine\", namespace=~\"${namespace:regex}\"} |= \"airlock_request_blocked_graphql\" |= \"envoy.access\"\n| json http_method=\"http.request.method\", url=\"url.path\", request_size=\"http.request.bytes\", client_ip=\"network.forwarded_ip\", request_id=\"http.request.id\", reference=\"airlock.graphql.reference\", message=\"airlock.graphql.request.failed_validation.message\"\n| label_format block_type=\"graphql\", attack_type=\"graphql\", details=`{{ .reference }}: {{ .message }}` | block_type=~\"${blockType:regex}\"", - "hide": false, - "queryType": "range", - "refId": "GraphQL Blocks" + "refId": "Log Only Logs" } ], - "title": "Blocked Request logs", + "title": "Threats Logs Log-Only", "transformations": [ - { - "id": "merge", - "options": {} - }, { "id": "extractFields", "options": { @@ -344,16 +257,14 @@ "include": { "names": [ "Time", - "attack_type", - "block_type", "client_ip", "details", + "domain", "http_method", "namespace", "request_id", "request_size", - "url", - "pod" + "url" ] } } @@ -371,30 +282,25 @@ "includeByName": {}, "indexByName": { "Time": 0, - "attack_type": 7, - "block_type": 6, - "client_ip": 9, - "details": 8, - "http_method": 3, + "client_ip": 8, + "details": 7, + "domain": 2, + "http_method": 4, "namespace": 1, - "pod": 2, - "request_id": 10, - "request_size": 5, - "url": 4 + "request_id": 9, + "request_size": 6, + "url": 5 }, "renameByName": { "Time": "Timestamp", - "attack_type": "Attack Type", - "block_type": "Block Type", "client_ip": "Client IP", "details": "Details", - "http_method": "Method", + "domain": "URL Domain", + "http_method": "HTTP Method", "namespace": "Namespace", - "pod": "Pod", "request_id": "Request ID", "request_size": "Request Size", - "tsNs": "", - "url": "Path" + "url": "URL Path" } } } @@ -409,11 +315,7 @@ "templating": { "list": [ { - "current": { - "selected": false, - "text": "Loki", - "value": "P8E80F9AEF21F6940" - }, + "current": {}, "hide": 2, "includeAll": false, "label": "DS_LOKI", @@ -452,36 +354,7 @@ "type": "query" }, { - "allValue": ".*", "current": {}, - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "definition": "label_values(microgateway_http_downstream_rq_threats_blocked_total,block_type)", - "hide": 0, - "includeAll": true, - "label": "Block Type", - "multi": true, - "name": "blockType", - "options": [], - "query": { - "qryType": 1, - "query": "label_values(microgateway_http_downstream_rq_threats_blocked_total,block_type)", - "refId": "PrometheusVariableQueryEditor-VariableQuery" - }, - "refresh": 2, - "regex": "", - "skipUrlSync": false, - "sort": 5, - "type": "query" - }, - { - "current": { - "selected": false, - "text": "Prometheus", - "value": "PBFA97CFB590B2093" - }, "hide": 2, "includeAll": false, "label": "DS_PROMETHEUS", @@ -500,11 +373,10 @@ "from": "now-15m", "to": "now" }, - "timeRangeUpdatedDuringEditOrView": false, "timepicker": {}, "timezone": "browser", - "title": "Airlock Microgateway Blocked Request Logs", - "uid": "adnyzcvwnyadcc", - "version": 3, + "title": "Airlock Microgateway Threats LogOnly - Logs", + "uid": "adnasdfdwnyadcc", + "version": 7, "weekStart": "" } \ No newline at end of file diff --git a/charts/airlock/microgateway/4.3.1/dashboards/blockMetrics.json b/charts/airlock/microgateway/4.4.1/dashboards/logOnlyMetrics.json similarity index 70% rename from charts/airlock/microgateway/4.3.1/dashboards/blockMetrics.json rename to charts/airlock/microgateway/4.4.1/dashboards/logOnlyMetrics.json index ba383d22e..137e28ee0 100644 --- a/charts/airlock/microgateway/4.3.1/dashboards/blockMetrics.json +++ b/charts/airlock/microgateway/4.4.1/dashboards/logOnlyMetrics.json @@ -58,7 +58,7 @@ } ] }, - "description": "Metrics on requests blocked by Airlock Microgateway.\n\nDashboard can be filtered by namespaces as well as block types.", + "description": "Metrics on threats logged by Airlock Microgateway in threat handling mode LogOnly.\n\nDashboard can be filtered by namespaces as well as block types.", "editable": true, "fiscalYearStartMonth": 0, "graphTooltip": 0, @@ -88,7 +88,7 @@ "y": 0 }, "id": 6, - "title": "Airlock Microgateway Block Metrics", + "title": "Airlock Microgateway Threats LogOnly - Metrics", "type": "row" }, { @@ -96,81 +96,7 @@ "type": "prometheus", "uid": "${DS_PROMETHEUS}" }, - "description": "Total number of requests processed by Airlock Microgateway.", - "fieldConfig": { - "defaults": { - "color": { - "fixedColor": "text", - "mode": "fixed" - }, - "mappings": [], - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - }, - "unit": "short" - }, - "overrides": [] - }, - "gridPos": { - "h": 4, - "w": 4, - "x": 0, - "y": 1 - }, - "id": 1, - "options": { - "colorMode": "value", - "graphMode": "none", - "justifyMode": "auto", - "orientation": "auto", - "reduceOptions": { - "calcs": [ - "lastNotNull" - ], - "fields": "", - "values": false - }, - "showPercentChange": false, - "textMode": "auto", - "wideLayout": true - }, - "pluginVersion": "11.0.0", - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "disableTextWrap": false, - "editorMode": "code", - "exemplar": false, - "expr": "round(sum(increase(microgateway_license_http_rq_total{namespace=~\"${namespace:regex}\", job=~\"${operator_namespace.regex}/.*-engine\"}[$__range])))", - "format": "time_series", - "fullMetaSearch": false, - "hide": false, - "includeNullMetadata": true, - "instant": true, - "legendFormat": "Processed Requests", - "range": false, - "refId": "A", - "useBackend": false - } - ], - "title": "Requests", - "type": "stat" - }, - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "description": "Ratio of blocked requests vs. processed requests by Airlock Microgateway.", + "description": "Number of threats logged by Airlock Microgateway in threat handling mode LogOnly.", "fieldConfig": { "defaults": { "color": { @@ -198,14 +124,14 @@ } ] }, - "unit": "percentunit" + "unit": "short" }, "overrides": [] }, "gridPos": { "h": 4, "w": 4, - "x": 4, + "x": 0, "y": 1 }, "id": 2, @@ -214,6 +140,7 @@ "graphMode": "area", "justifyMode": "auto", "orientation": "auto", + "percentChangeColorMode": "standard", "reduceOptions": { "calcs": [ "last" @@ -225,7 +152,7 @@ "textMode": "auto", "wideLayout": true }, - "pluginVersion": "11.0.0", + "pluginVersion": "10.2.0", "targets": [ { "datasource": { @@ -235,17 +162,17 @@ "disableTextWrap": false, "editorMode": "code", "exemplar": false, - "expr": "sum(increase(microgateway_http_downstream_rq_threats_blocked_total{block_type=~\"${blockType:regex}\", namespace=~\"${namespace:regex}\", job=~\"${operator_namespace.regex}/.*-engine\"}[$__range])) / sum(increase(microgateway_license_http_rq_total{namespace=~\"${namespace:regex}\", job=~\"${operator_namespace.regex}/.*-engine\"}[$__range]))", + "expr": "round(sum(increase(microgateway_http_downstream_rq_threats_logged_total{block_type=~\"${blockType:regex}\", namespace=~\"${namespace:regex}\", job=~\"${operator_namespace.regex}/.*-engine\"}[$__range])))", "fullMetaSearch": false, "includeNullMetadata": true, "instant": true, - "legendFormat": "Blocked Requests (%)", + "legendFormat": "Logged threats in LogOnly mode", "range": false, "refId": "A", "useBackend": false } ], - "title": "% Blocked Requests", + "title": "Threats - LogOnly", "type": "stat" }, { @@ -253,11 +180,11 @@ "type": "prometheus", "uid": "${DS_PROMETHEUS}" }, - "description": "Requests per second processed by Airlock Microgateway along with the corresponding block rate.", + "description": "Number of threats per second handled in LogOnly mode.", "fieldConfig": { "defaults": { "color": { - "fixedColor": "blue", + "fixedColor": "orange", "mode": "fixed" }, "custom": { @@ -268,7 +195,7 @@ "axisPlacement": "left", "barAlignment": 0, "drawStyle": "line", - "fillOpacity": 0, + "fillOpacity": 25, "gradientMode": "none", "hideFrom": { "legend": false, @@ -301,53 +228,10 @@ "value": null } ] - } - }, - "overrides": [ - { - "matcher": { - "id": "byName", - "options": "% Blocks" - }, - "properties": [ - { - "id": "custom.axisPlacement", - "value": "right" - }, - { - "id": "unit", - "value": "percentunit" - }, - { - "id": "color", - "value": { - "fixedColor": "orange", - "mode": "fixed" - } - }, - { - "id": "max", - "value": 1 - } - ] }, - { - "matcher": { - "id": "byName", - "options": "Requests per second" - }, - "properties": [ - { - "id": "unit", - "value": "short" - }, - { - "id": "custom.fillOpacity", - "value": 25 - } - ] - } - ] + "unit": "short" + }, + "overrides": [] }, "gridPos": { "h": 10, @@ -380,27 +264,14 @@ }, "editorMode": "code", "exemplar": false, - "expr": "sum(rate(microgateway_license_http_rq_total{namespace=~\"${namespace:regex}\", job=~\"${operator_namespace.regex}/.*-engine\"}[1m]))", + "expr": "sum(rate(microgateway_http_downstream_rq_threats_logged_total{block_type=~\"${blockType:regex}\", namespace=~\"${namespace:regex}\", job=~\"${operator_namespace.regex}/.*-engine\"}[1m]))", "instant": false, - "legendFormat": "Requests per second", + "legendFormat": "Number of threats per second", "range": true, - "refId": "Requests per Second" - }, - { - "datasource": { - "type": "prometheus", - "uid": "${DS_PROMETHEUS}" - }, - "editorMode": "code", - "expr": "sum(rate(microgateway_http_downstream_rq_threats_blocked_total{block_type=~\"${blockType:regex}\", namespace=~\"${namespace:regex}\", job=~\"${operator_namespace.regex}/.*-engine\"}[1m])) / sum(rate(microgateway_license_http_rq_total{namespace=~\"${namespace:regex}\", job=~\"${operator_namespace.regex}/.*-engine\"}[1m]))", - "hide": false, - "instant": false, - "legendFormat": "% Blocks", - "range": true, - "refId": "Blocks" + "refId": "LogOnly Events" } ], - "title": "Requests vs. % Blocks", + "title": "Threats - LogOnly", "type": "timeseries" }, { @@ -408,7 +279,7 @@ "type": "prometheus", "uid": "${DS_PROMETHEUS}" }, - "description": "Blocked requests by block type.", + "description": "Number of threats in LogOnly mode by block type.", "fieldConfig": { "defaults": { "color": { @@ -448,7 +319,7 @@ } ] }, - "unit": "none" + "unit": "short" }, "overrides": [] }, @@ -482,7 +353,7 @@ "xTickLabelRotation": 0, "xTickLabelSpacing": 0 }, - "pluginVersion": "10.4.3", + "pluginVersion": "10.2.0", "targets": [ { "datasource": { @@ -491,7 +362,7 @@ }, "editorMode": "code", "exemplar": false, - "expr": "round(sum by (block_type) (increase(microgateway_http_downstream_rq_threats_blocked_total{block_type=~\"${blockType:regex}\", namespace=~\"${namespace:regex}\", job=~\"${operator_namespace.regex}/.*-engine\"}[$__range])))", + "expr": "round(sum by (block_type) (increase(microgateway_http_downstream_rq_threats_logged_total{block_type=~\"${blockType:regex}\", namespace=~\"${namespace:regex}\", job=~\"${operator_namespace.regex}/.*-engine\"}[$__range])))", "format": "time_series", "instant": true, "legendFormat": "__auto", @@ -520,7 +391,7 @@ "type": "prometheus", "uid": "${DS_PROMETHEUS}" }, - "description": "Blocked requests by attack type, which are subsets of the various block types.", + "description": "Number of threats in LogOnly mode by block subtype, which are subsets of the various block types.", "fieldConfig": { "defaults": { "color": { @@ -557,7 +428,8 @@ "value": null } ] - } + }, + "unit": "short" }, "overrides": [] }, @@ -587,11 +459,11 @@ "mode": "single", "sort": "none" }, - "xField": "attack_type", + "xField": "block_subtype", "xTickLabelRotation": 0, "xTickLabelSpacing": 0 }, - "pluginVersion": "10.4.3", + "pluginVersion": "10.2.0", "targets": [ { "datasource": { @@ -600,14 +472,14 @@ }, "editorMode": "code", "exemplar": false, - "expr": "round(sum by (attack_type) (increase(microgateway_http_downstream_rq_threats_blocked_total{block_type=~\"${blockType:regex}\", namespace=~\"${namespace:regex}\", job=~\"${operator_namespace.regex}/.*-engine\"}[$__range])))", + "expr": "round(sum by (block_subtype) (increase(microgateway_http_downstream_rq_threats_logged_total{block_type=~\"${blockType:regex}\", namespace=~\"${namespace:regex}\", job=~\"${operator_namespace.regex}/.*-engine\"}[$__range])))", "instant": true, "legendFormat": "__auto", "range": false, "refId": "A" } ], - "title": "Attack Type", + "title": "Block Subtype", "transformations": [ { "id": "reduce", @@ -630,11 +502,7 @@ "templating": { "list": [ { - "current": { - "selected": false, - "text": "Prometheus", - "value": "PBFA97CFB590B2093" - }, + "current": {}, "hide": 2, "includeAll": false, "label": "Datasource Prometheus", @@ -648,11 +516,7 @@ "type": "datasource" }, { - "current": { - "selected": false, - "text": "Loki", - "value": "P8E80F9AEF21F6940" - }, + "current": {}, "hide": 2, "includeAll": false, "label": "DS_LOKI", @@ -722,7 +586,7 @@ "type": "prometheus", "uid": "${DS_PROMETHEUS}" }, - "definition": "label_values(microgateway_http_downstream_rq_threats_blocked_total,block_type)", + "definition": "label_values(microgateway_http_downstream_rq_threats_logged_total,block_type)", "hide": 0, "includeAll": true, "label": "Block Type", @@ -731,7 +595,7 @@ "options": [], "query": { "qryType": 1, - "query": "label_values(microgateway_http_downstream_rq_threats_blocked_total,block_type)", + "query": "label_values(microgateway_http_downstream_rq_threats_logged_total,block_type)", "refId": "PrometheusVariableQueryEditor-VariableQuery" }, "refresh": 2, @@ -746,13 +610,12 @@ "from": "now-24h", "to": "now" }, - "timeRangeUpdatedDuringEditOrView": false, "timepicker": { "hidden": false }, "timezone": "browser", - "title": "Airlock Microgateway Block Metrics", - "uid": "ddnqoczu7qvb4cdd3dd", - "version": 3, + "title": "Airlock Microgateway Threats LogOnly - Metrics", + "uid": "ddnqoczu7qv2mfmsd3dd", + "version": 1, "weekStart": "" } \ No newline at end of file diff --git a/charts/airlock/microgateway/4.3.3/dashboards/overview.json b/charts/airlock/microgateway/4.4.1/dashboards/overview.json similarity index 98% rename from charts/airlock/microgateway/4.3.3/dashboards/overview.json rename to charts/airlock/microgateway/4.4.1/dashboards/overview.json index 094276621..8a9c913b0 100644 --- a/charts/airlock/microgateway/4.3.3/dashboards/overview.json +++ b/charts/airlock/microgateway/4.4.1/dashboards/overview.json @@ -137,7 +137,7 @@ "textMode": "auto", "wideLayout": true }, - "pluginVersion": "11.0.0", + "pluginVersion": "10.2.0", "targets": [ { "datasource": { @@ -205,7 +205,7 @@ "textMode": "auto", "wideLayout": true }, - "pluginVersion": "11.0.0", + "pluginVersion": "10.2.0", "targets": [ { "datasource": { @@ -290,7 +290,7 @@ "textMode": "auto", "wideLayout": true }, - "pluginVersion": "11.0.0", + "pluginVersion": "10.2.0", "targets": [ { "datasource": { @@ -376,7 +376,7 @@ "textMode": "auto", "wideLayout": true }, - "pluginVersion": "11.0.0", + "pluginVersion": "10.2.0", "targets": [ { "datasource": { @@ -566,7 +566,7 @@ "type": "prometheus", "uid": "${DS_PROMETHEUS}" }, - "description": "Requests blocked by Airlock Microgateway categorized by their corresponding type.", + "description": "Threats blocked by Airlock Microgateway categorized by their corresponding block type.", "fieldConfig": { "defaults": { "color": { @@ -670,7 +670,7 @@ } ] }, - "pluginVersion": "11.0.0", + "pluginVersion": "10.2.0", "targets": [ { "datasource": { @@ -686,7 +686,7 @@ "refId": "Block Types" } ], - "title": "Blocked Requests by Type", + "title": "Blocked Threats by Block Type", "transformations": [ { "id": "timeSeriesTable", @@ -1055,11 +1055,7 @@ "templating": { "list": [ { - "current": { - "selected": false, - "text": "Prometheus", - "value": "PBFA97CFB590B2093" - }, + "current": {}, "hide": 2, "includeAll": false, "label": "DS_PROMETHEUS", diff --git a/charts/airlock/microgateway/4.4.1/templates/NOTES.txt b/charts/airlock/microgateway/4.4.1/templates/NOTES.txt new file mode 100644 index 000000000..a607483f9 --- /dev/null +++ b/charts/airlock/microgateway/4.4.1/templates/NOTES.txt @@ -0,0 +1,61 @@ +Thank you for installing Airlock Microgateway. +{{- if .Values.operator.gatewayAPI.enabled }} + +K8s Gateway API support enabled. +Note that the K8s Gateway API support is an incubating Airlock Microgateway feature. We encourage you to try the installation and configuration for testing and evaluation. Your feedback is welcome. + + {{- if or .Values.operator.watchNamespaces .Values.operator.watchNamespaceSelector -}} + {{- fail ` + +K8s Gateway API is only supported using the 'AllNamespaces' installation mode type, ensure that 'operator.watchNamespaces' and 'operator.watchNamespaceSelector' are not configured. +` + -}} + {{- end -}} +{{- end }} + +Please ensure the following prerequisites are fulfilled: +* cert-manager is installed. + https://cert-manager.io/docs/installation/helm/ +* A valid Airlock Microgateway license is deployed in the Kubernetes secret '{{ .Release.Namespace }}/{{ .Values.license.secretName }}' + * Get a free Community license: https://airlock.com/en/microgateway-community + * Order a Premium license: https://airlock.com/en/microgateway-premium +* Airlock Microgateway CNI is installed on the cluster, when running data plane mode sidecar + https://artifacthub.io/packages/helm/airlock-microgateway-cni/microgateway-cni. + For more information about data plane modes, see https://docs.airlock.com/microgateway/{{ include "airlock-microgateway.docsVersion" . }}/#data/1660804709650.html + +Further information: +* Documentation: https://docs.airlock.com/microgateway/{{ include "airlock-microgateway.docsVersion" . }} +* CRD API reference documentation: https://docs.airlock.com/microgateway/{{ include "airlock-microgateway.docsVersion" . }}/api/crds +* Airlock Microgateway Labs: https://play.instruqt.com/airlock/invite/hyi9fy4b4jzc?icp_referrer=helm +{{- if .Values.crds.skipVersionCheck }} + +Warning: CRD version check skipped +{{- else -}} +{{- $outdatedCRDs := (include "airlock-microgateway.outdatedCRDs" .) -}} +{{- if $outdatedCRDs -}} + {{- fail (printf ` + +Helm does not automatically upgrade CRDs from the chart's 'crds/' directory during 'helm install/upgrade'. +Therefore, the CRDs must be manually upgraded with the following command before deploying this chart: + +kubectl apply -k https://github.com/airlock/microgateway/deploy/charts/airlock-microgateway/crds/?ref=%s --server-side --force-conflicts + +If you are not using the helm install/upgrade command and instead rely on some other mechanism which is able to upgrade CRDs for deploying this chart, you can suppress this error by setting the helm value 'crds.skipVersionCheck=true'.` + .Chart.AppVersion) + -}} +{{- end -}} +{{- end -}} +{{- if .Values.tests.enabled -}} + {{- if .Values.operator.watchNamespaces -}} + {{- if not (has .Release.Namespace .Values.operator.watchNamespaces) -}} + {{- fail (printf ` + +To execute 'helm test', it is necessary that the release namespace '%s' is part of the operator's watch scope. Either disable the tests or ensure that the release namespace is added to watch namspace list ('operator.watchNamespaces') in the helm values. +` + .Release.Namespace) + -}} + {{- end -}} + {{- end -}} +{{- end }} + +Your release version is {{ .Chart.Version }}. \ No newline at end of file diff --git a/charts/airlock/microgateway/4.4.1/templates/_helpers.tpl b/charts/airlock/microgateway/4.4.1/templates/_helpers.tpl new file mode 100644 index 000000000..733ba9648 --- /dev/null +++ b/charts/airlock/microgateway/4.4.1/templates/_helpers.tpl @@ -0,0 +1,153 @@ +{{/* +Expand the name of the chart. +We truncate at 49 chars because some Kubernetes name fields are limited to 63 chars (by the DNS naming spec) +and the longest explicit suffix is 14 characters. +*/}} +{{- define "airlock-microgateway.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 49 | trimSuffix "-" }} +{{- end }} + +{{/* +Convert an image configuration object into an image ref string. +*/}} +{{- define "airlock-microgateway.image" -}} + {{- if .digest -}} + {{- printf "%s@%s" .repository .digest -}} + {{- else if .tag -}} + {{- printf "%s:%s" .repository .tag -}} + {{- else -}} + {{- printf "%s" .repository -}} + {{- end -}} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 36 chars because some Kubernetes name fields are limited to 63 chars (by the DNS naming spec) +and the longest implicit suffix is 27 characters. +If release name contains chart name it will be used as a full name. +*/}} +{{- define "airlock-microgateway.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 36 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 36 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 36 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "airlock-microgateway.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "airlock-microgateway.sharedLabels" -}} +helm.sh/chart: {{ include "airlock-microgateway.chart" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +app.kubernetes.io/part-of: {{ .Chart.Name }} +{{- with .Values.commonLabels }} +{{ toYaml .}} +{{- end }} +{{- end }} + +{{/* +Common Selector labels +*/}} +{{- define "airlock-microgateway.sharedSelectorLabels" -}} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Restricted Container Security Context +*/}} +{{- define "airlock-microgateway.restrictedSecurityContext" -}} +allowPrivilegeEscalation: false +privileged: false +runAsNonRoot: true +capabilities: + drop: ["ALL"] +readOnlyRootFilesystem: true +seccompProfile: + type: RuntimeDefault +{{- end }} + +{{/* Precondition: May only be used if AppVersion is isSemver */}} +{{- define "airlock-microgateway.supportedCRDVersionPattern" -}} +{{- $version := (semver .Chart.AppVersion) -}} +{{- if $version.Prerelease -}} +>= {{ $version.Major }}.{{ $version.Minor }}.{{ $version.Patch }}-{{ $version.Prerelease }} +{{- else -}} +>= {{ $version.Major }}.{{ $version.Minor }}.0 || >= {{ $version.Major }}.{{ $version.Minor }}.{{ add1 $version.Patch }}-0 +{{- end -}} +{{- end -}} + +{{- define "airlock-microgateway.outdatedCRDs" -}} +{{- if (eq "true" (include "airlock-microgateway.isSemver" .Chart.AppVersion)) -}} + {{- $supportedVersion := (include "airlock-microgateway.supportedCRDVersionPattern" .) -}} + {{- range $path, $_ := .Files.Glob "crds/*.yaml" -}} + {{- $api := ($.Files.Get $path | fromYaml).metadata.name -}} + {{- $crd := (lookup "apiextensions.k8s.io/v1" "CustomResourceDefinition" "" $api) -}} + {{- $isOutdated := false -}} + {{- if $crd -}} + {{/* If CRD is already present in the cluster, it must have the minimum supported version */}} + {{- $isOutdated = true -}} + {{- if hasKey $crd.metadata "labels" -}} + {{- $crdVersion := get $crd.metadata.labels "app.kubernetes.io/version" -}} + {{- if (eq "true" (include "airlock-microgateway.isSemver" $crdVersion)) -}} + {{- if (semverCompare $supportedVersion $crdVersion) }} + {{- $isOutdated = false -}} + {{- end }} + {{- end -}} + {{- end -}} + {{- end -}} + {{- if $isOutdated }} +{{ base $path }} + {{- end }} + {{- end -}} +{{- end -}} +{{- end -}} + +{{- define "airlock-microgateway.isSemver" -}} +{{- regexMatch `^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$` . -}} +{{- end -}} + +{{- define "airlock-microgateway.docsVersion" -}} +{{- if and (eq "true" (include "airlock-microgateway.isSemver" .Chart.AppVersion)) (not (contains "-" .Chart.AppVersion)) -}} + {{- $version := (semver .Chart.AppVersion) -}} + {{- $version.Major }}.{{ $version.Minor -}} +{{- else -}} + {{- print "latest" -}} +{{- end -}} +{{- end -}} + +{{- define "airlock-microgateway.watchNamespaceSelector.labelQuery" -}} +{{- $list := list -}} +{{- with .matchLabels -}} + {{- range $key, $value := . -}} + {{- $list = append $list (printf "%s=%s" $key $value) -}} + {{- end -}} +{{- end -}} +{{- with .matchExpressions -}} + {{- range . -}} + {{- if has .operator (list "In" "NotIn") -}} + {{- $list = append $list (printf "%s %s (%s)" .key (lower .operator) (join "," .values)) -}} + {{- else if eq .operator "Exists" -}} + {{- $list = append $list .key -}} + {{- else if eq .operator "DoesNotExist" -}} + {{- $list = append $list (printf "!%s" .key) -}} + {{- end -}} + {{- end -}} +{{- end -}} +{{- join "," $list -}} +{{- end -}} \ No newline at end of file diff --git a/charts/airlock/microgateway/4.2.3/templates/operator/_operator_helpers.tpl b/charts/airlock/microgateway/4.4.1/templates/operator/_operator_helpers.tpl similarity index 100% rename from charts/airlock/microgateway/4.2.3/templates/operator/_operator_helpers.tpl rename to charts/airlock/microgateway/4.4.1/templates/operator/_operator_helpers.tpl diff --git a/charts/airlock/microgateway/4.2.3/templates/operator/_rbac.gen.tpl b/charts/airlock/microgateway/4.4.1/templates/operator/_rbac.gen.tpl similarity index 73% rename from charts/airlock/microgateway/4.2.3/templates/operator/_rbac.gen.tpl rename to charts/airlock/microgateway/4.4.1/templates/operator/_rbac.gen.tpl index 528f72bc6..faa078b6b 100644 --- a/charts/airlock/microgateway/4.2.3/templates/operator/_rbac.gen.tpl +++ b/charts/airlock/microgateway/4.4.1/templates/operator/_rbac.gen.tpl @@ -8,6 +8,8 @@ Operator rbac permission rules - "" resources: - configmaps + - namespaces + - replicasets verbs: - get - list @@ -52,28 +54,107 @@ Operator rbac permission rules - delete - get - list + - patch - update - watch +- apiGroups: + - "" + resources: + - services + verbs: + - create + - get + - list + - patch + - update + - watch +- apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - get + - list + - watch +- apiGroups: + - apps + resources: + - deployments + verbs: + - create + - get + - list + - patch + - update + - watch +- apiGroups: + - apps + resources: + - replicasets + verbs: + - get + - list + - patch + - update + - watch +- apiGroups: + - apps + resources: + - replicasets/finalizers + verbs: + - patch + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses + verbs: + - get + - list + - patch + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses/finalizers + - gatewayclasses/status + - gateways/finalizers + - gateways/status + - httproutes/status + verbs: + - patch + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - gateways + - httproutes + - referencegrants + verbs: + - get + - list + - watch - apiGroups: - microgateway.airlock.com resources: - accesscontrols - verbs: - - get - - list - - watch -- apiGroups: - - microgateway.airlock.com - resources: - contentsecurities - verbs: - - get - - list - - watch -- apiGroups: - - microgateway.airlock.com - resources: + - contentsecuritypolicies - denyrules + - envoyclusters + - envoyhttpfilters + - graphqls + - headerrewrites + - identitypropagations + - jwks + - limits + - oidcproviders + - oidcrelyingparties + - openapis + - parsers + - redisproviders + - sessionhandlings + - telemetries verbs: - get - list @@ -81,11 +162,10 @@ Operator rbac permission rules - apiGroups: - microgateway.airlock.com resources: - - envoyclusters + - contentsecuritypolicies/status verbs: - - get - - list - - watch + - patch + - update - apiGroups: - microgateway.airlock.com resources: @@ -102,74 +182,11 @@ Operator rbac permission rules - microgateway.airlock.com resources: - envoyconfigurations/status + - sidecargateways/status verbs: - get - patch - update -- apiGroups: - - microgateway.airlock.com - resources: - - envoyhttpfilters - verbs: - - get - - list - - watch -- apiGroups: - - microgateway.airlock.com - resources: - - headerrewrites - verbs: - - get - - list - - watch -- apiGroups: - - microgateway.airlock.com - resources: - - identitypropagations - verbs: - - get - - list - - watch -- apiGroups: - - microgateway.airlock.com - resources: - - limits - verbs: - - get - - list - - watch -- apiGroups: - - microgateway.airlock.com - resources: - - oidcproviders - verbs: - - get - - list - - watch -- apiGroups: - - microgateway.airlock.com - resources: - - oidcrelyingparties - verbs: - - get - - list - - watch -- apiGroups: - - microgateway.airlock.com - resources: - - openapis - verbs: - - get - - list - - watch -- apiGroups: - - microgateway.airlock.com - resources: - - parsers - verbs: - - get - - list - - watch - apiGroups: - microgateway.airlock.com resources: @@ -186,20 +203,4 @@ Operator rbac permission rules - sidecargateways/finalizers verbs: - update -- apiGroups: - - microgateway.airlock.com - resources: - - sidecargateways/status - verbs: - - get - - patch - - update -- apiGroups: - - microgateway.airlock.com - resources: - - telemetries - verbs: - - get - - list - - watch {{- end }} diff --git a/charts/airlock/microgateway/4.3.1/templates/operator/_webhooks.gen.tpl b/charts/airlock/microgateway/4.4.1/templates/operator/_webhooks.gen.tpl similarity index 84% rename from charts/airlock/microgateway/4.3.1/templates/operator/_webhooks.gen.tpl rename to charts/airlock/microgateway/4.4.1/templates/operator/_webhooks.gen.tpl index 02e304890..97474df39 100644 --- a/charts/airlock/microgateway/4.3.1/templates/operator/_webhooks.gen.tpl +++ b/charts/airlock/microgateway/4.4.1/templates/operator/_webhooks.gen.tpl @@ -76,6 +76,26 @@ Operator validating webhooks resources: - accesscontrols sideEffects: None +- admissionReviewVersions: + - v1 + clientConfig: + service: + name: airlock-microgateway-operator-webhook + namespace: '{{ .Release.Namespace }}' + path: /validate-microgateway-airlock-com-v1alpha1-contentsecuritypolicy + failurePolicy: Fail + name: validate-contentsecuritypolicy.microgateway.airlock.com + rules: + - apiGroups: + - microgateway.airlock.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - contentsecuritypolicies + sideEffects: None - admissionReviewVersions: - v1 clientConfig: @@ -196,6 +216,26 @@ Operator validating webhooks resources: - identitypropagations sideEffects: None +- admissionReviewVersions: + - v1 + clientConfig: + service: + name: airlock-microgateway-operator-webhook + namespace: '{{ .Release.Namespace }}' + path: /validate-microgateway-airlock-com-v1alpha1-jwks + failurePolicy: Fail + name: validate-jwks.microgateway.airlock.com + rules: + - apiGroups: + - microgateway.airlock.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - jwks + sideEffects: None - admissionReviewVersions: - v1 clientConfig: @@ -316,6 +356,26 @@ Operator validating webhooks resources: - redisproviders sideEffects: None +- admissionReviewVersions: + - v1 + clientConfig: + service: + name: airlock-microgateway-operator-webhook + namespace: '{{ .Release.Namespace }}' + path: /validate-microgateway-airlock-com-v1alpha1-sessionhandling + failurePolicy: Fail + name: validate-sessionhandling.microgateway.airlock.com + rules: + - apiGroups: + - microgateway.airlock.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - sessionhandlings + sideEffects: None - admissionReviewVersions: - v1 clientConfig: diff --git a/charts/airlock/microgateway/4.3.1/templates/operator/configmap.yaml b/charts/airlock/microgateway/4.4.1/templates/operator/configmap.yaml similarity index 97% rename from charts/airlock/microgateway/4.3.1/templates/operator/configmap.yaml rename to charts/airlock/microgateway/4.4.1/templates/operator/configmap.yaml index 95e52d7df..276a632e8 100644 --- a/charts/airlock/microgateway/4.3.1/templates/operator/configmap.yaml +++ b/charts/airlock/microgateway/4.4.1/templates/operator/configmap.yaml @@ -190,8 +190,8 @@ data: stats_tags: - tag_name: "block_type" regex: "\\.(block_type\\.([^.]+))" - - tag_name: "attack_type" - regex: "\\.(attack_type\\.([^.]+))" + - tag_name: "block_subtype" + regex: "\\.(block_subtype\\.([^.]+))" - tag_name: "envoy_cluster_name" regex: "\\.(cluster\\.([^.]+))" - tag_name: "version" @@ -364,6 +364,10 @@ data: securityContext: {{- include "airlock-microgateway.restrictedSecurityContext" . | nindent 6 }} runAsUser: $(SECURITYCONTEXT_UID) + {{- with .Values.networkValidator.resources }} + resources: + {{- toYaml . | nindent 6 }} + {{- end }} operator_config.yaml: | apiVersion: config.airlock.com/v1alpha1 kind: OperatorConfig @@ -392,3 +396,10 @@ data: list: {{- toYaml . | nindent 8 }} {{- end }} + {{- with $.Values.operator.gatewayAPI }} + gatewayAPI: + enabled: {{ .enabled }} + {{- if .controllerName }} + controllerName: {{ .controllerName }} + {{- end }} + {{- end }} \ No newline at end of file diff --git a/charts/airlock/microgateway/4.3.0/templates/operator/dashboard-configmap.yaml b/charts/airlock/microgateway/4.4.1/templates/operator/dashboard-configmap.yaml similarity index 100% rename from charts/airlock/microgateway/4.3.0/templates/operator/dashboard-configmap.yaml rename to charts/airlock/microgateway/4.4.1/templates/operator/dashboard-configmap.yaml diff --git a/charts/airlock/microgateway/4.3.0/templates/operator/deployment.yaml b/charts/airlock/microgateway/4.4.1/templates/operator/deployment.yaml similarity index 100% rename from charts/airlock/microgateway/4.3.0/templates/operator/deployment.yaml rename to charts/airlock/microgateway/4.4.1/templates/operator/deployment.yaml diff --git a/charts/airlock/microgateway/4.3.0/templates/operator/manager-role.yaml b/charts/airlock/microgateway/4.4.1/templates/operator/manager-role.yaml similarity index 100% rename from charts/airlock/microgateway/4.3.0/templates/operator/manager-role.yaml rename to charts/airlock/microgateway/4.4.1/templates/operator/manager-role.yaml diff --git a/charts/airlock/microgateway/4.3.0/templates/operator/manager-rolebinding.yaml b/charts/airlock/microgateway/4.4.1/templates/operator/manager-rolebinding.yaml similarity index 100% rename from charts/airlock/microgateway/4.3.0/templates/operator/manager-rolebinding.yaml rename to charts/airlock/microgateway/4.4.1/templates/operator/manager-rolebinding.yaml diff --git a/charts/airlock/microgateway/4.2.3/templates/operator/metrics-service.yaml b/charts/airlock/microgateway/4.4.1/templates/operator/metrics-service.yaml similarity index 100% rename from charts/airlock/microgateway/4.2.3/templates/operator/metrics-service.yaml rename to charts/airlock/microgateway/4.4.1/templates/operator/metrics-service.yaml diff --git a/charts/airlock/microgateway/4.3.0/templates/operator/mutating-webhook.yaml b/charts/airlock/microgateway/4.4.1/templates/operator/mutating-webhook.yaml similarity index 100% rename from charts/airlock/microgateway/4.3.0/templates/operator/mutating-webhook.yaml rename to charts/airlock/microgateway/4.4.1/templates/operator/mutating-webhook.yaml diff --git a/charts/airlock/microgateway/4.3.0/templates/operator/podmonitor.yaml b/charts/airlock/microgateway/4.4.1/templates/operator/podmonitor.yaml similarity index 100% rename from charts/airlock/microgateway/4.3.0/templates/operator/podmonitor.yaml rename to charts/airlock/microgateway/4.4.1/templates/operator/podmonitor.yaml diff --git a/charts/airlock/microgateway/4.2.3/templates/operator/role.yaml b/charts/airlock/microgateway/4.4.1/templates/operator/role.yaml similarity index 100% rename from charts/airlock/microgateway/4.2.3/templates/operator/role.yaml rename to charts/airlock/microgateway/4.4.1/templates/operator/role.yaml diff --git a/charts/airlock/microgateway/4.2.3/templates/operator/rolebinding.yaml b/charts/airlock/microgateway/4.4.1/templates/operator/rolebinding.yaml similarity index 100% rename from charts/airlock/microgateway/4.2.3/templates/operator/rolebinding.yaml rename to charts/airlock/microgateway/4.4.1/templates/operator/rolebinding.yaml diff --git a/charts/airlock/microgateway/4.2.3/templates/operator/selfsigned-issuer.yaml b/charts/airlock/microgateway/4.4.1/templates/operator/selfsigned-issuer.yaml similarity index 100% rename from charts/airlock/microgateway/4.2.3/templates/operator/selfsigned-issuer.yaml rename to charts/airlock/microgateway/4.4.1/templates/operator/selfsigned-issuer.yaml diff --git a/charts/airlock/microgateway/4.2.3/templates/operator/serviceaccount.yaml b/charts/airlock/microgateway/4.4.1/templates/operator/serviceaccount.yaml similarity index 100% rename from charts/airlock/microgateway/4.2.3/templates/operator/serviceaccount.yaml rename to charts/airlock/microgateway/4.4.1/templates/operator/serviceaccount.yaml diff --git a/charts/airlock/microgateway/4.2.3/templates/operator/servicemonitor.yaml b/charts/airlock/microgateway/4.4.1/templates/operator/servicemonitor.yaml similarity index 100% rename from charts/airlock/microgateway/4.2.3/templates/operator/servicemonitor.yaml rename to charts/airlock/microgateway/4.4.1/templates/operator/servicemonitor.yaml diff --git a/charts/airlock/microgateway/4.2.3/templates/operator/serving-certificate.yaml b/charts/airlock/microgateway/4.4.1/templates/operator/serving-certificate.yaml similarity index 100% rename from charts/airlock/microgateway/4.2.3/templates/operator/serving-certificate.yaml rename to charts/airlock/microgateway/4.4.1/templates/operator/serving-certificate.yaml diff --git a/charts/airlock/microgateway/4.3.0/templates/operator/validating-webhook.yaml b/charts/airlock/microgateway/4.4.1/templates/operator/validating-webhook.yaml similarity index 100% rename from charts/airlock/microgateway/4.3.0/templates/operator/validating-webhook.yaml rename to charts/airlock/microgateway/4.4.1/templates/operator/validating-webhook.yaml diff --git a/charts/airlock/microgateway/4.2.3/templates/operator/webhook-service.yaml b/charts/airlock/microgateway/4.4.1/templates/operator/webhook-service.yaml similarity index 100% rename from charts/airlock/microgateway/4.2.3/templates/operator/webhook-service.yaml rename to charts/airlock/microgateway/4.4.1/templates/operator/webhook-service.yaml diff --git a/charts/airlock/microgateway/4.2.3/templates/operator/xds-service.yaml b/charts/airlock/microgateway/4.4.1/templates/operator/xds-service.yaml similarity index 100% rename from charts/airlock/microgateway/4.2.3/templates/operator/xds-service.yaml rename to charts/airlock/microgateway/4.4.1/templates/operator/xds-service.yaml diff --git a/charts/airlock/microgateway/4.4.1/templates/tests/rbac.yaml b/charts/airlock/microgateway/4.4.1/templates/tests/rbac.yaml new file mode 100644 index 000000000..93bd4cd1b --- /dev/null +++ b/charts/airlock/microgateway/4.4.1/templates/tests/rbac.yaml @@ -0,0 +1,143 @@ +{{- if .Values.tests.enabled -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app.kubernetes.io/component: tests + app.kubernetes.io/name: {{ include "airlock-microgateway.name" . }}-tests + {{- include "airlock-microgateway.sharedLabels" . | nindent 4 }} + name: "{{ include "airlock-microgateway.fullname" . }}-tests" + namespace: {{ .Release.Namespace }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app.kubernetes.io/component: tests + app.kubernetes.io/name: {{ include "airlock-microgateway.name" . }}-tests + {{- include "airlock-microgateway.sharedLabels" . | nindent 4 }} + name: "{{ include "airlock-microgateway.fullname" . }}-tests" + namespace: {{ .Release.Namespace }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: "{{ include "airlock-microgateway.fullname" . }}-tests" +subjects: +- kind: ServiceAccount + name: "{{ include "airlock-microgateway.fullname" . }}-tests" +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + app.kubernetes.io/component: tests + app.kubernetes.io/name: {{ include "airlock-microgateway.name" . }}-tests + {{- include "airlock-microgateway.sharedLabels" . | nindent 4 }} + name: "{{ include "airlock-microgateway.fullname" . }}-tests" + namespace: {{ .Release.Namespace }} +rules: +- apiGroups: + - microgateway.airlock.com + resources: + - sidecargateways + resourceNames: + - "{{ include "airlock-microgateway.fullname" . }}-test-sidecargateway" + verbs: + - get + - list + - watch + - delete +- apiGroups: + - microgateway.airlock.com + resources: + - sidecargateways + verbs: + - create +- apiGroups: + - "" + resources: + - events + verbs: + - list +- apiGroups: + - "apps" + resources: + - deployments + resourceNames: + - "{{ include "airlock-microgateway.operator.fullname" . }}" + verbs: + - get + - list + - watch +- apiGroups: + - "apps" + resources: + - statefulsets + - statefulsets/scale + resourceNames: + - "{{ include "airlock-microgateway.fullname" . }}-test-backend" + verbs: + - get + - list + - watch + - patch +- apiGroups: + - "" + resources: + - pods + - pods/log + - pods/status + - pods/attach + resourceNames: + - "{{ include "airlock-microgateway.fullname" . }}-test-backend-0" + - "{{ include "airlock-microgateway.fullname" . }}-test-valid-request" + - "{{ include "airlock-microgateway.fullname" . }}-test-injection-request" + verbs: + - get + - list + - create + - watch + - delete +- apiGroups: + - "" + resources: + - pods + verbs: + - create +{{- if .Values.operator.watchNamespaceSelector }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/component: tests + app.kubernetes.io/name: {{ include "airlock-microgateway.name" . }}-tests + {{- include "airlock-microgateway.sharedLabels" . | nindent 4 }} + name: "{{ include "airlock-microgateway.fullname" . }}-tests-{{ .Release.Namespace }}" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: "{{ include "airlock-microgateway.fullname" . }}-tests-{{ .Release.Namespace }}" +subjects: + - kind: ServiceAccount + name: "{{ include "airlock-microgateway.fullname" . }}-tests" + namespace: {{ .Release.Namespace }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: tests + app.kubernetes.io/name: {{ include "airlock-microgateway.name" . }}-tests + {{- include "airlock-microgateway.sharedLabels" . | nindent 4 }} + name: "{{ include "airlock-microgateway.fullname" . }}-tests-{{ .Release.Namespace }}" +rules: +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - list +{{- end }} +{{- end -}} diff --git a/charts/airlock/microgateway/4.2.3/templates/tests/service.yaml b/charts/airlock/microgateway/4.4.1/templates/tests/service.yaml similarity index 100% rename from charts/airlock/microgateway/4.2.3/templates/tests/service.yaml rename to charts/airlock/microgateway/4.4.1/templates/tests/service.yaml diff --git a/charts/airlock/microgateway/4.2.3/templates/tests/statefulset.yaml b/charts/airlock/microgateway/4.4.1/templates/tests/statefulset.yaml similarity index 100% rename from charts/airlock/microgateway/4.2.3/templates/tests/statefulset.yaml rename to charts/airlock/microgateway/4.4.1/templates/tests/statefulset.yaml diff --git a/charts/airlock/microgateway/4.4.1/templates/tests/test-install.yaml b/charts/airlock/microgateway/4.4.1/templates/tests/test-install.yaml new file mode 100644 index 000000000..721ae2b82 --- /dev/null +++ b/charts/airlock/microgateway/4.4.1/templates/tests/test-install.yaml @@ -0,0 +1,227 @@ +{{- if .Values.tests.enabled -}} +apiVersion: v1 +kind: Pod +metadata: + name: "{{ include "airlock-microgateway.fullname" . }}-test-install" + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/component: test-install + app.kubernetes.io/name: {{ include "airlock-microgateway.name" . }}-tests + sidecar.istio.io/inject: "false" + {{- include "airlock-microgateway.sharedLabels" . | nindent 4 }} + {{- include "airlock-microgateway.sharedSelectorLabels" . | nindent 4 }} + annotations: + helm.sh/hook: test + helm.sh/hook-delete-policy: before-hook-creation +spec: + restartPolicy: Never + containers: + - name: test + image: "bitnami/kubectl:{{ .Capabilities.KubeVersion.Major }}.{{ .Capabilities.KubeVersion.Minor }}" + securityContext: + {{- include "airlock-microgateway.restrictedSecurityContext" . | nindent 6 }} + command: + - sh + - -c + - | + set -eu + + clean_up() { + echo "" + echo "### Clean up test resources" + kubectl delete --ignore-not-found=true -n {{ .Release.Namespace }} sidecargateways.microgateway.airlock.com {{ include "airlock-microgateway.fullname" . }}-test-sidecargateway || true + echo "" + echo "### Scale down '{{ include "airlock-microgateway.fullname" . }}-test-backend'" + kubectl scale -n {{ .Release.Namespace }} statefulset/{{ include "airlock-microgateway.fullname" . }}-test-backend --replicas=0 --timeout=60s + sleep 3s + echo "" + } + + fail() { + echo "" + echo "### Error: ${1}" + echo "" + + if kubectl get -n {{ .Release.Namespace }} sidecargateway.microgateway.airlock.com/{{ include "airlock-microgateway.fullname" . }}-test-sidecargateway >/dev/null 2>&1; then + echo "" + echo 'Microgateway Sidecargateway status:' + kubectl get -n {{ .Release.Namespace }} sidecargateway.microgateway.airlock.com/{{ include "airlock-microgateway.fullname" . }}-test-sidecargateway -o jsonpath-as-json='{.status}' || true + echo "" + echo "" + fi + + if kubectl get -n {{ .Release.Namespace }} pods/{{ include "airlock-microgateway.fullname" . }}-test-backend-0 >/dev/null 2>&1; then + echo "Pod '{{ include "airlock-microgateway.fullname" . }}-test-backend-0':" + kubectl describe -n {{ .Release.Namespace }} pods/{{ include "airlock-microgateway.fullname" . }}-test-backend-0 || true + echo "" + echo "" + echo 'Logs of Nginx container:' + kubectl logs -n {{ .Release.Namespace }} pods/{{ include "airlock-microgateway.fullname" . }}-test-backend-0 -c nginx --tail 5 || true + echo "" + echo "" + # Wait for engine logs + sleep 10s + echo 'Logs of Microgateway Engine container:' + kubectl logs -n {{ .Release.Namespace }} pods/{{ include "airlock-microgateway.fullname" . }}-test-backend-0 -c airlock-microgateway-engine --tail 5 || true + fi + + exit 1 + } + + create_sidecargateway() { + # create SidecarGateway resource for testing purposes + kubectl delete --ignore-not-found=true -n {{ .Release.Namespace }} sidecargateways.microgateway.airlock.com {{ include "airlock-microgateway.fullname" . }}-test-sidecargateway || true + kubectl apply -f - </dev/null 2>&1; do sleep 1s; i=$((i+1)); done + kubectl logs -f -n {{ .Release.Namespace }} {{ include "airlock-microgateway.fullname" . }}-test-valid-request + kubectl delete pod --ignore-not-found=true -n {{ .Release.Namespace }} {{ include "airlock-microgateway.fullname" . }}-test-valid-request + } + + {{- if .Values.operator.watchNamespaceSelector }} + echo "### Verify that Namespace Selector matches Namespace '{{ .Release.Namespace }}'" + if ! kubectl get namespace -l '{{ include "airlock-microgateway.watchNamespaceSelector.labelQuery" .Values.operator.watchNamespaceSelector }}' | grep -q {{ .Release.Namespace }}; then + labels=$(kubectl get namespace {{ .Release.Namespace }} -o jsonpath={.metadata.labels} | jq | awk '{print " " $0}') + fail {{printf `"Operator namespace '%s' is not part of the operator's watch scope. To execute 'helm test', the selector configured in the helm value 'operator.watchNamespaceSelector' must match the namespace's labels:\n* Current selector:\n%s\n\n* Current labels:\n$labels\n###"` + .Release.Namespace + (replace "\"" "\\\"" (replace "\n" "\\n" (.Values.operator.watchNamespaceSelector | toPrettyJson | indent 2))) + }} + fi + echo "" + {{- end }} + + trap clean_up EXIT + echo "" + + echo "### Waiting for Microgateway Operator Deployments to be ready" + if ! kubectl rollout status -n {{ .Release.Namespace }} --timeout=90s \ + deployments/{{ include "airlock-microgateway.operator.fullname" . }}; then + fail 'Timeout occurred' + fi + echo "" + + echo "### Scale '{{ include "airlock-microgateway.fullname" . }}-test-backend' to '1' replica" + # scale to zero replicas to ensure no pods are present from previous runs + kubectl scale -n {{ .Release.Namespace }} statefulset/{{ include "airlock-microgateway.fullname" . }}-test-backend --replicas=0 --timeout=10s + kubectl scale -n {{ .Release.Namespace }} statefulset/{{ include "airlock-microgateway.fullname" . }}-test-backend --replicas=1 --timeout=10s + echo "" + + echo "### Waiting for backend pod" + i=0 + while true; do + if kubectl get -n {{ .Release.Namespace }} pods/{{ include "airlock-microgateway.fullname" . }}-test-backend-0; then + break + elif [ $i -gt 3 ]; then + fail 'Pod not ready' + fi + sleep 2s + i=$((i+1)) + done + + echo "### Checking Microgateway Engine sidecar container was injected" + if ! kubectl get -n {{ .Release.Namespace }} pods/{{ include "airlock-microgateway.fullname" . }}-test-backend-0 -o jsonpath='{.spec.containers[?(@.name=="airlock-microgateway-engine")]}' | grep -q "airlock-microgateway-engine"; then + fail 'Microgateway Engine sidecar container not injected' + fi + echo "True" + echo "" + + echo "### Checking for valid license" + i=0 + while true; do + if [ "$(kubectl get -n {{ .Release.Namespace }} pods/{{ include "airlock-microgateway.fullname" . }}-test-backend-0 -o jsonpath='{.metadata.labels.sidecar\.microgateway\.airlock\.com/licensed}')" = 'true' ]; then + break + elif [ $i -gt 30 ]; then + fail 'Microgateway license is missing or invalid' + fi + sleep 2s + i=$((i+1)) + done + echo "True" + echo "" + + echo "### Create SidecarGateway resource for testing" + if ! create_sidecargateway ; then + fail 'Creation of SidecarGateway resource failed' + fi + echo "" + + echo "### Waiting for '{{ include "airlock-microgateway.fullname" . }}-test-backend' to be ready" + if ! kubectl rollout status -n {{ .Release.Namespace }} statefulset/{{ include "airlock-microgateway.fullname" . }}-test-backend --timeout=90s; then + fail 'Timeout occurred' + fi + echo "" + + echo "### Waiting for 'engine-config-valid' condition" + if ! kubectl wait -n {{ .Release.Namespace }} pods --field-selector=metadata.name={{ include "airlock-microgateway.fullname" . }}-test-backend-0 --timeout=90s --for=condition=microgateway.airlock.com/engine-config-valid=True; then + fail 'Configuration was never accepted by the Microgateway Engine' + fi + sleep 5s + echo "" + echo "" + + echo "### Checking whether a valid request is successful and returns HTTP status code '200'" + out=$(curl -vsS --retry 3 --retry-connrefused --connect-timeout 10 "http://{{ include "airlock-microgateway.fullname" . }}-test-service:8080/" || true) + echo "Response:" + echo "${out}" + if ! echo "${out}" | grep -q "200 OK"; then + fail 'A valid request was not successful' + fi + echo "" + echo "" + + echo "### Checking whether a request with an injection attack is blocked and returns HTTP status code '400'" + out=$(curl -vsS --retry 3 --retry-connrefused --connect-timeout 10 "http://{{ include "airlock-microgateway.fullname" . }}-test-service:8080/?token='%20UnION%20all%20select%20A" || true) + echo "Response:" + echo "${out}" + if ! echo "${out}" | grep -q "400 Bad Request"; then + fail 'A malicious request was not blocked' + fi + echo "" + echo "" + + echo "### Installation of '{{ include "airlock-microgateway.fullname" . }}' succeeded" + exit 0 + serviceAccountName: "{{ include "airlock-microgateway.fullname" . }}-tests" +{{- end -}} diff --git a/charts/airlock/microgateway/4.4.1/values.schema.json b/charts/airlock/microgateway/4.4.1/values.schema.json new file mode 100644 index 000000000..05c7d7717 --- /dev/null +++ b/charts/airlock/microgateway/4.4.1/values.schema.json @@ -0,0 +1,572 @@ +{ + "$schema": "https://json-schema.org/draft/2020-12/schema", + "type": "object", + "properties": { + "nameOverride": { + "type": "string" + }, + "fullnameOverride": { + "type": "string" + }, + "commonLabels": { + "$ref": "#/definitions/StringMap" + }, + "commonAnnotations": { + "$ref": "#/definitions/StringMap" + }, + "crds": { + "type": "object", + "properties": { + "skipVersionCheck": { + "type": "boolean" + } + }, + "additionalProperties": false + }, + "imagePullSecrets": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "minLength": 1 + } + }, + "required": [ + "name" + ], + "additionalProperties": true + } + }, + "operator": { + "type": "object", + "properties": { + "replicaCount": { + "type": "integer", + "minimum": 0 + }, + "updateStrategy": { + "$ref": "#/definitions/UpdateStrategy" + }, + "image": { + "$ref": "#/definitions/Image" + }, + "podAnnotations": { + "$ref": "#/definitions/StringMap" + }, + "podLabels": { + "$ref": "#/definitions/StringMap" + }, + "serviceAnnotations": { + "$ref": "#/definitions/StringMap" + }, + "serviceLabels": { + "$ref": "#/definitions/StringMap" + }, + "resources": { + "type": "object" + }, + "nodeSelector": { + "$ref": "#/definitions/StringMap" + }, + "tolerations": { + "type": "array", + "items": { + "type": "object" + } + }, + "affinity": { + "type": "object" + }, + "config": { + "type": "object", + "properties": { + "logLevel": { + "type": "string", + "enum": [ + "debug", + "info", + "warn", + "error" + ] + } + }, + "required": [ + "logLevel" + ], + "additionalProperties": false + }, + "serviceAccount": { + "type": "object", + "properties": { + "create": { + "type": "boolean" + }, + "annotations": { + "$ref": "#/definitions/StringMap" + }, + "name": { + "type": "string" + } + }, + "required": [ + "annotations", + "create", + "name" + ], + "additionalProperties": false + }, + "watchNamespaces": { + "type": "array", + "items": { + "type": "string" + } + }, + "watchNamespaceSelector": { + "$ref": "#/definitions/LabelSelector" + }, + "rbac": { + "type": "object", + "properties": { + "create": { + "type": "boolean" + } + }, + "required": [ + "create" + ], + "additionalProperties": false + }, + "serviceMonitor": { + "type": "object", + "properties": { + "create": { + "type": "boolean" + }, + "labels": { + "$ref": "#/definitions/StringMap" + } + }, + "required": [ + "create" + ], + "additionalProperties": false + }, + "gatewayAPI": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "controllerName" : { + "type": "string", + "pattern": "^microgateway\\.airlock\\.com\/[A-Za-z0-9\/\\-._~%!$&'()*+,;=:]+$" + } + }, + "required": [ + "enabled" + ], + "additionalProperties": false + } + }, + "oneOf": [ + { + "properties": { + "watchNamespaces": { + "minItems": 1 + }, + "watchNamespaceSelector": { + "additionalProperties": false + } + } + }, + { + "properties": { + "watchNamespaces": { + "maxItems": 0 + }, + "watchNamespaceSelector": { + "$ref": "#/definitions/LabelSelector" + } + } + } + ], + "required": [ + "affinity", + "config", + "image", + "updateStrategy", + "nodeSelector", + "podAnnotations", + "podLabels", + "rbac", + "replicaCount", + "resources", + "serviceAccount", + "serviceAnnotations", + "serviceLabels", + "serviceMonitor", + "tolerations" + ], + "additionalProperties": false + }, + "engine": { + "type": "object", + "properties": { + "image": { + "$ref": "#/definitions/Image" + }, + "resources": { + "type": "object" + }, + "sidecar": { + "type": "object", + "properties":{ + "podMonitor": { + "type": "object", + "properties": { + "create": { + "type": "boolean" + }, + "labels": { + "$ref": "#/definitions/StringMap" + } + }, + "required": [ + "create" + ], + "additionalProperties": false + } + }, + "required": [ + "podMonitor" + ], + "additionalProperties": false + } + }, + "required": [ + "image", + "resources", + "sidecar" + ], + "additionalProperties": false + }, + "networkValidator": { + "type": "object", + "properties": { + "image": { + "$ref": "#/definitions/Image" + }, + "resources": { + "type": "object" + } + }, + "required": [ + "image", + "resources" + ], + "additionalProperties": false + }, + "sessionAgent": { + "type": "object", + "properties": { + "image": { + "$ref": "#/definitions/Image" + }, + "resources": { + "type": "object" + } + }, + "required": [ + "image", + "resources" + ], + "additionalProperties": false + }, + "license": { + "type": "object", + "properties": { + "secretName": { + "type": "string", + "minLength": 1 + } + }, + "required": [ + "secretName" + ], + "additionalProperties": false + }, + "dashboards": { + "type": "object", + "properties" : { + "create": { + "type": "boolean" + }, + "config": { + "type": "object", + "properties": { + "grafana": { + "type": "object", + "properties": { + "folderAnnotation": { + "$ref": "#/definitions/NameValuePair" + }, + "dashboardLabel": { + "$ref": "#/definitions/NameValuePair" + } + }, + "required": [ + "folderAnnotation", + "dashboardLabel" + ], + "additionalProperties": false + } + }, + "required": [ + "grafana" + ], + "additionalProperties": false + }, + "instances": { + "type": "object", + "properties": { + "overview": { + "$ref": "#/definitions/DashboardInstance" + }, + "license" : { + "$ref": "#/definitions/DashboardInstance" + }, + "blockMetrics" : { + "$ref": "#/definitions/DashboardInstance" + }, + "blockLogs" : { + "$ref": "#/definitions/DashboardInstance" + }, + "headerLogs" : { + "$ref": "#/definitions/DashboardInstance" + }, + "logOnlyMetrics" : { + "$ref": "#/definitions/DashboardInstance" + }, + "logOnlyLogs" : { + "$ref": "#/definitions/DashboardInstance" + } + }, + "required": [ + "overview", + "license", + "blockMetrics", + "blockLogs", + "headerLogs", + "logOnlyMetrics", + "logOnlyLogs" + ], + "additionalProperties": false + } + }, + "required": [ + "create", + "config", + "instances" + ], + "additionalProperties": false + }, + "tests": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + } + }, + "required": [ + "enabled" + ], + "additionalProperties": false + }, + "global": { + "type": "object" + } + }, + "required": [ + "commonAnnotations", + "commonLabels", + "crds", + "engine", + "fullnameOverride", + "imagePullSecrets", + "license", + "nameOverride", + "operator", + "networkValidator", + "sessionAgent", + "dashboards", + "tests" + ], + "additionalProperties": false, + "definitions": { + "StringMap": { + "type": "object", + "additionalProperties": { + "type": "string" + } + }, + "Image": { + "type": "object", + "properties": { + "repository": { + "type": "string", + "minLength": 1 + }, + "tag": { + "type": "string" + }, + "digest": { + "type": "string", + "pattern": "^$|^sha256:[a-f0-9]{64}$" + }, + "pullPolicy": { + "type": "string", + "enum": [ + "Always", + "IfNotPresent", + "Never" + ] + } + }, + "required": [ + "digest", + "pullPolicy", + "repository", + "tag" + ], + "additionalProperties": false + }, + "LabelSelector": { + "type": "object", + "properties": { + "matchExpressions": { + "type": "array", + "items": { + "type": "object", + "required": [ + "key", + "operator" + ], + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "type": "array", + "items": { + "type": "string" + } + } + }, + "additionalProperties": false + } + }, + "matchLabels": { + "$ref": "#/definitions/StringMap" + } + }, + "additionalProperties": false + }, + "UpdateStrategy": { + "type": "object", + "oneOf" : [ + { + "properties": { + "type": { + "$ref": "#/definitions/RecreateType" + } + }, + "required": [ + "type" + ], + "additionalProperties": false + }, + { + "properties": { + "type": { + "$ref": "#/definitions/RollingUpdateType" + }, + "rollingUpdate": { + "$ref": "#/definitions/RollingUpdate" + } + }, + "required": [ + "type" + ], + "additionalProperties": false + } + ] + }, + "RecreateType": { + "type": "string", + "enum": [ + "Recreate" + ] + }, + "RollingUpdateType": { + "type": "string", + "enum": [ + "RollingUpdate" + ] + }, + "RollingUpdate": { + "type": "object", + "properties": { + "maxSurge": { + "type": ["integer", "string"], + "minimum": 0, + "pattern": "^\\d+%?$" + }, + "maxUnavailable": { + "type": ["integer", "string"], + "minimum": 0, + "pattern": "^\\d+%?$" + } + }, + "anyOf": [ + {"required": ["maxSurge"]}, + {"required": ["maxUnavailable"]} + ], + "additionalProperties": false + }, + "DashboardInstance" : { + "type" : "object", + "properties" : { + "create" : { + "type" : "boolean" + } + }, + "required" : [ + "create" + ], + "additionalProperties": false + }, + "NameValuePair" : { + "type" : "object", + "properties" : { + "name" : { + "type": "string", + "minLength": 1 + }, + "value" : { + "type" : "string", + "minLength": 1 + } + }, + "required" : [ + "name", + "value" + ], + "additionalProperties": false + } + } +} diff --git a/charts/airlock/microgateway/4.4.1/values.yaml b/charts/airlock/microgateway/4.4.1/values.yaml new file mode 100644 index 000000000..f0f598ea1 --- /dev/null +++ b/charts/airlock/microgateway/4.4.1/values.yaml @@ -0,0 +1,237 @@ +# -- Allows overriding the name to use instead of "microgateway". +nameOverride: "" +# -- Allows overriding the name to use as full name of resources. +fullnameOverride: "" +# -- Labels to add to all resources. +commonLabels: {} +# -- Annotations to add to all resources. +commonAnnotations: {} +# -- ImagePullSecrets to use when pulling images. +imagePullSecrets: [] +# - name: myRegistryKeySecretName + +crds: + # -- Whether to skip the sanity check which prevents installing/upgrading the helm chart in a cluster with outdated Airlock Microgateway CRDs. + # The check aims to prevent unexpected behavior and issues due to Helm v3 not automatically upgrading CRDs which are already present in the cluster + # when performing a "helm install/upgrade". + skipVersionCheck: false +operator: + # -- Number of replicas for the operator Deployment. + replicaCount: 2 + # -- Specifies the operator update strategy. + updateStrategy: + type: RollingUpdate + # Specifies the Airlock Microgateway Operator image. + image: + # -- Image repository from which to pull the Airlock Microgateway Operator image. + repository: "quay.io/airlock/microgateway-operator" + # -- Image tag to pull. + tag: "4.4.1" + # -- SHA256 image digest to pull (in the format "sha256:c79ee3f85862fb386e9dd62b901b607161d27807f512d7fbdece05e9ee3d7c63"). + # Overrides tag when specified. + digest: "sha256:1133c3e59418eec1721683e68dd19faca577609ace6eebd010a56e52b1f75789" + # -- Pull policy for this image. + pullPolicy: IfNotPresent + # -- Annotations to add to all Pods. + podAnnotations: {} + # -- Labels to add to all Pods. + podLabels: {} + # -- Annotations to add to the Service. + serviceAnnotations: {} + # prometheus.io/scrape: "true" + # prometheus.io/port: "8080" + + # -- Labels to add to the Service. + serviceLabels: {} + # -- Resource restrictions to apply to the operator container. + resources: {} + # We recommend at least the following resource specification. + # limits: + # cpu: 1000m + # memory: 512Mi + # requests: + # cpu: 100m + # memory: 512Mi + + # -- Custom nodeSelector to apply to the operator Deployment in order to constrain its Pods to certain nodes. + nodeSelector: {} + # -- Custom tolerations to apply to the operator Deployment in order to allow its Pods to run on tainted nodes. + tolerations: [] + # -- Custom affinity to apply to the operator Deployment. Used to influence the scheduling. + affinity: {} + # Parameters for the operator configuration. + config: + # -- Operator application log level. + logLevel: "info" + # Configures the generation of the ServiceAccount. + serviceAccount: + # -- Whether a ServiceAccount should be created. + create: true + # -- Annotations to add to the ServiceAccount. + annotations: {} + # -- Name of the ServiceAccount to use. + # If not set and create is true, a name is generated using the fullname template. + name: "" + # -- Allows to restrict the operator to specific namespaces, depending on your needs. + # For a `OwnNamespace` or `SingleNamespace` installation the list may only contain one namespace (e.g., `watchNamespaces: ["airlock-microgateway-system"]`). + # In case of the `OwnNamespace` installation mode the specified namespace should be equal to the installation namespace. + # For a static `MultiNamespace` installation, the complete list of namespaces must be provided in the `watchNamespaces`. + # An `AllNamespaces` installation or the usage of the `watchNamespaceSelector` requires the `watchNamespaces` to be empty. + # Regardless of the installation modes supported by `watchNamespaces`, RBAC is created only namespace-scoped (using Roles and RoleBindings) in the respective namespaces. + # Please note that this feature requires a Premium license. + watchNamespaces: [] + # -- Allows to dynamically select watch namespaces of the operator and the scope of the webhooks based on a Namespace label selector. + # It is able to detect and reconcile resources in all namespaces that match the label selector automatically, even for new namespaces, without restarting the operator. + # This facilitates a dynamic `MultiNamespace` installation mode, but still requires cluster-scoped permissions (i.e., ClusterRoles and ClusterRoleBindings). + # An `AllNamespaces` installation or the usage of the `watchNamespaces` requires the `watchNamespaceSelector` to be empty. + # Please note that this feature requires a Premium license. + watchNamespaceSelector: {} + # For further examples, see: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#resources-that-support-set-based-requirements. + # matchLabels: + # microgateway.airlock.com/enable: "true" + # matchExpressions: + # - { key: environment, operator: NotIn, values: [dev] } + + # Configures the generation of Role and RoleBinding as well as ClusterRoles and ClusterRoleBinding pairs for the ServiceAccount specified above. + rbac: + # -- Whether to create RBAC resources which are required for the Airlock Microgateway Operator to function. + create: true + # Configures the generation of a Prometheus Operator ServiceMonitor. + serviceMonitor: + # -- Whether to create a ServiceMonitor resource for monitoring. + create: false + # -- Labels to add to the ServiceMonitor. + labels: {} + # release: "" + # Configures the Kubernetes Gateway API integration. + gatewayAPI: + # -- Whether to enable the Kubernetes Gateway API related controllers. + # Requires that the gateway.networking.k8s.io/v1 resources are installed on the cluster. + enabled: false + # -- Controller name referred in the GatewayClasses managed by this operator. The value must be a path prefixed by the domain `microgateway.airlock.com`. + controllerName: microgateway.airlock.com/gatewayclass-controller +engine: + # Specifies the Airlock Microgateway Engine image. + image: + # -- Image repository from which to pull the Airlock Microgateway Engine image. + repository: "quay.io/airlock/microgateway-engine" + # -- Image tag to pull. + tag: "4.4.1" + # -- SHA256 image digest to pull (in the format "sha256:a3051f42d3013813b05f7513bb86ed6a3209cb3003f1bb2f7b72df249aa544d3"). + # Overrides tag when specified. + digest: "sha256:06573ef5e6769dbd6eb8606e34c56f1ad2084b6adcae9925b1d2d153a45cbc47" + # -- Pull policy for this image. + pullPolicy: IfNotPresent + # -- Resource restrictions to apply to the Airlock Microgateway Engine container. + resources: {} + # We recommend at least the following resource specification. + # limits: + # cpu: 500m + # memory: 128Mi + # requests: + # cpu: 10m + # memory: 40Mi + + # Additional configuration when deployed as a sidecar. + sidecar: + # Configures the generation of a Prometheus Operator PodMonitor. + podMonitor: + # -- Whether to create a PodMonitor resource for monitoring. + create: false + # -- Labels to add to the PodMonitor. + labels: {} + # release: "" +networkValidator: + # Specifies the Airlock Microgateway Network Validator image to be injected as an init-container. + image: + # -- Image repository from which to pull the netcat image for the Airlock Microgateway Network Validator init-container. + repository: "cgr.dev/chainguard/netcat" + # -- Image tag to pull. + tag: "" + # -- SHA256 image digest to pull (in the format "sha256:7ef657ce316ce9d86f90c1dc99702d1190877c6ac2e923e696dc82c30050a14c"). + # Overrides tag when specified. + digest: "sha256:7ef657ce316ce9d86f90c1dc99702d1190877c6ac2e923e696dc82c30050a14c" + # -- Pull policy for this image. + pullPolicy: IfNotPresent + # -- Resource restrictions to apply to the Airlock Microgateway Network Validator init-container. + resources: + limits: + cpu: 25m + memory: 12Mi + requests: + cpu: 5m + memory: 1Mi +sessionAgent: + # Specifies the Airlock Microgateway Session Agent image. + image: + # -- Image repository from which to pull the Airlock Microgateway Session Agent image. + repository: "quay.io/airlock/microgateway-session-agent" + # -- Image tag to pull. + tag: "4.4.1" + # -- SHA256 image digest to pull (in the format "sha256:a3051f42d3013813b05f7513bb86ed6a3209cb3003f1bb2f7b72df249aa544d3"). + # Overrides tag when specified. + digest: "sha256:733a25f61ea7cf43c0a46da7d3ecb9a263bda49bf60e1fd8e4162be33aa24b7b" + # -- Pull policy for this image. + pullPolicy: IfNotPresent + # -- Resource restrictions to apply to the Airlock Microgateway Session Agent container. + resources: {} + # We recommend at least the following resource specification. + # limits: + # cpu: 150m + # memory: 32Mi + # requests: + # cpu: 10m + # memory: 8Mi +license: + # -- Name of the secret containing the "microgateway-license.txt" key. + secretName: "airlock-microgateway-license" +# Creates dashboards in the form of ConfigMaps that can be imported +# by Grafana using its sidecar setup. +dashboards: + # -- Whether to create any ConfigMaps containing Grafana dashboards to import. + create: false + config: + # Configures the necessary label and annotations along with their values + # to enable Grafana to correctly identify the ConfigMaps containing + # dashboards and file them within a dedicated folder in the dashboard overview. + # These settings need to match the Grafana sidecar configuration. + grafana: + folderAnnotation: + # -- Name of the annotation containing the folder name to file dashboards into. + name: "grafana_folder" + # -- Name of the folder dashboards are filed into within the Grafana UI. + value: "Airlock Microgateway" + dashboardLabel: + # -- Name of the label that lets Grafana identify ConfigMaps that represent dashboards. + name: "grafana_dashboard" + # -- Value of the label that lets Grafana identify ConfigMaps that represent dashboards. + value: "1" + instances: + # Available dashboard instances that can be individually created/deployed. + overview: + # -- Whether to create the overview dashboard. + create: true + license: + # -- Whether to create the license dashboard. + create: true + blockMetrics: + # -- Whether to create the block metrics dashboard. + create: true + blockLogs: + # -- Whether to create the block logs dashboard. + create: true + headerLogs: + # -- Whether to create the header rewrite logs dashboard. + create: true + logOnlyMetrics: + # -- Whether to create the log only metrics dashboard + create: true + logOnlyLogs: + # -- Whether to create the log only logs dashboard. + create: true +# Check whether the installation of the Airlock Microgateway Helm Chart was successful. +# Requires a secret with a valid Airlock Microgateway license key already to be present. +tests: + # -- Whether additional resources required for running `helm test` should be created (e.g. Roles and ServiceAccounts). + # If set to false, `helm test` will not run any tests. + enabled: false diff --git a/charts/kasten/k10/7.0.1401/Chart.lock b/charts/kasten/k10/7.0.1401/Chart.lock new file mode 100644 index 000000000..b1b447114 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/Chart.lock @@ -0,0 +1,9 @@ +dependencies: +- name: grafana + repository: "" + version: 8.5.8 +- name: prometheus + repository: "" + version: 25.28.0 +digest: sha256:4af966da2fe3b7163bec3c5da98178c8232d6a6ad4405c8e592d38a6832ce704 +generated: "2024-11-15T16:25:38.370071605Z" diff --git a/charts/kasten/k10/7.0.1401/Chart.yaml b/charts/kasten/k10/7.0.1401/Chart.yaml new file mode 100644 index 000000000..3e1dd214a --- /dev/null +++ b/charts/kasten/k10/7.0.1401/Chart.yaml @@ -0,0 +1,25 @@ +annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: K10 + catalog.cattle.io/kube-version: '>= 1.17.0-0' + catalog.cattle.io/release-name: k10 +apiVersion: v2 +appVersion: 7.0.14 +dependencies: +- condition: grafana.enabled + name: grafana + repository: "" + version: 8.5.8 +- condition: prometheus.server.enabled + name: prometheus + repository: "" + version: 25.28.0 +description: Kasten’s K10 Data Management Platform +home: https://kasten.io/ +icon: file://assets/icons/k10.png +kubeVersion: '>= 1.17.0-0' +maintainers: +- email: contact@kasten.io + name: kastenIO +name: k10 +version: 7.0.1401 diff --git a/charts/kasten/k10/7.0.1401/README.md b/charts/kasten/k10/7.0.1401/README.md new file mode 100644 index 000000000..7dbccc9c7 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/README.md @@ -0,0 +1,344 @@ +# Kasten's K10 Helm chart. + +[Kasten's k10](https://docs.kasten.io/) is a data lifecycle management system for all your persistence.enabled +container-based applications. + +## TL;DR; + +```console +$ helm install kasten/k10 --name=k10 --namespace=kasten-io +``` +Additionally, K10 images are available in Platform One's **Iron Bank** hardened container registry. +To install using these images, follow the instructions found +[here](https://docs.kasten.io/latest/install/ironbank.html). + +## Introduction + +This chart bootstraps Kasten's K10 platform on a [Kubernetes](http://kubernetes.io) cluster using +the [Helm](https://helm.sh) package manager. + +## Prerequisites + +- Kubernetes 1.23 - 1.26 + +## Installing the Chart + +To install the chart on a [GKE](https://cloud.google.com/container-engine/) cluster + +```console +$ helm install kasten/k10 --name=k10 --namespace=kasten-io +``` + +To install the chart on an [AWS](https://aws.amazon.com/) [kops](https://github.com/kubernetes/kops)-created cluster + +```console +$ helm install kasten/k10 --name=k10 --namespace=kasten-io --set secrets.awsAccessKeyId="${AWS_ACCESS_KEY_ID}" \ + --set secrets.awsSecretAccessKey="${AWS_SECRET_ACCESS_KEY}" +``` + +> **Tip**: List all releases using `helm list` + +## Uninstalling the Chart + +To uninstall/delete the `k10` application: + +```console +$ helm delete k10 --purge +``` + +## Configuration + +The following table lists the configurable parameters of the K10 +chart and their default values. + +Parameter | Description | Default +--- | --- | --- +`eula.accept`| Whether to enable accept EULA before installation | `false` +`eula.company` | Company name. Required field if EULA is accepted | `None` +`eula.email` | Contact email. Required field if EULA is accepted | `None` +`license` | License string obtained from Kasten | `None` +`rbac.create` | Whether to enable RBAC with a specific cluster role and binding for K10 | `true` +`scc.create` | Whether to create a SecurityContextConstraints for K10 ServiceAccounts | `false` +`scc.priority` | Sets the SecurityContextConstraints priority | `15` +`services.dashboardbff.hostNetwork` | Whether the dashboardbff pods may use the node network | `false` +`services.executor.hostNetwork` | Whether the executor pods may use the node network | `false` +`services.aggregatedapis.hostNetwork` | Whether the aggregatedapis pods may use the node network | `false` +`serviceAccount.create`| Specifies whether a ServiceAccount should be created | `true` +`serviceAccount.name` | The name of the ServiceAccount to use. If not set, a name is derived using the release and chart names. | `None` +`ingress.create` | Specifies whether the K10 dashboard should be exposed via ingress | `false` +`ingress.name` | Optional name of the Ingress object for the K10 dashboard. If not set, the name is formed using the release name. | `{Release.Name}-ingress` +`ingress.class` | Cluster ingress controller class: `nginx`, `GCE` | `None` +`ingress.host` | FQDN (e.g., `k10.example.com`) for name-based virtual host | `None` +`ingress.urlPath` | URL path for K10 Dashboard (e.g., `/k10`) | `Release.Name` +`ingress.pathType` | Specifies the path type for the ingress resource | `ImplementationSpecific` +`ingress.annotations` | Additional Ingress object annotations | `{}` +`ingress.tls.enabled` | Configures a TLS use for `ingress.host` | `false` +`ingress.tls.secretName` | Optional TLS secret name | `None` +`ingress.defaultBackend.service.enabled` | Configures the default backend backed by a service for the K10 dashboard Ingress (mutually exclusive setting with `ingress.defaultBackend.resource.enabled`). | `false` +`ingress.defaultBackend.service.name` | The name of a service referenced by the default backend (required if the service-backed default backend is used). | `None` +`ingress.defaultBackend.service.port.name` | The port name of a service referenced by the default backend (mutually exclusive setting with port `number`, required if the service-backed default backend is used). | `None` +`ingress.defaultBackend.service.port.number` | The port number of a service referenced by the default backend (mutually exclusive setting with port `name`, required if the service-backed default backend is used). | `None` +`ingress.defaultBackend.resource.enabled` | Configures the default backend backed by a resource for the K10 dashboard Ingress (mutually exclusive setting with `ingress.defaultBackend.service.enabled`). | `false` +`ingress.defaultBackend.resource.apiGroup` | Optional API group of a resource backing the default backend. | `''` +`ingress.defaultBackend.resource.kind` | The type of a resource being referenced by the default backend (required if the resource default backend is used). | `None` +`ingress.defaultBackend.resource.name` | The name of a resource being referenced by the default backend (required if the resource default backend is used). | `None` +`global.persistence.size` | Default global size of volumes for K10 persistent services | `20Gi` +`global.persistence.catalog.size` | Size of a volume for catalog service | `global.persistence.size` +`global.persistence.jobs.size` | Size of a volume for jobs service | `global.persistence.size` +`global.persistence.logging.size` | Size of a volume for logging service | `global.persistence.size` +`global.persistence.metering.size` | Size of a volume for metering service | `global.persistence.size` +`global.persistence.storageClass` | Specified StorageClassName will be used for PVCs | `None` +`global.podLabels` | Configures custom labels to be set to all Kasten pods | `None` +`global.podAnnotations` | Configures custom annotations to be set to all Kasten pods | `None` +`global.airgapped.repository` | Specify the helm repository for offline (airgapped) installation | `''` +`global.imagePullSecret` | Provide secret which contains docker config for private repository. Use `k10-ecr` when secrets.dockerConfigPath is used. | `''` +`global.prometheus.external.host` | Provide external prometheus host name | `''` +`global.prometheus.external.port` | Provide external prometheus port number | `''` +`global.prometheus.external.baseURL` | Provide Base URL of external prometheus | `''` +`global.network.enable_ipv6` | Enable `IPv6` support for K10 | `false` +`google.workloadIdentityFederation.enabled` | Enable Google Workload Identity Federation for K10 | `false` +`google.workloadIdentityFederation.idp.type` | Identity Provider type for Google Workload Identity Federation for K10 | `''` +`google.workloadIdentityFederation.idp.aud` | Audience for whom the ID Token from Identity Provider is intended | `''` +`secrets.awsAccessKeyId` | AWS access key ID (required for AWS deployment) | `None` +`secrets.awsSecretAccessKey` | AWS access key secret | `None` +`secrets.awsIamRole` | ARN of the AWS IAM role assumed by K10 to perform any AWS operation. | `None` +`secrets.awsClientSecretName` | The secret that contains AWS access key ID, AWS access key secret and AWS IAM role for AWS | `None` +`secrets.googleApiKey` | Non-default base64 encoded GCP Service Account key | `None` +`secrets.googleProjectId` | Sets Google Project ID other than the one used in the GCP Service Account | `None` +`secrets.azureTenantId` | Azure tenant ID (required for Azure deployment) | `None` +`secrets.azureClientId` | Azure Service App ID | `None` +`secrets.azureClientSecret` | Azure Service APP secret | `None` +`secrets.azureClientSecretName` | The secret that contains ClientID, ClientSecret and TenantID for Azure | `None` +`secrets.azureResourceGroup` | Resource Group name that was created for the Kubernetes cluster | `None` +`secrets.azureSubscriptionID` | Subscription ID in your Azure tenant | `None` +`secrets.azureResourceMgrEndpoint` | Resource management endpoint for the Azure Stack instance | `None` +`secrets.azureADEndpoint` | Azure Active Directory login endpoint | `None` +`secrets.azureADResourceID` | Azure Active Directory resource ID to obtain AD tokens | `None` +`secrets.microsoftEntraIDEndpoint` | Microsoft Entra ID login endpoint | `None` +`secrets.microsoftEntraIDResourceID` | Microsoft Entra ID resource ID to obtain AD tokens | `None` +`secrets.azureCloudEnvID` | Azure Cloud Environment ID | `None` +`secrets.vsphereEndpoint` | vSphere endpoint for login | `None` +`secrets.vsphereUsername` | vSphere username for login | `None` +`secrets.vspherePassword` | vSphere password for login | `None` +`secrets.vsphereClientSecretName` | The secret that contains vSphere username, vSphere password and vSphere endpoint | `None` +`secrets.dockerConfig` | Set base64 encoded docker config to use for image pull operations. Alternative to the ``secrets.dockerConfigPath`` | `None` +`secrets.dockerConfigPath` | Use ``--set-file secrets.dockerConfigPath=path_to_docker_config.yaml`` to specify docker config for image pull. Will be overwritten if ``secrets.dockerConfig`` is set | `None` +`cacertconfigmap.name` | Name of the ConfigMap that contains a certificate for a trusted root certificate authority | `None` +`clusterName` | Cluster name for better logs visibility | `None` +`metering.awsRegion` | Sets AWS_REGION for metering service | `None` +`metering.mode` | Control license reporting (set to `airgap` for private-network installs) | `None` +`metering.reportCollectionPeriod` | Sets metric report collection period (in seconds) | `1800` +`metering.reportPushPeriod` | Sets metric report push period (in seconds) | `3600` +`metering.promoID` | Sets K10 promotion ID from marketing campaigns | `None` +`metering.awsMarketplace` | Sets AWS cloud metering license mode | `false` +`metering.awsManagedLicense` | Sets AWS managed license mode | `false` +`metering.redhatMarketplacePayg` | Sets Red Hat cloud metering license mode | `false` +`metering.licenseConfigSecretName` | Sets AWS managed license config secret | `None` +`externalGateway.create` | Configures an external gateway for K10 API services | `false` +`externalGateway.annotations` | Standard annotations for the services | `None` +`externalGateway.fqdn.name` | Domain name for the K10 API services | `None` +`externalGateway.fqdn.type` | Supported gateway type: `route53-mapper` or `external-dns` | `None` +`externalGateway.awsSSLCertARN` | ARN for the AWS ACM SSL certificate used in the K10 API server | `None` +`auth.basicAuth.enabled` | Configures basic authentication for the K10 dashboard | `false` +`auth.basicAuth.htpasswd` | A username and password pair separated by a colon character | `None` +`auth.basicAuth.secretName` | Name of an existing Secret that contains a file generated with htpasswd | `None` +`auth.k10AdminGroups` | A list of groups whose members are granted admin level access to K10's dashboard | `None` +`auth.k10AdminUsers` | A list of users who are granted admin level access to K10's dashboard | `None` +`auth.tokenAuth.enabled` | Configures token based authentication for the K10 dashboard | `false` +`auth.oidcAuth.enabled` | Configures Open ID Connect based authentication for the K10 dashboard | `false` +`auth.oidcAuth.providerURL` | URL for the OIDC Provider | `None` +`auth.oidcAuth.redirectURL` | URL to the K10 gateway service | `None` +`auth.oidcAuth.scopes` | Space separated OIDC scopes required for userinfo. Example: "profile email" | `None` +`auth.oidcAuth.prompt` | The type of prompt to be used during authentication (none, consent, login or select_account) | `select_account` +`auth.oidcAuth.clientID` | Client ID given by the OIDC provider for K10 | `None` +`auth.oidcAuth.clientSecret` | Client secret given by the OIDC provider for K10 | `None` +`auth.oidcAuth.clientSecretName` | The secret that contains the Client ID and Client secret given by the OIDC provider for K10 | `None` +`auth.oidcAuth.usernameClaim` | The claim to be used as the username | `sub` +`auth.oidcAuth.usernamePrefix` | Prefix that has to be used with the username obtained from the username claim | `None` +`auth.oidcAuth.groupClaim` | Name of a custom OpenID Connect claim for specifying user groups | `None` +`auth.oidcAuth.groupPrefix` | All groups will be prefixed with this value to prevent conflicts | `None` +`auth.oidcAuth.sessionDuration` | Maximum OIDC session duration | `1h` +`auth.oidcAuth.refreshTokenSupport` | Enable OIDC Refresh Token support | `false` +`auth.openshift.enabled` | Enables access to the K10 dashboard by authenticating with the OpenShift OAuth server | `false` +`auth.openshift.serviceAccount` | Name of the service account that represents an OAuth client | `None` +`auth.openshift.clientSecret` | The token corresponding to the service account | `None` +`auth.openshift.clientSecretName` | The secret that contains the token corresponding to the service account | `None` +`auth.openshift.dashboardURL` | The URL used for accessing K10's dashboard | `None` +`auth.openshift.openshiftURL` | The URL for accessing OpenShift's API server | `None` +`auth.openshift.insecureCA` | To turn off SSL verification of connections to OpenShift | `false` +`auth.openshift.useServiceAccountCA` | Set this to true to use the CA certificate corresponding to the Service Account ``auth.openshift.serviceAccount`` usually found at ``/var/run/secrets/kubernetes.io/serviceaccount/ca.crt`` | `false` +`auth.openshift.caCertsAutoExtraction` | Set this to false to disable the OCP CA certificates automatic extraction to the K10 namespace | `true` +`auth.ldap.enabled` | Configures Active Directory/LDAP based authentication for the K10 dashboard | `false` +`auth.ldap.restartPod` | To force a restart of the authentication service pod (useful when updating authentication config) | `false` +`auth.ldap.dashboardURL` | The URL used for accessing K10's dashboard | `None` +`auth.ldap.host` | Host and optional port of the AD/LDAP server in the form `host:port` | `None` +`auth.ldap.insecureNoSSL` | Required if the AD/LDAP host is not using TLS | `false` +`auth.ldap.insecureSkipVerifySSL` | To turn off SSL verification of connections to the AD/LDAP host | `false` +`auth.ldap.startTLS` | When set to true, ldap:// is used to connect to the server followed by creation of a TLS session. When set to false, ldaps:// is used. | `false` +`auth.ldap.bindDN` | The Distinguished Name(username) used for connecting to the AD/LDAP host | `None` +`auth.ldap.bindPW` | The password corresponding to the `bindDN` for connecting to the AD/LDAP host | `None` +`auth.ldap.bindPWSecretName` | The name of the secret that contains the password corresponding to the `bindDN` for connecting to the AD/LDAP host | `None` +`auth.ldap.userSearch.baseDN` | The base Distinguished Name to start the AD/LDAP search from | `None` +`auth.ldap.userSearch.filter` | Optional filter to apply when searching the directory | `None` +`auth.ldap.userSearch.username` | Attribute used for comparing user entries when searching the directory | `None` +`auth.ldap.userSearch.idAttr` | AD/LDAP attribute in a user's entry that should map to the user ID field in a token | `None` +`auth.ldap.userSearch.emailAttr` | AD/LDAP attribute in a user's entry that should map to the email field in a token | `None` +`auth.ldap.userSearch.nameAttr` | AD/LDAP attribute in a user's entry that should map to the name field in a token | `None` +`auth.ldap.userSearch.preferredUsernameAttr` | AD/LDAP attribute in a user's entry that should map to the preferred_username field in a token | `None` +`auth.ldap.groupSearch.baseDN` | The base Distinguished Name to start the AD/LDAP group search from | `None` +`auth.ldap.groupSearch.filter` | Optional filter to apply when searching the directory for groups | `None` +`auth.ldap.groupSearch.nameAttr` | The AD/LDAP attribute that represents a group's name in the directory | `None` +`auth.ldap.groupSearch.userMatchers` | List of field pairs that are used to match a user to a group. | `None` +`auth.ldap.groupSearch.userMatchers.userAttr` | Attribute in the user's entry that must match with the `groupAttr` while searching for groups | `None` +`auth.ldap.groupSearch.userMatchers.groupAttr` | Attribute in the group's entry that must match with the `userAttr` while searching for groups | `None` +`auth.groupAllowList` | A list of groups whose members are allowed access to K10's dashboard | `None` +`services.securityContext` | Custom [security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) for K10 service containers | `{"runAsUser" : 1000, "fsGroup": 1000}` +`services.securityContext.runAsUser` | User ID K10 service containers run as| `1000` +`services.securityContext.runAsGroup` | Group ID K10 service containers run as| `1000` +`services.securityContext.fsGroup` | FSGroup that owns K10 service container volumes | `1000` +`siem.logging.cluster.enabled` | Whether to enable writing K10 audit event logs to stdout (standard output) | `true` +`siem.logging.cloud.path` | Directory path for saving audit logs in a cloud object store | `k10audit/` +`siem.logging.cloud.awsS3.enabled` | Whether to enable sending K10 audit event logs to AWS S3 | `true` +`injectKanisterSidecar.enabled` | Enable Kanister sidecar injection for workload pods | `false` +`injectKanisterSidecar.namespaceSelector.matchLabels` | Set of labels to select namespaces in which sidecar injection is enabled for workloads | `{}` +`injectKanisterSidecar.objectSelector.matchLabels` | Set of labels to filter workload objects in which the sidecar is injected | `{}` +`injectKanisterSidecar.webhookServer.port` | Port number on which the mutating webhook server accepts request | `8080` +`gateway.insecureDisableSSLVerify` | Specifies whether to disable SSL verification for gateway pods | `false` +`gateway.exposeAdminPort` | Specifies whether to expose Admin port for gateway service | `true` +`gateway.resources.[requests\|limits].[cpu\|memory]` | Resource requests and limits for gateway pod | `{}` +`gateway.service.externalPort` | Specifies the gateway services external port | `80` +`genericVolumeSnapshot.resources.[requests\|limits].[cpu\|memory]` | Specifies resource requests and limits for generic backup sidecar and all temporary Kasten worker Pods. Superseded by ActionPodSpec | `{}` +`multicluster.enabled` | Choose whether to enable the multi-cluster system components and capabilities | `true` +`multicluster.primary.create` | Choose whether to setup cluster as a multi-cluster primary | `false` +`multicluster.primary.name` | Primary cluster name | `''` +`multicluster.primary.ingressURL` | Primary cluster dashboard URL | `''` +`prometheus.k10image.registry` | (optional) Set Prometheus image registry. | `gcr.io` +`prometheus.k10image.repository` | (optional) Set Prometheus image repository. | `kasten-images` +`prometheus.rbac.create` | (optional) Whether to create Prometheus RBAC configuration. Warning - this action will allow prometheus to scrape pods in all k8s namespaces | `false` +`prometheus.alertmanager.enabled` | DEPRECATED: (optional) Enable Prometheus `alertmanager` service | `false` +`prometheus.alertmanager.serviceAccount.create` | DEPRECATED: (optional) Set true to create ServiceAccount for `alertmanager` | `false` +`prometheus.networkPolicy.enabled` | DEPRECATED: (optional) Enable Prometheus `networkPolicy` | `false` +`prometheus.prometheus-node-exporter.enabled` | DEPRECATED: (optional) Enable Prometheus `node-exporter` | `false` +`prometheus.prometheus-node-exporter.serviceAccount.create` | DEPRECATED: (optional) Set true to create ServiceAccount for `prometheus-node-exporter` | `false` +`prometheus.prometheus-pushgateway.enabled` | DEPRECATED: (optional) Enable Prometheus `pushgateway` | `false` +`prometheus.prometheus-pushgateway.serviceAccount.create` | DEPRECATED: (optional) Set true to create ServiceAccount for `prometheus-pushgateway` | `false` +`prometheus.scrapeCAdvisor` | DEPRECATED: (optional) Enable Prometheus ScrapeCAdvisor | `false` +`prometheus.server.enabled` | (optional) If false, K10's Prometheus server will not be created, reducing the dashboard's functionality. | `true` +`prometheus.server.securityContext.runAsUser` | (optional) Set security context `runAsUser` ID for Prometheus server pod | `65534` +`prometheus.server.securityContext.runAsNonRoot` | (optional) Enable security context `runAsNonRoot` for Prometheus server pod | `true` +`prometheus.server.securityContext.runAsGroup` | (optional) Set security context `runAsGroup` ID for Prometheus server pod | `65534` +`prometheus.server.securityContext.fsGroup` | (optional) Set security context `fsGroup` ID for Prometheus server pod | `65534` +`prometheus.server.retention` | (optional) K10 Prometheus data retention | `"30d"` +`prometheus.server.strategy.rollingUpdate.maxSurge` | DEPRECATED: (optional) The number of Prometheus server pods that can be created above the desired amount of pods during an update | `"100%"` +`prometheus.server.strategy.rollingUpdate.maxUnavailable` | DEPRECATED: (optional) The number of Prometheus server pods that can be unavailable during the upgrade process | `"100%"` +`prometheus.server.strategy.type` | DEPRECATED: (optional) Change default deployment strategy for Prometheus server | `"RollingUpdate"` +`prometheus.server.persistentVolume.enabled` | DEPRECATED: (optional) If true, K10 Prometheus server will create a Persistent Volume Claim | `true` +`prometheus.server.persistentVolume.size` | (optional) K10 Prometheus server data Persistent Volume size | `30Gi` +`prometheus.server.persistentVolume.storageClass` | (optional) StorageClassName used to create Prometheus PVC. Setting this option overwrites global StorageClass value | `""` +`prometheus.server.configMapOverrideName` | DEPRECATED: (optional) Prometheus configmap name to override default generated name| `k10-prometheus-config` +`prometheus.server.fullnameOverride` | (optional) Prometheus deployment name to override default generated name| `prometheus-server` +`prometheus.server.baseURL` | (optional) K10 Prometheus external url path at which the server can be accessed | `/k10/prometheus/` +`prometheus.server.prefixURL` | (optional) K10 Prometheus prefix slug at which the server can be accessed | `/k10/prometheus/` +`prometheus.server.serviceAccounts.server.create` | DEPRECATED: (optional) Set true to create ServiceAccount for Prometheus server service | `true` +`grafana.enabled` | (optional) If false Grafana will not be available | `true` +`resources...[requests\|limits].[cpu\|memory]` | Overwriting the default K10 [container resource requests and limits](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) | varies depending on the container +`route.enabled` | Specifies whether the K10 dashboard should be exposed via route | `false` +`route.host` | FQDN (e.g., `.k10.example.com`) for name-based virtual host | `""` +`route.path` | URL path for K10 Dashboard (e.g., `/k10`) | `/` +`route.annotations` | Additional Route object annotations | `{}` +`route.labels` | Additional Route object labels | `{}` +`route.tls.enabled` | Configures a TLS use for `route.host` | `false` +`route.tls.insecureEdgeTerminationPolicy` | Specifies behavior for insecure scheme traffic | `Redirect` +`route.tls.termination` | Specifies the TLS termination of the route | `edge` +`apigateway.serviceResolver` | Specifies the resolver used for service discovery in the API gateway (`dns` or `endpoint`) | `dns` +`limiter.executorReplicas` | Specifies the number of executor-svc Pods used to process Kasten jobs | 3 +`limiter.executorThreads` | Specifies the number of threads per executor-svc Pod used to process Kasten jobs | 8 +`limiter.workloadSnapshotsPerAction` | Per action limit of concurrent manifest data snapshots, based on workload (ex. Namespace, Deployment, StatefulSet, VirtualMachine) | 5 +`limiter.csiSnapshotsPerCluster` | Cluster-wide limit of concurrent CSI VolumeSnapshot creation requests | `10` +`limiter.directSnapshotsPerCluster` | Cluster-wide limit of concurrent non-CSI snapshot creation requests | `10` +`limiter.snapshotExportsPerAction` | Per action limit of concurrent volume export operations | `3` +`limiter.snapshotExportsPerCluster` | Cluster-wide limit of concurrent volume export operations | `10` +`limiter.genericVolumeBackupsPerCluster` | Cluster-wide limit of concurrent Generic Volume Backup operations | `10` +`limiter.imageCopiesPerCluster` | Cluster-wide limit of concurrent ImageStream container image backup (i.e. copy from) and restore (i.e. copy to) operations | `10` +`limiter.workloadRestoresPerAction` | Per action limit of concurrent manifest data restores, based on workload (ex. Namespace, Deployment, StatefulSet, VirtualMachine) | 3 +`limiter.csiSnapshotRestoresPerAction` | Per action limit of concurrent CSI volume provisioning requests when restoring from VolumeSnapshots | 3 +`limiter.volumeRestoresPerAction` | Per action limit of concurrent volume restore operations from an exported backup | 3 +`limiter.volumeRestoresPerCluster` | Cluster-wide limit of concurrent volume restore operations from exported backups | `10` +`cluster.domainName` | Specifies the domain name of the cluster | `""` +`timeout.blueprintBackup` | Specifies the timeout (in minutes) for Blueprint backup actions | `45` +`timeout.blueprintRestore` | Specifies the timeout (in minutes) for Blueprint restore actions | `600` +`timeout.blueprintDelete` | Specifies the timeout (in minutes) for Blueprint delete actions | `45` +`timeout.blueprintHooks` | Specifies the timeout (in minutes) for Blueprint backupPrehook and backupPosthook actions | `20` +`timeout.checkRepoPodReady` | Specifies the timeout (in minutes) for temporary worker Pods used to validate backup repository existence | `20` +`timeout.statsPodReady` | Specifies the timeout (in minutes) for temporary worker Pods used to collect repository statistics | `20` +`timeout.efsRestorePodReady` | Specifies the timeout (in minutes) for temporary worker Pods used for shareable volume restore operations | `45` +`timeout.workerPodReady` | Specifies the timeout (in minutes) for all other temporary worker Pods used during Veeam Kasten operations | `15` +`timeout.jobWait` | Specifies the timeout (in minutes) for completing execution of any child job, after which the parent job will be canceled. If no value is set, a default of 10 hours will be used | `None` +`awsConfig.assumeRoleDuration` | Duration of a session token generated by AWS for an IAM role. The minimum value is 15 minutes and the maximum value is the maximum duration setting for that IAM role. For documentation about how to view and edit the maximum session duration for an IAM role see https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session. The value accepts a number along with a single character ``m``(for minutes) or ``h`` (for hours) Examples: 60m or 2h | `''` +`awsConfig.efsBackupVaultName` | Specifies the AWS EFS backup vault name | `k10vault` +`vmWare.taskTimeoutMin` | Specifies the timeout for VMWare operations | `60` +`encryption.primaryKey.awsCmkKeyId` | Specifies the AWS CMK key ID for encrypting K10 Primary Key | `None` +`garbagecollector.daemonPeriod` | Sets garbage collection period (in seconds) | `21600` +`garbagecollector.keepMaxActions` | Sets maximum actions to keep | `1000` +`garbagecollector.actions.enabled` | Enables action collectors | `false` +`kubeVirtVMs.snapshot.unfreezeTimeout` | Defines the time duration within which the VMs must be unfrozen while backing them up. To know more about format [go doc](https://pkg.go.dev/time#ParseDuration) can be followed | `5m` +`excludedApps` | Specifies a list of applications to be excluded from the dashboard & compliance considerations. Format should be a :ref:`YAML array` | `["kube-system", "kube-ingress", "kube-node-lease", "kube-public", "kube-rook-ceph"]` +`workerPodMetricSidecar.enabled` | Enables a sidecar container for temporary worker Pods used to push Pod performance metrics to Prometheus | `true` +`workerPodMetricSidecar.metricLifetime` | Specifies the period after which metrics for an individual worker Pod are removed from Prometheus | `2m` +`workerPodMetricSidecar.pushGatewayInterval` | Specifies the frequency for pushing metrics into Prometheus | `30s` +`workerPodMetricSidecar.resources.[requests\|limits].[cpu\|memory]` | Specifies resource requests and limits for the temporary worker Pod metric sidecar | `{}` +`forceRootInBlueprintActions` | Forces any Pod created by a Blueprint to run as root user | `true` +`defaultPriorityClassName` | Specifies the default [priority class](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/#priorityclass) name for all K10 deployments and ephemeral pods | `None` +`priorityClassName.` | Overrides the default [priority class](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/#priorityclass) name for the specified deployment | `{}` +`ephemeralPVCOverhead` | Set the percentage increase for the ephemeral Persistent Volume Claim's storage request, e.g. PVC size = (file raw size) * (1 + `ephemeralPVCOverhead`) | `0.1` +`datastore.parallelUploads` | Specifies how many files can be uploaded in parallel to the data store | `8` +`datastore.parallelDownloads` | Specifies how many files can be downloaded in parallel from the data store | `8` +`kastenDisasterRecovery.quickMode.enabled` | Enables K10 Quick Disaster Recovery | `false` +`fips.enabled` | Specifies whether K10 should be run in the FIPS mode of operation | `false` +`workerPodCRDs.enabled` | Specifies whether K10 should use `ActionPodSpec` for granular resource control of worker pods | `false` +`workerPodCRDs.resourcesRequests.maxCPU` | Max CPU which might be setup in `ActionPodSpec` | `''` +`workerPodCRDs.resourcesRequests.maxMemory` | Max memory which might be setup in `ActionPodSpec` | `''` +`workerPodCRDs.defaultActionPodSpec.name` | The name of `ActionPodSpec` that will be used by default for worker pod resources. | `''` +`workerPodCRDs.defaultActionPodSpec.namespace` | The namespace of `ActionPodSpec` that will be used by default for worker pod resources. | `''` + + + +## Helm tips and tricks + +There is a way of setting values via a yaml file instead of using `--set`. +First, copy/paste values into a file (e.g., my_values.yaml): + +```yaml +secrets: + awsAccessKeyId: ${AWS_ACCESS_KEY_ID} + awsSecretAccessKey: ${AWS_SECRET_ACCESS_KEY} +``` + +and then run: + +```bash + envsubst < my_values.yaml > my_values_out.yaml && helm install k10 kasten/k10 -f my_values_out.yaml +``` + +To set a single value from a file, `--set-file` may be used over `--set`: + +```bash + helm install k10 kasten/k10 --set-file license=my_license.lic +``` + + +To use non-default GCP ServiceAccount (SA) credentials, the credentials JSON file needs to be encoded into a base64 +string: + +```bash + sa_key=$(base64 -w0 sa-key.json) + helm install k10 kasten/k10 --namespace=kasten-io --set secrets.googleApiKey=$sa_key +``` + +If the Google Service Account belongs to a project other than the one in which the cluster +is located, then the project's ID of the cluster must be also provided during the installation: + +```bash + sa_key=$(base64 -w0 sa-key.json) + helm install k10 kasten/k10 --namespace=kasten-io --set secrets.googleApiKey=$sa_key --set secrets.googleProjectId= +``` diff --git a/charts/kasten/k10/7.0.1401/app-readme.md b/charts/kasten/k10/7.0.1401/app-readme.md new file mode 100644 index 000000000..1b221891b --- /dev/null +++ b/charts/kasten/k10/7.0.1401/app-readme.md @@ -0,0 +1,5 @@ +The K10 data management platform, purpose-built for Kubernetes, provides enterprise operations teams an easy-to-use, scalable, and secure system for backup/restore, disaster recovery, and mobility of Kubernetes applications. + +K10’s application-centric approach and deep integrations with relational and NoSQL databases, Kubernetes distributions, and all clouds provide teams the freedom of infrastructure choice without sacrificing operational simplicity. Policy-driven and extensible, K10 provides a native Kubernetes API and includes features such as full-spectrum consistency, database integrations, automatic application discovery, multi-cloud mobility, and a powerful web-based user interface. + +For more information, refer to the docs [https://docs.kasten.io/](https://docs.kasten.io/) diff --git a/charts/kasten/k10/7.0.1401/charts/grafana/.helmignore b/charts/kasten/k10/7.0.1401/charts/grafana/.helmignore new file mode 100644 index 000000000..8cade1318 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/grafana/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.vscode +.project +.idea/ +*.tmproj +OWNERS diff --git a/charts/kasten/k10/7.0.1401/charts/grafana/Chart.yaml b/charts/kasten/k10/7.0.1401/charts/grafana/Chart.yaml new file mode 100644 index 000000000..b5e9b92dc --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/grafana/Chart.yaml @@ -0,0 +1,35 @@ +annotations: + artifacthub.io/license: Apache-2.0 + artifacthub.io/links: | + - name: Chart Source + url: https://github.com/grafana/helm-charts + - name: Upstream Project + url: https://github.com/grafana/grafana +apiVersion: v2 +appVersion: 11.2.2-security-01 +description: The leading tool for querying and visualizing time series and metrics. +home: https://grafana.com +icon: https://artifacthub.io/image/b4fed1a7-6c8f-4945-b99d-096efa3e4116 +keywords: +- monitoring +- metric +kubeVersion: ^1.8.0-0 +maintainers: +- email: zanhsieh@gmail.com + name: zanhsieh +- email: rluckie@cisco.com + name: rtluckie +- email: maor.friedman@redhat.com + name: maorfr +- email: miroslav.hadzhiev@gmail.com + name: Xtigyro +- email: mail@torstenwalter.de + name: torstenwalter +- email: github@jkroepke.de + name: jkroepke +name: grafana +sources: +- https://github.com/grafana/grafana +- https://github.com/grafana/helm-charts +type: application +version: 8.5.8 diff --git a/charts/kasten/k10/7.0.1401/charts/grafana/README.md b/charts/kasten/k10/7.0.1401/charts/grafana/README.md new file mode 100644 index 000000000..4ab1a01c3 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/grafana/README.md @@ -0,0 +1,783 @@ +# Grafana Helm Chart + +* Installs the web dashboarding system [Grafana](http://grafana.org/) + +## Get Repo Info + +```console +helm repo add grafana https://grafana.github.io/helm-charts +helm repo update +``` + +_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ + +## Installing the Chart + +To install the chart with the release name `my-release`: + +```console +helm install my-release grafana/grafana +``` + +## Uninstalling the Chart + +To uninstall/delete the my-release deployment: + +```console +helm delete my-release +``` + +The command removes all the Kubernetes components associated with the chart and deletes the release. + +## Upgrading an existing Release to a new major version + +A major chart version change (like v1.2.3 -> v2.0.0) indicates that there is an +incompatible breaking change needing manual actions. + +### To 4.0.0 (And 3.12.1) + +This version requires Helm >= 2.12.0. + +### To 5.0.0 + +You have to add --force to your helm upgrade command as the labels of the chart have changed. + +### To 6.0.0 + +This version requires Helm >= 3.1.0. + +### To 7.0.0 + +For consistency with other Helm charts, the `global.image.registry` parameter was renamed +to `global.imageRegistry`. If you were not previously setting `global.image.registry`, no action +is required on upgrade. If you were previously setting `global.image.registry`, you will +need to instead set `global.imageRegistry`. + +## Configuration + +| Parameter | Description | Default | +|-------------------------------------------|-----------------------------------------------|---------------------------------------------------------| +| `replicas` | Number of nodes | `1` | +| `podDisruptionBudget.minAvailable` | Pod disruption minimum available | `nil` | +| `podDisruptionBudget.maxUnavailable` | Pod disruption maximum unavailable | `nil` | +| `podDisruptionBudget.apiVersion` | Pod disruption apiVersion | `nil` | +| `deploymentStrategy` | Deployment strategy | `{ "type": "RollingUpdate" }` | +| `livenessProbe` | Liveness Probe settings | `{ "httpGet": { "path": "/api/health", "port": 3000 } "initialDelaySeconds": 60, "timeoutSeconds": 30, "failureThreshold": 10 }` | +| `readinessProbe` | Readiness Probe settings | `{ "httpGet": { "path": "/api/health", "port": 3000 } }`| +| `securityContext` | Deployment securityContext | `{"runAsUser": 472, "runAsGroup": 472, "fsGroup": 472}` | +| `priorityClassName` | Name of Priority Class to assign pods | `nil` | +| `image.registry` | Image registry | `docker.io` | +| `image.repository` | Image repository | `grafana/grafana` | +| `image.tag` | Overrides the Grafana image tag whose default is the chart appVersion (`Must be >= 5.0.0`) | `` | +| `image.sha` | Image sha (optional) | `` | +| `image.pullPolicy` | Image pull policy | `IfNotPresent` | +| `image.pullSecrets` | Image pull secrets (can be templated) | `[]` | +| `service.enabled` | Enable grafana service | `true` | +| `service.ipFamilies` | Kubernetes service IP families | `[]` | +| `service.ipFamilyPolicy` | Kubernetes service IP family policy | `""` | +| `service.type` | Kubernetes service type | `ClusterIP` | +| `service.port` | Kubernetes port where service is exposed | `80` | +| `service.portName` | Name of the port on the service | `service` | +| `service.appProtocol` | Adds the appProtocol field to the service | `` | +| `service.targetPort` | Internal service is port | `3000` | +| `service.nodePort` | Kubernetes service nodePort | `nil` | +| `service.annotations` | Service annotations (can be templated) | `{}` | +| `service.labels` | Custom labels | `{}` | +| `service.clusterIP` | internal cluster service IP | `nil` | +| `service.loadBalancerIP` | IP address to assign to load balancer (if supported) | `nil` | +| `service.loadBalancerSourceRanges` | list of IP CIDRs allowed access to lb (if supported) | `[]` | +| `service.externalIPs` | service external IP addresses | `[]` | +| `service.externalTrafficPolicy` | change the default externalTrafficPolicy | `nil` | +| `headlessService` | Create a headless service | `false` | +| `extraExposePorts` | Additional service ports for sidecar containers| `[]` | +| `hostAliases` | adds rules to the pod's /etc/hosts | `[]` | +| `ingress.enabled` | Enables Ingress | `false` | +| `ingress.annotations` | Ingress annotations (values are templated) | `{}` | +| `ingress.labels` | Custom labels | `{}` | +| `ingress.path` | Ingress accepted path | `/` | +| `ingress.pathType` | Ingress type of path | `Prefix` | +| `ingress.hosts` | Ingress accepted hostnames | `["chart-example.local"]` | +| `ingress.extraPaths` | Ingress extra paths to prepend to every host configuration. Useful when configuring [custom actions with AWS ALB Ingress Controller](https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.6/guide/ingress/annotations/#actions). Requires `ingress.hosts` to have one or more host entries. | `[]` | +| `ingress.tls` | Ingress TLS configuration | `[]` | +| `ingress.ingressClassName` | Ingress Class Name. MAY be required for Kubernetes versions >= 1.18 | `""` | +| `resources` | CPU/Memory resource requests/limits | `{}` | +| `nodeSelector` | Node labels for pod assignment | `{}` | +| `tolerations` | Toleration labels for pod assignment | `[]` | +| `affinity` | Affinity settings for pod assignment | `{}` | +| `extraInitContainers` | Init containers to add to the grafana pod | `{}` | +| `extraContainers` | Sidecar containers to add to the grafana pod | `""` | +| `extraContainerVolumes` | Volumes that can be mounted in sidecar containers | `[]` | +| `extraLabels` | Custom labels for all manifests | `{}` | +| `schedulerName` | Name of the k8s scheduler (other than default) | `nil` | +| `persistence.enabled` | Use persistent volume to store data | `false` | +| `persistence.type` | Type of persistence (`pvc` or `statefulset`) | `pvc` | +| `persistence.size` | Size of persistent volume claim | `10Gi` | +| `persistence.existingClaim` | Use an existing PVC to persist data (can be templated) | `nil` | +| `persistence.storageClassName` | Type of persistent volume claim | `nil` | +| `persistence.accessModes` | Persistence access modes | `[ReadWriteOnce]` | +| `persistence.annotations` | PersistentVolumeClaim annotations | `{}` | +| `persistence.finalizers` | PersistentVolumeClaim finalizers | `[ "kubernetes.io/pvc-protection" ]` | +| `persistence.extraPvcLabels` | Extra labels to apply to a PVC. | `{}` | +| `persistence.subPath` | Mount a sub dir of the persistent volume (can be templated) | `nil` | +| `persistence.inMemory.enabled` | If persistence is not enabled, whether to mount the local storage in-memory to improve performance | `false` | +| `persistence.inMemory.sizeLimit` | SizeLimit for the in-memory local storage | `nil` | +| `persistence.disableWarning` | Hide NOTES warning, useful when persisting to a database | `false` | +| `initChownData.enabled` | If false, don't reset data ownership at startup | true | +| `initChownData.image.registry` | init-chown-data container image registry | `docker.io` | +| `initChownData.image.repository` | init-chown-data container image repository | `busybox` | +| `initChownData.image.tag` | init-chown-data container image tag | `1.31.1` | +| `initChownData.image.sha` | init-chown-data container image sha (optional)| `""` | +| `initChownData.image.pullPolicy` | init-chown-data container image pull policy | `IfNotPresent` | +| `initChownData.resources` | init-chown-data pod resource requests & limits | `{}` | +| `schedulerName` | Alternate scheduler name | `nil` | +| `env` | Extra environment variables passed to pods | `{}` | +| `envValueFrom` | Environment variables from alternate sources. See the API docs on [EnvVarSource](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.17/#envvarsource-v1-core) for format details. Can be templated | `{}` | +| `envFromSecret` | Name of a Kubernetes secret (must be manually created in the same namespace) containing values to be added to the environment. Can be templated | `""` | +| `envFromSecrets` | List of Kubernetes secrets (must be manually created in the same namespace) containing values to be added to the environment. Can be templated | `[]` | +| `envFromConfigMaps` | List of Kubernetes ConfigMaps (must be manually created in the same namespace) containing values to be added to the environment. Can be templated | `[]` | +| `envRenderSecret` | Sensible environment variables passed to pods and stored as secret. (passed through [tpl](https://helm.sh/docs/howto/charts_tips_and_tricks/#using-the-tpl-function)) | `{}` | +| `enableServiceLinks` | Inject Kubernetes services as environment variables. | `true` | +| `extraSecretMounts` | Additional grafana server secret mounts | `[]` | +| `extraVolumeMounts` | Additional grafana server volume mounts | `[]` | +| `extraVolumes` | Additional Grafana server volumes | `[]` | +| `automountServiceAccountToken` | Mounted the service account token on the grafana pod. Mandatory, if sidecars are enabled | `true` | +| `createConfigmap` | Enable creating the grafana configmap | `true` | +| `extraConfigmapMounts` | Additional grafana server configMap volume mounts (values are templated) | `[]` | +| `extraEmptyDirMounts` | Additional grafana server emptyDir volume mounts | `[]` | +| `plugins` | Plugins to be loaded along with Grafana | `[]` | +| `datasources` | Configure grafana datasources (passed through tpl) | `{}` | +| `alerting` | Configure grafana alerting (passed through tpl) | `{}` | +| `notifiers` | Configure grafana notifiers | `{}` | +| `dashboardProviders` | Configure grafana dashboard providers | `{}` | +| `dashboards` | Dashboards to import | `{}` | +| `dashboardsConfigMaps` | ConfigMaps reference that contains dashboards | `{}` | +| `grafana.ini` | Grafana's primary configuration | `{}` | +| `global.imageRegistry` | Global image pull registry for all images. | `null` | +| `global.imagePullSecrets` | Global image pull secrets (can be templated). Allows either an array of {name: pullSecret} maps (k8s-style), or an array of strings (more common helm-style). | `[]` | +| `ldap.enabled` | Enable LDAP authentication | `false` | +| `ldap.existingSecret` | The name of an existing secret containing the `ldap.toml` file, this must have the key `ldap-toml`. | `""` | +| `ldap.config` | Grafana's LDAP configuration | `""` | +| `annotations` | Deployment annotations | `{}` | +| `labels` | Deployment labels | `{}` | +| `podAnnotations` | Pod annotations | `{}` | +| `podLabels` | Pod labels | `{}` | +| `podPortName` | Name of the grafana port on the pod | `grafana` | +| `lifecycleHooks` | Lifecycle hooks for podStart and preStop [Example](https://kubernetes.io/docs/tasks/configure-pod-container/attach-handler-lifecycle-event/#define-poststart-and-prestop-handlers) | `{}` | +| `sidecar.image.registry` | Sidecar image registry | `quay.io` | +| `sidecar.image.repository` | Sidecar image repository | `kiwigrid/k8s-sidecar` | +| `sidecar.image.tag` | Sidecar image tag | `1.28.0` | +| `sidecar.image.sha` | Sidecar image sha (optional) | `""` | +| `sidecar.imagePullPolicy` | Sidecar image pull policy | `IfNotPresent` | +| `sidecar.resources` | Sidecar resources | `{}` | +| `sidecar.securityContext` | Sidecar securityContext | `{}` | +| `sidecar.enableUniqueFilenames` | Sets the kiwigrid/k8s-sidecar UNIQUE_FILENAMES environment variable. If set to `true` the sidecar will create unique filenames where duplicate data keys exist between ConfigMaps and/or Secrets within the same or multiple Namespaces. | `false` | +| `sidecar.alerts.enabled` | Enables the cluster wide search for alerts and adds/updates/deletes them in grafana |`false` | +| `sidecar.alerts.label` | Label that config maps with alerts should have to be added | `grafana_alert` | +| `sidecar.alerts.labelValue` | Label value that config maps with alerts should have to be added | `""` | +| `sidecar.alerts.searchNamespace` | Namespaces list. If specified, the sidecar will search for alerts config-maps inside these namespaces. Otherwise the namespace in which the sidecar is running will be used. It's also possible to specify ALL to search in all namespaces. | `nil` | +| `sidecar.alerts.watchMethod` | Method to use to detect ConfigMap changes. With WATCH the sidecar will do a WATCH requests, with SLEEP it will list all ConfigMaps, then sleep for 60 seconds. | `WATCH` | +| `sidecar.alerts.resource` | Should the sidecar looks into secrets, configmaps or both. | `both` | +| `sidecar.alerts.reloadURL` | Full url of datasource configuration reload API endpoint, to invoke after a config-map change | `"http://localhost:3000/api/admin/provisioning/alerting/reload"` | +| `sidecar.alerts.skipReload` | Enabling this omits defining the REQ_URL and REQ_METHOD environment variables | `false` | +| `sidecar.alerts.initAlerts` | Set to true to deploy the alerts sidecar as an initContainer. This is needed if skipReload is true, to load any alerts defined at startup time. | `false` | +| `sidecar.alerts.extraMounts` | Additional alerts sidecar volume mounts. | `[]` | +| `sidecar.dashboards.enabled` | Enables the cluster wide search for dashboards and adds/updates/deletes them in grafana | `false` | +| `sidecar.dashboards.SCProvider` | Enables creation of sidecar provider | `true` | +| `sidecar.dashboards.provider.name` | Unique name of the grafana provider | `sidecarProvider` | +| `sidecar.dashboards.provider.orgid` | Id of the organisation, to which the dashboards should be added | `1` | +| `sidecar.dashboards.provider.folder` | Logical folder in which grafana groups dashboards | `""` | +| `sidecar.dashboards.provider.folderUid` | Allows you to specify the static UID for the logical folder above | `""` | +| `sidecar.dashboards.provider.disableDelete` | Activate to avoid the deletion of imported dashboards | `false` | +| `sidecar.dashboards.provider.allowUiUpdates` | Allow updating provisioned dashboards from the UI | `false` | +| `sidecar.dashboards.provider.type` | Provider type | `file` | +| `sidecar.dashboards.provider.foldersFromFilesStructure` | Allow Grafana to replicate dashboard structure from filesystem. | `false` | +| `sidecar.dashboards.watchMethod` | Method to use to detect ConfigMap changes. With WATCH the sidecar will do a WATCH requests, with SLEEP it will list all ConfigMaps, then sleep for 60 seconds. | `WATCH` | +| `sidecar.skipTlsVerify` | Set to true to skip tls verification for kube api calls | `nil` | +| `sidecar.dashboards.label` | Label that config maps with dashboards should have to be added | `grafana_dashboard` | +| `sidecar.dashboards.labelValue` | Label value that config maps with dashboards should have to be added | `""` | +| `sidecar.dashboards.folder` | Folder in the pod that should hold the collected dashboards (unless `sidecar.dashboards.defaultFolderName` is set). This path will be mounted. | `/tmp/dashboards` | +| `sidecar.dashboards.folderAnnotation` | The annotation the sidecar will look for in configmaps to override the destination folder for files | `nil` | +| `sidecar.dashboards.defaultFolderName` | The default folder name, it will create a subfolder under the `sidecar.dashboards.folder` and put dashboards in there instead | `nil` | +| `sidecar.dashboards.searchNamespace` | Namespaces list. If specified, the sidecar will search for dashboards config-maps inside these namespaces. Otherwise the namespace in which the sidecar is running will be used. It's also possible to specify ALL to search in all namespaces. | `nil` | +| `sidecar.dashboards.script` | Absolute path to shell script to execute after a configmap got reloaded. | `nil` | +| `sidecar.dashboards.reloadURL` | Full url of dashboards configuration reload API endpoint, to invoke after a config-map change | `"http://localhost:3000/api/admin/provisioning/dashboards/reload"` | +| `sidecar.dashboards.skipReload` | Enabling this omits defining the REQ_USERNAME, REQ_PASSWORD, REQ_URL and REQ_METHOD environment variables | `false` | +| `sidecar.dashboards.resource` | Should the sidecar looks into secrets, configmaps or both. | `both` | +| `sidecar.dashboards.extraMounts` | Additional dashboard sidecar volume mounts. | `[]` | +| `sidecar.datasources.enabled` | Enables the cluster wide search for datasources and adds/updates/deletes them in grafana |`false` | +| `sidecar.datasources.label` | Label that config maps with datasources should have to be added | `grafana_datasource` | +| `sidecar.datasources.labelValue` | Label value that config maps with datasources should have to be added | `""` | +| `sidecar.datasources.searchNamespace` | Namespaces list. If specified, the sidecar will search for datasources config-maps inside these namespaces. Otherwise the namespace in which the sidecar is running will be used. It's also possible to specify ALL to search in all namespaces. | `nil` | +| `sidecar.datasources.watchMethod` | Method to use to detect ConfigMap changes. With WATCH the sidecar will do a WATCH requests, with SLEEP it will list all ConfigMaps, then sleep for 60 seconds. | `WATCH` | +| `sidecar.datasources.resource` | Should the sidecar looks into secrets, configmaps or both. | `both` | +| `sidecar.datasources.reloadURL` | Full url of datasource configuration reload API endpoint, to invoke after a config-map change | `"http://localhost:3000/api/admin/provisioning/datasources/reload"` | +| `sidecar.datasources.skipReload` | Enabling this omits defining the REQ_URL and REQ_METHOD environment variables | `false` | +| `sidecar.datasources.initDatasources` | Set to true to deploy the datasource sidecar as an initContainer in addition to a container. This is needed if skipReload is true, to load any datasources defined at startup time. | `false` | +| `sidecar.notifiers.enabled` | Enables the cluster wide search for notifiers and adds/updates/deletes them in grafana | `false` | +| `sidecar.notifiers.label` | Label that config maps with notifiers should have to be added | `grafana_notifier` | +| `sidecar.notifiers.labelValue` | Label value that config maps with notifiers should have to be added | `""` | +| `sidecar.notifiers.searchNamespace` | Namespaces list. If specified, the sidecar will search for notifiers config-maps (or secrets) inside these namespaces. Otherwise the namespace in which the sidecar is running will be used. It's also possible to specify ALL to search in all namespaces. | `nil` | +| `sidecar.notifiers.watchMethod` | Method to use to detect ConfigMap changes. With WATCH the sidecar will do a WATCH requests, with SLEEP it will list all ConfigMaps, then sleep for 60 seconds. | `WATCH` | +| `sidecar.notifiers.resource` | Should the sidecar looks into secrets, configmaps or both. | `both` | +| `sidecar.notifiers.reloadURL` | Full url of notifier configuration reload API endpoint, to invoke after a config-map change | `"http://localhost:3000/api/admin/provisioning/notifications/reload"` | +| `sidecar.notifiers.skipReload` | Enabling this omits defining the REQ_URL and REQ_METHOD environment variables | `false` | +| `sidecar.notifiers.initNotifiers` | Set to true to deploy the notifier sidecar as an initContainer in addition to a container. This is needed if skipReload is true, to load any notifiers defined at startup time. | `false` | +| `smtp.existingSecret` | The name of an existing secret containing the SMTP credentials. | `""` | +| `smtp.userKey` | The key in the existing SMTP secret containing the username. | `"user"` | +| `smtp.passwordKey` | The key in the existing SMTP secret containing the password. | `"password"` | +| `admin.existingSecret` | The name of an existing secret containing the admin credentials (can be templated). | `""` | +| `admin.userKey` | The key in the existing admin secret containing the username. | `"admin-user"` | +| `admin.passwordKey` | The key in the existing admin secret containing the password. | `"admin-password"` | +| `serviceAccount.automountServiceAccountToken` | Automount the service account token on all pods where is service account is used | `false` | +| `serviceAccount.annotations` | ServiceAccount annotations | | +| `serviceAccount.create` | Create service account | `true` | +| `serviceAccount.labels` | ServiceAccount labels | `{}` | +| `serviceAccount.name` | Service account name to use, when empty will be set to created account if `serviceAccount.create` is set else to `default` | `` | +| `serviceAccount.nameTest` | Service account name to use for test, when empty will be set to created account if `serviceAccount.create` is set else to `default` | `nil` | +| `rbac.create` | Create and use RBAC resources | `true` | +| `rbac.namespaced` | Creates Role and Rolebinding instead of the default ClusterRole and ClusteRoleBindings for the grafana instance | `false` | +| `rbac.useExistingRole` | Set to a rolename to use existing role - skipping role creating - but still doing serviceaccount and rolebinding to the rolename set here. | `nil` | +| `rbac.pspEnabled` | Create PodSecurityPolicy (with `rbac.create`, grant roles permissions as well) | `false` | +| `rbac.pspUseAppArmor` | Enforce AppArmor in created PodSecurityPolicy (requires `rbac.pspEnabled`) | `false` | +| `rbac.extraRoleRules` | Additional rules to add to the Role | [] | +| `rbac.extraClusterRoleRules` | Additional rules to add to the ClusterRole | [] | +| `command` | Define command to be executed by grafana container at startup | `nil` | +| `args` | Define additional args if command is used | `nil` | +| `testFramework.enabled` | Whether to create test-related resources | `true` | +| `testFramework.image.registry` | `test-framework` image registry. | `docker.io` | +| `testFramework.image.repository` | `test-framework` image repository. | `bats/bats` | +| `testFramework.image.tag` | `test-framework` image tag. | `v1.4.1` | +| `testFramework.imagePullPolicy` | `test-framework` image pull policy. | `IfNotPresent` | +| `testFramework.securityContext` | `test-framework` securityContext | `{}` | +| `downloadDashboards.env` | Environment variables to be passed to the `download-dashboards` container | `{}` | +| `downloadDashboards.envFromSecret` | Name of a Kubernetes secret (must be manually created in the same namespace) containing values to be added to the environment. Can be templated | `""` | +| `downloadDashboards.resources` | Resources of `download-dashboards` container | `{}` | +| `downloadDashboardsImage.registry` | Curl docker image registry | `docker.io` | +| `downloadDashboardsImage.repository` | Curl docker image repository | `curlimages/curl` | +| `downloadDashboardsImage.tag` | Curl docker image tag | `7.73.0` | +| `downloadDashboardsImage.sha` | Curl docker image sha (optional) | `""` | +| `downloadDashboardsImage.pullPolicy` | Curl docker image pull policy | `IfNotPresent` | +| `namespaceOverride` | Override the deployment namespace | `""` (`Release.Namespace`) | +| `serviceMonitor.enabled` | Use servicemonitor from prometheus operator | `false` | +| `serviceMonitor.namespace` | Namespace this servicemonitor is installed in | | +| `serviceMonitor.interval` | How frequently Prometheus should scrape | `1m` | +| `serviceMonitor.path` | Path to scrape | `/metrics` | +| `serviceMonitor.scheme` | Scheme to use for metrics scraping | `http` | +| `serviceMonitor.tlsConfig` | TLS configuration block for the endpoint | `{}` | +| `serviceMonitor.labels` | Labels for the servicemonitor passed to Prometheus Operator | `{}` | +| `serviceMonitor.scrapeTimeout` | Timeout after which the scrape is ended | `30s` | +| `serviceMonitor.relabelings` | RelabelConfigs to apply to samples before scraping. | `[]` | +| `serviceMonitor.metricRelabelings` | MetricRelabelConfigs to apply to samples before ingestion. | `[]` | +| `revisionHistoryLimit` | Number of old ReplicaSets to retain | `10` | +| `imageRenderer.enabled` | Enable the image-renderer deployment & service | `false` | +| `imageRenderer.image.registry` | image-renderer Image registry | `docker.io` | +| `imageRenderer.image.repository` | image-renderer Image repository | `grafana/grafana-image-renderer` | +| `imageRenderer.image.tag` | image-renderer Image tag | `latest` | +| `imageRenderer.image.sha` | image-renderer Image sha (optional) | `""` | +| `imageRenderer.image.pullPolicy` | image-renderer ImagePullPolicy | `Always` | +| `imageRenderer.env` | extra env-vars for image-renderer | `{}` | +| `imageRenderer.envValueFrom` | Environment variables for image-renderer from alternate sources. See the API docs on [EnvVarSource](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.17/#envvarsource-v1-core) for format details. Can be templated | `{}` | +| `imageRenderer.extraConfigmapMounts` | Additional image-renderer configMap volume mounts (values are templated) | `[]` | +| `imageRenderer.extraSecretMounts` | Additional image-renderer secret volume mounts | `[]` | +| `imageRenderer.extraVolumeMounts` | Additional image-renderer volume mounts | `[]` | +| `imageRenderer.extraVolumes` | Additional image-renderer volumes | `[]` | +| `imageRenderer.serviceAccountName` | image-renderer deployment serviceAccountName | `""` | +| `imageRenderer.securityContext` | image-renderer deployment securityContext | `{}` | +| `imageRenderer.podAnnotations` | image-renderer image-renderer pod annotation | `{}` | +| `imageRenderer.hostAliases` | image-renderer deployment Host Aliases | `[]` | +| `imageRenderer.priorityClassName` | image-renderer deployment priority class | `''` | +| `imageRenderer.service.enabled` | Enable the image-renderer service | `true` | +| `imageRenderer.service.portName` | image-renderer service port name | `http` | +| `imageRenderer.service.port` | image-renderer port used by deployment | `8081` | +| `imageRenderer.service.targetPort` | image-renderer service port used by service | `8081` | +| `imageRenderer.appProtocol` | Adds the appProtocol field to the service | `` | +| `imageRenderer.grafanaSubPath` | Grafana sub path to use for image renderer callback url | `''` | +| `imageRenderer.serverURL` | Remote image renderer url | `''` | +| `imageRenderer.renderingCallbackURL` | Callback url for the Grafana image renderer | `''` | +| `imageRenderer.podPortName` | name of the image-renderer port on the pod | `http` | +| `imageRenderer.revisionHistoryLimit` | number of image-renderer replica sets to keep | `10` | +| `imageRenderer.networkPolicy.limitIngress` | Enable a NetworkPolicy to limit inbound traffic from only the created grafana pods | `true` | +| `imageRenderer.networkPolicy.limitEgress` | Enable a NetworkPolicy to limit outbound traffic to only the created grafana pods | `false` | +| `imageRenderer.resources` | Set resource limits for image-renderer pods | `{}` | +| `imageRenderer.nodeSelector` | Node labels for pod assignment | `{}` | +| `imageRenderer.tolerations` | Toleration labels for pod assignment | `[]` | +| `imageRenderer.affinity` | Affinity settings for pod assignment | `{}` | +| `networkPolicy.enabled` | Enable creation of NetworkPolicy resources. | `false` | +| `networkPolicy.allowExternal` | Don't require client label for connections | `true` | +| `networkPolicy.explicitNamespacesSelector` | A Kubernetes LabelSelector to explicitly select namespaces from which traffic could be allowed | `{}` | +| `networkPolicy.ingress` | Enable the creation of an ingress network policy | `true` | +| `networkPolicy.egress.enabled` | Enable the creation of an egress network policy | `false` | +| `networkPolicy.egress.ports` | An array of ports to allow for the egress | `[]` | +| `enableKubeBackwardCompatibility` | Enable backward compatibility of kubernetes where pod's defintion version below 1.13 doesn't have the enableServiceLinks option | `false` | + +### Example ingress with path + +With grafana 6.3 and above + +```yaml +grafana.ini: + server: + domain: monitoring.example.com + root_url: "%(protocol)s://%(domain)s/grafana" + serve_from_sub_path: true +ingress: + enabled: true + hosts: + - "monitoring.example.com" + path: "/grafana" +``` + +### Example of extraVolumeMounts and extraVolumes + +Configure additional volumes with `extraVolumes` and volume mounts with `extraVolumeMounts`. + +Example for `extraVolumeMounts` and corresponding `extraVolumes`: + +```yaml +extraVolumeMounts: + - name: plugins + mountPath: /var/lib/grafana/plugins + subPath: configs/grafana/plugins + readOnly: false + - name: dashboards + mountPath: /var/lib/grafana/dashboards + hostPath: /usr/shared/grafana/dashboards + readOnly: false + +extraVolumes: + - name: plugins + existingClaim: existing-grafana-claim + - name: dashboards + hostPath: /usr/shared/grafana/dashboards +``` + +Volumes default to `emptyDir`. Set to `persistentVolumeClaim`, +`hostPath`, `csi`, or `configMap` for other types. For a +`persistentVolumeClaim`, specify an existing claim name with +`existingClaim`. + +## Import dashboards + +There are a few methods to import dashboards to Grafana. Below are some examples and explanations as to how to use each method: + +```yaml +dashboards: + default: + some-dashboard: + json: | + { + "annotations": + + ... + # Complete json file here + ... + + "title": "Some Dashboard", + "uid": "abcd1234", + "version": 1 + } + custom-dashboard: + # This is a path to a file inside the dashboards directory inside the chart directory + file: dashboards/custom-dashboard.json + prometheus-stats: + # Ref: https://grafana.com/dashboards/2 + gnetId: 2 + revision: 2 + datasource: Prometheus + loki-dashboard-quick-search: + gnetId: 12019 + revision: 2 + datasource: + - name: DS_PROMETHEUS + value: Prometheus + - name: DS_LOKI + value: Loki + local-dashboard: + url: https://raw.githubusercontent.com/user/repository/master/dashboards/dashboard.json +``` + +## BASE64 dashboards + +Dashboards could be stored on a server that does not return JSON directly and instead of it returns a Base64 encoded file (e.g. Gerrit) +A new parameter has been added to the url use case so if you specify a b64content value equals to true after the url entry a Base64 decoding is applied before save the file to disk. +If this entry is not set or is equals to false not decoding is applied to the file before saving it to disk. + +### Gerrit use case + +Gerrit API for download files has the following schema: where {project-name} and +{file-id} usually has '/' in their values and so they MUST be replaced by %2F so if project-name is user/repo, branch-id is master and file-id is equals to dir1/dir2/dashboard +the url value is + +## Sidecar for dashboards + +If the parameter `sidecar.dashboards.enabled` is set, a sidecar container is deployed in the grafana +pod. This container watches all configmaps (or secrets) in the cluster and filters out the ones with +a label as defined in `sidecar.dashboards.label`. The files defined in those configmaps are written +to a folder and accessed by grafana. Changes to the configmaps are monitored and the imported +dashboards are deleted/updated. + +A recommendation is to use one configmap per dashboard, as a reduction of multiple dashboards inside +one configmap is currently not properly mirrored in grafana. + +Example dashboard config: + +```yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: sample-grafana-dashboard + labels: + grafana_dashboard: "1" +data: + k8s-dashboard.json: |- + [...] +``` + +## Sidecar for datasources + +If the parameter `sidecar.datasources.enabled` is set, an init container is deployed in the grafana +pod. This container lists all secrets (or configmaps, though not recommended) in the cluster and +filters out the ones with a label as defined in `sidecar.datasources.label`. The files defined in +those secrets are written to a folder and accessed by grafana on startup. Using these yaml files, +the data sources in grafana can be imported. + +Should you aim for reloading datasources in Grafana each time the config is changed, set `sidecar.datasources.skipReload: false` and adjust `sidecar.datasources.reloadURL` to `http://..svc.cluster.local/api/admin/provisioning/datasources/reload`. + +Secrets are recommended over configmaps for this usecase because datasources usually contain private +data like usernames and passwords. Secrets are the more appropriate cluster resource to manage those. + +Example values to add a postgres datasource as a kubernetes secret: + +```yaml +apiVersion: v1 +kind: Secret +metadata: + name: grafana-datasources + labels: + grafana_datasource: 'true' # default value for: sidecar.datasources.label +stringData: + pg-db.yaml: |- + apiVersion: 1 + datasources: + - name: My pg db datasource + type: postgres + url: my-postgresql-db:5432 + user: db-readonly-user + secureJsonData: + password: 'SUperSEcretPa$$word' + jsonData: + database: my_datase + sslmode: 'disable' # disable/require/verify-ca/verify-full + maxOpenConns: 0 # Grafana v5.4+ + maxIdleConns: 2 # Grafana v5.4+ + connMaxLifetime: 14400 # Grafana v5.4+ + postgresVersion: 1000 # 903=9.3, 904=9.4, 905=9.5, 906=9.6, 1000=10 + timescaledb: false + # allow users to edit datasources from the UI. + editable: false +``` + +Example values to add a datasource adapted from [Grafana](http://docs.grafana.org/administration/provisioning/#example-datasource-config-file): + +```yaml +datasources: + datasources.yaml: + apiVersion: 1 + datasources: + # name of the datasource. Required + - name: Graphite + # datasource type. Required + type: graphite + # access mode. proxy or direct (Server or Browser in the UI). Required + access: proxy + # org id. will default to orgId 1 if not specified + orgId: 1 + # url + url: http://localhost:8080 + # database password, if used + password: + # database user, if used + user: + # database name, if used + database: + # enable/disable basic auth + basicAuth: + # basic auth username + basicAuthUser: + # basic auth password + basicAuthPassword: + # enable/disable with credentials headers + withCredentials: + # mark as default datasource. Max one per org + isDefault: + # fields that will be converted to json and stored in json_data + jsonData: + graphiteVersion: "1.1" + tlsAuth: true + tlsAuthWithCACert: true + # json object of data that will be encrypted. + secureJsonData: + tlsCACert: "..." + tlsClientCert: "..." + tlsClientKey: "..." + version: 1 + # allow users to edit datasources from the UI. + editable: false +``` + +## Sidecar for notifiers + +If the parameter `sidecar.notifiers.enabled` is set, an init container is deployed in the grafana +pod. This container lists all secrets (or configmaps, though not recommended) in the cluster and +filters out the ones with a label as defined in `sidecar.notifiers.label`. The files defined in +those secrets are written to a folder and accessed by grafana on startup. Using these yaml files, +the notification channels in grafana can be imported. The secrets must be created before +`helm install` so that the notifiers init container can list the secrets. + +Secrets are recommended over configmaps for this usecase because alert notification channels usually contain +private data like SMTP usernames and passwords. Secrets are the more appropriate cluster resource to manage those. + +Example datasource config adapted from [Grafana](https://grafana.com/docs/grafana/latest/administration/provisioning/#alert-notification-channels): + +```yaml +notifiers: + - name: notification-channel-1 + type: slack + uid: notifier1 + # either + org_id: 2 + # or + org_name: Main Org. + is_default: true + send_reminder: true + frequency: 1h + disable_resolve_message: false + # See `Supported Settings` section for settings supporter for each + # alert notification type. + settings: + recipient: 'XXX' + token: 'xoxb' + uploadImage: true + url: https://slack.com + +delete_notifiers: + - name: notification-channel-1 + uid: notifier1 + org_id: 2 + - name: notification-channel-2 + # default org_id: 1 +``` + +## Sidecar for alerting resources + +If the parameter `sidecar.alerts.enabled` is set, a sidecar container is deployed in the grafana +pod. This container watches all configmaps (or secrets) in the cluster (namespace defined by `sidecar.alerts.searchNamespace`) and filters out the ones with +a label as defined in `sidecar.alerts.label` (default is `grafana_alert`). The files defined in those configmaps are written +to a folder and accessed by grafana. Changes to the configmaps are monitored and the imported alerting resources are updated, however, deletions are a little more complicated (see below). + +This sidecar can be used to provision alert rules, contact points, notification policies, notification templates and mute timings as shown in [Grafana Documentation](https://grafana.com/docs/grafana/next/alerting/set-up/provision-alerting-resources/file-provisioning/). + +To fetch the alert config which will be provisioned, use the alert provisioning API ([Grafana Documentation](https://grafana.com/docs/grafana/next/developers/http_api/alerting_provisioning/)). +You can use either JSON or YAML format. + +Example config for an alert rule: + +```yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: sample-grafana-alert + labels: + grafana_alert: "1" +data: + k8s-alert.yml: |- + apiVersion: 1 + groups: + - orgId: 1 + name: k8s-alert + [...] +``` + +To delete provisioned alert rules is a two step process, you need to delete the configmap which defined the alert rule +and then create a configuration which deletes the alert rule. + +Example deletion configuration: + +```yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: delete-sample-grafana-alert + namespace: monitoring + labels: + grafana_alert: "1" +data: + delete-k8s-alert.yml: |- + apiVersion: 1 + deleteRules: + - orgId: 1 + uid: 16624780-6564-45dc-825c-8bded4ad92d3 +``` + +## Statically provision alerting resources + +If you don't need to change alerting resources (alert rules, contact points, notification policies and notification templates) regularly you could use the `alerting` config option instead of the sidecar option above. +This will grab the alerting config and apply it statically at build time for the helm file. + +There are two methods to statically provision alerting configuration in Grafana. Below are some examples and explanations as to how to use each method: + +```yaml +alerting: + team1-alert-rules.yaml: + file: alerting/team1/rules.yaml + team2-alert-rules.yaml: + file: alerting/team2/rules.yaml + team3-alert-rules.yaml: + file: alerting/team3/rules.yaml + notification-policies.yaml: + file: alerting/shared/notification-policies.yaml + notification-templates.yaml: + file: alerting/shared/notification-templates.yaml + contactpoints.yaml: + apiVersion: 1 + contactPoints: + - orgId: 1 + name: Slack channel + receivers: + - uid: default-receiver + type: slack + settings: + # Webhook URL to be filled in + url: "" + # We need to escape double curly braces for the tpl function. + text: '{{ `{{ template "default.message" . }}` }}' + title: '{{ `{{ template "default.title" . }}` }}' +``` + +The two possibilities for static alerting resource provisioning are: + +* Inlining the file contents as shown for contact points in the above example. +* Importing a file using a relative path starting from the chart root directory as shown for the alert rules in the above example. + +### Important notes on file provisioning + +* The format of the files is defined in the [Grafana documentation](https://grafana.com/docs/grafana/next/alerting/set-up/provision-alerting-resources/file-provisioning/) on file provisioning. +* The chart supports importing YAML and JSON files. +* The filename must be unique, otherwise one volume mount will overwrite the other. +* In case of inlining, double curly braces that arise from the Grafana configuration format and are not intended as templates for the chart must be escaped. +* The number of total files under `alerting:` is not limited. Each file will end up as a volume mount in the corresponding provisioning folder of the deployed Grafana instance. +* The file size for each import is limited by what the function `.Files.Get` can handle, which suffices for most cases. + +## How to serve Grafana with a path prefix (/grafana) + +In order to serve Grafana with a prefix (e.g., ), add the following to your values.yaml. + +```yaml +ingress: + enabled: true + annotations: + kubernetes.io/ingress.class: "nginx" + nginx.ingress.kubernetes.io/rewrite-target: /$1 + nginx.ingress.kubernetes.io/use-regex: "true" + + path: /grafana/?(.*) + hosts: + - k8s.example.dev + +grafana.ini: + server: + root_url: http://localhost:3000/grafana # this host can be localhost +``` + +## How to securely reference secrets in grafana.ini + +This example uses Grafana [file providers](https://grafana.com/docs/grafana/latest/administration/configuration/#file-provider) for secret values and the `extraSecretMounts` configuration flag (Additional grafana server secret mounts) to mount the secrets. + +In grafana.ini: + +```yaml +grafana.ini: + [auth.generic_oauth] + enabled = true + client_id = $__file{/etc/secrets/auth_generic_oauth/client_id} + client_secret = $__file{/etc/secrets/auth_generic_oauth/client_secret} +``` + +Existing secret, or created along with helm: + +```yaml +--- +apiVersion: v1 +kind: Secret +metadata: + name: auth-generic-oauth-secret +type: Opaque +stringData: + client_id: + client_secret: +``` + +Include in the `extraSecretMounts` configuration flag: + +```yaml +extraSecretMounts: + - name: auth-generic-oauth-secret-mount + secretName: auth-generic-oauth-secret + defaultMode: 0440 + mountPath: /etc/secrets/auth_generic_oauth + readOnly: true +``` + +### extraSecretMounts using a Container Storage Interface (CSI) provider + +This example uses a CSI driver e.g. retrieving secrets using [Azure Key Vault Provider](https://github.com/Azure/secrets-store-csi-driver-provider-azure) + +```yaml +extraSecretMounts: + - name: secrets-store-inline + mountPath: /run/secrets + readOnly: true + csi: + driver: secrets-store.csi.k8s.io + readOnly: true + volumeAttributes: + secretProviderClass: "my-provider" + nodePublishSecretRef: + name: akv-creds +``` + +## Image Renderer Plug-In + +This chart supports enabling [remote image rendering](https://github.com/grafana/grafana-image-renderer/blob/master/README.md#run-in-docker) + +```yaml +imageRenderer: + enabled: true +``` + +### Image Renderer NetworkPolicy + +By default the image-renderer pods will have a network policy which only allows ingress traffic from the created grafana instance + +### High Availability for unified alerting + +If you want to run Grafana in a high availability cluster you need to enable +the headless service by setting `headlessService: true` in your `values.yaml` +file. + +As next step you have to setup the `grafana.ini` in your `values.yaml` in a way +that it will make use of the headless service to obtain all the IPs of the +cluster. You should replace ``{{ Name }}`` with the name of your helm deployment. + +```yaml +grafana.ini: + ... + unified_alerting: + enabled: true + ha_peers: {{ Name }}-headless:9094 + ha_listen_address: ${POD_IP}:9094 + ha_advertise_address: ${POD_IP}:9094 + + alerting: + enabled: false +``` diff --git a/charts/kasten/k10/7.0.1401/charts/grafana/ci/default-values.yaml b/charts/kasten/k10/7.0.1401/charts/grafana/ci/default-values.yaml new file mode 100644 index 000000000..fc2ba605a --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/grafana/ci/default-values.yaml @@ -0,0 +1 @@ +# Leave this file empty to ensure that CI runs builds against the default configuration in values.yaml. diff --git a/charts/kasten/k10/7.0.1401/charts/grafana/ci/with-affinity-values.yaml b/charts/kasten/k10/7.0.1401/charts/grafana/ci/with-affinity-values.yaml new file mode 100644 index 000000000..f5b9b53e7 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/grafana/ci/with-affinity-values.yaml @@ -0,0 +1,16 @@ +affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchLabels: + app.kubernetes.io/instance: grafana-test + app.kubernetes.io/name: grafana + topologyKey: failure-domain.beta.kubernetes.io/zone + weight: 100 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + app.kubernetes.io/instance: grafana-test + app.kubernetes.io/name: grafana + topologyKey: kubernetes.io/hostname diff --git a/charts/kasten/k10/7.0.1401/charts/grafana/ci/with-dashboard-json-values.yaml b/charts/kasten/k10/7.0.1401/charts/grafana/ci/with-dashboard-json-values.yaml new file mode 100644 index 000000000..e0c4e4168 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/grafana/ci/with-dashboard-json-values.yaml @@ -0,0 +1,53 @@ +dashboards: + my-provider: + my-awesome-dashboard: + # An empty but valid dashboard + json: | + { + "__inputs": [], + "__requires": [ + { + "type": "grafana", + "id": "grafana", + "name": "Grafana", + "version": "6.3.5" + } + ], + "annotations": { + "list": [ + { + "builtIn": 1, + "datasource": "-- Grafana --", + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "name": "Annotations & Alerts", + "type": "dashboard" + } + ] + }, + "editable": true, + "gnetId": null, + "graphTooltip": 0, + "id": null, + "links": [], + "panels": [], + "schemaVersion": 19, + "style": "dark", + "tags": [], + "templating": { + "list": [] + }, + "time": { + "from": "now-6h", + "to": "now" + }, + "timepicker": { + "refresh_intervals": ["5s"] + }, + "timezone": "", + "title": "Dummy Dashboard", + "uid": "IdcYQooWk", + "version": 1 + } + datasource: Prometheus diff --git a/charts/kasten/k10/7.0.1401/charts/grafana/ci/with-dashboard-values.yaml b/charts/kasten/k10/7.0.1401/charts/grafana/ci/with-dashboard-values.yaml new file mode 100644 index 000000000..7b662c5fd --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/grafana/ci/with-dashboard-values.yaml @@ -0,0 +1,19 @@ +dashboards: + my-provider: + my-awesome-dashboard: + gnetId: 10000 + revision: 1 + datasource: Prometheus +dashboardProviders: + dashboardproviders.yaml: + apiVersion: 1 + providers: + - name: 'my-provider' + orgId: 1 + folder: '' + type: file + updateIntervalSeconds: 10 + disableDeletion: true + editable: true + options: + path: /var/lib/grafana/dashboards/my-provider diff --git a/charts/kasten/k10/7.0.1401/charts/grafana/ci/with-extraconfigmapmounts-values.yaml b/charts/kasten/k10/7.0.1401/charts/grafana/ci/with-extraconfigmapmounts-values.yaml new file mode 100644 index 000000000..5cc44a056 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/grafana/ci/with-extraconfigmapmounts-values.yaml @@ -0,0 +1,7 @@ +extraConfigmapMounts: + - name: '{{ include "grafana.fullname" . }}' + configMap: '{{ include "grafana.fullname" . }}' + mountPath: /var/lib/grafana/dashboards/test-dashboard.json + # This is not a realistic test, but for this we only care about extraConfigmapMounts not being empty and pointing to an existing ConfigMap + subPath: grafana.ini + readOnly: true diff --git a/charts/kasten/k10/7.0.1401/charts/grafana/ci/with-image-renderer-values.yaml b/charts/kasten/k10/7.0.1401/charts/grafana/ci/with-image-renderer-values.yaml new file mode 100644 index 000000000..06c0bda13 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/grafana/ci/with-image-renderer-values.yaml @@ -0,0 +1,107 @@ +podLabels: + customLableA: Aaaaa +imageRenderer: + enabled: true + env: + RENDERING_ARGS: --disable-gpu,--window-size=1280x758 + RENDERING_MODE: clustered + podLabels: + customLableB: Bbbbb + networkPolicy: + limitIngress: true + limitEgress: true + resources: + limits: + cpu: 1000m + memory: 1000Mi + requests: + cpu: 500m + memory: 50Mi + extraVolumes: + - name: empty-renderer-volume + emtpyDir: {} + extraVolumeMounts: + - mountPath: /tmp/renderer + name: empty-renderer-volume + extraConfigmapMounts: + - name: renderer-config + mountPath: /usr/src/app/config.json + subPath: renderer-config.json + configMap: image-renderer-config + extraSecretMounts: + - name: renderer-certificate + mountPath: /usr/src/app/certs/ + secretName: image-renderer-certificate + readOnly: true + +extraObjects: + - apiVersion: v1 + kind: ConfigMap + metadata: + name: image-renderer-config + data: + renderer-config.json: | + { + "service": { + "host": null, + "port": 8081, + "protocol": "http", + "certFile": "", + "certKey": "", + + "metrics": { + "enabled": true, + "collectDefaultMetrics": true, + "requestDurationBuckets": [1, 5, 7, 9, 11, 13, 15, 20, 30] + }, + + "logging": { + "level": "info", + "console": { + "json": true, + "colorize": false + } + }, + + "security": { + "authToken": "-" + } + }, + "rendering": { + "chromeBin": null, + "args": ["--no-sandbox", "--disable-gpu"], + "ignoresHttpsErrors": false, + + "timezone": null, + "acceptLanguage": null, + "width": 1000, + "height": 500, + "deviceScaleFactor": 1, + "maxWidth": 3080, + "maxHeight": 3000, + "maxDeviceScaleFactor": 4, + "pageZoomLevel": 1, + "headed": false, + + "mode": "default", + "emulateNetworkConditions": false, + "clustering": { + "monitor": false, + "mode": "browser", + "maxConcurrency": 5, + "timeout": 30 + }, + + "verboseLogging": false, + "dumpio": false, + "timingMetrics": false + } + } + - apiVersion: v1 + kind: Secret + metadata: + name: image-renderer-certificate + type: Opaque + data: + # Decodes to 'PLACEHOLDER CERTIFICATE' + not-a-real-certificate: UExBQ0VIT0xERVIgQ0VSVElGSUNBVEU= diff --git a/charts/kasten/k10/7.0.1401/charts/grafana/ci/with-nondefault-values.yaml b/charts/kasten/k10/7.0.1401/charts/grafana/ci/with-nondefault-values.yaml new file mode 100644 index 000000000..fb5c17940 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/grafana/ci/with-nondefault-values.yaml @@ -0,0 +1,6 @@ +global: + environment: prod +ingress: + enabled: true + hosts: + - monitoring-{{ .Values.global.environment }}.example.com diff --git a/charts/kasten/k10/7.0.1401/charts/grafana/ci/with-persistence.yaml b/charts/kasten/k10/7.0.1401/charts/grafana/ci/with-persistence.yaml new file mode 100644 index 000000000..b92ca02c9 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/grafana/ci/with-persistence.yaml @@ -0,0 +1,3 @@ +persistence: + type: pvc + enabled: true diff --git a/charts/kasten/k10/7.0.1401/charts/grafana/ci/with-sidecars-envvaluefrom-values.yaml b/charts/kasten/k10/7.0.1401/charts/grafana/ci/with-sidecars-envvaluefrom-values.yaml new file mode 100644 index 000000000..a6935e56d --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/grafana/ci/with-sidecars-envvaluefrom-values.yaml @@ -0,0 +1,38 @@ +extraObjects: + - apiVersion: v1 + kind: ConfigMap + metadata: + name: '{{ include "grafana.fullname" . }}-test' + data: + var1: "value1" + - apiVersion: v1 + kind: Secret + metadata: + name: '{{ include "grafana.fullname" . }}-test' + type: Opaque + data: + var2: "dmFsdWUy" + +sidecar: + dashboards: + enabled: true + envValueFrom: + VAR1: + configMapKeyRef: + name: '{{ include "grafana.fullname" . }}-test' + key: var1 + VAR2: + secretKeyRef: + name: '{{ include "grafana.fullname" . }}-test' + key: var2 + datasources: + enabled: true + envValueFrom: + VAR1: + configMapKeyRef: + name: '{{ include "grafana.fullname" . }}-test' + key: var1 + VAR2: + secretKeyRef: + name: '{{ include "grafana.fullname" . }}-test' + key: var2 diff --git a/charts/kasten/k10/7.0.1401/charts/grafana/dashboards/custom-dashboard.json b/charts/kasten/k10/7.0.1401/charts/grafana/dashboards/custom-dashboard.json new file mode 100644 index 000000000..9e26dfeeb --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/grafana/dashboards/custom-dashboard.json @@ -0,0 +1 @@ +{} \ No newline at end of file diff --git a/charts/kasten/k10/7.0.1401/charts/grafana/templates/NOTES.txt b/charts/kasten/k10/7.0.1401/charts/grafana/templates/NOTES.txt new file mode 100644 index 000000000..a40f666a4 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/grafana/templates/NOTES.txt @@ -0,0 +1,55 @@ +1. Get your '{{ .Values.adminUser }}' user password by running: + + kubectl get secret --namespace {{ include "grafana.namespace" . }} {{ .Values.admin.existingSecret | default (include "grafana.fullname" .) }} -o jsonpath="{.data.{{ .Values.admin.passwordKey | default "admin-password" }}}" | base64 --decode ; echo + + +2. The Grafana server can be accessed via port {{ .Values.service.port }} on the following DNS name from within your cluster: + + {{ include "grafana.fullname" . }}.{{ include "grafana.namespace" . }}.svc.cluster.local +{{ if .Values.ingress.enabled }} + If you bind grafana to 80, please update values in values.yaml and reinstall: + ``` + securityContext: + runAsUser: 0 + runAsGroup: 0 + fsGroup: 0 + + command: + - "setcap" + - "'cap_net_bind_service=+ep'" + - "/usr/sbin/grafana-server &&" + - "sh" + - "/run.sh" + ``` + Details refer to https://grafana.com/docs/installation/configuration/#http-port. + Or grafana would always crash. + + From outside the cluster, the server URL(s) are: + {{- range .Values.ingress.hosts }} + http://{{ . }} + {{- end }} +{{- else }} + Get the Grafana URL to visit by running these commands in the same shell: + {{- if contains "NodePort" .Values.service.type }} + export NODE_PORT=$(kubectl get --namespace {{ include "grafana.namespace" . }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "grafana.fullname" . }}) + export NODE_IP=$(kubectl get nodes --namespace {{ include "grafana.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}") + echo http://$NODE_IP:$NODE_PORT + {{- else if contains "LoadBalancer" .Values.service.type }} + NOTE: It may take a few minutes for the LoadBalancer IP to be available. + You can watch the status of by running 'kubectl get svc --namespace {{ include "grafana.namespace" . }} -w {{ include "grafana.fullname" . }}' + export SERVICE_IP=$(kubectl get svc --namespace {{ include "grafana.namespace" . }} {{ include "grafana.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') + http://$SERVICE_IP:{{ .Values.service.port -}} + {{- else if contains "ClusterIP" .Values.service.type }} + export POD_NAME=$(kubectl get pods --namespace {{ include "grafana.namespace" . }} -l "app.kubernetes.io/name={{ include "grafana.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") + kubectl --namespace {{ include "grafana.namespace" . }} port-forward $POD_NAME 3000 + {{- end }} +{{- end }} + +3. Login with the password from step 1 and the username: {{ .Values.adminUser }} + +{{- if and (not .Values.persistence.enabled) (not .Values.persistence.disableWarning) }} +################################################################################# +###### WARNING: Persistence is disabled!!! You will lose your data when ##### +###### the Grafana pod is terminated. ##### +################################################################################# +{{- end }} diff --git a/charts/kasten/k10/7.0.1401/charts/grafana/templates/_config.tpl b/charts/kasten/k10/7.0.1401/charts/grafana/templates/_config.tpl new file mode 100644 index 000000000..889762006 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/grafana/templates/_config.tpl @@ -0,0 +1,176 @@ +{{/* + Generate config map data + */}} +{{- define "grafana.configData" -}} +{{ include "grafana.assertNoLeakedSecrets" . }} +{{- $files := .Files }} +{{- $root := . -}} +{{- with .Values.plugins }} +plugins: {{ join "," . }} +{{- end }} +grafana.ini: | +{{- range $elem, $elemVal := index .Values "grafana.ini" }} + {{- if not (kindIs "map" $elemVal) }} + {{- if kindIs "invalid" $elemVal }} + {{ $elem }} = + {{- else if kindIs "slice" $elemVal }} + {{ $elem }} = {{ toJson $elemVal }} + {{- else if kindIs "string" $elemVal }} + {{ $elem }} = {{ tpl $elemVal $ }} + {{- else }} + {{ $elem }} = {{ $elemVal }} + {{- end }} + {{- end }} +{{- end }} +{{- range $key, $value := index .Values "grafana.ini" }} + {{- if kindIs "map" $value }} + [{{ $key }}] + {{- range $elem, $elemVal := $value }} + {{- if kindIs "invalid" $elemVal }} + {{ $elem }} = + {{- else if kindIs "slice" $elemVal }} + {{ $elem }} = {{ toJson $elemVal }} + {{- else if kindIs "string" $elemVal }} + {{ $elem }} = {{ tpl $elemVal $ }} + {{- else }} + {{ $elem }} = {{ $elemVal }} + {{- end }} + {{- end }} + {{- end }} +{{- end }} + +{{- range $key, $value := .Values.datasources }} +{{- if not (hasKey $value "secret") }} +{{ $key }}: | + {{- tpl (toYaml $value | nindent 2) $root }} +{{- end }} +{{- end }} + +{{- range $key, $value := .Values.notifiers }} +{{- if not (hasKey $value "secret") }} +{{ $key }}: | + {{- toYaml $value | nindent 2 }} +{{- end }} +{{- end }} + +{{- range $key, $value := .Values.alerting }} +{{- if (hasKey $value "file") }} +{{ $key }}: +{{- toYaml ( $files.Get $value.file ) | nindent 2 }} +{{- else if (or (hasKey $value "secret") (hasKey $value "secretFile"))}} +{{/* will be stored inside secret generated by "configSecret.yaml"*/}} +{{- else }} +{{ $key }}: | + {{- tpl (toYaml $value | nindent 2) $root }} +{{- end }} +{{- end }} + +{{- range $key, $value := .Values.dashboardProviders }} +{{ $key }}: | + {{- toYaml $value | nindent 2 }} +{{- end }} + +{{- if .Values.dashboards }} +download_dashboards.sh: | + #!/usr/bin/env sh + set -euf + {{- if .Values.dashboardProviders }} + {{- range $key, $value := .Values.dashboardProviders }} + {{- range $value.providers }} + mkdir -p {{ .options.path }} + {{- end }} + {{- end }} + {{- end }} +{{ $dashboardProviders := .Values.dashboardProviders }} +{{- range $provider, $dashboards := .Values.dashboards }} + {{- range $key, $value := $dashboards }} + {{- if (or (hasKey $value "gnetId") (hasKey $value "url")) }} + curl -skf \ + --connect-timeout 60 \ + --max-time 60 \ + {{- if not $value.b64content }} + {{- if not $value.acceptHeader }} + -H "Accept: application/json" \ + {{- else }} + -H "Accept: {{ $value.acceptHeader }}" \ + {{- end }} + {{- if $value.token }} + -H "Authorization: token {{ $value.token }}" \ + {{- end }} + {{- if $value.bearerToken }} + -H "Authorization: Bearer {{ $value.bearerToken }}" \ + {{- end }} + {{- if $value.basic }} + -H "Authorization: Basic {{ $value.basic }}" \ + {{- end }} + {{- if $value.gitlabToken }} + -H "PRIVATE-TOKEN: {{ $value.gitlabToken }}" \ + {{- end }} + -H "Content-Type: application/json;charset=UTF-8" \ + {{- end }} + {{- $dpPath := "" -}} + {{- range $kd := (index $dashboardProviders "dashboardproviders.yaml").providers }} + {{- if eq $kd.name $provider }} + {{- $dpPath = $kd.options.path }} + {{- end }} + {{- end }} + {{- if $value.url }} + "{{ $value.url }}" \ + {{- else }} + "https://grafana.com/api/dashboards/{{ $value.gnetId }}/revisions/{{- if $value.revision -}}{{ $value.revision }}{{- else -}}1{{- end -}}/download" \ + {{- end }} + {{- if $value.datasource }} + {{- if kindIs "string" $value.datasource }} + | sed '/-- .* --/! s/"datasource":.*,/"datasource": "{{ $value.datasource }}",/g' \ + {{- end }} + {{- if kindIs "slice" $value.datasource }} + {{- range $value.datasource }} + | sed '/-- .* --/! s/${{"{"}}{{ .name }}}/{{ .value }}/g' \ + {{- end }} + {{- end }} + {{- end }} + {{- if $value.b64content }} + | base64 -d \ + {{- end }} + > "{{- if $dpPath -}}{{ $dpPath }}{{- else -}}/var/lib/grafana/dashboards/{{ $provider }}{{- end -}}/{{ $key }}.json" + {{ end }} + {{- end }} +{{- end }} +{{- end }} +{{- end -}} + +{{/* + Generate dashboard json config map data + */}} +{{- define "grafana.configDashboardProviderData" -}} +provider.yaml: |- + apiVersion: 1 + providers: + - name: '{{ .Values.sidecar.dashboards.provider.name }}' + orgId: {{ .Values.sidecar.dashboards.provider.orgid }} + {{- if not .Values.sidecar.dashboards.provider.foldersFromFilesStructure }} + folder: '{{ .Values.sidecar.dashboards.provider.folder }}' + folderUid: '{{ .Values.sidecar.dashboards.provider.folderUid }}' + {{- end }} + type: {{ .Values.sidecar.dashboards.provider.type }} + disableDeletion: {{ .Values.sidecar.dashboards.provider.disableDelete }} + allowUiUpdates: {{ .Values.sidecar.dashboards.provider.allowUiUpdates }} + updateIntervalSeconds: {{ .Values.sidecar.dashboards.provider.updateIntervalSeconds | default 30 }} + options: + foldersFromFilesStructure: {{ .Values.sidecar.dashboards.provider.foldersFromFilesStructure }} + path: {{ .Values.sidecar.dashboards.folder }}{{- with .Values.sidecar.dashboards.defaultFolderName }}/{{ . }}{{- end }} +{{- end -}} + +{{- define "grafana.secretsData" -}} +{{- if and (not .Values.env.GF_SECURITY_DISABLE_INITIAL_ADMIN_CREATION) (not .Values.admin.existingSecret) (not .Values.env.GF_SECURITY_ADMIN_PASSWORD__FILE) (not .Values.env.GF_SECURITY_ADMIN_PASSWORD) }} +admin-user: {{ .Values.adminUser | b64enc | quote }} +{{- if .Values.adminPassword }} +admin-password: {{ .Values.adminPassword | b64enc | quote }} +{{- else }} +admin-password: {{ include "grafana.password" . }} +{{- end }} +{{- end }} +{{- if not .Values.ldap.existingSecret }} +ldap-toml: {{ tpl .Values.ldap.config $ | b64enc | quote }} +{{- end }} +{{- end -}} diff --git a/charts/kasten/k10/7.0.1401/charts/grafana/templates/_helpers.tpl b/charts/kasten/k10/7.0.1401/charts/grafana/templates/_helpers.tpl new file mode 100644 index 000000000..2a68cb6f8 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/grafana/templates/_helpers.tpl @@ -0,0 +1,276 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "grafana.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "grafana.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "grafana.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create the name of the service account +*/}} +{{- define "grafana.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "grafana.fullname" .) .Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} + +{{- define "grafana.serviceAccountNameTest" -}} +{{- if .Values.serviceAccount.create }} +{{- default (print (include "grafana.fullname" .) "-test") .Values.serviceAccount.nameTest }} +{{- else }} +{{- default "default" .Values.serviceAccount.nameTest }} +{{- end }} +{{- end }} + +{{/* +Allow the release namespace to be overridden for multi-namespace deployments in combined charts +*/}} +{{- define "grafana.namespace" -}} +{{- if .Values.namespaceOverride }} +{{- .Values.namespaceOverride }} +{{- else }} +{{- .Release.Namespace }} +{{- end }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "grafana.labels" -}} +helm.sh/chart: {{ include "grafana.chart" . }} +{{ include "grafana.selectorLabels" . }} +{{- if or .Chart.AppVersion .Values.image.tag }} +app.kubernetes.io/version: {{ mustRegexReplaceAllLiteral "@sha.*" .Values.image.tag "" | default .Chart.AppVersion | trunc 63 | trimSuffix "-" | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- with .Values.extraLabels }} +{{ toYaml . }} +{{- end }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "grafana.selectorLabels" -}} +app.kubernetes.io/name: {{ include "grafana.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "grafana.imageRenderer.labels" -}} +helm.sh/chart: {{ include "grafana.chart" . }} +{{ include "grafana.imageRenderer.selectorLabels" . }} +{{- if or .Chart.AppVersion .Values.image.tag }} +app.kubernetes.io/version: {{ mustRegexReplaceAllLiteral "@sha.*" .Values.image.tag "" | default .Chart.AppVersion | trunc 63 | trimSuffix "-" | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels ImageRenderer +*/}} +{{- define "grafana.imageRenderer.selectorLabels" -}} +app.kubernetes.io/name: {{ include "grafana.name" . }}-image-renderer +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Looks if there's an existing secret and reuse its password. If not it generates +new password and use it. +*/}} +{{- define "grafana.password" -}} +{{- $secret := (lookup "v1" "Secret" (include "grafana.namespace" .) (include "grafana.fullname" .) ) }} +{{- if $secret }} +{{- index $secret "data" "admin-password" }} +{{- else }} +{{- (randAlphaNum 40) | b64enc | quote }} +{{- end }} +{{- end }} + +{{/* +Return the appropriate apiVersion for rbac. +*/}} +{{- define "grafana.rbac.apiVersion" -}} +{{- if $.Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" }} +{{- print "rbac.authorization.k8s.io/v1" }} +{{- else }} +{{- print "rbac.authorization.k8s.io/v1beta1" }} +{{- end }} +{{- end }} + +{{/* +Return the appropriate apiVersion for ingress. +*/}} +{{- define "grafana.ingress.apiVersion" -}} +{{- if and ($.Capabilities.APIVersions.Has "networking.k8s.io/v1") (semverCompare ">= 1.19-0" .Capabilities.KubeVersion.Version) }} +{{- print "networking.k8s.io/v1" }} +{{- else if $.Capabilities.APIVersions.Has "networking.k8s.io/v1beta1" }} +{{- print "networking.k8s.io/v1beta1" }} +{{- else }} +{{- print "extensions/v1beta1" }} +{{- end }} +{{- end }} + +{{/* +Return the appropriate apiVersion for Horizontal Pod Autoscaler. +*/}} +{{- define "grafana.hpa.apiVersion" -}} +{{- if .Capabilities.APIVersions.Has "autoscaling/v2" }} +{{- print "autoscaling/v2" }} +{{- else }} +{{- print "autoscaling/v2beta2" }} +{{- end }} +{{- end }} + +{{/* +Return the appropriate apiVersion for podDisruptionBudget. +*/}} +{{- define "grafana.podDisruptionBudget.apiVersion" -}} +{{- if $.Values.podDisruptionBudget.apiVersion }} +{{- print $.Values.podDisruptionBudget.apiVersion }} +{{- else if $.Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget" }} +{{- print "policy/v1" }} +{{- else }} +{{- print "policy/v1beta1" }} +{{- end }} +{{- end }} + +{{/* +Return if ingress is stable. +*/}} +{{- define "grafana.ingress.isStable" -}} +{{- eq (include "grafana.ingress.apiVersion" .) "networking.k8s.io/v1" }} +{{- end }} + +{{/* +Return if ingress supports ingressClassName. +*/}} +{{- define "grafana.ingress.supportsIngressClassName" -}} +{{- or (eq (include "grafana.ingress.isStable" .) "true") (and (eq (include "grafana.ingress.apiVersion" .) "networking.k8s.io/v1beta1") (semverCompare ">= 1.18-0" .Capabilities.KubeVersion.Version)) }} +{{- end }} + +{{/* +Return if ingress supports pathType. +*/}} +{{- define "grafana.ingress.supportsPathType" -}} +{{- or (eq (include "grafana.ingress.isStable" .) "true") (and (eq (include "grafana.ingress.apiVersion" .) "networking.k8s.io/v1beta1") (semverCompare ">= 1.18-0" .Capabilities.KubeVersion.Version)) }} +{{- end }} + +{{/* +Formats imagePullSecrets. Input is (dict "root" . "imagePullSecrets" .{specific imagePullSecrets}) +*/}} +{{- define "grafana.imagePullSecrets" -}} +{{- $root := .root }} +{{- range (concat .root.Values.global.imagePullSecrets .imagePullSecrets) }} +{{- if eq (typeOf .) "map[string]interface {}" }} +- {{ toYaml (dict "name" (tpl .name $root)) | trim }} +{{- else }} +- name: {{ tpl . $root }} +{{- end }} +{{- end }} +{{- end }} + + +{{/* + Checks whether or not the configSecret secret has to be created + */}} +{{- define "grafana.shouldCreateConfigSecret" -}} +{{- $secretFound := false -}} +{{- range $key, $value := .Values.datasources }} + {{- if hasKey $value "secret" }} + {{- $secretFound = true}} + {{- end }} +{{- end }} +{{- range $key, $value := .Values.notifiers }} + {{- if hasKey $value "secret" }} + {{- $secretFound = true}} + {{- end }} +{{- end }} +{{- range $key, $value := .Values.alerting }} + {{- if (or (hasKey $value "secret") (hasKey $value "secretFile")) }} + {{- $secretFound = true}} + {{- end }} +{{- end }} +{{- $secretFound}} +{{- end -}} + +{{/* + Checks whether the user is attempting to store secrets in plaintext + in the grafana.ini configmap +*/}} +{{/* grafana.assertNoLeakedSecrets checks for sensitive keys in values */}} +{{- define "grafana.assertNoLeakedSecrets" -}} + {{- $sensitiveKeysYaml := ` +sensitiveKeys: +- path: ["database", "password"] +- path: ["smtp", "password"] +- path: ["security", "secret_key"] +- path: ["security", "admin_password"] +- path: ["auth.basic", "password"] +- path: ["auth.ldap", "bind_password"] +- path: ["auth.google", "client_secret"] +- path: ["auth.github", "client_secret"] +- path: ["auth.gitlab", "client_secret"] +- path: ["auth.generic_oauth", "client_secret"] +- path: ["auth.okta", "client_secret"] +- path: ["auth.azuread", "client_secret"] +- path: ["auth.grafana_com", "client_secret"] +- path: ["auth.grafananet", "client_secret"] +- path: ["azure", "user_identity_client_secret"] +- path: ["unified_alerting", "ha_redis_password"] +- path: ["metrics", "basic_auth_password"] +- path: ["external_image_storage.s3", "secret_key"] +- path: ["external_image_storage.webdav", "password"] +- path: ["external_image_storage.azure_blob", "account_key"] +` | fromYaml -}} + {{- if $.Values.assertNoLeakedSecrets -}} + {{- $grafanaIni := index .Values "grafana.ini" -}} + {{- range $_, $secret := $sensitiveKeysYaml.sensitiveKeys -}} + {{- $currentMap := $grafanaIni -}} + {{- $shouldContinue := true -}} + {{- range $index, $elem := $secret.path -}} + {{- if and $shouldContinue (hasKey $currentMap $elem) -}} + {{- if eq (len $secret.path) (add1 $index) -}} + {{- if not (regexMatch "\\$(?:__(?:env|file|vault))?{[^}]+}" (index $currentMap $elem)) -}} + {{- fail (printf "Sensitive key '%s' should not be defined explicitly in values. Use variable expansion instead. You can disable this client-side validation by changing the value of assertNoLeakedSecrets." (join "." $secret.path)) -}} + {{- end -}} + {{- else -}} + {{- $currentMap = index $currentMap $elem -}} + {{- end -}} + {{- else -}} + {{- $shouldContinue = false -}} + {{- end -}} + {{- end -}} + {{- end -}} + {{- end -}} +{{- end -}} diff --git a/charts/kasten/k10/7.0.1401/charts/grafana/templates/_pod.tpl b/charts/kasten/k10/7.0.1401/charts/grafana/templates/_pod.tpl new file mode 100644 index 000000000..a8b104b5d --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/grafana/templates/_pod.tpl @@ -0,0 +1,1329 @@ +{{- define "grafana.pod" -}} +{{- $sts := list "sts" "StatefulSet" "statefulset" -}} +{{- $root := . -}} +{{- with .Values.schedulerName }} +schedulerName: "{{ . }}" +{{- end }} +serviceAccountName: {{ include "grafana.serviceAccountName" . }} +automountServiceAccountToken: {{ .Values.automountServiceAccountToken }} +{{- with .Values.securityContext }} +securityContext: + {{- toYaml . | nindent 2 }} +{{- end }} +{{- with .Values.hostAliases }} +hostAliases: + {{- toYaml . | nindent 2 }} +{{- end }} +{{- if .Values.dnsPolicy }} +dnsPolicy: {{ .Values.dnsPolicy }} +{{- end }} +{{- with .Values.dnsConfig }} +dnsConfig: + {{- toYaml . | nindent 2 }} +{{- end }} +{{- with .Values.priorityClassName }} +priorityClassName: {{ . }} +{{- end }} +{{- if ( or .Values.persistence.enabled .Values.dashboards .Values.extraInitContainers (and .Values.sidecar.alerts.enabled .Values.sidecar.alerts.initAlerts) (and .Values.sidecar.datasources.enabled .Values.sidecar.datasources.initDatasources) (and .Values.sidecar.notifiers.enabled .Values.sidecar.notifiers.initNotifiers)) }} +initContainers: +{{- end }} +{{- if ( and .Values.persistence.enabled .Values.initChownData.enabled ) }} + - name: init-chown-data + {{- $registry := .Values.global.imageRegistry | default .Values.initChownData.image.registry -}} + {{- if .Values.initChownData.image.sha }} + image: "{{ $registry }}/{{ .Values.initChownData.image.repository }}{{ if .Values.initChownData.image.tag }}:{{ .Values.initChownData.image.tag }}{{ end }}@sha256:{{ .Values.initChownData.image.sha }}" + {{- else }} + image: "{{ $registry }}/{{ .Values.initChownData.image.repository }}{{ if .Values.initChownData.image.tag }}:{{ .Values.initChownData.image.tag }}{{ end }}" + {{- end }} + imagePullPolicy: {{ .Values.initChownData.image.pullPolicy }} + {{- with .Values.initChownData.securityContext }} + securityContext: + {{- toYaml . | nindent 6 }} + {{- end }} + command: + - chown + - -R + - {{ .Values.securityContext.runAsUser }}:{{ .Values.securityContext.runAsGroup }} + - /var/lib/grafana + {{- with .Values.initChownData.resources }} + resources: + {{- toYaml . | nindent 6 }} + {{- end }} + volumeMounts: + - name: storage + mountPath: "/var/lib/grafana" + {{- with .Values.persistence.subPath }} + subPath: {{ tpl . $root }} + {{- end }} +{{- end }} +{{- if .Values.dashboards }} + - name: download-dashboards + {{- $registry := .Values.global.imageRegistry | default .Values.downloadDashboardsImage.registry -}} + {{- if .Values.downloadDashboardsImage.sha }} + image: "{{ $registry }}/{{ .Values.downloadDashboardsImage.repository }}{{ if .Values.downloadDashboardsImage.tag }}:{{ .Values.downloadDashboardsImage.tag }}{{ end }}@sha256:{{ .Values.downloadDashboardsImage.sha }}" + {{- else }} + image: "{{ $registry }}/{{ .Values.downloadDashboardsImage.repository }}{{ if .Values.downloadDashboardsImage.tag }}:{{ .Values.downloadDashboardsImage.tag }}{{ end }}" + {{- end }} + imagePullPolicy: {{ .Values.downloadDashboardsImage.pullPolicy }} + command: ["/bin/sh"] + args: [ "-c", "mkdir -p /var/lib/grafana/dashboards/default && /bin/sh -x /etc/grafana/download_dashboards.sh" ] + {{- with .Values.downloadDashboards.resources }} + resources: + {{- toYaml . | nindent 6 }} + {{- end }} + env: + {{- range $key, $value := .Values.downloadDashboards.env }} + - name: "{{ $key }}" + value: "{{ $value }}" + {{- end }} + {{- range $key, $value := .Values.downloadDashboards.envValueFrom }} + - name: {{ $key | quote }} + valueFrom: + {{- tpl (toYaml $value) $ | nindent 10 }} + {{- end }} + {{- with .Values.downloadDashboards.securityContext }} + securityContext: + {{- toYaml . | nindent 6 }} + {{- end }} + {{- with .Values.downloadDashboards.envFromSecret }} + envFrom: + - secretRef: + name: {{ tpl . $root }} + {{- end }} + volumeMounts: + - name: config + mountPath: "/etc/grafana/download_dashboards.sh" + subPath: download_dashboards.sh + - name: storage + mountPath: "/var/lib/grafana" + {{- with .Values.persistence.subPath }} + subPath: {{ tpl . $root }} + {{- end }} + {{- range .Values.extraSecretMounts }} + - name: {{ .name }} + mountPath: {{ .mountPath }} + readOnly: {{ .readOnly }} + {{- end }} +{{- end }} +{{- if and .Values.sidecar.alerts.enabled .Values.sidecar.alerts.initAlerts }} + - name: {{ include "grafana.name" . }}-init-sc-alerts + {{- $registry := .Values.global.imageRegistry | default .Values.sidecar.image.registry -}} + {{- if .Values.sidecar.image.sha }} + image: "{{ $registry }}/{{ .Values.sidecar.image.repository }}:{{ .Values.sidecar.image.tag }}@sha256:{{ .Values.sidecar.image.sha }}" + {{- else }} + image: "{{ $registry }}/{{ .Values.sidecar.image.repository }}:{{ .Values.sidecar.image.tag }}" + {{- end }} + imagePullPolicy: {{ .Values.sidecar.imagePullPolicy }} + env: + {{- range $key, $value := .Values.sidecar.alerts.env }} + - name: "{{ $key }}" + value: "{{ $value }}" + {{- end }} + {{- if .Values.sidecar.alerts.ignoreAlreadyProcessed }} + - name: IGNORE_ALREADY_PROCESSED + value: "true" + {{- end }} + - name: METHOD + value: "LIST" + - name: LABEL + value: "{{ .Values.sidecar.alerts.label }}" + {{- with .Values.sidecar.alerts.labelValue }} + - name: LABEL_VALUE + value: {{ quote . }} + {{- end }} + {{- if or .Values.sidecar.logLevel .Values.sidecar.alerts.logLevel }} + - name: LOG_LEVEL + value: {{ default .Values.sidecar.logLevel .Values.sidecar.alerts.logLevel }} + {{- end }} + - name: FOLDER + value: "/etc/grafana/provisioning/alerting" + - name: RESOURCE + value: {{ quote .Values.sidecar.alerts.resource }} + {{- with .Values.sidecar.enableUniqueFilenames }} + - name: UNIQUE_FILENAMES + value: "{{ . }}" + {{- end }} + {{- with .Values.sidecar.alerts.searchNamespace }} + - name: NAMESPACE + value: {{ . | join "," | quote }} + {{- end }} + {{- with .Values.sidecar.alerts.skipTlsVerify }} + - name: SKIP_TLS_VERIFY + value: {{ quote . }} + {{- end }} + {{- with .Values.sidecar.alerts.script }} + - name: SCRIPT + value: {{ quote . }} + {{- end }} + {{- with .Values.sidecar.livenessProbe }} + livenessProbe: + {{- toYaml . | nindent 6 }} + {{- end }} + {{- with .Values.sidecar.readinessProbe }} + readinessProbe: + {{- toYaml . | nindent 6 }} + {{- end }} + {{- with .Values.sidecar.resources }} + resources: + {{- toYaml . | nindent 6 }} + {{- end }} + {{- with .Values.sidecar.securityContext }} + securityContext: + {{- toYaml . | nindent 6 }} + {{- end }} + volumeMounts: + - name: sc-alerts-volume + mountPath: "/etc/grafana/provisioning/alerting" + {{- with .Values.sidecar.alerts.extraMounts }} + {{- toYaml . | trim | nindent 6 }} + {{- end }} +{{- end }} +{{- if and .Values.sidecar.datasources.enabled .Values.sidecar.datasources.initDatasources }} + - name: {{ include "grafana.name" . }}-init-sc-datasources + {{- $registry := .Values.global.imageRegistry | default .Values.sidecar.image.registry -}} + {{- if .Values.sidecar.image.sha }} + image: "{{ $registry }}/{{ .Values.sidecar.image.repository }}:{{ .Values.sidecar.image.tag }}@sha256:{{ .Values.sidecar.image.sha }}" + {{- else }} + image: "{{ $registry }}/{{ .Values.sidecar.image.repository }}:{{ .Values.sidecar.image.tag }}" + {{- end }} + imagePullPolicy: {{ .Values.sidecar.imagePullPolicy }} + env: + {{- range $key, $value := .Values.sidecar.datasources.env }} + - name: "{{ $key }}" + value: "{{ $value }}" + {{- end }} + {{- range $key, $value := .Values.sidecar.datasources.envValueFrom }} + - name: {{ $key | quote }} + valueFrom: + {{- tpl (toYaml $value) $ | nindent 10 }} + {{- end }} + {{- if .Values.sidecar.datasources.ignoreAlreadyProcessed }} + - name: IGNORE_ALREADY_PROCESSED + value: "true" + {{- end }} + - name: METHOD + value: "LIST" + - name: LABEL + value: "{{ .Values.sidecar.datasources.label }}" + {{- with .Values.sidecar.datasources.labelValue }} + - name: LABEL_VALUE + value: {{ quote . }} + {{- end }} + {{- if or .Values.sidecar.logLevel .Values.sidecar.datasources.logLevel }} + - name: LOG_LEVEL + value: {{ default .Values.sidecar.logLevel .Values.sidecar.datasources.logLevel }} + {{- end }} + - name: FOLDER + value: "/etc/grafana/provisioning/datasources" + - name: RESOURCE + value: {{ quote .Values.sidecar.datasources.resource }} + {{- with .Values.sidecar.enableUniqueFilenames }} + - name: UNIQUE_FILENAMES + value: "{{ . }}" + {{- end }} + {{- if .Values.sidecar.datasources.searchNamespace }} + - name: NAMESPACE + value: "{{ tpl (.Values.sidecar.datasources.searchNamespace | join ",") . }}" + {{- end }} + {{- with .Values.sidecar.skipTlsVerify }} + - name: SKIP_TLS_VERIFY + value: "{{ . }}" + {{- end }} + {{- with .Values.sidecar.resources }} + resources: + {{- toYaml . | nindent 6 }} + {{- end }} + {{- with .Values.sidecar.securityContext }} + securityContext: + {{- toYaml . | nindent 6 }} + {{- end }} + volumeMounts: + - name: sc-datasources-volume + mountPath: "/etc/grafana/provisioning/datasources" +{{- end }} +{{- if and .Values.sidecar.notifiers.enabled .Values.sidecar.notifiers.initNotifiers }} + - name: {{ include "grafana.name" . }}-init-sc-notifiers + {{- $registry := .Values.global.imageRegistry | default .Values.sidecar.image.registry -}} + {{- if .Values.sidecar.image.sha }} + image: "{{ $registry }}/{{ .Values.sidecar.image.repository }}:{{ .Values.sidecar.image.tag }}@sha256:{{ .Values.sidecar.image.sha }}" + {{- else }} + image: "{{ $registry }}/{{ .Values.sidecar.image.repository }}:{{ .Values.sidecar.image.tag }}" + {{- end }} + imagePullPolicy: {{ .Values.sidecar.imagePullPolicy }} + env: + {{- range $key, $value := .Values.sidecar.notifiers.env }} + - name: "{{ $key }}" + value: "{{ $value }}" + {{- end }} + {{- if .Values.sidecar.notifiers.ignoreAlreadyProcessed }} + - name: IGNORE_ALREADY_PROCESSED + value: "true" + {{- end }} + - name: METHOD + value: LIST + - name: LABEL + value: "{{ .Values.sidecar.notifiers.label }}" + {{- with .Values.sidecar.notifiers.labelValue }} + - name: LABEL_VALUE + value: {{ quote . }} + {{- end }} + {{- if or .Values.sidecar.logLevel .Values.sidecar.notifiers.logLevel }} + - name: LOG_LEVEL + value: {{ default .Values.sidecar.logLevel .Values.sidecar.notifiers.logLevel }} + {{- end }} + - name: FOLDER + value: "/etc/grafana/provisioning/notifiers" + - name: RESOURCE + value: {{ quote .Values.sidecar.notifiers.resource }} + {{- with .Values.sidecar.enableUniqueFilenames }} + - name: UNIQUE_FILENAMES + value: "{{ . }}" + {{- end }} + {{- with .Values.sidecar.notifiers.searchNamespace }} + - name: NAMESPACE + value: "{{ tpl (. | join ",") $root }}" + {{- end }} + {{- with .Values.sidecar.skipTlsVerify }} + - name: SKIP_TLS_VERIFY + value: "{{ . }}" + {{- end }} + {{- with .Values.sidecar.livenessProbe }} + livenessProbe: + {{- toYaml . | nindent 6 }} + {{- end }} + {{- with .Values.sidecar.readinessProbe }} + readinessProbe: + {{- toYaml . | nindent 6 }} + {{- end }} + {{- with .Values.sidecar.resources }} + resources: + {{- toYaml . | nindent 6 }} + {{- end }} + {{- with .Values.sidecar.securityContext }} + securityContext: + {{- toYaml . | nindent 6 }} + {{- end }} + volumeMounts: + - name: sc-notifiers-volume + mountPath: "/etc/grafana/provisioning/notifiers" +{{- end}} +{{- with .Values.extraInitContainers }} + {{- tpl (toYaml .) $root | nindent 2 }} +{{- end }} +{{- if or .Values.image.pullSecrets .Values.global.imagePullSecrets }} +imagePullSecrets: + {{- include "grafana.imagePullSecrets" (dict "root" $root "imagePullSecrets" .Values.image.pullSecrets) | nindent 2 }} +{{- end }} +{{- if not .Values.enableKubeBackwardCompatibility }} +enableServiceLinks: {{ .Values.enableServiceLinks }} +{{- end }} +containers: +{{- if and .Values.sidecar.alerts.enabled (not .Values.sidecar.alerts.initAlerts) }} + - name: {{ include "grafana.name" . }}-sc-alerts + {{- $registry := .Values.global.imageRegistry | default .Values.sidecar.image.registry -}} + {{- if .Values.sidecar.image.sha }} + image: "{{ $registry }}/{{ .Values.sidecar.image.repository }}:{{ .Values.sidecar.image.tag }}@sha256:{{ .Values.sidecar.image.sha }}" + {{- else }} + image: "{{ $registry }}/{{ .Values.sidecar.image.repository }}:{{ .Values.sidecar.image.tag }}" + {{- end }} + imagePullPolicy: {{ .Values.sidecar.imagePullPolicy }} + env: + {{- range $key, $value := .Values.sidecar.alerts.env }} + - name: "{{ $key }}" + value: "{{ $value }}" + {{- end }} + {{- if .Values.sidecar.alerts.ignoreAlreadyProcessed }} + - name: IGNORE_ALREADY_PROCESSED + value: "true" + {{- end }} + - name: METHOD + value: {{ .Values.sidecar.alerts.watchMethod }} + - name: LABEL + value: "{{ .Values.sidecar.alerts.label }}" + {{- with .Values.sidecar.alerts.labelValue }} + - name: LABEL_VALUE + value: {{ quote . }} + {{- end }} + {{- if or .Values.sidecar.logLevel .Values.sidecar.alerts.logLevel }} + - name: LOG_LEVEL + value: {{ default .Values.sidecar.logLevel .Values.sidecar.alerts.logLevel }} + {{- end }} + - name: FOLDER + value: "/etc/grafana/provisioning/alerting" + - name: RESOURCE + value: {{ quote .Values.sidecar.alerts.resource }} + {{- with .Values.sidecar.enableUniqueFilenames }} + - name: UNIQUE_FILENAMES + value: "{{ . }}" + {{- end }} + {{- with .Values.sidecar.alerts.searchNamespace }} + - name: NAMESPACE + value: {{ . | join "," | quote }} + {{- end }} + {{- with .Values.sidecar.alerts.skipTlsVerify }} + - name: SKIP_TLS_VERIFY + value: {{ quote . }} + {{- end }} + {{- with .Values.sidecar.alerts.script }} + - name: SCRIPT + value: {{ quote . }} + {{- end }} + {{- if and (not .Values.env.GF_SECURITY_ADMIN_USER) (not .Values.env.GF_SECURITY_DISABLE_INITIAL_ADMIN_CREATION) }} + - name: REQ_USERNAME + valueFrom: + secretKeyRef: + name: {{ (tpl .Values.admin.existingSecret .) | default (include "grafana.fullname" .) }} + key: {{ .Values.admin.userKey | default "admin-user" }} + {{- end }} + {{- if and (not .Values.env.GF_SECURITY_ADMIN_PASSWORD) (not .Values.env.GF_SECURITY_ADMIN_PASSWORD__FILE) (not .Values.env.GF_SECURITY_DISABLE_INITIAL_ADMIN_CREATION) }} + - name: REQ_PASSWORD + valueFrom: + secretKeyRef: + name: {{ (tpl .Values.admin.existingSecret .) | default (include "grafana.fullname" .) }} + key: {{ .Values.admin.passwordKey | default "admin-password" }} + {{- end }} + {{- if not .Values.sidecar.alerts.skipReload }} + - name: REQ_URL + value: {{ .Values.sidecar.alerts.reloadURL }} + - name: REQ_METHOD + value: POST + {{- end }} + {{- if .Values.sidecar.alerts.watchServerTimeout }} + {{- if ne .Values.sidecar.alerts.watchMethod "WATCH" }} + {{- fail (printf "Cannot use .Values.sidecar.alerts.watchServerTimeout with .Values.sidecar.alerts.watchMethod %s" .Values.sidecar.alerts.watchMethod) }} + {{- end }} + - name: WATCH_SERVER_TIMEOUT + value: "{{ .Values.sidecar.alerts.watchServerTimeout }}" + {{- end }} + {{- if .Values.sidecar.alerts.watchClientTimeout }} + {{- if ne .Values.sidecar.alerts.watchMethod "WATCH" }} + {{- fail (printf "Cannot use .Values.sidecar.alerts.watchClientTimeout with .Values.sidecar.alerts.watchMethod %s" .Values.sidecar.alerts.watchMethod) }} + {{- end }} + - name: WATCH_CLIENT_TIMEOUT + value: "{{ .Values.sidecar.alerts.watchClientTimeout }}" + {{- end }} + {{- with .Values.sidecar.livenessProbe }} + livenessProbe: + {{- toYaml . | nindent 6 }} + {{- end }} + {{- with .Values.sidecar.readinessProbe }} + readinessProbe: + {{- toYaml . | nindent 6 }} + {{- end }} + {{- with .Values.sidecar.resources }} + resources: + {{- toYaml . | nindent 6 }} + {{- end }} + {{- with .Values.sidecar.securityContext }} + securityContext: + {{- toYaml . | nindent 6 }} + {{- end }} + volumeMounts: + - name: sc-alerts-volume + mountPath: "/etc/grafana/provisioning/alerting" + {{- with .Values.sidecar.alerts.extraMounts }} + {{- toYaml . | trim | nindent 6 }} + {{- end }} +{{- end}} +{{- if .Values.sidecar.dashboards.enabled }} + - name: {{ include "grafana.name" . }}-sc-dashboard + {{- $registry := .Values.global.imageRegistry | default .Values.sidecar.image.registry -}} + {{- if .Values.sidecar.image.sha }} + image: "{{ $registry }}/{{ .Values.sidecar.image.repository }}:{{ .Values.sidecar.image.tag }}@sha256:{{ .Values.sidecar.image.sha }}" + {{- else }} + image: "{{ $registry }}/{{ .Values.sidecar.image.repository }}:{{ .Values.sidecar.image.tag }}" + {{- end }} + imagePullPolicy: {{ .Values.sidecar.imagePullPolicy }} + env: + {{- range $key, $value := .Values.sidecar.dashboards.env }} + - name: "{{ $key }}" + value: "{{ $value }}" + {{- end }} + {{- range $key, $value := .Values.sidecar.dashboards.envValueFrom }} + - name: {{ $key | quote }} + valueFrom: + {{- tpl (toYaml $value) $ | nindent 10 }} + {{- end }} + {{- if .Values.sidecar.dashboards.ignoreAlreadyProcessed }} + - name: IGNORE_ALREADY_PROCESSED + value: "true" + {{- end }} + - name: METHOD + value: {{ .Values.sidecar.dashboards.watchMethod }} + - name: LABEL + value: "{{ .Values.sidecar.dashboards.label }}" + {{- with .Values.sidecar.dashboards.labelValue }} + - name: LABEL_VALUE + value: {{ quote . }} + {{- end }} + {{- if or .Values.sidecar.logLevel .Values.sidecar.dashboards.logLevel }} + - name: LOG_LEVEL + value: {{ default .Values.sidecar.logLevel .Values.sidecar.dashboards.logLevel }} + {{- end }} + - name: FOLDER + value: "{{ .Values.sidecar.dashboards.folder }}{{- with .Values.sidecar.dashboards.defaultFolderName }}/{{ . }}{{- end }}" + - name: RESOURCE + value: {{ quote .Values.sidecar.dashboards.resource }} + {{- with .Values.sidecar.enableUniqueFilenames }} + - name: UNIQUE_FILENAMES + value: "{{ . }}" + {{- end }} + {{- with .Values.sidecar.dashboards.searchNamespace }} + - name: NAMESPACE + value: "{{ tpl (. | join ",") $root }}" + {{- end }} + {{- with .Values.sidecar.skipTlsVerify }} + - name: SKIP_TLS_VERIFY + value: "{{ . }}" + {{- end }} + {{- with .Values.sidecar.dashboards.folderAnnotation }} + - name: FOLDER_ANNOTATION + value: "{{ . }}" + {{- end }} + {{- with .Values.sidecar.dashboards.script }} + - name: SCRIPT + value: "{{ . }}" + {{- end }} + {{- if not .Values.sidecar.dashboards.skipReload }} + {{- if and (not .Values.env.GF_SECURITY_ADMIN_USER) (not .Values.env.GF_SECURITY_DISABLE_INITIAL_ADMIN_CREATION) }} + - name: REQ_USERNAME + valueFrom: + secretKeyRef: + name: {{ (tpl .Values.admin.existingSecret .) | default (include "grafana.fullname" .) }} + key: {{ .Values.admin.userKey | default "admin-user" }} + {{- end }} + {{- if and (not .Values.env.GF_SECURITY_ADMIN_PASSWORD) (not .Values.env.GF_SECURITY_ADMIN_PASSWORD__FILE) (not .Values.env.GF_SECURITY_DISABLE_INITIAL_ADMIN_CREATION) }} + - name: REQ_PASSWORD + valueFrom: + secretKeyRef: + name: {{ (tpl .Values.admin.existingSecret .) | default (include "grafana.fullname" .) }} + key: {{ .Values.admin.passwordKey | default "admin-password" }} + {{- end }} + - name: REQ_URL + value: {{ .Values.sidecar.dashboards.reloadURL }} + - name: REQ_METHOD + value: POST + {{- end }} + {{- if .Values.sidecar.dashboards.watchServerTimeout }} + {{- if ne .Values.sidecar.dashboards.watchMethod "WATCH" }} + {{- fail (printf "Cannot use .Values.sidecar.dashboards.watchServerTimeout with .Values.sidecar.dashboards.watchMethod %s" .Values.sidecar.dashboards.watchMethod) }} + {{- end }} + - name: WATCH_SERVER_TIMEOUT + value: "{{ .Values.sidecar.dashboards.watchServerTimeout }}" + {{- end }} + {{- if .Values.sidecar.dashboards.watchClientTimeout }} + {{- if ne .Values.sidecar.dashboards.watchMethod "WATCH" }} + {{- fail (printf "Cannot use .Values.sidecar.dashboards.watchClientTimeout with .Values.sidecar.dashboards.watchMethod %s" .Values.sidecar.dashboards.watchMethod) }} + {{- end }} + - name: WATCH_CLIENT_TIMEOUT + value: {{ .Values.sidecar.dashboards.watchClientTimeout | quote }} + {{- end }} + {{- with .Values.sidecar.livenessProbe }} + livenessProbe: + {{- toYaml . | nindent 6 }} + {{- end }} + {{- with .Values.sidecar.readinessProbe }} + readinessProbe: + {{- toYaml . | nindent 6 }} + {{- end }} + {{- with .Values.sidecar.resources }} + resources: + {{- toYaml . | nindent 6 }} + {{- end }} + {{- with .Values.sidecar.securityContext }} + securityContext: + {{- toYaml . | nindent 6 }} + {{- end }} + volumeMounts: + - name: sc-dashboard-volume + mountPath: {{ .Values.sidecar.dashboards.folder | quote }} + {{- with .Values.sidecar.dashboards.extraMounts }} + {{- toYaml . | trim | nindent 6 }} + {{- end }} +{{- end}} +{{- if and .Values.sidecar.datasources.enabled (not .Values.sidecar.datasources.initDatasources) }} + - name: {{ include "grafana.name" . }}-sc-datasources + {{- $registry := .Values.global.imageRegistry | default .Values.sidecar.image.registry -}} + {{- if .Values.sidecar.image.sha }} + image: "{{ $registry }}/{{ .Values.sidecar.image.repository }}:{{ .Values.sidecar.image.tag }}@sha256:{{ .Values.sidecar.image.sha }}" + {{- else }} + image: "{{ $registry }}/{{ .Values.sidecar.image.repository }}:{{ .Values.sidecar.image.tag }}" + {{- end }} + imagePullPolicy: {{ .Values.sidecar.imagePullPolicy }} + env: + {{- range $key, $value := .Values.sidecar.datasources.env }} + - name: "{{ $key }}" + value: "{{ $value }}" + {{- end }} + {{- range $key, $value := .Values.sidecar.datasources.envValueFrom }} + - name: {{ $key | quote }} + valueFrom: + {{- tpl (toYaml $value) $ | nindent 10 }} + {{- end }} + {{- if .Values.sidecar.datasources.ignoreAlreadyProcessed }} + - name: IGNORE_ALREADY_PROCESSED + value: "true" + {{- end }} + - name: METHOD + value: {{ .Values.sidecar.datasources.watchMethod }} + - name: LABEL + value: "{{ .Values.sidecar.datasources.label }}" + {{- with .Values.sidecar.datasources.labelValue }} + - name: LABEL_VALUE + value: {{ quote . }} + {{- end }} + {{- if or .Values.sidecar.logLevel .Values.sidecar.datasources.logLevel }} + - name: LOG_LEVEL + value: {{ default .Values.sidecar.logLevel .Values.sidecar.datasources.logLevel }} + {{- end }} + - name: FOLDER + value: "/etc/grafana/provisioning/datasources" + - name: RESOURCE + value: {{ quote .Values.sidecar.datasources.resource }} + {{- with .Values.sidecar.enableUniqueFilenames }} + - name: UNIQUE_FILENAMES + value: "{{ . }}" + {{- end }} + {{- with .Values.sidecar.datasources.searchNamespace }} + - name: NAMESPACE + value: "{{ tpl (. | join ",") $root }}" + {{- end }} + {{- if .Values.sidecar.skipTlsVerify }} + - name: SKIP_TLS_VERIFY + value: "{{ .Values.sidecar.skipTlsVerify }}" + {{- end }} + {{- if .Values.sidecar.datasources.script }} + - name: SCRIPT + value: "{{ .Values.sidecar.datasources.script }}" + {{- end }} + {{- if and (not .Values.env.GF_SECURITY_ADMIN_USER) (not .Values.env.GF_SECURITY_DISABLE_INITIAL_ADMIN_CREATION) }} + - name: REQ_USERNAME + valueFrom: + secretKeyRef: + name: {{ (tpl .Values.admin.existingSecret .) | default (include "grafana.fullname" .) }} + key: {{ .Values.admin.userKey | default "admin-user" }} + {{- end }} + {{- if and (not .Values.env.GF_SECURITY_ADMIN_PASSWORD) (not .Values.env.GF_SECURITY_ADMIN_PASSWORD__FILE) (not .Values.env.GF_SECURITY_DISABLE_INITIAL_ADMIN_CREATION) }} + - name: REQ_PASSWORD + valueFrom: + secretKeyRef: + name: {{ (tpl .Values.admin.existingSecret .) | default (include "grafana.fullname" .) }} + key: {{ .Values.admin.passwordKey | default "admin-password" }} + {{- end }} + {{- if not .Values.sidecar.datasources.skipReload }} + - name: REQ_URL + value: {{ .Values.sidecar.datasources.reloadURL }} + - name: REQ_METHOD + value: POST + {{- end }} + {{- if .Values.sidecar.datasources.watchServerTimeout }} + {{- if ne .Values.sidecar.datasources.watchMethod "WATCH" }} + {{- fail (printf "Cannot use .Values.sidecar.datasources.watchServerTimeout with .Values.sidecar.datasources.watchMethod %s" .Values.sidecar.datasources.watchMethod) }} + {{- end }} + - name: WATCH_SERVER_TIMEOUT + value: "{{ .Values.sidecar.datasources.watchServerTimeout }}" + {{- end }} + {{- if .Values.sidecar.datasources.watchClientTimeout }} + {{- if ne .Values.sidecar.datasources.watchMethod "WATCH" }} + {{- fail (printf "Cannot use .Values.sidecar.datasources.watchClientTimeout with .Values.sidecar.datasources.watchMethod %s" .Values.sidecar.datasources.watchMethod) }} + {{- end }} + - name: WATCH_CLIENT_TIMEOUT + value: "{{ .Values.sidecar.datasources.watchClientTimeout }}" + {{- end }} + {{- with .Values.sidecar.livenessProbe }} + livenessProbe: + {{- toYaml . | nindent 6 }} + {{- end }} + {{- with .Values.sidecar.readinessProbe }} + readinessProbe: + {{- toYaml . | nindent 6 }} + {{- end }} + {{- with .Values.sidecar.resources }} + resources: + {{- toYaml . | nindent 6 }} + {{- end }} + {{- with .Values.sidecar.securityContext }} + securityContext: + {{- toYaml . | nindent 6 }} + {{- end }} + volumeMounts: + - name: sc-datasources-volume + mountPath: "/etc/grafana/provisioning/datasources" + {{- with .Values.sidecar.datasources.extraMounts }} + {{- toYaml . | trim | nindent 6 }} + {{- end }} +{{- end}} +{{- if .Values.sidecar.notifiers.enabled }} + - name: {{ include "grafana.name" . }}-sc-notifiers + {{- $registry := .Values.global.imageRegistry | default .Values.sidecar.image.registry -}} + {{- if .Values.sidecar.image.sha }} + image: "{{ $registry }}/{{ .Values.sidecar.image.repository }}:{{ .Values.sidecar.image.tag }}@sha256:{{ .Values.sidecar.image.sha }}" + {{- else }} + image: "{{ $registry }}/{{ .Values.sidecar.image.repository }}:{{ .Values.sidecar.image.tag }}" + {{- end }} + imagePullPolicy: {{ .Values.sidecar.imagePullPolicy }} + env: + {{- range $key, $value := .Values.sidecar.notifiers.env }} + - name: "{{ $key }}" + value: "{{ $value }}" + {{- end }} + {{- if .Values.sidecar.notifiers.ignoreAlreadyProcessed }} + - name: IGNORE_ALREADY_PROCESSED + value: "true" + {{- end }} + - name: METHOD + value: {{ .Values.sidecar.notifiers.watchMethod }} + - name: LABEL + value: "{{ .Values.sidecar.notifiers.label }}" + {{- with .Values.sidecar.notifiers.labelValue }} + - name: LABEL_VALUE + value: {{ quote . }} + {{- end }} + {{- if or .Values.sidecar.logLevel .Values.sidecar.notifiers.logLevel }} + - name: LOG_LEVEL + value: {{ default .Values.sidecar.logLevel .Values.sidecar.notifiers.logLevel }} + {{- end }} + - name: FOLDER + value: "/etc/grafana/provisioning/notifiers" + - name: RESOURCE + value: {{ quote .Values.sidecar.notifiers.resource }} + {{- if .Values.sidecar.enableUniqueFilenames }} + - name: UNIQUE_FILENAMES + value: "{{ .Values.sidecar.enableUniqueFilenames }}" + {{- end }} + {{- with .Values.sidecar.notifiers.searchNamespace }} + - name: NAMESPACE + value: "{{ tpl (. | join ",") $root }}" + {{- end }} + {{- with .Values.sidecar.skipTlsVerify }} + - name: SKIP_TLS_VERIFY + value: "{{ . }}" + {{- end }} + {{- if .Values.sidecar.notifiers.script }} + - name: SCRIPT + value: "{{ .Values.sidecar.notifiers.script }}" + {{- end }} + {{- if and (not .Values.env.GF_SECURITY_ADMIN_USER) (not .Values.env.GF_SECURITY_DISABLE_INITIAL_ADMIN_CREATION) }} + - name: REQ_USERNAME + valueFrom: + secretKeyRef: + name: {{ (tpl .Values.admin.existingSecret .) | default (include "grafana.fullname" .) }} + key: {{ .Values.admin.userKey | default "admin-user" }} + {{- end }} + {{- if and (not .Values.env.GF_SECURITY_ADMIN_PASSWORD) (not .Values.env.GF_SECURITY_ADMIN_PASSWORD__FILE) (not .Values.env.GF_SECURITY_DISABLE_INITIAL_ADMIN_CREATION) }} + - name: REQ_PASSWORD + valueFrom: + secretKeyRef: + name: {{ (tpl .Values.admin.existingSecret .) | default (include "grafana.fullname" .) }} + key: {{ .Values.admin.passwordKey | default "admin-password" }} + {{- end }} + {{- if not .Values.sidecar.notifiers.skipReload }} + - name: REQ_URL + value: {{ .Values.sidecar.notifiers.reloadURL }} + - name: REQ_METHOD + value: POST + {{- end }} + {{- if .Values.sidecar.notifiers.watchServerTimeout }} + {{- if ne .Values.sidecar.notifiers.watchMethod "WATCH" }} + {{- fail (printf "Cannot use .Values.sidecar.notifiers.watchServerTimeout with .Values.sidecar.notifiers.watchMethod %s" .Values.sidecar.notifiers.watchMethod) }} + {{- end }} + - name: WATCH_SERVER_TIMEOUT + value: "{{ .Values.sidecar.notifiers.watchServerTimeout }}" + {{- end }} + {{- if .Values.sidecar.notifiers.watchClientTimeout }} + {{- if ne .Values.sidecar.notifiers.watchMethod "WATCH" }} + {{- fail (printf "Cannot use .Values.sidecar.notifiers.watchClientTimeout with .Values.sidecar.notifiers.watchMethod %s" .Values.sidecar.notifiers.watchMethod) }} + {{- end }} + - name: WATCH_CLIENT_TIMEOUT + value: "{{ .Values.sidecar.notifiers.watchClientTimeout }}" + {{- end }} + {{- with .Values.sidecar.livenessProbe }} + livenessProbe: + {{- toYaml . | nindent 6 }} + {{- end }} + {{- with .Values.sidecar.readinessProbe }} + readinessProbe: + {{- toYaml . | nindent 6 }} + {{- end }} + {{- with .Values.sidecar.resources }} + resources: + {{- toYaml . | nindent 6 }} + {{- end }} + {{- with .Values.sidecar.securityContext }} + securityContext: + {{- toYaml . | nindent 6 }} + {{- end }} + volumeMounts: + - name: sc-notifiers-volume + mountPath: "/etc/grafana/provisioning/notifiers" + {{- with .Values.sidecar.notifiers.extraMounts }} + {{- toYaml . | trim | nindent 6 }} + {{- end }} +{{- end}} +{{- if .Values.sidecar.plugins.enabled }} + - name: {{ include "grafana.name" . }}-sc-plugins + {{- $registry := .Values.global.imageRegistry | default .Values.sidecar.image.registry -}} + {{- if .Values.sidecar.image.sha }} + image: "{{ $registry }}/{{ .Values.sidecar.image.repository }}:{{ .Values.sidecar.image.tag }}@sha256:{{ .Values.sidecar.image.sha }}" + {{- else }} + image: "{{ $registry }}/{{ .Values.sidecar.image.repository }}:{{ .Values.sidecar.image.tag }}" + {{- end }} + imagePullPolicy: {{ .Values.sidecar.imagePullPolicy }} + env: + {{- range $key, $value := .Values.sidecar.plugins.env }} + - name: "{{ $key }}" + value: "{{ $value }}" + {{- end }} + {{- if .Values.sidecar.plugins.ignoreAlreadyProcessed }} + - name: IGNORE_ALREADY_PROCESSED + value: "true" + {{- end }} + - name: METHOD + value: {{ .Values.sidecar.plugins.watchMethod }} + - name: LABEL + value: "{{ .Values.sidecar.plugins.label }}" + {{- if .Values.sidecar.plugins.labelValue }} + - name: LABEL_VALUE + value: {{ quote .Values.sidecar.plugins.labelValue }} + {{- end }} + {{- if or .Values.sidecar.logLevel .Values.sidecar.plugins.logLevel }} + - name: LOG_LEVEL + value: {{ default .Values.sidecar.logLevel .Values.sidecar.plugins.logLevel }} + {{- end }} + - name: FOLDER + value: "/etc/grafana/provisioning/plugins" + - name: RESOURCE + value: {{ quote .Values.sidecar.plugins.resource }} + {{- with .Values.sidecar.enableUniqueFilenames }} + - name: UNIQUE_FILENAMES + value: "{{ . }}" + {{- end }} + {{- with .Values.sidecar.plugins.searchNamespace }} + - name: NAMESPACE + value: "{{ tpl (. | join ",") $root }}" + {{- end }} + {{- with .Values.sidecar.plugins.script }} + - name: SCRIPT + value: "{{ . }}" + {{- end }} + {{- with .Values.sidecar.skipTlsVerify }} + - name: SKIP_TLS_VERIFY + value: "{{ . }}" + {{- end }} + {{- if and (not .Values.env.GF_SECURITY_ADMIN_USER) (not .Values.env.GF_SECURITY_DISABLE_INITIAL_ADMIN_CREATION) }} + - name: REQ_USERNAME + valueFrom: + secretKeyRef: + name: {{ (tpl .Values.admin.existingSecret .) | default (include "grafana.fullname" .) }} + key: {{ .Values.admin.userKey | default "admin-user" }} + {{- end }} + {{- if and (not .Values.env.GF_SECURITY_ADMIN_PASSWORD) (not .Values.env.GF_SECURITY_ADMIN_PASSWORD__FILE) (not .Values.env.GF_SECURITY_DISABLE_INITIAL_ADMIN_CREATION) }} + - name: REQ_PASSWORD + valueFrom: + secretKeyRef: + name: {{ (tpl .Values.admin.existingSecret .) | default (include "grafana.fullname" .) }} + key: {{ .Values.admin.passwordKey | default "admin-password" }} + {{- end }} + {{- if not .Values.sidecar.plugins.skipReload }} + - name: REQ_URL + value: {{ .Values.sidecar.plugins.reloadURL }} + - name: REQ_METHOD + value: POST + {{- end }} + {{- if .Values.sidecar.plugins.watchServerTimeout }} + {{- if ne .Values.sidecar.plugins.watchMethod "WATCH" }} + {{- fail (printf "Cannot use .Values.sidecar.plugins.watchServerTimeout with .Values.sidecar.plugins.watchMethod %s" .Values.sidecar.plugins.watchMethod) }} + {{- end }} + - name: WATCH_SERVER_TIMEOUT + value: "{{ .Values.sidecar.plugins.watchServerTimeout }}" + {{- end }} + {{- if .Values.sidecar.plugins.watchClientTimeout }} + {{- if ne .Values.sidecar.plugins.watchMethod "WATCH" }} + {{- fail (printf "Cannot use .Values.sidecar.plugins.watchClientTimeout with .Values.sidecar.plugins.watchMethod %s" .Values.sidecar.plugins.watchMethod) }} + {{- end }} + - name: WATCH_CLIENT_TIMEOUT + value: "{{ .Values.sidecar.plugins.watchClientTimeout }}" + {{- end }} + {{- with .Values.sidecar.livenessProbe }} + livenessProbe: + {{- toYaml . | nindent 6 }} + {{- end }} + {{- with .Values.sidecar.readinessProbe }} + readinessProbe: + {{- toYaml . | nindent 6 }} + {{- end }} + {{- with .Values.sidecar.resources }} + resources: + {{- toYaml . | nindent 6 }} + {{- end }} + {{- with .Values.sidecar.securityContext }} + securityContext: + {{- toYaml . | nindent 6 }} + {{- end }} + volumeMounts: + - name: sc-plugins-volume + mountPath: "/etc/grafana/provisioning/plugins" + {{- with .Values.sidecar.plugins.extraMounts }} + {{- toYaml . | trim | nindent 6 }} + {{- end }} +{{- end}} + - name: {{ .Chart.Name }} + {{- $registry := .Values.global.imageRegistry | default .Values.image.registry -}} + {{- if .Values.image.sha }} + image: "{{ $registry }}/{{ .Values.image.repository }}{{ if .Values.image.tag }}:{{ .Values.image.tag | default .Chart.AppVersion }}{{ end }}@sha256:{{ .Values.image.sha }}" + {{- else }} + image: "{{ $registry }}/{{ .Values.image.repository }}{{ if .Values.image.tag }}:{{ .Values.image.tag | default .Chart.AppVersion }}{{ end }}" + {{- end }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + {{- if .Values.command }} + command: + {{- range .Values.command }} + - {{ . | quote }} + {{- end }} + {{- end }} + {{- if .Values.args }} + args: + {{- range .Values.args }} + - {{ . | quote }} + {{- end }} + {{- end }} + {{- with .Values.containerSecurityContext }} + securityContext: + {{- toYaml . | nindent 6 }} + {{- end }} + volumeMounts: + - name: config + mountPath: "/etc/grafana/grafana.ini" + subPath: grafana.ini + {{- if .Values.ldap.enabled }} + - name: ldap + mountPath: "/etc/grafana/ldap.toml" + subPath: ldap.toml + {{- end }} + {{- range .Values.extraConfigmapMounts }} + - name: {{ tpl .name $root }} + mountPath: {{ tpl .mountPath $root }} + subPath: {{ tpl (.subPath | default "") $root }} + readOnly: {{ .readOnly }} + {{- end }} + - name: storage + mountPath: "/var/lib/grafana" + {{- with .Values.persistence.subPath }} + subPath: {{ tpl . $root }} + {{- end }} + {{- with .Values.dashboards }} + {{- range $provider, $dashboards := . }} + {{- range $key, $value := $dashboards }} + {{- if (or (hasKey $value "json") (hasKey $value "file")) }} + - name: dashboards-{{ $provider }} + mountPath: "/var/lib/grafana/dashboards/{{ $provider }}/{{ $key }}.json" + subPath: "{{ $key }}.json" + {{- end }} + {{- end }} + {{- end }} + {{- end }} + {{- with .Values.dashboardsConfigMaps }} + {{- range (keys . | sortAlpha) }} + - name: dashboards-{{ . }} + mountPath: "/var/lib/grafana/dashboards/{{ . }}" + {{- end }} + {{- end }} + {{- with .Values.datasources }} + {{- $datasources := . }} + {{- range (keys . | sortAlpha) }} + {{- if (or (hasKey (index $datasources .) "secret")) }} {{/*check if current datasource should be handeled as secret */}} + - name: config-secret + mountPath: "/etc/grafana/provisioning/datasources/{{ . }}" + subPath: {{ . | quote }} + {{- else }} + - name: config + mountPath: "/etc/grafana/provisioning/datasources/{{ . }}" + subPath: {{ . | quote }} + {{- end }} + {{- end }} + {{- end }} + {{- with .Values.notifiers }} + {{- $notifiers := . }} + {{- range (keys . | sortAlpha) }} + {{- if (or (hasKey (index $notifiers .) "secret")) }} {{/*check if current notifier should be handeled as secret */}} + - name: config-secret + mountPath: "/etc/grafana/provisioning/notifiers/{{ . }}" + subPath: {{ . | quote }} + {{- else }} + - name: config + mountPath: "/etc/grafana/provisioning/notifiers/{{ . }}" + subPath: {{ . | quote }} + {{- end }} + {{- end }} + {{- end }} + {{- with .Values.alerting }} + {{- $alertingmap := .}} + {{- range (keys . | sortAlpha) }} + {{- if (or (hasKey (index $.Values.alerting .) "secret") (hasKey (index $.Values.alerting .) "secretFile")) }} {{/*check if current alerting entry should be handeled as secret */}} + - name: config-secret + mountPath: "/etc/grafana/provisioning/alerting/{{ . }}" + subPath: {{ . | quote }} + {{- else }} + - name: config + mountPath: "/etc/grafana/provisioning/alerting/{{ . }}" + subPath: {{ . | quote }} + {{- end }} + {{- end }} + {{- end }} + {{- with .Values.dashboardProviders }} + {{- range (keys . | sortAlpha) }} + - name: config + mountPath: "/etc/grafana/provisioning/dashboards/{{ . }}" + subPath: {{ . | quote }} + {{- end }} + {{- end }} + {{- with .Values.sidecar.alerts.enabled }} + - name: sc-alerts-volume + mountPath: "/etc/grafana/provisioning/alerting" + {{- end}} + {{- if .Values.sidecar.dashboards.enabled }} + - name: sc-dashboard-volume + mountPath: {{ .Values.sidecar.dashboards.folder | quote }} + {{- if .Values.sidecar.dashboards.SCProvider }} + - name: sc-dashboard-provider + mountPath: "/etc/grafana/provisioning/dashboards/sc-dashboardproviders.yaml" + subPath: provider.yaml + {{- end}} + {{- end}} + {{- if .Values.sidecar.datasources.enabled }} + - name: sc-datasources-volume + mountPath: "/etc/grafana/provisioning/datasources" + {{- end}} + {{- if .Values.sidecar.plugins.enabled }} + - name: sc-plugins-volume + mountPath: "/etc/grafana/provisioning/plugins" + {{- end}} + {{- if .Values.sidecar.notifiers.enabled }} + - name: sc-notifiers-volume + mountPath: "/etc/grafana/provisioning/notifiers" + {{- end}} + {{- range .Values.extraSecretMounts }} + - name: {{ .name }} + mountPath: {{ .mountPath }} + readOnly: {{ .readOnly }} + subPath: {{ .subPath | default "" }} + {{- end }} + {{- range .Values.extraVolumeMounts }} + - name: {{ .name }} + mountPath: {{ .mountPath }} + subPath: {{ .subPath | default "" }} + readOnly: {{ .readOnly }} + {{- end }} + {{- range .Values.extraEmptyDirMounts }} + - name: {{ .name }} + mountPath: {{ .mountPath }} + {{- end }} + ports: + - name: {{ .Values.podPortName }} + containerPort: {{ .Values.service.targetPort }} + protocol: TCP + - name: {{ .Values.gossipPortName }}-tcp + containerPort: 9094 + protocol: TCP + - name: {{ .Values.gossipPortName }}-udp + containerPort: 9094 + protocol: UDP + env: + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + {{- if and (not .Values.env.GF_SECURITY_ADMIN_USER) (not .Values.env.GF_SECURITY_DISABLE_INITIAL_ADMIN_CREATION) }} + - name: GF_SECURITY_ADMIN_USER + valueFrom: + secretKeyRef: + name: {{ (tpl .Values.admin.existingSecret .) | default (include "grafana.fullname" .) }} + key: {{ .Values.admin.userKey | default "admin-user" }} + {{- end }} + {{- if and (not .Values.env.GF_SECURITY_ADMIN_PASSWORD) (not .Values.env.GF_SECURITY_ADMIN_PASSWORD__FILE) (not .Values.env.GF_SECURITY_DISABLE_INITIAL_ADMIN_CREATION) }} + - name: GF_SECURITY_ADMIN_PASSWORD + valueFrom: + secretKeyRef: + name: {{ (tpl .Values.admin.existingSecret .) | default (include "grafana.fullname" .) }} + key: {{ .Values.admin.passwordKey | default "admin-password" }} + {{- end }} + {{- if .Values.plugins }} + - name: GF_INSTALL_PLUGINS + valueFrom: + configMapKeyRef: + name: {{ include "grafana.fullname" . }} + key: plugins + {{- end }} + {{- if .Values.smtp.existingSecret }} + - name: GF_SMTP_USER + valueFrom: + secretKeyRef: + name: {{ .Values.smtp.existingSecret }} + key: {{ .Values.smtp.userKey | default "user" }} + - name: GF_SMTP_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.smtp.existingSecret }} + key: {{ .Values.smtp.passwordKey | default "password" }} + {{- end }} + {{- if .Values.imageRenderer.enabled }} + - name: GF_RENDERING_SERVER_URL + {{- if .Values.imageRenderer.serverURL }} + value: {{ .Values.imageRenderer.serverURL | quote }} + {{- else }} + value: http://{{ include "grafana.fullname" . }}-image-renderer.{{ include "grafana.namespace" . }}:{{ .Values.imageRenderer.service.port }}/render + {{- end }} + - name: GF_RENDERING_CALLBACK_URL + {{- if .Values.imageRenderer.renderingCallbackURL }} + value: {{ .Values.imageRenderer.renderingCallbackURL | quote }} + {{- else }} + value: {{ .Values.imageRenderer.grafanaProtocol }}://{{ include "grafana.fullname" . }}.{{ include "grafana.namespace" . }}:{{ .Values.service.port }}/{{ .Values.imageRenderer.grafanaSubPath }} + {{- end }} + {{- end }} + - name: GF_PATHS_DATA + value: {{ (get .Values "grafana.ini").paths.data }} + - name: GF_PATHS_LOGS + value: {{ (get .Values "grafana.ini").paths.logs }} + - name: GF_PATHS_PLUGINS + value: {{ (get .Values "grafana.ini").paths.plugins }} + - name: GF_PATHS_PROVISIONING + value: {{ (get .Values "grafana.ini").paths.provisioning }} + {{- range $key, $value := .Values.envValueFrom }} + - name: {{ $key | quote }} + valueFrom: + {{- tpl (toYaml $value) $ | nindent 10 }} + {{- end }} + {{- range $key, $value := .Values.env }} + - name: "{{ tpl $key $ }}" + value: "{{ tpl (print $value) $ }}" + {{- end }} + {{- if or .Values.envFromSecret (or .Values.envRenderSecret .Values.envFromSecrets) .Values.envFromConfigMaps }} + envFrom: + {{- if .Values.envFromSecret }} + - secretRef: + name: {{ tpl .Values.envFromSecret . }} + {{- end }} + {{- if .Values.envRenderSecret }} + - secretRef: + name: {{ include "grafana.fullname" . }}-env + {{- end }} + {{- range .Values.envFromSecrets }} + - secretRef: + name: {{ tpl .name $ }} + optional: {{ .optional | default false }} + {{- if .prefix }} + prefix: {{ tpl .prefix $ }} + {{- end }} + {{- end }} + {{- range .Values.envFromConfigMaps }} + - configMapRef: + name: {{ tpl .name $ }} + optional: {{ .optional | default false }} + {{- if .prefix }} + prefix: {{ tpl .prefix $ }} + {{- end }} + {{- end }} + {{- end }} + {{- with .Values.livenessProbe }} + livenessProbe: + {{- toYaml . | nindent 6 }} + {{- end }} + {{- with .Values.readinessProbe }} + readinessProbe: + {{- toYaml . | nindent 6 }} + {{- end }} + {{- with .Values.lifecycleHooks }} + lifecycle: + {{- tpl (toYaml .) $root | nindent 6 }} + {{- end }} + {{- with .Values.resources }} + resources: + {{- toYaml . | nindent 6 }} + {{- end }} +{{- with .Values.extraContainers }} + {{- tpl . $ | nindent 2 }} +{{- end }} +{{- with .Values.nodeSelector }} +nodeSelector: + {{- toYaml . | nindent 2 }} +{{- end }} +{{- with .Values.affinity }} +affinity: + {{- tpl (toYaml .) $root | nindent 2 }} +{{- end }} +{{- with .Values.topologySpreadConstraints }} +topologySpreadConstraints: + {{- toYaml . | nindent 2 }} +{{- end }} +{{- with .Values.tolerations }} +tolerations: + {{- toYaml . | nindent 2 }} +{{- end }} +volumes: + - name: config + configMap: + name: {{ include "grafana.fullname" . }} + {{- $createConfigSecret := eq (include "grafana.shouldCreateConfigSecret" .) "true" -}} + {{- if and .Values.createConfigmap $createConfigSecret }} + - name: config-secret + secret: + secretName: {{ include "grafana.fullname" . }}-config-secret + {{- end }} + {{- range .Values.extraConfigmapMounts }} + - name: {{ tpl .name $root }} + configMap: + name: {{ tpl .configMap $root }} + {{- with .optional }} + optional: {{ . }} + {{- end }} + {{- with .items }} + items: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- end }} + {{- if .Values.dashboards }} + {{- range (keys .Values.dashboards | sortAlpha) }} + - name: dashboards-{{ . }} + configMap: + name: {{ include "grafana.fullname" $ }}-dashboards-{{ . }} + {{- end }} + {{- end }} + {{- if .Values.dashboardsConfigMaps }} + {{- range $provider, $name := .Values.dashboardsConfigMaps }} + - name: dashboards-{{ $provider }} + configMap: + name: {{ tpl $name $root }} + {{- end }} + {{- end }} + {{- if .Values.ldap.enabled }} + - name: ldap + secret: + {{- if .Values.ldap.existingSecret }} + secretName: {{ .Values.ldap.existingSecret }} + {{- else }} + secretName: {{ include "grafana.fullname" . }} + {{- end }} + items: + - key: ldap-toml + path: ldap.toml + {{- end }} + {{- if and .Values.persistence.enabled (eq .Values.persistence.type "pvc") }} + - name: storage + persistentVolumeClaim: + claimName: {{ tpl (.Values.persistence.existingClaim | default (include "grafana.fullname" .)) . }} + {{- else if and .Values.persistence.enabled (has .Values.persistence.type $sts) }} + {{/* nothing */}} + {{- else }} + - name: storage + {{- if .Values.persistence.inMemory.enabled }} + emptyDir: + medium: Memory + {{- with .Values.persistence.inMemory.sizeLimit }} + sizeLimit: {{ . }} + {{- end }} + {{- else }} + emptyDir: {} + {{- end }} + {{- end }} + {{- if .Values.sidecar.alerts.enabled }} + - name: sc-alerts-volume + emptyDir: + {{- with .Values.sidecar.alerts.sizeLimit }} + sizeLimit: {{ . }} + {{- else }} + {} + {{- end }} + {{- end }} + {{- if .Values.sidecar.dashboards.enabled }} + - name: sc-dashboard-volume + emptyDir: + {{- with .Values.sidecar.dashboards.sizeLimit }} + sizeLimit: {{ . }} + {{- else }} + {} + {{- end }} + {{- if .Values.sidecar.dashboards.SCProvider }} + - name: sc-dashboard-provider + configMap: + name: {{ include "grafana.fullname" . }}-config-dashboards + {{- end }} + {{- end }} + {{- if .Values.sidecar.datasources.enabled }} + - name: sc-datasources-volume + emptyDir: + {{- with .Values.sidecar.datasources.sizeLimit }} + sizeLimit: {{ . }} + {{- else }} + {} + {{- end }} + {{- end }} + {{- if .Values.sidecar.plugins.enabled }} + - name: sc-plugins-volume + emptyDir: + {{- with .Values.sidecar.plugins.sizeLimit }} + sizeLimit: {{ . }} + {{- else }} + {} + {{- end }} + {{- end }} + {{- if .Values.sidecar.notifiers.enabled }} + - name: sc-notifiers-volume + emptyDir: + {{- with .Values.sidecar.notifiers.sizeLimit }} + sizeLimit: {{ . }} + {{- else }} + {} + {{- end }} + {{- end }} + {{- range .Values.extraSecretMounts }} + {{- if .secretName }} + - name: {{ .name }} + secret: + secretName: {{ .secretName }} + defaultMode: {{ .defaultMode }} + {{- with .optional }} + optional: {{ . }} + {{- end }} + {{- with .items }} + items: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- else if .projected }} + - name: {{ .name }} + projected: + {{- toYaml .projected | nindent 6 }} + {{- else if .csi }} + - name: {{ .name }} + csi: + {{- toYaml .csi | nindent 6 }} + {{- end }} + {{- end }} + {{- range .Values.extraVolumes }} + - name: {{ .name }} + {{- if .existingClaim }} + persistentVolumeClaim: + claimName: {{ .existingClaim }} + {{- else if .hostPath }} + hostPath: + {{ toYaml .hostPath | nindent 6 }} + {{- else if .csi }} + csi: + {{- toYaml .csi | nindent 6 }} + {{- else if .configMap }} + configMap: + {{- toYaml .configMap | nindent 6 }} + {{- else if .emptyDir }} + emptyDir: + {{- toYaml .emptyDir | nindent 6 }} + {{- else }} + emptyDir: {} + {{- end }} + {{- end }} + {{- range .Values.extraEmptyDirMounts }} + - name: {{ .name }} + emptyDir: {} + {{- end }} + {{- with .Values.extraContainerVolumes }} + {{- tpl (toYaml .) $root | nindent 2 }} + {{- end }} +{{- end }} diff --git a/charts/kasten/k10/7.0.1401/charts/grafana/templates/clusterrole.yaml b/charts/kasten/k10/7.0.1401/charts/grafana/templates/clusterrole.yaml new file mode 100644 index 000000000..3af4b62b6 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/grafana/templates/clusterrole.yaml @@ -0,0 +1,25 @@ +{{- if and .Values.rbac.create (or (not .Values.rbac.namespaced) .Values.rbac.extraClusterRoleRules) (not .Values.rbac.useExistingClusterRole) }} +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + labels: + {{- include "grafana.labels" . | nindent 4 }} + {{- with .Values.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} + name: {{ include "grafana.fullname" . }}-clusterrole +{{- if or .Values.sidecar.dashboards.enabled .Values.rbac.extraClusterRoleRules .Values.sidecar.datasources.enabled .Values.sidecar.plugins.enabled .Values.sidecar.alerts.enabled }} +rules: + {{- if or .Values.sidecar.dashboards.enabled .Values.sidecar.datasources.enabled .Values.sidecar.plugins.enabled .Values.sidecar.alerts.enabled }} + - apiGroups: [""] # "" indicates the core API group + resources: ["configmaps", "secrets"] + verbs: ["get", "watch", "list"] + {{- end}} + {{- with .Values.rbac.extraClusterRoleRules }} + {{- toYaml . | nindent 2 }} + {{- end}} +{{- else }} +rules: [] +{{- end}} +{{- end}} diff --git a/charts/kasten/k10/7.0.1401/charts/grafana/templates/clusterrolebinding.yaml b/charts/kasten/k10/7.0.1401/charts/grafana/templates/clusterrolebinding.yaml new file mode 100644 index 000000000..bda9431a2 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/grafana/templates/clusterrolebinding.yaml @@ -0,0 +1,24 @@ +{{- if and .Values.rbac.create (or (not .Values.rbac.namespaced) .Values.rbac.extraClusterRoleRules) }} +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ include "grafana.fullname" . }}-clusterrolebinding + labels: + {{- include "grafana.labels" . | nindent 4 }} + {{- with .Values.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +subjects: + - kind: ServiceAccount + name: {{ include "grafana.serviceAccountName" . }} + namespace: {{ include "grafana.namespace" . }} +roleRef: + kind: ClusterRole + {{- if .Values.rbac.useExistingClusterRole }} + name: {{ .Values.rbac.useExistingClusterRole }} + {{- else }} + name: {{ include "grafana.fullname" . }}-clusterrole + {{- end }} + apiGroup: rbac.authorization.k8s.io +{{- end }} diff --git a/charts/kasten/k10/7.0.1401/charts/grafana/templates/configSecret.yaml b/charts/kasten/k10/7.0.1401/charts/grafana/templates/configSecret.yaml new file mode 100644 index 000000000..55574b9bb --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/grafana/templates/configSecret.yaml @@ -0,0 +1,43 @@ +{{- $createConfigSecret := eq (include "grafana.shouldCreateConfigSecret" .) "true" -}} +{{- if and .Values.createConfigmap $createConfigSecret }} +{{- $files := .Files }} +{{- $root := . -}} +apiVersion: v1 +kind: Secret +metadata: + name: "{{ include "grafana.fullname" . }}-config-secret" + namespace: {{ include "grafana.namespace" . }} + labels: + {{- include "grafana.labels" . | nindent 4 }} + {{- with .Values.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +data: +{{- range $key, $value := .Values.alerting }} + {{- if (hasKey $value "secretFile") }} + {{- $key | nindent 2 }}: + {{- toYaml ( $files.Get $value.secretFile ) | b64enc | nindent 4}} + {{/* as of https://helm.sh/docs/chart_template_guide/accessing_files/ this will only work if you fork this chart and add files to it*/}} + {{- end }} +{{- end }} +stringData: +{{- range $key, $value := .Values.datasources }} +{{- if (hasKey $value "secret") }} +{{- $key | nindent 2 }}: | + {{- tpl (toYaml $value.secret | nindent 4) $root }} +{{- end }} +{{- end }} +{{- range $key, $value := .Values.notifiers }} +{{- if (hasKey $value "secret") }} +{{- $key | nindent 2 }}: | + {{- tpl (toYaml $value.secret | nindent 4) $root }} +{{- end }} +{{- end }} +{{- range $key, $value := .Values.alerting }} +{{ if (hasKey $value "secret") }} + {{- $key | nindent 2 }}: | + {{- tpl (toYaml $value.secret | nindent 4) $root }} + {{- end }} +{{- end }} +{{- end }} diff --git a/charts/kasten/k10/7.0.1401/charts/grafana/templates/configmap-dashboard-provider.yaml b/charts/kasten/k10/7.0.1401/charts/grafana/templates/configmap-dashboard-provider.yaml new file mode 100644 index 000000000..b412c4d1f --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/grafana/templates/configmap-dashboard-provider.yaml @@ -0,0 +1,15 @@ +{{- if and .Values.sidecar.dashboards.enabled .Values.sidecar.dashboards.SCProvider }} +apiVersion: v1 +kind: ConfigMap +metadata: + labels: + {{- include "grafana.labels" . | nindent 4 }} + {{- with .Values.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} + name: {{ include "grafana.fullname" . }}-config-dashboards + namespace: {{ include "grafana.namespace" . }} +data: + {{- include "grafana.configDashboardProviderData" . | nindent 2 }} +{{- end }} diff --git a/charts/kasten/k10/7.0.1401/charts/grafana/templates/configmap.yaml b/charts/kasten/k10/7.0.1401/charts/grafana/templates/configmap.yaml new file mode 100644 index 000000000..0a2edf47e --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/grafana/templates/configmap.yaml @@ -0,0 +1,20 @@ +{{- if .Values.createConfigmap }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "grafana.fullname" . }} + namespace: {{ include "grafana.namespace" . }} + labels: + {{- include "grafana.labels" . | nindent 4 }} + {{- if or .Values.configMapAnnotations .Values.annotations }} + annotations: + {{- with .Values.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.configMapAnnotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- end }} +data: + {{- include "grafana.configData" . | nindent 2 }} +{{- end }} diff --git a/charts/kasten/k10/7.0.1401/charts/grafana/templates/dashboards-json-configmap.yaml b/charts/kasten/k10/7.0.1401/charts/grafana/templates/dashboards-json-configmap.yaml new file mode 100644 index 000000000..df0ed0d8c --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/grafana/templates/dashboards-json-configmap.yaml @@ -0,0 +1,35 @@ +{{- if .Values.dashboards }} +{{ $files := .Files }} +{{- range $provider, $dashboards := .Values.dashboards }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "grafana.fullname" $ }}-dashboards-{{ $provider }} + namespace: {{ include "grafana.namespace" $ }} + labels: + {{- include "grafana.labels" $ | nindent 4 }} + dashboard-provider: {{ $provider }} +{{- if $dashboards }} +data: +{{- $dashboardFound := false }} +{{- range $key, $value := $dashboards }} +{{- if (or (hasKey $value "json") (hasKey $value "file")) }} +{{- $dashboardFound = true }} + {{- print $key | nindent 2 }}.json: + {{- if hasKey $value "json" }} + |- + {{- $value.json | nindent 6 }} + {{- end }} + {{- if hasKey $value "file" }} + {{- toYaml ( $files.Get $value.file ) | nindent 4}} + {{- end }} +{{- end }} +{{- end }} +{{- if not $dashboardFound }} + {} +{{- end }} +{{- end }} +--- +{{- end }} + +{{- end }} diff --git a/charts/kasten/k10/7.0.1401/charts/grafana/templates/deployment.yaml b/charts/kasten/k10/7.0.1401/charts/grafana/templates/deployment.yaml new file mode 100644 index 000000000..ad0d5680f --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/grafana/templates/deployment.yaml @@ -0,0 +1,54 @@ +{{- if (and (not .Values.useStatefulSet) (or (not .Values.persistence.enabled) (eq .Values.persistence.type "pvc"))) }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "grafana.fullname" . }} + namespace: {{ include "grafana.namespace" . }} + labels: + {{- include "grafana.labels" . | nindent 4 }} + {{- with .Values.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + {{- if (not .Values.autoscaling.enabled) }} + replicas: {{ .Values.replicas }} + {{- end }} + revisionHistoryLimit: {{ .Values.revisionHistoryLimit }} + selector: + matchLabels: + {{- include "grafana.selectorLabels" . | nindent 6 }} + {{- with .Values.deploymentStrategy }} + strategy: + {{- toYaml . | trim | nindent 4 }} + {{- end }} + template: + metadata: + labels: + {{- include "grafana.selectorLabels" . | nindent 8 }} + {{- with .Values.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- include "k10.azMarketPlace.billingIdentifier" . | nindent 8 }} + annotations: + checksum/config: {{ include "grafana.configData" . | sha256sum }} + {{- if .Values.dashboards }} + checksum/dashboards-json-config: {{ include (print $.Template.BasePath "/dashboards-json-configmap.yaml") . | sha256sum }} + {{- end }} + checksum/sc-dashboard-provider-config: {{ include "grafana.configDashboardProviderData" . | sha256sum }} + {{- if and (or (and (not .Values.admin.existingSecret) (not .Values.env.GF_SECURITY_ADMIN_PASSWORD__FILE) (not .Values.env.GF_SECURITY_ADMIN_PASSWORD)) (and .Values.ldap.enabled (not .Values.ldap.existingSecret))) (not .Values.env.GF_SECURITY_DISABLE_INITIAL_ADMIN_CREATION) }} + checksum/secret: {{ include "grafana.secretsData" . | sha256sum }} + {{- end }} + {{- if .Values.envRenderSecret }} + checksum/secret-env: {{ tpl (toYaml .Values.envRenderSecret) . | sha256sum }} + {{- end }} + kubectl.kubernetes.io/default-container: {{ .Chart.Name }} + {{- with .Values.podAnnotations }} + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + {{- include "grafana.pod" . | nindent 6 }} +{{- end }} diff --git a/charts/kasten/k10/7.0.1401/charts/grafana/templates/extra-manifests.yaml b/charts/kasten/k10/7.0.1401/charts/grafana/templates/extra-manifests.yaml new file mode 100644 index 000000000..a9bb3b6ba --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/grafana/templates/extra-manifests.yaml @@ -0,0 +1,4 @@ +{{ range .Values.extraObjects }} +--- +{{ tpl (toYaml .) $ }} +{{ end }} diff --git a/charts/kasten/k10/7.0.1401/charts/grafana/templates/headless-service.yaml b/charts/kasten/k10/7.0.1401/charts/grafana/templates/headless-service.yaml new file mode 100644 index 000000000..3028589d3 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/grafana/templates/headless-service.yaml @@ -0,0 +1,22 @@ +{{- $sts := list "sts" "StatefulSet" "statefulset" -}} +{{- if or .Values.headlessService (and .Values.persistence.enabled (not .Values.persistence.existingClaim) (has .Values.persistence.type $sts)) }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "grafana.fullname" . }}-headless + namespace: {{ include "grafana.namespace" . }} + labels: + {{- include "grafana.labels" . | nindent 4 }} + {{- with .Values.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + clusterIP: None + selector: + {{- include "grafana.selectorLabels" . | nindent 4 }} + type: ClusterIP + ports: + - name: {{ .Values.gossipPortName }}-tcp + port: 9094 +{{- end }} diff --git a/charts/kasten/k10/7.0.1401/charts/grafana/templates/hpa.yaml b/charts/kasten/k10/7.0.1401/charts/grafana/templates/hpa.yaml new file mode 100644 index 000000000..46bbcb49a --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/grafana/templates/hpa.yaml @@ -0,0 +1,52 @@ +{{- $sts := list "sts" "StatefulSet" "statefulset" -}} +{{- if .Values.autoscaling.enabled }} +apiVersion: {{ include "grafana.hpa.apiVersion" . }} +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "grafana.fullname" . }} + namespace: {{ include "grafana.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "grafana.name" . }} + helm.sh/chart: {{ include "grafana.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + {{- if has .Values.persistence.type $sts }} + kind: StatefulSet + {{- else }} + kind: Deployment + {{- end }} + name: {{ include "grafana.fullname" . }} + minReplicas: {{ .Values.autoscaling.minReplicas }} + maxReplicas: {{ .Values.autoscaling.maxReplicas }} + metrics: + {{- if .Values.autoscaling.targetMemory }} + - type: Resource + resource: + name: memory + {{- if eq (include "grafana.hpa.apiVersion" .) "autoscaling/v2beta1" }} + targetAverageUtilization: {{ .Values.autoscaling.targetMemory }} + {{- else }} + target: + type: Utilization + averageUtilization: {{ .Values.autoscaling.targetMemory }} + {{- end }} + {{- end }} + {{- if .Values.autoscaling.targetCPU }} + - type: Resource + resource: + name: cpu + {{- if eq (include "grafana.hpa.apiVersion" .) "autoscaling/v2beta1" }} + targetAverageUtilization: {{ .Values.autoscaling.targetCPU }} + {{- else }} + target: + type: Utilization + averageUtilization: {{ .Values.autoscaling.targetCPU }} + {{- end }} + {{- end }} + {{- if .Values.autoscaling.behavior }} + behavior: {{ toYaml .Values.autoscaling.behavior | nindent 4 }} + {{- end }} +{{- end }} diff --git a/charts/kasten/k10/7.0.1401/charts/grafana/templates/image-renderer-deployment.yaml b/charts/kasten/k10/7.0.1401/charts/grafana/templates/image-renderer-deployment.yaml new file mode 100644 index 000000000..7722ede50 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/grafana/templates/image-renderer-deployment.yaml @@ -0,0 +1,200 @@ +{{ if .Values.imageRenderer.enabled }} +{{- $root := . -}} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "grafana.fullname" . }}-image-renderer + namespace: {{ include "grafana.namespace" . }} + labels: + {{- include "grafana.imageRenderer.labels" . | nindent 4 }} + {{- with .Values.imageRenderer.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.imageRenderer.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + {{- if and (not .Values.imageRenderer.autoscaling.enabled) (.Values.imageRenderer.replicas) }} + replicas: {{ .Values.imageRenderer.replicas }} + {{- end }} + revisionHistoryLimit: {{ .Values.imageRenderer.revisionHistoryLimit }} + selector: + matchLabels: + {{- include "grafana.imageRenderer.selectorLabels" . | nindent 6 }} + + {{- with .Values.imageRenderer.deploymentStrategy }} + strategy: + {{- toYaml . | trim | nindent 4 }} + {{- end }} + template: + metadata: + labels: + {{- include "grafana.imageRenderer.selectorLabels" . | nindent 8 }} + {{- with .Values.imageRenderer.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- include "k10.azMarketPlace.billingIdentifier" . | nindent 8 }} + annotations: + checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + {{- with .Values.imageRenderer.podAnnotations }} + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + {{- with .Values.imageRenderer.schedulerName }} + schedulerName: "{{ . }}" + {{- end }} + {{- with .Values.imageRenderer.serviceAccountName }} + serviceAccountName: "{{ . }}" + {{- end }} + {{- with .Values.imageRenderer.securityContext }} + securityContext: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.imageRenderer.hostAliases }} + hostAliases: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.imageRenderer.priorityClassName }} + priorityClassName: {{ . }} + {{- end }} + {{- with .Values.imageRenderer.image.pullSecrets }} + imagePullSecrets: + {{- range . }} + - name: {{ tpl . $root }} + {{- end}} + {{- end }} + containers: + - name: {{ .Chart.Name }}-image-renderer + {{- $registry := .Values.global.imageRegistry | default .Values.imageRenderer.image.registry -}} + {{- if .Values.imageRenderer.image.sha }} + image: "{{ $registry }}/{{ .Values.imageRenderer.image.repository }}:{{ .Values.imageRenderer.image.tag }}@sha256:{{ .Values.imageRenderer.image.sha }}" + {{- else }} + image: "{{ $registry }}/{{ .Values.imageRenderer.image.repository }}:{{ .Values.imageRenderer.image.tag }}" + {{- end }} + imagePullPolicy: {{ .Values.imageRenderer.image.pullPolicy }} + {{- if .Values.imageRenderer.command }} + command: + {{- range .Values.imageRenderer.command }} + - {{ . }} + {{- end }} + {{- end}} + ports: + - name: {{ .Values.imageRenderer.service.portName }} + containerPort: {{ .Values.imageRenderer.service.targetPort }} + protocol: TCP + livenessProbe: + httpGet: + path: / + port: {{ .Values.imageRenderer.service.portName }} + env: + - name: HTTP_PORT + value: {{ .Values.imageRenderer.service.targetPort | quote }} + {{- if .Values.imageRenderer.serviceMonitor.enabled }} + - name: ENABLE_METRICS + value: "true" + {{- end }} + {{- range $key, $value := .Values.imageRenderer.envValueFrom }} + - name: {{ $key | quote }} + valueFrom: + {{- tpl (toYaml $value) $ | nindent 16 }} + {{- end }} + {{- range $key, $value := .Values.imageRenderer.env }} + - name: {{ $key | quote }} + value: {{ $value | quote }} + {{- end }} + {{- with .Values.imageRenderer.containerSecurityContext }} + securityContext: + {{- toYaml . | nindent 12 }} + {{- end }} + volumeMounts: + - mountPath: /tmp + name: image-renderer-tmpfs + {{- range .Values.imageRenderer.extraConfigmapMounts }} + - name: {{ tpl .name $root }} + mountPath: {{ tpl .mountPath $root }} + subPath: {{ tpl (.subPath | default "") $root }} + readOnly: {{ .readOnly }} + {{- end }} + {{- range .Values.imageRenderer.extraSecretMounts }} + - name: {{ .name }} + mountPath: {{ .mountPath }} + readOnly: {{ .readOnly }} + subPath: {{ .subPath | default "" }} + {{- end }} + {{- range .Values.imageRenderer.extraVolumeMounts }} + - name: {{ .name }} + mountPath: {{ .mountPath }} + subPath: {{ .subPath | default "" }} + readOnly: {{ .readOnly }} + {{- end }} + {{- with .Values.imageRenderer.resources }} + resources: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.imageRenderer.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.imageRenderer.affinity }} + affinity: + {{- tpl (toYaml .) $root | nindent 8 }} + {{- end }} + {{- with .Values.imageRenderer.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} + volumes: + - name: image-renderer-tmpfs + emptyDir: {} + {{- range .Values.imageRenderer.extraConfigmapMounts }} + - name: {{ tpl .name $root }} + configMap: + name: {{ tpl .configMap $root }} + {{- with .items }} + items: + {{- toYaml . | nindent 14 }} + {{- end }} + {{- end }} + {{- range .Values.imageRenderer.extraSecretMounts }} + {{- if .secretName }} + - name: {{ .name }} + secret: + secretName: {{ .secretName }} + defaultMode: {{ .defaultMode }} + {{- with .items }} + items: + {{- toYaml . | nindent 14 }} + {{- end }} + {{- else if .projected }} + - name: {{ .name }} + projected: + {{- toYaml .projected | nindent 12 }} + {{- else if .csi }} + - name: {{ .name }} + csi: + {{- toYaml .csi | nindent 12 }} + {{- end }} + {{- end }} + {{- range .Values.imageRenderer.extraVolumes }} + - name: {{ .name }} + {{- if .existingClaim }} + persistentVolumeClaim: + claimName: {{ .existingClaim }} + {{- else if .hostPath }} + hostPath: + {{ toYaml .hostPath | nindent 12 }} + {{- else if .csi }} + csi: + {{- toYaml .csi | nindent 12 }} + {{- else if .configMap }} + configMap: + {{- toYaml .configMap | nindent 12 }} + {{- else if .emptyDir }} + emptyDir: + {{- toYaml .emptyDir | nindent 12 }} + {{- else }} + emptyDir: {} + {{- end }} + {{- end }} +{{- end }} diff --git a/charts/kasten/k10/7.0.1401/charts/grafana/templates/image-renderer-hpa.yaml b/charts/kasten/k10/7.0.1401/charts/grafana/templates/image-renderer-hpa.yaml new file mode 100644 index 000000000..b0f0059b7 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/grafana/templates/image-renderer-hpa.yaml @@ -0,0 +1,47 @@ +{{- if and .Values.imageRenderer.enabled .Values.imageRenderer.autoscaling.enabled }} +apiVersion: {{ include "grafana.hpa.apiVersion" . }} +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "grafana.fullname" . }}-image-renderer + namespace: {{ include "grafana.namespace" . }} + labels: + app.kubernetes.io/name: {{ include "grafana.name" . }}-image-renderer + helm.sh/chart: {{ include "grafana.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "grafana.fullname" . }}-image-renderer + minReplicas: {{ .Values.imageRenderer.autoscaling.minReplicas }} + maxReplicas: {{ .Values.imageRenderer.autoscaling.maxReplicas }} + metrics: + {{- if .Values.imageRenderer.autoscaling.targetMemory }} + - type: Resource + resource: + name: memory + {{- if eq (include "grafana.hpa.apiVersion" .) "autoscaling/v2beta1" }} + targetAverageUtilization: {{ .Values.imageRenderer.autoscaling.targetMemory }} + {{- else }} + target: + type: Utilization + averageUtilization: {{ .Values.imageRenderer.autoscaling.targetMemory }} + {{- end }} + {{- end }} + {{- if .Values.imageRenderer.autoscaling.targetCPU }} + - type: Resource + resource: + name: cpu + {{- if eq (include "grafana.hpa.apiVersion" .) "autoscaling/v2beta1" }} + targetAverageUtilization: {{ .Values.imageRenderer.autoscaling.targetCPU }} + {{- else }} + target: + type: Utilization + averageUtilization: {{ .Values.imageRenderer.autoscaling.targetCPU }} + {{- end }} + {{- end }} + {{- if .Values.imageRenderer.autoscaling.behavior }} + behavior: {{ toYaml .Values.imageRenderer.autoscaling.behavior | nindent 4 }} + {{- end }} +{{- end }} diff --git a/charts/kasten/k10/7.0.1401/charts/grafana/templates/image-renderer-network-policy.yaml b/charts/kasten/k10/7.0.1401/charts/grafana/templates/image-renderer-network-policy.yaml new file mode 100644 index 000000000..bcbd24976 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/grafana/templates/image-renderer-network-policy.yaml @@ -0,0 +1,79 @@ +{{- if and .Values.imageRenderer.enabled .Values.imageRenderer.networkPolicy.limitIngress }} +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ include "grafana.fullname" . }}-image-renderer-ingress + namespace: {{ include "grafana.namespace" . }} + annotations: + comment: Limit image-renderer ingress traffic from grafana +spec: + podSelector: + matchLabels: + {{- include "grafana.imageRenderer.selectorLabels" . | nindent 6 }} + {{- with .Values.imageRenderer.podLabels }} + {{- toYaml . | nindent 6 }} + {{- end }} + + policyTypes: + - Ingress + ingress: + - ports: + - port: {{ .Values.imageRenderer.service.targetPort }} + protocol: TCP + from: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: {{ include "grafana.namespace" . }} + podSelector: + matchLabels: + {{- include "grafana.selectorLabels" . | nindent 14 }} + {{- with .Values.podLabels }} + {{- toYaml . | nindent 14 }} + {{- end }} + {{- with .Values.imageRenderer.networkPolicy.extraIngressSelectors -}} + {{ toYaml . | nindent 8 }} + {{- end }} +{{- end }} + +{{- if and .Values.imageRenderer.enabled .Values.imageRenderer.networkPolicy.limitEgress }} +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ include "grafana.fullname" . }}-image-renderer-egress + namespace: {{ include "grafana.namespace" . }} + annotations: + comment: Limit image-renderer egress traffic to grafana +spec: + podSelector: + matchLabels: + {{- include "grafana.imageRenderer.selectorLabels" . | nindent 6 }} + {{- with .Values.imageRenderer.podLabels }} + {{- toYaml . | nindent 6 }} + {{- end }} + + policyTypes: + - Egress + egress: + # allow dns resolution + - ports: + - port: 53 + protocol: UDP + - port: 53 + protocol: TCP + # talk only to grafana + - ports: + - port: {{ .Values.service.targetPort }} + protocol: TCP + to: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: {{ include "grafana.namespace" . }} + podSelector: + matchLabels: + {{- include "grafana.selectorLabels" . | nindent 14 }} + {{- with .Values.podLabels }} + {{- toYaml . | nindent 14 }} + {{- end }} +{{- end }} diff --git a/charts/kasten/k10/7.0.1401/charts/grafana/templates/image-renderer-service.yaml b/charts/kasten/k10/7.0.1401/charts/grafana/templates/image-renderer-service.yaml new file mode 100644 index 000000000..f8da127cf --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/grafana/templates/image-renderer-service.yaml @@ -0,0 +1,31 @@ +{{- if and .Values.imageRenderer.enabled .Values.imageRenderer.service.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "grafana.fullname" . }}-image-renderer + namespace: {{ include "grafana.namespace" . }} + labels: + {{- include "grafana.imageRenderer.labels" . | nindent 4 }} + {{- with .Values.imageRenderer.service.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.imageRenderer.service.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + type: ClusterIP + {{- with .Values.imageRenderer.service.clusterIP }} + clusterIP: {{ . }} + {{- end }} + ports: + - name: {{ .Values.imageRenderer.service.portName }} + port: {{ .Values.imageRenderer.service.port }} + protocol: TCP + targetPort: {{ .Values.imageRenderer.service.targetPort }} + {{- with .Values.imageRenderer.appProtocol }} + appProtocol: {{ . }} + {{- end }} + selector: + {{- include "grafana.imageRenderer.selectorLabels" . | nindent 4 }} +{{- end }} diff --git a/charts/kasten/k10/7.0.1401/charts/grafana/templates/image-renderer-servicemonitor.yaml b/charts/kasten/k10/7.0.1401/charts/grafana/templates/image-renderer-servicemonitor.yaml new file mode 100644 index 000000000..5d9f09d26 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/grafana/templates/image-renderer-servicemonitor.yaml @@ -0,0 +1,48 @@ +{{- if .Values.imageRenderer.serviceMonitor.enabled }} +--- +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ include "grafana.fullname" . }}-image-renderer + {{- if .Values.imageRenderer.serviceMonitor.namespace }} + namespace: {{ tpl .Values.imageRenderer.serviceMonitor.namespace . }} + {{- else }} + namespace: {{ include "grafana.namespace" . }} + {{- end }} + labels: + {{- include "grafana.imageRenderer.labels" . | nindent 4 }} + {{- with .Values.imageRenderer.serviceMonitor.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + endpoints: + - port: {{ .Values.imageRenderer.service.portName }} + {{- with .Values.imageRenderer.serviceMonitor.interval }} + interval: {{ . }} + {{- end }} + {{- with .Values.imageRenderer.serviceMonitor.scrapeTimeout }} + scrapeTimeout: {{ . }} + {{- end }} + honorLabels: true + path: {{ .Values.imageRenderer.serviceMonitor.path }} + scheme: {{ .Values.imageRenderer.serviceMonitor.scheme }} + {{- with .Values.imageRenderer.serviceMonitor.tlsConfig }} + tlsConfig: + {{- toYaml . | nindent 6 }} + {{- end }} + {{- with .Values.imageRenderer.serviceMonitor.relabelings }} + relabelings: + {{- toYaml . | nindent 6 }} + {{- end }} + jobLabel: "{{ .Release.Name }}-image-renderer" + selector: + matchLabels: + {{- include "grafana.imageRenderer.selectorLabels" . | nindent 6 }} + namespaceSelector: + matchNames: + - {{ include "grafana.namespace" . }} + {{- with .Values.imageRenderer.serviceMonitor.targetLabels }} + targetLabels: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} diff --git a/charts/kasten/k10/7.0.1401/charts/grafana/templates/ingress.yaml b/charts/kasten/k10/7.0.1401/charts/grafana/templates/ingress.yaml new file mode 100644 index 000000000..b2ffd8109 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/grafana/templates/ingress.yaml @@ -0,0 +1,78 @@ +{{- if .Values.ingress.enabled -}} +{{- $ingressApiIsStable := eq (include "grafana.ingress.isStable" .) "true" -}} +{{- $ingressSupportsIngressClassName := eq (include "grafana.ingress.supportsIngressClassName" .) "true" -}} +{{- $ingressSupportsPathType := eq (include "grafana.ingress.supportsPathType" .) "true" -}} +{{- $fullName := include "grafana.fullname" . -}} +{{- $servicePort := .Values.service.port -}} +{{- $ingressPath := .Values.ingress.path -}} +{{- $ingressPathType := .Values.ingress.pathType -}} +{{- $extraPaths := .Values.ingress.extraPaths -}} +apiVersion: {{ include "grafana.ingress.apiVersion" . }} +kind: Ingress +metadata: + name: {{ $fullName }} + namespace: {{ include "grafana.namespace" . }} + labels: + {{- include "grafana.labels" . | nindent 4 }} + {{- with .Values.ingress.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.ingress.annotations }} + annotations: + {{- range $key, $value := . }} + {{ $key }}: {{ tpl $value $ | quote }} + {{- end }} + {{- end }} +spec: + {{- if and $ingressSupportsIngressClassName .Values.ingress.ingressClassName }} + ingressClassName: {{ .Values.ingress.ingressClassName }} + {{- end -}} + {{- with .Values.ingress.tls }} + tls: + {{- tpl (toYaml .) $ | nindent 4 }} + {{- end }} + rules: + {{- if .Values.ingress.hosts }} + {{- range .Values.ingress.hosts }} + - host: {{ tpl . $ | quote }} + http: + paths: + {{- with $extraPaths }} + {{- toYaml . | nindent 10 }} + {{- end }} + - path: {{ $ingressPath }} + {{- if $ingressSupportsPathType }} + pathType: {{ $ingressPathType }} + {{- end }} + backend: + {{- if $ingressApiIsStable }} + service: + name: {{ $fullName }} + port: + number: {{ $servicePort }} + {{- else }} + serviceName: {{ $fullName }} + servicePort: {{ $servicePort }} + {{- end }} + {{- end }} + {{- else }} + - http: + paths: + - backend: + {{- if $ingressApiIsStable }} + service: + name: {{ $fullName }} + port: + number: {{ $servicePort }} + {{- else }} + serviceName: {{ $fullName }} + servicePort: {{ $servicePort }} + {{- end }} + {{- with $ingressPath }} + path: {{ . }} + {{- end }} + {{- if $ingressSupportsPathType }} + pathType: {{ $ingressPathType }} + {{- end }} + {{- end -}} +{{- end }} diff --git a/charts/kasten/k10/7.0.1401/charts/grafana/templates/networkpolicy.yaml b/charts/kasten/k10/7.0.1401/charts/grafana/templates/networkpolicy.yaml new file mode 100644 index 000000000..4cd3ed697 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/grafana/templates/networkpolicy.yaml @@ -0,0 +1,61 @@ +{{- if .Values.networkPolicy.enabled }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ include "grafana.fullname" . }} + namespace: {{ include "grafana.namespace" . }} + labels: + {{- include "grafana.labels" . | nindent 4 }} + {{- with .Values.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + policyTypes: + {{- if .Values.networkPolicy.ingress }} + - Ingress + {{- end }} + {{- if .Values.networkPolicy.egress.enabled }} + - Egress + {{- end }} + podSelector: + matchLabels: + {{- include "grafana.selectorLabels" . | nindent 6 }} + + {{- if .Values.networkPolicy.egress.enabled }} + egress: + {{- if not .Values.networkPolicy.egress.blockDNSResolution }} + - ports: + - port: 53 + protocol: UDP + {{- end }} + - ports: + {{ .Values.networkPolicy.egress.ports | toJson }} + {{- with .Values.networkPolicy.egress.to }} + to: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- end }} + {{- if .Values.networkPolicy.ingress }} + ingress: + - ports: + - port: {{ .Values.service.targetPort }} + {{- if not .Values.networkPolicy.allowExternal }} + from: + - podSelector: + matchLabels: + {{ include "grafana.fullname" . }}-client: "true" + {{- with .Values.networkPolicy.explicitNamespacesSelector }} + - namespaceSelector: + {{- toYaml . | nindent 12 }} + {{- end }} + - podSelector: + matchLabels: + {{- include "grafana.labels" . | nindent 14 }} + role: read + {{- end }} + {{- end }} +{{- end }} diff --git a/charts/kasten/k10/7.0.1401/charts/grafana/templates/poddisruptionbudget.yaml b/charts/kasten/k10/7.0.1401/charts/grafana/templates/poddisruptionbudget.yaml new file mode 100644 index 000000000..05251214a --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/grafana/templates/poddisruptionbudget.yaml @@ -0,0 +1,22 @@ +{{- if .Values.podDisruptionBudget }} +apiVersion: {{ include "grafana.podDisruptionBudget.apiVersion" . }} +kind: PodDisruptionBudget +metadata: + name: {{ include "grafana.fullname" . }} + namespace: {{ include "grafana.namespace" . }} + labels: + {{- include "grafana.labels" . | nindent 4 }} + {{- with .Values.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + {{- with .Values.podDisruptionBudget.minAvailable }} + minAvailable: {{ . }} + {{- end }} + {{- with .Values.podDisruptionBudget.maxUnavailable }} + maxUnavailable: {{ . }} + {{- end }} + selector: + matchLabels: + {{- include "grafana.selectorLabels" . | nindent 6 }} +{{- end }} diff --git a/charts/kasten/k10/7.0.1401/charts/grafana/templates/podsecuritypolicy.yaml b/charts/kasten/k10/7.0.1401/charts/grafana/templates/podsecuritypolicy.yaml new file mode 100644 index 000000000..eed7af95b --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/grafana/templates/podsecuritypolicy.yaml @@ -0,0 +1,49 @@ +{{- if and .Values.rbac.pspEnabled (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ include "grafana.fullname" . }} + labels: + {{- include "grafana.labels" . | nindent 4 }} + annotations: + seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default,runtime/default' + seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default' + {{- if .Values.rbac.pspUseAppArmor }} + apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default' + apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default' + {{- end }} +spec: + privileged: false + allowPrivilegeEscalation: false + requiredDropCapabilities: + # Default set from Docker, with DAC_OVERRIDE and CHOWN + - ALL + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'csi' + - 'secret' + - 'downwardAPI' + - 'persistentVolumeClaim' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'MustRunAs' + ranges: + # Forbid adding the root group. + - min: 1 + max: 65535 + fsGroup: + rule: 'MustRunAs' + ranges: + # Forbid adding the root group. + - min: 1 + max: 65535 + readOnlyRootFilesystem: false +{{- end }} diff --git a/charts/kasten/k10/7.0.1401/charts/grafana/templates/pvc.yaml b/charts/kasten/k10/7.0.1401/charts/grafana/templates/pvc.yaml new file mode 100644 index 000000000..d1c4b2de2 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/grafana/templates/pvc.yaml @@ -0,0 +1,39 @@ +{{- if and (not .Values.useStatefulSet) .Values.persistence.enabled (not .Values.persistence.existingClaim) (eq .Values.persistence.type "pvc")}} +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: {{ include "grafana.fullname" . }} + namespace: {{ include "grafana.namespace" . }} + labels: + {{- include "grafana.labels" . | nindent 4 }} + {{- with .Values.persistence.extraPvcLabels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.persistence.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.persistence.finalizers }} + finalizers: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + accessModes: + {{- range .Values.persistence.accessModes }} + - {{ . | quote }} + {{- end }} + resources: + requests: + storage: {{ .Values.persistence.size | quote }} + {{- if and (.Values.persistence.lookupVolumeName) (lookup "v1" "PersistentVolumeClaim" (include "grafana.namespace" .) (include "grafana.fullname" .)) }} + volumeName: {{ (lookup "v1" "PersistentVolumeClaim" (include "grafana.namespace" .) (include "grafana.fullname" .)).spec.volumeName }} + {{- end }} + {{- with .Values.persistence.storageClassName }} + storageClassName: {{ . }} + {{- end }} + {{- with .Values.persistence.selectorLabels }} + selector: + matchLabels: + {{- toYaml . | nindent 6 }} + {{- end }} +{{- end }} diff --git a/charts/kasten/k10/7.0.1401/charts/grafana/templates/role.yaml b/charts/kasten/k10/7.0.1401/charts/grafana/templates/role.yaml new file mode 100644 index 000000000..4b5edd978 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/grafana/templates/role.yaml @@ -0,0 +1,32 @@ +{{- if and .Values.rbac.create (not .Values.rbac.useExistingRole) -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "grafana.fullname" . }} + namespace: {{ include "grafana.namespace" . }} + labels: + {{- include "grafana.labels" . | nindent 4 }} + {{- with .Values.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- if or .Values.rbac.pspEnabled (and .Values.rbac.namespaced (or .Values.sidecar.dashboards.enabled .Values.sidecar.datasources.enabled .Values.sidecar.plugins.enabled .Values.rbac.extraRoleRules)) }} +rules: + {{- if and .Values.rbac.pspEnabled (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }} + - apiGroups: ['extensions'] + resources: ['podsecuritypolicies'] + verbs: ['use'] + resourceNames: [{{ include "grafana.fullname" . }}] + {{- end }} + {{- if and .Values.rbac.namespaced (or .Values.sidecar.dashboards.enabled .Values.sidecar.datasources.enabled .Values.sidecar.plugins.enabled) }} + - apiGroups: [""] # "" indicates the core API group + resources: ["configmaps", "secrets"] + verbs: ["get", "watch", "list"] + {{- end }} + {{- with .Values.rbac.extraRoleRules }} + {{- toYaml . | nindent 2 }} + {{- end}} +{{- else }} +rules: [] +{{- end }} +{{- end }} diff --git a/charts/kasten/k10/7.0.1401/charts/grafana/templates/rolebinding.yaml b/charts/kasten/k10/7.0.1401/charts/grafana/templates/rolebinding.yaml new file mode 100644 index 000000000..58f77c6b0 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/grafana/templates/rolebinding.yaml @@ -0,0 +1,25 @@ +{{- if .Values.rbac.create }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ include "grafana.fullname" . }} + namespace: {{ include "grafana.namespace" . }} + labels: + {{- include "grafana.labels" . | nindent 4 }} + {{- with .Values.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + {{- if .Values.rbac.useExistingRole }} + name: {{ .Values.rbac.useExistingRole }} + {{- else }} + name: {{ include "grafana.fullname" . }} + {{- end }} +subjects: +- kind: ServiceAccount + name: {{ include "grafana.serviceAccountName" . }} + namespace: {{ include "grafana.namespace" . }} +{{- end }} diff --git a/charts/kasten/k10/7.0.1401/charts/grafana/templates/secret-env.yaml b/charts/kasten/k10/7.0.1401/charts/grafana/templates/secret-env.yaml new file mode 100644 index 000000000..eb14aac70 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/grafana/templates/secret-env.yaml @@ -0,0 +1,14 @@ +{{- if .Values.envRenderSecret }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "grafana.fullname" . }}-env + namespace: {{ include "grafana.namespace" . }} + labels: + {{- include "grafana.labels" . | nindent 4 }} +type: Opaque +data: +{{- range $key, $val := .Values.envRenderSecret }} + {{ $key }}: {{ tpl ($val | toString) $ | b64enc | quote }} +{{- end }} +{{- end }} diff --git a/charts/kasten/k10/7.0.1401/charts/grafana/templates/secret.yaml b/charts/kasten/k10/7.0.1401/charts/grafana/templates/secret.yaml new file mode 100644 index 000000000..fd2ca50f4 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/grafana/templates/secret.yaml @@ -0,0 +1,16 @@ +{{- if or (and (not .Values.admin.existingSecret) (not .Values.env.GF_SECURITY_ADMIN_PASSWORD__FILE) (not .Values.env.GF_SECURITY_ADMIN_PASSWORD) (not .Values.env.GF_SECURITY_DISABLE_INITIAL_ADMIN_CREATION)) (and .Values.ldap.enabled (not .Values.ldap.existingSecret)) }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "grafana.fullname" . }} + namespace: {{ include "grafana.namespace" . }} + labels: + {{- include "grafana.labels" . | nindent 4 }} + {{- with .Values.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +type: Opaque +data: + {{- include "grafana.secretsData" . | nindent 2 }} +{{- end }} diff --git a/charts/kasten/k10/7.0.1401/charts/grafana/templates/service.yaml b/charts/kasten/k10/7.0.1401/charts/grafana/templates/service.yaml new file mode 100644 index 000000000..022328c11 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/grafana/templates/service.yaml @@ -0,0 +1,67 @@ +{{- if .Values.service.enabled }} +{{- $root := . }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "grafana.fullname" . }} + namespace: {{ include "grafana.namespace" . }} + labels: + {{- include "grafana.labels" . | nindent 4 }} + {{- with .Values.service.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.service.annotations }} + annotations: + {{- tpl (toYaml . | nindent 4) $root }} + {{- end }} +spec: + {{- if (or (eq .Values.service.type "ClusterIP") (empty .Values.service.type)) }} + type: ClusterIP + {{- with .Values.service.clusterIP }} + clusterIP: {{ . }} + {{- end }} + {{- else if eq .Values.service.type "LoadBalancer" }} + type: LoadBalancer + {{- with .Values.service.loadBalancerIP }} + loadBalancerIP: {{ . }} + {{- end }} + {{- with .Values.service.loadBalancerClass }} + loadBalancerClass: {{ . }} + {{- end }} + {{- with .Values.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: + {{- toYaml . | nindent 4 }} + {{- end }} + {{- else }} + type: {{ .Values.service.type }} + {{- end }} + {{- if .Values.service.ipFamilyPolicy }} + ipFamilyPolicy: {{ .Values.service.ipFamilyPolicy }} + {{- end }} + {{- if .Values.service.ipFamilies }} + ipFamilies: {{ .Values.service.ipFamilies | toYaml | nindent 2 }} + {{- end }} + {{- with .Values.service.externalIPs }} + externalIPs: + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.service.externalTrafficPolicy }} + externalTrafficPolicy: {{ . }} + {{- end }} + ports: + - name: {{ .Values.service.portName }} + port: {{ .Values.service.port }} + protocol: TCP + targetPort: {{ .Values.service.targetPort }} + {{- with .Values.service.appProtocol }} + appProtocol: {{ . }} + {{- end }} + {{- if (and (eq .Values.service.type "NodePort") (not (empty .Values.service.nodePort))) }} + nodePort: {{ .Values.service.nodePort }} + {{- end }} + {{- with .Values.extraExposePorts }} + {{- tpl (toYaml . | nindent 4) $root }} + {{- end }} + selector: + {{- include "grafana.selectorLabels" . | nindent 4 }} +{{- end }} diff --git a/charts/kasten/k10/7.0.1401/charts/grafana/templates/serviceaccount.yaml b/charts/kasten/k10/7.0.1401/charts/grafana/templates/serviceaccount.yaml new file mode 100644 index 000000000..ffca0717a --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/grafana/templates/serviceaccount.yaml @@ -0,0 +1,17 @@ +{{- if .Values.serviceAccount.create }} +apiVersion: v1 +kind: ServiceAccount +automountServiceAccountToken: {{ .Values.serviceAccount.autoMount | default .Values.serviceAccount.automountServiceAccountToken }} +metadata: + labels: + {{- include "grafana.labels" . | nindent 4 }} + {{- with .Values.serviceAccount.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.serviceAccount.annotations }} + annotations: + {{- tpl (toYaml . | nindent 4) $ }} + {{- end }} + name: {{ include "grafana.serviceAccountName" . }} + namespace: {{ include "grafana.namespace" . }} +{{- end }} diff --git a/charts/kasten/k10/7.0.1401/charts/grafana/templates/servicemonitor.yaml b/charts/kasten/k10/7.0.1401/charts/grafana/templates/servicemonitor.yaml new file mode 100644 index 000000000..035901352 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/grafana/templates/servicemonitor.yaml @@ -0,0 +1,52 @@ +{{- if .Values.serviceMonitor.enabled }} +--- +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ include "grafana.fullname" . }} + {{- if .Values.serviceMonitor.namespace }} + namespace: {{ tpl .Values.serviceMonitor.namespace . }} + {{- else }} + namespace: {{ include "grafana.namespace" . }} + {{- end }} + labels: + {{- include "grafana.labels" . | nindent 4 }} + {{- with .Values.serviceMonitor.labels }} + {{- tpl (toYaml . | nindent 4) $ }} + {{- end }} +spec: + endpoints: + - port: {{ .Values.service.portName }} + {{- with .Values.serviceMonitor.interval }} + interval: {{ . }} + {{- end }} + {{- with .Values.serviceMonitor.scrapeTimeout }} + scrapeTimeout: {{ . }} + {{- end }} + honorLabels: true + path: {{ .Values.serviceMonitor.path }} + scheme: {{ .Values.serviceMonitor.scheme }} + {{- with .Values.serviceMonitor.tlsConfig }} + tlsConfig: + {{- toYaml . | nindent 6 }} + {{- end }} + {{- with .Values.serviceMonitor.relabelings }} + relabelings: + {{- toYaml . | nindent 6 }} + {{- end }} + {{- with .Values.serviceMonitor.metricRelabelings }} + metricRelabelings: + {{- toYaml . | nindent 6 }} + {{- end }} + jobLabel: "{{ .Release.Name }}" + selector: + matchLabels: + {{- include "grafana.selectorLabels" . | nindent 6 }} + namespaceSelector: + matchNames: + - {{ include "grafana.namespace" . }} + {{- with .Values.serviceMonitor.targetLabels }} + targetLabels: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} diff --git a/charts/kasten/k10/7.0.1401/charts/grafana/templates/statefulset.yaml b/charts/kasten/k10/7.0.1401/charts/grafana/templates/statefulset.yaml new file mode 100644 index 000000000..7546c1887 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/grafana/templates/statefulset.yaml @@ -0,0 +1,58 @@ +{{- $sts := list "sts" "StatefulSet" "statefulset" -}} +{{- if (or (.Values.useStatefulSet) (and .Values.persistence.enabled (not .Values.persistence.existingClaim) (has .Values.persistence.type $sts)))}} +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: {{ include "grafana.fullname" . }} + namespace: {{ include "grafana.namespace" . }} + labels: + {{- include "grafana.labels" . | nindent 4 }} + {{- with .Values.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + replicas: {{ .Values.replicas }} + selector: + matchLabels: + {{- include "grafana.selectorLabels" . | nindent 6 }} + serviceName: {{ include "grafana.fullname" . }}-headless + template: + metadata: + labels: + {{- include "grafana.selectorLabels" . | nindent 8 }} + {{- with .Values.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + annotations: + checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + checksum/dashboards-json-config: {{ include (print $.Template.BasePath "/dashboards-json-configmap.yaml") . | sha256sum }} + checksum/sc-dashboard-provider-config: {{ include (print $.Template.BasePath "/configmap-dashboard-provider.yaml") . | sha256sum }} + {{- if and (or (and (not .Values.admin.existingSecret) (not .Values.env.GF_SECURITY_ADMIN_PASSWORD__FILE) (not .Values.env.GF_SECURITY_ADMIN_PASSWORD)) (and .Values.ldap.enabled (not .Values.ldap.existingSecret))) (not .Values.env.GF_SECURITY_DISABLE_INITIAL_ADMIN_CREATION) }} + checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }} + {{- end }} + kubectl.kubernetes.io/default-container: {{ .Chart.Name }} + {{- with .Values.podAnnotations }} + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + {{- include "grafana.pod" . | nindent 6 }} + {{- if .Values.persistence.enabled}} + volumeClaimTemplates: + - apiVersion: v1 + kind: PersistentVolumeClaim + metadata: + name: storage + spec: + accessModes: {{ .Values.persistence.accessModes }} + storageClassName: {{ .Values.persistence.storageClassName }} + resources: + requests: + storage: {{ .Values.persistence.size }} + {{- with .Values.persistence.selectorLabels }} + selector: + matchLabels: + {{- toYaml . | nindent 10 }} + {{- end }} + {{- end }} +{{- end }} diff --git a/charts/kasten/k10/7.0.1401/charts/grafana/templates/tests/test-configmap.yaml b/charts/kasten/k10/7.0.1401/charts/grafana/templates/tests/test-configmap.yaml new file mode 100644 index 000000000..1e81bee90 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/grafana/templates/tests/test-configmap.yaml @@ -0,0 +1,20 @@ +{{- if .Values.testFramework.enabled }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "grafana.fullname" . }}-test + namespace: {{ include "grafana.namespace" . }} + annotations: + "helm.sh/hook": test + "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded" + labels: + {{- include "grafana.labels" . | nindent 4 }} +data: + run.sh: |- + @test "Test Health" { + url="http://{{ include "grafana.fullname" . }}/api/health" + + code=$(wget --server-response --spider --timeout 90 --tries 10 ${url} 2>&1 | awk '/^ HTTP/{print $2}') + [ "$code" == "200" ] + } +{{- end }} diff --git a/charts/kasten/k10/7.0.1401/charts/grafana/templates/tests/test-podsecuritypolicy.yaml b/charts/kasten/k10/7.0.1401/charts/grafana/templates/tests/test-podsecuritypolicy.yaml new file mode 100644 index 000000000..c13a3bf66 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/grafana/templates/tests/test-podsecuritypolicy.yaml @@ -0,0 +1,32 @@ +{{- if and (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") .Values.testFramework.enabled .Values.rbac.pspEnabled }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ include "grafana.fullname" . }}-test + annotations: + "helm.sh/hook": test + "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded" + labels: + {{- include "grafana.labels" . | nindent 4 }} +spec: + allowPrivilegeEscalation: true + privileged: false + hostNetwork: false + hostIPC: false + hostPID: false + fsGroup: + rule: RunAsAny + seLinux: + rule: RunAsAny + supplementalGroups: + rule: RunAsAny + runAsUser: + rule: RunAsAny + volumes: + - configMap + - downwardAPI + - emptyDir + - projected + - csi + - secret +{{- end }} diff --git a/charts/kasten/k10/7.0.1401/charts/grafana/templates/tests/test-role.yaml b/charts/kasten/k10/7.0.1401/charts/grafana/templates/tests/test-role.yaml new file mode 100644 index 000000000..75dddfdd3 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/grafana/templates/tests/test-role.yaml @@ -0,0 +1,17 @@ +{{- if and (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") .Values.testFramework.enabled .Values.rbac.pspEnabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "grafana.fullname" . }}-test + namespace: {{ include "grafana.namespace" . }} + annotations: + "helm.sh/hook": test + "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded" + labels: + {{- include "grafana.labels" . | nindent 4 }} +rules: + - apiGroups: ['policy'] + resources: ['podsecuritypolicies'] + verbs: ['use'] + resourceNames: [{{ include "grafana.fullname" . }}-test] +{{- end }} diff --git a/charts/kasten/k10/7.0.1401/charts/grafana/templates/tests/test-rolebinding.yaml b/charts/kasten/k10/7.0.1401/charts/grafana/templates/tests/test-rolebinding.yaml new file mode 100644 index 000000000..c0d2d39ef --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/grafana/templates/tests/test-rolebinding.yaml @@ -0,0 +1,20 @@ +{{- if and (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") .Values.testFramework.enabled .Values.rbac.pspEnabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ include "grafana.fullname" . }}-test + namespace: {{ include "grafana.namespace" . }} + annotations: + "helm.sh/hook": test + "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded" + labels: + {{- include "grafana.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ include "grafana.fullname" . }}-test +subjects: + - kind: ServiceAccount + name: {{ include "grafana.serviceAccountNameTest" . }} + namespace: {{ include "grafana.namespace" . }} +{{- end }} diff --git a/charts/kasten/k10/7.0.1401/charts/grafana/templates/tests/test-serviceaccount.yaml b/charts/kasten/k10/7.0.1401/charts/grafana/templates/tests/test-serviceaccount.yaml new file mode 100644 index 000000000..7af898272 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/grafana/templates/tests/test-serviceaccount.yaml @@ -0,0 +1,12 @@ +{{- if and .Values.testFramework.enabled .Values.serviceAccount.create }} +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + {{- include "grafana.labels" . | nindent 4 }} + name: {{ include "grafana.serviceAccountNameTest" . }} + namespace: {{ include "grafana.namespace" . }} + annotations: + "helm.sh/hook": test + "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded" +{{- end }} diff --git a/charts/kasten/k10/7.0.1401/charts/grafana/templates/tests/test.yaml b/charts/kasten/k10/7.0.1401/charts/grafana/templates/tests/test.yaml new file mode 100644 index 000000000..2484a96da --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/grafana/templates/tests/test.yaml @@ -0,0 +1,53 @@ +{{- if .Values.testFramework.enabled }} +{{- $root := . }} +apiVersion: v1 +kind: Pod +metadata: + name: {{ include "grafana.fullname" . }}-test + labels: + {{- include "grafana.labels" . | nindent 4 }} + annotations: + "helm.sh/hook": test + "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded" + namespace: {{ include "grafana.namespace" . }} +spec: + serviceAccountName: {{ include "grafana.serviceAccountNameTest" . }} + {{- with .Values.testFramework.securityContext }} + securityContext: + {{- toYaml . | nindent 4 }} + {{- end }} + {{- if or .Values.image.pullSecrets .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- include "grafana.imagePullSecrets" (dict "root" $root "imagePullSecrets" .Values.image.pullSecrets) | nindent 4 }} + {{- end }} + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- tpl (toYaml .) $root | nindent 4 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 4 }} + {{- end }} + containers: + - name: {{ .Release.Name }}-test + image: "{{ .Values.global.imageRegistry | default .Values.testFramework.image.registry }}/{{ .Values.testFramework.image.repository }}:{{ .Values.testFramework.image.tag }}" + imagePullPolicy: "{{ .Values.testFramework.imagePullPolicy}}" + command: ["/opt/bats/bin/bats", "-t", "/tests/run.sh"] + volumeMounts: + - mountPath: /tests + name: tests + readOnly: true + {{- with .Values.testFramework.resources }} + resources: + {{- toYaml . | nindent 8 }} + {{- end }} + volumes: + - name: tests + configMap: + name: {{ include "grafana.fullname" . }}-test + restartPolicy: Never +{{- end }} diff --git a/charts/kasten/k10/7.0.1401/charts/grafana/values.yaml b/charts/kasten/k10/7.0.1401/charts/grafana/values.yaml new file mode 100644 index 000000000..6beae1bf4 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/grafana/values.yaml @@ -0,0 +1,1392 @@ +global: + # -- Overrides the Docker registry globally for all images + imageRegistry: null + + # To help compatibility with other charts which use global.imagePullSecrets. + # Allow either an array of {name: pullSecret} maps (k8s-style), or an array of strings (more common helm-style). + # Can be templated. + # global: + # imagePullSecrets: + # - name: pullSecret1 + # - name: pullSecret2 + # or + # global: + # imagePullSecrets: + # - pullSecret1 + # - pullSecret2 + imagePullSecrets: [] + +rbac: + create: true + ## Use an existing ClusterRole/Role (depending on rbac.namespaced false/true) + # useExistingRole: name-of-some-role + # useExistingClusterRole: name-of-some-clusterRole + pspEnabled: false + pspUseAppArmor: false + namespaced: false + extraRoleRules: [] + # - apiGroups: [] + # resources: [] + # verbs: [] + extraClusterRoleRules: [] + # - apiGroups: [] + # resources: [] + # verbs: [] +serviceAccount: + create: true + name: + nameTest: + ## ServiceAccount labels. + labels: {} + ## Service account annotations. Can be templated. + # annotations: + # eks.amazonaws.com/role-arn: arn:aws:iam::123456789000:role/iam-role-name-here + + ## autoMount is deprecated in favor of automountServiceAccountToken + # autoMount: false + automountServiceAccountToken: false + +replicas: 1 + +## Create a headless service for the deployment +headlessService: false + +## Should the service account be auto mounted on the pod +automountServiceAccountToken: true + +## Create HorizontalPodAutoscaler object for deployment type +# +autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 5 + targetCPU: "60" + targetMemory: "" + behavior: {} + +## See `kubectl explain poddisruptionbudget.spec` for more +## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ +podDisruptionBudget: {} +# apiVersion: "" +# minAvailable: 1 +# maxUnavailable: 1 + +## See `kubectl explain deployment.spec.strategy` for more +## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy +deploymentStrategy: + type: RollingUpdate + +readinessProbe: + httpGet: + path: /api/health + port: 3000 + +livenessProbe: + httpGet: + path: /api/health + port: 3000 + initialDelaySeconds: 60 + timeoutSeconds: 30 + failureThreshold: 10 + +## Use an alternate scheduler, e.g. "stork". +## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ +## +# schedulerName: "default-scheduler" + +image: + # -- The Docker registry + registry: docker.io + # -- Docker image repository + repository: grafana/grafana + # Overrides the Grafana image tag whose default is the chart appVersion + tag: "" + sha: "" + pullPolicy: IfNotPresent + + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## Can be templated. + ## + pullSecrets: [] + # - myRegistrKeySecretName + +testFramework: + enabled: true + image: + # -- The Docker registry + registry: docker.io + repository: bats/bats + tag: "v1.4.1" + imagePullPolicy: IfNotPresent + securityContext: {} + resources: {} + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + +# dns configuration for pod +dnsPolicy: ~ +dnsConfig: {} + # nameservers: + # - 8.8.8.8 + # options: + # - name: ndots + # value: "2" + # - name: edns0 + +securityContext: + runAsNonRoot: true + runAsUser: 472 + runAsGroup: 472 + fsGroup: 472 + +containerSecurityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault + +# Enable creating the grafana configmap +createConfigmap: true + +# Extra configmaps to mount in grafana pods +# Values are templated. +extraConfigmapMounts: [] + # - name: certs-configmap + # mountPath: /etc/grafana/ssl/ + # subPath: certificates.crt # (optional) + # configMap: certs-configmap + # readOnly: true + # optional: false + + +extraEmptyDirMounts: [] + # - name: provisioning-notifiers + # mountPath: /etc/grafana/provisioning/notifiers + + +# Apply extra labels to common labels. +extraLabels: {} + +## Assign a PriorityClassName to pods if set +# priorityClassName: + +downloadDashboardsImage: + # -- The Docker registry + registry: docker.io + repository: curlimages/curl + tag: 7.85.0 + sha: "" + pullPolicy: IfNotPresent + +downloadDashboards: + env: {} + envFromSecret: "" + resources: {} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault + envValueFrom: {} + # ENV_NAME: + # configMapKeyRef: + # name: configmap-name + # key: value_key + +## Pod Annotations +# podAnnotations: {} + +## ConfigMap Annotations +# configMapAnnotations: {} + # argocd.argoproj.io/sync-options: Replace=true + +## Pod Labels +# podLabels: {} + +podPortName: grafana +gossipPortName: gossip +## Deployment annotations +# annotations: {} + +## Expose the grafana service to be accessed from outside the cluster (LoadBalancer service). +## or access it from within the cluster (ClusterIP service). Set the service type and the port to serve it. +## ref: http://kubernetes.io/docs/user-guide/services/ +## +service: + enabled: true + type: ClusterIP + # Set the ip family policy to configure dual-stack see [Configure dual-stack](https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services) + ipFamilyPolicy: "" + # Sets the families that should be supported and the order in which they should be applied to ClusterIP as well. Can be IPv4 and/or IPv6. + ipFamilies: [] + loadBalancerIP: "" + loadBalancerClass: "" + loadBalancerSourceRanges: [] + port: 80 + targetPort: 3000 + # targetPort: 4181 To be used with a proxy extraContainer + ## Service annotations. Can be templated. + annotations: {} + labels: {} + portName: service + # Adds the appProtocol field to the service. This allows to work with istio protocol selection. Ex: "http" or "tcp" + appProtocol: "" + +serviceMonitor: + ## If true, a ServiceMonitor CR is created for a prometheus operator + ## https://github.com/coreos/prometheus-operator + ## + enabled: false + path: /metrics + # namespace: monitoring (defaults to use the namespace this chart is deployed to) + labels: {} + interval: 30s + scheme: http + tlsConfig: {} + scrapeTimeout: 30s + relabelings: [] + metricRelabelings: [] + targetLabels: [] + +extraExposePorts: [] + # - name: keycloak + # port: 8080 + # targetPort: 8080 + +# overrides pod.spec.hostAliases in the grafana deployment's pods +hostAliases: [] + # - ip: "1.2.3.4" + # hostnames: + # - "my.host.com" + +ingress: + enabled: false + # For Kubernetes >= 1.18 you should specify the ingress-controller via the field ingressClassName + # See https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/#specifying-the-class-of-an-ingress + # ingressClassName: nginx + # Values can be templated + annotations: {} + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + labels: {} + path: / + + # pathType is only for k8s >= 1.1= + pathType: Prefix + + hosts: + - chart-example.local + ## Extra paths to prepend to every host configuration. This is useful when working with annotation based services. + extraPaths: [] + # - path: /* + # backend: + # serviceName: ssl-redirect + # servicePort: use-annotation + ## Or for k8s > 1.19 + # - path: /* + # pathType: Prefix + # backend: + # service: + # name: ssl-redirect + # port: + # name: use-annotation + + + tls: [] + # - secretName: chart-example-tls + # hosts: + # - chart-example.local + +resources: {} +# limits: +# cpu: 100m +# memory: 128Mi +# requests: +# cpu: 100m +# memory: 128Mi + +## Node labels for pod assignment +## ref: https://kubernetes.io/docs/user-guide/node-selection/ +# +nodeSelector: {} + +## Tolerations for pod assignment +## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ +## +tolerations: [] + +## Affinity for pod assignment (evaluated as template) +## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity +## +affinity: {} + +## Topology Spread Constraints +## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ +## +topologySpreadConstraints: [] + +## Additional init containers (evaluated as template) +## ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/ +## +extraInitContainers: [] + +## Enable an Specify container in extraContainers. This is meant to allow adding an authentication proxy to a grafana pod +extraContainers: "" +# extraContainers: | +# - name: proxy +# image: quay.io/gambol99/keycloak-proxy:latest +# args: +# - -provider=github +# - -client-id= +# - -client-secret= +# - -github-org= +# - -email-domain=* +# - -cookie-secret= +# - -http-address=http://0.0.0.0:4181 +# - -upstream-url=http://127.0.0.1:3000 +# ports: +# - name: proxy-web +# containerPort: 4181 + +## Volumes that can be used in init containers that will not be mounted to deployment pods +extraContainerVolumes: [] +# - name: volume-from-secret +# secret: +# secretName: secret-to-mount +# - name: empty-dir-volume +# emptyDir: {} + +## Enable persistence using Persistent Volume Claims +## ref: https://kubernetes.io/docs/user-guide/persistent-volumes/ +## +persistence: + type: pvc + enabled: false + # storageClassName: default + accessModes: + - ReadWriteOnce + size: 10Gi + # annotations: {} + finalizers: + - kubernetes.io/pvc-protection + # selectorLabels: {} + ## Sub-directory of the PV to mount. Can be templated. + # subPath: "" + ## Name of an existing PVC. Can be templated. + # existingClaim: + ## Extra labels to apply to a PVC. + extraPvcLabels: {} + disableWarning: false + + ## If persistence is not enabled, this allows to mount the + ## local storage in-memory to improve performance + ## + inMemory: + enabled: false + ## The maximum usage on memory medium EmptyDir would be + ## the minimum value between the SizeLimit specified + ## here and the sum of memory limits of all containers in a pod + ## + # sizeLimit: 300Mi + + ## If 'lookupVolumeName' is set to true, Helm will attempt to retrieve + ## the current value of 'spec.volumeName' and incorporate it into the template. + lookupVolumeName: true + +initChownData: + ## If false, data ownership will not be reset at startup + ## This allows the grafana-server to be run with an arbitrary user + ## + enabled: true + + ## initChownData container image + ## + image: + # -- The Docker registry + registry: docker.io + repository: library/busybox + tag: "1.31.1" + sha: "" + pullPolicy: IfNotPresent + + ## initChownData resource requests and limits + ## Ref: http://kubernetes.io/docs/user-guide/compute-resources/ + ## + resources: {} + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + securityContext: + runAsNonRoot: false + runAsUser: 0 + seccompProfile: + type: RuntimeDefault + capabilities: + add: + - CHOWN + +# Administrator credentials when not using an existing secret (see below) +adminUser: admin +# adminPassword: strongpassword + +# Use an existing secret for the admin user. +admin: + ## Name of the secret. Can be templated. + existingSecret: "" + userKey: admin-user + passwordKey: admin-password + +## Define command to be executed at startup by grafana container +## Needed if using `vault-env` to manage secrets (ref: https://banzaicloud.com/blog/inject-secrets-into-pods-vault/) +## Default is "run.sh" as defined in grafana's Dockerfile +# command: +# - "sh" +# - "/run.sh" + +## Optionally define args if command is used +## Needed if using `hashicorp/envconsul` to manage secrets +## By default no arguments are set +# args: +# - "-secret" +# - "secret/grafana" +# - "./grafana" + +## Extra environment variables that will be pass onto deployment pods +## +## to provide grafana with access to CloudWatch on AWS EKS: +## 1. create an iam role of type "Web identity" with provider oidc.eks.* (note the provider for later) +## 2. edit the "Trust relationships" of the role, add a line inside the StringEquals clause using the +## same oidc eks provider as noted before (same as the existing line) +## also, replace NAMESPACE and prometheus-operator-grafana with the service account namespace and name +## +## "oidc.eks.us-east-1.amazonaws.com/id/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:sub": "system:serviceaccount:NAMESPACE:prometheus-operator-grafana", +## +## 3. attach a policy to the role, you can use a built in policy called CloudWatchReadOnlyAccess +## 4. use the following env: (replace 123456789000 and iam-role-name-here with your aws account number and role name) +## +## env: +## AWS_ROLE_ARN: arn:aws:iam::123456789000:role/iam-role-name-here +## AWS_WEB_IDENTITY_TOKEN_FILE: /var/run/secrets/eks.amazonaws.com/serviceaccount/token +## AWS_REGION: us-east-1 +## +## 5. uncomment the EKS section in extraSecretMounts: below +## 6. uncomment the annotation section in the serviceAccount: above +## make sure to replace arn:aws:iam::123456789000:role/iam-role-name-here with your role arn + +env: {} + +## "valueFrom" environment variable references that will be added to deployment pods. Name is templated. +## ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#envvarsource-v1-core +## Renders in container spec as: +## env: +## ... +## - name: +## valueFrom: +## +envValueFrom: {} + # ENV_NAME: + # configMapKeyRef: + # name: configmap-name + # key: value_key + +## The name of a secret in the same kubernetes namespace which contain values to be added to the environment +## This can be useful for auth tokens, etc. Value is templated. +envFromSecret: "" + +## Sensible environment variables that will be rendered as new secret object +## This can be useful for auth tokens, etc. +## If the secret values contains "{{", they'll need to be properly escaped so that they are not interpreted by Helm +## ref: https://helm.sh/docs/howto/charts_tips_and_tricks/#using-the-tpl-function +envRenderSecret: {} + +## The names of secrets in the same kubernetes namespace which contain values to be added to the environment +## Each entry should contain a name key, and can optionally specify whether the secret must be defined with an optional key. +## Name is templated. +envFromSecrets: [] +## - name: secret-name +## prefix: prefix +## optional: true + +## The names of conifgmaps in the same kubernetes namespace which contain values to be added to the environment +## Each entry should contain a name key, and can optionally specify whether the configmap must be defined with an optional key. +## Name is templated. +## ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#configmapenvsource-v1-core +envFromConfigMaps: [] +## - name: configmap-name +## prefix: prefix +## optional: true + +# Inject Kubernetes services as environment variables. +# See https://kubernetes.io/docs/concepts/services-networking/connect-applications-service/#environment-variables +enableServiceLinks: true + +## Additional grafana server secret mounts +# Defines additional mounts with secrets. Secrets must be manually created in the namespace. +extraSecretMounts: [] + # - name: secret-files + # mountPath: /etc/secrets + # secretName: grafana-secret-files + # readOnly: true + # optional: false + # subPath: "" + # + # for AWS EKS (cloudwatch) use the following (see also instruction in env: above) + # - name: aws-iam-token + # mountPath: /var/run/secrets/eks.amazonaws.com/serviceaccount + # readOnly: true + # projected: + # defaultMode: 420 + # sources: + # - serviceAccountToken: + # audience: sts.amazonaws.com + # expirationSeconds: 86400 + # path: token + # + # for CSI e.g. Azure Key Vault use the following + # - name: secrets-store-inline + # mountPath: /run/secrets + # readOnly: true + # csi: + # driver: secrets-store.csi.k8s.io + # readOnly: true + # volumeAttributes: + # secretProviderClass: "akv-grafana-spc" + # nodePublishSecretRef: # Only required when using service principal mode + # name: grafana-akv-creds # Only required when using service principal mode + +## Additional grafana server volume mounts +# Defines additional volume mounts. +extraVolumeMounts: [] + # - name: extra-volume-0 + # mountPath: /mnt/volume0 + # readOnly: true + # - name: extra-volume-1 + # mountPath: /mnt/volume1 + # readOnly: true + # - name: grafana-secrets + # mountPath: /mnt/volume2 + +## Additional Grafana server volumes +extraVolumes: [] + # - name: extra-volume-0 + # existingClaim: volume-claim + # - name: extra-volume-1 + # hostPath: + # path: /usr/shared/ + # type: "" + # - name: grafana-secrets + # csi: + # driver: secrets-store.csi.k8s.io + # readOnly: true + # volumeAttributes: + # secretProviderClass: "grafana-env-spc" + +## Container Lifecycle Hooks. Execute a specific bash command or make an HTTP request +lifecycleHooks: {} + # postStart: + # exec: + # command: [] + +## Pass the plugins you want installed as a list. +## +plugins: [] + # - digrich-bubblechart-panel + # - grafana-clock-panel + ## You can also use other plugin download URL, as long as they are valid zip files, + ## and specify the name of the plugin after the semicolon. Like this: + # - https://grafana.com/api/plugins/marcusolsson-json-datasource/versions/1.3.2/download;marcusolsson-json-datasource + +## Configure grafana datasources +## ref: http://docs.grafana.org/administration/provisioning/#datasources +## +datasources: {} +# datasources.yaml: +# apiVersion: 1 +# datasources: +# - name: Prometheus +# type: prometheus +# url: http://prometheus-prometheus-server +# access: proxy +# isDefault: true +# - name: CloudWatch +# type: cloudwatch +# access: proxy +# uid: cloudwatch +# editable: false +# jsonData: +# authType: default +# defaultRegion: us-east-1 +# deleteDatasources: [] +# - name: Prometheus + +## Configure grafana alerting (can be templated) +## ref: http://docs.grafana.org/administration/provisioning/#alerting +## +alerting: {} + # rules.yaml: + # apiVersion: 1 + # groups: + # - orgId: 1 + # name: '{{ .Chart.Name }}_my_rule_group' + # folder: my_first_folder + # interval: 60s + # rules: + # - uid: my_id_1 + # title: my_first_rule + # condition: A + # data: + # - refId: A + # datasourceUid: '-100' + # model: + # conditions: + # - evaluator: + # params: + # - 3 + # type: gt + # operator: + # type: and + # query: + # params: + # - A + # reducer: + # type: last + # type: query + # datasource: + # type: __expr__ + # uid: '-100' + # expression: 1==0 + # intervalMs: 1000 + # maxDataPoints: 43200 + # refId: A + # type: math + # dashboardUid: my_dashboard + # panelId: 123 + # noDataState: Alerting + # for: 60s + # annotations: + # some_key: some_value + # labels: + # team: sre_team_1 + # contactpoints.yaml: + # secret: + # apiVersion: 1 + # contactPoints: + # - orgId: 1 + # name: cp_1 + # receivers: + # - uid: first_uid + # type: pagerduty + # settings: + # integrationKey: XXX + # severity: critical + # class: ping failure + # component: Grafana + # group: app-stack + # summary: | + # {{ `{{ include "default.message" . }}` }} + +## Configure notifiers +## ref: http://docs.grafana.org/administration/provisioning/#alert-notification-channels +## +notifiers: {} +# notifiers.yaml: +# notifiers: +# - name: email-notifier +# type: email +# uid: email1 +# # either: +# org_id: 1 +# # or +# org_name: Main Org. +# is_default: true +# settings: +# addresses: an_email_address@example.com +# delete_notifiers: + +## Configure grafana dashboard providers +## ref: http://docs.grafana.org/administration/provisioning/#dashboards +## +## `path` must be /var/lib/grafana/dashboards/ +## +dashboardProviders: {} +# dashboardproviders.yaml: +# apiVersion: 1 +# providers: +# - name: 'default' +# orgId: 1 +# folder: '' +# type: file +# disableDeletion: false +# editable: true +# options: +# path: /var/lib/grafana/dashboards/default + +## Configure grafana dashboard to import +## NOTE: To use dashboards you must also enable/configure dashboardProviders +## ref: https://grafana.com/dashboards +## +## dashboards per provider, use provider name as key. +## +dashboards: {} + # default: + # some-dashboard: + # json: | + # $RAW_JSON + # custom-dashboard: + # file: dashboards/custom-dashboard.json + # prometheus-stats: + # gnetId: 2 + # revision: 2 + # datasource: Prometheus + # local-dashboard: + # url: https://example.com/repository/test.json + # token: '' + # local-dashboard-base64: + # url: https://example.com/repository/test-b64.json + # token: '' + # b64content: true + # local-dashboard-gitlab: + # url: https://example.com/repository/test-gitlab.json + # gitlabToken: '' + # local-dashboard-bitbucket: + # url: https://example.com/repository/test-bitbucket.json + # bearerToken: '' + # local-dashboard-azure: + # url: https://example.com/repository/test-azure.json + # basic: '' + # acceptHeader: '*/*' + +## Reference to external ConfigMap per provider. Use provider name as key and ConfigMap name as value. +## A provider dashboards must be defined either by external ConfigMaps or in values.yaml, not in both. +## ConfigMap data example: +## +## data: +## example-dashboard.json: | +## RAW_JSON +## +dashboardsConfigMaps: {} +# default: "" + +## Grafana's primary configuration +## NOTE: values in map will be converted to ini format +## ref: http://docs.grafana.org/installation/configuration/ +## +grafana.ini: + paths: + data: /var/lib/grafana/ + logs: /var/log/grafana + plugins: /var/lib/grafana/plugins + provisioning: /etc/grafana/provisioning + analytics: + check_for_updates: true + log: + mode: console + grafana_net: + url: https://grafana.net + server: + domain: "{{ if (and .Values.ingress.enabled .Values.ingress.hosts) }}{{ tpl (.Values.ingress.hosts | first) . }}{{ else }}''{{ end }}" +## grafana Authentication can be enabled with the following values on grafana.ini + # server: + # The full public facing url you use in browser, used for redirects and emails + # root_url: + # https://grafana.com/docs/grafana/latest/auth/github/#enable-github-in-grafana + # auth.github: + # enabled: false + # allow_sign_up: false + # scopes: user:email,read:org + # auth_url: https://github.com/login/oauth/authorize + # token_url: https://github.com/login/oauth/access_token + # api_url: https://api.github.com/user + # team_ids: + # allowed_organizations: + # client_id: + # client_secret: +## LDAP Authentication can be enabled with the following values on grafana.ini +## NOTE: Grafana will fail to start if the value for ldap.toml is invalid + # auth.ldap: + # enabled: true + # allow_sign_up: true + # config_file: /etc/grafana/ldap.toml + +## Grafana's LDAP configuration +## Templated by the template in _helpers.tpl +## NOTE: To enable the grafana.ini must be configured with auth.ldap.enabled +## ref: http://docs.grafana.org/installation/configuration/#auth-ldap +## ref: http://docs.grafana.org/installation/ldap/#configuration +ldap: + enabled: false + # `existingSecret` is a reference to an existing secret containing the ldap configuration + # for Grafana in a key `ldap-toml`. + existingSecret: "" + # `config` is the content of `ldap.toml` that will be stored in the created secret + config: "" + # config: |- + # verbose_logging = true + + # [[servers]] + # host = "my-ldap-server" + # port = 636 + # use_ssl = true + # start_tls = false + # ssl_skip_verify = false + # bind_dn = "uid=%s,ou=users,dc=myorg,dc=com" + +## Grafana's SMTP configuration +## NOTE: To enable, grafana.ini must be configured with smtp.enabled +## ref: http://docs.grafana.org/installation/configuration/#smtp +smtp: + # `existingSecret` is a reference to an existing secret containing the smtp configuration + # for Grafana. + existingSecret: "" + userKey: "user" + passwordKey: "password" + +## Sidecars that collect the configmaps with specified label and stores the included files them into the respective folders +## Requires at least Grafana 5 to work and can't be used together with parameters dashboardProviders, datasources and dashboards +sidecar: + image: + # -- The Docker registry + registry: quay.io + repository: kiwigrid/k8s-sidecar + tag: 1.28.0 + sha: "" + imagePullPolicy: IfNotPresent + resources: {} +# limits: +# cpu: 100m +# memory: 100Mi +# requests: +# cpu: 50m +# memory: 50Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + seccompProfile: + type: RuntimeDefault + # skipTlsVerify Set to true to skip tls verification for kube api calls + # skipTlsVerify: true + enableUniqueFilenames: false + readinessProbe: {} + livenessProbe: {} + # Log level default for all sidecars. Can be one of: DEBUG, INFO, WARN, ERROR, CRITICAL. Defaults to INFO + # logLevel: INFO + alerts: + enabled: false + # Additional environment variables for the alerts sidecar + env: {} + # Do not reprocess already processed unchanged resources on k8s API reconnect. + # ignoreAlreadyProcessed: true + # label that the configmaps with alert are marked with + label: grafana_alert + # value of label that the configmaps with alert are set to + labelValue: "" + # Log level. Can be one of: DEBUG, INFO, WARN, ERROR, CRITICAL. + # logLevel: INFO + # If specified, the sidecar will search for alert config-maps inside this namespace. + # Otherwise the namespace in which the sidecar is running will be used. + # It's also possible to specify ALL to search in all namespaces + searchNamespace: null + # Method to use to detect ConfigMap changes. With WATCH the sidecar will do a WATCH requests, with SLEEP it will list all ConfigMaps, then sleep for 60 seconds. + watchMethod: WATCH + # search in configmap, secret or both + resource: both + # watchServerTimeout: request to the server, asking it to cleanly close the connection after that. + # defaults to 60sec; much higher values like 3600 seconds (1h) are feasible for non-Azure K8S + # watchServerTimeout: 3600 + # + # watchClientTimeout: is a client-side timeout, configuring your local socket. + # If you have a network outage dropping all packets with no RST/FIN, + # this is how long your client waits before realizing & dropping the connection. + # defaults to 66sec (sic!) + # watchClientTimeout: 60 + # + # Endpoint to send request to reload alerts + reloadURL: "http://localhost:3000/api/admin/provisioning/alerting/reload" + # Absolute path to shell script to execute after a alert got reloaded + script: null + skipReload: false + # This is needed if skipReload is true, to load any alerts defined at startup time. + # Deploy the alert sidecar as an initContainer. + initAlerts: false + # Additional alerts sidecar volume mounts + extraMounts: [] + # Sets the size limit of the alert sidecar emptyDir volume + sizeLimit: {} + dashboards: + enabled: false + # Additional environment variables for the dashboards sidecar + env: {} + ## "valueFrom" environment variable references that will be added to deployment pods. Name is templated. + ## ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#envvarsource-v1-core + ## Renders in container spec as: + ## env: + ## ... + ## - name: + ## valueFrom: + ## + envValueFrom: {} + # ENV_NAME: + # configMapKeyRef: + # name: configmap-name + # key: value_key + # Do not reprocess already processed unchanged resources on k8s API reconnect. + # ignoreAlreadyProcessed: true + SCProvider: true + # label that the configmaps with dashboards are marked with + label: grafana_dashboard + # value of label that the configmaps with dashboards are set to + labelValue: "" + # Log level. Can be one of: DEBUG, INFO, WARN, ERROR, CRITICAL. + # logLevel: INFO + # folder in the pod that should hold the collected dashboards (unless `defaultFolderName` is set) + folder: /tmp/dashboards + # The default folder name, it will create a subfolder under the `folder` and put dashboards in there instead + defaultFolderName: null + # Namespaces list. If specified, the sidecar will search for config-maps/secrets inside these namespaces. + # Otherwise the namespace in which the sidecar is running will be used. + # It's also possible to specify ALL to search in all namespaces. + searchNamespace: null + # Method to use to detect ConfigMap changes. With WATCH the sidecar will do a WATCH requests, with SLEEP it will list all ConfigMaps, then sleep for 60 seconds. + watchMethod: WATCH + # search in configmap, secret or both + resource: both + # If specified, the sidecar will look for annotation with this name to create folder and put graph here. + # You can use this parameter together with `provider.foldersFromFilesStructure`to annotate configmaps and create folder structure. + folderAnnotation: null + # Endpoint to send request to reload alerts + reloadURL: "http://localhost:3000/api/admin/provisioning/dashboards/reload" + # Absolute path to shell script to execute after a configmap got reloaded + script: null + skipReload: false + # watchServerTimeout: request to the server, asking it to cleanly close the connection after that. + # defaults to 60sec; much higher values like 3600 seconds (1h) are feasible for non-Azure K8S + # watchServerTimeout: 3600 + # + # watchClientTimeout: is a client-side timeout, configuring your local socket. + # If you have a network outage dropping all packets with no RST/FIN, + # this is how long your client waits before realizing & dropping the connection. + # defaults to 66sec (sic!) + # watchClientTimeout: 60 + # + # provider configuration that lets grafana manage the dashboards + provider: + # name of the provider, should be unique + name: sidecarProvider + # orgid as configured in grafana + orgid: 1 + # folder in which the dashboards should be imported in grafana + folder: '' + # folder UID. will be automatically generated if not specified + folderUid: '' + # type of the provider + type: file + # disableDelete to activate a import-only behaviour + disableDelete: false + # allow updating provisioned dashboards from the UI + allowUiUpdates: false + # allow Grafana to replicate dashboard structure from filesystem + foldersFromFilesStructure: false + # Additional dashboards sidecar volume mounts + extraMounts: [] + # Sets the size limit of the dashboard sidecar emptyDir volume + sizeLimit: {} + datasources: + enabled: false + # Additional environment variables for the datasourcessidecar + env: {} + ## "valueFrom" environment variable references that will be added to deployment pods. Name is templated. + ## ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#envvarsource-v1-core + ## Renders in container spec as: + ## env: + ## ... + ## - name: + ## valueFrom: + ## + envValueFrom: {} + # ENV_NAME: + # configMapKeyRef: + # name: configmap-name + # key: value_key + # Do not reprocess already processed unchanged resources on k8s API reconnect. + # ignoreAlreadyProcessed: true + # label that the configmaps with datasources are marked with + label: grafana_datasource + # value of label that the configmaps with datasources are set to + labelValue: "" + # Log level. Can be one of: DEBUG, INFO, WARN, ERROR, CRITICAL. + # logLevel: INFO + # If specified, the sidecar will search for datasource config-maps inside this namespace. + # Otherwise the namespace in which the sidecar is running will be used. + # It's also possible to specify ALL to search in all namespaces + searchNamespace: null + # Method to use to detect ConfigMap changes. With WATCH the sidecar will do a WATCH requests, with SLEEP it will list all ConfigMaps, then sleep for 60 seconds. + watchMethod: WATCH + # search in configmap, secret or both + resource: both + # watchServerTimeout: request to the server, asking it to cleanly close the connection after that. + # defaults to 60sec; much higher values like 3600 seconds (1h) are feasible for non-Azure K8S + # watchServerTimeout: 3600 + # + # watchClientTimeout: is a client-side timeout, configuring your local socket. + # If you have a network outage dropping all packets with no RST/FIN, + # this is how long your client waits before realizing & dropping the connection. + # defaults to 66sec (sic!) + # watchClientTimeout: 60 + # + # Endpoint to send request to reload datasources + reloadURL: "http://localhost:3000/api/admin/provisioning/datasources/reload" + # Absolute path to shell script to execute after a datasource got reloaded + script: null + skipReload: false + # This is needed if skipReload is true, to load any datasources defined at startup time. + # Deploy the datasources sidecar as an initContainer. + initDatasources: false + # Additional datasources sidecar volume mounts + extraMounts: [] + # Sets the size limit of the datasource sidecar emptyDir volume + sizeLimit: {} + plugins: + enabled: false + # Additional environment variables for the plugins sidecar + env: {} + # Do not reprocess already processed unchanged resources on k8s API reconnect. + # ignoreAlreadyProcessed: true + # label that the configmaps with plugins are marked with + label: grafana_plugin + # value of label that the configmaps with plugins are set to + labelValue: "" + # Log level. Can be one of: DEBUG, INFO, WARN, ERROR, CRITICAL. + # logLevel: INFO + # If specified, the sidecar will search for plugin config-maps inside this namespace. + # Otherwise the namespace in which the sidecar is running will be used. + # It's also possible to specify ALL to search in all namespaces + searchNamespace: null + # Method to use to detect ConfigMap changes. With WATCH the sidecar will do a WATCH requests, with SLEEP it will list all ConfigMaps, then sleep for 60 seconds. + watchMethod: WATCH + # search in configmap, secret or both + resource: both + # watchServerTimeout: request to the server, asking it to cleanly close the connection after that. + # defaults to 60sec; much higher values like 3600 seconds (1h) are feasible for non-Azure K8S + # watchServerTimeout: 3600 + # + # watchClientTimeout: is a client-side timeout, configuring your local socket. + # If you have a network outage dropping all packets with no RST/FIN, + # this is how long your client waits before realizing & dropping the connection. + # defaults to 66sec (sic!) + # watchClientTimeout: 60 + # + # Endpoint to send request to reload plugins + reloadURL: "http://localhost:3000/api/admin/provisioning/plugins/reload" + # Absolute path to shell script to execute after a plugin got reloaded + script: null + skipReload: false + # Deploy the datasource sidecar as an initContainer in addition to a container. + # This is needed if skipReload is true, to load any plugins defined at startup time. + initPlugins: false + # Additional plugins sidecar volume mounts + extraMounts: [] + # Sets the size limit of the plugin sidecar emptyDir volume + sizeLimit: {} + notifiers: + enabled: false + # Additional environment variables for the notifierssidecar + env: {} + # Do not reprocess already processed unchanged resources on k8s API reconnect. + # ignoreAlreadyProcessed: true + # label that the configmaps with notifiers are marked with + label: grafana_notifier + # value of label that the configmaps with notifiers are set to + labelValue: "" + # Log level. Can be one of: DEBUG, INFO, WARN, ERROR, CRITICAL. + # logLevel: INFO + # If specified, the sidecar will search for notifier config-maps inside this namespace. + # Otherwise the namespace in which the sidecar is running will be used. + # It's also possible to specify ALL to search in all namespaces + searchNamespace: null + # Method to use to detect ConfigMap changes. With WATCH the sidecar will do a WATCH requests, with SLEEP it will list all ConfigMaps, then sleep for 60 seconds. + watchMethod: WATCH + # search in configmap, secret or both + resource: both + # watchServerTimeout: request to the server, asking it to cleanly close the connection after that. + # defaults to 60sec; much higher values like 3600 seconds (1h) are feasible for non-Azure K8S + # watchServerTimeout: 3600 + # + # watchClientTimeout: is a client-side timeout, configuring your local socket. + # If you have a network outage dropping all packets with no RST/FIN, + # this is how long your client waits before realizing & dropping the connection. + # defaults to 66sec (sic!) + # watchClientTimeout: 60 + # + # Endpoint to send request to reload notifiers + reloadURL: "http://localhost:3000/api/admin/provisioning/notifications/reload" + # Absolute path to shell script to execute after a notifier got reloaded + script: null + skipReload: false + # Deploy the notifier sidecar as an initContainer in addition to a container. + # This is needed if skipReload is true, to load any notifiers defined at startup time. + initNotifiers: false + # Additional notifiers sidecar volume mounts + extraMounts: [] + # Sets the size limit of the notifier sidecar emptyDir volume + sizeLimit: {} + +## Override the deployment namespace +## +namespaceOverride: "" + +## Number of old ReplicaSets to retain +## +revisionHistoryLimit: 10 + +## Add a seperate remote image renderer deployment/service +imageRenderer: + deploymentStrategy: {} + # Enable the image-renderer deployment & service + enabled: false + replicas: 1 + autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 5 + targetCPU: "60" + targetMemory: "" + behavior: {} + # The url of remote image renderer if it is not in the same namespace with the grafana instance + serverURL: "" + # The callback url of grafana instances if it is not in the same namespace with the remote image renderer + renderingCallbackURL: "" + image: + # -- The Docker registry + registry: docker.io + # image-renderer Image repository + repository: grafana/grafana-image-renderer + # image-renderer Image tag + tag: latest + # image-renderer Image sha (optional) + sha: "" + # image-renderer ImagePullPolicy + pullPolicy: Always + # extra environment variables + env: + HTTP_HOST: "0.0.0.0" + # RENDERING_ARGS: --no-sandbox,--disable-gpu,--window-size=1280x758 + # RENDERING_MODE: clustered + # IGNORE_HTTPS_ERRORS: true + + ## "valueFrom" environment variable references that will be added to deployment pods. Name is templated. + ## ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#envvarsource-v1-core + ## Renders in container spec as: + ## env: + ## ... + ## - name: + ## valueFrom: + ## + envValueFrom: {} + # ENV_NAME: + # configMapKeyRef: + # name: configmap-name + # key: value_key + + # image-renderer deployment serviceAccount + serviceAccountName: "" + # image-renderer deployment securityContext + securityContext: {} + # image-renderer deployment container securityContext + containerSecurityContext: + seccompProfile: + type: RuntimeDefault + capabilities: + drop: ['ALL'] + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + ## image-renderer pod annotation + podAnnotations: {} + # image-renderer deployment Host Aliases + hostAliases: [] + # image-renderer deployment priority class + priorityClassName: '' + service: + # Enable the image-renderer service + enabled: true + # image-renderer service port name + portName: 'http' + # image-renderer service port used by both service and deployment + port: 8081 + targetPort: 8081 + # Adds the appProtocol field to the image-renderer service. This allows to work with istio protocol selection. Ex: "http" or "tcp" + appProtocol: "" + serviceMonitor: + ## If true, a ServiceMonitor CRD is created for a prometheus operator + ## https://github.com/coreos/prometheus-operator + ## + enabled: false + path: /metrics + # namespace: monitoring (defaults to use the namespace this chart is deployed to) + labels: {} + interval: 1m + scheme: http + tlsConfig: {} + scrapeTimeout: 30s + relabelings: [] + # See: https://doc.crds.dev/github.com/prometheus-operator/kube-prometheus/monitoring.coreos.com/ServiceMonitor/v1@v0.11.0#spec-targetLabels + targetLabels: [] + # - targetLabel1 + # - targetLabel2 + # If https is enabled in Grafana, this needs to be set as 'https' to correctly configure the callback used in Grafana + grafanaProtocol: http + # In case a sub_path is used this needs to be added to the image renderer callback + grafanaSubPath: "" + # name of the image-renderer port on the pod + podPortName: http + # number of image-renderer replica sets to keep + revisionHistoryLimit: 10 + networkPolicy: + # Enable a NetworkPolicy to limit inbound traffic to only the created grafana pods + limitIngress: true + # Enable a NetworkPolicy to limit outbound traffic to only the created grafana pods + limitEgress: false + # Allow additional services to access image-renderer (eg. Prometheus operator when ServiceMonitor is enabled) + extraIngressSelectors: [] + resources: {} +# limits: +# cpu: 100m +# memory: 100Mi +# requests: +# cpu: 50m +# memory: 50Mi + ## Node labels for pod assignment + ## ref: https://kubernetes.io/docs/user-guide/node-selection/ + # + nodeSelector: {} + + ## Tolerations for pod assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + ## + tolerations: [] + + ## Affinity for pod assignment (evaluated as template) + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + ## + affinity: {} + + ## Use an alternate scheduler, e.g. "stork". + ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ + ## + # schedulerName: "default-scheduler" + + # Extra configmaps to mount in image-renderer pods + extraConfigmapMounts: [] + + # Extra secrets to mount in image-renderer pods + extraSecretMounts: [] + + # Extra volumes to mount in image-renderer pods + extraVolumeMounts: [] + + # Extra volumes for image-renderer pods + extraVolumes: [] + +networkPolicy: + ## @param networkPolicy.enabled Enable creation of NetworkPolicy resources. Only Ingress traffic is filtered for now. + ## + enabled: false + ## @param networkPolicy.allowExternal Don't require client label for connections + ## The Policy model to apply. When set to false, only pods with the correct + ## client label will have network access to grafana port defined. + ## When true, grafana will accept connections from any source + ## (with the correct destination port). + ## + ingress: true + ## @param networkPolicy.ingress When true enables the creation + ## an ingress network policy + ## + allowExternal: true + ## @param networkPolicy.explicitNamespacesSelector A Kubernetes LabelSelector to explicitly select namespaces from which traffic could be allowed + ## If explicitNamespacesSelector is missing or set to {}, only client Pods that are in the networkPolicy's namespace + ## and that match other criteria, the ones that have the good label, can reach the grafana. + ## But sometimes, we want the grafana to be accessible to clients from other namespaces, in this case, we can use this + ## LabelSelector to select these namespaces, note that the networkPolicy's namespace should also be explicitly added. + ## + ## Example: + ## explicitNamespacesSelector: + ## matchLabels: + ## role: frontend + ## matchExpressions: + ## - {key: role, operator: In, values: [frontend]} + ## + explicitNamespacesSelector: {} + ## + ## + ## + ## + ## + ## + egress: + ## @param networkPolicy.egress.enabled When enabled, an egress network policy will be + ## created allowing grafana to connect to external data sources from kubernetes cluster. + enabled: false + ## + ## @param networkPolicy.egress.blockDNSResolution When enabled, DNS resolution will be blocked + ## for all pods in the grafana namespace. + blockDNSResolution: false + ## + ## @param networkPolicy.egress.ports Add individual ports to be allowed by the egress + ports: [] + ## Add ports to the egress by specifying - port: + ## E.X. + ## - port: 80 + ## - port: 443 + ## + ## @param networkPolicy.egress.to Allow egress traffic to specific destinations + to: [] + ## Add destinations to the egress by specifying - ipBlock: + ## E.X. + ## to: + ## - namespaceSelector: + ## matchExpressions: + ## - {key: role, operator: In, values: [grafana]} + ## + ## + ## + ## + ## + +# Enable backward compatibility of kubernetes where version below 1.13 doesn't have the enableServiceLinks option +enableKubeBackwardCompatibility: false +useStatefulSet: false +# Create a dynamic manifests via values: +extraObjects: [] + # - apiVersion: "kubernetes-client.io/v1" + # kind: ExternalSecret + # metadata: + # name: grafana-secrets + # spec: + # backendType: gcpSecretsManager + # data: + # - key: grafana-admin-password + # name: adminPassword + +# assertNoLeakedSecrets is a helper function defined in _helpers.tpl that checks if secret +# values are not exposed in the rendered grafana.ini configmap. It is enabled by default. +# +# To pass values into grafana.ini without exposing them in a configmap, use variable expansion: +# https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#variable-expansion +# +# Alternatively, if you wish to allow secret values to be exposed in the rendered grafana.ini configmap, +# you can disable this check by setting assertNoLeakedSecrets to false. +assertNoLeakedSecrets: true diff --git a/charts/kasten/k10/7.0.1401/charts/prometheus/.helmignore b/charts/kasten/k10/7.0.1401/charts/prometheus/.helmignore new file mode 100644 index 000000000..825c00779 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/prometheus/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj + +OWNERS diff --git a/charts/kasten/k10/7.0.1401/charts/prometheus/Chart.lock b/charts/kasten/k10/7.0.1401/charts/prometheus/Chart.lock new file mode 100644 index 000000000..557cf7ebf --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/prometheus/Chart.lock @@ -0,0 +1,15 @@ +dependencies: +- name: alertmanager + repository: https://prometheus-community.github.io/helm-charts + version: 1.13.0 +- name: kube-state-metrics + repository: https://prometheus-community.github.io/helm-charts + version: 5.26.0 +- name: prometheus-node-exporter + repository: https://prometheus-community.github.io/helm-charts + version: 4.40.0 +- name: prometheus-pushgateway + repository: https://prometheus-community.github.io/helm-charts + version: 2.15.0 +digest: "" +generated: "0001-01-01T00:00:00Z" diff --git a/charts/kasten/k10/7.0.1401/charts/prometheus/Chart.yaml b/charts/kasten/k10/7.0.1401/charts/prometheus/Chart.yaml new file mode 100644 index 000000000..779a3b594 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/prometheus/Chart.yaml @@ -0,0 +1,53 @@ +annotations: + artifacthub.io/license: Apache-2.0 + artifacthub.io/links: | + - name: Chart Source + url: https://github.com/prometheus-community/helm-charts + - name: Upstream Project + url: https://github.com/prometheus/prometheus +apiVersion: v2 +appVersion: v2.55.0 +dependencies: +- condition: alertmanager.enabled + name: alertmanager + repository: https://prometheus-community.github.io/helm-charts + version: 1.13.* +- condition: kube-state-metrics.enabled + name: kube-state-metrics + repository: https://prometheus-community.github.io/helm-charts + version: 5.26.* +- condition: prometheus-node-exporter.enabled + name: prometheus-node-exporter + repository: https://prometheus-community.github.io/helm-charts + version: 4.40.* +- condition: prometheus-pushgateway.enabled + name: prometheus-pushgateway + repository: https://prometheus-community.github.io/helm-charts + version: 2.15.* +description: Prometheus is a monitoring system and time series database. +home: https://prometheus.io/ +icon: https://raw.githubusercontent.com/prometheus/prometheus.github.io/master/assets/prometheus_logo-cb55bb5c346.png +keywords: +- monitoring +- prometheus +kubeVersion: '>=1.19.0-0' +maintainers: +- email: gianrubio@gmail.com + name: gianrubio +- email: zanhsieh@gmail.com + name: zanhsieh +- email: miroslav.hadzhiev@gmail.com + name: Xtigyro +- email: naseem@transit.app + name: naseemkullah +- email: rootsandtrees@posteo.de + name: zeritti +name: prometheus +sources: +- https://github.com/prometheus/alertmanager +- https://github.com/prometheus/prometheus +- https://github.com/prometheus/pushgateway +- https://github.com/prometheus/node_exporter +- https://github.com/kubernetes/kube-state-metrics +type: application +version: 25.28.0 diff --git a/charts/kasten/k10/7.0.1401/charts/prometheus/OWNERS b/charts/kasten/k10/7.0.1401/charts/prometheus/OWNERS new file mode 100644 index 000000000..0cfd95021 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/prometheus/OWNERS @@ -0,0 +1,6 @@ +approvers: +- mgoodness +- gianrubio +reviewers: +- mgoodness +- gianrubio diff --git a/charts/kasten/k10/7.0.1401/charts/prometheus/README.md b/charts/kasten/k10/7.0.1401/charts/prometheus/README.md new file mode 100644 index 000000000..2cb744ce8 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/prometheus/README.md @@ -0,0 +1,382 @@ +# Prometheus + +[Prometheus](https://prometheus.io/), a [Cloud Native Computing Foundation](https://cncf.io/) project, is a systems and service monitoring system. It collects metrics from configured targets at given intervals, evaluates rule expressions, displays the results, and can trigger alerts if some condition is observed to be true. + +This chart bootstraps a [Prometheus](https://prometheus.io/) deployment on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. + +## Prerequisites + +- Kubernetes 1.19+ +- Helm 3.7+ + +## Get Repository Info + +```console +helm repo add prometheus-community https://prometheus-community.github.io/helm-charts +helm repo update +``` + +_See [helm repository](https://helm.sh/docs/helm/helm_repo/) for command documentation._ + +## Install Chart + +Starting with version 16.0, the Prometheus chart requires Helm 3.7+ in order to install successfully. Please check your `helm` release before installation. + +```console +helm install [RELEASE_NAME] prometheus-community/prometheus +``` + +_See [configuration](#configuration) below._ + +_See [helm install](https://helm.sh/docs/helm/helm_install/) for command documentation._ + +## Dependencies + +By default this chart installs additional, dependent charts: + +- [alertmanager](https://github.com/prometheus-community/helm-charts/tree/main/charts/alertmanager) +- [kube-state-metrics](https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-state-metrics) +- [prometheus-node-exporter](https://github.com/prometheus-community/helm-charts/tree/main/charts/prometheus-node-exporter) +- [prometheus-pushgateway](https://github.com/walker-tom/helm-charts/tree/main/charts/prometheus-pushgateway) + +To disable the dependency during installation, set `alertmanager.enabled`, `kube-state-metrics.enabled`, `prometheus-node-exporter.enabled` and `prometheus-pushgateway.enabled` to `false`. + +_See [helm dependency](https://helm.sh/docs/helm/helm_dependency/) for command documentation._ + +## Uninstall Chart + +```console +helm uninstall [RELEASE_NAME] +``` + +This removes all the Kubernetes components associated with the chart and deletes the release. + +_See [helm uninstall](https://helm.sh/docs/helm/helm_uninstall/) for command documentation._ + +## Updating values.schema.json + +A [`values.schema.json`](https://helm.sh/docs/topics/charts/#schema-files) file has been added to validate chart values. When `values.yaml` file has a structure change (i.e. add a new field, change value type, etc.), modify `values.schema.json` file manually or run `helm schema-gen values.yaml > values.schema.json` to ensure the schema is aligned with the latest values. Refer to [helm plugin `helm-schema-gen`](https://github.com/karuppiah7890/helm-schema-gen) for plugin installation instructions. + +## Upgrading Chart + +```console +helm upgrade [RELEASE_NAME] prometheus-community/prometheus --install +``` + +_See [helm upgrade](https://helm.sh/docs/helm/helm_upgrade/) for command documentation._ + +### To 25.0 + +The `server.remoteRead[].url` and `server.remoteWrite[].url` fields now support templating. Allowing for `url` values such as `https://{{ .Release.Name }}.example.com`. + +Any entries in these which previously included `{{` or `}}` must be escaped with `{{ "{{" }}` and `{{ "}}" }}` respectively. Entries which did not previously include the template-like syntax will not be affected. + +### To 24.0 + +Require Kubernetes 1.19+ + +Release 1.0.0 of the _alertmanager_ replaced [configmap-reload](https://github.com/jimmidyson/configmap-reload) with [prometheus-config-reloader](https://github.com/prometheus-operator/prometheus-operator/tree/main/cmd/prometheus-config-reloader). +Extra command-line arguments specified via `configmapReload.prometheus.extraArgs` are not compatible and will break with the new prometheus-config-reloader. Please, refer to the [sources](https://github.com/prometheus-operator/prometheus-operator/blob/main/cmd/prometheus-config-reloader/main.go) in order to make the appropriate adjustment to the extra command-line arguments. + +### To 23.0 + +Release 5.0.0 of the _kube-state-metrics_ chart introduced a separation of the `image.repository` value in two distinct values: + +```console + image: + registry: registry.k8s.io + repository: kube-state-metrics/kube-state-metrics +``` + +If a custom values file or CLI flags set `kube-state.metrics.image.repository`, please, set the new values accordingly. + +If you are upgrading _prometheus-pushgateway_ with the chart and _prometheus-pushgateway_ has been deployed as a statefulset with a persistent volume, the statefulset must be deleted before upgrading the chart, e.g.: + +```bash +kubectl delete sts -l app.kubernetes.io/name=prometheus-pushgateway -n monitoring --cascade=orphan +``` + +Users are advised to review changes in the corresponding chart releases before upgrading. + +### To 22.0 + +The `app.kubernetes.io/version` label has been removed from the pod selector. + +Therefore, you must delete the previous StatefulSet or Deployment before upgrading. Performing this operation will cause **Prometheus to stop functioning** until the upgrade is complete. + +```console +kubectl delete deploy,sts -l app.kubernetes.io/name=prometheus +``` + +### To 21.0 + +The Kubernetes labels have been updated to follow [Helm 3 label and annotation best practices](https://helm.sh/docs/chart_best_practices/labels/). +Specifically, labels mapping is listed below: + +| OLD | NEW | +|--------------------|------------------------------| +|heritage | app.kubernetes.io/managed-by | +|chart | helm.sh/chart | +|[container version] | app.kubernetes.io/version | +|app | app.kubernetes.io/name | +|release | app.kubernetes.io/instance | + +Therefore, depending on the way you've configured the chart, the previous StatefulSet or Deployment need to be deleted before upgrade. + +If `runAsStatefulSet: false` (this is the default): + +```console +kubectl delete deploy -l app=prometheus +``` + +If `runAsStatefulSet: true`: + +```console +kubectl delete sts -l app=prometheus +``` + +After that do the actual upgrade: + +```console +helm upgrade -i prometheus prometheus-community/prometheus +``` + +### To 20.0 + +The [configmap-reload](https://github.com/jimmidyson/configmap-reload) container was replaced by the [prometheus-config-reloader](https://github.com/prometheus-operator/prometheus-operator/tree/main/cmd/prometheus-config-reloader). +Extra command-line arguments specified via configmapReload.prometheus.extraArgs are not compatible and will break with the new prometheus-config-reloader, refer to the [sources](https://github.com/prometheus-operator/prometheus-operator/blob/main/cmd/prometheus-config-reloader/main.go) in order to make the appropriate adjustment to the extra command-line arguments. + +### To 19.0 + +Prometheus has been updated to version v2.40.5. + +Prometheus-pushgateway was updated to version 2.0.0 which adapted [Helm label and annotation best practices](https://helm.sh/docs/chart_best_practices/labels/). +See the [upgrade docs of the prometheus-pushgateway chart](https://github.com/prometheus-community/helm-charts/tree/main/charts/prometheus-pushgateway#to-200) to see whats to do, before you upgrade Prometheus! + +The condition in Chart.yaml to disable kube-state-metrics has been changed from `kubeStateMetrics.enabled` to `kube-state-metrics.enabled` + +The Docker image tag is used from appVersion field in Chart.yaml by default. + +Unused subchart configs has been removed and subchart config is now on the bottom of the config file. + +If Prometheus is used as deployment the updatestrategy has been changed to "Recreate" by default, so Helm updates work out of the box. + +`.Values.server.extraTemplates` & `.Values.server.extraObjects` has been removed in favour of `.Values.extraManifests`, which can do the same. + +`.Values.server.enabled` has been removed as it's useless now that all components are created by subcharts. + +All files in `templates/server` directory has been moved to `templates` directory. + +```bash +helm upgrade [RELEASE_NAME] prometheus-community/prometheus --version 19.0.0 +``` + +### To 18.0 + +Version 18.0.0 uses alertmanager service from the [alertmanager chart](https://github.com/prometheus-community/helm-charts/tree/main/charts/alertmanager). If you've made some config changes, please check the old `alertmanager` and the new `alertmanager` configuration section in values.yaml for differences. + +Note that the `configmapReload` section for `alertmanager` was moved out of dedicated section (`configmapReload.alertmanager`) to alertmanager embedded (`alertmanager.configmapReload`). + +Before you update, please scale down the `prometheus-server` deployment to `0` then perform upgrade: + +```bash +# In 17.x +kubectl scale deploy prometheus-server --replicas=0 +# Upgrade +helm upgrade [RELEASE_NAME] prometheus-community/prometheus --version 18.0.0 +``` + +### To 17.0 + +Version 17.0.0 uses pushgateway service from the [prometheus-pushgateway chart](https://github.com/prometheus-community/helm-charts/tree/main/charts/prometheus-pushgateway). If you've made some config changes, please check the old `pushgateway` and the new `prometheus-pushgateway` configuration section in values.yaml for differences. + +Before you update, please scale down the `prometheus-server` deployment to `0` then perform upgrade: + +```bash +# In 16.x +kubectl scale deploy prometheus-server --replicas=0 +# Upgrade +helm upgrade [RELEASE_NAME] prometheus-community/prometheus --version 17.0.0 +``` + +### To 16.0 + +Starting from version 16.0 embedded services (like alertmanager, node-exporter etc.) are moved out of Prometheus chart and the respecting charts from this repository are used as dependencies. Version 16.0.0 moves node-exporter service to [prometheus-node-exporter chart](https://github.com/prometheus-community/helm-charts/tree/main/charts/prometheus-node-exporter). If you've made some config changes, please check the old `nodeExporter` and the new `prometheus-node-exporter` configuration section in values.yaml for differences. + +Before you update, please scale down the `prometheus-server` deployment to `0` then perform upgrade: + +```bash +# In 15.x +kubectl scale deploy prometheus-server --replicas=0 +# Upgrade +helm upgrade [RELEASE_NAME] prometheus-community/prometheus --version 16.0.0 +``` + +### To 15.0 + +Version 15.0.0 changes the relabeling config, aligning it with the [Prometheus community conventions](https://github.com/prometheus/prometheus/pull/9832). If you've made manual changes to the relabeling config, you have to adapt your changes. + +Before you update please execute the following command, to be able to update kube-state-metrics: + +```bash +kubectl delete deployments.apps -l app.kubernetes.io/instance=prometheus,app.kubernetes.io/name=kube-state-metrics --cascade=orphan +``` + +### To 9.0 + +Version 9.0 adds a new option to enable or disable the Prometheus Server. This supports the use case of running a Prometheus server in one k8s cluster and scraping exporters in another cluster while using the same chart for each deployment. To install the server `server.enabled` must be set to `true`. + +### To 5.0 + +As of version 5.0, this chart uses Prometheus 2.x. This version of prometheus introduces a new data format and is not compatible with prometheus 1.x. It is recommended to install this as a new release, as updating existing releases will not work. See the [prometheus docs](https://prometheus.io/docs/prometheus/latest/migration/#storage) for instructions on retaining your old data. + +Prometheus version 2.x has made changes to alertmanager, storage and recording rules. Check out the migration guide [here](https://prometheus.io/docs/prometheus/2.0/migration/). + +Users of this chart will need to update their alerting rules to the new format before they can upgrade. + +### Example Migration + +Assuming you have an existing release of the prometheus chart, named `prometheus-old`. In order to update to prometheus 2.x while keeping your old data do the following: + +1. Update the `prometheus-old` release. Disable scraping on every component besides the prometheus server, similar to the configuration below: + + ```yaml + alertmanager: + enabled: false + alertmanagerFiles: + alertmanager.yml: "" + kubeStateMetrics: + enabled: false + nodeExporter: + enabled: false + pushgateway: + enabled: false + server: + extraArgs: + storage.local.retention: 720h + serverFiles: + alerts: "" + prometheus.yml: "" + rules: "" + ``` + +1. Deploy a new release of the chart with version 5.0+ using prometheus 2.x. In the values.yaml set the scrape config as usual, and also add the `prometheus-old` instance as a remote-read target. + + ```yaml + prometheus.yml: + ... + remote_read: + - url: http://prometheus-old/api/v1/read + ... + ``` + + Old data will be available when you query the new prometheus instance. + +## Configuration + +See [Customizing the Chart Before Installing](https://helm.sh/docs/intro/using_helm/#customizing-the-chart-before-installing). To see all configurable options with detailed comments, visit the chart's [values.yaml](./values.yaml), or run these configuration commands: + +```console +helm show values prometheus-community/prometheus +``` + +You may similarly use the above configuration commands on each chart [dependency](#dependencies) to see its configurations. + +### Scraping Pod Metrics via Annotations + +This chart uses a default configuration that causes prometheus to scrape a variety of kubernetes resource types, provided they have the correct annotations. In this section we describe how to configure pods to be scraped; for information on how other resource types can be scraped you can do a `helm template` to get the kubernetes resource definitions, and then reference the prometheus configuration in the ConfigMap against the prometheus documentation for [relabel_config](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config) and [kubernetes_sd_config](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#kubernetes_sd_config). + +In order to get prometheus to scrape pods, you must add annotations to the pods as below: + +```yaml +metadata: + annotations: + prometheus.io/scrape: "true" + prometheus.io/path: /metrics + prometheus.io/port: "8080" +``` + +You should adjust `prometheus.io/path` based on the URL that your pod serves metrics from. `prometheus.io/port` should be set to the port that your pod serves metrics from. Note that the values for `prometheus.io/scrape` and `prometheus.io/port` must be enclosed in double quotes. + +### Sharing Alerts Between Services + +Note that when [installing](#install-chart) or [upgrading](#upgrading-chart) you may use multiple values override files. This is particularly useful when you have alerts belonging to multiple services in the cluster. For example, + +```yaml +# values.yaml +# ... + +# service1-alert.yaml +serverFiles: + alerts: + service1: + - alert: anAlert + # ... + +# service2-alert.yaml +serverFiles: + alerts: + service2: + - alert: anAlert + # ... +``` + +```console +helm install [RELEASE_NAME] prometheus-community/prometheus -f values.yaml -f service1-alert.yaml -f service2-alert.yaml +``` + +### RBAC Configuration + +Roles and RoleBindings resources will be created automatically for `server` service. + +To manually setup RBAC you need to set the parameter `rbac.create=false` and specify the service account to be used for each service by setting the parameters: `serviceAccounts.{{ component }}.create` to `false` and `serviceAccounts.{{ component }}.name` to the name of a pre-existing service account. + +> **Tip**: You can refer to the default `*-clusterrole.yaml` and `*-clusterrolebinding.yaml` files in [templates](templates/) to customize your own. + +### ConfigMap Files + +AlertManager is configured through [alertmanager.yml](https://prometheus.io/docs/alerting/configuration/). This file (and any others listed in `alertmanagerFiles`) will be mounted into the `alertmanager` pod. + +Prometheus is configured through [prometheus.yml](https://prometheus.io/docs/operating/configuration/). This file (and any others listed in `serverFiles`) will be mounted into the `server` pod. + +### Ingress TLS + +If your cluster allows automatic creation/retrieval of TLS certificates (e.g. [cert-manager](https://github.com/jetstack/cert-manager)), please refer to the documentation for that mechanism. + +To manually configure TLS, first create/retrieve a key & certificate pair for the address(es) you wish to protect. Then create a TLS secret in the namespace: + +```console +kubectl create secret tls prometheus-server-tls --cert=path/to/tls.cert --key=path/to/tls.key +``` + +Include the secret's name, along with the desired hostnames, in the alertmanager/server Ingress TLS section of your custom `values.yaml` file: + +```yaml +server: + ingress: + ## If true, Prometheus server Ingress will be created + ## + enabled: true + + ## Prometheus server Ingress hostnames + ## Must be provided if Ingress is enabled + ## + hosts: + - prometheus.domain.com + + ## Prometheus server Ingress TLS configuration + ## Secrets must be manually created in the namespace + ## + tls: + - secretName: prometheus-server-tls + hosts: + - prometheus.domain.com +``` + +### NetworkPolicy + +Enabling Network Policy for Prometheus will secure connections to Alert Manager and Kube State Metrics by only accepting connections from Prometheus Server. All inbound connections to Prometheus Server are still allowed. + +To enable network policy for Prometheus, install a networking plugin that implements the Kubernetes NetworkPolicy spec, and set `networkPolicy.enabled` to true. + +If NetworkPolicy is enabled for Prometheus' scrape targets, you may also need to manually create a networkpolicy which allows it. diff --git a/charts/kasten/k10/7.0.1401/charts/prometheus/charts/alertmanager/.helmignore b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/alertmanager/.helmignore new file mode 100644 index 000000000..7653e97e6 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/alertmanager/.helmignore @@ -0,0 +1,25 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ + +unittests/ diff --git a/charts/kasten/k10/7.0.1401/charts/prometheus/charts/alertmanager/Chart.yaml b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/alertmanager/Chart.yaml new file mode 100644 index 000000000..bf2bfa160 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/alertmanager/Chart.yaml @@ -0,0 +1,24 @@ +annotations: + artifacthub.io/license: Apache-2.0 + artifacthub.io/links: | + - name: Chart Source + url: https://github.com/prometheus-community/helm-charts +apiVersion: v2 +appVersion: v0.27.0 +description: The Alertmanager handles alerts sent by client applications such as the + Prometheus server. +home: https://prometheus.io/ +icon: https://raw.githubusercontent.com/prometheus/prometheus.github.io/master/assets/prometheus_logo-cb55bb5c346.png +keywords: +- monitoring +kubeVersion: '>=1.19.0-0' +maintainers: +- email: monotek23@gmail.com + name: monotek +- email: naseem@transit.app + name: naseemkullah +name: alertmanager +sources: +- https://github.com/prometheus/alertmanager +type: application +version: 1.13.0 diff --git a/charts/kasten/k10/7.0.1401/charts/prometheus/charts/alertmanager/README.md b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/alertmanager/README.md new file mode 100644 index 000000000..d3f4df73a --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/alertmanager/README.md @@ -0,0 +1,62 @@ +# Alertmanager + +As per [prometheus.io documentation](https://prometheus.io/docs/alerting/latest/alertmanager/): +> The Alertmanager handles alerts sent by client applications such as the +> Prometheus server. It takes care of deduplicating, grouping, and routing them +> to the correct receiver integration such as email, PagerDuty, or OpsGenie. It +> also takes care of silencing and inhibition of alerts. + +## Prerequisites + +Kubernetes 1.14+ + +## Get Repository Info + +```console +helm repo add prometheus-community https://prometheus-community.github.io/helm-charts +helm repo update +``` + +_See [`helm repo`](https://helm.sh/docs/helm/helm_repo/) for command documentation._ + +## Install Chart + +```console +helm install [RELEASE_NAME] prometheus-community/alertmanager +``` + +_See [configuration](#configuration) below._ + +_See [helm install](https://helm.sh/docs/helm/helm_install/) for command documentation._ + +## Uninstall Chart + +```console +helm uninstall [RELEASE_NAME] +``` + +This removes all the Kubernetes components associated with the chart and deletes the release. + +_See [helm uninstall](https://helm.sh/docs/helm/helm_uninstall/) for command documentation._ + +## Upgrading Chart + +```console +helm upgrade [RELEASE_NAME] [CHART] --install +``` + +_See [helm upgrade](https://helm.sh/docs/helm/helm_upgrade/) for command documentation._ + +### To 1.0 + +The [configmap-reload](https://github.com/jimmidyson/configmap-reload) container was replaced by the [prometheus-config-reloader](https://github.com/prometheus-operator/prometheus-operator/tree/main/cmd/prometheus-config-reloader). +Extra command-line arguments specified via configmapReload.prometheus.extraArgs are not compatible and will break with the new prometheus-config-reloader, refer to the [sources](https://github.com/prometheus-operator/prometheus-operator/blob/main/cmd/prometheus-config-reloader/main.go) in order to make the appropriate adjustment to the extea command-line arguments. +The `networking.k8s.io/v1beta1` is no longer supported. use [`networking.k8s.io/v1`](https://kubernetes.io/docs/reference/using-api/deprecation-guide/#ingressclass-v122). + +## Configuration + +See [Customizing the Chart Before Installing](https://helm.sh/docs/intro/using_helm/#customizing-the-chart-before-installing). To see all configurable options with detailed comments, visit the chart's [values.yaml](./values.yaml), or run these configuration commands: + +```console +helm show values prometheus-community/alertmanager +``` diff --git a/charts/kasten/k10/7.0.1401/charts/prometheus/charts/alertmanager/ci/config-reload-values.yaml b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/alertmanager/ci/config-reload-values.yaml new file mode 100644 index 000000000..cba5de8e2 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/alertmanager/ci/config-reload-values.yaml @@ -0,0 +1,2 @@ +configmapReload: + enabled: true diff --git a/charts/kasten/k10/7.0.1401/charts/prometheus/charts/alertmanager/templates/NOTES.txt b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/alertmanager/templates/NOTES.txt new file mode 100644 index 000000000..46ea5bee5 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/alertmanager/templates/NOTES.txt @@ -0,0 +1,21 @@ +1. Get the application URL by running these commands: +{{- if .Values.ingress.enabled }} +{{- range $host := .Values.ingress.hosts }} + {{- range .paths }} + http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ .path }} + {{- end }} +{{- end }} +{{- else if contains "NodePort" .Values.service.type }} + export NODE_PORT=$(kubectl get --namespace {{ include "alertmanager.namespace" . }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "alertmanager.fullname" . }}) + export NODE_IP=$(kubectl get nodes --namespace {{ include "alertmanager.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}") + echo http://$NODE_IP:$NODE_PORT +{{- else if contains "LoadBalancer" .Values.service.type }} + NOTE: It may take a few minutes for the LoadBalancer IP to be available. + You can watch the status of by running 'kubectl get --namespace {{ include "alertmanager.namespace" . }} svc -w {{ include "alertmanager.fullname" . }}' + export SERVICE_IP=$(kubectl get svc --namespace {{ include "alertmanager.namespace" . }} {{ include "alertmanager.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}") + echo http://$SERVICE_IP:{{ .Values.service.port }} +{{- else if contains "ClusterIP" .Values.service.type }} + export POD_NAME=$(kubectl get pods --namespace {{ include "alertmanager.namespace" . }} -l "app.kubernetes.io/name={{ include "alertmanager.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") + echo "Visit http://127.0.0.1:{{ .Values.service.port }} to use your application" + kubectl --namespace {{ include "alertmanager.namespace" . }} port-forward $POD_NAME {{ .Values.service.port }}:80 +{{- end }} diff --git a/charts/kasten/k10/7.0.1401/charts/prometheus/charts/alertmanager/templates/_helpers.tpl b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/alertmanager/templates/_helpers.tpl new file mode 100644 index 000000000..827b6ee9f --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/alertmanager/templates/_helpers.tpl @@ -0,0 +1,92 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "alertmanager.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "alertmanager.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "alertmanager.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "alertmanager.labels" -}} +helm.sh/chart: {{ include "alertmanager.chart" . }} +{{ include "alertmanager.selectorLabels" . }} +{{- with .Chart.AppVersion }} +app.kubernetes.io/version: {{ . | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "alertmanager.selectorLabels" -}} +app.kubernetes.io/name: {{ include "alertmanager.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "alertmanager.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "alertmanager.fullname" .) .Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} + +{{/* +Define Ingress apiVersion +*/}} +{{- define "alertmanager.ingress.apiVersion" -}} +{{- printf "networking.k8s.io/v1" }} +{{- end }} + +{{/* +Define Pdb apiVersion +*/}} +{{- define "alertmanager.pdb.apiVersion" -}} +{{- if $.Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget" }} +{{- printf "policy/v1" }} +{{- else }} +{{- printf "policy/v1beta1" }} +{{- end }} +{{- end }} + +{{/* +Allow overriding alertmanager namespace +*/}} +{{- define "alertmanager.namespace" -}} +{{- if .Values.namespaceOverride -}} +{{- .Values.namespaceOverride -}} +{{- else -}} +{{- .Release.Namespace -}} +{{- end -}} +{{- end -}} diff --git a/charts/kasten/k10/7.0.1401/charts/prometheus/charts/alertmanager/templates/configmap.yaml b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/alertmanager/templates/configmap.yaml new file mode 100644 index 000000000..9e5882dc8 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/alertmanager/templates/configmap.yaml @@ -0,0 +1,21 @@ +{{- if .Values.config.enabled }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "alertmanager.fullname" . }} + labels: + {{- include "alertmanager.labels" . | nindent 4 }} + {{- with .Values.configAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} + namespace: {{ include "alertmanager.namespace" . }} +data: + alertmanager.yml: | + {{- $config := omit .Values.config "enabled" }} + {{- toYaml $config | default "{}" | nindent 4 }} + {{- range $key, $value := .Values.templates }} + {{ $key }}: |- + {{- $value | nindent 4 }} + {{- end }} +{{- end }} diff --git a/charts/kasten/k10/7.0.1401/charts/prometheus/charts/alertmanager/templates/ingress.yaml b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/alertmanager/templates/ingress.yaml new file mode 100644 index 000000000..e729a8ad3 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/alertmanager/templates/ingress.yaml @@ -0,0 +1,44 @@ +{{- if .Values.ingress.enabled }} +{{- $fullName := include "alertmanager.fullname" . }} +{{- $svcPort := .Values.service.port }} +apiVersion: {{ include "alertmanager.ingress.apiVersion" . }} +kind: Ingress +metadata: + name: {{ $fullName }} + labels: + {{- include "alertmanager.labels" . | nindent 4 }} + {{- with .Values.ingress.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} + namespace: {{ include "alertmanager.namespace" . }} +spec: + {{- if .Values.ingress.className }} + ingressClassName: {{ .Values.ingress.className }} + {{- end }} + {{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} + {{- end }} + rules: + {{- range .Values.ingress.hosts }} + - host: {{ .host | quote }} + http: + paths: + {{- range .paths }} + - path: {{ .path }} + pathType: {{ .pathType }} + backend: + service: + name: {{ $fullName }} + port: + number: {{ $svcPort }} + {{- end }} + {{- end }} +{{- end }} diff --git a/charts/kasten/k10/7.0.1401/charts/prometheus/charts/alertmanager/templates/ingressperreplica.yaml b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/alertmanager/templates/ingressperreplica.yaml new file mode 100644 index 000000000..6f5a02350 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/alertmanager/templates/ingressperreplica.yaml @@ -0,0 +1,56 @@ +{{- if and .Values.servicePerReplica.enabled .Values.ingressPerReplica.enabled }} +{{- $pathType := .Values.ingressPerReplica.pathType }} +{{- $count := .Values.replicaCount | int -}} +{{- $servicePort := .Values.service.port -}} +{{- $ingressValues := .Values.ingressPerReplica -}} +{{- $fullName := include "alertmanager.fullname" . }} +apiVersion: v1 +kind: List +metadata: + name: {{ $fullName }}-ingressperreplica + namespace: {{ include "alertmanager.namespace" . }} +items: +{{- range $i, $e := until $count }} + - kind: Ingress + apiVersion: {{ include "alertmanager.ingress.apiVersion" $ }} + metadata: + name: {{ $fullName }}-{{ $i }} + namespace: {{ include "alertmanager.namespace" $ }} + labels: + {{- include "alertmanager.labels" $ | nindent 8 }} + {{- if $ingressValues.labels }} +{{ toYaml $ingressValues.labels | indent 8 }} + {{- end }} + {{- if $ingressValues.annotations }} + annotations: +{{ toYaml $ingressValues.annotations | indent 8 }} + {{- end }} + spec: + {{- if $ingressValues.className }} + ingressClassName: {{ $ingressValues.className }} + {{- end }} + rules: + - host: {{ $ingressValues.hostPrefix }}-{{ $i }}.{{ $ingressValues.hostDomain }} + http: + paths: + {{- range $p := $ingressValues.paths }} + - path: {{ tpl $p $ }} + pathType: {{ $pathType }} + backend: + service: + name: {{ $fullName }}-{{ $i }} + port: + name: http + {{- end -}} + {{- if or $ingressValues.tlsSecretName $ingressValues.tlsSecretPerReplica.enabled }} + tls: + - hosts: + - {{ $ingressValues.hostPrefix }}-{{ $i }}.{{ $ingressValues.hostDomain }} + {{- if $ingressValues.tlsSecretPerReplica.enabled }} + secretName: {{ $ingressValues.tlsSecretPerReplica.prefix }}-{{ $i }} + {{- else }} + secretName: {{ $ingressValues.tlsSecretName }} + {{- end }} + {{- end }} +{{- end -}} +{{- end -}} diff --git a/charts/kasten/k10/7.0.1401/charts/prometheus/charts/alertmanager/templates/pdb.yaml b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/alertmanager/templates/pdb.yaml new file mode 100644 index 000000000..103e9ecde --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/alertmanager/templates/pdb.yaml @@ -0,0 +1,14 @@ +{{- if .Values.podDisruptionBudget }} +apiVersion: {{ include "alertmanager.pdb.apiVersion" . }} +kind: PodDisruptionBudget +metadata: + name: {{ include "alertmanager.fullname" . }} + labels: + {{- include "alertmanager.labels" . | nindent 4 }} + namespace: {{ include "alertmanager.namespace" . }} +spec: + selector: + matchLabels: + {{- include "alertmanager.selectorLabels" . | nindent 6 }} + {{- toYaml .Values.podDisruptionBudget | nindent 2 }} +{{- end }} diff --git a/charts/kasten/k10/7.0.1401/charts/prometheus/charts/alertmanager/templates/serviceaccount.yaml b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/alertmanager/templates/serviceaccount.yaml new file mode 100644 index 000000000..bc9ccaaff --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/alertmanager/templates/serviceaccount.yaml @@ -0,0 +1,14 @@ +{{- if .Values.serviceAccount.create }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "alertmanager.serviceAccountName" . }} + labels: + {{- include "alertmanager.labels" . | nindent 4 }} + {{- with .Values.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} + namespace: {{ include "alertmanager.namespace" . }} +automountServiceAccountToken: {{ .Values.automountServiceAccountToken }} +{{- end }} diff --git a/charts/kasten/k10/7.0.1401/charts/prometheus/charts/alertmanager/templates/serviceperreplica.yaml b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/alertmanager/templates/serviceperreplica.yaml new file mode 100644 index 000000000..faa75b3ba --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/alertmanager/templates/serviceperreplica.yaml @@ -0,0 +1,44 @@ +{{- if and .Values.servicePerReplica.enabled }} +{{- $count := .Values.replicaCount | int -}} +{{- $serviceValues := .Values.servicePerReplica -}} +apiVersion: v1 +kind: List +metadata: + name: {{ include "alertmanager.fullname" . }}-serviceperreplica + namespace: {{ include "alertmanager.namespace" . }} +items: +{{- range $i, $e := until $count }} + - apiVersion: v1 + kind: Service + metadata: + name: {{ include "alertmanager.fullname" $ }}-{{ $i }} + namespace: {{ include "alertmanager.namespace" $ }} + labels: + {{- include "alertmanager.labels" $ | nindent 8 }} + {{- if $serviceValues.annotations }} + annotations: +{{ toYaml $serviceValues.annotations | indent 8 }} + {{- end }} + spec: + {{- if $serviceValues.clusterIP }} + clusterIP: {{ $serviceValues.clusterIP }} + {{- end }} + {{- if $serviceValues.loadBalancerSourceRanges }} + loadBalancerSourceRanges: + {{- range $cidr := $serviceValues.loadBalancerSourceRanges }} + - {{ $cidr }} + {{- end }} + {{- end }} + {{- if ne $serviceValues.type "ClusterIP" }} + externalTrafficPolicy: {{ $serviceValues.externalTrafficPolicy }} + {{- end }} + ports: + - name: http + port: {{ $.Values.service.port }} + targetPort: http + selector: + {{- include "alertmanager.selectorLabels" $ | nindent 8 }} + statefulset.kubernetes.io/pod-name: {{ include "alertmanager.fullname" $ }}-{{ $i }} + type: "{{ $serviceValues.type }}" +{{- end }} +{{- end }} diff --git a/charts/kasten/k10/7.0.1401/charts/prometheus/charts/alertmanager/templates/services.yaml b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/alertmanager/templates/services.yaml new file mode 100644 index 000000000..eefb9ce16 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/alertmanager/templates/services.yaml @@ -0,0 +1,75 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ include "alertmanager.fullname" . }} + labels: + {{- include "alertmanager.labels" . | nindent 4 }} + {{- with .Values.service.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.service.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} + namespace: {{ include "alertmanager.namespace" . }} +spec: + {{- if .Values.service.ipDualStack.enabled }} + ipFamilies: {{ toYaml .Values.service.ipDualStack.ipFamilies | nindent 4 }} + ipFamilyPolicy: {{ .Values.service.ipDualStack.ipFamilyPolicy }} + {{- end }} + type: {{ .Values.service.type }} + {{- with .Values.service.loadBalancerIP }} + loadBalancerIP: {{ . }} + {{- end }} + {{- with .Values.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: + {{- range $cidr := . }} + - {{ $cidr }} + {{- end }} + {{- end }} + ports: + - port: {{ .Values.service.port }} + targetPort: http + protocol: TCP + name: http + {{- if (and (eq .Values.service.type "NodePort") .Values.service.nodePort) }} + nodePort: {{ .Values.service.nodePort }} + {{- end }} + {{- with .Values.service.extraPorts }} + {{- toYaml . | nindent 4 }} + {{- end }} + selector: + {{- include "alertmanager.selectorLabels" . | nindent 4 }} +--- +apiVersion: v1 +kind: Service +metadata: + name: {{ include "alertmanager.fullname" . }}-headless + labels: + {{- include "alertmanager.labels" . | nindent 4 }} + {{- with .Values.service.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + namespace: {{ include "alertmanager.namespace" . }} +spec: + clusterIP: None + ports: + - port: {{ .Values.service.port }} + targetPort: http + protocol: TCP + name: http + {{- if or (gt (int .Values.replicaCount) 1) (.Values.additionalPeers) }} + - port: {{ .Values.service.clusterPort }} + targetPort: clusterpeer-tcp + protocol: TCP + name: cluster-tcp + - port: {{ .Values.service.clusterPort }} + targetPort: clusterpeer-udp + protocol: UDP + name: cluster-udp + {{- end }} + {{- with .Values.service.extraPorts }} + {{- toYaml . | nindent 4 }} + {{- end }} + selector: + {{- include "alertmanager.selectorLabels" . | nindent 4 }} diff --git a/charts/kasten/k10/7.0.1401/charts/prometheus/charts/alertmanager/templates/statefulset.yaml b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/alertmanager/templates/statefulset.yaml new file mode 100644 index 000000000..0bc765c2f --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/alertmanager/templates/statefulset.yaml @@ -0,0 +1,254 @@ +{{- $svcClusterPort := .Values.service.clusterPort }} +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: {{ include "alertmanager.fullname" . }} + labels: + {{- include "alertmanager.labels" . | nindent 4 }} + {{- with .Values.statefulSet.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} + namespace: {{ include "alertmanager.namespace" . }} +spec: + replicas: {{ .Values.replicaCount }} + minReadySeconds: {{ .Values.minReadySeconds }} + revisionHistoryLimit: {{ .Values.revisionHistoryLimit }} + selector: + matchLabels: + {{- include "alertmanager.selectorLabels" . | nindent 6 }} + serviceName: {{ include "alertmanager.fullname" . }}-headless + template: + metadata: + labels: + {{- include "alertmanager.selectorLabels" . | nindent 8 }} + {{- with .Values.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + annotations: + {{- if not .Values.configmapReload.enabled }} + checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + {{- end }} + {{- with .Values.podAnnotations }} + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + automountServiceAccountToken: {{ .Values.automountServiceAccountToken }} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + serviceAccountName: {{ include "alertmanager.serviceAccountName" . }} + {{- with .Values.dnsConfig }} + dnsConfig: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.hostAliases }} + hostAliases: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.schedulerName }} + schedulerName: {{ . }} + {{- end }} + {{- if or .Values.podAntiAffinity .Values.affinity }} + affinity: + {{- end }} + {{- with .Values.affinity }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- if eq .Values.podAntiAffinity "hard" }} + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - topologyKey: {{ .Values.podAntiAffinityTopologyKey }} + labelSelector: + matchExpressions: + - {key: app.kubernetes.io/name, operator: In, values: [{{ include "alertmanager.name" . }}]} + {{- else if eq .Values.podAntiAffinity "soft" }} + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 100 + podAffinityTerm: + topologyKey: {{ .Values.podAntiAffinityTopologyKey }} + labelSelector: + matchExpressions: + - {key: app.kubernetes.io/name, operator: In, values: [{{ include "alertmanager.name" . }}]} + {{- end }} + {{- with .Values.priorityClassName }} + priorityClassName: {{ . }} + {{- end }} + {{- with .Values.topologySpreadConstraints }} + topologySpreadConstraints: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} + securityContext: + {{- toYaml .Values.podSecurityContext | nindent 8 }} + {{- with .Values.extraInitContainers }} + initContainers: + {{- toYaml . | nindent 8 }} + {{- end }} + containers: + {{- if .Values.configmapReload.enabled }} + - name: {{ .Chart.Name }}-{{ .Values.configmapReload.name }} + image: "{{ .Values.configmapReload.image.repository }}:{{ .Values.configmapReload.image.tag }}" + imagePullPolicy: "{{ .Values.configmapReload.image.pullPolicy }}" + {{- with .Values.configmapReload.extraEnv }} + env: + {{- toYaml . | nindent 12 }} + {{- end }} + args: + {{- if and (hasKey .Values.configmapReload.extraArgs "config-file" | not) (hasKey .Values.configmapReload.extraArgs "watched-dir" | not) }} + - --watched-dir=/etc/alertmanager + {{- end }} + {{- if not (hasKey .Values.configmapReload.extraArgs "reload-url") }} + - --reload-url=http://127.0.0.1:9093/-/reload + {{- end }} + {{- range $key, $value := .Values.configmapReload.extraArgs }} + - --{{ $key }}={{ $value }} + {{- end }} + resources: + {{- toYaml .Values.configmapReload.resources | nindent 12 }} + {{- with .Values.configmapReload.containerPort }} + ports: + - containerPort: {{ . }} + {{- end }} + {{- with .Values.configmapReload.securityContext }} + securityContext: + {{- toYaml . | nindent 12 }} + {{- end }} + volumeMounts: + - name: config + mountPath: /etc/alertmanager + {{- if .Values.configmapReload.extraVolumeMounts }} + {{- toYaml .Values.configmapReload.extraVolumeMounts | nindent 12 }} + {{- end }} + {{- end }} + - name: {{ .Chart.Name }} + securityContext: + {{- toYaml .Values.securityContext | nindent 12 }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + env: + - name: POD_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + {{- if .Values.extraEnv }} + {{- toYaml .Values.extraEnv | nindent 12 }} + {{- end }} + {{- with .Values.command }} + command: + {{- toYaml . | nindent 12 }} + {{- end }} + args: + - --storage.path=/alertmanager + {{- if not (hasKey .Values.extraArgs "config.file") }} + - --config.file=/etc/alertmanager/alertmanager.yml + {{- end }} + {{- if or (gt (int .Values.replicaCount) 1) (.Values.additionalPeers) }} + - --cluster.advertise-address=[$(POD_IP)]:{{ $svcClusterPort }} + - --cluster.listen-address=0.0.0.0:{{ $svcClusterPort }} + {{- end }} + {{- if gt (int .Values.replicaCount) 1}} + {{- $fullName := include "alertmanager.fullname" . }} + {{- range $i := until (int .Values.replicaCount) }} + - --cluster.peer={{ $fullName }}-{{ $i }}.{{ $fullName }}-headless:{{ $svcClusterPort }} + {{- end }} + {{- end }} + {{- if .Values.additionalPeers }} + {{- range $item := .Values.additionalPeers }} + - --cluster.peer={{ $item }} + {{- end }} + {{- end }} + {{- range $key, $value := .Values.extraArgs }} + - --{{ $key }}={{ $value }} + {{- end }} + {{- if .Values.baseURL }} + - --web.external-url={{ .Values.baseURL }} + {{- end }} + ports: + - name: http + containerPort: 9093 + protocol: TCP + {{- if or (gt (int .Values.replicaCount) 1) (.Values.additionalPeers) }} + - name: clusterpeer-tcp + containerPort: {{ $svcClusterPort }} + protocol: TCP + - name: clusterpeer-udp + containerPort: {{ $svcClusterPort }} + protocol: UDP + {{- end }} + livenessProbe: + {{- toYaml .Values.livenessProbe | nindent 12 }} + readinessProbe: + {{- toYaml .Values.readinessProbe | nindent 12 }} + resources: + {{- toYaml .Values.resources | nindent 12 }} + volumeMounts: + {{- if .Values.config.enabled }} + - name: config + mountPath: /etc/alertmanager + {{- end }} + {{- range .Values.extraSecretMounts }} + - name: {{ .name }} + mountPath: {{ .mountPath }} + subPath: {{ .subPath }} + readOnly: {{ .readOnly }} + {{- end }} + - name: storage + mountPath: /alertmanager + {{- if .Values.extraVolumeMounts }} + {{- toYaml .Values.extraVolumeMounts | nindent 12 }} + {{- end }} + {{- with .Values.extraContainers }} + {{- toYaml . | nindent 8 }} + {{- end }} + volumes: + {{- if .Values.config.enabled }} + - name: config + configMap: + name: {{ include "alertmanager.fullname" . }} + {{- end }} + {{- range .Values.extraSecretMounts }} + - name: {{ .name }} + secret: + secretName: {{ .secretName }} + {{- with .optional }} + optional: {{ . }} + {{- end }} + {{- end }} + {{- if .Values.extraVolumes }} + {{- toYaml .Values.extraVolumes | nindent 8 }} + {{- end }} + {{- if .Values.extraPodConfigs }} + {{- toYaml .Values.extraPodConfigs | nindent 6 }} + {{- end }} + {{- if .Values.persistence.enabled }} + volumeClaimTemplates: + - metadata: + name: storage + spec: + accessModes: + {{- toYaml .Values.persistence.accessModes | nindent 10 }} + resources: + requests: + storage: {{ .Values.persistence.size }} + {{- if .Values.persistence.storageClass }} + {{- if (eq "-" .Values.persistence.storageClass) }} + storageClassName: "" + {{- else }} + storageClassName: {{ .Values.persistence.storageClass }} + {{- end }} + {{- end }} + {{- else }} + - name: storage + emptyDir: {} + {{- end }} diff --git a/charts/kasten/k10/7.0.1401/charts/prometheus/charts/alertmanager/templates/tests/test-connection.yaml b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/alertmanager/templates/tests/test-connection.yaml new file mode 100644 index 000000000..410eba5bd --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/alertmanager/templates/tests/test-connection.yaml @@ -0,0 +1,20 @@ +{{- if .Values.testFramework.enabled }} +apiVersion: v1 +kind: Pod +metadata: + name: "{{ include "alertmanager.fullname" . }}-test-connection" + labels: + {{- include "alertmanager.labels" . | nindent 4 }} + {{- with .Values.testFramework.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} + namespace: {{ include "alertmanager.namespace" . }} +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['{{ include "alertmanager.fullname" . }}:{{ .Values.service.port }}'] + restartPolicy: Never +{{- end }} diff --git a/charts/kasten/k10/7.0.1401/charts/prometheus/charts/alertmanager/templates/vpa.yaml b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/alertmanager/templates/vpa.yaml new file mode 100644 index 000000000..53f70a28e --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/alertmanager/templates/vpa.yaml @@ -0,0 +1,26 @@ +{{- if .Values.verticalPodAutoscaler.enabled }} +apiVersion: autoscaling.k8s.io/v1 +kind: VerticalPodAutoscaler +metadata: + name: {{ include "alertmanager.fullname" . }} + namespace: {{ .Release.Namespace }} +spec: + {{- if .Values.verticalPodAutoscaler.recommenders }} + recommenders: + {{- range .Values.verticalPodAutoscaler.recommenders }} + - name: {{ .name }} + {{- end }} + {{- end }} + targetRef: + apiVersion: apps/v1 + kind: StatefulSet + name: {{ include "alertmanager.fullname" . }} + {{- if .Values.verticalPodAutoscaler.updatePolicy }} + updatePolicy: + {{- toYaml .Values.verticalPodAutoscaler.updatePolicy | nindent 4 }} + {{- end }} + {{- if .Values.verticalPodAutoscaler.resourcePolicy }} + resourcePolicy: + {{- toYaml .Values.verticalPodAutoscaler.resourcePolicy | nindent 4 }} + {{- end }} +{{- end }} diff --git a/charts/kasten/k10/7.0.1401/charts/prometheus/charts/alertmanager/values.schema.json b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/alertmanager/values.schema.json new file mode 100644 index 000000000..d3be015cf --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/alertmanager/values.schema.json @@ -0,0 +1,946 @@ +{ + "$schema": "http://json-schema.org/draft-07/schema", + "title": "alertmanager", + "description": "The Alertmanager handles alerts sent by client applications such as the Prometheus server.", + "type": "object", + "required": [ + "replicaCount", + "image", + "serviceAccount", + "service", + "persistence", + "config" + ], + "definitions": { + "image": { + "description": "Container image parameters.", + "type": "object", + "required": ["repository"], + "additionalProperties": false, + "properties": { + "repository": { + "description": "Image repository. Path to the image with registry(quay.io) or without(prometheus/alertmanager) for docker.io.", + "type": "string" + }, + "pullPolicy": { + "description": "Image pull policy. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. Cannot be updated.", + "type": "string", + "enum": [ + "Never", + "IfNotPresent", + "Always" + ], + "default": "IfNotPresent" + }, + "tag": { + "description": "Use chart appVersion by default.", + "type": "string", + "default": "" + } + } + }, + "resources": { + "description": "Resource limits and requests for the Container.", + "type": "object", + "properties": { + "limits": { + "description": "Resource limits for the Container.", + "type": "object", + "properties": { + "cpu": { + "description": "CPU request for the Container.", + "type": "string" + }, + "memory": { + "description": "Memory request for the Container.", + "type": "string" + } + } + }, + "requests": { + "description": "Resource requests for the Container.", + "type": "object", + "properties": { + "cpu": { + "description": "CPU request for the Container.", + "type": "string" + }, + "memory": { + "description": "Memory request for the Container.", + "type": "string" + } + } + } + } + }, + "securityContext": { + "description": "Security context for the container.", + "type": "object", + "properties": { + "capabilities": { + "description": "Specifies the capabilities to be dropped by the container.", + "type": "object", + "properties": { + "drop": { + "description": "List of capabilities to be dropped.", + "type": "array", + "items": { + "type": "string" + } + } + } + }, + "readOnlyRootFilesystem": { + "description": "Specifies whether the root file system should be mounted as read-only.", + "type": "boolean" + }, + "runAsUser": { + "description": "Specifies the UID (User ID) to run the container as.", + "type": "integer" + }, + "runAsNonRoot": { + "description": "Specifies whether to run the container as a non-root user.", + "type": "boolean" + }, + "runAsGroup": { + "description": "Specifies the GID (Group ID) to run the container as.", + "type": "integer" + } + } + }, + "volumeMounts": { + "description": "List of volume mounts for the Container.", + "type": "array", + "items": { + "description": "Volume mounts for the Container.", + "type": "object", + "required": ["name", "mountPath"], + "properties": { + "name": { + "description": "The name of the volume to mount.", + "type": "string" + }, + "mountPath": { + "description": "The mount path for the volume.", + "type": "string" + }, + "readOnly": { + "description": "Specifies if the volume should be mounted in read-only mode.", + "type": "boolean" + } + } + } + }, + "env": { + "description": "List of environment variables for the Container.", + "type": "array", + "items": { + "description": "Environment variables for the Container.", + "type": "object", + "required": ["name"], + "properties": { + "name": { + "description": "The name of the environment variable.", + "type": "string" + }, + "value": { + "description": "The value of the environment variable.", + "type": "string" + } + } + } + }, + "config": { + "description": "https://prometheus.io/docs/alerting/latest/configuration/", + "duration": { + "type": "string", + "pattern": "^((([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?|0)$" + }, + "labelname": { + "type": "string", + "pattern": "^[a-zA-Z_][a-zA-Z0-9_]*$|^...$" + }, + "route": { + "description": "Alert routing configuration.", + "type": "object", + "properties": { + "receiver": { + "description": "The default receiver to send alerts to.", + "type": "string" + }, + "group_by": { + "description": "The labels by which incoming alerts are grouped together.", + "type": "array", + "items": { + "type": "string", + "$ref": "#/definitions/config/labelname" + } + }, + "continue": { + "description": "Whether an alert should continue matching subsequent sibling nodes.", + "type": "boolean", + "default": false + }, + "matchers": { + "description": "A list of matchers that an alert has to fulfill to match the node.", + "type": "array", + "items": { + "type": "string" + } + }, + "group_wait": { + "description": "How long to initially wait to send a notification for a group of alerts.", + "$ref": "#/definitions/config/duration" + }, + "group_interval": { + "description": "How long to wait before sending a notification about new alerts that are added to a group of alerts for which an initial notification has already been sent.", + "$ref": "#/definitions/config/duration" + }, + "repeat_interval": { + "description": "How long to wait before sending a notification again if it has already been sent successfully for an alert.", + "$ref": "#/definitions/config/duration" + }, + "mute_time_intervals": { + "description": "Times when the route should be muted.", + "type": "array", + "items": { + "type": "string" + } + }, + "active_time_intervals": { + "description": "Times when the route should be active.", + "type": "array", + "items": { + "type": "string" + } + }, + "routes": { + "description": "Zero or more child routes.", + "type": "array", + "items": { + "type": "object", + "$ref": "#/definitions/config/route" + } + } + } + } + } + }, + "properties": { + "replicaCount": { + "description": "Number of desired pods.", + "type": "integer", + "default": 1, + "minimum": 0 + }, + "image": { + "description": "Container image parameters.", + "$ref": "#/definitions/image" + }, + "baseURL": { + "description": "External URL where alertmanager is reachable.", + "type": "string", + "default": "", + "examples": [ + "https://alertmanager.example.com" + ] + }, + "extraArgs": { + "description": "Additional alertmanager container arguments. Use args without '--', only 'key: value' syntax.", + "type": "object", + "default": {} + }, + "extraSecretMounts": { + "description": "Additional Alertmanager Secret mounts.", + "type": "array", + "default": [], + "items": { + "type": "object", + "required": ["name", "mountPath", "secretName"], + "properties": { + "name": { + "type": "string" + }, + "mountPath": { + "type": "string" + }, + "subPath": { + "type": "string", + "default": "" + }, + "secretName": { + "type": "string" + }, + "readOnly": { + "type": "boolean", + "default": false + } + } + } + }, + "imagePullSecrets": { + "description": "The property allows you to configure multiple image pull secrets.", + "type": "array", + "default": [], + "items": { + "type": "object", + "required": ["name"], + "properties": { + "name": { + "description": "Specifies the Secret name of the image pull secret.", + "type": "string" + } + } + } + }, + "nameOverride": { + "description": "Override value for the name of the Helm chart.", + "type": "string", + "default": "" + }, + "fullnameOverride": { + "description": "Override value for the fully qualified app name.", + "type": "string", + "default": "" + }, + "namespaceOverride": { + "description": "Override deployment namespace.", + "type": "string", + "default": "" + }, + "automountServiceAccountToken": { + "description": "Specifies whether to automatically mount the ServiceAccount token into the Pod's filesystem.", + "type": "boolean", + "default": true + }, + "serviceAccount": { + "description": "Contains properties related to the service account configuration.", + "type": "object", + "required": ["create"], + "properties": { + "create": { + "description": "Specifies whether a service account should be created.", + "type": "boolean", + "default": true + }, + "annotations": { + "description": "Annotations to add to the service account.", + "type": "object", + "default": {} + }, + "name": { + "description": "The name of the service account to use. If not set and create is true, a name is generated using the fullname template.", + "type": "string", + "default": "" + } + } + }, + "schedulerName": { + "description": "Sets the schedulerName in the alertmanager pod.", + "type": "string", + "default": "" + }, + "priorityClassName": { + "description": "Sets the priorityClassName in the alertmanager pod.", + "type": "string", + "default": "" + }, + "podSecurityContext": { + "description": "Pod security context configuration.", + "type": "object", + "properties": { + "fsGroup": { + "description": "The fsGroup value for the pod's security context.", + "type": "integer", + "default": 65534 + }, + "runAsUser": { + "description": "The UID to run the pod's containers as.", + "type": "integer" + }, + "runAsGroup": { + "description": "The GID to run the pod's containers as.", + "type": "integer" + } + } + }, + "dnsConfig": { + "description": "DNS configuration for the pod.", + "type": "object", + "properties": { + "nameservers": { + "description": "List of DNS server IP addresses.", + "type": "array", + "items": { + "type": "string" + } + }, + "searches": { + "description": "List of DNS search domains.", + "type": "array", + "items": { + "type": "string" + } + }, + "options": { + "description": "List of DNS options.", + "type": "array", + "items": { + "description": "DNS options.", + "type": "object", + "required": ["name"], + "properties": { + "name": { + "description": "The name of the DNS option.", + "type": "string" + }, + "value": { + "description": "The value of the DNS option.", + "type": "string" + } + } + } + } + } + }, + "hostAliases": { + "description": "List of host aliases.", + "type": "array", + "items": { + "description": "Host aliases configuration.", + "type": "object", + "required": ["ip", "hostnames"], + "properties": { + "ip": { + "description": "IP address associated with the host alias.", + "type": "string" + }, + "hostnames": { + "description": "List of hostnames associated with the IP address.", + "type": "array", + "items": { + "type": "string" + } + } + } + } + }, + "securityContext": { + "description": "Security context for the container.", + "$ref": "#/definitions/securityContext" + }, + "additionalPeers": { + "description": "Additional peers for a alertmanager.", + "type": "array", + "items": { + "type": "string" + } + }, + "extraInitContainers": { + "description": "Additional InitContainers to initialize the pod.", + "type": "array", + "default": [], + "items": { + "required": ["name", "image"], + "properties": { + "name": { + "description": "The name of the InitContainer.", + "type": "string" + }, + "image": { + "description": "The container image to use for the InitContainer.", + "type": "string" + }, + "pullPolicy": { + "description": "Image pull policy. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. Cannot be updated.", + "type": "string", + "enum": [ + "Never", + "IfNotPresent", + "Always" + ], + "default": "IfNotPresent" + }, + "command": { + "description": "The command to run in the InitContainer.", + "type": "array", + "items": { + "type": "string" + } + }, + "args": { + "description": "Additional command arguments for the InitContainer.", + "type": "array", + "items": { + "type": "string" + } + }, + "ports": { + "description": "List of ports to expose from the container.", + "type": "array", + "items": { + "type": "object" + } + }, + "env": { + "description": "List of environment variables for the InitContainer.", + "$ref": "#/definitions/env" + }, + "envFrom": { + "description": "List of sources to populate environment variables in the container.", + "type": "array", + "items": { + "type": "object" + } + }, + "volumeMounts": { + "description": "List of volume mounts for the InitContainer.", + "$ref": "#/definitions/volumeMounts" + }, + "resources": { + "description": "Resource requirements for the InitContainer.", + "$ref": "#/definitions/resources" + }, + "securityContext": { + "$ref": "#/definitions/securityContext", + "description": "The security context for the InitContainer." + } + } + } + }, + "extraContainers": { + "description": "Additional containers to add to the stateful set.", + "type": "array", + "default": [], + "items": { + "required": ["name", "image"], + "properties": { + "name": { + "description": "The name of the InitContainer.", + "type": "string" + }, + "image": { + "description": "The container image to use for the InitContainer.", + "type": "string" + }, + "pullPolicy": { + "description": "Image pull policy. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. Cannot be updated.", + "type": "string", + "enum": [ + "Never", + "IfNotPresent", + "Always" + ], + "default": "IfNotPresent" + }, + "command": { + "description": "The command to run in the InitContainer.", + "type": "array", + "items": { + "type": "string" + } + }, + "args": { + "description": "Additional command arguments for the InitContainer.", + "type": "array", + "items": { + "type": "string" + } + }, + "ports": { + "description": "List of ports to expose from the container.", + "type": "array", + "items": { + "type": "object" + } + }, + "env": { + "description": "List of environment variables for the InitContainer.", + "$ref": "#/definitions/env" + }, + "envFrom": { + "description": "List of sources to populate environment variables in the container.", + "type": "array", + "items": { + "type": "object" + } + }, + "volumeMounts": { + "description": "List of volume mounts for the InitContainer.", + "$ref": "#/definitions/volumeMounts" + }, + "resources": { + "description": "Resource requirements for the InitContainer.", + "$ref": "#/definitions/resources" + }, + "securityContext": { + "$ref": "#/definitions/securityContext", + "description": "The security context for the InitContainer." + } + } + } + }, + "resources": { + "description": "Resource limits and requests for the pod.", + "$ref": "#/definitions/resources" + }, + "livenessProbe": { + "description": "Liveness probe configuration.", + "type": "object" + }, + "readinessProbe": { + "description": "Readiness probe configuration.", + "type": "object" + }, + "service": { + "description": "Service configuration.", + "type": "object", + "required": ["type", "port"], + "properties": { + "annotations": { + "description": "Annotations to add to the service.", + "type": "object" + }, + "type": { + "description": "Service type.", + "type": "string" + }, + "port": { + "description": "Port number for the service.", + "type": "integer" + }, + "clusterPort": { + "description": "Port number for the cluster.", + "type": "integer" + }, + "loadBalancerIP": { + "description": "External IP to assign when the service type is LoadBalancer.", + "type": "string" + }, + "loadBalancerSourceRanges": { + "description": "IP ranges to allow access to the loadBalancerIP.", + "type": "array", + "items": { + "type": "string" + } + }, + "nodePort": { + "description": "Specific nodePort to force when service type is NodePort.", + "type": "integer" + } + } + }, + "ingress": { + "description": "Ingress configuration.", + "type": "object", + "properties": { + "enabled": { + "description": "Indicates if Ingress is enabled.", + "type": "boolean" + }, + "className": { + "description": "Ingress class name.", + "type": "string" + }, + "annotations": { + "description": "Annotations to add to the Ingress.", + "type": "object" + }, + "hosts": { + "description": "Host and path configuration for the Ingress.", + "type": "array", + "items": { + "type": "object", + "properties": { + "host": { + "description": "Host name for the Ingress.", + "type": "string" + }, + "paths": { + "description": "Path configuration for the Ingress.", + "type": "array", + "items": { + "type": "object", + "properties": { + "path": { + "description": "Path for the Ingress.", + "type": "string" + }, + "pathType": { + "description": "Path type for the Ingress.", + "type": "string" + } + } + } + } + } + } + }, + "tls": { + "description": "TLS configuration for the Ingress.", + "type": "array", + "items": { + "type": "object", + "properties": { + "secretName": { + "description": "Name of the secret for TLS.", + "type": "string" + }, + "hosts": { + "description": "Host names for the TLS configuration.", + "type": "array", + "items": { + "type": "string" + } + } + } + } + } + } + }, + "nodeSelector": { + "description": "Node selector for pod assignment.", + "type": "object" + }, + "tolerations": { + "description": "Tolerations for pod assignment.", + "type": "array" + }, + "affinity": { + "description": "Affinity rules for pod assignment.", + "type": "object" + }, + "podAntiAffinity": { + "description": "Pod anti-affinity configuration.", + "type": "string", + "enum": ["", "soft", "hard"], + "default": "" + }, + "podAntiAffinityTopologyKey": { + "description": "Topology key to use for pod anti-affinity.", + "type": "string" + }, + "topologySpreadConstraints": { + "description": "Topology spread constraints for pod assignment.", + "type": "array", + "items": { + "type": "object", + "required": ["maxSkew", "topologyKey", "whenUnsatisfiable", "labelSelector"], + "properties": { + "maxSkew": { + "type": "integer" + }, + "topologyKey": { + "type": "string" + }, + "whenUnsatisfiable": { + "type": "string", + "enum": ["DoNotSchedule", "ScheduleAnyway"] + }, + "labelSelector": { + "type": "object", + "required": ["matchLabels"], + "properties": { + "matchLabels": { + "type": "object" + } + } + } + } + } + }, + "statefulSet": { + "description": "StatefulSet configuration for managing pods.", + "type": "object", + "properties": { + "annotations": { + "type": "object" + } + } + }, + "podAnnotations": { + "description": "Annotations to add to the pods.", + "type": "object" + }, + "podLabels": { + "description": "Labels to add to the pods.", + "type": "object" + }, + "podDisruptionBudget": { + "description": "Pod disruption budget configuration.", + "type": "object", + "properties": { + "maxUnavailable": { + "type": "integer" + }, + "minAvailable": { + "type": "integer" + } + } + }, + "command": { + "description": "The command to be executed in the container.", + "type": "array", + "items": { + "type": "string" + } + }, + "persistence": { + "description": "Persistence configuration for storing data.", + "type": "object", + "required": ["enabled", "size"], + "properties": { + "enabled": { + "type": "boolean" + }, + "storageClass": { + "type": "string" + }, + "accessModes": { + "type": "array", + "items": { + "type": "string" + } + }, + "size": { + "type": "string" + } + } + }, + "configAnnotations": { + "description": "Annotations to be added to the Alertmanager configuration.", + "type": "object" + }, + "config": { + "description": "Alertmanager configuration.", + "type": "object", + "properties": { + "enabled": { + "description": "Whether to create alermanager configmap or not.", + "type": "boolean" + }, + "global": { + "description": "Global configuration options.", + "type": "object" + }, + "templates": { + "description": "Alertmanager template files.", + "type": "array", + "items": { + "type": "string" + } + }, + "receivers": { + "description": "Alert receivers configuration.", + "type": "array", + "items": { + "type": "object", + "required": ["name"], + "properties": { + "name": { + "description": "The unique name of the receiver.", + "type": "string" + } + } + } + }, + "route": { + "description": "Alert routing configuration.", + "type": "object", + "$ref": "#/definitions/config/route" + } + } + }, + "configmapReload": { + "description": "Monitors ConfigMap changes and POSTs to a URL.", + "type": "object", + "properties": { + "enabled": { + "description": "Specifies whether the configmap-reload container should be deployed.", + "type": "boolean", + "default": false + }, + "name": { + "description": "The name of the configmap-reload container.", + "type": "string" + }, + "image": { + "description": "The container image for the configmap-reload container.", + "$ref": "#/definitions/image" + }, + "containerPort": { + "description": "Port number for the configmap-reload container.", + "type": "integer" + }, + "resources": { + "description": "Resource requests and limits for the configmap-reload container.", + "$ref": "#/definitions/resources" + } + } + }, + "templates": { + "description": "Custom templates used by Alertmanager.", + "type": "object" + }, + "extraVolumeMounts": { + "description": "List of volume mounts for the Container.", + "$ref": "#/definitions/volumeMounts" + }, + "extraVolumes": { + "description": "Additional volumes to be mounted in the Alertmanager pod.", + "type": "array", + "default": [], + "items": { + "type": "object", + "required": ["name"], + "properties": { + "name": { + "type": "string" + } + } + } + }, + "extraEnv": { + "description": "List of environment variables for the Container.", + "$ref": "#/definitions/env" + }, + "testFramework": { + "description": "Configuration for the test Pod.", + "type": "object", + "properties": { + "enabled": { + "description": "Specifies whether the test Pod is enabled.", + "type": "boolean", + "default": false + }, + "annotations": { + "description": "Annotations to be added to the test Pod.", + "type": "object" + } + } + }, + "verticalPodAutoscaler": { + "description": "Vertical Pod Autoscaling configuration.", + "type": "object", + "properties": { + "enabled": { + "type": "boolean", + "default": false + }, + "recommenders": { + "type": "array" + }, + "updatePolicy": { + "type": "object" + }, + "resourcePolicy": { + "type": "object" + } + } + }, + "extraPodConfigs": { + "description": "Object to allow users to add additional Pod configuration like dnsPolicy or hostNetwork", + "type": "object" + } + } +} diff --git a/charts/kasten/k10/7.0.1401/charts/prometheus/charts/alertmanager/values.yaml b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/alertmanager/values.yaml new file mode 100644 index 000000000..133f438c9 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/alertmanager/values.yaml @@ -0,0 +1,404 @@ +# yaml-language-server: $schema=values.schema.json +# Default values for alertmanager. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +replicaCount: 1 + +# Number of old history to retain to allow rollback +# Default Kubernetes value is set to 10 +revisionHistoryLimit: 10 + +image: + repository: quay.io/prometheus/alertmanager + pullPolicy: IfNotPresent + # Overrides the image tag whose default is the chart appVersion. + tag: "" + +# Full external URL where alertmanager is reachable, used for backlinks. +baseURL: "" + +extraArgs: {} + +## Additional Alertmanager Secret mounts +# Defines additional mounts with secrets. Secrets must be manually created in the namespace. +extraSecretMounts: [] + # - name: secret-files + # mountPath: /etc/secrets + # subPath: "" + # secretName: alertmanager-secret-files + # readOnly: true + +imagePullSecrets: [] +nameOverride: "" +fullnameOverride: "" +## namespaceOverride overrides the namespace which the resources will be deployed in +namespaceOverride: "" + +automountServiceAccountToken: true + +serviceAccount: + # Specifies whether a service account should be created + create: true + # Annotations to add to the service account + annotations: {} + # The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template + name: "" + +# Sets priorityClassName in alertmanager pod +priorityClassName: "" + +# Sets schedulerName in alertmanager pod +schedulerName: "" + +podSecurityContext: + fsGroup: 65534 +dnsConfig: {} + # nameservers: + # - 1.2.3.4 + # searches: + # - ns1.svc.cluster-domain.example + # - my.dns.search.suffix + # options: + # - name: ndots + # value: "2" + # - name: edns0 +hostAliases: [] + # - ip: "127.0.0.1" + # hostnames: + # - "foo.local" + # - "bar.local" + # - ip: "10.1.2.3" + # hostnames: + # - "foo.remote" + # - "bar.remote" +securityContext: + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + runAsUser: 65534 + runAsNonRoot: true + runAsGroup: 65534 + +additionalPeers: [] + +## Additional InitContainers to initialize the pod +## +extraInitContainers: [] + +## Additional containers to add to the stateful set. This will allow to setup sidecarContainers like a proxy to integrate +## alertmanager with an external tool like teams that has not direct integration. +## +extraContainers: [] + +livenessProbe: + httpGet: + path: / + port: http + +readinessProbe: + httpGet: + path: / + port: http + +service: + annotations: {} + labels: {} + type: ClusterIP + port: 9093 + clusterPort: 9094 + loadBalancerIP: "" # Assign ext IP when Service type is LoadBalancer + loadBalancerSourceRanges: [] # Only allow access to loadBalancerIP from these IPs + # if you want to force a specific nodePort. Must be use with service.type=NodePort + # nodePort: + + # Optionally specify extra list of additional ports exposed on both services + extraPorts: [] + + # ip dual stack + ipDualStack: + enabled: false + ipFamilies: ["IPv6", "IPv4"] + ipFamilyPolicy: "PreferDualStack" + +# Configuration for creating a separate Service for each statefulset Alertmanager replica +# +servicePerReplica: + enabled: false + annotations: {} + + # Loadbalancer source IP ranges + # Only used if servicePerReplica.type is "LoadBalancer" + loadBalancerSourceRanges: [] + + # Denotes if this Service desires to route external traffic to node-local or cluster-wide endpoints + # + externalTrafficPolicy: Cluster + + # Service type + # + type: ClusterIP + +ingress: + enabled: false + className: "" + annotations: {} + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + hosts: + - host: alertmanager.domain.com + paths: + - path: / + pathType: ImplementationSpecific + tls: [] + # - secretName: chart-example-tls + # hosts: + # - alertmanager.domain.com + +# Configuration for creating an Ingress that will map to each Alertmanager replica service +# alertmanager.servicePerReplica must be enabled +# +ingressPerReplica: + enabled: false + + # className for the ingresses + # + className: "" + + annotations: {} + labels: {} + + # Final form of the hostname for each per replica ingress is + # {{ ingressPerReplica.hostPrefix }}-{{ $replicaNumber }}.{{ ingressPerReplica.hostDomain }} + # + # Prefix for the per replica ingress that will have `-$replicaNumber` + # appended to the end + hostPrefix: "alertmanager" + # Domain that will be used for the per replica ingress + hostDomain: "domain.com" + + # Paths to use for ingress rules + # + paths: + - / + + # PathType for ingress rules + # + pathType: ImplementationSpecific + + # Secret name containing the TLS certificate for alertmanager per replica ingress + # Secret must be manually created in the namespace + tlsSecretName: "" + + # Separated secret for each per replica Ingress. Can be used together with cert-manager + # + tlsSecretPerReplica: + enabled: false + # Final form of the secret for each per replica ingress is + # {{ tlsSecretPerReplica.prefix }}-{{ $replicaNumber }} + # + prefix: "alertmanager" + +resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 10m + # memory: 32Mi + +nodeSelector: {} + +tolerations: [] + +affinity: {} + +## Pod anti-affinity can prevent the scheduler from placing Alertmanager replicas on the same node. +## The default value "soft" means that the scheduler should *prefer* to not schedule two replica pods onto the same node but no guarantee is provided. +## The value "hard" means that the scheduler is *required* to not schedule two replica pods onto the same node. +## The value "" will disable pod anti-affinity so that no anti-affinity rules will be configured. +## +podAntiAffinity: "" + +## If anti-affinity is enabled sets the topologyKey to use for anti-affinity. +## This can be changed to, for example, failure-domain.beta.kubernetes.io/zone +## +podAntiAffinityTopologyKey: kubernetes.io/hostname + +## Topology spread constraints rely on node labels to identify the topology domain(s) that each Node is in. +## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ +topologySpreadConstraints: [] + # - maxSkew: 1 + # topologyKey: failure-domain.beta.kubernetes.io/zone + # whenUnsatisfiable: DoNotSchedule + # labelSelector: + # matchLabels: + # app.kubernetes.io/instance: alertmanager + +statefulSet: + annotations: {} + +## Minimum number of seconds for which a newly created pod should be ready without any of its container crashing for it to +## be considered available. Defaults to 0 (pod will be considered available as soon as it is ready). +## This is an alpha field from kubernetes 1.22 until 1.24 which requires enabling the StatefulSetMinReadySeconds +## feature gate. +## Ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#minimum-ready-seconds +minReadySeconds: 0 + +podAnnotations: {} +podLabels: {} + +# Ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ +podDisruptionBudget: {} + # maxUnavailable: 1 + # minAvailable: 1 + +command: [] + +persistence: + enabled: true + ## Persistent Volume Storage Class + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. + ## + # storageClass: "-" + accessModes: + - ReadWriteOnce + size: 50Mi + +configAnnotations: {} + ## For example if you want to provide private data from a secret vault + ## https://github.com/banzaicloud/bank-vaults/tree/main/charts/vault-secrets-webhook + ## P.s.: Add option `configMapMutation: true` for vault-secrets-webhook + # vault.security.banzaicloud.io/vault-role: "admin" + # vault.security.banzaicloud.io/vault-addr: "https://vault.vault.svc.cluster.local:8200" + # vault.security.banzaicloud.io/vault-skip-verify: "true" + # vault.security.banzaicloud.io/vault-path: "kubernetes" + ## Example for inject secret + # slack_api_url: '${vault:secret/data/slack-hook-alerts#URL}' + +config: + enabled: true + global: {} + # slack_api_url: '' + + templates: + - '/etc/alertmanager/*.tmpl' + + receivers: + - name: default-receiver + # slack_configs: + # - channel: '@you' + # send_resolved: true + + route: + group_wait: 10s + group_interval: 5m + receiver: default-receiver + repeat_interval: 3h + +## Monitors ConfigMap changes and POSTs to a URL +## Ref: https://github.com/prometheus-operator/prometheus-operator/tree/main/cmd/prometheus-config-reloader +## +configmapReload: + ## If false, the configmap-reload container will not be deployed + ## + enabled: false + + ## configmap-reload container name + ## + name: configmap-reload + + ## configmap-reload container image + ## + image: + repository: quay.io/prometheus-operator/prometheus-config-reloader + tag: v0.66.0 + pullPolicy: IfNotPresent + + # containerPort: 9533 + + ## configmap-reload resource requests and limits + ## Ref: http://kubernetes.io/docs/user-guide/compute-resources/ + ## + resources: {} + + extraArgs: {} + + ## Optionally specify extra list of additional volumeMounts + extraVolumeMounts: [] + # - name: extras + # mountPath: /usr/share/extras + # readOnly: true + + ## Optionally specify extra environment variables to add to alertmanager container + extraEnv: [] + # - name: FOO + # value: BAR + + securityContext: {} + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + # runAsUser: 65534 + # runAsNonRoot: true + # runAsGroup: 65534 + +templates: {} +# alertmanager.tmpl: |- + +## Optionally specify extra list of additional volumeMounts +extraVolumeMounts: [] + # - name: extras + # mountPath: /usr/share/extras + # readOnly: true + +## Optionally specify extra list of additional volumes +extraVolumes: [] + # - name: extras + # emptyDir: {} + +## Optionally specify extra environment variables to add to alertmanager container +extraEnv: [] + # - name: FOO + # value: BAR + +testFramework: + enabled: false + annotations: + "helm.sh/hook": test-success + # "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded" + +# --- Vertical Pod Autoscaler +verticalPodAutoscaler: + # -- Use VPA for alertmanager + enabled: false + # recommenders: + # - name: 'alternative' + # updatePolicy: + # updateMode: "Auto" + # minReplicas: 1 + # resourcePolicy: + # containerPolicies: + # - containerName: '*' + # minAllowed: + # cpu: 100m + # memory: 128Mi + # maxAllowed: + # cpu: 1 + # memory: 500Mi + # controlledResources: ["cpu", "memory"] + +# --- Extra Pod Configs +extraPodConfigs: {} + # dnsPolicy: ClusterFirstWithHostNet + # hostNetwork: true diff --git a/charts/kasten/k10/7.0.1401/charts/prometheus/charts/kube-state-metrics/.helmignore b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/kube-state-metrics/.helmignore new file mode 100644 index 000000000..f0c131944 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/kube-state-metrics/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/kasten/k10/7.0.1401/charts/prometheus/charts/kube-state-metrics/Chart.yaml b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/kube-state-metrics/Chart.yaml new file mode 100644 index 000000000..755213319 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/kube-state-metrics/Chart.yaml @@ -0,0 +1,26 @@ +annotations: + artifacthub.io/license: Apache-2.0 + artifacthub.io/links: | + - name: Chart Source + url: https://github.com/prometheus-community/helm-charts +apiVersion: v2 +appVersion: 2.13.0 +description: Install kube-state-metrics to generate and expose cluster-level metrics +home: https://github.com/kubernetes/kube-state-metrics/ +keywords: +- metric +- monitoring +- prometheus +- kubernetes +maintainers: +- email: tariq.ibrahim@mulesoft.com + name: tariq1890 +- email: manuel@rueg.eu + name: mrueg +- email: david@0xdc.me + name: dotdc +name: kube-state-metrics +sources: +- https://github.com/kubernetes/kube-state-metrics/ +type: application +version: 5.26.0 diff --git a/charts/kasten/k10/7.0.1401/charts/prometheus/charts/kube-state-metrics/README.md b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/kube-state-metrics/README.md new file mode 100644 index 000000000..843be89e6 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/kube-state-metrics/README.md @@ -0,0 +1,85 @@ +# kube-state-metrics Helm Chart + +Installs the [kube-state-metrics agent](https://github.com/kubernetes/kube-state-metrics). + +## Get Repository Info + +```console +helm repo add prometheus-community https://prometheus-community.github.io/helm-charts +helm repo update +``` + +_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ + + +## Install Chart + +```console +helm install [RELEASE_NAME] prometheus-community/kube-state-metrics [flags] +``` + +_See [configuration](#configuration) below._ + +_See [helm install](https://helm.sh/docs/helm/helm_install/) for command documentation._ + +## Uninstall Chart + +```console +helm uninstall [RELEASE_NAME] +``` + +This removes all the Kubernetes components associated with the chart and deletes the release. + +_See [helm uninstall](https://helm.sh/docs/helm/helm_uninstall/) for command documentation._ + +## Upgrading Chart + +```console +helm upgrade [RELEASE_NAME] prometheus-community/kube-state-metrics [flags] +``` + +_See [helm upgrade](https://helm.sh/docs/helm/helm_upgrade/) for command documentation._ + +### Migrating from stable/kube-state-metrics and kubernetes/kube-state-metrics + +You can upgrade in-place: + +1. [get repository info](#get-repository-info) +1. [upgrade](#upgrading-chart) your existing release name using the new chart repository + +## Upgrading to v3.0.0 + +v3.0.0 includes kube-state-metrics v2.0, see the [changelog](https://github.com/kubernetes/kube-state-metrics/blob/release-2.0/CHANGELOG.md) for major changes on the application-side. + +The upgraded chart now the following changes: + +* Dropped support for helm v2 (helm v3 or later is required) +* collectors key was renamed to resources +* namespace key was renamed to namespaces + +## Configuration + +See [Customizing the Chart Before Installing](https://helm.sh/docs/intro/using_helm/#customizing-the-chart-before-installing). To see all configurable options with detailed comments: + +```console +helm show values prometheus-community/kube-state-metrics +``` + +### kube-rbac-proxy + +You can enable `kube-state-metrics` endpoint protection using `kube-rbac-proxy`. By setting `kubeRBACProxy.enabled: true`, this chart will deploy one RBAC proxy container per endpoint (metrics & telemetry). +To authorize access, authenticate your requests (via a `ServiceAccount` for example) with a `ClusterRole` attached such as: + +```yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kube-state-metrics-read +rules: + - apiGroups: [ "" ] + resources: ["services/kube-state-metrics"] + verbs: + - get +``` + +See [kube-rbac-proxy examples](https://github.com/brancz/kube-rbac-proxy/tree/master/examples/resource-attributes) for more details. diff --git a/charts/kasten/k10/7.0.1401/charts/prometheus/charts/kube-state-metrics/templates/NOTES.txt b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/kube-state-metrics/templates/NOTES.txt new file mode 100644 index 000000000..3589c24ec --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/kube-state-metrics/templates/NOTES.txt @@ -0,0 +1,23 @@ +kube-state-metrics is a simple service that listens to the Kubernetes API server and generates metrics about the state of the objects. +The exposed metrics can be found here: +https://github.com/kubernetes/kube-state-metrics/blob/master/docs/README.md#exposed-metrics + +The metrics are exported on the HTTP endpoint /metrics on the listening port. +In your case, {{ template "kube-state-metrics.fullname" . }}.{{ template "kube-state-metrics.namespace" . }}.svc.cluster.local:{{ .Values.service.port }}/metrics + +They are served either as plaintext or protobuf depending on the Accept header. +They are designed to be consumed either by Prometheus itself or by a scraper that is compatible with scraping a Prometheus client endpoint. + +{{- if .Values.kubeRBACProxy.enabled}} + +kube-rbac-proxy endpoint protections is enabled: +- Metrics endpoints are now HTTPS +- Ensure that the client authenticates the requests (e.g. via service account) with the following role permissions: +``` +rules: + - apiGroups: [ "" ] + resources: ["services/{{ template "kube-state-metrics.fullname" . }}"] + verbs: + - get +``` +{{- end }} diff --git a/charts/kasten/k10/7.0.1401/charts/prometheus/charts/kube-state-metrics/templates/_helpers.tpl b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/kube-state-metrics/templates/_helpers.tpl new file mode 100644 index 000000000..3dd326da4 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/kube-state-metrics/templates/_helpers.tpl @@ -0,0 +1,156 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "kube-state-metrics.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "kube-state-metrics.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create the name of the service account to use +*/}} +{{- define "kube-state-metrics.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} + {{ default (include "kube-state-metrics.fullname" .) .Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Allow the release namespace to be overridden for multi-namespace deployments in combined charts +*/}} +{{- define "kube-state-metrics.namespace" -}} + {{- if .Values.namespaceOverride -}} + {{- .Values.namespaceOverride -}} + {{- else -}} + {{- .Release.Namespace -}} + {{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "kube-state-metrics.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Generate basic labels +*/}} +{{- define "kube-state-metrics.labels" }} +helm.sh/chart: {{ template "kube-state-metrics.chart" . }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +app.kubernetes.io/component: metrics +app.kubernetes.io/part-of: {{ template "kube-state-metrics.name" . }} +{{- include "kube-state-metrics.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +{{- if .Values.customLabels }} +{{ tpl (toYaml .Values.customLabels) . }} +{{- end }} +{{- if .Values.releaseLabel }} +release: {{ .Release.Name }} +{{- end }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "kube-state-metrics.selectorLabels" }} +{{- if .Values.selectorOverride }} +{{ toYaml .Values.selectorOverride }} +{{- else }} +app.kubernetes.io/name: {{ include "kube-state-metrics.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} +{{- end }} + +{{/* Sets default scrape limits for servicemonitor */}} +{{- define "servicemonitor.scrapeLimits" -}} +{{- with .sampleLimit }} +sampleLimit: {{ . }} +{{- end }} +{{- with .targetLimit }} +targetLimit: {{ . }} +{{- end }} +{{- with .labelLimit }} +labelLimit: {{ . }} +{{- end }} +{{- with .labelNameLengthLimit }} +labelNameLengthLimit: {{ . }} +{{- end }} +{{- with .labelValueLengthLimit }} +labelValueLengthLimit: {{ . }} +{{- end }} +{{- end -}} + +{{/* +Formats imagePullSecrets. Input is (dict "Values" .Values "imagePullSecrets" .{specific imagePullSecrets}) +*/}} +{{- define "kube-state-metrics.imagePullSecrets" -}} +{{- range (concat .Values.global.imagePullSecrets .imagePullSecrets) }} + {{- if eq (typeOf .) "map[string]interface {}" }} +- {{ toYaml . | trim }} + {{- else }} +- name: {{ . }} + {{- end }} +{{- end }} +{{- end -}} + +{{/* +The image to use for kube-state-metrics +*/}} +{{- define "kube-state-metrics.image" -}} +{{- if .Values.image.sha }} +{{- if .Values.global.imageRegistry }} +{{- printf "%s/%s:%s@%s" .Values.global.imageRegistry .Values.image.repository (default (printf "v%s" .Chart.AppVersion) .Values.image.tag) .Values.image.sha }} +{{- else }} +{{- printf "%s/%s:%s@%s" .Values.image.registry .Values.image.repository (default (printf "v%s" .Chart.AppVersion) .Values.image.tag) .Values.image.sha }} +{{- end }} +{{- else }} +{{- if .Values.global.imageRegistry }} +{{- printf "%s/%s:%s" .Values.global.imageRegistry .Values.image.repository (default (printf "v%s" .Chart.AppVersion) .Values.image.tag) }} +{{- else }} +{{- printf "%s/%s:%s" .Values.image.registry .Values.image.repository (default (printf "v%s" .Chart.AppVersion) .Values.image.tag) }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +The image to use for kubeRBACProxy +*/}} +{{- define "kubeRBACProxy.image" -}} +{{- if .Values.kubeRBACProxy.image.sha }} +{{- if .Values.global.imageRegistry }} +{{- printf "%s/%s:%s@%s" .Values.global.imageRegistry .Values.kubeRBACProxy.image.repository (default (printf "v%s" .Chart.AppVersion) .Values.kubeRBACProxy.image.tag) .Values.kubeRBACProxy.image.sha }} +{{- else }} +{{- printf "%s/%s:%s@%s" .Values.kubeRBACProxy.image.registry .Values.kubeRBACProxy.image.repository (default (printf "v%s" .Chart.AppVersion) .Values.kubeRBACProxy.image.tag) .Values.kubeRBACProxy.image.sha }} +{{- end }} +{{- else }} +{{- if .Values.global.imageRegistry }} +{{- printf "%s/%s:%s" .Values.global.imageRegistry .Values.kubeRBACProxy.image.repository (default (printf "v%s" .Chart.AppVersion) .Values.kubeRBACProxy.image.tag) }} +{{- else }} +{{- printf "%s/%s:%s" .Values.kubeRBACProxy.image.registry .Values.kubeRBACProxy.image.repository (default (printf "v%s" .Chart.AppVersion) .Values.kubeRBACProxy.image.tag) }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/kasten/k10/7.0.1401/charts/prometheus/charts/kube-state-metrics/templates/ciliumnetworkpolicy.yaml b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/kube-state-metrics/templates/ciliumnetworkpolicy.yaml new file mode 100644 index 000000000..025cd47a8 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/kube-state-metrics/templates/ciliumnetworkpolicy.yaml @@ -0,0 +1,33 @@ +{{- if and .Values.networkPolicy.enabled (eq .Values.networkPolicy.flavor "cilium") }} +apiVersion: cilium.io/v2 +kind: CiliumNetworkPolicy +metadata: + {{- if .Values.annotations }} + annotations: + {{ toYaml .Values.annotations | nindent 4 }} + {{- end }} + labels: + {{- include "kube-state-metrics.labels" . | indent 4 }} + name: {{ template "kube-state-metrics.fullname" . }} + namespace: {{ template "kube-state-metrics.namespace" . }} +spec: + endpointSelector: + matchLabels: + {{- include "kube-state-metrics.selectorLabels" . | indent 6 }} + egress: + {{- if and .Values.networkPolicy.cilium .Values.networkPolicy.cilium.kubeApiServerSelector }} + {{ toYaml .Values.networkPolicy.cilium.kubeApiServerSelector | nindent 6 }} + {{- else }} + - toEntities: + - kube-apiserver + {{- end }} + ingress: + - toPorts: + - ports: + - port: {{ .Values.service.port | quote }} + protocol: TCP + {{- if .Values.selfMonitor.enabled }} + - port: {{ .Values.selfMonitor.telemetryPort | default 8081 | quote }} + protocol: TCP + {{ end }} +{{ end }} diff --git a/charts/kasten/k10/7.0.1401/charts/prometheus/charts/kube-state-metrics/templates/clusterrolebinding.yaml b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/kube-state-metrics/templates/clusterrolebinding.yaml new file mode 100644 index 000000000..cf9f628d0 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/kube-state-metrics/templates/clusterrolebinding.yaml @@ -0,0 +1,20 @@ +{{- if and .Values.rbac.create .Values.rbac.useClusterRole -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + {{- include "kube-state-metrics.labels" . | indent 4 }} + name: {{ template "kube-state-metrics.fullname" . }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole +{{- if .Values.rbac.useExistingRole }} + name: {{ .Values.rbac.useExistingRole }} +{{- else }} + name: {{ template "kube-state-metrics.fullname" . }} +{{- end }} +subjects: +- kind: ServiceAccount + name: {{ template "kube-state-metrics.serviceAccountName" . }} + namespace: {{ template "kube-state-metrics.namespace" . }} +{{- end -}} diff --git a/charts/kasten/k10/7.0.1401/charts/prometheus/charts/kube-state-metrics/templates/crs-configmap.yaml b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/kube-state-metrics/templates/crs-configmap.yaml new file mode 100644 index 000000000..d38a75a51 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/kube-state-metrics/templates/crs-configmap.yaml @@ -0,0 +1,16 @@ +{{- if .Values.customResourceState.enabled}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "kube-state-metrics.fullname" . }}-customresourcestate-config + namespace: {{ template "kube-state-metrics.namespace" . }} + labels: + {{- include "kube-state-metrics.labels" . | indent 4 }} + {{- if .Values.annotations }} + annotations: + {{ toYaml .Values.annotations | nindent 4 }} + {{- end }} +data: + config.yaml: | + {{- toYaml .Values.customResourceState.config | nindent 4 }} +{{- end }} diff --git a/charts/kasten/k10/7.0.1401/charts/prometheus/charts/kube-state-metrics/templates/deployment.yaml b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/kube-state-metrics/templates/deployment.yaml new file mode 100644 index 000000000..2aff18888 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/kube-state-metrics/templates/deployment.yaml @@ -0,0 +1,336 @@ +apiVersion: apps/v1 +{{- if .Values.autosharding.enabled }} +kind: StatefulSet +{{- else }} +kind: Deployment +{{- end }} +metadata: + name: {{ template "kube-state-metrics.fullname" . }} + namespace: {{ template "kube-state-metrics.namespace" . }} + labels: + {{- include "kube-state-metrics.labels" . | indent 4 }} + {{- if .Values.annotations }} + annotations: +{{ toYaml .Values.annotations | indent 4 }} + {{- end }} +spec: + selector: + matchLabels: + {{- include "kube-state-metrics.selectorLabels" . | indent 6 }} + replicas: {{ .Values.replicas }} + {{- if not .Values.autosharding.enabled }} + strategy: + type: {{ .Values.updateStrategy | default "RollingUpdate" }} + {{- end }} + revisionHistoryLimit: {{ .Values.revisionHistoryLimit }} + {{- if .Values.autosharding.enabled }} + serviceName: {{ template "kube-state-metrics.fullname" . }} + volumeClaimTemplates: [] + {{- end }} + template: + metadata: + labels: + {{- include "kube-state-metrics.labels" . | indent 8 }} + {{- with .Values.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- if .Values.podAnnotations }} + annotations: + {{ toYaml .Values.podAnnotations | nindent 8 }} + {{- end }} + spec: + automountServiceAccountToken: {{ .Values.automountServiceAccountToken }} + hostNetwork: {{ .Values.hostNetwork }} + serviceAccountName: {{ template "kube-state-metrics.serviceAccountName" . }} + {{- if .Values.securityContext.enabled }} + securityContext: {{- omit .Values.securityContext "enabled" | toYaml | nindent 8 }} + {{- end }} + {{- if .Values.priorityClassName }} + priorityClassName: {{ .Values.priorityClassName }} + {{- end }} + {{- with .Values.initContainers }} + initContainers: + {{- toYaml . | nindent 6 }} + {{- end }} + containers: + {{- $servicePort := ternary 9090 (.Values.service.port | default 8080) .Values.kubeRBACProxy.enabled}} + {{- $telemetryPort := ternary 9091 (.Values.selfMonitor.telemetryPort | default 8081) .Values.kubeRBACProxy.enabled}} + - name: {{ template "kube-state-metrics.name" . }} + {{- if .Values.autosharding.enabled }} + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + {{- end }} + args: + {{- if .Values.extraArgs }} + {{- .Values.extraArgs | toYaml | nindent 8 }} + {{- end }} + - --port={{ $servicePort }} + {{- if .Values.collectors }} + - --resources={{ .Values.collectors | join "," }} + {{- end }} + {{- if .Values.metricLabelsAllowlist }} + - --metric-labels-allowlist={{ .Values.metricLabelsAllowlist | join "," }} + {{- end }} + {{- if .Values.metricAnnotationsAllowList }} + - --metric-annotations-allowlist={{ .Values.metricAnnotationsAllowList | join "," }} + {{- end }} + {{- if .Values.metricAllowlist }} + - --metric-allowlist={{ .Values.metricAllowlist | join "," }} + {{- end }} + {{- if .Values.metricDenylist }} + - --metric-denylist={{ .Values.metricDenylist | join "," }} + {{- end }} + {{- $namespaces := list }} + {{- if .Values.namespaces }} + {{- range $ns := join "," .Values.namespaces | split "," }} + {{- $namespaces = append $namespaces (tpl $ns $) }} + {{- end }} + {{- end }} + {{- if .Values.releaseNamespace }} + {{- $namespaces = append $namespaces ( include "kube-state-metrics.namespace" . ) }} + {{- end }} + {{- if $namespaces }} + - --namespaces={{ $namespaces | mustUniq | join "," }} + {{- end }} + {{- if .Values.namespacesDenylist }} + - --namespaces-denylist={{ tpl (.Values.namespacesDenylist | join ",") $ }} + {{- end }} + {{- if .Values.autosharding.enabled }} + - --pod=$(POD_NAME) + - --pod-namespace=$(POD_NAMESPACE) + {{- end }} + {{- if .Values.kubeconfig.enabled }} + - --kubeconfig=/opt/k8s/.kube/config + {{- end }} + {{- if .Values.kubeRBACProxy.enabled }} + - --telemetry-host=127.0.0.1 + - --telemetry-port={{ $telemetryPort }} + {{- else }} + {{- if .Values.selfMonitor.telemetryHost }} + - --telemetry-host={{ .Values.selfMonitor.telemetryHost }} + {{- end }} + {{- if .Values.selfMonitor.telemetryPort }} + - --telemetry-port={{ $telemetryPort }} + {{- end }} + {{- end }} + {{- if .Values.customResourceState.enabled }} + - --custom-resource-state-config-file=/etc/customresourcestate/config.yaml + {{- end }} + {{- if or (.Values.kubeconfig.enabled) (.Values.customResourceState.enabled) (.Values.volumeMounts) }} + volumeMounts: + {{- if .Values.kubeconfig.enabled }} + - name: kubeconfig + mountPath: /opt/k8s/.kube/ + readOnly: true + {{- end }} + {{- if .Values.customResourceState.enabled }} + - name: customresourcestate-config + mountPath: /etc/customresourcestate + readOnly: true + {{- end }} + {{- if .Values.volumeMounts }} +{{ toYaml .Values.volumeMounts | indent 8 }} + {{- end }} + {{- end }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + image: {{ include "kube-state-metrics.image" . }} + {{- if eq .Values.kubeRBACProxy.enabled false }} + ports: + - containerPort: {{ .Values.service.port | default 8080}} + name: "http" + {{- if .Values.selfMonitor.enabled }} + - containerPort: {{ $telemetryPort }} + name: "metrics" + {{- end }} + {{- end }} + {{- if .Values.startupProbe.enabled }} + startupProbe: + failureThreshold: {{ .Values.startupProbe.failureThreshold }} + httpGet: + {{- if .Values.hostNetwork }} + host: 127.0.0.1 + {{- end }} + httpHeaders: + {{- range $_, $header := .Values.startupProbe.httpGet.httpHeaders }} + - name: {{ $header.name }} + value: {{ $header.value }} + {{- end }} + path: /healthz + port: {{ $servicePort }} + scheme: {{ upper .Values.startupProbe.httpGet.scheme }} + initialDelaySeconds: {{ .Values.startupProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.startupProbe.periodSeconds }} + successThreshold: {{ .Values.startupProbe.successThreshold }} + timeoutSeconds: {{ .Values.startupProbe.timeoutSeconds }} + {{- end }} + livenessProbe: + failureThreshold: {{ .Values.livenessProbe.failureThreshold }} + httpGet: + {{- if .Values.hostNetwork }} + host: 127.0.0.1 + {{- end }} + httpHeaders: + {{- range $_, $header := .Values.livenessProbe.httpGet.httpHeaders }} + - name: {{ $header.name }} + value: {{ $header.value }} + {{- end }} + path: /livez + port: {{ $servicePort }} + scheme: {{ upper .Values.livenessProbe.httpGet.scheme }} + initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.livenessProbe.periodSeconds }} + successThreshold: {{ .Values.livenessProbe.successThreshold }} + timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }} + readinessProbe: + failureThreshold: {{ .Values.readinessProbe.failureThreshold }} + httpGet: + {{- if .Values.hostNetwork }} + host: 127.0.0.1 + {{- end }} + httpHeaders: + {{- range $_, $header := .Values.readinessProbe.httpGet.httpHeaders }} + - name: {{ $header.name }} + value: {{ $header.value }} + {{- end }} + path: /readyz + port: {{ $servicePort }} + scheme: {{ upper .Values.readinessProbe.httpGet.scheme }} + initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.readinessProbe.periodSeconds }} + successThreshold: {{ .Values.readinessProbe.successThreshold }} + timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }} + resources: +{{ toYaml .Values.resources | indent 10 }} +{{- if .Values.containerSecurityContext }} + securityContext: +{{ toYaml .Values.containerSecurityContext | indent 10 }} +{{- end }} + {{- if .Values.kubeRBACProxy.enabled }} + - name: kube-rbac-proxy-http + args: + {{- if .Values.kubeRBACProxy.extraArgs }} + {{- .Values.kubeRBACProxy.extraArgs | toYaml | nindent 8 }} + {{- end }} + - --secure-listen-address=:{{ .Values.service.port | default 8080}} + - --upstream=http://127.0.0.1:{{ $servicePort }}/ + - --proxy-endpoints-port=8888 + - --config-file=/etc/kube-rbac-proxy-config/config-file.yaml + volumeMounts: + - name: kube-rbac-proxy-config + mountPath: /etc/kube-rbac-proxy-config + {{- with .Values.kubeRBACProxy.volumeMounts }} + {{- toYaml . | nindent 10 }} + {{- end }} + imagePullPolicy: {{ .Values.kubeRBACProxy.image.pullPolicy }} + image: {{ include "kubeRBACProxy.image" . }} + ports: + - containerPort: {{ .Values.service.port | default 8080}} + name: "http" + - containerPort: 8888 + name: "http-healthz" + readinessProbe: + httpGet: + scheme: HTTPS + port: 8888 + path: healthz + initialDelaySeconds: 5 + timeoutSeconds: 5 + {{- if .Values.kubeRBACProxy.resources }} + resources: +{{ toYaml .Values.kubeRBACProxy.resources | indent 10 }} +{{- end }} +{{- if .Values.kubeRBACProxy.containerSecurityContext }} + securityContext: +{{ toYaml .Values.kubeRBACProxy.containerSecurityContext | indent 10 }} +{{- end }} + {{- if .Values.selfMonitor.enabled }} + - name: kube-rbac-proxy-telemetry + args: + {{- if .Values.kubeRBACProxy.extraArgs }} + {{- .Values.kubeRBACProxy.extraArgs | toYaml | nindent 8 }} + {{- end }} + - --secure-listen-address=:{{ .Values.selfMonitor.telemetryPort | default 8081 }} + - --upstream=http://127.0.0.1:{{ $telemetryPort }}/ + - --proxy-endpoints-port=8889 + - --config-file=/etc/kube-rbac-proxy-config/config-file.yaml + volumeMounts: + - name: kube-rbac-proxy-config + mountPath: /etc/kube-rbac-proxy-config + {{- with .Values.kubeRBACProxy.volumeMounts }} + {{- toYaml . | nindent 10 }} + {{- end }} + imagePullPolicy: {{ .Values.kubeRBACProxy.image.pullPolicy }} + image: {{ include "kubeRBACProxy.image" . }} + ports: + - containerPort: {{ .Values.selfMonitor.telemetryPort | default 8081 }} + name: "metrics" + - containerPort: 8889 + name: "metrics-healthz" + readinessProbe: + httpGet: + scheme: HTTPS + port: 8889 + path: healthz + initialDelaySeconds: 5 + timeoutSeconds: 5 + {{- if .Values.kubeRBACProxy.resources }} + resources: +{{ toYaml .Values.kubeRBACProxy.resources | indent 10 }} +{{- end }} +{{- if .Values.kubeRBACProxy.containerSecurityContext }} + securityContext: +{{ toYaml .Values.kubeRBACProxy.containerSecurityContext | indent 10 }} +{{- end }} + {{- end }} + {{- end }} + {{- with .Values.containers }} + {{- toYaml . | nindent 6 }} + {{- end }} +{{- if or .Values.imagePullSecrets .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- include "kube-state-metrics.imagePullSecrets" (dict "Values" .Values "imagePullSecrets" .Values.imagePullSecrets) | indent 8 }} + {{- end }} + {{- if .Values.affinity }} + affinity: +{{ toYaml .Values.affinity | indent 8 }} + {{- end }} + {{- with .Values.nodeSelector }} + nodeSelector: +{{ tpl (toYaml .) $ | indent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: +{{ tpl (toYaml .) $ | indent 8 }} + {{- end }} + {{- if .Values.topologySpreadConstraints }} + topologySpreadConstraints: +{{ toYaml .Values.topologySpreadConstraints | indent 8 }} + {{- end }} + {{- if or (.Values.kubeconfig.enabled) (.Values.customResourceState.enabled) (.Values.volumes) (.Values.kubeRBACProxy.enabled) }} + volumes: + {{- if .Values.kubeconfig.enabled}} + - name: kubeconfig + secret: + secretName: {{ template "kube-state-metrics.fullname" . }}-kubeconfig + {{- end }} + {{- if .Values.kubeRBACProxy.enabled}} + - name: kube-rbac-proxy-config + configMap: + name: {{ template "kube-state-metrics.fullname" . }}-rbac-config + {{- end }} + {{- if .Values.customResourceState.enabled}} + - name: customresourcestate-config + configMap: + name: {{ template "kube-state-metrics.fullname" . }}-customresourcestate-config + {{- end }} + {{- if .Values.volumes }} +{{ toYaml .Values.volumes | indent 8 }} + {{- end }} + {{- end }} diff --git a/charts/kasten/k10/7.0.1401/charts/prometheus/charts/kube-state-metrics/templates/extra-manifests.yaml b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/kube-state-metrics/templates/extra-manifests.yaml new file mode 100644 index 000000000..567f7bf32 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/kube-state-metrics/templates/extra-manifests.yaml @@ -0,0 +1,4 @@ +{{ range .Values.extraManifests }} +--- +{{ tpl (toYaml .) $ }} +{{ end }} diff --git a/charts/kasten/k10/7.0.1401/charts/prometheus/charts/kube-state-metrics/templates/kubeconfig-secret.yaml b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/kube-state-metrics/templates/kubeconfig-secret.yaml new file mode 100644 index 000000000..6af008450 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/kube-state-metrics/templates/kubeconfig-secret.yaml @@ -0,0 +1,12 @@ +{{- if .Values.kubeconfig.enabled -}} +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "kube-state-metrics.fullname" . }}-kubeconfig + namespace: {{ template "kube-state-metrics.namespace" . }} + labels: + {{- include "kube-state-metrics.labels" . | indent 4 }} +type: Opaque +data: + config: '{{ .Values.kubeconfig.secret }}' +{{- end -}} diff --git a/charts/kasten/k10/7.0.1401/charts/prometheus/charts/kube-state-metrics/templates/networkpolicy.yaml b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/kube-state-metrics/templates/networkpolicy.yaml new file mode 100644 index 000000000..309b38ec5 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/kube-state-metrics/templates/networkpolicy.yaml @@ -0,0 +1,43 @@ +{{- if and .Values.networkPolicy.enabled (eq .Values.networkPolicy.flavor "kubernetes") }} +kind: NetworkPolicy +apiVersion: networking.k8s.io/v1 +metadata: + {{- if .Values.annotations }} + annotations: + {{ toYaml .Values.annotations | nindent 4 }} + {{- end }} + labels: + {{- include "kube-state-metrics.labels" . | indent 4 }} + name: {{ template "kube-state-metrics.fullname" . }} + namespace: {{ template "kube-state-metrics.namespace" . }} +spec: + {{- if .Values.networkPolicy.egress }} + ## Deny all egress by default + egress: + {{- toYaml .Values.networkPolicy.egress | nindent 4 }} + {{- end }} + ingress: + {{- if .Values.networkPolicy.ingress }} + {{- toYaml .Values.networkPolicy.ingress | nindent 4 }} + {{- else }} + ## Allow ingress on default ports by default + - ports: + - port: {{ .Values.service.port | default 8080 }} + protocol: TCP + {{- if .Values.selfMonitor.enabled }} + {{- $telemetryPort := ternary 9091 (.Values.selfMonitor.telemetryPort | default 8081) .Values.kubeRBACProxy.enabled}} + - port: {{ $telemetryPort }} + protocol: TCP + {{- end }} + {{- end }} + podSelector: + {{- if .Values.networkPolicy.podSelector }} + {{- toYaml .Values.networkPolicy.podSelector | nindent 4 }} + {{- else }} + matchLabels: + {{- include "kube-state-metrics.selectorLabels" . | indent 6 }} + {{- end }} + policyTypes: + - Ingress + - Egress +{{- end }} diff --git a/charts/kasten/k10/7.0.1401/charts/prometheus/charts/kube-state-metrics/templates/pdb.yaml b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/kube-state-metrics/templates/pdb.yaml new file mode 100644 index 000000000..3771b511d --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/kube-state-metrics/templates/pdb.yaml @@ -0,0 +1,18 @@ +{{- if .Values.podDisruptionBudget -}} +{{ if $.Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget" -}} +apiVersion: policy/v1 +{{- else -}} +apiVersion: policy/v1beta1 +{{- end }} +kind: PodDisruptionBudget +metadata: + name: {{ template "kube-state-metrics.fullname" . }} + namespace: {{ template "kube-state-metrics.namespace" . }} + labels: + {{- include "kube-state-metrics.labels" . | indent 4 }} +spec: + selector: + matchLabels: + app.kubernetes.io/name: {{ template "kube-state-metrics.name" . }} +{{ toYaml .Values.podDisruptionBudget | indent 2 }} +{{- end -}} diff --git a/charts/kasten/k10/7.0.1401/charts/prometheus/charts/kube-state-metrics/templates/podsecuritypolicy.yaml b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/kube-state-metrics/templates/podsecuritypolicy.yaml new file mode 100644 index 000000000..8905e113e --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/kube-state-metrics/templates/podsecuritypolicy.yaml @@ -0,0 +1,39 @@ +{{- if and .Values.podSecurityPolicy.enabled (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "kube-state-metrics.fullname" . }} + labels: + {{- include "kube-state-metrics.labels" . | indent 4 }} +{{- if .Values.podSecurityPolicy.annotations }} + annotations: +{{ toYaml .Values.podSecurityPolicy.annotations | indent 4 }} +{{- end }} +spec: + privileged: false + volumes: + - 'secret' +{{- if .Values.podSecurityPolicy.additionalVolumes }} +{{ toYaml .Values.podSecurityPolicy.additionalVolumes | indent 4 }} +{{- end }} + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'MustRunAsNonRoot' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'MustRunAs' + ranges: + # Forbid adding the root group. + - min: 1 + max: 65535 + fsGroup: + rule: 'MustRunAs' + ranges: + # Forbid adding the root group. + - min: 1 + max: 65535 + readOnlyRootFilesystem: false +{{- end }} diff --git a/charts/kasten/k10/7.0.1401/charts/prometheus/charts/kube-state-metrics/templates/psp-clusterrole.yaml b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/kube-state-metrics/templates/psp-clusterrole.yaml new file mode 100644 index 000000000..654e4a3d5 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/kube-state-metrics/templates/psp-clusterrole.yaml @@ -0,0 +1,19 @@ +{{- if and .Values.podSecurityPolicy.enabled (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + {{- include "kube-state-metrics.labels" . | indent 4 }} + name: psp-{{ template "kube-state-metrics.fullname" . }} +rules: +{{- $kubeTargetVersion := default .Capabilities.KubeVersion.GitVersion .Values.kubeTargetVersionOverride }} +{{- if semverCompare "> 1.15.0-0" $kubeTargetVersion }} +- apiGroups: ['policy'] +{{- else }} +- apiGroups: ['extensions'] +{{- end }} + resources: ['podsecuritypolicies'] + verbs: ['use'] + resourceNames: + - {{ template "kube-state-metrics.fullname" . }} +{{- end }} diff --git a/charts/kasten/k10/7.0.1401/charts/prometheus/charts/kube-state-metrics/templates/psp-clusterrolebinding.yaml b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/kube-state-metrics/templates/psp-clusterrolebinding.yaml new file mode 100644 index 000000000..5b62a18bd --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/kube-state-metrics/templates/psp-clusterrolebinding.yaml @@ -0,0 +1,16 @@ +{{- if and .Values.podSecurityPolicy.enabled (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + {{- include "kube-state-metrics.labels" . | indent 4 }} + name: psp-{{ template "kube-state-metrics.fullname" . }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: psp-{{ template "kube-state-metrics.fullname" . }} +subjects: + - kind: ServiceAccount + name: {{ template "kube-state-metrics.serviceAccountName" . }} + namespace: {{ template "kube-state-metrics.namespace" . }} +{{- end }} diff --git a/charts/kasten/k10/7.0.1401/charts/prometheus/charts/kube-state-metrics/templates/rbac-configmap.yaml b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/kube-state-metrics/templates/rbac-configmap.yaml new file mode 100644 index 000000000..671dc9d66 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/kube-state-metrics/templates/rbac-configmap.yaml @@ -0,0 +1,22 @@ +{{- if .Values.kubeRBACProxy.enabled}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "kube-state-metrics.fullname" . }}-rbac-config + namespace: {{ template "kube-state-metrics.namespace" . }} + labels: + {{- include "kube-state-metrics.labels" . | indent 4 }} + {{- if .Values.annotations }} + annotations: + {{ toYaml .Values.annotations | nindent 4 }} + {{- end }} +data: + config-file.yaml: |+ + authorization: + resourceAttributes: + namespace: {{ template "kube-state-metrics.namespace" . }} + apiVersion: v1 + resource: services + subresource: {{ template "kube-state-metrics.fullname" . }} + name: {{ template "kube-state-metrics.fullname" . }} +{{- end }} diff --git a/charts/kasten/k10/7.0.1401/charts/prometheus/charts/kube-state-metrics/templates/role.yaml b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/kube-state-metrics/templates/role.yaml new file mode 100644 index 000000000..d33687f2d --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/kube-state-metrics/templates/role.yaml @@ -0,0 +1,212 @@ +{{- if and (eq .Values.rbac.create true) (not .Values.rbac.useExistingRole) -}} +{{- range (ternary (join "," .Values.namespaces | split "," ) (list "") (eq $.Values.rbac.useClusterRole false)) }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +{{- if eq $.Values.rbac.useClusterRole false }} +kind: Role +{{- else }} +kind: ClusterRole +{{- end }} +metadata: + labels: + {{- include "kube-state-metrics.labels" $ | indent 4 }} + name: {{ template "kube-state-metrics.fullname" $ }} +{{- if eq $.Values.rbac.useClusterRole false }} + namespace: {{ . }} +{{- end }} +rules: +{{ if has "certificatesigningrequests" $.Values.collectors }} +- apiGroups: ["certificates.k8s.io"] + resources: + - certificatesigningrequests + verbs: ["list", "watch"] +{{ end -}} +{{ if has "configmaps" $.Values.collectors }} +- apiGroups: [""] + resources: + - configmaps + verbs: ["list", "watch"] +{{ end -}} +{{ if has "cronjobs" $.Values.collectors }} +- apiGroups: ["batch"] + resources: + - cronjobs + verbs: ["list", "watch"] +{{ end -}} +{{ if has "daemonsets" $.Values.collectors }} +- apiGroups: ["extensions", "apps"] + resources: + - daemonsets + verbs: ["list", "watch"] +{{ end -}} +{{ if has "deployments" $.Values.collectors }} +- apiGroups: ["extensions", "apps"] + resources: + - deployments + verbs: ["list", "watch"] +{{ end -}} +{{ if has "endpoints" $.Values.collectors }} +- apiGroups: [""] + resources: + - endpoints + verbs: ["list", "watch"] +{{ end -}} +{{ if has "endpointslices" $.Values.collectors }} +- apiGroups: ["discovery.k8s.io"] + resources: + - endpointslices + verbs: ["list", "watch"] +{{ end -}} +{{ if has "horizontalpodautoscalers" $.Values.collectors }} +- apiGroups: ["autoscaling"] + resources: + - horizontalpodautoscalers + verbs: ["list", "watch"] +{{ end -}} +{{ if has "ingresses" $.Values.collectors }} +- apiGroups: ["extensions", "networking.k8s.io"] + resources: + - ingresses + verbs: ["list", "watch"] +{{ end -}} +{{ if has "jobs" $.Values.collectors }} +- apiGroups: ["batch"] + resources: + - jobs + verbs: ["list", "watch"] +{{ end -}} +{{ if has "leases" $.Values.collectors }} +- apiGroups: ["coordination.k8s.io"] + resources: + - leases + verbs: ["list", "watch"] +{{ end -}} +{{ if has "limitranges" $.Values.collectors }} +- apiGroups: [""] + resources: + - limitranges + verbs: ["list", "watch"] +{{ end -}} +{{ if has "mutatingwebhookconfigurations" $.Values.collectors }} +- apiGroups: ["admissionregistration.k8s.io"] + resources: + - mutatingwebhookconfigurations + verbs: ["list", "watch"] +{{ end -}} +{{ if has "namespaces" $.Values.collectors }} +- apiGroups: [""] + resources: + - namespaces + verbs: ["list", "watch"] +{{ end -}} +{{ if has "networkpolicies" $.Values.collectors }} +- apiGroups: ["networking.k8s.io"] + resources: + - networkpolicies + verbs: ["list", "watch"] +{{ end -}} +{{ if has "nodes" $.Values.collectors }} +- apiGroups: [""] + resources: + - nodes + verbs: ["list", "watch"] +{{ end -}} +{{ if has "persistentvolumeclaims" $.Values.collectors }} +- apiGroups: [""] + resources: + - persistentvolumeclaims + verbs: ["list", "watch"] +{{ end -}} +{{ if has "persistentvolumes" $.Values.collectors }} +- apiGroups: [""] + resources: + - persistentvolumes + verbs: ["list", "watch"] +{{ end -}} +{{ if has "poddisruptionbudgets" $.Values.collectors }} +- apiGroups: ["policy"] + resources: + - poddisruptionbudgets + verbs: ["list", "watch"] +{{ end -}} +{{ if has "pods" $.Values.collectors }} +- apiGroups: [""] + resources: + - pods + verbs: ["list", "watch"] +{{ end -}} +{{ if has "replicasets" $.Values.collectors }} +- apiGroups: ["extensions", "apps"] + resources: + - replicasets + verbs: ["list", "watch"] +{{ end -}} +{{ if has "replicationcontrollers" $.Values.collectors }} +- apiGroups: [""] + resources: + - replicationcontrollers + verbs: ["list", "watch"] +{{ end -}} +{{ if has "resourcequotas" $.Values.collectors }} +- apiGroups: [""] + resources: + - resourcequotas + verbs: ["list", "watch"] +{{ end -}} +{{ if has "secrets" $.Values.collectors }} +- apiGroups: [""] + resources: + - secrets + verbs: ["list", "watch"] +{{ end -}} +{{ if has "services" $.Values.collectors }} +- apiGroups: [""] + resources: + - services + verbs: ["list", "watch"] +{{ end -}} +{{ if has "statefulsets" $.Values.collectors }} +- apiGroups: ["apps"] + resources: + - statefulsets + verbs: ["list", "watch"] +{{ end -}} +{{ if has "storageclasses" $.Values.collectors }} +- apiGroups: ["storage.k8s.io"] + resources: + - storageclasses + verbs: ["list", "watch"] +{{ end -}} +{{ if has "validatingwebhookconfigurations" $.Values.collectors }} +- apiGroups: ["admissionregistration.k8s.io"] + resources: + - validatingwebhookconfigurations + verbs: ["list", "watch"] +{{ end -}} +{{ if has "volumeattachments" $.Values.collectors }} +- apiGroups: ["storage.k8s.io"] + resources: + - volumeattachments + verbs: ["list", "watch"] +{{ end -}} +{{- if $.Values.kubeRBACProxy.enabled }} +- apiGroups: ["authentication.k8s.io"] + resources: + - tokenreviews + verbs: ["create"] +- apiGroups: ["authorization.k8s.io"] + resources: + - subjectaccessreviews + verbs: ["create"] +{{- end }} +{{- if $.Values.customResourceState.enabled }} +- apiGroups: ["apiextensions.k8s.io"] + resources: + - customresourcedefinitions + verbs: ["list", "watch"] +{{- end }} +{{ if $.Values.rbac.extraRules }} +{{ toYaml $.Values.rbac.extraRules }} +{{ end }} +{{- end -}} +{{- end -}} diff --git a/charts/kasten/k10/7.0.1401/charts/prometheus/charts/kube-state-metrics/templates/rolebinding.yaml b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/kube-state-metrics/templates/rolebinding.yaml new file mode 100644 index 000000000..330651b73 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/kube-state-metrics/templates/rolebinding.yaml @@ -0,0 +1,24 @@ +{{- if and (eq .Values.rbac.create true) (eq .Values.rbac.useClusterRole false) -}} +{{- range (join "," $.Values.namespaces) | split "," }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + {{- include "kube-state-metrics.labels" $ | indent 4 }} + name: {{ template "kube-state-metrics.fullname" $ }} + namespace: {{ . }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role +{{- if (not $.Values.rbac.useExistingRole) }} + name: {{ template "kube-state-metrics.fullname" $ }} +{{- else }} + name: {{ $.Values.rbac.useExistingRole }} +{{- end }} +subjects: +- kind: ServiceAccount + name: {{ template "kube-state-metrics.serviceAccountName" $ }} + namespace: {{ template "kube-state-metrics.namespace" $ }} +{{- end -}} +{{- end -}} diff --git a/charts/kasten/k10/7.0.1401/charts/prometheus/charts/kube-state-metrics/templates/service.yaml b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/kube-state-metrics/templates/service.yaml new file mode 100644 index 000000000..90c235148 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/kube-state-metrics/templates/service.yaml @@ -0,0 +1,53 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ template "kube-state-metrics.fullname" . }} + namespace: {{ template "kube-state-metrics.namespace" . }} + labels: + {{- include "kube-state-metrics.labels" . | indent 4 }} + annotations: + {{- if .Values.prometheusScrape }} + prometheus.io/scrape: '{{ .Values.prometheusScrape }}' + {{- end }} + {{- if .Values.service.annotations }} + {{- toYaml .Values.service.annotations | nindent 4 }} + {{- end }} +spec: + type: "{{ .Values.service.type }}" + {{- if .Values.service.ipDualStack.enabled }} + ipFamilies: {{ toYaml .Values.service.ipDualStack.ipFamilies | nindent 4 }} + ipFamilyPolicy: {{ .Values.service.ipDualStack.ipFamilyPolicy }} + {{- end }} + ports: + - name: "http" + protocol: TCP + port: {{ .Values.service.port | default 8080}} + {{- if .Values.service.nodePort }} + nodePort: {{ .Values.service.nodePort }} + {{- end }} + targetPort: {{ .Values.service.port | default 8080}} + {{ if .Values.selfMonitor.enabled }} + - name: "metrics" + protocol: TCP + port: {{ .Values.selfMonitor.telemetryPort | default 8081 }} + targetPort: {{ .Values.selfMonitor.telemetryPort | default 8081 }} + {{- if .Values.selfMonitor.telemetryNodePort }} + nodePort: {{ .Values.selfMonitor.telemetryNodePort }} + {{- end }} + {{ end }} +{{- if .Values.service.loadBalancerIP }} + loadBalancerIP: "{{ .Values.service.loadBalancerIP }}" +{{- end }} +{{- if .Values.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: + {{- range $cidr := .Values.service.loadBalancerSourceRanges }} + - {{ $cidr }} + {{- end }} +{{- end }} +{{- if .Values.autosharding.enabled }} + clusterIP: None +{{- else if .Values.service.clusterIP }} + clusterIP: "{{ .Values.service.clusterIP }}" +{{- end }} + selector: + {{- include "kube-state-metrics.selectorLabels" . | indent 4 }} diff --git a/charts/kasten/k10/7.0.1401/charts/prometheus/charts/kube-state-metrics/templates/serviceaccount.yaml b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/kube-state-metrics/templates/serviceaccount.yaml new file mode 100644 index 000000000..c302bc7ca --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/kube-state-metrics/templates/serviceaccount.yaml @@ -0,0 +1,18 @@ +{{- if .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }} +metadata: + labels: + {{- include "kube-state-metrics.labels" . | indent 4 }} + name: {{ template "kube-state-metrics.serviceAccountName" . }} + namespace: {{ template "kube-state-metrics.namespace" . }} +{{- if .Values.serviceAccount.annotations }} + annotations: +{{ toYaml .Values.serviceAccount.annotations | indent 4 }} +{{- end }} +{{- if or .Values.serviceAccount.imagePullSecrets .Values.global.imagePullSecrets }} +imagePullSecrets: + {{- include "kube-state-metrics.imagePullSecrets" (dict "Values" .Values "imagePullSecrets" .Values.serviceAccount.imagePullSecrets) | indent 2 }} +{{- end }} +{{- end -}} diff --git a/charts/kasten/k10/7.0.1401/charts/prometheus/charts/kube-state-metrics/templates/servicemonitor.yaml b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/kube-state-metrics/templates/servicemonitor.yaml new file mode 100644 index 000000000..99d7fa924 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/kube-state-metrics/templates/servicemonitor.yaml @@ -0,0 +1,120 @@ +{{- if .Values.prometheus.monitor.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ template "kube-state-metrics.fullname" . }} + namespace: {{ template "kube-state-metrics.namespace" . }} + labels: + {{- include "kube-state-metrics.labels" . | indent 4 }} + {{- with .Values.prometheus.monitor.additionalLabels }} + {{- tpl (toYaml . | nindent 4) $ }} + {{- end }} + {{- with .Values.prometheus.monitor.annotations }} + annotations: + {{- tpl (toYaml . | nindent 4) $ }} + {{- end }} +spec: + jobLabel: {{ default "app.kubernetes.io/name" .Values.prometheus.monitor.jobLabel }} + {{- with .Values.prometheus.monitor.targetLabels }} + targetLabels: + {{- toYaml . | trim | nindent 4 }} + {{- end }} + {{- with .Values.prometheus.monitor.podTargetLabels }} + podTargetLabels: + {{- toYaml . | trim | nindent 4 }} + {{- end }} + {{- include "servicemonitor.scrapeLimits" .Values.prometheus.monitor | indent 2 }} + {{- if .Values.prometheus.monitor.namespaceSelector }} + namespaceSelector: + matchNames: + {{- with .Values.prometheus.monitor.namespaceSelector }} + {{- toYaml . | nindent 6 }} + {{- end }} + {{- end }} + selector: + matchLabels: + {{- with .Values.prometheus.monitor.selectorOverride }} + {{- toYaml . | nindent 6 }} + {{- else }} + {{- include "kube-state-metrics.selectorLabels" . | indent 6 }} + {{- end }} + endpoints: + - port: http + {{- if or .Values.prometheus.monitor.http.interval .Values.prometheus.monitor.interval }} + interval: {{ .Values.prometheus.monitor.http.interval | default .Values.prometheus.monitor.interval }} + {{- end }} + {{- if or .Values.prometheus.monitor.http.scrapeTimeout .Values.prometheus.monitor.scrapeTimeout }} + scrapeTimeout: {{ .Values.prometheus.monitor.http.scrapeTimeout | default .Values.prometheus.monitor.scrapeTimeout }} + {{- end }} + {{- if or .Values.prometheus.monitor.http.proxyUrl .Values.prometheus.monitor.proxyUrl }} + proxyUrl: {{ .Values.prometheus.monitor.http.proxyUrl | default .Values.prometheus.monitor.proxyUrl }} + {{- end }} + {{- if or .Values.prometheus.monitor.http.enableHttp2 .Values.prometheus.monitor.enableHttp2 }} + enableHttp2: {{ .Values.prometheus.monitor.http.enableHttp2 | default .Values.prometheus.monitor.enableHttp2 }} + {{- end }} + {{- if or .Values.prometheus.monitor.http.honorLabels .Values.prometheus.monitor.honorLabels }} + honorLabels: true + {{- end }} + {{- if or .Values.prometheus.monitor.http.metricRelabelings .Values.prometheus.monitor.metricRelabelings }} + metricRelabelings: + {{- toYaml (.Values.prometheus.monitor.http.metricRelabelings | default .Values.prometheus.monitor.metricRelabelings) | nindent 8 }} + {{- end }} + {{- if or .Values.prometheus.monitor.http.relabelings .Values.prometheus.monitor.relabelings }} + relabelings: + {{- toYaml (.Values.prometheus.monitor.http.relabelings | default .Values.prometheus.monitor.relabelings) | nindent 8 }} + {{- end }} + {{- if or .Values.prometheus.monitor.http.scheme .Values.prometheus.monitor.scheme }} + scheme: {{ .Values.prometheus.monitor.http.scheme | default .Values.prometheus.monitor.scheme }} + {{- end }} + {{- if or .Values.prometheus.monitor.http.tlsConfig .Values.prometheus.monitor.tlsConfig }} + tlsConfig: + {{- toYaml (.Values.prometheus.monitor.http.tlsConfig | default .Values.prometheus.monitor.tlsConfig) | nindent 8 }} + {{- end }} + {{- if or .Values.prometheus.monitor.http.bearerTokenFile .Values.prometheus.monitor.bearerTokenFile }} + bearerTokenFile: {{ .Values.prometheus.monitor.http.bearerTokenFile | default .Values.prometheus.monitor.bearerTokenFile }} + {{- end }} + {{- with (.Values.prometheus.monitor.http.bearerTokenSecret | default .Values.prometheus.monitor.bearerTokenSecret) }} + bearerTokenSecret: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- if .Values.selfMonitor.enabled }} + - port: metrics + {{- if or .Values.prometheus.monitor.metrics.interval .Values.prometheus.monitor.interval }} + interval: {{ .Values.prometheus.monitor.metrics.interval | default .Values.prometheus.monitor.interval }} + {{- end }} + {{- if or .Values.prometheus.monitor.metrics.scrapeTimeout .Values.prometheus.monitor.scrapeTimeout }} + scrapeTimeout: {{ .Values.prometheus.monitor.metrics.scrapeTimeout | default .Values.prometheus.monitor.scrapeTimeout }} + {{- end }} + {{- if or .Values.prometheus.monitor.metrics.proxyUrl .Values.prometheus.monitor.proxyUrl }} + proxyUrl: {{ .Values.prometheus.monitor.metrics.proxyUrl | default .Values.prometheus.monitor.proxyUrl }} + {{- end }} + {{- if or .Values.prometheus.monitor.metrics.enableHttp2 .Values.prometheus.monitor.enableHttp2 }} + enableHttp2: {{ .Values.prometheus.monitor.metrics.enableHttp2 | default .Values.prometheus.monitor.enableHttp2 }} + {{- end }} + {{- if or .Values.prometheus.monitor.metrics.honorLabels .Values.prometheus.monitor.honorLabels }} + honorLabels: true + {{- end }} + {{- if or .Values.prometheus.monitor.metrics.metricRelabelings .Values.prometheus.monitor.metricRelabelings }} + metricRelabelings: + {{- toYaml (.Values.prometheus.monitor.metrics.metricRelabelings | default .Values.prometheus.monitor.metricRelabelings) | nindent 8 }} + {{- end }} + {{- if or .Values.prometheus.monitor.metrics.relabelings .Values.prometheus.monitor.relabelings }} + relabelings: + {{- toYaml (.Values.prometheus.monitor.metrics.relabelings | default .Values.prometheus.monitor.relabelings) | nindent 8 }} + {{- end }} + {{- if or .Values.prometheus.monitor.metrics.scheme .Values.prometheus.monitor.scheme }} + scheme: {{ .Values.prometheus.monitor.metrics.scheme | default .Values.prometheus.monitor.scheme }} + {{- end }} + {{- if or .Values.prometheus.monitor.metrics.tlsConfig .Values.prometheus.monitor.tlsConfig }} + tlsConfig: + {{- toYaml (.Values.prometheus.monitor.metrics.tlsConfig | default .Values.prometheus.monitor.tlsConfig) | nindent 8 }} + {{- end }} + {{- if or .Values.prometheus.monitor.metrics.bearerTokenFile .Values.prometheus.monitor.bearerTokenFile }} + bearerTokenFile: {{ .Values.prometheus.monitor.metrics.bearerTokenFile | default .Values.prometheus.monitor.bearerTokenFile }} + {{- end }} + {{- with (.Values.prometheus.monitor.metrics.bearerTokenSecret | default .Values.prometheus.monitor.bearerTokenSecret) }} + bearerTokenSecret: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- end }} +{{- end }} diff --git a/charts/kasten/k10/7.0.1401/charts/prometheus/charts/kube-state-metrics/templates/stsdiscovery-role.yaml b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/kube-state-metrics/templates/stsdiscovery-role.yaml new file mode 100644 index 000000000..489de147c --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/kube-state-metrics/templates/stsdiscovery-role.yaml @@ -0,0 +1,26 @@ +{{- if and .Values.autosharding.enabled .Values.rbac.create -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: stsdiscovery-{{ template "kube-state-metrics.fullname" . }} + namespace: {{ template "kube-state-metrics.namespace" . }} + labels: + {{- include "kube-state-metrics.labels" . | indent 4 }} +rules: +- apiGroups: + - "" + resources: + - pods + verbs: + - get +- apiGroups: + - apps + resourceNames: + - {{ template "kube-state-metrics.fullname" . }} + resources: + - statefulsets + verbs: + - get + - list + - watch +{{- end }} diff --git a/charts/kasten/k10/7.0.1401/charts/prometheus/charts/kube-state-metrics/templates/stsdiscovery-rolebinding.yaml b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/kube-state-metrics/templates/stsdiscovery-rolebinding.yaml new file mode 100644 index 000000000..73b37a4f6 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/kube-state-metrics/templates/stsdiscovery-rolebinding.yaml @@ -0,0 +1,17 @@ +{{- if and .Values.autosharding.enabled .Values.rbac.create -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: stsdiscovery-{{ template "kube-state-metrics.fullname" . }} + namespace: {{ template "kube-state-metrics.namespace" . }} + labels: + {{- include "kube-state-metrics.labels" . | indent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: stsdiscovery-{{ template "kube-state-metrics.fullname" . }} +subjects: + - kind: ServiceAccount + name: {{ template "kube-state-metrics.serviceAccountName" . }} + namespace: {{ template "kube-state-metrics.namespace" . }} +{{- end }} diff --git a/charts/kasten/k10/7.0.1401/charts/prometheus/charts/kube-state-metrics/templates/verticalpodautoscaler.yaml b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/kube-state-metrics/templates/verticalpodautoscaler.yaml new file mode 100644 index 000000000..f46305b51 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/kube-state-metrics/templates/verticalpodautoscaler.yaml @@ -0,0 +1,44 @@ +{{- if and (.Capabilities.APIVersions.Has "autoscaling.k8s.io/v1") (.Values.verticalPodAutoscaler.enabled) }} +apiVersion: autoscaling.k8s.io/v1 +kind: VerticalPodAutoscaler +metadata: + name: {{ template "kube-state-metrics.fullname" . }} + namespace: {{ template "kube-state-metrics.namespace" . }} + labels: + {{- include "kube-state-metrics.labels" . | indent 4 }} +spec: + {{- with .Values.verticalPodAutoscaler.recommenders }} + recommenders: + {{- toYaml . | nindent 4 }} + {{- end }} + resourcePolicy: + containerPolicies: + - containerName: {{ template "kube-state-metrics.name" . }} + {{- with .Values.verticalPodAutoscaler.controlledResources }} + controlledResources: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- if .Values.verticalPodAutoscaler.controlledValues }} + controlledValues: {{ .Values.verticalPodAutoscaler.controlledValues }} + {{- end }} + {{- if .Values.verticalPodAutoscaler.maxAllowed }} + maxAllowed: + {{ toYaml .Values.verticalPodAutoscaler.maxAllowed | nindent 8 }} + {{- end }} + {{- if .Values.verticalPodAutoscaler.minAllowed }} + minAllowed: + {{ toYaml .Values.verticalPodAutoscaler.minAllowed | nindent 8 }} + {{- end }} + targetRef: + apiVersion: apps/v1 + {{- if .Values.autosharding.enabled }} + kind: StatefulSet + {{- else }} + kind: Deployment + {{- end }} + name: {{ template "kube-state-metrics.fullname" . }} + {{- with .Values.verticalPodAutoscaler.updatePolicy }} + updatePolicy: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} diff --git a/charts/kasten/k10/7.0.1401/charts/prometheus/charts/kube-state-metrics/values.yaml b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/kube-state-metrics/values.yaml new file mode 100644 index 000000000..a7b2bdad6 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/kube-state-metrics/values.yaml @@ -0,0 +1,542 @@ +# Default values for kube-state-metrics. +prometheusScrape: true +image: + registry: registry.k8s.io + repository: kube-state-metrics/kube-state-metrics + # If unset use v + .Charts.appVersion + tag: "" + sha: "" + pullPolicy: IfNotPresent + +imagePullSecrets: [] +# - name: "image-pull-secret" + +global: + # To help compatibility with other charts which use global.imagePullSecrets. + # Allow either an array of {name: pullSecret} maps (k8s-style), or an array of strings (more common helm-style). + # global: + # imagePullSecrets: + # - name: pullSecret1 + # - name: pullSecret2 + # or + # global: + # imagePullSecrets: + # - pullSecret1 + # - pullSecret2 + imagePullSecrets: [] + # + # Allow parent charts to override registry hostname + imageRegistry: "" + +# If set to true, this will deploy kube-state-metrics as a StatefulSet and the data +# will be automatically sharded across <.Values.replicas> pods using the built-in +# autodiscovery feature: https://github.com/kubernetes/kube-state-metrics#automated-sharding +# This is an experimental feature and there are no stability guarantees. +autosharding: + enabled: false + +replicas: 1 + +# Change the deployment strategy when autosharding is disabled. +# ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy +# The default is "RollingUpdate" as per Kubernetes defaults. +# During a release, 'RollingUpdate' can lead to two running instances for a short period of time while 'Recreate' can create a small gap in data. +# updateStrategy: Recreate + +# Number of old history to retain to allow rollback +# Default Kubernetes value is set to 10 +revisionHistoryLimit: 10 + +# List of additional cli arguments to configure kube-state-metrics +# for example: --enable-gzip-encoding, --log-file, etc. +# all the possible args can be found here: https://github.com/kubernetes/kube-state-metrics/blob/master/docs/cli-arguments.md +extraArgs: [] + +# If false then the user will opt out of automounting API credentials. +automountServiceAccountToken: true + +service: + port: 8080 + # Default to clusterIP for backward compatibility + type: ClusterIP + ipDualStack: + enabled: false + ipFamilies: ["IPv6", "IPv4"] + ipFamilyPolicy: "PreferDualStack" + nodePort: 0 + loadBalancerIP: "" + # Only allow access to the loadBalancerIP from these IPs + loadBalancerSourceRanges: [] + clusterIP: "" + annotations: {} + +## Additional labels to add to all resources +customLabels: {} + # app: kube-state-metrics + +## Override selector labels +selectorOverride: {} + +## set to true to add the release label so scraping of the servicemonitor with kube-prometheus-stack works out of the box +releaseLabel: false + +hostNetwork: false + +rbac: + # If true, create & use RBAC resources + create: true + + # Set to a rolename to use existing role - skipping role creating - but still doing serviceaccount and rolebinding to it, rolename set here. + # useExistingRole: your-existing-role + + # If set to false - Run without Cluteradmin privs needed - ONLY works if namespace is also set (if useExistingRole is set this name is used as ClusterRole or Role to bind to) + useClusterRole: true + + # Add permissions for CustomResources' apiGroups in Role/ClusterRole. Should be used in conjunction with Custom Resource State Metrics configuration + # Example: + # - apiGroups: ["monitoring.coreos.com"] + # resources: ["prometheuses"] + # verbs: ["list", "watch"] + extraRules: [] + +# Configure kube-rbac-proxy. When enabled, creates one kube-rbac-proxy container per exposed HTTP endpoint (metrics and telemetry if enabled). +# The requests are served through the same service but requests are then HTTPS. +kubeRBACProxy: + enabled: false + image: + registry: quay.io + repository: brancz/kube-rbac-proxy + tag: v0.18.0 + sha: "" + pullPolicy: IfNotPresent + + # List of additional cli arguments to configure kube-rbac-prxy + # for example: --tls-cipher-suites, --log-file, etc. + # all the possible args can be found here: https://github.com/brancz/kube-rbac-proxy#usage + extraArgs: [] + + ## Specify security settings for a Container + ## Allows overrides and additional options compared to (Pod) securityContext + ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + containerSecurityContext: + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + + resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # limits: + # cpu: 100m + # memory: 64Mi + # requests: + # cpu: 10m + # memory: 32Mi + + ## volumeMounts enables mounting custom volumes in rbac-proxy containers + ## Useful for TLS certificates and keys + volumeMounts: [] + # - mountPath: /etc/tls + # name: kube-rbac-proxy-tls + # readOnly: true + +serviceAccount: + # Specifies whether a ServiceAccount should be created, require rbac true + create: true + # The name of the ServiceAccount to use. + # If not set and create is true, a name is generated using the fullname template + name: + # Reference to one or more secrets to be used when pulling images + # ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + imagePullSecrets: [] + # ServiceAccount annotations. + # Use case: AWS EKS IAM roles for service accounts + # ref: https://docs.aws.amazon.com/eks/latest/userguide/specify-service-account-role.html + annotations: {} + # If false then the user will opt out of automounting API credentials. + automountServiceAccountToken: true + +prometheus: + monitor: + enabled: false + annotations: {} + additionalLabels: {} + namespace: "" + namespaceSelector: [] + jobLabel: "" + targetLabels: [] + podTargetLabels: [] + ## SampleLimit defines per-scrape limit on number of scraped samples that will be accepted. + ## + sampleLimit: 0 + + ## TargetLimit defines a limit on the number of scraped targets that will be accepted. + ## + targetLimit: 0 + + ## Per-scrape limit on number of labels that will be accepted for a sample. Only valid in Prometheus versions 2.27.0 and newer. + ## + labelLimit: 0 + + ## Per-scrape limit on length of labels name that will be accepted for a sample. Only valid in Prometheus versions 2.27.0 and newer. + ## + labelNameLengthLimit: 0 + + ## Per-scrape limit on length of labels value that will be accepted for a sample. Only valid in Prometheus versions 2.27.0 and newer. + ## + labelValueLengthLimit: 0 + selectorOverride: {} + + ## kube-state-metrics endpoint + http: + interval: "" + scrapeTimeout: "" + proxyUrl: "" + ## Whether to enable HTTP2 for servicemonitor + enableHttp2: false + honorLabels: false + metricRelabelings: [] + relabelings: [] + scheme: "" + ## File to read bearer token for scraping targets + bearerTokenFile: "" + ## Secret to mount to read bearer token for scraping targets. The secret needs + ## to be in the same namespace as the service monitor and accessible by the + ## Prometheus Operator + bearerTokenSecret: {} + # name: secret-name + # key: key-name + tlsConfig: {} + + ## selfMonitor endpoint + metrics: + interval: "" + scrapeTimeout: "" + proxyUrl: "" + ## Whether to enable HTTP2 for servicemonitor + enableHttp2: false + honorLabels: false + metricRelabelings: [] + relabelings: [] + scheme: "" + ## File to read bearer token for scraping targets + bearerTokenFile: "" + ## Secret to mount to read bearer token for scraping targets. The secret needs + ## to be in the same namespace as the service monitor and accessible by the + ## Prometheus Operator + bearerTokenSecret: {} + # name: secret-name + # key: key-name + tlsConfig: {} + +## Specify if a Pod Security Policy for kube-state-metrics must be created +## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/ +## +podSecurityPolicy: + enabled: false + annotations: {} + ## Specify pod annotations + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#apparmor + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#sysctl + ## + # seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*' + # seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default' + # apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default' + + additionalVolumes: [] + +## Configure network policy for kube-state-metrics +networkPolicy: + enabled: false + # networkPolicy.flavor -- Flavor of the network policy to use. + # Can be: + # * kubernetes for networking.k8s.io/v1/NetworkPolicy + # * cilium for cilium.io/v2/CiliumNetworkPolicy + flavor: kubernetes + + ## Configure the cilium network policy kube-apiserver selector + # cilium: + # kubeApiServerSelector: + # - toEntities: + # - kube-apiserver + + # egress: + # - {} + # ingress: + # - {} + # podSelector: + # matchLabels: + # app.kubernetes.io/name: kube-state-metrics + +securityContext: + enabled: true + runAsGroup: 65534 + runAsUser: 65534 + fsGroup: 65534 + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + +## Specify security settings for a Container +## Allows overrides and additional options compared to (Pod) securityContext +## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container +containerSecurityContext: + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + +## Node labels for pod assignment +## Ref: https://kubernetes.io/docs/user-guide/node-selection/ +nodeSelector: {} + +## Affinity settings for pod assignment +## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ +affinity: {} + +## Tolerations for pod assignment +## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ +tolerations: [] + +## Topology spread constraints for pod assignment +## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ +topologySpreadConstraints: [] + +# Annotations to be added to the deployment/statefulset +annotations: {} + +# Annotations to be added to the pod +podAnnotations: {} + +# Labels to be added to the pod +podLabels: {} + +## Assign a PriorityClassName to pods if set +# priorityClassName: "" + +# Ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ +podDisruptionBudget: {} + +# Comma-separated list of metrics to be exposed. +# This list comprises of exact metric names and/or regex patterns. +# The allowlist and denylist are mutually exclusive. +metricAllowlist: [] + +# Comma-separated list of metrics not to be enabled. +# This list comprises of exact metric names and/or regex patterns. +# The allowlist and denylist are mutually exclusive. +metricDenylist: [] + +# Comma-separated list of additional Kubernetes label keys that will be used in the resource's +# labels metric. By default the metric contains only name and namespace labels. +# To include additional labels, provide a list of resource names in their plural form and Kubernetes +# label keys you would like to allow for them (Example: '=namespaces=[k8s-label-1,k8s-label-n,...],pods=[app],...)'. +# A single '*' can be provided per resource instead to allow any labels, but that has +# severe performance implications (Example: '=pods=[*]'). +metricLabelsAllowlist: [] + # - namespaces=[k8s-label-1,k8s-label-n] + +# Comma-separated list of Kubernetes annotations keys that will be used in the resource' +# labels metric. By default the metric contains only name and namespace labels. +# To include additional annotations provide a list of resource names in their plural form and Kubernetes +# annotation keys you would like to allow for them (Example: '=namespaces=[kubernetes.io/team,...],pods=[kubernetes.io/team],...)'. +# A single '*' can be provided per resource instead to allow any annotations, but that has +# severe performance implications (Example: '=pods=[*]'). +metricAnnotationsAllowList: [] + # - pods=[k8s-annotation-1,k8s-annotation-n] + +# Available collectors for kube-state-metrics. +# By default, all available resources are enabled, comment out to disable. +collectors: + - certificatesigningrequests + - configmaps + - cronjobs + - daemonsets + - deployments + - endpoints + - horizontalpodautoscalers + - ingresses + - jobs + - leases + - limitranges + - mutatingwebhookconfigurations + - namespaces + - networkpolicies + - nodes + - persistentvolumeclaims + - persistentvolumes + - poddisruptionbudgets + - pods + - replicasets + - replicationcontrollers + - resourcequotas + - secrets + - services + - statefulsets + - storageclasses + - validatingwebhookconfigurations + - volumeattachments + +# Enabling kubeconfig will pass the --kubeconfig argument to the container +kubeconfig: + enabled: false + # base64 encoded kube-config file + secret: + +# Enabling support for customResourceState, will create a configMap including your config that will be read from kube-state-metrics +customResourceState: + enabled: false + # Add (Cluster)Role permissions to list/watch the customResources defined in the config to rbac.extraRules + config: {} + +# Enable only the release namespace for collecting resources. By default all namespaces are collected. +# If releaseNamespace and namespaces are both set a merged list will be collected. +releaseNamespace: false + +# Comma-separated list(string) or yaml list of namespaces to be enabled for collecting resources. By default all namespaces are collected. +namespaces: "" + +# Comma-separated list of namespaces not to be enabled. If namespaces and namespaces-denylist are both set, +# only namespaces that are excluded in namespaces-denylist will be used. +namespacesDenylist: "" + +## Override the deployment namespace +## +namespaceOverride: "" + +resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # limits: + # cpu: 100m + # memory: 64Mi + # requests: + # cpu: 10m + # memory: 32Mi + +## Provide a k8s version to define apiGroups for podSecurityPolicy Cluster Role. +## For example: kubeTargetVersionOverride: 1.14.9 +## +kubeTargetVersionOverride: "" + +# Enable self metrics configuration for service and Service Monitor +# Default values for telemetry configuration can be overridden +# If you set telemetryNodePort, you must also set service.type to NodePort +selfMonitor: + enabled: false + # telemetryHost: 0.0.0.0 + # telemetryPort: 8081 + # telemetryNodePort: 0 + +# Enable vertical pod autoscaler support for kube-state-metrics +verticalPodAutoscaler: + enabled: false + + # Recommender responsible for generating recommendation for the object. + # List should be empty (then the default recommender will generate the recommendation) + # or contain exactly one recommender. + # recommenders: [] + # - name: custom-recommender-performance + + # List of resources that the vertical pod autoscaler can control. Defaults to cpu and memory + controlledResources: [] + # Specifies which resource values should be controlled: RequestsOnly or RequestsAndLimits. + # controlledValues: RequestsAndLimits + + # Define the max allowed resources for the pod + maxAllowed: {} + # cpu: 200m + # memory: 100Mi + # Define the min allowed resources for the pod + minAllowed: {} + # cpu: 200m + # memory: 100Mi + + # updatePolicy: + # Specifies minimal number of replicas which need to be alive for VPA Updater to attempt pod eviction + # minReplicas: 1 + # Specifies whether recommended updates are applied when a Pod is started and whether recommended updates + # are applied during the life of a Pod. Possible values are "Off", "Initial", "Recreate", and "Auto". + # updateMode: Auto + +# volumeMounts are used to add custom volume mounts to deployment. +# See example below +volumeMounts: [] +# - mountPath: /etc/config +# name: config-volume + +# volumes are used to add custom volumes to deployment +# See example below +volumes: [] +# - configMap: +# name: cm-for-volume +# name: config-volume + +# Extra manifests to deploy as an array +extraManifests: [] + # - apiVersion: v1 + # kind: ConfigMap + # metadata: + # labels: + # name: prometheus-extra + # data: + # extra-data: "value" + +## Containers allows injecting additional containers. +containers: [] + # - name: crd-init + # image: kiwigrid/k8s-sidecar:latest + +## InitContainers allows injecting additional initContainers. +initContainers: [] + # - name: crd-sidecar + # image: kiwigrid/k8s-sidecar:latest + +## Settings for startup, liveness and readiness probes +## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/ +## + +## Startup probe can optionally be enabled. +## +startupProbe: + enabled: false + failureThreshold: 3 + httpGet: + httpHeaders: [] + scheme: http + initialDelaySeconds: 0 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + +## Liveness probe +## +livenessProbe: + failureThreshold: 3 + httpGet: + httpHeaders: [] + scheme: http + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + +## Readiness probe +## +readinessProbe: + failureThreshold: 3 + httpGet: + httpHeaders: [] + scheme: http + initialDelaySeconds: 5 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 diff --git a/charts/kasten/k10/7.0.1401/charts/prometheus/charts/prometheus-node-exporter/.helmignore b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/prometheus-node-exporter/.helmignore new file mode 100644 index 000000000..f0c131944 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/prometheus-node-exporter/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/kasten/k10/7.0.1401/charts/prometheus/charts/prometheus-node-exporter/Chart.yaml b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/prometheus-node-exporter/Chart.yaml new file mode 100644 index 000000000..626592ca5 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/prometheus-node-exporter/Chart.yaml @@ -0,0 +1,25 @@ +annotations: + artifacthub.io/license: Apache-2.0 + artifacthub.io/links: | + - name: Chart Source + url: https://github.com/prometheus-community/helm-charts +apiVersion: v2 +appVersion: 1.8.2 +description: A Helm chart for prometheus node-exporter +home: https://github.com/prometheus/node_exporter/ +keywords: +- node-exporter +- prometheus +- exporter +maintainers: +- email: gianrubio@gmail.com + name: gianrubio +- email: zanhsieh@gmail.com + name: zanhsieh +- email: rootsandtrees@posteo.de + name: zeritti +name: prometheus-node-exporter +sources: +- https://github.com/prometheus/node_exporter/ +type: application +version: 4.40.0 diff --git a/charts/kasten/k10/7.0.1401/charts/prometheus/charts/prometheus-node-exporter/README.md b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/prometheus-node-exporter/README.md new file mode 100644 index 000000000..ef8384410 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/prometheus-node-exporter/README.md @@ -0,0 +1,96 @@ +# Prometheus Node Exporter + +Prometheus exporter for hardware and OS metrics exposed by *NIX kernels, written in Go with pluggable metric collectors. + +This chart bootstraps a Prometheus [Node Exporter](http://github.com/prometheus/node_exporter) daemonset on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. + +## Get Repository Info + +```console +helm repo add prometheus-community https://prometheus-community.github.io/helm-charts +helm repo update +``` + +_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ + +## Install Chart + +```console +helm install [RELEASE_NAME] prometheus-community/prometheus-node-exporter +``` + +_See [configuration](#configuring) below._ + +_See [helm install](https://helm.sh/docs/helm/helm_install/) for command documentation._ + +## Uninstall Chart + +```console +helm uninstall [RELEASE_NAME] +``` + +This removes all the Kubernetes components associated with the chart and deletes the release. + +_See [helm uninstall](https://helm.sh/docs/helm/helm_uninstall/) for command documentation._ + +## Upgrading Chart + +```console +helm upgrade [RELEASE_NAME] prometheus-community/prometheus-node-exporter --install +``` + +_See [helm upgrade](https://helm.sh/docs/helm/helm_upgrade/) for command documentation._ + +### 3.x to 4.x + +Starting from version 4.0.0, the `node exporter` chart is using the [Kubernetes recommended labels](https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels/). Therefore you have to delete the daemonset before you upgrade. + +```console +kubectl delete daemonset -l app=prometheus-node-exporter +helm upgrade -i prometheus-node-exporter prometheus-community/prometheus-node-exporter +``` + +If you use your own custom [ServiceMonitor](https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#servicemonitor) or [PodMonitor](https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#podmonitor), please ensure to upgrade their `selector` fields accordingly to the new labels. + +### From 2.x to 3.x + +Change the following: + +```yaml +hostRootFsMount: true +``` + +to: + +```yaml +hostRootFsMount: + enabled: true + mountPropagation: HostToContainer +``` + +## Configuring + +See [Customizing the Chart Before Installing](https://helm.sh/docs/intro/using_helm/#customizing-the-chart-before-installing). To see all configurable options with detailed comments, visit the chart's [values.yaml](./values.yaml), or run these configuration commands: + +```console +helm show values prometheus-community/prometheus-node-exporter +``` + +### kube-rbac-proxy + +You can enable `prometheus-node-exporter` endpoint protection using `kube-rbac-proxy`. By setting `kubeRBACProxy.enabled: true`, this chart will deploy a RBAC proxy container protecting the node-exporter endpoint. +To authorize access, authenticate your requests (via a `ServiceAccount` for example) with a `ClusterRole` attached such as: + +```yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: prometheus-node-exporter-read +rules: + - apiGroups: [ "" ] + resources: ["services/node-exporter-prometheus-node-exporter"] + verbs: + - get +``` + +See [kube-rbac-proxy examples](https://github.com/brancz/kube-rbac-proxy/tree/master/examples/resource-attributes) for more details. diff --git a/charts/kasten/k10/7.0.1401/charts/prometheus/charts/prometheus-node-exporter/ci/common-labels-values.yaml b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/prometheus-node-exporter/ci/common-labels-values.yaml new file mode 100644 index 000000000..719e9356e --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/prometheus-node-exporter/ci/common-labels-values.yaml @@ -0,0 +1,4 @@ +--- +commonLabels: + foo: bar + baz: '{{ include "prometheus-node-exporter.fullname" . }}' diff --git a/charts/kasten/k10/7.0.1401/charts/prometheus/charts/prometheus-node-exporter/ci/default-values.yaml b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/prometheus-node-exporter/ci/default-values.yaml new file mode 100644 index 000000000..39d98f716 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/prometheus-node-exporter/ci/default-values.yaml @@ -0,0 +1 @@ +## Default values test case diff --git a/charts/kasten/k10/7.0.1401/charts/prometheus/charts/prometheus-node-exporter/ci/networkpolicy-values.yaml b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/prometheus-node-exporter/ci/networkpolicy-values.yaml new file mode 100644 index 000000000..bcea8de49 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/prometheus-node-exporter/ci/networkpolicy-values.yaml @@ -0,0 +1,5 @@ +networkPolicy: + enabled: true + ingress: + - ports: + - port: 9100 diff --git a/charts/kasten/k10/7.0.1401/charts/prometheus/charts/prometheus-node-exporter/ci/pod-labels-values.yaml b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/prometheus-node-exporter/ci/pod-labels-values.yaml new file mode 100644 index 000000000..7de36a6ab --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/prometheus-node-exporter/ci/pod-labels-values.yaml @@ -0,0 +1,4 @@ +--- +podLabels: + foo: bar + baz: '{{ .Chart.AppVersion }}' diff --git a/charts/kasten/k10/7.0.1401/charts/prometheus/charts/prometheus-node-exporter/ci/port-values.yaml b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/prometheus-node-exporter/ci/port-values.yaml new file mode 100644 index 000000000..dbfb4b67f --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/prometheus-node-exporter/ci/port-values.yaml @@ -0,0 +1,3 @@ +service: + targetPort: 9102 + port: 9102 diff --git a/charts/kasten/k10/7.0.1401/charts/prometheus/charts/prometheus-node-exporter/ci/service-labels-values.yaml b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/prometheus-node-exporter/ci/service-labels-values.yaml new file mode 100644 index 000000000..9c5e36506 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/prometheus-node-exporter/ci/service-labels-values.yaml @@ -0,0 +1,5 @@ +--- +service: + labels: + foo: bar + baz: quux diff --git a/charts/kasten/k10/7.0.1401/charts/prometheus/charts/prometheus-node-exporter/ci/serviceport-values.yaml b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/prometheus-node-exporter/ci/serviceport-values.yaml new file mode 100644 index 000000000..b0b7be656 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/prometheus-node-exporter/ci/serviceport-values.yaml @@ -0,0 +1,3 @@ +--- +service: + servicePort: 80 diff --git a/charts/kasten/k10/7.0.1401/charts/prometheus/charts/prometheus-node-exporter/templates/NOTES.txt b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/prometheus-node-exporter/templates/NOTES.txt new file mode 100644 index 000000000..db8584def --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/prometheus-node-exporter/templates/NOTES.txt @@ -0,0 +1,29 @@ +1. Get the application URL by running these commands: +{{- if contains "NodePort" .Values.service.type }} + export NODE_PORT=$(kubectl get --namespace {{ template "prometheus-node-exporter.namespace" . }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "prometheus-node-exporter.fullname" . }}) + export NODE_IP=$(kubectl get nodes --namespace {{ template "prometheus-node-exporter.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}") + echo http://$NODE_IP:$NODE_PORT +{{- else if contains "LoadBalancer" .Values.service.type }} + NOTE: It may take a few minutes for the LoadBalancer IP to be available. + You can watch the status of by running 'kubectl get svc -w {{ template "prometheus-node-exporter.fullname" . }}' + export SERVICE_IP=$(kubectl get svc --namespace {{ template "prometheus-node-exporter.namespace" . }} {{ template "prometheus-node-exporter.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') + echo http://$SERVICE_IP:{{ .Values.service.port }} +{{- else if contains "ClusterIP" .Values.service.type }} + export POD_NAME=$(kubectl get pods --namespace {{ template "prometheus-node-exporter.namespace" . }} -l "app.kubernetes.io/name={{ template "prometheus-node-exporter.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") + echo "Visit http://127.0.0.1:9100 to use your application" + kubectl port-forward --namespace {{ template "prometheus-node-exporter.namespace" . }} $POD_NAME 9100 +{{- end }} + +{{- if .Values.kubeRBACProxy.enabled}} + +kube-rbac-proxy endpoint protections is enabled: +- Metrics endpoints is now HTTPS +- Ensure that the client authenticates the requests (e.g. via service account) with the following role permissions: +``` +rules: + - apiGroups: [ "" ] + resources: ["services/{{ template "prometheus-node-exporter.fullname" . }}"] + verbs: + - get +``` +{{- end }} \ No newline at end of file diff --git a/charts/kasten/k10/7.0.1401/charts/prometheus/charts/prometheus-node-exporter/templates/_helpers.tpl b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/prometheus-node-exporter/templates/_helpers.tpl new file mode 100644 index 000000000..6f6518b71 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/prometheus-node-exporter/templates/_helpers.tpl @@ -0,0 +1,202 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "prometheus-node-exporter.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "prometheus-node-exporter.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "prometheus-node-exporter.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "prometheus-node-exporter.labels" -}} +helm.sh/chart: {{ include "prometheus-node-exporter.chart" . }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +app.kubernetes.io/component: metrics +app.kubernetes.io/part-of: {{ include "prometheus-node-exporter.name" . }} +{{ include "prometheus-node-exporter.selectorLabels" . }} +{{- with .Chart.AppVersion }} +app.kubernetes.io/version: {{ . | quote }} +{{- end }} +{{- with .Values.commonLabels }} +{{ tpl (toYaml .) $ }} +{{- end }} +{{- if .Values.releaseLabel }} +release: {{ .Release.Name }} +{{- end }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "prometheus-node-exporter.selectorLabels" -}} +app.kubernetes.io/name: {{ include "prometheus-node-exporter.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + + +{{/* +Create the name of the service account to use +*/}} +{{- define "prometheus-node-exporter.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "prometheus-node-exporter.fullname" .) .Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} + +{{/* +The image to use +*/}} +{{- define "prometheus-node-exporter.image" -}} +{{- if .Values.image.sha }} +{{- fail "image.sha forbidden. Use image.digest instead" }} +{{- else if .Values.image.digest }} +{{- if .Values.global.imageRegistry }} +{{- printf "%s/%s:%s@%s" .Values.global.imageRegistry .Values.image.repository (default (printf "v%s" .Chart.AppVersion) .Values.image.tag) .Values.image.digest }} +{{- else }} +{{- printf "%s/%s:%s@%s" .Values.image.registry .Values.image.repository (default (printf "v%s" .Chart.AppVersion) .Values.image.tag) .Values.image.digest }} +{{- end }} +{{- else }} +{{- if .Values.global.imageRegistry }} +{{- printf "%s/%s:%s" .Values.global.imageRegistry .Values.image.repository (default (printf "v%s" .Chart.AppVersion) .Values.image.tag) }} +{{- else }} +{{- printf "%s/%s:%s" .Values.image.registry .Values.image.repository (default (printf "v%s" .Chart.AppVersion) .Values.image.tag) }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Allow the release namespace to be overridden for multi-namespace deployments in combined charts +*/}} +{{- define "prometheus-node-exporter.namespace" -}} +{{- if .Values.namespaceOverride }} +{{- .Values.namespaceOverride }} +{{- else }} +{{- .Release.Namespace }} +{{- end }} +{{- end }} + +{{/* +Create the namespace name of the service monitor +*/}} +{{- define "prometheus-node-exporter.monitor-namespace" -}} +{{- if .Values.namespaceOverride }} +{{- .Values.namespaceOverride }} +{{- else }} +{{- if .Values.prometheus.monitor.namespace }} +{{- .Values.prometheus.monitor.namespace }} +{{- else }} +{{- .Release.Namespace }} +{{- end }} +{{- end }} +{{- end }} + +{{/* Sets default scrape limits for servicemonitor */}} +{{- define "servicemonitor.scrapeLimits" -}} +{{- with .sampleLimit }} +sampleLimit: {{ . }} +{{- end }} +{{- with .targetLimit }} +targetLimit: {{ . }} +{{- end }} +{{- with .labelLimit }} +labelLimit: {{ . }} +{{- end }} +{{- with .labelNameLengthLimit }} +labelNameLengthLimit: {{ . }} +{{- end }} +{{- with .labelValueLengthLimit }} +labelValueLengthLimit: {{ . }} +{{- end }} +{{- end }} + +{{/* +Formats imagePullSecrets. Input is (dict "Values" .Values "imagePullSecrets" .{specific imagePullSecrets}) +*/}} +{{- define "prometheus-node-exporter.imagePullSecrets" -}} +{{- range (concat .Values.global.imagePullSecrets .imagePullSecrets) }} + {{- if eq (typeOf .) "map[string]interface {}" }} +- {{ toYaml . | trim }} + {{- else }} +- name: {{ . }} + {{- end }} +{{- end }} +{{- end -}} + +{{/* +Create the namespace name of the pod monitor +*/}} +{{- define "prometheus-node-exporter.podmonitor-namespace" -}} +{{- if .Values.namespaceOverride }} +{{- .Values.namespaceOverride }} +{{- else }} +{{- if .Values.prometheus.podMonitor.namespace }} +{{- .Values.prometheus.podMonitor.namespace }} +{{- else }} +{{- .Release.Namespace }} +{{- end }} +{{- end }} +{{- end }} + +{{/* Sets default scrape limits for podmonitor */}} +{{- define "podmonitor.scrapeLimits" -}} +{{- with .sampleLimit }} +sampleLimit: {{ . }} +{{- end }} +{{- with .targetLimit }} +targetLimit: {{ . }} +{{- end }} +{{- with .labelLimit }} +labelLimit: {{ . }} +{{- end }} +{{- with .labelNameLengthLimit }} +labelNameLengthLimit: {{ . }} +{{- end }} +{{- with .labelValueLengthLimit }} +labelValueLengthLimit: {{ . }} +{{- end }} +{{- end }} + +{{/* Sets sidecar volumeMounts */}} +{{- define "prometheus-node-exporter.sidecarVolumeMounts" -}} +{{- range $_, $mount := $.Values.sidecarVolumeMount }} +- name: {{ $mount.name }} + mountPath: {{ $mount.mountPath }} + readOnly: {{ $mount.readOnly }} +{{- end }} +{{- range $_, $mount := $.Values.sidecarHostVolumeMounts }} +- name: {{ $mount.name }} + mountPath: {{ $mount.mountPath }} + readOnly: {{ $mount.readOnly }} +{{- if $mount.mountPropagation }} + mountPropagation: {{ $mount.mountPropagation }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/kasten/k10/7.0.1401/charts/prometheus/charts/prometheus-node-exporter/templates/clusterrole.yaml b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/prometheus-node-exporter/templates/clusterrole.yaml new file mode 100644 index 000000000..c256dba73 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/prometheus-node-exporter/templates/clusterrole.yaml @@ -0,0 +1,19 @@ +{{- if and (eq .Values.rbac.create true) (eq .Values.kubeRBACProxy.enabled true) -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "prometheus-node-exporter.fullname" . }} + labels: + {{- include "prometheus-node-exporter.labels" . | nindent 4 }} +rules: + {{- if $.Values.kubeRBACProxy.enabled }} + - apiGroups: [ "authentication.k8s.io" ] + resources: + - tokenreviews + verbs: [ "create" ] + - apiGroups: [ "authorization.k8s.io" ] + resources: + - subjectaccessreviews + verbs: [ "create" ] + {{- end }} +{{- end -}} diff --git a/charts/kasten/k10/7.0.1401/charts/prometheus/charts/prometheus-node-exporter/templates/clusterrolebinding.yaml b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/prometheus-node-exporter/templates/clusterrolebinding.yaml new file mode 100644 index 000000000..653305ad9 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/prometheus-node-exporter/templates/clusterrolebinding.yaml @@ -0,0 +1,20 @@ +{{- if and (eq .Values.rbac.create true) (eq .Values.kubeRBACProxy.enabled true) -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + {{- include "prometheus-node-exporter.labels" . | nindent 4 }} + name: {{ template "prometheus-node-exporter.fullname" . }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole +{{- if .Values.rbac.useExistingRole }} + name: {{ .Values.rbac.useExistingRole }} +{{- else }} + name: {{ template "prometheus-node-exporter.fullname" . }} +{{- end }} +subjects: +- kind: ServiceAccount + name: {{ template "prometheus-node-exporter.serviceAccountName" . }} + namespace: {{ template "prometheus-node-exporter.namespace" . }} +{{- end -}} diff --git a/charts/kasten/k10/7.0.1401/charts/prometheus/charts/prometheus-node-exporter/templates/daemonset.yaml b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/prometheus-node-exporter/templates/daemonset.yaml new file mode 100644 index 000000000..37ac60e67 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/prometheus-node-exporter/templates/daemonset.yaml @@ -0,0 +1,315 @@ +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: {{ include "prometheus-node-exporter.fullname" . }} + namespace: {{ include "prometheus-node-exporter.namespace" . }} + labels: + {{- include "prometheus-node-exporter.labels" . | nindent 4 }} + {{- with .Values.daemonsetAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + selector: + matchLabels: + {{- include "prometheus-node-exporter.selectorLabels" . | nindent 6 }} + revisionHistoryLimit: {{ .Values.revisionHistoryLimit }} + {{- with .Values.updateStrategy }} + updateStrategy: + {{- toYaml . | nindent 4 }} + {{- end }} + template: + metadata: + {{- with .Values.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "prometheus-node-exporter.labels" . | nindent 8 }} + {{- with .Values.podLabels }} + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + spec: + automountServiceAccountToken: {{ ternary true false (or .Values.serviceAccount.automountServiceAccountToken .Values.kubeRBACProxy.enabled) }} + {{- with .Values.securityContext }} + securityContext: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.priorityClassName }} + priorityClassName: {{ . }} + {{- end }} + {{- with .Values.extraInitContainers }} + initContainers: + {{- toYaml . | nindent 8 }} + {{- end }} + serviceAccountName: {{ include "prometheus-node-exporter.serviceAccountName" . }} + {{- with .Values.terminationGracePeriodSeconds }} + terminationGracePeriodSeconds: {{ . }} + {{- end }} + containers: + {{- $servicePort := ternary .Values.kubeRBACProxy.port .Values.service.port .Values.kubeRBACProxy.enabled }} + - name: node-exporter + image: {{ include "prometheus-node-exporter.image" . }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + args: + - --path.procfs=/host/proc + - --path.sysfs=/host/sys + {{- if .Values.hostRootFsMount.enabled }} + - --path.rootfs=/host/root + {{- if semverCompare ">=1.4.0-0" (coalesce .Values.version .Values.image.tag .Chart.AppVersion) }} + - --path.udev.data=/host/root/run/udev/data + {{- end }} + {{- end }} + - --web.listen-address=[$(HOST_IP)]:{{ $servicePort }} + {{- with .Values.extraArgs }} + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.containerSecurityContext }} + securityContext: + {{- toYaml . | nindent 12 }} + {{- end }} + env: + - name: HOST_IP + {{- if .Values.kubeRBACProxy.enabled }} + value: 127.0.0.1 + {{- else if .Values.service.listenOnAllInterfaces }} + value: 0.0.0.0 + {{- else }} + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.hostIP + {{- end }} + {{- range $key, $value := .Values.env }} + - name: {{ $key }} + value: {{ $value | quote }} + {{- end }} + {{- if eq .Values.kubeRBACProxy.enabled false }} + ports: + - name: {{ .Values.service.portName }} + containerPort: {{ .Values.service.port }} + protocol: TCP + {{- end }} + livenessProbe: + failureThreshold: {{ .Values.livenessProbe.failureThreshold }} + httpGet: + {{- if .Values.kubeRBACProxy.enabled }} + host: 127.0.0.1 + {{- end }} + httpHeaders: + {{- range $_, $header := .Values.livenessProbe.httpGet.httpHeaders }} + - name: {{ $header.name }} + value: {{ $header.value }} + {{- end }} + path: / + port: {{ $servicePort }} + scheme: {{ upper .Values.livenessProbe.httpGet.scheme }} + initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.livenessProbe.periodSeconds }} + successThreshold: {{ .Values.livenessProbe.successThreshold }} + timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }} + readinessProbe: + failureThreshold: {{ .Values.readinessProbe.failureThreshold }} + httpGet: + {{- if .Values.kubeRBACProxy.enabled }} + host: 127.0.0.1 + {{- end }} + httpHeaders: + {{- range $_, $header := .Values.readinessProbe.httpGet.httpHeaders }} + - name: {{ $header.name }} + value: {{ $header.value }} + {{- end }} + path: / + port: {{ $servicePort }} + scheme: {{ upper .Values.readinessProbe.httpGet.scheme }} + initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.readinessProbe.periodSeconds }} + successThreshold: {{ .Values.readinessProbe.successThreshold }} + timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }} + {{- with .Values.resources }} + resources: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- if .Values.terminationMessageParams.enabled }} + {{- with .Values.terminationMessageParams }} + terminationMessagePath: {{ .terminationMessagePath }} + terminationMessagePolicy: {{ .terminationMessagePolicy }} + {{- end }} + {{- end }} + volumeMounts: + - name: proc + mountPath: /host/proc + {{- with .Values.hostProcFsMount.mountPropagation }} + mountPropagation: {{ . }} + {{- end }} + readOnly: true + - name: sys + mountPath: /host/sys + {{- with .Values.hostSysFsMount.mountPropagation }} + mountPropagation: {{ . }} + {{- end }} + readOnly: true + {{- if .Values.hostRootFsMount.enabled }} + - name: root + mountPath: /host/root + {{- with .Values.hostRootFsMount.mountPropagation }} + mountPropagation: {{ . }} + {{- end }} + readOnly: true + {{- end }} + {{- range $_, $mount := .Values.extraHostVolumeMounts }} + - name: {{ $mount.name }} + mountPath: {{ $mount.mountPath }} + readOnly: {{ $mount.readOnly }} + {{- with $mount.mountPropagation }} + mountPropagation: {{ . }} + {{- end }} + {{- end }} + {{- range $_, $mount := .Values.sidecarVolumeMount }} + - name: {{ $mount.name }} + mountPath: {{ $mount.mountPath }} + readOnly: true + {{- end }} + {{- range $_, $mount := .Values.configmaps }} + - name: {{ $mount.name }} + mountPath: {{ $mount.mountPath }} + {{- end }} + {{- range $_, $mount := .Values.secrets }} + - name: {{ .name }} + mountPath: {{ .mountPath }} + {{- end }} + {{- range .Values.sidecars }} + {{- $overwrites := dict "volumeMounts" (concat (include "prometheus-node-exporter.sidecarVolumeMounts" $ | fromYamlArray) (.volumeMounts | default list) | default list) }} + {{- $defaults := dict "image" (include "prometheus-node-exporter.image" $) "securityContext" $.Values.containerSecurityContext "imagePullPolicy" $.Values.image.pullPolicy }} + - {{- toYaml (merge $overwrites . $defaults) | nindent 10 }} + {{- end }} + {{- if .Values.kubeRBACProxy.enabled }} + - name: kube-rbac-proxy + args: + {{- if .Values.kubeRBACProxy.extraArgs }} + {{- .Values.kubeRBACProxy.extraArgs | toYaml | nindent 12 }} + {{- end }} + - --secure-listen-address=:{{ .Values.service.port}} + - --upstream=http://127.0.0.1:{{ $servicePort }}/ + - --proxy-endpoints-port={{ .Values.kubeRBACProxy.proxyEndpointsPort }} + - --config-file=/etc/kube-rbac-proxy-config/config-file.yaml + volumeMounts: + - name: kube-rbac-proxy-config + mountPath: /etc/kube-rbac-proxy-config + imagePullPolicy: {{ .Values.kubeRBACProxy.image.pullPolicy }} + {{- if .Values.kubeRBACProxy.image.sha }} + image: "{{ .Values.global.imageRegistry | default .Values.kubeRBACProxy.image.registry}}/{{ .Values.kubeRBACProxy.image.repository }}:{{ .Values.kubeRBACProxy.image.tag }}@sha256:{{ .Values.kubeRBACProxy.image.sha }}" + {{- else }} + image: "{{ .Values.global.imageRegistry | default .Values.kubeRBACProxy.image.registry}}/{{ .Values.kubeRBACProxy.image.repository }}:{{ .Values.kubeRBACProxy.image.tag }}" + {{- end }} + ports: + - containerPort: {{ .Values.service.port}} + name: {{ .Values.kubeRBACProxy.portName }} + {{- if .Values.kubeRBACProxy.enableHostPort }} + hostPort: {{ .Values.service.port }} + {{- end }} + - containerPort: {{ .Values.kubeRBACProxy.proxyEndpointsPort }} + {{- if .Values.kubeRBACProxy.enableProxyEndpointsHostPort }} + hostPort: {{ .Values.kubeRBACProxy.proxyEndpointsPort }} + {{- end }} + name: "http-healthz" + readinessProbe: + httpGet: + scheme: HTTPS + port: {{ .Values.kubeRBACProxy.proxyEndpointsPort }} + path: healthz + initialDelaySeconds: 5 + timeoutSeconds: 5 + {{- if .Values.kubeRBACProxy.resources }} + resources: + {{- toYaml .Values.kubeRBACProxy.resources | nindent 12 }} + {{- end }} + {{- if .Values.terminationMessageParams.enabled }} + {{- with .Values.terminationMessageParams }} + terminationMessagePath: {{ .terminationMessagePath }} + terminationMessagePolicy: {{ .terminationMessagePolicy }} + {{- end }} + {{- end }} + {{- with .Values.kubeRBACProxy.env }} + env: + {{- range $key, $value := $.Values.kubeRBACProxy.env }} + - name: {{ $key }} + value: {{ $value | quote }} + {{- end }} + {{- end }} + {{- if .Values.kubeRBACProxy.containerSecurityContext }} + securityContext: + {{ toYaml .Values.kubeRBACProxy.containerSecurityContext | nindent 12 }} + {{- end }} + {{- end }} + {{- if or .Values.imagePullSecrets .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- include "prometheus-node-exporter.imagePullSecrets" (dict "Values" .Values "imagePullSecrets" .Values.imagePullSecrets) | indent 8 }} + {{- end }} + hostNetwork: {{ .Values.hostNetwork }} + hostPID: {{ .Values.hostPID }} + hostIPC: {{ .Values.hostIPC }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.dnsConfig }} + dnsConfig: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.restartPolicy }} + restartPolicy: {{ . }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} + volumes: + - name: proc + hostPath: + path: /proc + - name: sys + hostPath: + path: /sys + {{- if .Values.hostRootFsMount.enabled }} + - name: root + hostPath: + path: / + {{- end }} + {{- range $_, $mount := .Values.extraHostVolumeMounts }} + - name: {{ $mount.name }} + hostPath: + path: {{ $mount.hostPath }} + {{- with $mount.type }} + type: {{ . }} + {{- end }} + {{- end }} + {{- range $_, $mount := .Values.sidecarVolumeMount }} + - name: {{ $mount.name }} + emptyDir: + medium: Memory + {{- end }} + {{- range $_, $mount := .Values.sidecarHostVolumeMounts }} + - name: {{ $mount.name }} + hostPath: + path: {{ $mount.hostPath }} + {{- end }} + {{- range $_, $mount := .Values.configmaps }} + - name: {{ $mount.name }} + configMap: + name: {{ $mount.name }} + {{- end }} + {{- range $_, $mount := .Values.secrets }} + - name: {{ $mount.name }} + secret: + secretName: {{ $mount.name }} + {{- end }} + {{- if .Values.kubeRBACProxy.enabled }} + - name: kube-rbac-proxy-config + configMap: + name: {{ template "prometheus-node-exporter.fullname" . }}-rbac-config + {{- end }} diff --git a/charts/kasten/k10/7.0.1401/charts/prometheus/charts/prometheus-node-exporter/templates/endpoints.yaml b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/prometheus-node-exporter/templates/endpoints.yaml new file mode 100644 index 000000000..45eeb8d96 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/prometheus-node-exporter/templates/endpoints.yaml @@ -0,0 +1,18 @@ +{{- if .Values.endpoints }} +apiVersion: v1 +kind: Endpoints +metadata: + name: {{ include "prometheus-node-exporter.fullname" . }} + namespace: {{ include "prometheus-node-exporter.namespace" . }} + labels: + {{- include "prometheus-node-exporter.labels" . | nindent 4 }} +subsets: + - addresses: + {{- range .Values.endpoints }} + - ip: {{ . }} + {{- end }} + ports: + - name: {{ .Values.service.portName }} + port: 9100 + protocol: TCP +{{- end }} diff --git a/charts/kasten/k10/7.0.1401/charts/prometheus/charts/prometheus-node-exporter/templates/extra-manifests.yaml b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/prometheus-node-exporter/templates/extra-manifests.yaml new file mode 100644 index 000000000..2b21b7106 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/prometheus-node-exporter/templates/extra-manifests.yaml @@ -0,0 +1,4 @@ +{{ range .Values.extraManifests }} +--- +{{ tpl . $ }} +{{ end }} diff --git a/charts/kasten/k10/7.0.1401/charts/prometheus/charts/prometheus-node-exporter/templates/networkpolicy.yaml b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/prometheus-node-exporter/templates/networkpolicy.yaml new file mode 100644 index 000000000..ee4090210 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/prometheus-node-exporter/templates/networkpolicy.yaml @@ -0,0 +1,27 @@ +{{- if .Values.networkPolicy.enabled }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ include "prometheus-node-exporter.fullname" . }} + namespace: {{ include "prometheus-node-exporter.namespace" . }} + labels: + {{- include "prometheus-node-exporter.labels" $ | nindent 4 }} + {{- with .Values.service.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + ingress: + {{- if .Values.networkPolicy.ingress }} + {{- toYaml .Values.networkPolicy.ingress | nindent 4 }} + {{- else }} + - ports: + - port: {{ .Values.service.port }} + {{- end }} + policyTypes: + - Egress + - Ingress + podSelector: + matchLabels: + {{- include "prometheus-node-exporter.selectorLabels" . | nindent 6 }} +{{- end }} diff --git a/charts/kasten/k10/7.0.1401/charts/prometheus/charts/prometheus-node-exporter/templates/podmonitor.yaml b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/prometheus-node-exporter/templates/podmonitor.yaml new file mode 100644 index 000000000..f88da6a34 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/prometheus-node-exporter/templates/podmonitor.yaml @@ -0,0 +1,91 @@ +{{- if .Values.prometheus.podMonitor.enabled }} +apiVersion: {{ .Values.prometheus.podMonitor.apiVersion | default "monitoring.coreos.com/v1" }} +kind: PodMonitor +metadata: + name: {{ include "prometheus-node-exporter.fullname" . }} + namespace: {{ include "prometheus-node-exporter.podmonitor-namespace" . }} + labels: + {{- include "prometheus-node-exporter.labels" . | nindent 4 }} + {{- with .Values.prometheus.podMonitor.additionalLabels }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + jobLabel: {{ default "app.kubernetes.io/name" .Values.prometheus.podMonitor.jobLabel }} + {{- include "podmonitor.scrapeLimits" .Values.prometheus.podMonitor | nindent 2 }} + selector: + matchLabels: + {{- with .Values.prometheus.podMonitor.selectorOverride }} + {{- toYaml . | nindent 6 }} + {{- else }} + {{- include "prometheus-node-exporter.selectorLabels" . | nindent 6 }} + {{- end }} + namespaceSelector: + matchNames: + - {{ include "prometheus-node-exporter.namespace" . }} + {{- with .Values.prometheus.podMonitor.attachMetadata }} + attachMetadata: + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.prometheus.podMonitor.podTargetLabels }} + podTargetLabels: + {{- toYaml . | nindent 4 }} + {{- end }} + podMetricsEndpoints: + - port: {{ .Values.service.portName }} + {{- with .Values.prometheus.podMonitor.scheme }} + scheme: {{ . }} + {{- end }} + {{- with .Values.prometheus.podMonitor.path }} + path: {{ . }} + {{- end }} + {{- with .Values.prometheus.podMonitor.basicAuth }} + basicAuth: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.prometheus.podMonitor.bearerTokenSecret }} + bearerTokenSecret: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.prometheus.podMonitor.tlsConfig }} + tlsConfig: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.prometheus.podMonitor.authorization }} + authorization: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.prometheus.podMonitor.oauth2 }} + oauth2: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.prometheus.podMonitor.proxyUrl }} + proxyUrl: {{ . }} + {{- end }} + {{- with .Values.prometheus.podMonitor.interval }} + interval: {{ . }} + {{- end }} + {{- with .Values.prometheus.podMonitor.honorTimestamps }} + honorTimestamps: {{ . }} + {{- end }} + {{- with .Values.prometheus.podMonitor.honorLabels }} + honorLabels: {{ . }} + {{- end }} + {{- with .Values.prometheus.podMonitor.scrapeTimeout }} + scrapeTimeout: {{ . }} + {{- end }} + {{- with .Values.prometheus.podMonitor.relabelings }} + relabelings: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.prometheus.podMonitor.metricRelabelings }} + metricRelabelings: + {{- toYaml . | nindent 8 }} + {{- end }} + enableHttp2: {{ default false .Values.prometheus.podMonitor.enableHttp2 }} + filterRunning: {{ default true .Values.prometheus.podMonitor.filterRunning }} + followRedirects: {{ default false .Values.prometheus.podMonitor.followRedirects }} + {{- with .Values.prometheus.podMonitor.params }} + params: + {{- toYaml . | nindent 8 }} + {{- end }} +{{- end }} diff --git a/charts/kasten/k10/7.0.1401/charts/prometheus/charts/prometheus-node-exporter/templates/psp-clusterrole.yaml b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/prometheus-node-exporter/templates/psp-clusterrole.yaml new file mode 100644 index 000000000..895731724 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/prometheus-node-exporter/templates/psp-clusterrole.yaml @@ -0,0 +1,14 @@ +{{- if and .Values.rbac.create .Values.rbac.pspEnabled (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }} +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: psp-{{ include "prometheus-node-exporter.fullname" . }} + labels: + {{- include "prometheus-node-exporter.labels" . | nindent 4 }} +rules: +- apiGroups: ['extensions'] + resources: ['podsecuritypolicies'] + verbs: ['use'] + resourceNames: + - {{ include "prometheus-node-exporter.fullname" . }} +{{- end }} diff --git a/charts/kasten/k10/7.0.1401/charts/prometheus/charts/prometheus-node-exporter/templates/psp-clusterrolebinding.yaml b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/prometheus-node-exporter/templates/psp-clusterrolebinding.yaml new file mode 100644 index 000000000..333370173 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/prometheus-node-exporter/templates/psp-clusterrolebinding.yaml @@ -0,0 +1,16 @@ +{{- if and .Values.rbac.create .Values.rbac.pspEnabled (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: psp-{{ include "prometheus-node-exporter.fullname" . }} + labels: + {{- include "prometheus-node-exporter.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: psp-{{ include "prometheus-node-exporter.fullname" . }} +subjects: + - kind: ServiceAccount + name: {{ include "prometheus-node-exporter.fullname" . }} + namespace: {{ include "prometheus-node-exporter.namespace" . }} +{{- end }} diff --git a/charts/kasten/k10/7.0.1401/charts/prometheus/charts/prometheus-node-exporter/templates/psp.yaml b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/prometheus-node-exporter/templates/psp.yaml new file mode 100644 index 000000000..4896c84da --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/prometheus-node-exporter/templates/psp.yaml @@ -0,0 +1,49 @@ +{{- if and .Values.rbac.create .Values.rbac.pspEnabled (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ include "prometheus-node-exporter.fullname" . }} + namespace: {{ include "prometheus-node-exporter.namespace" . }} + labels: + {{- include "prometheus-node-exporter.labels" . | nindent 4 }} + {{- with .Values.rbac.pspAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + privileged: false + # Allow core volume types. + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + - 'persistentVolumeClaim' + - 'hostPath' + hostNetwork: true + hostIPC: false + hostPID: true + hostPorts: + - min: 0 + max: 65535 + runAsUser: + # Permits the container to run with root privileges as well. + rule: 'RunAsAny' + seLinux: + # This policy assumes the nodes are using AppArmor rather than SELinux. + rule: 'RunAsAny' + supplementalGroups: + rule: 'MustRunAs' + ranges: + # Allow adding the root group. + - min: 0 + max: 65535 + fsGroup: + rule: 'MustRunAs' + ranges: + # Allow adding the root group. + - min: 0 + max: 65535 + readOnlyRootFilesystem: false +{{- end }} diff --git a/charts/kasten/k10/7.0.1401/charts/prometheus/charts/prometheus-node-exporter/templates/rbac-configmap.yaml b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/prometheus-node-exporter/templates/rbac-configmap.yaml new file mode 100644 index 000000000..814e11033 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/prometheus-node-exporter/templates/rbac-configmap.yaml @@ -0,0 +1,16 @@ +{{- if .Values.kubeRBACProxy.enabled}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "prometheus-node-exporter.fullname" . }}-rbac-config + namespace: {{ include "prometheus-node-exporter.namespace" . }} +data: + config-file.yaml: |+ + authorization: + resourceAttributes: + namespace: {{ template "prometheus-node-exporter.namespace" . }} + apiVersion: v1 + resource: services + subresource: {{ template "prometheus-node-exporter.fullname" . }} + name: {{ template "prometheus-node-exporter.fullname" . }} +{{- end }} \ No newline at end of file diff --git a/charts/kasten/k10/7.0.1401/charts/prometheus/charts/prometheus-node-exporter/templates/service.yaml b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/prometheus-node-exporter/templates/service.yaml new file mode 100644 index 000000000..abaa31b7f --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/prometheus-node-exporter/templates/service.yaml @@ -0,0 +1,38 @@ +{{- if .Values.service.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "prometheus-node-exporter.fullname" . }} + namespace: {{ include "prometheus-node-exporter.namespace" . }} + labels: + {{- include "prometheus-node-exporter.labels" $ | nindent 4 }} + {{- with .Values.service.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.service.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: +{{- if .Values.service.ipDualStack.enabled }} + ipFamilies: {{ toYaml .Values.service.ipDualStack.ipFamilies | nindent 4 }} + ipFamilyPolicy: {{ .Values.service.ipDualStack.ipFamilyPolicy }} +{{- end }} +{{- if .Values.service.externalTrafficPolicy }} + externalTrafficPolicy: {{ .Values.service.externalTrafficPolicy }} +{{- end }} + type: {{ .Values.service.type }} +{{- if and (eq .Values.service.type "ClusterIP") .Values.service.clusterIP }} + clusterIP: "{{ .Values.service.clusterIP }}" +{{- end }} + ports: + - port: {{ .Values.service.servicePort | default .Values.service.port }} + {{- if ( and (eq .Values.service.type "NodePort" ) (not (empty .Values.service.nodePort)) ) }} + nodePort: {{ .Values.service.nodePort }} + {{- end }} + targetPort: {{ .Values.service.targetPort }} + protocol: TCP + name: {{ .Values.service.portName }} + selector: + {{- include "prometheus-node-exporter.selectorLabels" . | nindent 4 }} +{{- end }} diff --git a/charts/kasten/k10/7.0.1401/charts/prometheus/charts/prometheus-node-exporter/templates/serviceaccount.yaml b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/prometheus-node-exporter/templates/serviceaccount.yaml new file mode 100644 index 000000000..462b0cda4 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/prometheus-node-exporter/templates/serviceaccount.yaml @@ -0,0 +1,18 @@ +{{- if and .Values.rbac.create .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "prometheus-node-exporter.serviceAccountName" . }} + namespace: {{ include "prometheus-node-exporter.namespace" . }} + labels: + {{- include "prometheus-node-exporter.labels" . | nindent 4 }} + {{- with .Values.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }} +{{- if or .Values.serviceAccount.imagePullSecrets .Values.global.imagePullSecrets }} +imagePullSecrets: + {{- include "prometheus-node-exporter.imagePullSecrets" (dict "Values" .Values "imagePullSecrets" .Values.serviceAccount.imagePullSecrets) | indent 2 }} +{{- end }} +{{- end -}} diff --git a/charts/kasten/k10/7.0.1401/charts/prometheus/charts/prometheus-node-exporter/templates/servicemonitor.yaml b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/prometheus-node-exporter/templates/servicemonitor.yaml new file mode 100644 index 000000000..0d7a42eae --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/prometheus-node-exporter/templates/servicemonitor.yaml @@ -0,0 +1,61 @@ +{{- if .Values.prometheus.monitor.enabled }} +apiVersion: {{ .Values.prometheus.monitor.apiVersion | default "monitoring.coreos.com/v1" }} +kind: ServiceMonitor +metadata: + name: {{ include "prometheus-node-exporter.fullname" . }} + namespace: {{ include "prometheus-node-exporter.monitor-namespace" . }} + labels: + {{- include "prometheus-node-exporter.labels" . | nindent 4 }} + {{- with .Values.prometheus.monitor.additionalLabels }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + jobLabel: {{ default "app.kubernetes.io/name" .Values.prometheus.monitor.jobLabel }} + {{- include "servicemonitor.scrapeLimits" .Values.prometheus.monitor | nindent 2 }} + {{- with .Values.prometheus.monitor.podTargetLabels }} + podTargetLabels: + {{- toYaml . | nindent 4 }} + {{- end }} + selector: + matchLabels: + {{- with .Values.prometheus.monitor.selectorOverride }} + {{- toYaml . | nindent 6 }} + {{- else }} + {{- include "prometheus-node-exporter.selectorLabels" . | nindent 6 }} + {{- end }} + {{- with .Values.prometheus.monitor.attachMetadata }} + attachMetadata: + {{- toYaml . | nindent 4 }} + {{- end }} + endpoints: + - port: {{ .Values.service.portName }} + scheme: {{ .Values.prometheus.monitor.scheme }} + {{- with .Values.prometheus.monitor.basicAuth }} + basicAuth: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.prometheus.monitor.bearerTokenFile }} + bearerTokenFile: {{ . }} + {{- end }} + {{- with .Values.prometheus.monitor.tlsConfig }} + tlsConfig: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.prometheus.monitor.proxyUrl }} + proxyUrl: {{ . }} + {{- end }} + {{- with .Values.prometheus.monitor.interval }} + interval: {{ . }} + {{- end }} + {{- with .Values.prometheus.monitor.scrapeTimeout }} + scrapeTimeout: {{ . }} + {{- end }} + {{- with .Values.prometheus.monitor.relabelings }} + relabelings: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.prometheus.monitor.metricRelabelings }} + metricRelabelings: + {{- toYaml . | nindent 8 }} + {{- end }} +{{- end }} diff --git a/charts/kasten/k10/7.0.1401/charts/prometheus/charts/prometheus-node-exporter/templates/verticalpodautoscaler.yaml b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/prometheus-node-exporter/templates/verticalpodautoscaler.yaml new file mode 100644 index 000000000..2c2705f87 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/prometheus-node-exporter/templates/verticalpodautoscaler.yaml @@ -0,0 +1,40 @@ +{{- if and (.Capabilities.APIVersions.Has "autoscaling.k8s.io/v1") (.Values.verticalPodAutoscaler.enabled) }} +apiVersion: autoscaling.k8s.io/v1 +kind: VerticalPodAutoscaler +metadata: + name: {{ include "prometheus-node-exporter.fullname" . }} + namespace: {{ include "prometheus-node-exporter.namespace" . }} + labels: + {{- include "prometheus-node-exporter.labels" . | nindent 4 }} +spec: + {{- with .Values.verticalPodAutoscaler.recommenders }} + recommenders: + {{- toYaml . | nindent 4 }} + {{- end }} + resourcePolicy: + containerPolicies: + - containerName: node-exporter + {{- with .Values.verticalPodAutoscaler.controlledResources }} + controlledResources: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.verticalPodAutoscaler.controlledValues }} + controlledValues: {{ . }} + {{- end }} + {{- with .Values.verticalPodAutoscaler.maxAllowed }} + maxAllowed: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.verticalPodAutoscaler.minAllowed }} + minAllowed: + {{- toYaml . | nindent 8 }} + {{- end }} + targetRef: + apiVersion: apps/v1 + kind: DaemonSet + name: {{ include "prometheus-node-exporter.fullname" . }} + {{- with .Values.verticalPodAutoscaler.updatePolicy }} + updatePolicy: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} diff --git a/charts/kasten/k10/7.0.1401/charts/prometheus/charts/prometheus-node-exporter/values.yaml b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/prometheus-node-exporter/values.yaml new file mode 100644 index 000000000..73a8f4a2e --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/prometheus-node-exporter/values.yaml @@ -0,0 +1,566 @@ +# Default values for prometheus-node-exporter. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. +image: + registry: quay.io + repository: prometheus/node-exporter + # Overrides the image tag whose default is {{ printf "v%s" .Chart.AppVersion }} + tag: "" + pullPolicy: IfNotPresent + digest: "" + +imagePullSecrets: [] +# - name: "image-pull-secret" +nameOverride: "" +fullnameOverride: "" + +# Number of old history to retain to allow rollback +# Default Kubernetes value is set to 10 +revisionHistoryLimit: 10 + +global: + # To help compatibility with other charts which use global.imagePullSecrets. + # Allow either an array of {name: pullSecret} maps (k8s-style), or an array of strings (more common helm-style). + # global: + # imagePullSecrets: + # - name: pullSecret1 + # - name: pullSecret2 + # or + # global: + # imagePullSecrets: + # - pullSecret1 + # - pullSecret2 + imagePullSecrets: [] + # + # Allow parent charts to override registry hostname + imageRegistry: "" + +# Configure kube-rbac-proxy. When enabled, creates a kube-rbac-proxy to protect the node-exporter http endpoint. +# The requests are served through the same service but requests are HTTPS. +kubeRBACProxy: + enabled: false + ## Set environment variables as name/value pairs + env: {} + # VARIABLE: value + image: + registry: quay.io + repository: brancz/kube-rbac-proxy + tag: v0.18.0 + sha: "" + pullPolicy: IfNotPresent + + # List of additional cli arguments to configure kube-rbac-proxy + # for example: --tls-cipher-suites, --log-file, etc. + # all the possible args can be found here: https://github.com/brancz/kube-rbac-proxy#usage + extraArgs: [] + + ## Specify security settings for a Container + ## Allows overrides and additional options compared to (Pod) securityContext + ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + containerSecurityContext: {} + + # Specify the port used for the Node exporter container (upstream port) + port: 8100 + # Specify the name of the container port + portName: http + # Configure a hostPort. If true, hostPort will be enabled in the container and set to service.port. + enableHostPort: false + + # Configure Proxy Endpoints Port + # This is the port being probed for readiness + proxyEndpointsPort: 8888 + # Configure a hostPort. If true, hostPort will be enabled in the container and set to proxyEndpointsPort. + enableProxyEndpointsHostPort: false + + resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # limits: + # cpu: 100m + # memory: 64Mi + # requests: + # cpu: 10m + # memory: 32Mi + +## Service configuration +service: + ## Creating a service is enabled by default + enabled: true + + ## Service type + type: ClusterIP + ## IP address for type ClusterIP + clusterIP: "" + ## Default service port. Sets the port of the exposed container as well (NE or kubeRBACProxy). + ## Use "servicePort" below if changing the service port only is desired. + port: 9100 + ## Service port. Use this field if you wish to set a different service port + ## without changing the container port ("port" above). + servicePort: "" + ## Targeted port in the pod. Must refer to an open container port ("port" or "portName"). + ## (IntOrString) + targetPort: 9100 + ## Name of the service port. Sets the port name of the main container (NE) as well. + portName: metrics + ## Port number for service type NodePort + nodePort: null + + ## If true, node exporter will listen on all interfaces + listenOnAllInterfaces: true + + ## Additional annotations and labels for the service + annotations: + prometheus.io/scrape: "true" + labels: {} + + ## Dual stack settings for the service + ## https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services + ipDualStack: + enabled: false + ipFamilies: ["IPv6", "IPv4"] + ipFamilyPolicy: "PreferDualStack" + + ## External traffic policy setting (Cluster, Local) + externalTrafficPolicy: "" + +# Set a NetworkPolicy with: +# ingress only on service.port or custom policy +# no egress permitted +networkPolicy: + enabled: false + + # ingress: + # - {} + +# Additional environment variables that will be passed to the daemonset +env: {} +## env: +## VARIABLE: value + +prometheus: + monitor: + enabled: false + additionalLabels: {} + namespace: "" + + jobLabel: "" + + # List of pod labels to add to node exporter metrics + # https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#servicemonitor + podTargetLabels: [] + + scheme: http + basicAuth: {} + bearerTokenFile: + tlsConfig: {} + + ## proxyUrl: URL of a proxy that should be used for scraping. + ## + proxyUrl: "" + + ## Override serviceMonitor selector + ## + selectorOverride: {} + + ## Attach node metadata to discovered targets. Requires Prometheus v2.35.0 and above. + ## + attachMetadata: + node: false + + relabelings: [] + metricRelabelings: [] + interval: "" + scrapeTimeout: 10s + ## prometheus.monitor.apiVersion ApiVersion for the serviceMonitor Resource(defaults to "monitoring.coreos.com/v1") + apiVersion: "" + + ## SampleLimit defines per-scrape limit on number of scraped samples that will be accepted. + ## + sampleLimit: 0 + + ## TargetLimit defines a limit on the number of scraped targets that will be accepted. + ## + targetLimit: 0 + + ## Per-scrape limit on number of labels that will be accepted for a sample. Only valid in Prometheus versions 2.27.0 and newer. + ## + labelLimit: 0 + + ## Per-scrape limit on length of labels name that will be accepted for a sample. Only valid in Prometheus versions 2.27.0 and newer. + ## + labelNameLengthLimit: 0 + + ## Per-scrape limit on length of labels value that will be accepted for a sample. Only valid in Prometheus versions 2.27.0 and newer. + ## + labelValueLengthLimit: 0 + + # PodMonitor defines monitoring for a set of pods. + # ref. https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#monitoring.coreos.com/v1.PodMonitor + # Using a PodMonitor may be preferred in some environments where there is very large number + # of Node Exporter endpoints (1000+) behind a single service. + # The PodMonitor is disabled by default. When switching from ServiceMonitor to PodMonitor, + # the time series resulting from the configuration through PodMonitor may have different labels. + # For instance, there will not be the service label any longer which might + # affect PromQL queries selecting that label. + podMonitor: + enabled: false + # Namespace in which to deploy the pod monitor. Defaults to the release namespace. + namespace: "" + # Additional labels, e.g. setting a label for pod monitor selector as set in prometheus + additionalLabels: {} + # release: kube-prometheus-stack + # PodTargetLabels transfers labels of the Kubernetes Pod onto the target. + podTargetLabels: [] + # apiVersion defaults to monitoring.coreos.com/v1. + apiVersion: "" + # Override pod selector to select pod objects. + selectorOverride: {} + # Attach node metadata to discovered targets. Requires Prometheus v2.35.0 and above. + attachMetadata: + node: false + # The label to use to retrieve the job name from. Defaults to label app.kubernetes.io/name. + jobLabel: "" + + # Scheme/protocol to use for scraping. + scheme: "http" + # Path to scrape metrics at. + path: "/metrics" + + # BasicAuth allow an endpoint to authenticate over basic authentication. + # More info: https://prometheus.io/docs/operating/configuration/#endpoint + basicAuth: {} + # Secret to mount to read bearer token for scraping targets. + # The secret needs to be in the same namespace as the pod monitor and accessible by the Prometheus Operator. + # https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#secretkeyselector-v1-core + bearerTokenSecret: {} + # TLS configuration to use when scraping the endpoint. + tlsConfig: {} + # Authorization section for this endpoint. + # https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#monitoring.coreos.com/v1.SafeAuthorization + authorization: {} + # OAuth2 for the URL. Only valid in Prometheus versions 2.27.0 and newer. + # https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#monitoring.coreos.com/v1.OAuth2 + oauth2: {} + + # ProxyURL eg http://proxyserver:2195. Directs scrapes through proxy to this endpoint. + proxyUrl: "" + # Interval at which endpoints should be scraped. If not specified Prometheus’ global scrape interval is used. + interval: "" + # Timeout after which the scrape is ended. If not specified, the Prometheus global scrape interval is used. + scrapeTimeout: "" + # HonorTimestamps controls whether Prometheus respects the timestamps present in scraped data. + honorTimestamps: true + # HonorLabels chooses the metric’s labels on collisions with target labels. + honorLabels: true + # Whether to enable HTTP2. Default false. + enableHttp2: "" + # Drop pods that are not running. (Failed, Succeeded). + # Enabled by default. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#pod-phase + filterRunning: "" + # FollowRedirects configures whether scrape requests follow HTTP 3xx redirects. Default false. + followRedirects: "" + # Optional HTTP URL parameters + params: {} + + # RelabelConfigs to apply to samples before scraping. Prometheus Operator automatically adds + # relabelings for a few standard Kubernetes fields. The original scrape job’s name + # is available via the __tmp_prometheus_job_name label. + # More info: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config + relabelings: [] + # MetricRelabelConfigs to apply to samples before ingestion. + metricRelabelings: [] + + # SampleLimit defines per-scrape limit on number of scraped samples that will be accepted. + sampleLimit: 0 + # TargetLimit defines a limit on the number of scraped targets that will be accepted. + targetLimit: 0 + # Per-scrape limit on number of labels that will be accepted for a sample. + # Only valid in Prometheus versions 2.27.0 and newer. + labelLimit: 0 + # Per-scrape limit on length of labels name that will be accepted for a sample. + # Only valid in Prometheus versions 2.27.0 and newer. + labelNameLengthLimit: 0 + # Per-scrape limit on length of labels value that will be accepted for a sample. + # Only valid in Prometheus versions 2.27.0 and newer. + labelValueLengthLimit: 0 + +## Customize the updateStrategy if set +updateStrategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 1 + +resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # limits: + # cpu: 200m + # memory: 50Mi + # requests: + # cpu: 100m + # memory: 30Mi + +# Specify the container restart policy passed to the Node Export container +# Possible Values: Always (default)|OnFailure|Never +restartPolicy: null + +serviceAccount: + # Specifies whether a ServiceAccount should be created + create: true + # The name of the ServiceAccount to use. + # If not set and create is true, a name is generated using the fullname template + name: + annotations: {} + imagePullSecrets: [] + automountServiceAccountToken: false + +securityContext: + fsGroup: 65534 + runAsGroup: 65534 + runAsNonRoot: true + runAsUser: 65534 + +containerSecurityContext: + readOnlyRootFilesystem: true + # capabilities: + # add: + # - SYS_TIME + +rbac: + ## If true, create & use RBAC resources + ## + create: true + ## If true, create & use Pod Security Policy resources + ## https://kubernetes.io/docs/concepts/policy/pod-security-policy/ + pspEnabled: true + pspAnnotations: {} + +# for deployments that have node_exporter deployed outside of the cluster, list +# their addresses here +endpoints: [] + +# Expose the service to the host network +hostNetwork: true + +# Share the host process ID namespace +hostPID: true + +# Share the host ipc namespace +hostIPC: false + +# Mount the node's root file system (/) at /host/root in the container +hostRootFsMount: + enabled: true + # Defines how new mounts in existing mounts on the node or in the container + # are propagated to the container or node, respectively. Possible values are + # None, HostToContainer, and Bidirectional. If this field is omitted, then + # None is used. More information on: + # https://kubernetes.io/docs/concepts/storage/volumes/#mount-propagation + mountPropagation: HostToContainer + +# Mount the node's proc file system (/proc) at /host/proc in the container +hostProcFsMount: + # Possible values are None, HostToContainer, and Bidirectional + mountPropagation: "" + +# Mount the node's sys file system (/sys) at /host/sys in the container +hostSysFsMount: + # Possible values are None, HostToContainer, and Bidirectional + mountPropagation: "" + +## Assign a group of affinity scheduling rules +## +affinity: {} +# nodeAffinity: +# requiredDuringSchedulingIgnoredDuringExecution: +# nodeSelectorTerms: +# - matchFields: +# - key: metadata.name +# operator: In +# values: +# - target-host-name + +# Annotations to be added to node exporter pods +podAnnotations: + # Fix for very slow GKE cluster upgrades + cluster-autoscaler.kubernetes.io/safe-to-evict: "true" + +# Extra labels to add to node exporter pods (can be templated) +podLabels: {} + +## Extra labels to attach to all resources (can be templated) +commonLabels: {} + +# Annotations to be added to node exporter daemonset +daemonsetAnnotations: {} + +## set to true to add the release label so scraping of the servicemonitor with kube-prometheus-stack works out of the box +releaseLabel: false + +# Custom DNS configuration to be added to prometheus-node-exporter pods +dnsConfig: {} +# nameservers: +# - 1.2.3.4 +# searches: +# - ns1.svc.cluster-domain.example +# - my.dns.search.suffix +# options: +# - name: ndots +# value: "2" +# - name: edns0 + +## Assign a nodeSelector if operating a hybrid cluster +## +nodeSelector: + kubernetes.io/os: linux + # kubernetes.io/arch: amd64 + +# Specify grace period for graceful termination of pods. Defaults to 30 if null or not specified +terminationGracePeriodSeconds: null + +tolerations: + - effect: NoSchedule + operator: Exists + +# Enable or disable container termination message settings +# https://kubernetes.io/docs/tasks/debug/debug-application/determine-reason-pod-failure/ +terminationMessageParams: + enabled: false + # If enabled, specify the path for termination messages + terminationMessagePath: /dev/termination-log + # If enabled, specify the policy for termination messages + terminationMessagePolicy: File + + +## Assign a PriorityClassName to pods if set +# priorityClassName: "" + +## Additional container arguments +## +extraArgs: [] +# - --collector.diskstats.ignored-devices=^(ram|loop|fd|(h|s|v)d[a-z]|nvme\\d+n\\d+p)\\d+$ +# - --collector.textfile.directory=/run/prometheus + +## Additional mounts from the host to node-exporter container +## +extraHostVolumeMounts: [] +# - name: +# hostPath: +# https://kubernetes.io/docs/concepts/storage/volumes/#hostpath-volume-types +# type: "" (Default)|DirectoryOrCreate|Directory|FileOrCreate|File|Socket|CharDevice|BlockDevice +# mountPath: +# readOnly: true|false +# mountPropagation: None|HostToContainer|Bidirectional + +## Additional configmaps to be mounted. +## +configmaps: [] +# - name: +# mountPath: +secrets: [] +# - name: +# mountPath: +## Override the deployment namespace +## +namespaceOverride: "" + +## Additional containers for export metrics to text file; fields image,imagePullPolicy,securityContext take default value from main container +## +sidecars: [] +# - name: nvidia-dcgm-exporter +# image: nvidia/dcgm-exporter:1.4.3 +# volumeMounts: +# - name: tmp +# mountPath: /tmp + +## Volume for sidecar containers +## +sidecarVolumeMount: [] +# - name: collector-textfiles +# mountPath: /run/prometheus +# readOnly: false + +## Additional mounts from the host to sidecar containers +## +sidecarHostVolumeMounts: [] +# - name: +# hostPath: +# mountPath: +# readOnly: true|false +# mountPropagation: None|HostToContainer|Bidirectional + +## Additional InitContainers to initialize the pod +## +extraInitContainers: [] + +## Liveness probe +## +livenessProbe: + failureThreshold: 3 + httpGet: + httpHeaders: [] + scheme: http + initialDelaySeconds: 0 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + +## Readiness probe +## +readinessProbe: + failureThreshold: 3 + httpGet: + httpHeaders: [] + scheme: http + initialDelaySeconds: 0 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + +# Enable vertical pod autoscaler support for prometheus-node-exporter +verticalPodAutoscaler: + enabled: false + + # Recommender responsible for generating recommendation for the object. + # List should be empty (then the default recommender will generate the recommendation) + # or contain exactly one recommender. + # recommenders: + # - name: custom-recommender-performance + + # List of resources that the vertical pod autoscaler can control. Defaults to cpu and memory + controlledResources: [] + # Specifies which resource values should be controlled: RequestsOnly or RequestsAndLimits. + # controlledValues: RequestsAndLimits + + # Define the max allowed resources for the pod + maxAllowed: {} + # cpu: 200m + # memory: 100Mi + # Define the min allowed resources for the pod + minAllowed: {} + # cpu: 200m + # memory: 100Mi + + # updatePolicy: + # Specifies minimal number of replicas which need to be alive for VPA Updater to attempt pod eviction + # minReplicas: 1 + # Specifies whether recommended updates are applied when a Pod is started and whether recommended updates + # are applied during the life of a Pod. Possible values are "Off", "Initial", "Recreate", and "Auto". + # updateMode: Auto + +# Extra manifests to deploy as an array +extraManifests: [] + # - | + # apiVersion: v1 + # kind: ConfigMap + # metadata: + # name: prometheus-extra + # data: + # extra-data: "value" + +# Override version of app, required if image.tag is defined and does not follow semver +version: "" diff --git a/charts/kasten/k10/7.0.1401/charts/prometheus/charts/prometheus-pushgateway/.helmignore b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/prometheus-pushgateway/.helmignore new file mode 100644 index 000000000..e90c9f6d2 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/prometheus-pushgateway/.helmignore @@ -0,0 +1,24 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj + +# OWNERS file for Kubernetes +OWNERS \ No newline at end of file diff --git a/charts/kasten/k10/7.0.1401/charts/prometheus/charts/prometheus-pushgateway/Chart.yaml b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/prometheus-pushgateway/Chart.yaml new file mode 100644 index 000000000..501e8a69a --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/prometheus-pushgateway/Chart.yaml @@ -0,0 +1,24 @@ +annotations: + artifacthub.io/license: Apache-2.0 + artifacthub.io/links: | + - name: Chart Source + url: https://github.com/prometheus-community/helm-charts +apiVersion: v2 +appVersion: v1.10.0 +description: A Helm chart for prometheus pushgateway +home: https://github.com/prometheus/pushgateway +keywords: +- pushgateway +- prometheus +maintainers: +- email: gianrubio@gmail.com + name: gianrubio +- email: christian.staude@staffbase.com + name: cstaud +- email: rootsandtrees@posteo.de + name: zeritti +name: prometheus-pushgateway +sources: +- https://github.com/prometheus/pushgateway +type: application +version: 2.15.0 diff --git a/charts/kasten/k10/7.0.1401/charts/prometheus/charts/prometheus-pushgateway/README.md b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/prometheus-pushgateway/README.md new file mode 100644 index 000000000..cc6645fdf --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/prometheus-pushgateway/README.md @@ -0,0 +1,88 @@ +# Prometheus Pushgateway + +This chart bootstraps a Prometheus [Pushgateway](http://github.com/prometheus/pushgateway) deployment on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. + +An optional prometheus `ServiceMonitor` can be enabled, should you wish to use this gateway with [Prometheus Operator](https://github.com/coreos/prometheus-operator). + +## Get Repository Info + +```console +helm repo add prometheus-community https://prometheus-community.github.io/helm-charts +helm repo update +``` + +_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._ + +## Install Chart + +```console +helm install [RELEASE_NAME] prometheus-community/prometheus-pushgateway +``` + +_See [configuration](#configuration) below._ + +_See [helm install](https://helm.sh/docs/helm/helm_install/) for command documentation._ + +## Uninstall Chart + +```console +helm uninstall [RELEASE_NAME] +``` + +This removes all the Kubernetes components associated with the chart and deletes the release. + +_See [helm uninstall](https://helm.sh/docs/helm/helm_uninstall/) for command documentation._ + +## Upgrading Chart + +```console +helm upgrade [RELEASE_NAME] prometheus-community/prometheus-pushgateway --install +``` + +_See [helm upgrade](https://helm.sh/docs/helm/helm_upgrade/) for command documentation._ + +### To 2.0.0 + +Chart API version has been upgraded to v2 so Helm 3 is needed from now on. + +Docker image tag is used from Chart.yaml appVersion field by default now. + +Version 2.0.0 also adapted [Helm label and annotation best practices](https://helm.sh/docs/chart_best_practices/labels/). Specifically, labels mapping is listed below: + +```console +OLD => NEW +---------------------------------------- +heritage => app.kubernetes.io/managed-by +chart => helm.sh/chart +[container version] => app.kubernetes.io/version +app => app.kubernetes.io/name +release => app.kubernetes.io/instance +``` + +Therefore, depending on the way you've configured the chart, the previous StatefulSet or Deployment need to be deleted before upgrade. + +If `runAsStatefulSet: false` (this is the default): + +```console +kubectl delete deploy -l app=prometheus-pushgateway +``` + +If `runAsStatefulSet: true`: + +```console +kubectl delete sts -l app=prometheus-pushgateway +``` + +After that do the actual upgrade: + +```console +helm upgrade -i prometheus-pushgateway prometheus-community/prometheus-pushgateway +``` + +## Configuration + +See [Customizing the Chart Before Installing](https://helm.sh/docs/intro/using_helm/#customizing-the-chart-before-installing). To see all configurable options with detailed comments, visit the chart's [values.yaml](./values.yaml), or run these configuration commands: + +```console +helm show values prometheus-community/prometheus-pushgateway +``` diff --git a/charts/kasten/k10/7.0.1401/charts/prometheus/charts/prometheus-pushgateway/templates/NOTES.txt b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/prometheus-pushgateway/templates/NOTES.txt new file mode 100644 index 000000000..263b1d8d4 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/prometheus-pushgateway/templates/NOTES.txt @@ -0,0 +1,19 @@ +1. Get the application URL by running these commands: +{{- if .Values.ingress.enabled }} +{{- range .Values.ingress.hosts }} + http{{ if $.Values.ingress.tls }}s{{ end }}://{{ . }}{{ $.Values.ingress.path }} +{{- end }} +{{- else if contains "NodePort" .Values.service.type }} + export NODE_PORT=$(kubectl get --namespace {{ template "prometheus-pushgateway.namespace" . }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "prometheus-pushgateway.fullname" . }}) + export NODE_IP=$(kubectl get nodes --namespace {{ template "prometheus-pushgateway.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}") + echo http://$NODE_IP:$NODE_PORT +{{- else if contains "LoadBalancer" .Values.service.type }} + NOTE: It may take a few minutes for the LoadBalancer IP to be available. + You can watch the status of by running 'kubectl get svc -w {{ template "prometheus-pushgateway.fullname" . }}' + export SERVICE_IP=$(kubectl get svc --namespace {{ template "prometheus-pushgateway.namespace" . }} {{ template "prometheus-pushgateway.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') + echo http://$SERVICE_IP:{{ .Values.service.port }} +{{- else if contains "ClusterIP" .Values.service.type }} + export POD_NAME=$(kubectl get pods --namespace {{ template "prometheus-pushgateway.namespace" . }} -l "app.kubernetes.io/name={{ template "prometheus-pushgateway.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") + kubectl port-forward $POD_NAME 9091 + echo "Visit http://127.0.0.1:9091 to use your application" +{{- end }} diff --git a/charts/kasten/k10/7.0.1401/charts/prometheus/charts/prometheus-pushgateway/templates/_helpers.tpl b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/prometheus-pushgateway/templates/_helpers.tpl new file mode 100644 index 000000000..dcd42ff36 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/prometheus-pushgateway/templates/_helpers.tpl @@ -0,0 +1,304 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "prometheus-pushgateway.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Namespace to set on the resources +*/}} +{{- define "prometheus-pushgateway.namespace" -}} + {{- if .Values.namespaceOverride -}} + {{- .Values.namespaceOverride -}} + {{- else -}} + {{- .Release.Namespace -}} + {{- end -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "prometheus-pushgateway.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "prometheus-pushgateway.chart" -}} +{{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "prometheus-pushgateway.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "prometheus-pushgateway.fullname" .) .Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} + +{{/* +Create default labels +*/}} +{{- define "prometheus-pushgateway.defaultLabels" -}} +helm.sh/chart: {{ include "prometheus-pushgateway.chart" . }} +{{ include "prometheus-pushgateway.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- with .Values.podLabels }} +{{ toYaml . }} +{{- end }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "prometheus-pushgateway.selectorLabels" -}} +app.kubernetes.io/name: {{ include "prometheus-pushgateway.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Return the appropriate apiVersion for networkpolicy. +*/}} +{{- define "prometheus-pushgateway.networkPolicy.apiVersion" -}} +{{- if semverCompare ">=1.4-0, <1.7-0" .Capabilities.KubeVersion.GitVersion }} +{{- print "extensions/v1beta1" }} +{{- else if semverCompare "^1.7-0" .Capabilities.KubeVersion.GitVersion }} +{{- print "networking.k8s.io/v1" }} +{{- end }} +{{- end }} + +{{/* +Define PDB apiVersion +*/}} +{{- define "prometheus-pushgateway.pdb.apiVersion" -}} +{{- if $.Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget" }} +{{- print "policy/v1" }} +{{- else }} +{{- print "policy/v1beta1" }} +{{- end }} +{{- end }} + +{{/* +Define Ingress apiVersion +*/}} +{{- define "prometheus-pushgateway.ingress.apiVersion" -}} +{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion }} +{{- print "networking.k8s.io/v1" }} +{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion }} +{{- print "networking.k8s.io/v1beta1" }} +{{- else }} +{{- print "extensions/v1beta1" }} +{{- end }} +{{- end }} + +{{/* +Define webConfiguration +*/}} +{{- define "prometheus-pushgateway.webConfiguration" -}} +basic_auth_users: +{{- range $k, $v := .Values.webConfiguration.basicAuthUsers }} + {{ $k }}: {{ htpasswd "" $v | trimPrefix ":"}} +{{- end }} +{{- end }} + +{{/* +Define Authorization +*/}} +{{- define "prometheus-pushgateway.Authorization" -}} +{{- $users := keys .Values.webConfiguration.basicAuthUsers }} +{{- $user := first $users }} +{{- $password := index .Values.webConfiguration.basicAuthUsers $user }} +{{- $user }}:{{ $password }} +{{- end }} + +{{/* +Returns pod spec +*/}} +{{- define "prometheus-pushgateway.podSpec" -}} +serviceAccountName: {{ include "prometheus-pushgateway.serviceAccountName" . }} +automountServiceAccountToken: {{ .Values.automountServiceAccountToken }} +{{- with .Values.priorityClassName }} +priorityClassName: {{ . | quote }} +{{- end }} +{{- with .Values.hostAliases }} +hostAliases: +{{- toYaml . | nindent 2 }} +{{- end }} +{{- with .Values.imagePullSecrets }} +imagePullSecrets: + {{- toYaml . | nindent 2 }} +{{- end }} +{{- with .Values.extraInitContainers }} +initContainers: + {{- toYaml . | nindent 2 }} +{{- end }} +containers: + {{- with .Values.extraContainers }} + {{- toYaml . | nindent 2 }} + {{- end }} + - name: pushgateway + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + {{- with .Values.extraVars }} + env: + {{- toYaml . | nindent 6 }} + {{- end }} + {{- if or .Values.extraArgs .Values.webConfiguration }} + args: + {{- with .Values.extraArgs }} + {{- toYaml . | nindent 6 }} + {{- end }} + {{- if .Values.webConfiguration }} + - --web.config.file=/etc/config/web-config.yaml + {{- end }} + {{- end }} + ports: + - name: metrics + containerPort: 9091 + protocol: TCP + {{- if .Values.liveness.enabled }} + {{- $livenessCommon := omit .Values.liveness.probe "httpGet" }} + livenessProbe: + {{- with .Values.liveness.probe }} + httpGet: + path: {{ .httpGet.path }} + port: {{ .httpGet.port }} + {{- if or .httpGet.httpHeaders $.Values.webConfiguration.basicAuthUsers }} + httpHeaders: + {{- if $.Values.webConfiguration.basicAuthUsers }} + - name: Authorization + value: Basic {{ include "prometheus-pushgateway.Authorization" $ | b64enc }} + {{- end }} + {{- with .httpGet.httpHeaders }} + {{- toYaml . | nindent 10 }} + {{- end }} + {{- end }} + {{- toYaml $livenessCommon | nindent 6 }} + {{- end }} + {{- end }} + {{- if .Values.readiness.enabled }} + {{- $readinessCommon := omit .Values.readiness.probe "httpGet" }} + readinessProbe: + {{- with .Values.readiness.probe }} + httpGet: + path: {{ .httpGet.path }} + port: {{ .httpGet.port }} + {{- if or .httpGet.httpHeaders $.Values.webConfiguration.basicAuthUsers }} + httpHeaders: + {{- if $.Values.webConfiguration.basicAuthUsers }} + - name: Authorization + value: Basic {{ include "prometheus-pushgateway.Authorization" $ | b64enc }} + {{- end }} + {{- with .httpGet.httpHeaders }} + {{- toYaml . | nindent 10 }} + {{- end }} + {{- end }} + {{- toYaml $readinessCommon | nindent 6 }} + {{- end }} + {{- end }} + {{- with .Values.resources }} + resources: + {{- toYaml . | nindent 6 }} + {{- end }} + {{- with .Values.containerSecurityContext }} + securityContext: + {{- toYaml . | nindent 6 }} + {{- end }} + volumeMounts: + - name: storage-volume + mountPath: "{{ .Values.persistentVolume.mountPath }}" + subPath: "{{ .Values.persistentVolume.subPath }}" + {{- if .Values.webConfiguration }} + - name: web-config + mountPath: "/etc/config" + {{- end }} + {{- with .Values.extraVolumeMounts }} + {{- toYaml . | nindent 6 }} + {{- end }} +{{- with .Values.nodeSelector }} +nodeSelector: + {{- toYaml . | nindent 2 }} +{{- end }} +{{- with .Values.tolerations }} +tolerations: + {{- toYaml . | nindent 2 }} +{{- end }} +{{- if or .Values.podAntiAffinity .Values.affinity }} +affinity: +{{- end }} + {{- with .Values.affinity }} + {{- toYaml . | nindent 2 }} + {{- end }} + {{- if eq .Values.podAntiAffinity "hard" }} + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - topologyKey: {{ .Values.podAntiAffinityTopologyKey }} + labelSelector: + matchExpressions: + - {key: app.kubernetes.io/name, operator: In, values: [{{ include "prometheus-pushgateway.name" . }}]} + {{- else if eq .Values.podAntiAffinity "soft" }} + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 100 + podAffinityTerm: + topologyKey: {{ .Values.podAntiAffinityTopologyKey }} + labelSelector: + matchExpressions: + - {key: app.kubernetes.io/name, operator: In, values: [{{ include "prometheus-pushgateway.name" . }}]} + {{- end }} +{{- with .Values.topologySpreadConstraints }} +topologySpreadConstraints: + {{- toYaml . | nindent 2 }} +{{- end }} +{{- with .Values.securityContext }} +securityContext: + {{- toYaml . | nindent 2 }} +{{- end }} +volumes: + {{- $storageVolumeAsPVCTemplate := and .Values.runAsStatefulSet .Values.persistentVolume.enabled -}} + {{- if not $storageVolumeAsPVCTemplate }} + - name: storage-volume + {{- if .Values.persistentVolume.enabled }} + persistentVolumeClaim: + claimName: {{ if .Values.persistentVolume.existingClaim }}{{ .Values.persistentVolume.existingClaim }}{{- else }}{{ include "prometheus-pushgateway.fullname" . }}{{- end }} + {{- else }} + emptyDir: {} + {{- end }} + {{- if .Values.webConfiguration }} + - name: web-config + secret: + secretName: {{ include "prometheus-pushgateway.fullname" . }} + {{- end }} + {{- end }} + {{- if .Values.extraVolumes }} + {{- toYaml .Values.extraVolumes | nindent 2 }} + {{- else if $storageVolumeAsPVCTemplate }} + {{- if .Values.webConfiguration }} + - name: web-config + secret: + secretName: {{ include "prometheus-pushgateway.fullname" . }} + {{- else }} + [] + {{- end }} + {{- end }} +{{- end }} diff --git a/charts/kasten/k10/7.0.1401/charts/prometheus/charts/prometheus-pushgateway/templates/deployment.yaml b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/prometheus-pushgateway/templates/deployment.yaml new file mode 100644 index 000000000..5d3fafde7 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/prometheus-pushgateway/templates/deployment.yaml @@ -0,0 +1,29 @@ +{{- if not .Values.runAsStatefulSet }} +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + {{- include "prometheus-pushgateway.defaultLabels" . | nindent 4 }} + name: {{ include "prometheus-pushgateway.fullname" . }} + namespace: {{ template "prometheus-pushgateway.namespace" . }} +spec: + replicas: {{ .Values.replicaCount }} + {{- with .Values.strategy }} + strategy: + {{- toYaml . | nindent 4 }} + {{- end }} + selector: + matchLabels: + {{- include "prometheus-pushgateway.selectorLabels" . | nindent 6 }} + template: + metadata: + {{- with .Values.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "prometheus-pushgateway.defaultLabels" . | nindent 8 }} + {{- include "k10.azMarketPlace.billingIdentifier" . | nindent 8 }} + spec: + {{- include "prometheus-pushgateway.podSpec" . | nindent 6 }} +{{- end }} diff --git a/charts/kasten/k10/7.0.1401/charts/prometheus/charts/prometheus-pushgateway/templates/extra-manifests.yaml b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/prometheus-pushgateway/templates/extra-manifests.yaml new file mode 100644 index 000000000..bafee9518 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/prometheus-pushgateway/templates/extra-manifests.yaml @@ -0,0 +1,8 @@ +{{- range .Values.extraManifests }} +--- + {{- if typeIs "string" . }} + {{- tpl . $ }} + {{- else }} + {{- tpl (. | toYaml | nindent 0) $ }} + {{- end }} +{{- end }} diff --git a/charts/kasten/k10/7.0.1401/charts/prometheus/charts/prometheus-pushgateway/templates/ingress.yaml b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/prometheus-pushgateway/templates/ingress.yaml new file mode 100644 index 000000000..237ac4a12 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/prometheus-pushgateway/templates/ingress.yaml @@ -0,0 +1,50 @@ +{{- if .Values.ingress.enabled }} +{{- $serviceName := include "prometheus-pushgateway.fullname" . }} +{{- $servicePort := .Values.service.port }} +{{- $ingressPath := .Values.ingress.path }} +{{- $ingressClassName := .Values.ingress.className }} +{{- $ingressPathType := .Values.ingress.pathType }} +{{- $extraPaths := .Values.ingress.extraPaths }} +apiVersion: {{ include "prometheus-pushgateway.ingress.apiVersion" . }} +kind: Ingress +metadata: + {{- with .Values.ingress.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} + labels: + {{- include "prometheus-pushgateway.defaultLabels" . | nindent 4 }} + name: {{ include "prometheus-pushgateway.fullname" . }} + namespace: {{ template "prometheus-pushgateway.namespace" . }} +spec: + {{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion }} + ingressClassName: {{ $ingressClassName }} + {{- end }} + rules: + {{- range $host := .Values.ingress.hosts }} + - host: {{ $host }} + http: + paths: + {{- with $extraPaths }} + {{- toYaml . | nindent 10 }} + {{- end }} + - path: {{ $ingressPath }} + {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }} + pathType: {{ $ingressPathType }} + {{- end }} + backend: + {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }} + service: + name: {{ $serviceName }} + port: + number: {{ $servicePort }} + {{- else }} + serviceName: {{ $serviceName }} + servicePort: {{ $servicePort }} + {{- end }} + {{- end -}} + {{- with .Values.ingress.tls }} + tls: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} diff --git a/charts/kasten/k10/7.0.1401/charts/prometheus/charts/prometheus-pushgateway/templates/networkpolicy.yaml b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/prometheus-pushgateway/templates/networkpolicy.yaml new file mode 100644 index 000000000..d3b8019e3 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/prometheus-pushgateway/templates/networkpolicy.yaml @@ -0,0 +1,26 @@ +{{- if .Values.networkPolicy }} +apiVersion: {{ include "prometheus-pushgateway.networkPolicy.apiVersion" . }} +kind: NetworkPolicy +metadata: + labels: + {{- include "prometheus-pushgateway.defaultLabels" . | nindent 4 }} + {{- if .Values.networkPolicy.customSelectors }} + name: ingress-allow-customselector-{{ template "prometheus-pushgateway.name" . }} + {{- else if .Values.networkPolicy.allowAll }} + name: ingress-allow-all-{{ template "prometheus-pushgateway.name" . }} + {{- else -}} + {{- fail "One of `allowAll` or `customSelectors` must be specified." }} + {{- end }} + namespace: {{ template "prometheus-pushgateway.namespace" . }} +spec: + podSelector: + matchLabels: + {{- include "prometheus-pushgateway.selectorLabels" . | nindent 6 }} + ingress: + - ports: + - port: {{ .Values.service.targetPort }} + {{- with .Values.networkPolicy.customSelectors }} + from: + {{- toYaml . | nindent 8 }} + {{- end }} +{{- end }} diff --git a/charts/kasten/k10/7.0.1401/charts/prometheus/charts/prometheus-pushgateway/templates/pdb.yaml b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/prometheus-pushgateway/templates/pdb.yaml new file mode 100644 index 000000000..6051133c6 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/prometheus-pushgateway/templates/pdb.yaml @@ -0,0 +1,14 @@ +{{- if .Values.podDisruptionBudget }} +apiVersion: {{ include "prometheus-pushgateway.pdb.apiVersion" . }} +kind: PodDisruptionBudget +metadata: + labels: + {{- include "prometheus-pushgateway.defaultLabels" . | nindent 4 }} + name: {{ include "prometheus-pushgateway.fullname" . }} + namespace: {{ template "prometheus-pushgateway.namespace" . }} +spec: + selector: + matchLabels: + {{- include "prometheus-pushgateway.selectorLabels" . | nindent 6 }} + {{- toYaml .Values.podDisruptionBudget | nindent 2 }} +{{- end }} diff --git a/charts/kasten/k10/7.0.1401/charts/prometheus/charts/prometheus-pushgateway/templates/pushgateway-pvc.yaml b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/prometheus-pushgateway/templates/pushgateway-pvc.yaml new file mode 100644 index 000000000..d2a85f424 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/prometheus-pushgateway/templates/pushgateway-pvc.yaml @@ -0,0 +1,29 @@ +{{- if and (not .Values.runAsStatefulSet) .Values.persistentVolume.enabled (not .Values.persistentVolume.existingClaim) }} +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + {{- with .Values.persistentVolume.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} + labels: + {{- include "prometheus-pushgateway.defaultLabels" . | nindent 4 }} + {{- with .Values.persistentVolumeLabels }} + {{- toYaml . | nindent 4 }} + {{- end }} + name: {{ include "prometheus-pushgateway.fullname" . }} + namespace: {{ template "prometheus-pushgateway.namespace" . }} +spec: + accessModes: + {{- toYaml .Values.persistentVolume.accessModes | nindent 4 }} + {{- if .Values.persistentVolume.storageClass }} + {{- if (eq "-" .Values.persistentVolume.storageClass) }} + storageClassName: "" + {{- else }} + storageClassName: "{{ .Values.persistentVolume.storageClass }}" + {{- end }} + {{- end }} + resources: + requests: + storage: "{{ .Values.persistentVolume.size }}" +{{- end }} diff --git a/charts/kasten/k10/7.0.1401/charts/prometheus/charts/prometheus-pushgateway/templates/secret.yaml b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/prometheus-pushgateway/templates/secret.yaml new file mode 100644 index 000000000..a8142d138 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/prometheus-pushgateway/templates/secret.yaml @@ -0,0 +1,10 @@ +{{- if .Values.webConfiguration }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "prometheus-pushgateway.fullname" . }} + labels: + {{- include "prometheus-pushgateway.defaultLabels" . | nindent 4 }} +data: + web-config.yaml: {{ include "prometheus-pushgateway.webConfiguration" . | b64enc}} +{{- end }} diff --git a/charts/kasten/k10/7.0.1401/charts/prometheus/charts/prometheus-pushgateway/templates/service.yaml b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/prometheus-pushgateway/templates/service.yaml new file mode 100644 index 000000000..15029f7e3 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/prometheus-pushgateway/templates/service.yaml @@ -0,0 +1,45 @@ +{{- $stsNoHeadlessSvcTypes := list "LoadBalancer" "NodePort" -}} +apiVersion: v1 +kind: Service +metadata: + {{- with .Values.serviceAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} + labels: + {{- include "prometheus-pushgateway.defaultLabels" . | nindent 4 }} + {{- with .Values.serviceLabels }} + {{- toYaml . | nindent 4 }} + {{- end }} + name: {{ include "prometheus-pushgateway.fullname" . }} + namespace: {{ template "prometheus-pushgateway.namespace" . }} +spec: + {{- if .Values.service.clusterIP }} + clusterIP: {{ .Values.service.clusterIP }} + {{ else if and .Values.runAsStatefulSet (not (has .Values.service.type $stsNoHeadlessSvcTypes)) }} + clusterIP: None # Headless service + {{- end }} + {{- if .Values.service.ipDualStack.enabled }} + ipFamilies: {{ toYaml .Values.service.ipDualStack.ipFamilies | nindent 4 }} + ipFamilyPolicy: {{ .Values.service.ipDualStack.ipFamilyPolicy }} + {{- end }} + type: {{ .Values.service.type }} + {{- with .Values.service.loadBalancerIP }} + loadBalancerIP: {{ . }} + {{- end }} + {{- if .Values.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: + {{- range $cidr := .Values.service.loadBalancerSourceRanges }} + - {{ $cidr }} + {{- end }} + {{- end }} + ports: + - port: {{ .Values.service.port }} + targetPort: {{ .Values.service.targetPort }} + {{- if and (eq .Values.service.type "NodePort") .Values.service.nodePort }} + nodePort: {{ .Values.service.nodePort }} + {{- end }} + protocol: TCP + name: {{ .Values.service.portName }} + selector: + {{- include "prometheus-pushgateway.selectorLabels" . | nindent 4 }} diff --git a/charts/kasten/k10/7.0.1401/charts/prometheus/charts/prometheus-pushgateway/templates/serviceaccount.yaml b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/prometheus-pushgateway/templates/serviceaccount.yaml new file mode 100644 index 000000000..88f147048 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/prometheus-pushgateway/templates/serviceaccount.yaml @@ -0,0 +1,17 @@ +{{- if .Values.serviceAccount.create }} +apiVersion: v1 +kind: ServiceAccount +metadata: + {{- with .Values.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} + labels: + {{- include "prometheus-pushgateway.defaultLabels" . | nindent 4 }} + {{- with .Values.serviceAccountLabels }} + {{- toYaml . | nindent 4 }} + {{- end }} + name: {{ include "prometheus-pushgateway.serviceAccountName" . }} + namespace: {{ template "prometheus-pushgateway.namespace" . }} +automountServiceAccountToken: {{ .Values.automountServiceAccountToken }} +{{- end }} diff --git a/charts/kasten/k10/7.0.1401/charts/prometheus/charts/prometheus-pushgateway/templates/servicemonitor.yaml b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/prometheus-pushgateway/templates/servicemonitor.yaml new file mode 100644 index 000000000..ae173199b --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/prometheus-pushgateway/templates/servicemonitor.yaml @@ -0,0 +1,51 @@ +{{- if .Values.serviceMonitor.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + labels: + {{- include "prometheus-pushgateway.defaultLabels" . | nindent 4 }} + {{- if .Values.serviceMonitor.additionalLabels }} + {{- toYaml .Values.serviceMonitor.additionalLabels | nindent 4 }} + {{- end }} + name: {{ include "prometheus-pushgateway.fullname" . }} + {{- if .Values.serviceMonitor.namespace }} + namespace: {{ .Values.serviceMonitor.namespace }} + {{- else }} + namespace: {{ template "prometheus-pushgateway.namespace" . }} + {{- end }} +spec: + endpoints: + - port: {{ .Values.service.portName }} + {{- with .Values.serviceMonitor.interval }} + interval: {{ . }} + {{- end }} + {{- with .Values.serviceMonitor.scheme }} + scheme: {{ . }} + {{- end }} + {{- with .Values.serviceMonitor.bearerTokenFile }} + bearerTokenFile: {{ . }} + {{- end }} + {{- with .Values.serviceMonitor.tlsConfig }} + tlsConfig: + {{- toYaml .| nindent 6 }} + {{- end }} + {{- with .Values.serviceMonitor.scrapeTimeout }} + scrapeTimeout: {{ . }} + {{- end }} + path: {{ .Values.serviceMonitor.telemetryPath }} + honorLabels: {{ .Values.serviceMonitor.honorLabels }} + {{- with .Values.serviceMonitor.metricRelabelings }} + metricRelabelings: + {{- tpl (toYaml . | nindent 6) $ }} + {{- end }} + {{- with .Values.serviceMonitor.relabelings }} + relabelings: + {{- toYaml . | nindent 6 }} + {{- end }} + namespaceSelector: + matchNames: + - {{ template "prometheus-pushgateway.namespace" . }} + selector: + matchLabels: + {{- include "prometheus-pushgateway.selectorLabels" . | nindent 6 }} +{{- end -}} diff --git a/charts/kasten/k10/7.0.1401/charts/prometheus/charts/prometheus-pushgateway/templates/statefulset.yaml b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/prometheus-pushgateway/templates/statefulset.yaml new file mode 100644 index 000000000..8d486a306 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/prometheus-pushgateway/templates/statefulset.yaml @@ -0,0 +1,49 @@ +{{- if .Values.runAsStatefulSet }} +apiVersion: apps/v1 +kind: StatefulSet +metadata: + labels: + {{- include "prometheus-pushgateway.defaultLabels" . | nindent 4 }} + name: {{ include "prometheus-pushgateway.fullname" . }} + namespace: {{ template "prometheus-pushgateway.namespace" . }} +spec: + replicas: {{ .Values.replicaCount }} + serviceName: {{ include "prometheus-pushgateway.fullname" . }} + selector: + matchLabels: + {{- include "prometheus-pushgateway.selectorLabels" . | nindent 6 }} + template: + metadata: + {{- with .Values.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "prometheus-pushgateway.defaultLabels" . | nindent 8 }} + spec: + {{- include "prometheus-pushgateway.podSpec" . | nindent 6 }} + {{- if .Values.persistentVolume.enabled }} + volumeClaimTemplates: + - metadata: + {{- with .Values.persistentVolume.annotations }} + annotations: + {{- toYaml . | nindent 10 }} + {{- end }} + labels: + {{- include "prometheus-pushgateway.defaultLabels" . | nindent 10 }} + name: storage-volume + spec: + accessModes: + {{ toYaml .Values.persistentVolume.accessModes }} + {{- if .Values.persistentVolume.storageClass }} + {{- if (eq "-" .Values.persistentVolume.storageClass) }} + storageClassName: "" + {{- else }} + storageClassName: "{{ .Values.persistentVolume.storageClass }}" + {{- end }} + {{- end }} + resources: + requests: + storage: "{{ .Values.persistentVolume.size }}" + {{- end }} +{{- end }} diff --git a/charts/kasten/k10/7.0.1401/charts/prometheus/charts/prometheus-pushgateway/values.yaml b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/prometheus-pushgateway/values.yaml new file mode 100644 index 000000000..85f267fdb --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/prometheus/charts/prometheus-pushgateway/values.yaml @@ -0,0 +1,371 @@ +# Default values for prometheus-pushgateway. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +# Provide a name in place of prometheus-pushgateway for `app:` labels +nameOverride: "" + +# Provide a name to substitute for the full names of resources +fullnameOverride: "" + +# Provide a namespace to substitude for the namespace on resources +namespaceOverride: "" + +image: + repository: quay.io/prometheus/pushgateway + # if not set appVersion field from Chart.yaml is used + tag: "" + pullPolicy: IfNotPresent + +# Optional pod imagePullSecrets +imagePullSecrets: [] + +service: + type: ClusterIP + port: 9091 + targetPort: 9091 + # nodePort: 32100 + portName: http + + # Optional - Can be used for headless if value is "None" + clusterIP: "" + + ipDualStack: + enabled: false + ipFamilies: ["IPv6", "IPv4"] + ipFamilyPolicy: "PreferDualStack" + + loadBalancerIP: "" + loadBalancerSourceRanges: [] + +# Whether to automatically mount a service account token into the pod +automountServiceAccountToken: true + +# Optional pod annotations +podAnnotations: {} + +# Optional pod labels +podLabels: {} + +# Optional service annotations +serviceAnnotations: {} + +# Optional service labels +serviceLabels: {} + +# Optional serviceAccount labels +serviceAccountLabels: {} + +# Optional persistentVolume labels +persistentVolumeLabels: {} + +# Optional additional environment variables +extraVars: [] + +## Additional pushgateway container arguments +## +## example: +## extraArgs: +## - --persistence.file=/data/pushgateway.data +## - --persistence.interval=5m +extraArgs: [] + +## Additional InitContainers to initialize the pod +## +extraInitContainers: [] + +# Optional additional containers (sidecar) +extraContainers: [] + # - name: oAuth2-proxy + # args: + # - -https-address=:9092 + # - -upstream=http://localhost:9091 + # - -skip-auth-regex=^/metrics + # - -openshift-delegate-urls={"/":{"group":"monitoring.coreos.com","resource":"prometheuses","verb":"get"}} + # image: openshift/oauth-proxy:v1.1.0 + # ports: + # - containerPort: 9092 + # name: proxy + # resources: + # limits: + # memory: 16Mi + # requests: + # memory: 4Mi + # cpu: 20m + # volumeMounts: + # - mountPath: /etc/prometheus/secrets/pushgateway-tls + # name: secret-pushgateway-tls + +resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # limits: + # cpu: 200m + # memory: 50Mi + # requests: + # cpu: 100m + # memory: 30Mi + +# -- Sets web configuration +# To enable basic authentication, provide basicAuthUsers as a map +webConfiguration: {} + # basicAuthUsers: + # username: password + +liveness: + enabled: true + probe: + httpGet: + path: /-/healthy + port: 9091 + initialDelaySeconds: 10 + timeoutSeconds: 10 + +readiness: + enabled: true + probe: + httpGet: + path: /-/ready + port: 9091 + initialDelaySeconds: 10 + timeoutSeconds: 10 + +serviceAccount: + # Specifies whether a ServiceAccount should be created + create: true + # The name of the ServiceAccount to use. + # If not set and create is true, a name is generated using the fullname template + name: + +## Configure ingress resource that allow you to access the +## pushgateway installation. Set up the URL +## ref: http://kubernetes.io/docs/user-guide/ingress/ +## +ingress: + ## Enable Ingress. + ## + enabled: false + # AWS ALB requires path of /* + className: "" + path: / + pathType: ImplementationSpecific + + ## Extra paths to prepend to every host configuration. This is useful when working with annotation based services. + extraPaths: [] + # - path: /* + # backend: + # serviceName: ssl-redirect + # servicePort: use-annotation + + ## Annotations. + ## + # annotations: + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: 'true' + + ## Hostnames. + ## Must be provided if Ingress is enabled. + ## + # hosts: + # - pushgateway.domain.com + + ## TLS configuration. + ## Secrets must be manually created in the namespace. + ## + # tls: + # - secretName: pushgateway-tls + # hosts: + # - pushgateway.domain.com + +tolerations: [] + # - effect: NoSchedule + # operator: Exists + +## Node labels for pushgateway pod assignment +## Ref: https://kubernetes.io/docs/user-guide/node-selection/ +## +nodeSelector: {} + +replicaCount: 1 + +hostAliases: [] + # - ip: "127.0.0.1" + # hostnames: + # - "foo.local" + # - "bar.local" + # - ip: "10.1.2.3" + # hostnames: + # - "foo.remote" + # - "bar.remote" + +## When running more than one replica alongside with persistence, different volumes are needed +## per replica, since sharing a `persistence.file` across replicas does not keep metrics synced. +## For this purpose, you can enable the `runAsStatefulSet` to deploy the pushgateway as a +## StatefulSet instead of as a Deployment. +runAsStatefulSet: false + +## Security context to be added to push-gateway pods +## +securityContext: + fsGroup: 65534 + runAsUser: 65534 + runAsNonRoot: true + +## Security context to be added to push-gateway containers +## Having a separate variable as securityContext differs for pods and containers. +containerSecurityContext: {} +# allowPrivilegeEscalation: false +# readOnlyRootFilesystem: true +# runAsUser: 65534 +# runAsNonRoot: true + +## Affinity for pod assignment +## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity +affinity: {} + +## Pod anti-affinity can prevent the scheduler from placing pushgateway replicas on the same node. +## The value "soft" means that the scheduler should *prefer* to not schedule two replica pods onto the same node but no guarantee is provided. +## The value "hard" means that the scheduler is *required* to not schedule two replica pods onto the same node. +## The default value "" will disable pod anti-affinity so that no anti-affinity rules will be configured (unless set in `affinity`). +## +podAntiAffinity: "" + +## If anti-affinity is enabled sets the topologyKey to use for anti-affinity. +## This can be changed to, for example, failure-domain.beta.kubernetes.io/zone +## +podAntiAffinityTopologyKey: kubernetes.io/hostname + +## Topology spread constraints for pods +## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ +topologySpreadConstraints: [] + +# Enable this if you're using https://github.com/coreos/prometheus-operator +serviceMonitor: + enabled: false + namespace: monitoring + + # telemetryPath: HTTP resource path from which to fetch metrics. + # Telemetry path, default /metrics, has to be prefixed accordingly if pushgateway sets a route prefix at start-up. + # + telemetryPath: "/metrics" + + # Fallback to the prometheus default unless specified + # interval: 10s + + ## scheme: HTTP scheme to use for scraping. Can be used with `tlsConfig` for example if using istio mTLS. + # scheme: "" + + ## tlsConfig: TLS configuration to use when scraping the endpoint. For example if using istio mTLS. + ## Of type: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#tlsconfig + # tlsConfig: {} + + # bearerTokenFile: + # Fallback to the prometheus default unless specified + # scrapeTimeout: 30s + + ## Used to pass Labels that are used by the Prometheus installed in your cluster to select Service Monitors to work with + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#prometheusspec + additionalLabels: {} + + # Retain the job and instance labels of the metrics pushed to the Pushgateway + # [Scraping Pushgateway](https://github.com/prometheus/pushgateway#configure-the-pushgateway-as-a-target-to-scrape) + honorLabels: true + + ## Metric relabel configs to apply to samples before ingestion. + ## [Metric Relabeling](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#metric_relabel_configs) + metricRelabelings: [] + # - action: keep + # regex: 'kube_(daemonset|deployment|pod|namespace|node|statefulset).+' + # sourceLabels: [__name__] + + ## Relabel configs to apply to samples before ingestion. + ## [Relabeling](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config) + relabelings: [] + # - sourceLabels: [__meta_kubernetes_pod_node_name] + # separator: ; + # regex: ^(.*)$ + # targetLabel: nodename + # replacement: $1 + # action: replace + +# The values to set in the PodDisruptionBudget spec (minAvailable/maxUnavailable) +# If not set then a PodDisruptionBudget will not be created +podDisruptionBudget: {} + +priorityClassName: + +# Deployment Strategy type +strategy: + type: Recreate + +persistentVolume: + ## If true, pushgateway will create/use a Persistent Volume Claim + ## If false, use emptyDir + ## + enabled: false + + ## pushgateway data Persistent Volume access modes + ## Must match those of existing PV or dynamic provisioner + ## Ref: http://kubernetes.io/docs/user-guide/persistent-volumes/ + ## + accessModes: + - ReadWriteOnce + + ## pushgateway data Persistent Volume Claim annotations + ## + annotations: {} + + ## pushgateway data Persistent Volume existing claim name + ## Requires pushgateway.persistentVolume.enabled: true + ## If defined, PVC must be created manually before volume will be bound + existingClaim: "" + + ## pushgateway data Persistent Volume mount root path + ## + mountPath: /data + + ## pushgateway data Persistent Volume size + ## + size: 2Gi + + ## pushgateway data Persistent Volume Storage Class + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. (gp2 on AWS, standard on + ## GKE, AWS & OpenStack) + ## + # storageClass: "-" + + ## Subdirectory of pushgateway data Persistent Volume to mount + ## Useful if the volume's root directory is not empty + ## + subPath: "" + +extraVolumes: [] + # - name: extra + # emptyDir: {} +extraVolumeMounts: [] + # - name: extra + # mountPath: /usr/share/extras + # readOnly: true + +# Configuration for clusters with restrictive network policies in place: +# - allowAll allows access to the PushGateway from any namespace +# - customSelector is a list of pod/namespaceSelectors to allow access from +# These options are mutually exclusive and the latter will take precedence. +networkPolicy: {} + # allowAll: true + # customSelectors: + # - namespaceSelector: + # matchLabels: + # type: admin + # - podSelector: + # matchLabels: + # app: myapp + +# Array of extra K8s objects to deploy (evaluated as a template) +# The value can hold an array of strings as well as objects +extraManifests: [] diff --git a/charts/kasten/k10/7.0.1401/charts/prometheus/templates/NOTES.txt b/charts/kasten/k10/7.0.1401/charts/prometheus/templates/NOTES.txt new file mode 100644 index 000000000..fc03c2a5b --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/prometheus/templates/NOTES.txt @@ -0,0 +1,113 @@ +The Prometheus server can be accessed via port {{ .Values.server.service.servicePort }} on the following DNS name from within your cluster: +{{ template "prometheus.server.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local + +{{ if .Values.server.ingress.enabled -}} +From outside the cluster, the server URL(s) are: +{{- range .Values.server.ingress.hosts }} +http://{{ . }} +{{- end }} +{{- else }} +Get the Prometheus server URL by running these commands in the same shell: +{{- if contains "NodePort" .Values.server.service.type }} + export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "prometheus.server.fullname" . }}) + export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") + echo http://$NODE_IP:$NODE_PORT +{{- else if contains "LoadBalancer" .Values.server.service.type }} + NOTE: It may take a few minutes for the LoadBalancer IP to be available. + You can watch the status of by running 'kubectl get svc --namespace {{ .Release.Namespace }} -w {{ template "prometheus.server.fullname" . }}' + + export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "prometheus.server.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') + echo http://$SERVICE_IP:{{ .Values.server.service.servicePort }} +{{- else if contains "ClusterIP" .Values.server.service.type }} + export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "prometheus.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") + kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 9090 +{{- end }} + + +{{- if .Values.server.persistentVolume.enabled }} +{{- else }} +################################################################################# +###### WARNING: Persistence is disabled!!! You will lose your data when ##### +###### the Server pod is terminated. ##### +################################################################################# +{{- end }} +{{- end }} + +{{ if .Values.alertmanager.enabled }} +The Prometheus alertmanager can be accessed via port {{ .Values.alertmanager.service.port }} on the following DNS name from within your cluster: +{{ template "prometheus.alertmanager.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local + +{{ if .Values.alertmanager.ingress.enabled -}} +From outside the cluster, the alertmanager URL(s) are: +{{- range .Values.alertmanager.ingress.hosts }} +http://{{ . }} +{{- end }} +{{- else }} +Get the Alertmanager URL by running these commands in the same shell: +{{- if contains "NodePort" .Values.alertmanager.service.type }} + export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "prometheus.alertmanager.fullname" . }}) + export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") + echo http://$NODE_IP:$NODE_PORT +{{- else if contains "LoadBalancer" .Values.alertmanager.service.type }} + NOTE: It may take a few minutes for the LoadBalancer IP to be available. + You can watch the status of by running 'kubectl get svc --namespace {{ .Release.Namespace }} -w {{ template "prometheus.alertmanager.fullname" . }}' + + export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "prometheus.alertmanager.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') + echo http://$SERVICE_IP:{{ .Values.alertmanager.service.servicePort }} +{{- else if contains "ClusterIP" .Values.alertmanager.service.type }} + export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "alertmanager.name" .Subcharts.alertmanager }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") + kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 9093 +{{- end }} +{{- end }} + +{{- if .Values.alertmanager.persistence.enabled }} +{{- else }} +################################################################################# +###### WARNING: Persistence is disabled!!! You will lose your data when ##### +###### the AlertManager pod is terminated. ##### +################################################################################# +{{- end }} +{{- end }} + +{{- if (index .Values "prometheus-node-exporter" "enabled") }} +################################################################################# +###### WARNING: Pod Security Policy has been disabled by default since ##### +###### it deprecated after k8s 1.25+. use ##### +###### (index .Values "prometheus-node-exporter" "rbac" ##### +###### . "pspEnabled") with (index .Values ##### +###### "prometheus-node-exporter" "rbac" "pspAnnotations") ##### +###### in case you still need it. ##### +################################################################################# +{{- end }} + +{{ if (index .Values "prometheus-pushgateway" "enabled") }} +The Prometheus PushGateway can be accessed via port {{ index .Values "prometheus-pushgateway" "service" "port" }} on the following DNS name from within your cluster: +{{ include "prometheus-pushgateway.fullname" (index .Subcharts "prometheus-pushgateway") }}.{{ .Release.Namespace }}.svc.cluster.local + +{{ if (index .Values "prometheus-pushgateway" "ingress" "enabled") -}} +From outside the cluster, the pushgateway URL(s) are: +{{- range (index .Values "prometheus-pushgateway" "ingress" "hosts") }} +http://{{ . }} +{{- end }} +{{- else }} +Get the PushGateway URL by running these commands in the same shell: +{{- $pushgateway_svc_type := index .Values "prometheus-pushgateway" "service" "type" -}} +{{- if contains "NodePort" $pushgateway_svc_type }} + export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "prometheus-pushgateway.fullname" (index .Subcharts "prometheus-pushgateway") }}) + export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") + echo http://$NODE_IP:$NODE_PORT +{{- else if contains "LoadBalancer" $pushgateway_svc_type }} + NOTE: It may take a few minutes for the LoadBalancer IP to be available. + You can watch the status of by running 'kubectl get svc --namespace {{ .Release.Namespace }} -w {{ include "prometheus-pushgateway.fullname" (index .Subcharts "prometheus-pushgateway") }}' + + export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "prometheus-pushgateway.fullname" (index .Subcharts "prometheus-pushgateway") }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') + echo http://$SERVICE_IP:{{ index .Values "prometheus-pushgateway" "service" "port" }} +{{- else if contains "ClusterIP" $pushgateway_svc_type }} + export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app={{ include "prometheus.name" (index .Subcharts "prometheus-pushgateway") }},component=pushgateway" -o jsonpath="{.items[0].metadata.name}") + kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 9091 +{{- end }} +{{- end }} +{{- end }} + +For more information on running Prometheus, visit: +https://prometheus.io/ diff --git a/charts/kasten/k10/7.0.1401/charts/prometheus/templates/_helpers.tpl b/charts/kasten/k10/7.0.1401/charts/prometheus/templates/_helpers.tpl new file mode 100644 index 000000000..3d8078f02 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/prometheus/templates/_helpers.tpl @@ -0,0 +1,238 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "prometheus.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "prometheus.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create labels for prometheus +*/}} +{{- define "prometheus.common.matchLabels" -}} +app.kubernetes.io/name: {{ include "prometheus.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end -}} + +{{/* +Create unified labels for prometheus components +*/}} +{{- define "prometheus.common.metaLabels" -}} +app.kubernetes.io/version: {{ .Chart.AppVersion }} +helm.sh/chart: {{ include "prometheus.chart" . }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +app.kubernetes.io/part-of: {{ include "prometheus.name" . }} +{{- with .Values.commonMetaLabels}} +{{ toYaml . }} +{{- end }} +{{- end -}} + +{{- define "prometheus.server.labels" -}} +{{ include "prometheus.server.matchLabels" . }} +{{ include "prometheus.common.metaLabels" . }} +{{- end -}} + +{{- define "prometheus.server.matchLabels" -}} +app.kubernetes.io/component: {{ .Values.server.name }} +{{ include "prometheus.common.matchLabels" . }} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "prometheus.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create a fully qualified ClusterRole name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "prometheus.clusterRoleName" -}} +{{- if .Values.server.clusterRoleNameOverride -}} +{{ .Values.server.clusterRoleNameOverride | trunc 63 | trimSuffix "-" }} +{{- else -}} +{{ include "prometheus.server.fullname" . }} +{{- end -}} +{{- end -}} + +{{/* +Create a fully qualified alertmanager name for communicating and check to ensure that `alertmanager` exists before trying to use it with the user via NOTES.txt +*/}} +{{- define "prometheus.alertmanager.fullname" -}} +{{- if .Subcharts.alertmanager -}} +{{- template "alertmanager.fullname" .Subcharts.alertmanager -}} +{{- else -}} +{{- "alertmanager not found" -}} +{{- end -}} +{{- end -}} + +{{/* +Create a fully qualified Prometheus server name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "prometheus.server.fullname" -}} +{{- if .Values.server.fullnameOverride -}} +{{- .Values.server.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- printf "%s-%s" .Release.Name .Values.server.name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s-%s" .Release.Name $name .Values.server.name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Get KubeVersion removing pre-release information. +*/}} +{{- define "prometheus.kubeVersion" -}} + {{- default .Capabilities.KubeVersion.Version (regexFind "v[0-9]+\\.[0-9]+\\.[0-9]+" .Capabilities.KubeVersion.Version) -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for deployment. +*/}} +{{- define "prometheus.deployment.apiVersion" -}} +{{- print "apps/v1" -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for networkpolicy. +*/}} +{{- define "prometheus.networkPolicy.apiVersion" -}} +{{- print "networking.k8s.io/v1" -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for poddisruptionbudget. +*/}} +{{- define "prometheus.podDisruptionBudget.apiVersion" -}} +{{- if .Capabilities.APIVersions.Has "policy/v1" }} +{{- print "policy/v1" -}} +{{- else -}} +{{- print "policy/v1beta1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for rbac. +*/}} +{{- define "rbac.apiVersion" -}} +{{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" }} +{{- print "rbac.authorization.k8s.io/v1" -}} +{{- else -}} +{{- print "rbac.authorization.k8s.io/v1beta1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for ingress. +*/}} +{{- define "ingress.apiVersion" -}} + {{- if and (.Capabilities.APIVersions.Has "networking.k8s.io/v1") (semverCompare ">= 1.19.x" (include "prometheus.kubeVersion" .)) -}} + {{- print "networking.k8s.io/v1" -}} + {{- else if .Capabilities.APIVersions.Has "networking.k8s.io/v1beta1" -}} + {{- print "networking.k8s.io/v1beta1" -}} + {{- else -}} + {{- print "extensions/v1beta1" -}} + {{- end -}} +{{- end -}} + +{{/* +Return if ingress is stable. +*/}} +{{- define "ingress.isStable" -}} + {{- eq (include "ingress.apiVersion" .) "networking.k8s.io/v1" -}} +{{- end -}} + +{{/* +Return if ingress supports ingressClassName. +*/}} +{{- define "ingress.supportsIngressClassName" -}} + {{- or (eq (include "ingress.isStable" .) "true") (and (eq (include "ingress.apiVersion" .) "networking.k8s.io/v1beta1") (semverCompare ">= 1.18.x" (include "prometheus.kubeVersion" .))) -}} +{{- end -}} + +{{/* +Return if ingress supports pathType. +*/}} +{{- define "ingress.supportsPathType" -}} + {{- or (eq (include "ingress.isStable" .) "true") (and (eq (include "ingress.apiVersion" .) "networking.k8s.io/v1beta1") (semverCompare ">= 1.18.x" (include "prometheus.kubeVersion" .))) -}} +{{- end -}} + +{{/* +Create the name of the service account to use for the server component +*/}} +{{- define "prometheus.serviceAccountName.server" -}} +{{- if .Values.serviceAccounts.server.create -}} + {{ default (include "prometheus.server.fullname" .) .Values.serviceAccounts.server.name }} +{{- else -}} + {{ default "default" .Values.serviceAccounts.server.name }} +{{- end -}} +{{- end -}} + +{{/* +Define the prometheus.namespace template if set with forceNamespace or .Release.Namespace is set +*/}} +{{- define "prometheus.namespace" -}} + {{- default .Release.Namespace .Values.forceNamespace -}} +{{- end }} + +{{/* +Define template prometheus.namespaces producing a list of namespaces to monitor +*/}} +{{- define "prometheus.namespaces" -}} +{{- $namespaces := list }} +{{- if and .Values.rbac.create .Values.server.useExistingClusterRoleName }} + {{- if .Values.server.namespaces -}} + {{- range $ns := join "," .Values.server.namespaces | split "," }} + {{- $namespaces = append $namespaces (tpl $ns $) }} + {{- end -}} + {{- end -}} + {{- if .Values.server.releaseNamespace -}} + {{- $namespaces = append $namespaces (include "prometheus.namespace" .) }} + {{- end -}} +{{- end -}} +{{ mustToJson $namespaces }} +{{- end -}} + +{{/* +Define prometheus.server.remoteWrite producing a list of remoteWrite configurations with URL templating +*/}} +{{- define "prometheus.server.remoteWrite" -}} +{{- $remoteWrites := list }} +{{- range $remoteWrite := .Values.server.remoteWrite }} + {{- $remoteWrites = tpl $remoteWrite.url $ | set $remoteWrite "url" | append $remoteWrites }} +{{- end -}} +{{ toYaml $remoteWrites }} +{{- end -}} + +{{/* +Define prometheus.server.remoteRead producing a list of remoteRead configurations with URL templating +*/}} +{{- define "prometheus.server.remoteRead" -}} +{{- $remoteReads := list }} +{{- range $remoteRead := .Values.server.remoteRead }} + {{- $remoteReads = tpl $remoteRead.url $ | set $remoteRead "url" | append $remoteReads }} +{{- end -}} +{{ toYaml $remoteReads }} +{{- end -}} + diff --git a/charts/kasten/k10/7.0.1401/charts/prometheus/templates/clusterrole.yaml b/charts/kasten/k10/7.0.1401/charts/prometheus/templates/clusterrole.yaml new file mode 100644 index 000000000..25e3cec45 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/prometheus/templates/clusterrole.yaml @@ -0,0 +1,56 @@ +{{- if and .Values.rbac.create (empty .Values.server.useExistingClusterRoleName) -}} +apiVersion: {{ template "rbac.apiVersion" . }} +kind: ClusterRole +metadata: + labels: + {{- include "prometheus.server.labels" . | nindent 4 }} + name: {{ include "prometheus.clusterRoleName" . }} +rules: +{{- if and .Values.podSecurityPolicy.enabled (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }} + - apiGroups: + - extensions + resources: + - podsecuritypolicies + verbs: + - use + resourceNames: + - {{ template "prometheus.server.fullname" . }} +{{- end }} + - apiGroups: + - "" + resources: + - nodes + - nodes/proxy + - nodes/metrics + - services + - endpoints + - pods + - ingresses + - configmaps + verbs: + - get + - list + - watch + - apiGroups: + - "extensions" + - "networking.k8s.io" + resources: + - ingresses/status + - ingresses + verbs: + - get + - list + - watch + - apiGroups: + - "discovery.k8s.io" + resources: + - endpointslices + verbs: + - get + - list + - watch + - nonResourceURLs: + - "/metrics" + verbs: + - get +{{- end }} diff --git a/charts/kasten/k10/7.0.1401/charts/prometheus/templates/clusterrolebinding.yaml b/charts/kasten/k10/7.0.1401/charts/prometheus/templates/clusterrolebinding.yaml new file mode 100644 index 000000000..28f4bda77 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/prometheus/templates/clusterrolebinding.yaml @@ -0,0 +1,16 @@ +{{- if and .Values.rbac.create (empty .Values.server.namespaces) (empty .Values.server.useExistingClusterRoleName) -}} +apiVersion: {{ template "rbac.apiVersion" . }} +kind: ClusterRoleBinding +metadata: + labels: + {{- include "prometheus.server.labels" . | nindent 4 }} + name: {{ include "prometheus.clusterRoleName" . }} +subjects: + - kind: ServiceAccount + name: {{ template "prometheus.serviceAccountName.server" . }} + namespace: {{ include "prometheus.namespace" . }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "prometheus.clusterRoleName" . }} +{{- end }} diff --git a/charts/kasten/k10/7.0.1401/charts/prometheus/templates/cm.yaml b/charts/kasten/k10/7.0.1401/charts/prometheus/templates/cm.yaml new file mode 100644 index 000000000..8713bd1ea --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/prometheus/templates/cm.yaml @@ -0,0 +1,103 @@ +{{- if (empty .Values.server.configMapOverrideName) -}} +apiVersion: v1 +kind: ConfigMap +metadata: +{{- with .Values.server.configMapAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} +{{- end }} + labels: + {{- include "prometheus.server.labels" . | nindent 4 }} + {{- with .Values.server.extraConfigmapLabels }} + {{- toYaml . | nindent 4 }} + {{- end }} + name: {{ template "prometheus.server.fullname" . }} + namespace: {{ include "prometheus.namespace" . }} +data: + allow-snippet-annotations: "false" +{{- $root := . -}} +{{- range $key, $value := .Values.ruleFiles }} + {{ $key }}: {{- toYaml $value | indent 2 }} +{{- end }} +{{- range $key, $value := .Values.serverFiles }} + {{ $key }}: | +{{- if eq $key "prometheus.yml" }} + global: +{{ $root.Values.server.global | toYaml | trimSuffix "\n" | indent 6 }} +{{- if $root.Values.server.remoteWrite }} + remote_write: +{{- include "prometheus.server.remoteWrite" $root | nindent 4 }} +{{- end }} +{{- if $root.Values.server.remoteRead }} + remote_read: +{{- include "prometheus.server.remoteRead" $root | nindent 4 }} +{{- end }} +{{- if or $root.Values.server.tsdb $root.Values.server.exemplars }} + storage: +{{- if $root.Values.server.tsdb }} + tsdb: +{{ $root.Values.server.tsdb | toYaml | indent 8 }} +{{- end }} +{{- if $root.Values.server.exemplars }} + exemplars: +{{ $root.Values.server.exemplars | toYaml | indent 8 }} +{{- end }} +{{- end }} +{{- if $root.Values.scrapeConfigFiles }} + scrape_config_files: +{{ toYaml $root.Values.scrapeConfigFiles | indent 4 }} +{{- end }} +{{- end }} +{{- if eq $key "alerts" }} +{{- if and (not (empty $value)) (empty $value.groups) }} + groups: +{{- range $ruleKey, $ruleValue := $value }} + - name: {{ $ruleKey -}}.rules + rules: +{{ $ruleValue | toYaml | trimSuffix "\n" | indent 6 }} +{{- end }} +{{- else }} +{{ toYaml $value | indent 4 }} +{{- end }} +{{- else }} +{{ toYaml $value | default "{}" | indent 4 }} +{{- end }} +{{- if eq $key "prometheus.yml" -}} +{{- if $root.Values.extraScrapeConfigs }} +{{ tpl $root.Values.extraScrapeConfigs $root | indent 4 }} +{{- end -}} +{{- if or ($root.Values.alertmanager.enabled) ($root.Values.server.alertmanagers) }} + alerting: +{{- if $root.Values.alertRelabelConfigs }} +{{ $root.Values.alertRelabelConfigs | toYaml | trimSuffix "\n" | indent 6 }} +{{- end }} + alertmanagers: +{{- if $root.Values.server.alertmanagers }} +{{ toYaml $root.Values.server.alertmanagers | indent 8 }} +{{- else }} + - kubernetes_sd_configs: + - role: pod + tls_config: + ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + {{- if $root.Values.alertmanager.prefixURL }} + path_prefix: {{ $root.Values.alertmanager.prefixURL }} + {{- end }} + relabel_configs: + - source_labels: [__meta_kubernetes_namespace] + regex: {{ $root.Release.Namespace }} + action: keep + - source_labels: [__meta_kubernetes_pod_label_app_kubernetes_io_instance] + regex: {{ $root.Release.Name }} + action: keep + - source_labels: [__meta_kubernetes_pod_label_app_kubernetes_io_name] + regex: {{ default "alertmanager" $root.Values.alertmanager.nameOverride | trunc 63 | trimSuffix "-" }} + action: keep + - source_labels: [__meta_kubernetes_pod_container_port_number] + regex: "9093" + action: keep +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} diff --git a/charts/kasten/k10/7.0.1401/charts/prometheus/templates/deploy.yaml b/charts/kasten/k10/7.0.1401/charts/prometheus/templates/deploy.yaml new file mode 100644 index 000000000..9c786ee42 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/prometheus/templates/deploy.yaml @@ -0,0 +1,410 @@ +{{- if not .Values.server.statefulSet.enabled -}} +apiVersion: {{ template "prometheus.deployment.apiVersion" . }} +kind: Deployment +metadata: +{{- if .Values.server.deploymentAnnotations }} + annotations: + {{ toYaml .Values.server.deploymentAnnotations | nindent 4 }} +{{- end }} + labels: + {{- include "prometheus.server.labels" . | nindent 4 }} + name: {{ template "prometheus.server.fullname" . }} + namespace: {{ include "prometheus.namespace" . }} +spec: + selector: + matchLabels: + {{- include "prometheus.server.matchLabels" . | nindent 6 }} + replicas: {{ .Values.server.replicaCount }} + revisionHistoryLimit: {{ .Values.server.revisionHistoryLimit }} + {{- if .Values.server.strategy }} + strategy: +{{ toYaml .Values.server.strategy | trim | indent 4 }} + {{ if eq .Values.server.strategy.type "Recreate" }}rollingUpdate: null{{ end }} +{{- end }} + template: + metadata: + {{- if .Values.server.podAnnotations }} + annotations: + {{ toYaml .Values.server.podAnnotations | nindent 8 }} + {{- end }} + labels: + {{- include "prometheus.server.labels" . | nindent 8 }} + {{- if .Values.server.podLabels}} + {{ toYaml .Values.server.podLabels | nindent 8 }} + {{- end}} + {{- include "k10.azMarketPlace.billingIdentifier" . | nindent 8 }} + spec: +{{- if .Values.server.priorityClassName }} + priorityClassName: "{{ .Values.server.priorityClassName }}" +{{- end }} +{{- if .Values.server.schedulerName }} + schedulerName: "{{ .Values.server.schedulerName }}" +{{- end }} +{{- if semverCompare ">=1.13-0" .Capabilities.KubeVersion.GitVersion }} + {{- if or (.Values.server.enableServiceLinks) (eq (.Values.server.enableServiceLinks | toString) "") }} + enableServiceLinks: true + {{- else }} + enableServiceLinks: false + {{- end }} +{{- end }} + serviceAccountName: {{ template "prometheus.serviceAccountName.server" . }} +{{- if kindIs "bool" .Values.server.automountServiceAccountToken }} + automountServiceAccountToken: {{ .Values.server.automountServiceAccountToken }} +{{- end }} + {{- if .Values.server.extraInitContainers }} + initContainers: +{{ toYaml .Values.server.extraInitContainers | indent 8 }} + {{- end }} + containers: + {{- if .Values.configmapReload.prometheus.enabled }} + - name: {{ template "prometheus.name" . }}-{{ .Values.server.name }}-{{ .Values.configmapReload.prometheus.name }} + {{- if .Values.configmapReload.prometheus.image.digest }} + image: "{{ .Values.configmapReload.prometheus.image.repository }}@{{ .Values.configmapReload.prometheus.image.digest }}" + {{- else }} + image: "{{ .Values.configmapReload.prometheus.image.repository }}:{{ .Values.configmapReload.prometheus.image.tag }}" + {{- end }} + imagePullPolicy: "{{ .Values.configmapReload.prometheus.image.pullPolicy }}" + {{- with .Values.configmapReload.prometheus.containerSecurityContext }} + securityContext: + {{- toYaml . | nindent 12 }} + {{- end }} + args: + - --watched-dir=/etc/config + {{- $default_url := "http://127.0.0.1:9090/-/reload" }} + {{- with .Values.server.prefixURL }} + {{- $default_url = printf "http://127.0.0.1:9090%s/-/reload" . }} + {{- end }} + {{- if .Values.configmapReload.prometheus.containerPort }} + - --listen-address=0.0.0.0:{{ .Values.configmapReload.prometheus.containerPort }} + {{- end }} + - --reload-url={{ default $default_url .Values.configmapReload.reloadUrl }} + {{- range $key, $value := .Values.configmapReload.prometheus.extraArgs }} + {{- if $value }} + - --{{ $key }}={{ $value }} + {{- else }} + - --{{ $key }} + {{- end }} + {{- end }} + {{- range .Values.configmapReload.prometheus.extraVolumeDirs }} + - --watched-dir={{ . }} + {{- end }} + {{- with .Values.configmapReload.env }} + env: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- if .Values.configmapReload.prometheus.containerPort }} + ports: + - containerPort: {{ .Values.configmapReload.prometheus.containerPort }} + {{- if .Values.configmapReload.prometheus.containerPortName }} + name: {{ .Values.configmapReload.prometheus.containerPortName }} + {{- end }} + {{- end }} + {{- with .Values.configmapReload.prometheus.livenessProbe }} + livenessProbe: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.configmapReload.prometheus.readinessProbe }} + readinessProbe: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- if .Values.configmapReload.prometheus.startupProbe.enabled }} + {{- $startupProbe := omit .Values.configmapReload.prometheus.startupProbe "enabled" }} + startupProbe: + {{- toYaml $startupProbe | nindent 12 }} + {{- end }} + {{- with .Values.configmapReload.prometheus.resources }} + resources: + {{- toYaml . | nindent 12 }} + {{- end }} + volumeMounts: + - name: config-volume + mountPath: /etc/config + readOnly: true + {{- range .Values.configmapReload.prometheus.extraConfigmapMounts }} + - name: {{ $.Values.configmapReload.prometheus.name }}-{{ .name }} + mountPath: {{ .mountPath }} + subPath: {{ .subPath }} + readOnly: {{ .readOnly }} + {{- end }} + {{- with .Values.configmapReload.prometheus.extraVolumeMounts }} + {{ toYaml . | nindent 12 }} + {{- end }} + {{- end }} + + - name: {{ template "prometheus.name" . }}-{{ .Values.server.name }} + {{- if .Values.server.image.digest }} + image: "{{ .Values.server.image.repository }}@{{ .Values.server.image.digest }}" + {{- else }} + image: "{{ .Values.server.image.repository }}:{{ .Values.server.image.tag | default .Chart.AppVersion}}" + {{- end }} + imagePullPolicy: "{{ .Values.server.image.pullPolicy }}" + {{- with .Values.server.command }} + command: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- if .Values.server.env }} + env: +{{ toYaml .Values.server.env | indent 12}} + {{- end }} + args: + {{- if .Values.server.defaultFlagsOverride }} + {{ toYaml .Values.server.defaultFlagsOverride | nindent 12}} + {{- else }} + {{- if .Values.server.retention }} + - --storage.tsdb.retention.time={{ .Values.server.retention }} + {{- end }} + {{- if .Values.server.retentionSize }} + - --storage.tsdb.retention.size={{ .Values.server.retentionSize }} + {{- end }} + - --config.file={{ .Values.server.configPath }} + {{- if .Values.server.storagePath }} + - --storage.tsdb.path={{ .Values.server.storagePath }} + {{- else }} + - --storage.tsdb.path={{ .Values.server.persistentVolume.mountPath }} + {{- end }} + - --web.console.libraries=/etc/prometheus/console_libraries + - --web.console.templates=/etc/prometheus/consoles + {{- range .Values.server.extraFlags }} + - --{{ . }} + {{- end }} + {{- range $key, $value := .Values.server.extraArgs }} + {{- if $value }} + - --{{ $key }}={{ $value }} + {{- else }} + - --{{ $key }} + {{- end }} + {{- end }} + {{- if .Values.server.prefixURL }} + - --web.route-prefix={{ .Values.server.prefixURL }} + {{- end }} + {{- if .Values.server.baseURL }} + - --web.external-url={{ .Values.server.baseURL }} + {{- end }} + {{- end }} + ports: + - containerPort: 9090 + {{- if .Values.server.portName }} + name: {{ .Values.server.portName }} + {{- end }} + {{- if .Values.server.hostPort }} + hostPort: {{ .Values.server.hostPort }} + {{- end }} + readinessProbe: + {{- if not .Values.server.tcpSocketProbeEnabled }} + httpGet: + path: {{ .Values.server.prefixURL }}/-/ready + port: 9090 + scheme: {{ .Values.server.probeScheme }} + {{- with .Values.server.probeHeaders }} + httpHeaders: +{{- toYaml . | nindent 14 }} + {{- end }} + {{- else }} + tcpSocket: + port: 9090 + {{- end }} + initialDelaySeconds: {{ .Values.server.readinessProbeInitialDelay }} + periodSeconds: {{ .Values.server.readinessProbePeriodSeconds }} + timeoutSeconds: {{ .Values.server.readinessProbeTimeout }} + failureThreshold: {{ .Values.server.readinessProbeFailureThreshold }} + successThreshold: {{ .Values.server.readinessProbeSuccessThreshold }} + livenessProbe: + {{- if not .Values.server.tcpSocketProbeEnabled }} + httpGet: + path: {{ .Values.server.prefixURL }}/-/healthy + port: 9090 + scheme: {{ .Values.server.probeScheme }} + {{- with .Values.server.probeHeaders }} + httpHeaders: +{{- toYaml . | nindent 14 }} + {{- end }} + {{- else }} + tcpSocket: + port: 9090 + {{- end }} + initialDelaySeconds: {{ .Values.server.livenessProbeInitialDelay }} + periodSeconds: {{ .Values.server.livenessProbePeriodSeconds }} + timeoutSeconds: {{ .Values.server.livenessProbeTimeout }} + failureThreshold: {{ .Values.server.livenessProbeFailureThreshold }} + successThreshold: {{ .Values.server.livenessProbeSuccessThreshold }} + {{- if .Values.server.startupProbe.enabled }} + startupProbe: + {{- if not .Values.server.tcpSocketProbeEnabled }} + httpGet: + path: {{ .Values.server.prefixURL }}/-/healthy + port: 9090 + scheme: {{ .Values.server.probeScheme }} + {{- if .Values.server.probeHeaders }} + httpHeaders: + {{- range .Values.server.probeHeaders}} + - name: {{ .name }} + value: {{ .value }} + {{- end }} + {{- end }} + {{- else }} + tcpSocket: + port: 9090 + {{- end }} + failureThreshold: {{ .Values.server.startupProbe.failureThreshold }} + periodSeconds: {{ .Values.server.startupProbe.periodSeconds }} + timeoutSeconds: {{ .Values.server.startupProbe.timeoutSeconds }} + {{- end }} + {{- with .Values.server.resources }} + resources: + {{- toYaml . | nindent 12 }} + {{- end }} + volumeMounts: + - name: config-volume + mountPath: /etc/config + - name: storage-volume + mountPath: {{ .Values.server.persistentVolume.mountPath }} + subPath: "{{ .Values.server.persistentVolume.subPath }}" + {{- range .Values.server.extraHostPathMounts }} + - name: {{ .name }} + mountPath: {{ .mountPath }} + subPath: {{ .subPath }} + readOnly: {{ .readOnly }} + {{- end }} + {{- range .Values.server.extraConfigmapMounts }} + - name: {{ $.Values.server.name }}-{{ .name }} + mountPath: {{ .mountPath }} + subPath: {{ .subPath }} + readOnly: {{ .readOnly }} + {{- end }} + {{- range .Values.server.extraSecretMounts }} + - name: {{ .name }} + mountPath: {{ .mountPath }} + subPath: {{ .subPath }} + readOnly: {{ .readOnly }} + {{- end }} + {{- if .Values.server.extraVolumeMounts }} + {{ toYaml .Values.server.extraVolumeMounts | nindent 12 }} + {{- end }} + {{- with .Values.server.containerSecurityContext }} + securityContext: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- if .Values.server.sidecarContainers }} + {{- range $name, $spec := .Values.server.sidecarContainers }} + - name: {{ $name }} + {{- if kindIs "string" $spec }} + {{- tpl $spec $ | nindent 10 }} + {{- else }} + {{- toYaml $spec | nindent 10 }} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.server.hostNetwork }} + hostNetwork: true + dnsPolicy: ClusterFirstWithHostNet + {{- else }} + dnsPolicy: {{ .Values.server.dnsPolicy }} + {{- end }} + {{- if .Values.imagePullSecrets }} + imagePullSecrets: +{{ toYaml .Values.imagePullSecrets | indent 8 }} + {{- end }} + {{- if .Values.server.nodeSelector }} + nodeSelector: +{{ toYaml .Values.server.nodeSelector | indent 8 }} + {{- end }} + {{- if .Values.server.hostAliases }} + hostAliases: +{{ toYaml .Values.server.hostAliases | indent 8 }} + {{- end }} + {{- if .Values.server.dnsConfig }} + dnsConfig: +{{ toYaml .Values.server.dnsConfig | indent 8 }} + {{- end }} + {{- with .Values.server.securityContext }} + securityContext: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- if .Values.server.tolerations }} + tolerations: +{{ toYaml .Values.server.tolerations | indent 8 }} + {{- end }} + {{- if or .Values.server.affinity .Values.server.podAntiAffinity }} + affinity: + {{- end }} + {{- with .Values.server.affinity }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- if eq .Values.server.podAntiAffinity "hard" }} + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - topologyKey: {{ .Values.server.podAntiAffinityTopologyKey }} + labelSelector: + matchExpressions: + - {key: app.kubernetes.io/name, operator: In, values: [{{ template "prometheus.name" . }}]} + {{- else if eq .Values.server.podAntiAffinity "soft" }} + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 100 + podAffinityTerm: + topologyKey: {{ .Values.server.podAntiAffinityTopologyKey }} + labelSelector: + matchExpressions: + - {key: app.kubernetes.io/name, operator: In, values: [{{ template "prometheus.name" . }}]} + {{- end }} + {{- with .Values.server.topologySpreadConstraints }} + topologySpreadConstraints: + {{- toYaml . | nindent 8 }} + {{- end }} + terminationGracePeriodSeconds: {{ .Values.server.terminationGracePeriodSeconds }} + volumes: + - name: config-volume + {{- if empty .Values.server.configFromSecret }} + configMap: + name: {{ if .Values.server.configMapOverrideName }}{{ .Release.Name }}-{{ .Values.server.configMapOverrideName }}{{- else }}{{ template "prometheus.server.fullname" . }}{{- end }} + {{- else }} + secret: + secretName: {{ .Values.server.configFromSecret }} + {{- end }} + {{- range .Values.server.extraHostPathMounts }} + - name: {{ .name }} + hostPath: + path: {{ .hostPath }} + {{- end }} + {{- range .Values.configmapReload.prometheus.extraConfigmapMounts }} + - name: {{ $.Values.configmapReload.prometheus.name }}-{{ .name }} + configMap: + name: {{ .configMap }} + {{- end }} + {{- range .Values.server.extraConfigmapMounts }} + - name: {{ $.Values.server.name }}-{{ .name }} + configMap: + name: {{ .configMap }} + {{- end }} + {{- range .Values.server.extraSecretMounts }} + - name: {{ .name }} + secret: + secretName: {{ .secretName }} + {{- with .optional }} + optional: {{ . }} + {{- end }} + {{- end }} + {{- range .Values.configmapReload.prometheus.extraConfigmapMounts }} + - name: {{ .name }} + configMap: + name: {{ .configMap }} + {{- with .optional }} + optional: {{ . }} + {{- end }} + {{- end }} +{{- if .Values.server.extraVolumes }} +{{ toYaml .Values.server.extraVolumes | indent 8}} +{{- end }} + - name: storage-volume + {{- if .Values.server.persistentVolume.enabled }} + persistentVolumeClaim: + claimName: {{ if .Values.server.persistentVolume.existingClaim }}{{ .Values.server.persistentVolume.existingClaim }}{{- else }}{{ template "prometheus.server.fullname" . }}{{- end }} + {{- else }} + emptyDir: + {{- if .Values.server.emptyDir.sizeLimit }} + sizeLimit: {{ .Values.server.emptyDir.sizeLimit }} + {{- else }} + {} + {{- end -}} + {{- end -}} +{{- end -}} diff --git a/charts/kasten/k10/7.0.1401/charts/prometheus/templates/extra-manifests.yaml b/charts/kasten/k10/7.0.1401/charts/prometheus/templates/extra-manifests.yaml new file mode 100644 index 000000000..2b21b7106 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/prometheus/templates/extra-manifests.yaml @@ -0,0 +1,4 @@ +{{ range .Values.extraManifests }} +--- +{{ tpl . $ }} +{{ end }} diff --git a/charts/kasten/k10/7.0.1401/charts/prometheus/templates/headless-svc.yaml b/charts/kasten/k10/7.0.1401/charts/prometheus/templates/headless-svc.yaml new file mode 100644 index 000000000..df9db9914 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/prometheus/templates/headless-svc.yaml @@ -0,0 +1,35 @@ +{{- if .Values.server.statefulSet.enabled -}} +apiVersion: v1 +kind: Service +metadata: +{{- if .Values.server.statefulSet.headless.annotations }} + annotations: +{{ toYaml .Values.server.statefulSet.headless.annotations | indent 4 }} +{{- end }} + labels: + {{- include "prometheus.server.labels" . | nindent 4 }} +{{- if .Values.server.statefulSet.headless.labels }} +{{ toYaml .Values.server.statefulSet.headless.labels | indent 4 }} +{{- end }} + name: {{ template "prometheus.server.fullname" . }}-headless + namespace: {{ include "prometheus.namespace" . }} +spec: + clusterIP: None + ports: + - name: http + port: {{ .Values.server.statefulSet.headless.servicePort }} + protocol: TCP + targetPort: 9090 + {{- if .Values.server.statefulSet.headless.gRPC.enabled }} + - name: grpc + port: {{ .Values.server.statefulSet.headless.gRPC.servicePort }} + protocol: TCP + targetPort: 10901 + {{- if .Values.server.statefulSet.headless.gRPC.nodePort }} + nodePort: {{ .Values.server.statefulSet.headless.gRPC.nodePort }} + {{- end }} + {{- end }} + + selector: + {{- include "prometheus.server.matchLabels" . | nindent 4 }} +{{- end -}} diff --git a/charts/kasten/k10/7.0.1401/charts/prometheus/templates/ingress.yaml b/charts/kasten/k10/7.0.1401/charts/prometheus/templates/ingress.yaml new file mode 100644 index 000000000..84341a9c2 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/prometheus/templates/ingress.yaml @@ -0,0 +1,57 @@ +{{- if .Values.server.ingress.enabled -}} +{{- $ingressApiIsStable := eq (include "ingress.isStable" .) "true" -}} +{{- $ingressSupportsIngressClassName := eq (include "ingress.supportsIngressClassName" .) "true" -}} +{{- $ingressSupportsPathType := eq (include "ingress.supportsPathType" .) "true" -}} +{{- $releaseName := .Release.Name -}} +{{- $serviceName := include "prometheus.server.fullname" . }} +{{- $servicePort := .Values.server.ingress.servicePort | default .Values.server.service.servicePort -}} +{{- $ingressPath := .Values.server.ingress.path -}} +{{- $ingressPathType := .Values.server.ingress.pathType -}} +{{- $extraPaths := .Values.server.ingress.extraPaths -}} +apiVersion: {{ template "ingress.apiVersion" . }} +kind: Ingress +metadata: +{{- if .Values.server.ingress.annotations }} + annotations: +{{ toYaml .Values.server.ingress.annotations | indent 4 }} +{{- end }} + labels: + {{- include "prometheus.server.labels" . | nindent 4 }} +{{- range $key, $value := .Values.server.ingress.extraLabels }} + {{ $key }}: {{ $value }} +{{- end }} + name: {{ template "prometheus.server.fullname" . }} + namespace: {{ include "prometheus.namespace" . }} +spec: + {{- if and $ingressSupportsIngressClassName .Values.server.ingress.ingressClassName }} + ingressClassName: {{ .Values.server.ingress.ingressClassName }} + {{- end }} + rules: + {{- range .Values.server.ingress.hosts }} + {{- $url := splitList "/" . }} + - host: {{ first $url }} + http: + paths: +{{ if $extraPaths }} +{{ toYaml $extraPaths | indent 10 }} +{{- end }} + - path: {{ $ingressPath }} + {{- if $ingressSupportsPathType }} + pathType: {{ $ingressPathType }} + {{- end }} + backend: + {{- if $ingressApiIsStable }} + service: + name: {{ $serviceName }} + port: + number: {{ $servicePort }} + {{- else }} + serviceName: {{ $serviceName }} + servicePort: {{ $servicePort }} + {{- end }} + {{- end -}} +{{- if .Values.server.ingress.tls }} + tls: +{{ toYaml .Values.server.ingress.tls | indent 4 }} + {{- end -}} +{{- end -}} diff --git a/charts/kasten/k10/7.0.1401/charts/prometheus/templates/network-policy.yaml b/charts/kasten/k10/7.0.1401/charts/prometheus/templates/network-policy.yaml new file mode 100644 index 000000000..3254ffc04 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/prometheus/templates/network-policy.yaml @@ -0,0 +1,16 @@ +{{- if .Values.networkPolicy.enabled }} +apiVersion: {{ template "prometheus.networkPolicy.apiVersion" . }} +kind: NetworkPolicy +metadata: + name: {{ template "prometheus.server.fullname" . }} + namespace: {{ include "prometheus.namespace" . }} + labels: + {{- include "prometheus.server.labels" . | nindent 4 }} +spec: + podSelector: + matchLabels: + {{- include "prometheus.server.matchLabels" . | nindent 6 }} + ingress: + - ports: + - port: 9090 +{{- end }} diff --git a/charts/kasten/k10/7.0.1401/charts/prometheus/templates/pdb.yaml b/charts/kasten/k10/7.0.1401/charts/prometheus/templates/pdb.yaml new file mode 100644 index 000000000..7ffe67307 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/prometheus/templates/pdb.yaml @@ -0,0 +1,15 @@ +{{- if .Values.server.podDisruptionBudget.enabled }} +{{- $pdbSpec := omit .Values.server.podDisruptionBudget "enabled" }} +apiVersion: {{ template "prometheus.podDisruptionBudget.apiVersion" . }} +kind: PodDisruptionBudget +metadata: + name: {{ template "prometheus.server.fullname" . }} + namespace: {{ include "prometheus.namespace" . }} + labels: + {{- include "prometheus.server.labels" . | nindent 4 }} +spec: + selector: + matchLabels: + {{- include "prometheus.server.matchLabels" . | nindent 6 }} + {{- toYaml $pdbSpec | nindent 2 }} +{{- end }} diff --git a/charts/kasten/k10/7.0.1401/charts/prometheus/templates/psp.yaml b/charts/kasten/k10/7.0.1401/charts/prometheus/templates/psp.yaml new file mode 100644 index 000000000..5776e2541 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/prometheus/templates/psp.yaml @@ -0,0 +1,53 @@ +{{- if and .Values.rbac.create .Values.podSecurityPolicy.enabled }} +{{- if .Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy" }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "prometheus.server.fullname" . }} + labels: + {{- include "prometheus.server.labels" . | nindent 4 }} + {{- with .Values.server.podSecurityPolicy.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + privileged: false + allowPrivilegeEscalation: false + allowedCapabilities: + - 'CHOWN' + volumes: + - 'configMap' + - 'persistentVolumeClaim' + - 'emptyDir' + - 'secret' + - 'hostPath' + allowedHostPaths: + - pathPrefix: /etc + readOnly: true + - pathPrefix: {{ .Values.server.persistentVolume.mountPath }} + {{- range .Values.server.extraHostPathMounts }} + - pathPrefix: {{ .hostPath }} + readOnly: {{ .readOnly }} + {{- end }} + hostNetwork: false + hostPID: false + hostIPC: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'MustRunAs' + ranges: + # Forbid adding the root group. + - min: 1 + max: 65535 + fsGroup: + rule: 'MustRunAs' + ranges: + # Forbid adding the root group. + - min: 1 + max: 65535 + readOnlyRootFilesystem: false +{{- end }} +{{- end }} diff --git a/charts/kasten/k10/7.0.1401/charts/prometheus/templates/pvc.yaml b/charts/kasten/k10/7.0.1401/charts/prometheus/templates/pvc.yaml new file mode 100644 index 000000000..a9dc4fce0 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/prometheus/templates/pvc.yaml @@ -0,0 +1,43 @@ +{{- if not .Values.server.statefulSet.enabled -}} +{{- if .Values.server.persistentVolume.enabled -}} +{{- if not .Values.server.persistentVolume.existingClaim -}} +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + {{- if .Values.server.persistentVolume.annotations }} + annotations: +{{ toYaml .Values.server.persistentVolume.annotations | indent 4 }} + {{- end }} + labels: + {{- include "prometheus.server.labels" . | nindent 4 }} + {{- with .Values.server.persistentVolume.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + name: {{ template "prometheus.server.fullname" . }} + namespace: {{ include "prometheus.namespace" . }} +spec: + accessModes: +{{ toYaml .Values.server.persistentVolume.accessModes | indent 4 }} +{{- if .Values.server.persistentVolume.storageClass }} +{{- if (eq "-" .Values.server.persistentVolume.storageClass) }} + storageClassName: "" +{{- else }} + storageClassName: "{{ .Values.server.persistentVolume.storageClass }}" +{{- end }} +{{- end }} +{{- if .Values.server.persistentVolume.volumeBindingMode }} + volumeBindingMode: "{{ .Values.server.persistentVolume.volumeBindingMode }}" +{{- end }} + resources: + requests: + storage: "{{ .Values.server.persistentVolume.size }}" +{{- if .Values.server.persistentVolume.selector }} + selector: + {{- toYaml .Values.server.persistentVolume.selector | nindent 4 }} +{{- end -}} +{{- if .Values.server.persistentVolume.volumeName }} + volumeName: "{{ .Values.server.persistentVolume.volumeName }}" +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} diff --git a/charts/kasten/k10/7.0.1401/charts/prometheus/templates/rolebinding.yaml b/charts/kasten/k10/7.0.1401/charts/prometheus/templates/rolebinding.yaml new file mode 100644 index 000000000..721b38816 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/prometheus/templates/rolebinding.yaml @@ -0,0 +1,18 @@ +{{- range include "prometheus.namespaces" . | fromJsonArray }} +--- +apiVersion: {{ template "rbac.apiVersion" $ }} +kind: RoleBinding +metadata: + labels: + {{- include "prometheus.server.labels" $ | nindent 4 }} + name: {{ template "prometheus.server.fullname" $ }} + namespace: {{ . }} +subjects: + - kind: ServiceAccount + name: {{ template "prometheus.serviceAccountName.server" $ }} + namespace: {{ include "prometheus.namespace" $ }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ $.Values.server.useExistingClusterRoleName }} +{{ end -}} diff --git a/charts/kasten/k10/7.0.1401/charts/prometheus/templates/service.yaml b/charts/kasten/k10/7.0.1401/charts/prometheus/templates/service.yaml new file mode 100644 index 000000000..069f3270d --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/prometheus/templates/service.yaml @@ -0,0 +1,63 @@ +{{- if .Values.server.service.enabled -}} +apiVersion: v1 +kind: Service +metadata: +{{- if .Values.server.service.annotations }} + annotations: +{{ toYaml .Values.server.service.annotations | indent 4 }} +{{- end }} + labels: + {{- include "prometheus.server.labels" . | nindent 4 }} +{{- if .Values.server.service.labels }} +{{ toYaml .Values.server.service.labels | indent 4 }} +{{- end }} + name: {{ template "prometheus.server.fullname" . }} + namespace: {{ include "prometheus.namespace" . }} +spec: +{{- if .Values.server.service.clusterIP }} + clusterIP: {{ .Values.server.service.clusterIP }} +{{- end }} +{{- if .Values.server.service.externalIPs }} + externalIPs: +{{ toYaml .Values.server.service.externalIPs | indent 4 }} +{{- end }} +{{- if .Values.server.service.loadBalancerIP }} + loadBalancerIP: {{ .Values.server.service.loadBalancerIP }} +{{- end }} +{{- if .Values.server.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: + {{- range $cidr := .Values.server.service.loadBalancerSourceRanges }} + - {{ $cidr }} + {{- end }} +{{- end }} + ports: + - name: http + port: {{ .Values.server.service.servicePort }} + protocol: TCP + targetPort: 9090 + {{- if .Values.server.service.nodePort }} + nodePort: {{ .Values.server.service.nodePort }} + {{- end }} + {{- if .Values.server.service.gRPC.enabled }} + - name: grpc + port: {{ .Values.server.service.gRPC.servicePort }} + protocol: TCP + targetPort: 10901 + {{- if .Values.server.service.gRPC.nodePort }} + nodePort: {{ .Values.server.service.gRPC.nodePort }} + {{- end }} + {{- end }} +{{- if .Values.server.service.additionalPorts }} +{{ toYaml .Values.server.service.additionalPorts | indent 4 }} +{{- end }} + selector: + {{- if and .Values.server.statefulSet.enabled .Values.server.service.statefulsetReplica.enabled }} + statefulset.kubernetes.io/pod-name: {{ template "prometheus.server.fullname" . }}-{{ .Values.server.service.statefulsetReplica.replica }} + {{- else -}} + {{- include "prometheus.server.matchLabels" . | nindent 4 }} +{{- if .Values.server.service.sessionAffinity }} + sessionAffinity: {{ .Values.server.service.sessionAffinity }} +{{- end }} + {{- end }} + type: "{{ .Values.server.service.type }}" +{{- end -}} diff --git a/charts/kasten/k10/7.0.1401/charts/prometheus/templates/serviceaccount.yaml b/charts/kasten/k10/7.0.1401/charts/prometheus/templates/serviceaccount.yaml new file mode 100644 index 000000000..6d5ab0c7d --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/prometheus/templates/serviceaccount.yaml @@ -0,0 +1,16 @@ +{{- if .Values.serviceAccounts.server.create }} +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + {{- include "prometheus.server.labels" . | nindent 4 }} + name: {{ template "prometheus.serviceAccountName.server" . }} + namespace: {{ include "prometheus.namespace" . }} + annotations: +{{ toYaml .Values.serviceAccounts.server.annotations | indent 4 }} +{{- if kindIs "bool" .Values.server.automountServiceAccountToken }} +automountServiceAccountToken: {{ .Values.server.automountServiceAccountToken }} +{{- else if kindIs "bool" .Values.serviceAccounts.server.automountServiceAccountToken }} +automountServiceAccountToken: {{ .Values.serviceAccounts.server.automountServiceAccountToken }} +{{- end }} +{{- end }} diff --git a/charts/kasten/k10/7.0.1401/charts/prometheus/templates/sts.yaml b/charts/kasten/k10/7.0.1401/charts/prometheus/templates/sts.yaml new file mode 100644 index 000000000..6200555df --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/prometheus/templates/sts.yaml @@ -0,0 +1,436 @@ +{{- if .Values.server.statefulSet.enabled -}} +apiVersion: apps/v1 +kind: StatefulSet +metadata: +{{- if .Values.server.statefulSet.annotations }} + annotations: + {{ toYaml .Values.server.statefulSet.annotations | nindent 4 }} +{{- end }} + labels: + {{- include "prometheus.server.labels" . | nindent 4 }} + {{- if .Values.server.statefulSet.labels}} + {{ toYaml .Values.server.statefulSet.labels | nindent 4 }} + {{- end}} + name: {{ template "prometheus.server.fullname" . }} + namespace: {{ include "prometheus.namespace" . }} +spec: + {{- if semverCompare ">= 1.27.x" (include "prometheus.kubeVersion" .) }} + persistentVolumeClaimRetentionPolicy: + whenDeleted: {{ ternary "Delete" "Retain" .Values.server.statefulSet.pvcDeleteOnStsDelete }} + whenScaled: {{ ternary "Delete" "Retain" .Values.server.statefulSet.pvcDeleteOnStsScale }} + {{- end }} + serviceName: {{ template "prometheus.server.fullname" . }}-headless + selector: + matchLabels: + {{- include "prometheus.server.matchLabels" . | nindent 6 }} + replicas: {{ .Values.server.replicaCount }} + revisionHistoryLimit: {{ .Values.server.revisionHistoryLimit }} + podManagementPolicy: {{ .Values.server.statefulSet.podManagementPolicy }} + template: + metadata: + {{- if .Values.server.podAnnotations }} + annotations: + {{ toYaml .Values.server.podAnnotations | nindent 8 }} + {{- end }} + labels: + {{- include "prometheus.server.labels" . | nindent 8 }} + {{- if .Values.server.podLabels}} + {{ toYaml .Values.server.podLabels | nindent 8 }} + {{- end}} + spec: +{{- if .Values.server.priorityClassName }} + priorityClassName: "{{ .Values.server.priorityClassName }}" +{{- end }} +{{- if .Values.server.schedulerName }} + schedulerName: "{{ .Values.server.schedulerName }}" +{{- end }} +{{- if semverCompare ">=1.13-0" .Capabilities.KubeVersion.GitVersion }} + {{- if or (.Values.server.enableServiceLinks) (eq (.Values.server.enableServiceLinks | toString) "") }} + enableServiceLinks: true + {{- else }} + enableServiceLinks: false + {{- end }} +{{- end }} + serviceAccountName: {{ template "prometheus.serviceAccountName.server" . }} +{{- if kindIs "bool" .Values.server.automountServiceAccountToken }} + automountServiceAccountToken: {{ .Values.server.automountServiceAccountToken }} +{{- end }} + {{- if .Values.server.extraInitContainers }} + initContainers: +{{ toYaml .Values.server.extraInitContainers | indent 8 }} + {{- end }} + containers: + {{- if .Values.configmapReload.prometheus.enabled }} + - name: {{ template "prometheus.name" . }}-{{ .Values.server.name }}-{{ .Values.configmapReload.prometheus.name }} + {{- if .Values.configmapReload.prometheus.image.digest }} + image: "{{ .Values.configmapReload.prometheus.image.repository }}@{{ .Values.configmapReload.prometheus.image.digest }}" + {{- else }} + image: "{{ .Values.configmapReload.prometheus.image.repository }}:{{ .Values.configmapReload.prometheus.image.tag }}" + {{- end }} + imagePullPolicy: "{{ .Values.configmapReload.prometheus.image.pullPolicy }}" + {{- with .Values.configmapReload.prometheus.containerSecurityContext }} + securityContext: + {{- toYaml . | nindent 12 }} + {{- end }} + args: + - --watched-dir=/etc/config + {{- $default_url := "http://127.0.0.1:9090/-/reload" }} + {{- with .Values.server.prefixURL }} + {{- $default_url = printf "http://127.0.0.1:9090%s/-/reload" . }} + {{- end }} + {{- if .Values.configmapReload.prometheus.containerPort }} + - --listen-address=0.0.0.0:{{ .Values.configmapReload.prometheus.containerPort }} + {{- end }} + - --reload-url={{ default $default_url .Values.configmapReload.reloadUrl }} + {{- range $key, $value := .Values.configmapReload.prometheus.extraArgs }} + {{- if $value }} + - --{{ $key }}={{ $value }} + {{- else }} + - --{{ $key }} + {{- end }} + {{- end }} + {{- range .Values.configmapReload.prometheus.extraVolumeDirs }} + - --watched-dir={{ . }} + {{- end }} + {{- with .Values.configmapReload.env }} + env: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- if .Values.configmapReload.prometheus.containerPort }} + ports: + - containerPort: {{ .Values.configmapReload.prometheus.containerPort }} + {{- if .Values.configmapReload.prometheus.containerPortName }} + name: {{ .Values.configmapReload.prometheus.containerPortName }} + {{- end }} + {{- end }} + {{- with .Values.configmapReload.prometheus.livenessProbe }} + livenessProbe: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.configmapReload.prometheus.readinessProbe }} + readinessProbe: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- if .Values.configmapReload.prometheus.startupProbe }} + {{- $startupProbe := omit .Values.configmapReload.prometheus.startupProbe "enabled" }} + startupProbe: + {{- toYaml $startupProbe | nindent 12 }} + {{- end }} + {{- with .Values.configmapReload.prometheus.resources }} + resources: + {{- toYaml . | nindent 12 }} + {{- end }} + volumeMounts: + - name: config-volume + mountPath: /etc/config + readOnly: true + {{- with .Values.configmapReload.prometheus.extraVolumeMounts }} + {{- toYaml . | nindent 12 }} + {{- end }} + {{- range .Values.configmapReload.prometheus.extraConfigmapMounts }} + - name: {{ $.Values.configmapReload.prometheus.name }}-{{ .name }} + mountPath: {{ .mountPath }} + subPath: {{ .subPath }} + readOnly: {{ .readOnly }} + {{- end }} + {{- end }} + + - name: {{ template "prometheus.name" . }}-{{ .Values.server.name }} + {{- if .Values.server.image.digest }} + image: "{{ .Values.server.image.repository }}@{{ .Values.server.image.digest }}" + {{- else }} + image: "{{ .Values.server.image.repository }}:{{ .Values.server.image.tag | default .Chart.AppVersion }}" + {{- end }} + imagePullPolicy: "{{ .Values.server.image.pullPolicy }}" + {{- with .Values.server.command }} + command: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- if .Values.server.env }} + env: +{{ toYaml .Values.server.env | indent 12}} + {{- end }} + args: + {{- if .Values.server.defaultFlagsOverride }} + {{ toYaml .Values.server.defaultFlagsOverride | nindent 12}} + {{- else }} + {{- if .Values.server.prefixURL }} + - --web.route-prefix={{ .Values.server.prefixURL }} + {{- end }} + {{- if .Values.server.retention }} + - --storage.tsdb.retention.time={{ .Values.server.retention }} + {{- end }} + {{- if .Values.server.retentionSize }} + - --storage.tsdb.retention.size={{ .Values.server.retentionSize }} + {{- end }} + - --config.file={{ .Values.server.configPath }} + {{- if .Values.server.storagePath }} + - --storage.tsdb.path={{ .Values.server.storagePath }} + {{- else }} + - --storage.tsdb.path={{ .Values.server.persistentVolume.mountPath }} + {{- end }} + - --web.console.libraries=/etc/prometheus/console_libraries + - --web.console.templates=/etc/prometheus/consoles + {{- range .Values.server.extraFlags }} + - --{{ . }} + {{- end }} + {{- range $key, $value := .Values.server.extraArgs }} + {{- if $value }} + - --{{ $key }}={{ $value }} + {{- else }} + - --{{ $key }} + {{- end }} + {{- end }} + {{- if .Values.server.baseURL }} + - --web.external-url={{ .Values.server.baseURL }} + {{- end }} + {{- end }} + ports: + - containerPort: 9090 + {{- if .Values.server.portName }} + name: {{ .Values.server.portName }} + {{- end }} + {{- if .Values.server.hostPort }} + hostPort: {{ .Values.server.hostPort }} + {{- end }} + readinessProbe: + {{- if not .Values.server.tcpSocketProbeEnabled }} + httpGet: + path: {{ .Values.server.prefixURL }}/-/ready + port: 9090 + scheme: {{ .Values.server.probeScheme }} + {{- with .Values.server.probeHeaders }} + httpHeaders: +{{- toYaml . | nindent 14 }} + {{- end }} + {{- else }} + tcpSocket: + port: 9090 + {{- end }} + initialDelaySeconds: {{ .Values.server.readinessProbeInitialDelay }} + periodSeconds: {{ .Values.server.readinessProbePeriodSeconds }} + timeoutSeconds: {{ .Values.server.readinessProbeTimeout }} + failureThreshold: {{ .Values.server.readinessProbeFailureThreshold }} + successThreshold: {{ .Values.server.readinessProbeSuccessThreshold }} + livenessProbe: + {{- if not .Values.server.tcpSocketProbeEnabled }} + httpGet: + path: {{ .Values.server.prefixURL }}/-/healthy + port: 9090 + scheme: {{ .Values.server.probeScheme }} + {{- with .Values.server.probeHeaders }} + httpHeaders: +{{- toYaml . | nindent 14 }} + {{- end }} + {{- else }} + tcpSocket: + port: 9090 + {{- end }} + initialDelaySeconds: {{ .Values.server.livenessProbeInitialDelay }} + periodSeconds: {{ .Values.server.livenessProbePeriodSeconds }} + timeoutSeconds: {{ .Values.server.livenessProbeTimeout }} + failureThreshold: {{ .Values.server.livenessProbeFailureThreshold }} + successThreshold: {{ .Values.server.livenessProbeSuccessThreshold }} + {{- if .Values.server.startupProbe.enabled }} + startupProbe: + {{- if not .Values.server.tcpSocketProbeEnabled }} + httpGet: + path: {{ .Values.server.prefixURL }}/-/healthy + port: 9090 + scheme: {{ .Values.server.probeScheme }} + {{- if .Values.server.probeHeaders }} + httpHeaders: + {{- range .Values.server.probeHeaders}} + - name: {{ .name }} + value: {{ .value }} + {{- end }} + {{- end }} + {{- else }} + tcpSocket: + port: 9090 + {{- end }} + failureThreshold: {{ .Values.server.startupProbe.failureThreshold }} + periodSeconds: {{ .Values.server.startupProbe.periodSeconds }} + timeoutSeconds: {{ .Values.server.startupProbe.timeoutSeconds }} + {{- end }} + {{- with .Values.server.resources }} + resources: + {{- toYaml . | nindent 12 }} + {{- end }} + volumeMounts: + - name: config-volume + mountPath: /etc/config + - name: {{ ternary .Values.server.persistentVolume.statefulSetNameOverride "storage-volume" (and .Values.server.persistentVolume.enabled (not (empty .Values.server.persistentVolume.statefulSetNameOverride))) }} + mountPath: {{ .Values.server.persistentVolume.mountPath }} + subPath: "{{ .Values.server.persistentVolume.subPath }}" + {{- range .Values.server.extraHostPathMounts }} + - name: {{ .name }} + mountPath: {{ .mountPath }} + subPath: {{ .subPath }} + readOnly: {{ .readOnly }} + {{- end }} + {{- range .Values.server.extraConfigmapMounts }} + - name: {{ $.Values.server.name }}-{{ .name }} + mountPath: {{ .mountPath }} + subPath: {{ .subPath }} + readOnly: {{ .readOnly }} + {{- end }} + {{- range .Values.server.extraSecretMounts }} + - name: {{ .name }} + mountPath: {{ .mountPath }} + subPath: {{ .subPath }} + readOnly: {{ .readOnly }} + {{- end }} + {{- if .Values.server.extraVolumeMounts }} + {{ toYaml .Values.server.extraVolumeMounts | nindent 12 }} + {{- end }} + {{- with .Values.server.containerSecurityContext }} + securityContext: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- if .Values.server.sidecarContainers }} + {{- range $name, $spec := .Values.server.sidecarContainers }} + - name: {{ $name }} + {{- if kindIs "string" $spec }} + {{- tpl $spec $ | nindent 10 }} + {{- else }} + {{- toYaml $spec | nindent 10 }} + {{- end }} + {{- end }} + {{- end }} + hostNetwork: {{ .Values.server.hostNetwork }} + {{- if .Values.server.dnsPolicy }} + dnsPolicy: {{ .Values.server.dnsPolicy }} + {{- end }} + {{- if .Values.imagePullSecrets }} + imagePullSecrets: +{{ toYaml .Values.imagePullSecrets | indent 8 }} + {{- end }} + {{- if .Values.server.nodeSelector }} + nodeSelector: +{{ toYaml .Values.server.nodeSelector | indent 8 }} + {{- end }} + {{- if .Values.server.hostAliases }} + hostAliases: +{{ toYaml .Values.server.hostAliases | indent 8 }} + {{- end }} + {{- if .Values.server.dnsConfig }} + dnsConfig: +{{ toYaml .Values.server.dnsConfig | indent 8 }} + {{- end }} + {{- with .Values.server.securityContext }} + securityContext: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- if .Values.server.tolerations }} + tolerations: +{{ toYaml .Values.server.tolerations | indent 8 }} + {{- end }} + {{- if or .Values.server.affinity .Values.server.podAntiAffinity }} + affinity: + {{- end }} + {{- with .Values.server.affinity }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- if eq .Values.server.podAntiAffinity "hard" }} + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - topologyKey: {{ .Values.server.podAntiAffinityTopologyKey }} + labelSelector: + matchExpressions: + - {key: app.kubernetes.io/name, operator: In, values: [{{ template "prometheus.name" . }}]} + {{- else if eq .Values.server.podAntiAffinity "soft" }} + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 100 + podAffinityTerm: + topologyKey: {{ .Values.server.podAntiAffinityTopologyKey }} + labelSelector: + matchExpressions: + - {key: app.kubernetes.io/name, operator: In, values: [{{ template "prometheus.name" . }}]} + {{- end }} + {{- with .Values.server.topologySpreadConstraints }} + topologySpreadConstraints: + {{- toYaml . | nindent 8 }} + {{- end }} + terminationGracePeriodSeconds: {{ .Values.server.terminationGracePeriodSeconds }} + volumes: + - name: config-volume + {{- if empty .Values.server.configFromSecret }} + configMap: + name: {{ if .Values.server.configMapOverrideName }}{{ .Release.Name }}-{{ .Values.server.configMapOverrideName }}{{- else }}{{ template "prometheus.server.fullname" . }}{{- end }} + {{- else }} + secret: + secretName: {{ .Values.server.configFromSecret }} + {{- end }} + {{- range .Values.server.extraHostPathMounts }} + - name: {{ .name }} + hostPath: + path: {{ .hostPath }} + {{- end }} + {{- range .Values.configmapReload.prometheus.extraConfigmapMounts }} + - name: {{ $.Values.configmapReload.prometheus.name }}-{{ .name }} + configMap: + name: {{ .configMap }} + {{- end }} + {{- range .Values.server.extraConfigmapMounts }} + - name: {{ $.Values.server.name }}-{{ .name }} + configMap: + name: {{ .configMap }} + {{- end }} + {{- range .Values.server.extraSecretMounts }} + - name: {{ .name }} + secret: + secretName: {{ .secretName }} + {{- with .optional }} + optional: {{ . }} + {{- end }} + {{- end }} + {{- range .Values.configmapReload.prometheus.extraConfigmapMounts }} + - name: {{ .name }} + configMap: + name: {{ .configMap }} + {{- with .optional }} + optional: {{ . }} + {{- end }} + {{- end }} +{{- if .Values.server.extraVolumes }} +{{ toYaml .Values.server.extraVolumes | indent 8}} +{{- end }} +{{- if .Values.server.persistentVolume.enabled }} + volumeClaimTemplates: + - apiVersion: v1 + kind: PersistentVolumeClaim + metadata: + name: {{ .Values.server.persistentVolume.statefulSetNameOverride | default "storage-volume" }} + {{- if .Values.server.persistentVolume.annotations }} + annotations: +{{ toYaml .Values.server.persistentVolume.annotations | indent 10 }} + {{- end }} + {{- if .Values.server.persistentVolume.labels }} + labels: +{{ toYaml .Values.server.persistentVolume.labels | indent 10 }} + {{- end }} + spec: + accessModes: +{{ toYaml .Values.server.persistentVolume.accessModes | indent 10 }} + resources: + requests: + storage: "{{ .Values.server.persistentVolume.size }}" + {{- if .Values.server.persistentVolume.storageClass }} + {{- if (eq "-" .Values.server.persistentVolume.storageClass) }} + storageClassName: "" + {{- else }} + storageClassName: "{{ .Values.server.persistentVolume.storageClass }}" + {{- end }} + {{- end }} +{{- else }} + - name: storage-volume + emptyDir: + {{- if .Values.server.emptyDir.sizeLimit }} + sizeLimit: {{ .Values.server.emptyDir.sizeLimit }} + {{- else }} + {} + {{- end -}} +{{- end }} +{{- end }} diff --git a/charts/kasten/k10/7.0.1401/charts/prometheus/templates/vpa.yaml b/charts/kasten/k10/7.0.1401/charts/prometheus/templates/vpa.yaml new file mode 100644 index 000000000..cd07ad8b7 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/prometheus/templates/vpa.yaml @@ -0,0 +1,26 @@ +{{- if .Values.server.verticalAutoscaler.enabled -}} +{{- if .Capabilities.APIVersions.Has "autoscaling.k8s.io/v1/VerticalPodAutoscaler" }} +apiVersion: autoscaling.k8s.io/v1 +{{- else }} +apiVersion: autoscaling.k8s.io/v1beta2 +{{- end }} +kind: VerticalPodAutoscaler +metadata: + name: {{ template "prometheus.server.fullname" . }}-vpa + namespace: {{ include "prometheus.namespace" . }} + labels: + {{- include "prometheus.server.labels" . | nindent 4 }} +spec: + targetRef: + apiVersion: "apps/v1" +{{- if .Values.server.statefulSet.enabled }} + kind: StatefulSet +{{- else }} + kind: Deployment +{{- end }} + name: {{ template "prometheus.server.fullname" . }} + updatePolicy: + updateMode: {{ .Values.server.verticalAutoscaler.updateMode | default "Off" | quote }} + resourcePolicy: + containerPolicies: {{ .Values.server.verticalAutoscaler.containerPolicies | default list | toYaml | trim | nindent 4 }} +{{- end -}} diff --git a/charts/kasten/k10/7.0.1401/charts/prometheus/values.schema.json b/charts/kasten/k10/7.0.1401/charts/prometheus/values.schema.json new file mode 100644 index 000000000..b2d8af26c --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/prometheus/values.schema.json @@ -0,0 +1,752 @@ +{ + "$schema": "http://json-schema.org/schema#", + "type": "object", + "properties": { + "alertRelabelConfigs": { + "type": "object" + }, + "alertmanager": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "persistence": { + "type": "object", + "properties": { + "size": { + "type": "string" + } + } + }, + "podSecurityContext": { + "type": "object", + "properties": { + "fsGroup": { + "type": "integer" + }, + "runAsGroup": { + "type": "integer" + }, + "runAsNonRoot": { + "type": "boolean" + }, + "runAsUser": { + "type": "integer" + } + } + } + } + }, + "configmapReload": { + "type": "object", + "properties": { + "env": { + "type": "array" + }, + "prometheus": { + "type": "object", + "properties": { + "containerSecurityContext": { + "type": "object" + }, + "enabled": { + "type": "boolean" + }, + "extraArgs": { + "type": "object" + }, + "extraConfigmapMounts": { + "type": "array" + }, + "extraVolumeDirs": { + "type": "array" + }, + "extraVolumeMounts": { + "type": "array" + }, + "image": { + "type": "object", + "properties": { + "digest": { + "type": "string" + }, + "pullPolicy": { + "type": "string" + }, + "repository": { + "type": "string" + }, + "tag": { + "type": "string" + } + } + }, + "name": { + "type": "string" + }, + "resources": { + "type": "object" + } + } + }, + "reloadUrl": { + "type": "string" + } + } + }, + "extraManifests": { + "type": "array" + }, + "extraScrapeConfigs": { + "type": "string" + }, + "forceNamespace": { + "type": "string" + }, + "imagePullSecrets": { + "type": "array" + }, + "kube-state-metrics": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + } + } + }, + "networkPolicy": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + } + } + }, + "podSecurityPolicy": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + } + } + }, + "prometheus-node-exporter": { + "type": "object", + "properties": { + "containerSecurityContext": { + "type": "object", + "properties": { + "allowPrivilegeEscalation": { + "type": "boolean" + } + } + }, + "enabled": { + "type": "boolean" + }, + "rbac": { + "type": "object", + "properties": { + "pspEnabled": { + "type": "boolean" + } + } + } + } + }, + "prometheus-pushgateway": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "serviceAnnotations": { + "type": "object", + "properties": { + "prometheus.io/probe": { + "type": "string" + } + } + } + } + }, + "rbac": { + "type": "object", + "properties": { + "create": { + "type": "boolean" + } + } + }, + "ruleFiles": { + "type": "object" + }, + "server": { + "type": "object", + "properties": { + "affinity": { + "type": "object" + }, + "alertmanagers": { + "type": "array" + }, + "baseURL": { + "type": "string" + }, + "clusterRoleNameOverride": { + "type": "string" + }, + "command": { + "type": "array" + }, + "configMapAnnotations": { + "type": "object" + }, + "configMapOverrideName": { + "type": "string" + }, + "configPath": { + "type": "string" + }, + "containerSecurityContext": { + "type": "object" + }, + "defaultFlagsOverride": { + "type": "array" + }, + "deploymentAnnotations": { + "type": "object" + }, + "dnsConfig": { + "type": "object" + }, + "dnsPolicy": { + "type": "string" + }, + "emptyDir": { + "type": "object", + "properties": { + "sizeLimit": { + "type": "string" + } + } + }, + "enableServiceLinks": { + "type": "boolean" + }, + "env": { + "type": "array" + }, + "exemplars": { + "type": "object" + }, + "extraArgs": { + "type": "object" + }, + "extraConfigmapLabels": { + "type": "object" + }, + "extraConfigmapMounts": { + "type": "array" + }, + "extraFlags": { + "type": "array", + "items": { + "type": "string" + } + }, + "extraHostPathMounts": { + "type": "array" + }, + "extraInitContainers": { + "type": "array" + }, + "extraSecretMounts": { + "type": "array" + }, + "extraVolumeMounts": { + "type": "array" + }, + "extraVolumes": { + "type": "array" + }, + "fullnameOverride": { + "type": "string" + }, + "global": { + "type": "object", + "properties": { + "evaluation_interval": { + "type": "string" + }, + "scrape_interval": { + "type": "string" + }, + "scrape_timeout": { + "type": "string" + } + } + }, + "hostAliases": { + "type": "array" + }, + "hostNetwork": { + "type": "boolean" + }, + "image": { + "type": "object", + "properties": { + "digest": { + "type": "string" + }, + "pullPolicy": { + "type": "string" + }, + "repository": { + "type": "string" + }, + "tag": { + "type": "string" + } + } + }, + "ingress": { + "type": "object", + "properties": { + "annotations": { + "type": "object" + }, + "enabled": { + "type": "boolean" + }, + "extraLabels": { + "type": "object" + }, + "extraPaths": { + "type": "array" + }, + "hosts": { + "type": "array" + }, + "path": { + "type": "string" + }, + "pathType": { + "type": "string" + }, + "tls": { + "type": "array" + } + } + }, + "livenessProbeFailureThreshold": { + "type": "integer" + }, + "livenessProbeInitialDelay": { + "type": "integer" + }, + "livenessProbePeriodSeconds": { + "type": "integer" + }, + "livenessProbeSuccessThreshold": { + "type": "integer" + }, + "livenessProbeTimeout": { + "type": "integer" + }, + "name": { + "type": "string" + }, + "nodeSelector": { + "type": "object" + }, + "persistentVolume": { + "type": "object", + "properties": { + "accessModes": { + "type": "array", + "items": { + "type": "string" + } + }, + "annotations": { + "type": "object" + }, + "enabled": { + "type": "boolean" + }, + "existingClaim": { + "type": "string" + }, + "labels": { + "type": "object" + }, + "mountPath": { + "type": "string" + }, + "size": { + "type": "string" + }, + "statefulSetNameOverride": { + "type": "string" + }, + "subPath": { + "type": "string" + } + } + }, + "podAnnotations": { + "type": "object" + }, + "podAntiAffinity": { + "type": "string", + "enum": ["", "soft", "hard"], + "default": "" + }, + "podAntiAffinityTopologyKey": { + "type": "string" + }, + "podDisruptionBudget": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "maxUnavailable": { + "type": [ + "string", + "integer" + ] + } + } + }, + "podLabels": { + "type": "object" + }, + "podSecurityPolicy": { + "type": "object", + "properties": { + "annotations": { + "type": "object" + } + } + }, + "portName": { + "type": "string" + }, + "prefixURL": { + "type": "string" + }, + "priorityClassName": { + "type": "string" + }, + "probeHeaders": { + "type": "array" + }, + "probeScheme": { + "type": "string" + }, + "readinessProbeFailureThreshold": { + "type": "integer" + }, + "readinessProbeInitialDelay": { + "type": "integer" + }, + "readinessProbePeriodSeconds": { + "type": "integer" + }, + "readinessProbeSuccessThreshold": { + "type": "integer" + }, + "readinessProbeTimeout": { + "type": "integer" + }, + "releaseNamespace": { + "type": "boolean" + }, + "remoteRead": { + "type": "array" + }, + "remoteWrite": { + "type": "array" + }, + "replicaCount": { + "type": "integer" + }, + "resources": { + "type": "object" + }, + "retention": { + "type": "string" + }, + "retentionSize": { + "type": "string" + }, + "revisionHistoryLimit": { + "type": "integer" + }, + "securityContext": { + "type": "object", + "properties": { + "fsGroup": { + "type": "integer" + }, + "runAsGroup": { + "type": "integer" + }, + "runAsNonRoot": { + "type": "boolean" + }, + "runAsUser": { + "type": "integer" + } + } + }, + "service": { + "type": "object", + "properties": { + "additionalPorts": { + "type": "array" + }, + "annotations": { + "type": "object" + }, + "clusterIP": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "externalIPs": { + "type": "array" + }, + "gRPC": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "servicePort": { + "type": "integer" + } + } + }, + "labels": { + "type": "object" + }, + "loadBalancerIP": { + "type": "string" + }, + "loadBalancerSourceRanges": { + "type": "array" + }, + "servicePort": { + "type": "integer" + }, + "sessionAffinity": { + "type": "string" + }, + "statefulsetReplica": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "replica": { + "type": "integer" + } + } + }, + "type": { + "type": "string" + } + } + }, + "sidecarContainers": { + "type": "object" + }, + "sidecarTemplateValues": { + "type": "object" + }, + "startupProbe": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "failureThreshold": { + "type": "integer" + }, + "periodSeconds": { + "type": "integer" + }, + "timeoutSeconds": { + "type": "integer" + } + } + }, + "statefulSet": { + "type": "object", + "properties": { + "annotations": { + "type": "object" + }, + "enabled": { + "type": "boolean" + }, + "headless": { + "type": "object", + "properties": { + "annotations": { + "type": "object" + }, + "gRPC": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "servicePort": { + "type": "integer" + } + } + }, + "labels": { + "type": "object" + }, + "servicePort": { + "type": "integer" + } + } + }, + "labels": { + "type": "object" + }, + "podManagementPolicy": { + "type": "string" + }, + "pvcDeleteOnStsDelete": { + "type": "boolean" + }, + "pvcDeleteOnStsScale": { + "type": "boolean" + } + } + }, + "storagePath": { + "type": "string" + }, + "strategy": { + "type": "object", + "properties": { + "type": { + "type": "string" + } + } + }, + "tcpSocketProbeEnabled": { + "type": "boolean" + }, + "terminationGracePeriodSeconds": { + "type": "integer" + }, + "tolerations": { + "type": "array" + }, + "topologySpreadConstraints": { + "type": "array" + }, + "tsdb": { + "type": "object" + }, + "verticalAutoscaler": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + } + } + } + } + }, + "scrapeConfigFiles": { + "type": "array" + }, + "serverFiles": { + "type": "object", + "properties": { + "alerting_rules.yml": { + "type": "object" + }, + "alerts": { + "type": "object" + }, + "prometheus.yml": { + "type": "object", + "properties": { + "rule_files": { + "type": "array", + "items": { + "type": "string" + } + }, + "scrape_configs": { + "type": "array", + "items": { + "type": "object", + "properties": { + "job_name": { + "type": "string" + }, + "static_configs": { + "type": "array", + "items": { + "type": "object", + "properties": { + "targets": { + "type": "array", + "items": { + "type": "string" + } + } + } + } + } + } + } + } + } + }, + "recording_rules.yml": { + "type": "object" + }, + "rules": { + "type": "object" + } + } + }, + "serviceAccounts": { + "type": "object", + "properties": { + "server": { + "type": "object", + "properties": { + "annotations": { + "type": "object" + }, + "create": { + "type": "boolean" + }, + "name": { + "type": "string" + }, + "automountServiceAccountToken": { + "type": "boolean" + } + } + } + } + } + } +} diff --git a/charts/kasten/k10/7.0.1401/charts/prometheus/values.yaml b/charts/kasten/k10/7.0.1401/charts/prometheus/values.yaml new file mode 100644 index 000000000..6d3733f56 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/charts/prometheus/values.yaml @@ -0,0 +1,1315 @@ +# yaml-language-server: $schema=values.schema.json +# Default values for prometheus. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +rbac: + create: true + +podSecurityPolicy: + enabled: false + +imagePullSecrets: [] +# - name: "image-pull-secret" + +## Define serviceAccount names for components. Defaults to component's fully qualified name. +## +serviceAccounts: + server: + create: true + name: "" + annotations: {} + + ## Opt out of automounting Kubernetes API credentials. + ## It will be overriden by server.automountServiceAccountToken value, if set. + # automountServiceAccountToken: false + +## Additional labels to attach to all resources +commonMetaLabels: {} + +## Monitors ConfigMap changes and POSTs to a URL +## Ref: https://github.com/prometheus-operator/prometheus-operator/tree/main/cmd/prometheus-config-reloader +## +configmapReload: + ## URL for configmap-reload to use for reloads + ## + reloadUrl: "" + + ## env sets environment variables to pass to the container. Can be set as name/value pairs, + ## read from secrets or configmaps. + env: [] + # - name: SOMEVAR + # value: somevalue + # - name: PASSWORD + # valueFrom: + # secretKeyRef: + # name: mysecret + # key: password + # optional: false + + prometheus: + ## If false, the configmap-reload container will not be deployed + ## + enabled: true + + ## configmap-reload container name + ## + name: configmap-reload + + ## configmap-reload container image + ## + image: + repository: quay.io/prometheus-operator/prometheus-config-reloader + tag: v0.76.2 + # When digest is set to a non-empty value, images will be pulled by digest (regardless of tag value). + digest: "" + pullPolicy: IfNotPresent + + ## config-reloader's container port and port name for probes and metrics + containerPort: 8080 + containerPortName: metrics + + ## Additional configmap-reload container arguments + ## Set to null for argumentless flags + ## + extraArgs: {} + + ## Additional configmap-reload volume directories + ## + extraVolumeDirs: [] + + ## Additional configmap-reload volume mounts + ## + extraVolumeMounts: [] + + ## Additional configmap-reload mounts + ## + extraConfigmapMounts: [] + # - name: prometheus-alerts + # mountPath: /etc/alerts.d + # subPath: "" + # configMap: prometheus-alerts + # readOnly: true + + ## Security context to be added to configmap-reload container + containerSecurityContext: {} + + ## Settings for Prometheus reloader's readiness, liveness and startup probes + ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/ + ## + + livenessProbe: + httpGet: + path: /healthz + port: metrics + scheme: HTTP + periodSeconds: 10 + initialDelaySeconds: 2 + + readinessProbe: + httpGet: + path: /healthz + port: metrics + scheme: HTTP + periodSeconds: 10 + + startupProbe: + enabled: false + httpGet: + path: /healthz + port: metrics + scheme: HTTP + periodSeconds: 10 + + ## configmap-reload resource requests and limits + ## Ref: http://kubernetes.io/docs/user-guide/compute-resources/ + ## + resources: + requests: + cpu: 10m + memory: 50Mi + +server: + ## Prometheus server container name + ## + name: server + + ## Opt out of automounting Kubernetes API credentials. + ## If set it will override serviceAccounts.server.automountServiceAccountToken value for ServiceAccount. + # automountServiceAccountToken: false + + ## Use a ClusterRole (and ClusterRoleBinding) + ## - If set to false - we define a RoleBinding in the defined namespaces ONLY + ## + ## NB: because we need a Role with nonResourceURL's ("/metrics") - you must get someone with Cluster-admin privileges to define this role for you, before running with this setting enabled. + ## This makes prometheus work - for users who do not have ClusterAdmin privs, but wants prometheus to operate on their own namespaces, instead of clusterwide. + ## + ## You MUST also set namespaces to the ones you have access to and want monitored by Prometheus. + ## + # useExistingClusterRoleName: nameofclusterrole + + ## If set it will override prometheus.server.fullname value for ClusterRole and ClusterRoleBinding + ## + clusterRoleNameOverride: "" + + # Enable only the release namespace for monitoring. By default all namespaces are monitored. + # If releaseNamespace and namespaces are both set a merged list will be monitored. + releaseNamespace: false + + ## namespaces to monitor (instead of monitoring all - clusterwide). Needed if you want to run without Cluster-admin privileges. + # namespaces: + # - yournamespace + + # sidecarContainers - add more containers to prometheus server + # Key/Value where Key is the sidecar `- name: ` + # Example: + # sidecarContainers: + # webserver: + # image: nginx + # OR for adding OAuth authentication to Prometheus + # sidecarContainers: + # oauth-proxy: + # image: quay.io/oauth2-proxy/oauth2-proxy:v7.1.2 + # args: + # - --upstream=http://127.0.0.1:9090 + # - --http-address=0.0.0.0:8081 + # - ... + # ports: + # - containerPort: 8081 + # name: oauth-proxy + # protocol: TCP + # resources: {} + sidecarContainers: {} + + # sidecarTemplateValues - context to be used in template for sidecarContainers + # Example: + # sidecarTemplateValues: *your-custom-globals + # sidecarContainers: + # webserver: |- + # {{ include "webserver-container-template" . }} + # Template for `webserver-container-template` might looks like this: + # image: "{{ .Values.server.sidecarTemplateValues.repository }}:{{ .Values.server.sidecarTemplateValues.tag }}" + # ... + # + sidecarTemplateValues: {} + + ## Prometheus server container image + ## + image: + repository: quay.io/prometheus/prometheus + # if not set appVersion field from Chart.yaml is used + tag: "" + # When digest is set to a non-empty value, images will be pulled by digest (regardless of tag value). + digest: "" + pullPolicy: IfNotPresent + + ## Prometheus server command + ## + command: [] + + ## prometheus server priorityClassName + ## + priorityClassName: "" + + ## EnableServiceLinks indicates whether information about services should be injected + ## into pod's environment variables, matching the syntax of Docker links. + ## WARNING: the field is unsupported and will be skipped in K8s prior to v1.13.0. + ## + enableServiceLinks: true + + ## The URL prefix at which the container can be accessed. Useful in the case the '-web.external-url' includes a slug + ## so that the various internal URLs are still able to access as they are in the default case. + ## (Optional) + prefixURL: "" + + ## External URL which can access prometheus + ## Maybe same with Ingress host name + baseURL: "" + + ## Additional server container environment variables + ## + ## You specify this manually like you would a raw deployment manifest. + ## This means you can bind in environment variables from secrets. + ## + ## e.g. static environment variable: + ## - name: DEMO_GREETING + ## value: "Hello from the environment" + ## + ## e.g. secret environment variable: + ## - name: USERNAME + ## valueFrom: + ## secretKeyRef: + ## name: mysecret + ## key: username + env: [] + + # List of flags to override default parameters, e.g: + # - --enable-feature=agent + # - --storage.agent.retention.max-time=30m + # - --config.file=/etc/config/prometheus.yml + defaultFlagsOverride: [] + + extraFlags: + - web.enable-lifecycle + ## web.enable-admin-api flag controls access to the administrative HTTP API which includes functionality such as + ## deleting time series. This is disabled by default. + # - web.enable-admin-api + ## + ## storage.tsdb.no-lockfile flag controls BD locking + # - storage.tsdb.no-lockfile + ## + ## storage.tsdb.wal-compression flag enables compression of the write-ahead log (WAL) + # - storage.tsdb.wal-compression + + ## Path to a configuration file on prometheus server container FS + configPath: /etc/config/prometheus.yml + + ### The data directory used by prometheus to set --storage.tsdb.path + ### When empty server.persistentVolume.mountPath is used instead + storagePath: "" + + global: + ## How frequently to scrape targets by default + ## + scrape_interval: 1m + ## How long until a scrape request times out + ## + scrape_timeout: 10s + ## How frequently to evaluate rules + ## + evaluation_interval: 1m + ## https://prometheus.io/docs/prometheus/latest/configuration/configuration/#remote_write + ## + remoteWrite: [] + ## https://prometheus.io/docs/prometheus/latest/configuration/configuration/#remote_read + ## + remoteRead: [] + + ## https://prometheus.io/docs/prometheus/latest/configuration/configuration/#tsdb + ## + tsdb: {} + # out_of_order_time_window: 0s + + ## https://prometheus.io/docs/prometheus/latest/configuration/configuration/#exemplars + ## Must be enabled via --enable-feature=exemplar-storage + ## + exemplars: {} + # max_exemplars: 100000 + + ## Custom HTTP headers for Liveness/Readiness/Startup Probe + ## + ## Useful for providing HTTP Basic Auth to healthchecks + probeHeaders: [] + # - name: "Authorization" + # value: "Bearer ABCDEabcde12345" + + ## Additional Prometheus server container arguments + ## Set to null for argumentless flags + ## + extraArgs: {} + # web.enable-remote-write-receiver: null + + ## Additional InitContainers to initialize the pod + ## + extraInitContainers: [] + + ## Additional Prometheus server Volume mounts + ## + extraVolumeMounts: [] + + ## Additional Prometheus server Volumes + ## + extraVolumes: [] + + ## Additional Prometheus server hostPath mounts + ## + extraHostPathMounts: [] + # - name: certs-dir + # mountPath: /etc/kubernetes/certs + # subPath: "" + # hostPath: /etc/kubernetes/certs + # readOnly: true + + extraConfigmapMounts: [] + # - name: certs-configmap + # mountPath: /prometheus + # subPath: "" + # configMap: certs-configmap + # readOnly: true + + ## Additional Prometheus server Secret mounts + # Defines additional mounts with secrets. Secrets must be manually created in the namespace. + extraSecretMounts: [] + # - name: secret-files + # mountPath: /etc/secrets + # subPath: "" + # secretName: prom-secret-files + # readOnly: true + + ## ConfigMap override where fullname is {{.Release.Name}}-{{.Values.server.configMapOverrideName}} + ## Defining configMapOverrideName will cause templates/server-configmap.yaml + ## to NOT generate a ConfigMap resource + ## + configMapOverrideName: "" + + ## Extra labels for Prometheus server ConfigMap (ConfigMap that holds serverFiles) + extraConfigmapLabels: {} + + ## Override the prometheus.server.fullname for all objects related to the Prometheus server + fullnameOverride: "" + + ingress: + ## If true, Prometheus server Ingress will be created + ## + enabled: false + + # For Kubernetes >= 1.18 you should specify the ingress-controller via the field ingressClassName + # See https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/#specifying-the-class-of-an-ingress + # ingressClassName: nginx + + ## Prometheus server Ingress annotations + ## + annotations: {} + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: 'true' + + ## Prometheus server Ingress additional labels + ## + extraLabels: {} + + ## Redirect ingress to an additional defined port on the service + # servicePort: 8081 + + ## Prometheus server Ingress hostnames with optional path + ## Must be provided if Ingress is enabled + ## + hosts: [] + # - prometheus.domain.com + # - domain.com/prometheus + + path: / + + # pathType is only for k8s >= 1.18 + pathType: Prefix + + ## Extra paths to prepend to every host configuration. This is useful when working with annotation based services. + extraPaths: [] + # - path: /* + # backend: + # serviceName: ssl-redirect + # servicePort: use-annotation + + ## Prometheus server Ingress TLS configuration + ## Secrets must be manually created in the namespace + ## + tls: [] + # - secretName: prometheus-server-tls + # hosts: + # - prometheus.domain.com + + ## Server Deployment Strategy type + strategy: + type: Recreate + + ## hostAliases allows adding entries to /etc/hosts inside the containers + hostAliases: [] + # - ip: "127.0.0.1" + # hostnames: + # - "example.com" + + ## Node tolerations for server scheduling to nodes with taints + ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ + ## + tolerations: [] + # - key: "key" + # operator: "Equal|Exists" + # value: "value" + # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" + + ## Node labels for Prometheus server pod assignment + ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ + ## + nodeSelector: {} + + ## Pod affinity + ## + affinity: {} + + ## Pod anti-affinity can prevent the scheduler from placing Prometheus server replicas on the same node. + ## The value "soft" means that the scheduler should *prefer* to not schedule two replica pods onto the same node but no guarantee is provided. + ## The value "hard" means that the scheduler is *required* to not schedule two replica pods onto the same node. + ## The default value "" will disable pod anti-affinity so that no anti-affinity rules will be configured (unless set in `server.affinity`). + ## + podAntiAffinity: "" + + ## If anti-affinity is enabled sets the topologyKey to use for anti-affinity. + ## This can be changed to, for example, failure-domain.beta.kubernetes.io/zone + ## + podAntiAffinityTopologyKey: kubernetes.io/hostname + + ## Pod topology spread constraints + ## ref. https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/ + topologySpreadConstraints: [] + + ## PodDisruptionBudget settings + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ + ## + podDisruptionBudget: + enabled: false + maxUnavailable: 1 + # minAvailable: 1 + ## unhealthyPodEvictionPolicy is available since 1.27.0 (beta) + ## https://kubernetes.io/docs/tasks/run-application/configure-pdb/#unhealthy-pod-eviction-policy + # unhealthyPodEvictionPolicy: IfHealthyBudget + + ## Use an alternate scheduler, e.g. "stork". + ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ + ## + # schedulerName: + + persistentVolume: + ## If true, Prometheus server will create/use a Persistent Volume Claim + ## If false, use emptyDir + ## + enabled: true + + ## If set it will override the name of the created persistent volume claim + ## generated by the stateful set. + ## + statefulSetNameOverride: "" + + ## Prometheus server data Persistent Volume access modes + ## Must match those of existing PV or dynamic provisioner + ## Ref: http://kubernetes.io/docs/user-guide/persistent-volumes/ + ## + accessModes: + - ReadWriteOnce + + ## Prometheus server data Persistent Volume labels + ## + labels: {} + + ## Prometheus server data Persistent Volume annotations + ## + annotations: {} + + ## Prometheus server data Persistent Volume existing claim name + ## Requires server.persistentVolume.enabled: true + ## If defined, PVC must be created manually before volume will be bound + existingClaim: "" + + ## Prometheus server data Persistent Volume mount root path + ## + mountPath: /data + + ## Prometheus server data Persistent Volume size + ## + size: 8Gi + + ## Prometheus server data Persistent Volume Storage Class + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. (gp2 on AWS, standard on + ## GKE, AWS & OpenStack) + ## + # storageClass: "-" + + ## Prometheus server data Persistent Volume Binding Mode + ## If defined, volumeBindingMode: + ## If undefined (the default) or set to null, no volumeBindingMode spec is + ## set, choosing the default mode. + ## + # volumeBindingMode: "" + + ## Subdirectory of Prometheus server data Persistent Volume to mount + ## Useful if the volume's root directory is not empty + ## + subPath: "" + + ## Persistent Volume Claim Selector + ## Useful if Persistent Volumes have been provisioned in advance + ## Ref: https://kubernetes.io/docs/concepts/storage/persistent-volumes/#selector + ## + # selector: + # matchLabels: + # release: "stable" + # matchExpressions: + # - { key: environment, operator: In, values: [ dev ] } + + ## Persistent Volume Name + ## Useful if Persistent Volumes have been provisioned in advance and you want to use a specific one + ## + # volumeName: "" + + emptyDir: + ## Prometheus server emptyDir volume size limit + ## + sizeLimit: "" + + ## Annotations to be added to Prometheus server pods + ## + podAnnotations: {} + # iam.amazonaws.com/role: prometheus + + ## Labels to be added to Prometheus server pods + ## + podLabels: {} + + ## Prometheus AlertManager configuration + ## + alertmanagers: [] + + ## Specify if a Pod Security Policy for node-exporter must be created + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/ + ## + podSecurityPolicy: + annotations: {} + ## Specify pod annotations + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#apparmor + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#sysctl + ## + # seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*' + # seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default' + # apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default' + + ## Use a StatefulSet if replicaCount needs to be greater than 1 (see below) + ## + replicaCount: 1 + + ## Number of old history to retain to allow rollback + ## Default Kubernetes value is set to 10 + ## + revisionHistoryLimit: 10 + + ## Annotations to be added to ConfigMap + ## + configMapAnnotations: {} + + ## Annotations to be added to deployment + ## + deploymentAnnotations: {} + + statefulSet: + ## If true, use a statefulset instead of a deployment for pod management. + ## This allows to scale replicas to more than 1 pod + ## + enabled: false + + annotations: {} + labels: {} + podManagementPolicy: OrderedReady + + ## Alertmanager headless service to use for the statefulset + ## + headless: + annotations: {} + labels: {} + servicePort: 80 + ## Enable gRPC port on service to allow auto discovery with thanos-querier + gRPC: + enabled: false + servicePort: 10901 + # nodePort: 10901 + + ## Statefulset's persistent volume claim retention policy + ## pvcDeleteOnStsDelete and pvcDeleteOnStsScale determine whether + ## statefulset's PVCs are deleted (true) or retained (false) on scaling down + ## and deleting statefulset, respectively. Requires 1.27.0+. + ## Ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#persistentvolumeclaim-retention + ## + pvcDeleteOnStsDelete: false + pvcDeleteOnStsScale: false + + ## Prometheus server readiness and liveness probe initial delay and timeout + ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/ + ## + tcpSocketProbeEnabled: false + probeScheme: HTTP + readinessProbeInitialDelay: 30 + readinessProbePeriodSeconds: 5 + readinessProbeTimeout: 4 + readinessProbeFailureThreshold: 3 + readinessProbeSuccessThreshold: 1 + livenessProbeInitialDelay: 30 + livenessProbePeriodSeconds: 15 + livenessProbeTimeout: 10 + livenessProbeFailureThreshold: 3 + livenessProbeSuccessThreshold: 1 + startupProbe: + enabled: false + periodSeconds: 5 + failureThreshold: 30 + timeoutSeconds: 10 + + ## Prometheus server resource requests and limits + ## Ref: http://kubernetes.io/docs/user-guide/compute-resources/ + ## + resources: + requests: + cpu: 20m + memory: 200Mi + # limits: + # cpu: 500m + # memory: 512Mi + # requests: + # cpu: 500m + # memory: 512Mi + + # Required for use in managed kubernetes clusters (such as AWS EKS) with custom CNI (such as calico), + # because control-plane managed by AWS cannot communicate with pods' IP CIDR and admission webhooks are not working + ## + hostNetwork: false + + # When hostNetwork is enabled, this will set to ClusterFirstWithHostNet automatically + dnsPolicy: ClusterFirst + + # Use hostPort + # hostPort: 9090 + + # Use portName + portName: "" + + ## Vertical Pod Autoscaler config + ## Ref: https://github.com/kubernetes/autoscaler/tree/master/vertical-pod-autoscaler + verticalAutoscaler: + ## If true a VPA object will be created for the controller (either StatefulSet or Deployemnt, based on above configs) + enabled: false + # updateMode: "Auto" + # containerPolicies: + # - containerName: 'prometheus-server' + + # Custom DNS configuration to be added to prometheus server pods + dnsConfig: {} + # nameservers: + # - 1.2.3.4 + # searches: + # - ns1.svc.cluster-domain.example + # - my.dns.search.suffix + # options: + # - name: ndots + # value: "2" + # - name: edns0 + + ## Security context to be added to server pods + ## + securityContext: + runAsUser: 65534 + runAsNonRoot: true + runAsGroup: 65534 + fsGroup: 65534 + + ## Security context to be added to server container + ## + containerSecurityContext: {} + + service: + ## If false, no Service will be created for the Prometheus server + ## + enabled: true + + annotations: {} + labels: {} + clusterIP: "" + + ## List of IP addresses at which the Prometheus server service is available + ## Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips + ## + externalIPs: [] + + loadBalancerIP: "" + loadBalancerSourceRanges: [] + servicePort: 80 + sessionAffinity: None + type: ClusterIP + + ## Enable gRPC port on service to allow auto discovery with thanos-querier + gRPC: + enabled: false + servicePort: 10901 + # nodePort: 10901 + + ## If using a statefulSet (statefulSet.enabled=true), configure the + ## service to connect to a specific replica to have a consistent view + ## of the data. + statefulsetReplica: + enabled: false + replica: 0 + + ## Additional port to define in the Service + additionalPorts: [] + # additionalPorts: + # - name: authenticated + # port: 8081 + # targetPort: 8081 + + ## Prometheus server pod termination grace period + ## + terminationGracePeriodSeconds: 300 + + ## Prometheus data retention period (default if not specified is 15 days) + ## + retention: "15d" + + ## Prometheus' data retention size. Supported units: B, KB, MB, GB, TB, PB, EB. + ## + retentionSize: "" + +## Prometheus server ConfigMap entries for rule files (allow prometheus labels interpolation) +ruleFiles: {} + +## Prometheus server ConfigMap entries for scrape_config_files +## (allows scrape configs defined in additional files) +## +scrapeConfigFiles: [] + +## Prometheus server ConfigMap entries +## +serverFiles: + ## Alerts configuration + ## Ref: https://prometheus.io/docs/prometheus/latest/configuration/alerting_rules/ + alerting_rules.yml: {} + # groups: + # - name: Instances + # rules: + # - alert: InstanceDown + # expr: up == 0 + # for: 5m + # labels: + # severity: page + # annotations: + # description: '{{ $labels.instance }} of job {{ $labels.job }} has been down for more than 5 minutes.' + # summary: 'Instance {{ $labels.instance }} down' + ## DEPRECATED DEFAULT VALUE, unless explicitly naming your files, please use alerting_rules.yml + alerts: {} + + ## Records configuration + ## Ref: https://prometheus.io/docs/prometheus/latest/configuration/recording_rules/ + recording_rules.yml: {} + ## DEPRECATED DEFAULT VALUE, unless explicitly naming your files, please use recording_rules.yml + rules: {} + + prometheus.yml: + rule_files: + - /etc/config/recording_rules.yml + - /etc/config/alerting_rules.yml + ## Below two files are DEPRECATED will be removed from this default values file + - /etc/config/rules + - /etc/config/alerts + + scrape_configs: + - job_name: prometheus + static_configs: + - targets: + - localhost:9090 + + # A scrape configuration for running Prometheus on a Kubernetes cluster. + # This uses separate scrape configs for cluster components (i.e. API server, node) + # and services to allow each to use different authentication configs. + # + # Kubernetes labels will be added as Prometheus labels on metrics via the + # `labelmap` relabeling action. + + # Scrape config for API servers. + # + # Kubernetes exposes API servers as endpoints to the default/kubernetes + # service so this uses `endpoints` role and uses relabelling to only keep + # the endpoints associated with the default/kubernetes service using the + # default named port `https`. This works for single API server deployments as + # well as HA API server deployments. + - job_name: 'kubernetes-apiservers' + + kubernetes_sd_configs: + - role: endpoints + + # Default to scraping over https. If required, just disable this or change to + # `http`. + scheme: https + + # This TLS & bearer token file config is used to connect to the actual scrape + # endpoints for cluster components. This is separate to discovery auth + # configuration because discovery & scraping are two separate concerns in + # Prometheus. The discovery auth config is automatic if Prometheus runs inside + # the cluster. Otherwise, more config options have to be provided within the + # . + tls_config: + ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + # If your node certificates are self-signed or use a different CA to the + # master CA, then disable certificate verification below. Note that + # certificate verification is an integral part of a secure infrastructure + # so this should only be disabled in a controlled environment. You can + # disable certificate verification by uncommenting the line below. + # + insecure_skip_verify: true + bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + + # Keep only the default/kubernetes service endpoints for the https port. This + # will add targets for each API server which Kubernetes adds an endpoint to + # the default/kubernetes service. + relabel_configs: + - source_labels: [__meta_kubernetes_namespace, __meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name] + action: keep + regex: default;kubernetes;https + + - job_name: 'kubernetes-nodes' + + # Default to scraping over https. If required, just disable this or change to + # `http`. + scheme: https + + # This TLS & bearer token file config is used to connect to the actual scrape + # endpoints for cluster components. This is separate to discovery auth + # configuration because discovery & scraping are two separate concerns in + # Prometheus. The discovery auth config is automatic if Prometheus runs inside + # the cluster. Otherwise, more config options have to be provided within the + # . + tls_config: + ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + # If your node certificates are self-signed or use a different CA to the + # master CA, then disable certificate verification below. Note that + # certificate verification is an integral part of a secure infrastructure + # so this should only be disabled in a controlled environment. You can + # disable certificate verification by uncommenting the line below. + # + insecure_skip_verify: true + bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + + kubernetes_sd_configs: + - role: node + + relabel_configs: + - action: labelmap + regex: __meta_kubernetes_node_label_(.+) + - target_label: __address__ + replacement: kubernetes.default.svc:443 + - source_labels: [__meta_kubernetes_node_name] + regex: (.+) + target_label: __metrics_path__ + replacement: /api/v1/nodes/$1/proxy/metrics + + + - job_name: 'kubernetes-nodes-cadvisor' + + # Default to scraping over https. If required, just disable this or change to + # `http`. + scheme: https + + # This TLS & bearer token file config is used to connect to the actual scrape + # endpoints for cluster components. This is separate to discovery auth + # configuration because discovery & scraping are two separate concerns in + # Prometheus. The discovery auth config is automatic if Prometheus runs inside + # the cluster. Otherwise, more config options have to be provided within the + # . + tls_config: + ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + # If your node certificates are self-signed or use a different CA to the + # master CA, then disable certificate verification below. Note that + # certificate verification is an integral part of a secure infrastructure + # so this should only be disabled in a controlled environment. You can + # disable certificate verification by uncommenting the line below. + # + insecure_skip_verify: true + bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + + kubernetes_sd_configs: + - role: node + + # This configuration will work only on kubelet 1.7.3+ + # As the scrape endpoints for cAdvisor have changed + # if you are using older version you need to change the replacement to + # replacement: /api/v1/nodes/$1:4194/proxy/metrics + # more info here https://github.com/coreos/prometheus-operator/issues/633 + relabel_configs: + - action: labelmap + regex: __meta_kubernetes_node_label_(.+) + - target_label: __address__ + replacement: kubernetes.default.svc:443 + - source_labels: [__meta_kubernetes_node_name] + regex: (.+) + target_label: __metrics_path__ + replacement: /api/v1/nodes/$1/proxy/metrics/cadvisor + + # Metric relabel configs to apply to samples before ingestion. + # [Metric Relabeling](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#metric_relabel_configs) + # metric_relabel_configs: + # - action: labeldrop + # regex: (kubernetes_io_hostname|failure_domain_beta_kubernetes_io_region|beta_kubernetes_io_os|beta_kubernetes_io_arch|beta_kubernetes_io_instance_type|failure_domain_beta_kubernetes_io_zone) + + # Scrape config for service endpoints. + # + # The relabeling allows the actual service scrape endpoint to be configured + # via the following annotations: + # + # * `prometheus.io/scrape`: Only scrape services that have a value of + # `true`, except if `prometheus.io/scrape-slow` is set to `true` as well. + # * `prometheus.io/scheme`: If the metrics endpoint is secured then you will need + # to set this to `https` & most likely set the `tls_config` of the scrape config. + # * `prometheus.io/path`: If the metrics path is not `/metrics` override this. + # * `prometheus.io/port`: If the metrics are exposed on a different port to the + # service then set this appropriately. + # * `prometheus.io/param_`: If the metrics endpoint uses parameters + # then you can set any parameter + - job_name: 'kubernetes-service-endpoints' + honor_labels: true + + kubernetes_sd_configs: + - role: endpoints + + relabel_configs: + - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scrape] + action: keep + regex: true + - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scrape_slow] + action: drop + regex: true + - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scheme] + action: replace + target_label: __scheme__ + regex: (https?) + - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_path] + action: replace + target_label: __metrics_path__ + regex: (.+) + - source_labels: [__address__, __meta_kubernetes_service_annotation_prometheus_io_port] + action: replace + target_label: __address__ + regex: (.+?)(?::\d+)?;(\d+) + replacement: $1:$2 + - action: labelmap + regex: __meta_kubernetes_service_annotation_prometheus_io_param_(.+) + replacement: __param_$1 + - action: labelmap + regex: __meta_kubernetes_service_label_(.+) + - source_labels: [__meta_kubernetes_namespace] + action: replace + target_label: namespace + - source_labels: [__meta_kubernetes_service_name] + action: replace + target_label: service + - source_labels: [__meta_kubernetes_pod_node_name] + action: replace + target_label: node + + # Scrape config for slow service endpoints; same as above, but with a larger + # timeout and a larger interval + # + # The relabeling allows the actual service scrape endpoint to be configured + # via the following annotations: + # + # * `prometheus.io/scrape-slow`: Only scrape services that have a value of `true` + # * `prometheus.io/scheme`: If the metrics endpoint is secured then you will need + # to set this to `https` & most likely set the `tls_config` of the scrape config. + # * `prometheus.io/path`: If the metrics path is not `/metrics` override this. + # * `prometheus.io/port`: If the metrics are exposed on a different port to the + # service then set this appropriately. + # * `prometheus.io/param_`: If the metrics endpoint uses parameters + # then you can set any parameter + - job_name: 'kubernetes-service-endpoints-slow' + honor_labels: true + + scrape_interval: 5m + scrape_timeout: 30s + + kubernetes_sd_configs: + - role: endpoints + + relabel_configs: + - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scrape_slow] + action: keep + regex: true + - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scheme] + action: replace + target_label: __scheme__ + regex: (https?) + - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_path] + action: replace + target_label: __metrics_path__ + regex: (.+) + - source_labels: [__address__, __meta_kubernetes_service_annotation_prometheus_io_port] + action: replace + target_label: __address__ + regex: (.+?)(?::\d+)?;(\d+) + replacement: $1:$2 + - action: labelmap + regex: __meta_kubernetes_service_annotation_prometheus_io_param_(.+) + replacement: __param_$1 + - action: labelmap + regex: __meta_kubernetes_service_label_(.+) + - source_labels: [__meta_kubernetes_namespace] + action: replace + target_label: namespace + - source_labels: [__meta_kubernetes_service_name] + action: replace + target_label: service + - source_labels: [__meta_kubernetes_pod_node_name] + action: replace + target_label: node + + - job_name: 'prometheus-pushgateway' + honor_labels: true + + kubernetes_sd_configs: + - role: service + + relabel_configs: + - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_probe] + action: keep + regex: pushgateway + + # Example scrape config for probing services via the Blackbox Exporter. + # + # The relabeling allows the actual service scrape endpoint to be configured + # via the following annotations: + # + # * `prometheus.io/probe`: Only probe services that have a value of `true` + - job_name: 'kubernetes-services' + honor_labels: true + + metrics_path: /probe + params: + module: [http_2xx] + + kubernetes_sd_configs: + - role: service + + relabel_configs: + - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_probe] + action: keep + regex: true + - source_labels: [__address__] + target_label: __param_target + - target_label: __address__ + replacement: blackbox + - source_labels: [__param_target] + target_label: instance + - action: labelmap + regex: __meta_kubernetes_service_label_(.+) + - source_labels: [__meta_kubernetes_namespace] + target_label: namespace + - source_labels: [__meta_kubernetes_service_name] + target_label: service + + # Example scrape config for pods + # + # The relabeling allows the actual pod scrape endpoint to be configured via the + # following annotations: + # + # * `prometheus.io/scrape`: Only scrape pods that have a value of `true`, + # except if `prometheus.io/scrape-slow` is set to `true` as well. + # * `prometheus.io/scheme`: If the metrics endpoint is secured then you will need + # to set this to `https` & most likely set the `tls_config` of the scrape config. + # * `prometheus.io/path`: If the metrics path is not `/metrics` override this. + # * `prometheus.io/port`: Scrape the pod on the indicated port instead of the default of `9102`. + - job_name: 'kubernetes-pods' + honor_labels: true + + kubernetes_sd_configs: + - role: pod + + relabel_configs: + - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scrape] + action: keep + regex: true + - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scrape_slow] + action: drop + regex: true + - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scheme] + action: replace + regex: (https?) + target_label: __scheme__ + - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_path] + action: replace + target_label: __metrics_path__ + regex: (.+) + - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_port, __meta_kubernetes_pod_ip] + action: replace + regex: (\d+);(([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}) + replacement: '[$2]:$1' + target_label: __address__ + - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_port, __meta_kubernetes_pod_ip] + action: replace + regex: (\d+);((([0-9]+?)(\.|$)){4}) + replacement: $2:$1 + target_label: __address__ + - action: labelmap + regex: __meta_kubernetes_pod_annotation_prometheus_io_param_(.+) + replacement: __param_$1 + - action: labelmap + regex: __meta_kubernetes_pod_label_(.+) + - source_labels: [__meta_kubernetes_namespace] + action: replace + target_label: namespace + - source_labels: [__meta_kubernetes_pod_name] + action: replace + target_label: pod + - source_labels: [__meta_kubernetes_pod_phase] + regex: Pending|Succeeded|Failed|Completed + action: drop + - source_labels: [__meta_kubernetes_pod_node_name] + action: replace + target_label: node + + # Example Scrape config for pods which should be scraped slower. An useful example + # would be stackriver-exporter which queries an API on every scrape of the pod + # + # The relabeling allows the actual pod scrape endpoint to be configured via the + # following annotations: + # + # * `prometheus.io/scrape-slow`: Only scrape pods that have a value of `true` + # * `prometheus.io/scheme`: If the metrics endpoint is secured then you will need + # to set this to `https` & most likely set the `tls_config` of the scrape config. + # * `prometheus.io/path`: If the metrics path is not `/metrics` override this. + # * `prometheus.io/port`: Scrape the pod on the indicated port instead of the default of `9102`. + - job_name: 'kubernetes-pods-slow' + honor_labels: true + + scrape_interval: 5m + scrape_timeout: 30s + + kubernetes_sd_configs: + - role: pod + + relabel_configs: + - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scrape_slow] + action: keep + regex: true + - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scheme] + action: replace + regex: (https?) + target_label: __scheme__ + - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_path] + action: replace + target_label: __metrics_path__ + regex: (.+) + - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_port, __meta_kubernetes_pod_ip] + action: replace + regex: (\d+);(([A-Fa-f0-9]{1,4}::?){1,7}[A-Fa-f0-9]{1,4}) + replacement: '[$2]:$1' + target_label: __address__ + - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_port, __meta_kubernetes_pod_ip] + action: replace + regex: (\d+);((([0-9]+?)(\.|$)){4}) + replacement: $2:$1 + target_label: __address__ + - action: labelmap + regex: __meta_kubernetes_pod_annotation_prometheus_io_param_(.+) + replacement: __param_$1 + - action: labelmap + regex: __meta_kubernetes_pod_label_(.+) + - source_labels: [__meta_kubernetes_namespace] + action: replace + target_label: namespace + - source_labels: [__meta_kubernetes_pod_name] + action: replace + target_label: pod + - source_labels: [__meta_kubernetes_pod_phase] + regex: Pending|Succeeded|Failed|Completed + action: drop + - source_labels: [__meta_kubernetes_pod_node_name] + action: replace + target_label: node + +# adds additional scrape configs to prometheus.yml +# must be a string so you have to add a | after extraScrapeConfigs: +# example adds prometheus-blackbox-exporter scrape config +extraScrapeConfigs: "" + # - job_name: 'prometheus-blackbox-exporter' + # metrics_path: /probe + # params: + # module: [http_2xx] + # static_configs: + # - targets: + # - https://example.com + # relabel_configs: + # - source_labels: [__address__] + # target_label: __param_target + # - source_labels: [__param_target] + # target_label: instance + # - target_label: __address__ + # replacement: prometheus-blackbox-exporter:9115 + +# Adds option to add alert_relabel_configs to avoid duplicate alerts in alertmanager +# useful in H/A prometheus with different external labels but the same alerts +alertRelabelConfigs: {} + # alert_relabel_configs: + # - source_labels: [dc] + # regex: (.+)\d+ + # target_label: dc + +networkPolicy: + ## Enable creation of NetworkPolicy resources. + ## + ## Customized for K10 + enabled: true + +# Force namespace of namespaced resources +forceNamespace: "" + +# Extra manifests to deploy as an array +extraManifests: [] + # - | + # apiVersion: v1 + # kind: ConfigMap + # metadata: + # labels: + # name: prometheus-extra + # data: + # extra-data: "value" + +# Configuration of subcharts defined in Chart.yaml + +## alertmanager sub-chart configurable values +## Please see https://github.com/prometheus-community/helm-charts/tree/main/charts/alertmanager +## +alertmanager: + ## If false, alertmanager will not be installed + ## + ## Customized for K10 + enabled: false + + persistence: + size: 2Gi + + podSecurityContext: + runAsUser: 65534 + runAsNonRoot: true + runAsGroup: 65534 + fsGroup: 65534 + +## kube-state-metrics sub-chart configurable values +## Please see https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-state-metrics +## +kube-state-metrics: + ## If false, kube-state-metrics sub-chart will not be installed + ## + ## Customized for K10 + enabled: false + +## prometheus-node-exporter sub-chart configurable values +## Please see https://github.com/prometheus-community/helm-charts/tree/main/charts/prometheus-node-exporter +## +prometheus-node-exporter: + ## If false, node-exporter will not be installed + ## + ## Customized for K10 + enabled: false + + rbac: + pspEnabled: false + + containerSecurityContext: + allowPrivilegeEscalation: false + +## prometheus-pushgateway sub-chart configurable values +## Please see https://github.com/prometheus-community/helm-charts/tree/main/charts/prometheus-pushgateway +## +prometheus-pushgateway: + ## If false, pushgateway will not be installed + ## + ## Customized for K10 + enabled: false + + # Optional service annotations + serviceAnnotations: + prometheus.io/probe: pushgateway diff --git a/charts/kasten/k10/7.0.1401/config.json b/charts/kasten/k10/7.0.1401/config.json new file mode 100644 index 000000000..e69de29bb diff --git a/charts/kasten/k10/7.0.1401/eula.txt b/charts/kasten/k10/7.0.1401/eula.txt new file mode 100644 index 000000000..19f9fc076 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/eula.txt @@ -0,0 +1,459 @@ +KASTEN END USER LICENSE AGREEMENT + +This End User License Agreement is a binding agreement between Kasten, Inc., a +Delaware Corporation ("Kasten"), and you ("Licensee"), and establishes the terms +under which Licensee may use the Software and Documentation (as defined below), +including without limitation terms and conditions relating to license grant, +intellectual property rights, disclaimers /exclusions / limitations of warranty, +indemnity and liability, governing law and limitation periods. All components +collectively are referred to herein as the "Agreement." + +LICENSEE ACKNOWLEDGES IT HAS HAD THE OPPORTUNITY TO REVIEW THE AGREEMENT, PRIOR +TO ACCEPTANCE OF THIS AGREEMENT. LICENSEE'S ACCEPTANCE OF THIS AGREEMENT IS +EVIDENCED BY LICENSEE'S DOWNLOADING, COPYING, INSTALLING OR USING THE KASTEN +SOFTWARE. IF YOU ARE ACTING ON BEHALF OF A COMPANY, YOU REPRESENT THAT YOU ARE +AUTHORIZED TO BIND THE COMPANY. IF YOU DO NOT AGREE TO ALL TERMS OF THIS +AGREEMENT, DO NOT DOWNLOAD, COPY, INSTALL, OR USE THE SOFTWARE, AND PERMANENTLY +DELETE THE SOFTWARE. + +1. DEFINITIONS + +1.1 "Authorized Persons" means trained technical employees and contractors of +Licensee who are subject to a written agreement with Licensee that includes use +and confidentiality restrictions that are at least as protective as those set +forth in this Agreement. + +1.2 "Authorized Reseller" means a distributor or reseller, including cloud +computing platform providers, authorized by Kasten to resell licenses to the +Software through the channel through or in the territory in which Licensee is +purchasing. + +1.3 "Confidential Information" means all non-public information disclosed in +written, oral or visual form by either party to the other. Confidential +Information may include, but is not limited to, services, pricing information, +computer programs, source code, names and expertise of employees and +consultants, know-how, and other technical, business, financial and product +development information. "Confidential Information" does not include any +information that the receiving party can demonstrate by its written records (1) +was rightfully known to it without obligation of confidentiality prior to its +disclosure hereunder by the disclosing party; (2) is or becomes publicly known +through no wrongful act of the receiving party; (3) has been rightfully received +without obligation of confidentiality from a third party authorized to make such +a disclosure; or (4) is independently developed by the receiving party without +reference to confidential information disclosed hereunder. + +1.4 "Documentation" means any administration guides, installation and user +guides, and release notes that are provided by Kasten to Licensee with the +Software. + +1.5 "Intellectual Property Rights" means patents, design patents, copyrights, +trademarks, Confidential Information, know-how, trade secrets, moral rights, and +any other intellectual property rights recognized in any country or jurisdiction +in the world. + +1.6 "Node" means a single physical or virtual computing machine recognizable by +the Software as a unique device. Nodes must be owned or leased by Licensee or an +entity controlled by, controlling or under common control with Licensee. + +1.7 "Edition" means a unique identifier for each distinct product that is made +available by Kasten and that can be licensed, including summary information +regarding any associated functionality, features, or restrictions specific to +the Edition. + +1.8 "Open Source Software" means software delivered to Licensee hereunder that +is subject to the provisions of any open source license agreement. + +1.9 "Purchase Agreement" means a separate commercial agreement, if applicable, +between Kasten and the Licensee that contains the terms for the licensing of a +specific Edition of the Software. + +1.10 "Software" means any and all software product Editions licensed to Licensee +under this Agreement, all as developed by Kasten and delivered to Licensee +hereunder. Software also includes any Updates provided by Kasten to Licensee. +For the avoidance of doubt, the definition of Software shall exclude any +Third-Party Software and Open Source Software. + +1.11 "Third-Party Software" means certain software Kasten licenses from third +parties and provides to Licensee with the Software, which may include Open +Source Software. + +1.12 "Update" means a revision of the Software that Kasten makes available to +customers at no additional cost. The Update includes, if and when applicable and +available, bug fix patches, maintenance release, minor release, or new major +releases. Updates are limited only to the Software licensed by Licensee, and +specifically exclude new product offerings, features, options or functionality +of the Software that Kasten may choose to license separately, or for an +additional fee. + +1.13 "Use" means to install activate the processing capabilities of the +Software, load, execute, access, employ the Software, or display information +resulting from such capabilities. + + +2. LICENSE GRANT AND RESTRICTIONS + +2.1 Enterprise License. Subject to Licensee"s compliance with the terms and +conditions of this Agreement (including any additional restrictions on +Licensee"s use of the Software set forth in the Purchase Agreement, if one +exists, between Licensee and Kasten), Kasten grants to Licensee a non-exclusive, +non-transferable (except in connection with a permitted assignment of this +Agreement under Section 14.10 (Assignment), non-sublicensable, limited term +license to install and use the Software, in object code form only, solely for +Licensee"s use, unless terminated in accordance with Section 4 (Term and +Termination). + +2.2 Starter License. This section shall only apply when the Licensee licenses +Starter Edition of the Software. The license granted herein is for a maximum of +5 Nodes and for a period of 12 months from the date of the Software release that +embeds the specific license instance. Updating to a newer Software (minor or +major) release will always extend the validity of the license by 12 months. If +the Licensee wishes to upgrade to an Enterprise License instead, the Licensee +will have to enter into a Purchase Agreement with Kasten which will supersede +this Agreement. The Licensee is required to provide accurate email and company +information, if representing a company, when accepting this Agreement. Under no +circumstances will a Starter License be construed to mean that the Licensee is +authorized to distribute the Software to any third party for any reason +whatsoever. + +2.3 Evaluation License. This section shall only apply when the Licensee has +licensed the Software for an initial evaluation period. The license granted +herein is valid only one time 30 days, starting from date of installation, +unless otherwise explicitly designated by Kasten ("Evaluation Period"). Under +this license the Software can only be used for evaluation purposes. Under no +circumstances will an Evaluation License be construed to mean that the Licensee +is authorized to distribute the Software to any third party for any reason +whatsoever. If the Licensee wishes to upgrade to an Enterprise License instead, +the Licensee will have to enter into a Purchase Agreement with Kasten which will +supersede this Agreement.. If the Licensee does not wish to upgrade to an +Enterprise License at the end of the Evaluation Period the Licensee"s rights +under the Agreement shall terminate, and the Licensee shall delete all Kasten +Software. + +2.4 License Restrictions. Except to the extent permitted under this Agreement, +Licensee will not nor will Licensee allow any third party to: (i) copy, modify, +adapt, translate or otherwise create derivative works of the Software or the +Documentation; (ii) reverse engineer, decompile, disassemble or otherwise +attempt to discover the source code of the Software; (iii) rent, lease, sell, +assign or otherwise transfer rights in or to the Software or Documentation; (iv) +remove any proprietary notices or labels from the Software or Documentation; (v) +publicly disseminate performance information or analysis (including, without +limitation, benchmarks) relating to the Software. Licensee will comply with all +applicable laws and regulations in Licensee"s use of and access to the Software +and Documentation. + +2.5 Responsibility for Use. The Software and Documentation may be used only by +Authorized Persons and in conformance with this Agreement. Licensee shall be +responsible for the proper use and protection of the Software and Documentation +and is responsible for: (i) installing, managing, operating, and physically +controlling the Software and the results obtained from using the Software; (ii) +using the Software within the operating environment specified in the +Documentation; and; (iii) establishing and maintaining such recovery and data +protection and security procedures as necessary for Licensee's service and +operation and/or as may be specified by Kasten from time to time. + +2.6 United States Government Users. The Software licensed under this Agreement +is "commercial computer software" as that term is described in DFAR +252.227-7014(a)(1). If acquired by or on behalf of a civilian agency, the U.S. +Government acquires this commercial computer software and/or commercial computer +software documentation subject to the terms and this Agreement as specified in +48 C.F.R. 12.212 (Computer Software) and 12.211 (Technical Data) of the Federal +Acquisition Regulations ("FAR") and its successors. If acquired by or on behalf +of any agency within the Department of Defense ("DOD"), the U.S. Government +acquires this commercial computer software and/or commercial computer software +documentation subject to the terms of this Agreement as specified in 48 C.F.R. +227.7202 of the DOD FAR Supplement and its successors. + + +3. SUPPORT + +3.1 During the Term (as defined below) and subject to Licensee’s compliance +with the terms and conditions of this Agreement, Licensee may submit queries and +requests for support for Enterprise Licenses by submitting Service Requests via Veeam +Support Portal (https://my.veeam.com). Support is not provided for Starter and Evaluation +Licenses. Licensee shall be entitled to the support service-level agreement specified +in the relevant order form or purchase order (“Order Form”) between Licensee and the +Reseller and as set forth in Kasten’s Support Policy, a copy of which can be found +at https://www.kasten.io/support-services-policy. Licensee shall also be permitted to +download and install all Updates released by Kasten during the Term and made generally +available to users of the Software. Software versions with all updates and upgrades +installed is supported for six months from the date of release of that version. + +3.2 Starter Edition Support. If the Licensee has licensed Starter Edition of +the Software, you will have access to the Kasten K10 Support Community +(https://community.veeam.com/groups/kasten-k10-support-92), but Kasten cannot guarantee +a service level of any sort. Should a higher level of support be needed, Licensee has +the option to consider entering into a Purchase Agreement with Kasten for licensing a +different Edition of the Software. + + + +4. TERM AND TERMINATION + +4.1 Term. The term of this Agreement, except for Starter and Evaluation +Licenses, shall commence on the Effective Date and shall, unless terminated +earlier in accordance with the provisions of Section 4.2 below, remain in force +for the Subscription Period as set forth in the applicable Order Form(s) (the +"Term"). The parties may extend the Term of this Agreement beyond the +Subscription Period by executing additional Order Form(s) and Licensee"s payment +of additional licensing fees. The term of this Agreement for the Starter and +Evaluation Licenses will coincide with the term for Starter Edition (as stated +in section 2.2) and the term for Evaluation Period (as stated in section 2.3), +respectively + +4.2 Termination. Either party may immediately terminate this +Agreement and the licenses granted hereunder if the other party (1) becomes +insolvent and"becomes unwilling or unable to meet its obligations under this +Agreement, (2) files a petition in bankruptcy, (3) is subject to the filing of +an involuntary petition for bankruptcy which is not rescinded within a period of +forty-five (45) days, (4) fails to cure a material breach of any material term +or condition of this Agreement within thirty (30) days of receipt of written +notice specifying such breach, or (5) materially breaches its obligations of +confidentiality hereunder. + +4.3 Effects of Termination. Upon expiration or +termination of this Agreement for any reason, (i) any amounts owed to Kasten +under this Agreement will be immediately due and payable; (ii) all licensed +rights granted in this Agreement will immediately cease; and (iii) Licensee will +promptly discontinue all use of the Software and Documentation and return to +Kasten any Kasten Confidential Information in Licensee"s possession or control. + +4.4 Survival. The following Sections of this Agreement will remain in effect +following the expiration or termination of these General Terms for any reason: +4.3 (Effects of Termination), 4.4 (Survival), 5 (Third Party Software) 5 +(Confidentiality), 9 (Ownership), 10.2 (Third-Party Software), 10.3 (Warranty +Disclaimer), 11 (Limitations of Liability), 12.2 (Exceptions to Kasten +Obligation), 13 (Export) and 14 (General). + + +5. THIRD PARTY AND OPEN SOURCE SOFTWARE Certain Third-Party Software or Open +Source Software (Kasten can provide a list upon request) that may be provided +with the Software may be subject to various other terms and conditions imposed +by the licensors of such Third-Party Software or Open Source Software. The +terms of Licensee"s use of the Third-Party Software or Open Source Software is +subject to and governed by the respective Third-Party Software and Open Source +licenses, except that this Section 5 (Third-Party Software), Section 10.2 (Third +Party Software), 10.3 (Warranty Disclaimer), Section 11 (Limitations of +Liability), and Section 14 (General) of this Agreement also govern Licensee"s +use of the Third-Party Software. To the extent applicable to Licensee"s use of +such Third-Party Software and Open Source, Licensee agrees to comply with the +terms and conditions contained in all such Third-Party Software and Open Source +licenses. + + +6. CONFIDENTIALITY Neither party will use any Confidential Information of the +other party except as expressly permitted by this Agreement or as expressly +authorized in writing by the disclosing party. The receiving party shall use +the same degree of care to protect the disclosing party"s Confidential +Information as it uses to protect its own Confidential Information of like +nature, but in no circumstances less than a commercially reasonable standard of +care. The receiving party may not disclose the disclosing party"s Confidential +Information to any person or entity other than to (i) (a) Authorized Persons in +the case the receiving party is Licensee, and (b) Kasten"s employees and +contractors in the case the receiving party is Kasten, and (ii) who need access +to such Confidential Information solely for the purpose of fulfilling that +party"s obligations or exercising that party"s rights hereunder. The foregoing +obligations will not restrict the receiving party from disclosing Confidential +Information of the disclosing party: (1) pursuant to the order or requirement of +a court, administrative agency, or other governmental body, provided that the +receiving party required to make such a disclosure gives reasonable notice to +the disclosing party prior to such disclosure; and (2) on a confidential basis +to its legal and financial advisors. Kasten may identify Licensee in its +customer lists in online and print marketing materials. + + +7. FEES Fees for Enterprise License shall be set forth in separate Order Form(s) +attached to a Purchase Agreement, between the Licensee and Kasten. + +If Licensee has obtained the Software through an Authorized Reseller, fees for +licensing shall be invoiced directly by the Authorized Reseller. + +If no Purchase Agreement exists, during the term of this Agreement, Kasten +shall license the Starter Edition only and no other Edition of the Software +"at no charge" to Licensee. + + +8. USAGE DATA Kasten may collect, accumulate, and aggregate certain usage +statistics in order to analyze usage of the Software, make improvements, and +potentially develop new products. Kasten may use aggregated anonymized data for +any purpose that Kasten, at its own discretion, may consider appropriate. + + +9. OWNERSHIP As between Kasten and Licensee, all right, title and interest in +the Software, Documentation and any other Kasten materials furnished or made +available hereunder, all modifications and enhancements thereof, and all +suggestions, ideas and feedback proposed by Licensee regarding the Software and +Documentation, including all copyright rights, patent rights and other +Intellectual Property Rights in each of the foregoing, belong to and are +retained solely by Kasten or Kasten"s licensors and providers, as applicable. +Licensee hereby does and will irrevocably assign to Kasten all evaluations, +ideas, feedback and suggestions made by Licensee to Kasten regarding the +Software and Documentation (collectively, "Feedback") and all Intellectual +Property Rights in and to the Feedback. Except as expressly provided herein, no +licenses of any kind are granted hereunder, whether by implication, estoppel, or +otherwise. + + +10. LIMITED WARRANTY AND DISCLAIMERS + +10.1 Limited Warranty. Kasten warrants for a period of thirty (30) days from +the Effective Date that the Software will materially conform to Kasten"s +then-current Documentation (the "Warranty Period") when properly installed on a +computer for which a license is granted hereunder. Licensee"s exclusive remedy +for a breach of this Section 10.1 is that Kasten shall, at its option, use +commercially reasonable efforts to correct or replace the Software, or refund +all or a portion of the fees paid by Licensee pursuant to the Purchase +Agreement. Kasten, in its sole discretion, may revise this limited warranty from +time to time. + +10.2 Third-Party Software. Except as expressly set forth in this Agreement, +Third-Party Software (including any Open Source Software) are provided on an +"as-is" basis at the sole risk of Licensee. Notwithstanding any language to the +contrary in this Agreement, Kasten makes no express or implied warranties of any +kind with respect to Third-Party Software provided to Licensee and shall not be +liable for any damages regarding the use or operation of the Third-Party +Software furnished under this Agreement. Any and all express or implied +warranties, if any, arising from the license of Third-Party Software shall be +those warranties running from the third party manufacturer or licensor to +Licensee. + +10.3 Warranty Disclaimer. EXCEPT FOR THE LIMITED WARRANTY PROVIDED ABOVE, +KASTEN AND ITS SUPPLIERS MAKE NO WARRANTY OF ANY KIND, WHETHER EXPRESS, IMPLIED, +STATUTORY OR OTHERWISE, RELATING TO THE SOFTWARE OR TO KASTEN"S MAINTENANCE, +PROFESSIONAL OR OTHER SERVICES. KASTEN SPECIFICALLY DISCLAIMS ALL IMPLIED +WARRANTIES OF DESIGN, MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE +AND NON-INFRINGEMENT. KASTEN AND ITS SUPPLIERS AND LICENSORS DO NOT WARRANT OR +REPRESENT THAT THE SOFTWARE WILL BE FREE FROM BUGS OR THAT ITS USE WILL BE +UNINTERRUPTED OR ERROR-FREE. THIS DISCLAIMER SHALL APPLY NOTWITHSTANDING THE +FAILURE OF THE ESSENTIAL PURPOSE OF ANY LIMITED REMEDY PROVIDED HEREIN. EXCEPT +AS STATED ABOVE, KASTEN AND ITS SUPPLIERS PROVIDE THE SOFTWARE ON AN "AS IS" +BASIS. KASTEN PROVIDES NO WARRANTIES WITH RESPECT TO THIRD PARTY SOFTWARE AND +OPEN SOURCE SOFTWARE. + + +11. LIMITATIONS OF LIABILITY + +11.1 EXCLUSION OF CERTAIN DAMAGES. EXCEPT FOR BREACHES OF SECTION 6 +(CONFIDENTIALITY) OR SECTION 9 (OWNERSHIP), IN NO EVENT WILL EITHER PARTY BE +LIABLE FOR ANY INDIRECT, CONSEQUENTIAL, EXEMPLARY, SPECIAL, INCIDENTAL OR +RELIANCE DAMAGES, INCLUDING ANY LOST DATA, LOSS OF USE AND LOST PROFITS, ARISING +FROM OR RELATING TO THIS AGREEMENT, THE SOFTWARE OR DOCUMENTATION, EVEN IF SUCH +PARTY KNEW OR SHOULD HAVE KNOWN OF THE POSSIBILITY OF, OR COULD REASONABLY HAVE +PREVENTED, SUCH DAMAGES. + +11.2 LIMITATION OF DAMAGES. EXCEPT FOR THE BREACHES OF SECTION 6 +(CONFIDENTIALITY) OR SECTION 9 (OWNERSHIP), EACH PARTY"S TOTAL CUMULATIVE +LIABILITY ARISING FROM OR RELATED TO THIS AGREEMENT OR THE SOFTWARE, +DOCUMENTATION, OR SERVICES PROVIDED BY KASTEN, WILL NOT EXCEED THE AMOUNT OF +FEES PAID OR PAYABLE BY LICENSEE FOR THE SOFTWARE, DOCUMENTATION OR SERVICES +GIVING RISE TO THE CLAIM IN THE TWELVE (12) MONTHS FOLLOWING THE EFFECTIVE DATE. +LICENSEE AGREES THAT KASTEN"S SUPPLIERS AND LICENSORS WILL HAVE NO LIABILITY OF +ANY KIND UNDER OR AS A RESULT OF THIS AGREEMENT. IN THE CASE OF KASTEN"S +INDEMNIFICATION OBLIGATIONS, KASTEN"S CUMULATIVE LIABILITY UNDER THIS AGREEMENT +SHALL BE LIMITED TO THE SUM OF THE LICENSE FEES PAID OR PAYABLE BY LICENSEE FOR +THE SOFTWARE, DOCUMENTATION OR SERVICES GIVING RISE TO THE CLAIM IN THE TWELVE +(12) MONTHS FOLLOWING THE EFFECTIVE DATE. + +11.3 THIRD PARTY SOFTWARE. NOTWITHSTANDING ANY LANGUAGE TO THE CONTRARY IN THIS +AGREEMENT, KASTEN SHALL NOT BE LIABLE FOR ANY DAMAGES REGARDING THE USE OR +OPERATION OF ANY THIRD-PARTY SOFTWARE FURNISHED UNDER THIS AGREEMENT. + +11.4 LIMITATION OF ACTIONS. IN NO EVENT MAY LICENSEE BRING ANY CAUSE OF ACTION +RELATED TO THIS AGREEMENT MORE THAN ONE (1) YEAR AFTER THE OCCURRENCE OF THE +EVENT GIVING RISE TO THE LIABILITY. + + +12. EXPORT +The Software, Documentation and related technical data may be subject +to U.S. export control laws, including without limitation the U.S. Export +Administration Act and its associated regulations, and may be subject to export +or import regulations in other countries. Licensee shall comply with all such +regulations and agrees to obtain all necessary licenses to export, re-export, or +import the Software, Documentation and related technical data. + + +13. GENERAL + +13.1 No Agency. Kasten and Licensee each acknowledge and agree that the +relationship established by this Agreement is that of independent contractors, +and nothing contained in this Agreement shall be construed to: (1) give either +party the power to direct or control the daytoday activities of the other; (2) +deem the parties to be acting as partners, joint venturers, coowners or +otherwise as participants in a joint undertaking; or (3) permit either party or +any of either party"s officers, directors, employees, agents or representatives +to create or assume any obligation on behalf of or for the account of the other +party for any purpose whatsoever. + +13.2 Compliance with Laws. Each party agrees to comply with all applicable +laws, regulations, and ordinances relating to their performance hereunder. +Without limiting the foregoing, Licensee warrants and covenants that it will +comply with all then current laws and regulations of the United States and other +jurisdictions relating or applicable to Licensee"s use of the Software and +Documentation including, without limitation, those concerning Intellectual +Property Rights, invasion of privacy, defamation, and the import and export of +Software and Documentation. + +13.3 Force Majeure. Except for the duty to pay money, neither party shall be +liable hereunder by reason of any failure or delay in the performance of its +obligations hereunder on account of strikes, riots, fires, flood, storm, +explosions, acts of God, war, governmental action, earthquakes, or any other +cause which is beyond the reasonable control of such party. + +13.4 Governing Law; Venue and Jurisdiction. This Agreement shall be interpreted +according to the laws of the State of California without regard to or +application of choiceoflaw rules or principles. The parties expressly agree +that the United Nations Convention on Contracts for the International Sale of +Goods and the Uniform Computer Information Transactions Act will not apply. Any +legal action or proceeding arising under this Agreement will be brought +exclusively in the federal or state courts located in Santa Clara County, +California and the parties hereby consent to the personal jurisdiction and venue +therein. + +13.5 Injunctive Relief. The parties agree that monetary damages would not be an +adequate remedy for the breach of certain provisions of this Agreement, +including, without limitation, all provisions concerning infringement, +confidentiality and nondisclosure, or limitation on permitted use of the +Software or Documentation. The parties further agree that, in the event of such +breach, injunctive relief would be necessary to prevent irreparable injury. +Accordingly, either party shall have the right to seek injunctive relief or +similar equitable remedies to enforce such party's rights under the pertinent +provisions of this Agreement, without limiting its right to pursue any other +legal remedies available to it. + +13.6 Entire Agreement and Waiver. This Agreement and any exhibits hereto shall +constitute the entire agreement and contains all terms and conditions between +Kasten and Licensee with respect to the subject matter hereof and all prior +agreements, representations, and statement with respect to such subject matter +are superseded hereby. This Agreement may be changed only by written agreement +signed by both Kasten and Licensee. No failure of either party to exercise or +enforce any of its rights under this Agreement shall act as a waiver of +subsequent breaches; and the waiver of any breach shall not act as a waiver of +subsequent breaches. + +13.7 Severability. In the event any provision of this Agreement is held by a +court or other tribunal of competent jurisdiction to be unenforceable, that +provision will be enforced to the maximum extent permissible under applicable +law and the other provisions of this Agreement will remain in full force and +effect. The parties further agree that in the event such provision is an +essential part of this Agreement, they will begin negotiations for a suitable +replacement provision. + +13.8 Counterparts. This Agreement may be executed in any number of +counterparts, each of which, when so executed and delivered (including by +facsimile), shall be deemed an original, and all of which shall constitute one +and the same agreement. + +13.9 Binding Effect. This Agreement shall be binding upon and shall inure to +the benefit of the respective parties hereto, their respective successors and +permitted assigns. + +13.10 Assignment. Neither party may, without the prior written consent of the +other party (which shall not be unreasonably withheld), assign this Agreement, +in whole or in part, either voluntarily or by operation of law, and any attempt +to do so shall be a material default of this Agreement and shall be void. +Notwithstanding the foregoing, Kasten may assign its rights and benefits and +delegate its duties and obligations under this Agreement without the consent of +Licensee in connection with a merger, reorganization or sale of all or +substantially all relevant assets of the assigning party; in each case provided +that such successor assumes the assigning party"s obligations under this +Agreement. + diff --git a/charts/kasten/k10/7.0.1401/files/favicon.png b/charts/kasten/k10/7.0.1401/files/favicon.png new file mode 100644 index 000000000..fb617ce12 Binary files /dev/null and b/charts/kasten/k10/7.0.1401/files/favicon.png differ diff --git a/charts/kasten/k10/7.0.1401/files/kasten-logo.svg b/charts/kasten/k10/7.0.1401/files/kasten-logo.svg new file mode 100644 index 000000000..0d0ef14ee --- /dev/null +++ b/charts/kasten/k10/7.0.1401/files/kasten-logo.svg @@ -0,0 +1,24 @@ + + + + + + diff --git a/charts/kasten/k10/7.0.1401/files/styles.css b/charts/kasten/k10/7.0.1401/files/styles.css new file mode 100644 index 000000000..2d9205711 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/files/styles.css @@ -0,0 +1,113 @@ +.theme-body { + background-color: #efefef; + color: #333; + font-family: 'Source Sans Pro', Helvetica, sans-serif; +} + +.theme-navbar { + background-color: #fff; + box-shadow: 0 2px 2px rgba(0, 0, 0, 0.2); + color: #333; + font-size: 13px; + font-weight: 100; + height: 46px; + overflow: hidden; + padding: 0 10px; +} + +.theme-navbar__logo-wrap { + display: inline-block; + height: 100%; + overflow: hidden; + padding: 10px 15px; + width: 300px; +} + +.theme-navbar__logo { + height: 100%; + max-height: 25px; +} + +.theme-heading { + font-size: 20px; + font-weight: 500; + margin-bottom: 10px; + margin-top: 0; +} + +.theme-panel { + background-color: #fff; + box-shadow: 0 5px 15px rgba(0, 0, 0, 0.5); + padding: 30px; +} + +.theme-btn-provider { + background-color: #fff; + color: #333; + min-width: 250px; +} + +.theme-btn-provider:hover { + color: #999; +} + +.theme-btn--primary { + background-color: #333; + border: none; + color: #fff; + min-width: 200px; + padding: 6px 12px; +} + +.theme-btn--primary:hover { + background-color: #666; + color: #fff; +} + +.theme-btn--success { + background-color: #2FC98E; + color: #fff; + width: 250px; +} + +.theme-btn--success:hover { + background-color: #49E3A8; +} + +.theme-form-row { + display: block; + margin: 20px auto; +} + +.theme-form-input { + border-radius: 4px; + border: 1px solid #CCC; + box-shadow: inset 0 1px 1px rgba(0, 0, 0, 0.075); + color: #666; + display: block; + font-size: 14px; + height: 36px; + line-height: 1.42857143; + margin: auto; + padding: 6px 12px; + width: 250px; +} + +.theme-form-input:focus, +.theme-form-input:active { + border-color: #66AFE9; + outline: none; +} + +.theme-form-label { + font-size: 13px; + font-weight: 600; + margin: 4px auto; + position: relative; + text-align: left; + width: 250px; +} + +.theme-link-back { + margin-top: 4px; +} diff --git a/charts/kasten/k10/7.0.1401/grafana/dashboards/default/default.json b/charts/kasten/k10/7.0.1401/grafana/dashboards/default/default.json new file mode 100644 index 000000000..2c0e12e59 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/grafana/dashboards/default/default.json @@ -0,0 +1,6337 @@ +{ + "annotations": { + "list": [ + { + "builtIn": 1, + "datasource": "-- Grafana --", + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "name": "Annotations & Alerts", + "target": { + "limit": 100, + "matchAny": false, + "tags": [], + "type": "dashboard" + }, + "type": "dashboard" + } + ] + }, + "editable": true, + "fiscalYearStartMonth": 0, + "graphTooltip": 0, + "id": 12, + "links": [], + "liveNow": false, + "panels": [ + { + "collapsed": false, + "datasource": "Prometheus", + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 0 + }, + "id": 53, + "panels": [], + "targets": [ + { + "datasource": "Prometheus", + "refId": "A" + } + ], + "title": "K10 System Resource Usage", + "type": "row" + }, + { + "datasource": "Prometheus", + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 0, + "y": 1 + }, + "id": 55, + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": "Prometheus", + "editorMode": "builder", + "expr": "sum(rate(process_cpu_seconds_total[5m]))", + "legendFormat": "Total CPU seconds", + "range": true, + "refId": "A" + } + ], + "title": "K10 CPU total seconds ", + "type": "timeseries" + }, + { + "datasource": "Prometheus", + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "decbytes" + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 12, + "y": 1 + }, + "id": 57, + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": "Prometheus", + "editorMode": "builder", + "expr": "sum(process_resident_memory_bytes)", + "hide": false, + "legendFormat": "Total memory consumption", + "range": true, + "refId": "C" + } + ], + "title": "K10 total memory consumption", + "type": "timeseries" + }, + { + "datasource": "Prometheus", + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 0, + "y": 9 + }, + "id": 81, + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": "Prometheus", + "editorMode": "builder", + "expr": "rate(process_cpu_seconds_total{job=\"httpServiceDiscovery\"}[5m])", + "legendFormat": "{{service}}", + "range": true, + "refId": "A" + }, + { + "datasource": "Prometheus", + "editorMode": "builder", + "expr": "sum(rate(process_cpu_seconds_total{job=\"k10-pods\"}[5m]))", + "hide": false, + "legendFormat": "executor", + "range": true, + "refId": "B" + }, + { + "datasource": "Prometheus", + "editorMode": "builder", + "expr": "sum(rate(process_cpu_seconds_total{job=\"pushAggregator\"}[5m]))", + "hide": false, + "legendFormat": "ephemeral pods", + "range": true, + "refId": "C" + }, + { + "datasource": "Prometheus", + "editorMode": "builder", + "expr": "sum(rate(process_cpu_seconds_total{job=\"prometheus\"}[5m]))", + "hide": false, + "legendFormat": "prometheus", + "range": true, + "refId": "D" + } + ], + "title": "CPU total seconds per service", + "type": "timeseries" + }, + { + "datasource": "Prometheus", + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "decbytes" + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 12, + "y": 9 + }, + "id": 82, + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": "Prometheus", + "editorMode": "builder", + "expr": "process_resident_memory_bytes{job=\"pushAggregator\"}", + "hide": false, + "legendFormat": "ephemeral pods", + "range": true, + "refId": "C" + }, + { + "datasource": "Prometheus", + "editorMode": "builder", + "expr": "process_resident_memory_bytes{job=\"httpServiceDiscovery\"}", + "hide": false, + "legendFormat": "{{service}}", + "range": true, + "refId": "A" + }, + { + "datasource": "Prometheus", + "editorMode": "builder", + "expr": "sum(process_resident_memory_bytes{job=\"k10-pods\"})", + "hide": false, + "legendFormat": "executor", + "range": true, + "refId": "B" + }, + { + "datasource": "Prometheus", + "editorMode": "builder", + "expr": "sum(process_resident_memory_bytes{job=\"prometheus\"})", + "hide": false, + "legendFormat": "prometheus", + "range": true, + "refId": "D" + } + ], + "title": "Memory consumption by service", + "type": "timeseries" + }, + { + "collapsed": false, + "datasource": "Prometheus", + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 17 + }, + "id": 18, + "panels": [], + "targets": [ + { + "datasource": "Prometheus", + "refId": "A" + } + ], + "title": "Applications", + "type": "row" + }, + { + "datasource": "Prometheus", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "noValue": "0", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "yellow", + "value": null + }, + { + "color": "green", + "value": 1 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 7, + "w": 5, + "x": 0, + "y": 18 + }, + "id": 24, + "interval": "1m", + "options": { + "colorMode": "value", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "last" + ], + "fields": "", + "values": false + }, + "text": {}, + "textMode": "auto" + }, + "pluginVersion": "9.1.5", + "targets": [ + { + "datasource": "Prometheus", + "exemplar": false, + "expr": "sum(round(increase(action_backup_ended_overall{cluster=\"$cluster\", state=\"succeeded\"}[$__range])))", + "hide": false, + "interval": "", + "legendFormat": "", + "refId": "B" + } + ], + "title": "Backups Completed", + "type": "stat" + }, + { + "datasource": "Prometheus", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [ + { + "options": { + "0": { + "index": 0, + "text": "-" + } + }, + "type": "value" + } + ], + "noValue": "-", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "text", + "value": null + }, + { + "color": "red", + "value": 1 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 7, + "w": 3, + "x": 5, + "y": 18 + }, + "id": 33, + "interval": "1m", + "options": { + "colorMode": "value", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "last" + ], + "fields": "", + "values": false + }, + "text": {}, + "textMode": "auto" + }, + "pluginVersion": "9.1.5", + "targets": [ + { + "datasource": "Prometheus", + "exemplar": false, + "expr": "sum(round(increase(action_backup_ended_overall{cluster=\"$cluster\", state=~\"failed|cancelled\"}[$__range])))", + "hide": false, + "interval": "", + "legendFormat": "", + "refId": "B" + } + ], + "title": "Backups Failed", + "type": "stat" + }, + { + "datasource": "Prometheus", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [ + { + "options": { + "0": { + "index": 0, + "text": "-" + } + }, + "type": "value" + } + ], + "noValue": "-", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "text", + "value": null + }, + { + "color": "#EAB839", + "value": 1 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 7, + "w": 3, + "x": 8, + "y": 18 + }, + "id": 34, + "interval": "1m", + "options": { + "colorMode": "value", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "last" + ], + "fields": "", + "values": false + }, + "text": {}, + "textMode": "auto" + }, + "pluginVersion": "9.1.5", + "targets": [ + { + "datasource": "Prometheus", + "exemplar": false, + "expr": "sum(round(increase(action_backup_skipped_overall{cluster=\"$cluster\"}[$__range])))", + "hide": false, + "interval": "", + "legendFormat": "", + "refId": "B" + } + ], + "title": "Backups Skipped", + "type": "stat" + }, + { + "datasource": "Prometheus", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [ + { + "options": { + "0": { + "index": 0, + "text": "-" + } + }, + "type": "value" + } + ], + "noValue": "-", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "text", + "value": null + }, + { + "color": "green", + "value": 1 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 7, + "w": 5, + "x": 13, + "y": 18 + }, + "id": 35, + "interval": "1m", + "options": { + "colorMode": "value", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "last" + ], + "fields": "", + "values": false + }, + "text": {}, + "textMode": "auto" + }, + "pluginVersion": "9.1.5", + "targets": [ + { + "datasource": "Prometheus", + "exemplar": false, + "expr": "sum(round(increase(action_restore_ended_overall{cluster=\"$cluster\", state=\"succeeded\"}[$__range])))", + "hide": false, + "interval": "", + "legendFormat": "", + "refId": "B" + } + ], + "title": "Restores Completed", + "type": "stat" + }, + { + "datasource": "Prometheus", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [ + { + "options": { + "0": { + "index": 0, + "text": "-" + } + }, + "type": "value" + } + ], + "noValue": "-", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "text", + "value": null + }, + { + "color": "red", + "value": 1 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 7, + "w": 3, + "x": 18, + "y": 18 + }, + "id": 36, + "interval": "1m", + "options": { + "colorMode": "value", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "last" + ], + "fields": "", + "values": false + }, + "text": {}, + "textMode": "auto" + }, + "pluginVersion": "9.1.5", + "targets": [ + { + "datasource": "Prometheus", + "exemplar": false, + "expr": "sum(round(increase(action_restore_ended_overall{cluster=\"$cluster\", state=~\"failed|cancelled\"}[$__range])))", + "hide": false, + "interval": "", + "legendFormat": "", + "refId": "B" + } + ], + "title": "Restores Failed", + "type": "stat" + }, + { + "datasource": "Prometheus", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [ + { + "options": { + "0": { + "index": 0, + "text": "-" + } + }, + "type": "value" + } + ], + "noValue": "-", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "text", + "value": null + }, + { + "color": "#EAB839", + "value": 1 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 7, + "w": 3, + "x": 21, + "y": 18 + }, + "id": 23, + "interval": "1m", + "options": { + "colorMode": "value", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "last" + ], + "fields": "", + "values": false + }, + "text": {}, + "textMode": "auto" + }, + "pluginVersion": "9.1.5", + "targets": [ + { + "datasource": "Prometheus", + "exemplar": false, + "expr": "sum(round(increase(action_restore_skipped_overall{cluster=\"$cluster\"}[$__range])))", + "hide": false, + "interval": "", + "legendFormat": "", + "refId": "B" + } + ], + "title": "Restores Skipped", + "type": "stat" + }, + { + "collapsed": false, + "datasource": "Prometheus", + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 25 + }, + "id": 16, + "panels": [], + "targets": [ + { + "datasource": "Prometheus", + "refId": "A" + } + ], + "title": "Cluster", + "type": "row" + }, + { + "datasource": "Prometheus", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "noValue": "0", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "yellow", + "value": null + }, + { + "color": "green", + "value": 1 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 7, + "w": 5, + "x": 0, + "y": 26 + }, + "id": 10, + "interval": "1m", + "options": { + "colorMode": "value", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "last" + ], + "fields": "", + "values": false + }, + "text": {}, + "textMode": "auto" + }, + "pluginVersion": "9.1.5", + "targets": [ + { + "datasource": "Prometheus", + "exemplar": false, + "expr": "sum(round(increase(action_backup_cluster_ended_overall{cluster=\"$cluster\", state=\"succeeded\"}[$__range])))", + "hide": false, + "interval": "", + "legendFormat": "", + "refId": "B" + } + ], + "title": "Cluster Backups Completed", + "type": "stat" + }, + { + "datasource": "Prometheus", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [ + { + "options": { + "0": { + "index": 0, + "text": "-" + } + }, + "type": "value" + } + ], + "noValue": "-", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "text", + "value": null + }, + { + "color": "red", + "value": 1 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 7, + "w": 3, + "x": 5, + "y": 26 + }, + "id": 19, + "interval": "1m", + "options": { + "colorMode": "value", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "last" + ], + "fields": "", + "values": false + }, + "text": {}, + "textMode": "auto" + }, + "pluginVersion": "9.1.5", + "targets": [ + { + "datasource": "Prometheus", + "exemplar": false, + "expr": "sum(round(increase(action_backup_cluster_ended_overall{cluster=\"$cluster\", state=~\"failed|cancelled\"}[$__range])))", + "hide": false, + "interval": "", + "legendFormat": "", + "refId": "B" + } + ], + "title": "Cluster Backups Failed", + "type": "stat" + }, + { + "datasource": "Prometheus", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [ + { + "options": { + "0": { + "index": 0, + "text": "-" + } + }, + "type": "value" + } + ], + "noValue": "-", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "text", + "value": null + }, + { + "color": "#EAB839", + "value": 1 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 7, + "w": 3, + "x": 8, + "y": 26 + }, + "id": 28, + "interval": "1m", + "options": { + "colorMode": "value", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "last" + ], + "fields": "", + "values": false + }, + "text": {}, + "textMode": "auto" + }, + "pluginVersion": "9.1.5", + "targets": [ + { + "datasource": "Prometheus", + "exemplar": false, + "expr": "sum(round(increase(action_backup_cluster_skipped_overall{cluster=\"$cluster\"}[$__range])))", + "hide": false, + "interval": "", + "legendFormat": "", + "refId": "B" + } + ], + "title": "Cluster Backups Skipped", + "type": "stat" + }, + { + "datasource": "Prometheus", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [ + { + "options": { + "0": { + "index": 0, + "text": "-" + } + }, + "type": "value" + } + ], + "noValue": "-", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "text", + "value": null + }, + { + "color": "green", + "value": 1 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 7, + "w": 5, + "x": 13, + "y": 26 + }, + "id": 21, + "interval": "1m", + "options": { + "colorMode": "value", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "last" + ], + "fields": "", + "values": false + }, + "text": {}, + "textMode": "auto" + }, + "pluginVersion": "9.1.5", + "targets": [ + { + "datasource": "Prometheus", + "exemplar": false, + "expr": "sum(round(increase(action_restore_cluster_ended_overall{cluster=\"$cluster\", state=\"succeeded\"}[$__range])))", + "hide": false, + "interval": "", + "legendFormat": "", + "refId": "B" + } + ], + "title": "Cluster Restores Completed", + "type": "stat" + }, + { + "datasource": "Prometheus", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [ + { + "options": { + "0": { + "index": 0, + "text": "-" + } + }, + "type": "value" + } + ], + "noValue": "-", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "text", + "value": null + }, + { + "color": "red", + "value": 1 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 7, + "w": 3, + "x": 18, + "y": 26 + }, + "id": 22, + "interval": "1m", + "options": { + "colorMode": "value", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "last" + ], + "fields": "", + "values": false + }, + "text": {}, + "textMode": "auto" + }, + "pluginVersion": "9.1.5", + "targets": [ + { + "datasource": "Prometheus", + "exemplar": false, + "expr": "sum(round(increase(action_restore_cluster_ended_overall{cluster=\"$cluster\", state=~\"failed|cancelled\"}[$__range])))", + "hide": false, + "interval": "", + "legendFormat": "", + "refId": "B" + } + ], + "title": "Cluster Restores Failed", + "type": "stat" + }, + { + "datasource": "Prometheus", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [ + { + "options": { + "0": { + "index": 0, + "text": "-" + } + }, + "type": "value" + } + ], + "noValue": "-", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "text", + "value": null + }, + { + "color": "#EAB839", + "value": 1 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 7, + "w": 3, + "x": 21, + "y": 26 + }, + "id": 25, + "interval": "1m", + "options": { + "colorMode": "value", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "last" + ], + "fields": "", + "values": false + }, + "text": {}, + "textMode": "auto" + }, + "pluginVersion": "9.1.5", + "targets": [ + { + "datasource": "Prometheus", + "exemplar": false, + "expr": "sum(round(increase(action_restore_cluster_skipped_overall{cluster=\"$cluster\"}[$__range])))", + "hide": false, + "interval": "", + "legendFormat": "", + "refId": "B" + } + ], + "title": "Cluster Restores Skipped", + "type": "stat" + }, + { + "collapsed": false, + "datasource": "Prometheus", + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 33 + }, + "id": 31, + "panels": [], + "targets": [ + { + "datasource": "Prometheus", + "refId": "A" + } + ], + "title": "Backup Exports", + "type": "row" + }, + { + "datasource": "Prometheus", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "noValue": "0", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "text", + "value": null + }, + { + "color": "green", + "value": 1 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 6, + "w": 5, + "x": 0, + "y": 34 + }, + "id": 38, + "interval": "1m", + "options": { + "colorMode": "value", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "last" + ], + "fields": "", + "values": false + }, + "text": {}, + "textMode": "auto" + }, + "pluginVersion": "9.1.5", + "targets": [ + { + "datasource": "Prometheus", + "exemplar": false, + "expr": "sum(round(increase(action_export_ended_overall{cluster=\"$cluster\", state=\"succeeded\"}[$__range])))", + "hide": false, + "interval": "", + "legendFormat": "", + "refId": "B" + } + ], + "title": "Exports Completed", + "type": "stat" + }, + { + "datasource": "Prometheus", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [ + { + "options": { + "0": { + "index": 0, + "text": "-" + } + }, + "type": "value" + } + ], + "noValue": "-", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "text", + "value": null + }, + { + "color": "red", + "value": 1 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 6, + "w": 3, + "x": 5, + "y": 34 + }, + "id": 29, + "interval": "1m", + "options": { + "colorMode": "value", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "last" + ], + "fields": "", + "values": false + }, + "text": {}, + "textMode": "auto" + }, + "pluginVersion": "9.1.5", + "targets": [ + { + "datasource": "Prometheus", + "exemplar": false, + "expr": "sum(round(increase(action_export_ended_overall{cluster=\"$cluster\", state=~\"failed|cancelled\"}[$__range])))", + "hide": false, + "interval": "", + "legendFormat": "", + "refId": "B" + } + ], + "title": "Exports Failed", + "type": "stat" + }, + { + "datasource": "Prometheus", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [ + { + "options": { + "0": { + "index": 0, + "text": "-" + } + }, + "type": "value" + } + ], + "noValue": "-", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "text", + "value": null + }, + { + "color": "#EAB839", + "value": 1 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 6, + "w": 3, + "x": 8, + "y": 34 + }, + "id": 20, + "interval": "1m", + "options": { + "colorMode": "value", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "last" + ], + "fields": "", + "values": false + }, + "text": {}, + "textMode": "auto" + }, + "pluginVersion": "9.1.5", + "targets": [ + { + "datasource": "Prometheus", + "exemplar": false, + "expr": "sum(round(increase(action_export_skipped_overall{cluster=\"$cluster\"}[$__range])))", + "hide": false, + "interval": "", + "legendFormat": "", + "refId": "B" + } + ], + "title": "Exports Skipped", + "type": "stat" + }, + { + "datasource": "Prometheus", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "noValue": "0", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "text", + "value": null + }, + { + "color": "green", + "value": 1 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 6, + "w": 5, + "x": 13, + "y": 34 + }, + "id": 27, + "interval": "1m", + "options": { + "colorMode": "value", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "last" + ], + "fields": "", + "values": false + }, + "text": {}, + "textMode": "auto" + }, + "pluginVersion": "9.1.5", + "targets": [ + { + "datasource": "Prometheus", + "exemplar": false, + "expr": "sum(round(increase(action_import_ended_overall{cluster=\"$cluster\", state=\"succeeded\"}[$__range])))", + "hide": false, + "interval": "", + "legendFormat": "", + "refId": "B" + } + ], + "title": "Imports Completed", + "type": "stat" + }, + { + "datasource": "Prometheus", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [ + { + "options": { + "0": { + "index": 0, + "text": "-" + } + }, + "type": "value" + } + ], + "noValue": "-", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "text", + "value": null + }, + { + "color": "red", + "value": 1 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 6, + "w": 3, + "x": 18, + "y": 34 + }, + "id": 39, + "interval": "1m", + "options": { + "colorMode": "value", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "last" + ], + "fields": "", + "values": false + }, + "text": {}, + "textMode": "auto" + }, + "pluginVersion": "9.1.5", + "targets": [ + { + "datasource": "Prometheus", + "exemplar": false, + "expr": "sum(round(increase(action_import_ended_overall{cluster=\"$cluster\", state=~\"failed|cancelled\"}[$__range])))", + "hide": false, + "interval": "", + "legendFormat": "", + "refId": "B" + } + ], + "title": "Imports Failed", + "type": "stat" + }, + { + "datasource": "Prometheus", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [ + { + "options": { + "0": { + "index": 0, + "text": "-" + } + }, + "type": "value" + } + ], + "noValue": "-", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "text", + "value": null + }, + { + "color": "#EAB839", + "value": 1 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 6, + "w": 3, + "x": 21, + "y": 34 + }, + "id": 37, + "interval": "1m", + "options": { + "colorMode": "value", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "last" + ], + "fields": "", + "values": false + }, + "text": {}, + "textMode": "auto" + }, + "pluginVersion": "9.1.5", + "targets": [ + { + "datasource": "Prometheus", + "exemplar": false, + "expr": "sum(round(increase(action_import_skipped_overall{cluster=\"$cluster\"}[$__range])))", + "hide": false, + "interval": "", + "legendFormat": "", + "refId": "B" + } + ], + "title": "Imports Skipped", + "type": "stat" + }, + { + "collapsed": false, + "datasource": "Prometheus", + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 40 + }, + "id": 14, + "panels": [], + "targets": [ + { + "datasource": "Prometheus", + "refId": "A" + } + ], + "title": "System", + "type": "row" + }, + { + "datasource": "Prometheus", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [ + { + "options": { + "0": { + "index": 0, + "text": "-" + } + }, + "type": "value" + } + ], + "noValue": "-", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "text", + "value": null + }, + { + "color": "green", + "value": 1 + } + ] + }, + "unit": "runs" + }, + "overrides": [] + }, + "gridPos": { + "h": 6, + "w": 3, + "x": 0, + "y": 41 + }, + "id": 12, + "interval": "1m", + "options": { + "colorMode": "value", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "last" + ], + "fields": "", + "values": false + }, + "text": {}, + "textMode": "auto" + }, + "pluginVersion": "9.1.5", + "targets": [ + { + "datasource": "Prometheus", + "exemplar": false, + "expr": "sum(round(increase(action_run_ended_overall{cluster=\"$cluster\", state=\"succeeded\"}[$__range])))", + "format": "time_series", + "interval": "", + "legendFormat": "", + "queryType": "randomWalk", + "refId": "A" + } + ], + "title": "Policy Runs", + "type": "stat" + }, + { + "datasource": "Prometheus", + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [ + { + "options": { + "0": { + "index": 0, + "text": "-" + } + }, + "type": "value" + } + ], + "noValue": "-", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "text", + "value": null + }, + { + "color": "yellow", + "value": 1 + } + ] + }, + "unit": "runs" + }, + "overrides": [] + }, + "gridPos": { + "h": 6, + "w": 3, + "x": 3, + "y": 41 + }, + "id": 40, + "interval": "1m", + "options": { + "colorMode": "value", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "last" + ], + "fields": "", + "values": false + }, + "text": {}, + "textMode": "auto" + }, + "pluginVersion": "9.1.5", + "targets": [ + { + "datasource": "Prometheus", + "exemplar": false, + "expr": "sum(round(increase(action_run_skipped_overall{cluster=\"$cluster\"}[$__range])))", + "format": "time_series", + "interval": "", + "legendFormat": "", + "queryType": "randomWalk", + "refId": "A" + } + ], + "title": "Policy Runs Skipped", + "type": "stat" + }, + { + "datasource": "Prometheus", + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "noValue": "-", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "#ccccdc", + "value": null + } + ] + }, + "unit": "bytes" + }, + "overrides": [] + }, + "gridPos": { + "h": 6, + "w": 3, + "x": 6, + "y": 41 + }, + "id": 6, + "options": { + "colorMode": "value", + "graphMode": "area", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "text": {}, + "textMode": "auto" + }, + "pluginVersion": "9.1.5", + "targets": [ + { + "datasource": "Prometheus", + "exemplar": true, + "expr": "catalog_persistent_volume_disk_space_used_bytes{cluster=\"$cluster\"}", + "interval": "", + "legendFormat": "", + "queryType": "randomWalk", + "refId": "A" + } + ], + "title": "Catalog Volume Used", + "type": "stat" + }, + { + "datasource": "Prometheus", + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "max": 100, + "min": 0, + "noValue": "-", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "yellow", + "value": 70 + }, + { + "color": "orange", + "value": 80 + }, + { + "color": "red", + "value": 90 + } + ] + }, + "unit": "percent" + }, + "overrides": [] + }, + "gridPos": { + "h": 6, + "w": 3, + "x": 9, + "y": 41 + }, + "id": 2, + "options": { + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "showThresholdLabels": false, + "showThresholdMarkers": true, + "text": {} + }, + "pluginVersion": "9.1.5", + "targets": [ + { + "datasource": "Prometheus", + "exemplar": true, + "expr": "100-catalog_persistent_volume_free_space_percent{cluster=\"$cluster\"}", + "interval": "", + "legendFormat": "", + "queryType": "randomWalk", + "refId": "A" + } + ], + "title": "Catalog Volume Used Space", + "type": "gauge" + }, + { + "datasource": "Prometheus", + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "noValue": "-", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "#ccccdc", + "value": null + } + ] + }, + "unit": "bytes" + }, + "overrides": [] + }, + "gridPos": { + "h": 6, + "w": 3, + "x": 12, + "y": 41 + }, + "id": 8, + "options": { + "colorMode": "value", + "graphMode": "area", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "text": {}, + "textMode": "auto" + }, + "pluginVersion": "9.1.5", + "targets": [ + { + "datasource": "Prometheus", + "exemplar": true, + "expr": "jobs_persistent_volume_disk_space_used_bytes{cluster=\"$cluster\"}", + "interval": "", + "legendFormat": "", + "queryType": "randomWalk", + "refId": "A" + } + ], + "title": "Jobs Volume Used", + "type": "stat" + }, + { + "datasource": "Prometheus", + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "max": 100, + "min": 0, + "noValue": "-", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "yellow", + "value": 70 + }, + { + "color": "orange", + "value": 80 + }, + { + "color": "red", + "value": 90 + } + ] + }, + "unit": "percent" + }, + "overrides": [] + }, + "gridPos": { + "h": 6, + "w": 3, + "x": 15, + "y": 41 + }, + "id": 4, + "options": { + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "showThresholdLabels": false, + "showThresholdMarkers": true, + "text": {} + }, + "pluginVersion": "9.1.5", + "targets": [ + { + "datasource": "Prometheus", + "exemplar": true, + "expr": "100-jobs_persistent_volume_free_space_percent{cluster=\"$cluster\"}", + "interval": "", + "legendFormat": "", + "queryType": "randomWalk", + "refId": "A" + } + ], + "title": "Jobs Volume Used Space", + "type": "gauge" + }, + { + "datasource": "Prometheus", + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "noValue": "-", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "#ccccdc", + "value": null + } + ] + }, + "unit": "bytes" + }, + "overrides": [] + }, + "gridPos": { + "h": 6, + "w": 3, + "x": 18, + "y": 41 + }, + "id": 7, + "options": { + "colorMode": "value", + "graphMode": "area", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "text": {}, + "textMode": "auto" + }, + "pluginVersion": "9.1.5", + "targets": [ + { + "datasource": "Prometheus", + "exemplar": true, + "expr": "logging_persistent_volume_disk_space_used_bytes{cluster=\"$cluster\"}", + "interval": "", + "legendFormat": "", + "queryType": "randomWalk", + "refId": "A" + } + ], + "title": "Logging Volume Used", + "type": "stat" + }, + { + "datasource": "Prometheus", + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "max": 100, + "min": 0, + "noValue": "-", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "yellow", + "value": 70 + }, + { + "color": "orange", + "value": 80 + }, + { + "color": "red", + "value": 90 + } + ] + }, + "unit": "percent" + }, + "overrides": [] + }, + "gridPos": { + "h": 6, + "w": 3, + "x": 21, + "y": 41 + }, + "id": 3, + "options": { + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "showThresholdLabels": false, + "showThresholdMarkers": true, + "text": {} + }, + "pluginVersion": "9.1.5", + "targets": [ + { + "datasource": "Prometheus", + "exemplar": true, + "expr": "100-logging_persistent_volume_free_space_percent{cluster=\"$cluster\"}", + "interval": "", + "legendFormat": "", + "queryType": "randomWalk", + "refId": "A" + } + ], + "title": "Logging Volume Used Space", + "type": "gauge" + }, + { + "datasource": "Prometheus", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "noValue": "0", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "text", + "value": null + }, + { + "color": "green", + "value": 1 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 6, + "w": 3, + "x": 0, + "y": 47 + }, + "id": 41, + "interval": "1m", + "options": { + "colorMode": "value", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "last" + ], + "fields": "", + "values": false + }, + "text": {}, + "textMode": "auto" + }, + "pluginVersion": "9.1.5", + "targets": [ + { + "datasource": "Prometheus", + "exemplar": false, + "expr": "compliance_count{state=\"Compliant\"}", + "hide": false, + "interval": "", + "legendFormat": "", + "refId": "B" + } + ], + "title": "Compliant Applications", + "type": "stat" + }, + { + "datasource": "Prometheus", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "noValue": "0", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 1 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 6, + "w": 3, + "x": 3, + "y": 47 + }, + "id": 42, + "interval": "1m", + "options": { + "colorMode": "value", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "last" + ], + "fields": "", + "values": false + }, + "text": {}, + "textMode": "auto" + }, + "pluginVersion": "9.1.5", + "targets": [ + { + "datasource": "Prometheus", + "exemplar": false, + "expr": "compliance_count{state=\"NotCompliant\"}", + "hide": false, + "interval": "", + "legendFormat": "", + "refId": "B" + } + ], + "title": "Non-Compliant Applications", + "type": "stat" + }, + { + "datasource": "Prometheus", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "noValue": "0", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 1 + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 6, + "w": 3, + "x": 6, + "y": 47 + }, + "id": 43, + "interval": "1m", + "options": { + "colorMode": "value", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "last" + ], + "fields": "", + "values": false + }, + "text": {}, + "textMode": "auto" + }, + "pluginVersion": "9.1.5", + "targets": [ + { + "datasource": "Prometheus", + "exemplar": false, + "expr": "compliance_count{state=\"Unmanaged\"}", + "hide": false, + "interval": "", + "legendFormat": "", + "refId": "B" + } + ], + "title": "Unmanaged Applications", + "type": "stat" + }, + { + "datasource": "Prometheus", + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "noValue": "-", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "#ccccdc", + "value": null + } + ] + }, + "unit": "bytes" + }, + "overrides": [] + }, + "gridPos": { + "h": 6, + "w": 3, + "x": 12, + "y": 47 + }, + "id": 44, + "options": { + "colorMode": "value", + "graphMode": "area", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "text": {}, + "textMode": "auto" + }, + "pluginVersion": "9.1.5", + "targets": [ + { + "datasource": "Prometheus", + "exemplar": true, + "expr": "snapshot_storage_size_bytes{cluster=\"$cluster\", type=\"physical\"}", + "interval": "", + "legendFormat": "", + "queryType": "randomWalk", + "refId": "A" + } + ], + "title": "Snapshot Size (Physical)", + "type": "stat" + }, + { + "datasource": "Prometheus", + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "noValue": "-", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "#ccccdc", + "value": null + } + ] + }, + "unit": "bytes" + }, + "overrides": [] + }, + "gridPos": { + "h": 6, + "w": 3, + "x": 15, + "y": 47 + }, + "id": 45, + "options": { + "colorMode": "value", + "graphMode": "area", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "text": {}, + "textMode": "auto" + }, + "pluginVersion": "9.1.5", + "targets": [ + { + "datasource": "Prometheus", + "exemplar": true, + "expr": "snapshot_storage_size_bytes{cluster=\"$cluster\", type=\"logical\"}", + "interval": "", + "legendFormat": "", + "queryType": "randomWalk", + "refId": "A" + } + ], + "title": "Snapshot Size (Logical)", + "type": "stat" + }, + { + "datasource": "Prometheus", + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "noValue": "-", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "#ccccdc", + "value": null + } + ] + }, + "unit": "bytes" + }, + "overrides": [] + }, + "gridPos": { + "h": 6, + "w": 3, + "x": 18, + "y": 47 + }, + "id": 46, + "options": { + "colorMode": "value", + "graphMode": "area", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "text": {}, + "textMode": "auto" + }, + "pluginVersion": "9.1.5", + "targets": [ + { + "datasource": "Prometheus", + "exemplar": true, + "expr": "export_storage_size_bytes{cluster=\"$cluster\", type=\"physical\"}", + "interval": "", + "legendFormat": "", + "queryType": "randomWalk", + "refId": "A" + } + ], + "title": "Export Size (Physical)", + "type": "stat" + }, + { + "datasource": "Prometheus", + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "noValue": "-", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "#ccccdc", + "value": null + } + ] + }, + "unit": "bytes" + }, + "overrides": [] + }, + "gridPos": { + "h": 6, + "w": 3, + "x": 21, + "y": 47 + }, + "id": 47, + "options": { + "colorMode": "value", + "graphMode": "area", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "text": {}, + "textMode": "auto" + }, + "pluginVersion": "9.1.5", + "targets": [ + { + "datasource": "Prometheus", + "exemplar": true, + "expr": "export_storage_size_bytes{cluster=\"$cluster\", type=\"logical\"}", + "interval": "", + "legendFormat": "", + "queryType": "randomWalk", + "refId": "A" + } + ], + "title": "Export Size (Logical)", + "type": "stat" + }, + { + "collapsed": true, + "datasource": "Prometheus", + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 53 + }, + "id": 49, + "panels": [ + { + "datasource": "Prometheus", + "fieldConfig": { + "defaults": { + "color": { + "fixedColor": "red", + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + } + }, + "overrides": [ + { + "matcher": { + "id": "byName", + "options": "Worker Count" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "dark-red", + "mode": "fixed" + } + } + ] + } + ] + }, + "gridPos": { + "h": 7, + "w": 12, + "x": 0, + "y": 54 + }, + "id": 57, + "interval": "5s", + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": "Prometheus", + "editorMode": "code", + "expr": "sum(exec_executor_worker_count)", + "legendFormat": "Worker Count", + "range": true, + "refId": "A" + }, + { + "datasource": "Prometheus", + "editorMode": "code", + "expr": "sum(exec_active_job_count) OR on() vector(0)", + "hide": false, + "legendFormat": "Worker Load", + "range": true, + "refId": "B" + } + ], + "title": "Executor Worker Load", + "type": "timeseries" + }, + { + "datasource": "Prometheus", + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineStyle": { + "fill": "solid" + }, + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "s" + }, + "overrides": [] + }, + "gridPos": { + "h": 7, + "w": 12, + "x": 12, + "y": 54 + }, + "id": 68, + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": "Prometheus", + "editorMode": "code", + "expr": "sum(rate(action_backup_duration_seconds_sum_overall[5m])) / sum(rate(action_backup_ended_overall[5m]))", + "hide": false, + "legendFormat": "Backup", + "range": true, + "refId": "A" + }, + { + "datasource": "Prometheus", + "editorMode": "code", + "expr": "sum(rate(action_backup_cluster_duration_seconds_overall_sum[5m])) / sum(rate(action_backup_cluster_ended_overall[5m]))", + "hide": false, + "legendFormat": "Backup Cluster", + "range": true, + "refId": "B" + }, + { + "datasource": "Prometheus", + "editorMode": "code", + "expr": "sum(rate(action_export_duration_seconds_sum_overall[5m])) / sum(rate(action_export_ended_overall[5m]))", + "hide": false, + "legendFormat": "Export", + "range": true, + "refId": "C" + }, + { + "datasource": "Prometheus", + "editorMode": "code", + "expr": "sum(rate(action_import_duration_seconds_sum_overall[5m])) / sum(rate(action_import_ended_overall[5m]))", + "hide": false, + "legendFormat": "Import", + "range": true, + "refId": "D" + }, + { + "datasource": "Prometheus", + "editorMode": "code", + "expr": "sum(rate(action_report_duration_seconds_sum_overall[5m])) / sum(rate(action_report_ended_overall[5m]))", + "hide": false, + "legendFormat": "Report", + "range": true, + "refId": "E" + }, + { + "datasource": "Prometheus", + "editorMode": "code", + "expr": "sum(rate(action_retire_duration_seconds_sum_overall[5m])) / sum(rate(action_retire_ended_overall[5m]))", + "hide": false, + "legendFormat": "Retire", + "range": true, + "refId": "F" + }, + { + "datasource": "Prometheus", + "editorMode": "code", + "expr": "sum(rate(action_restore_duration_seconds_sum_overall[5m])) / sum(rate(action_restore_ended_overall[5m]))", + "hide": false, + "legendFormat": "Restore", + "range": true, + "refId": "G" + }, + { + "datasource": "Prometheus", + "editorMode": "code", + "expr": "sum(rate(action_restore_cluster_duration_seconds_sum_overall[5m])) / sum(rate(action_restore_cluster_ended_overall[5m]))", + "hide": false, + "legendFormat": "Restore Cluster", + "range": true, + "refId": "H" + } + ], + "title": "Average Action Duration", + "type": "timeseries" + }, + { + "datasource": "Prometheus", + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "axisSoftMax": 0, + "axisSoftMin": 0, + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "decimals": 0, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "none" + }, + "overrides": [ + { + "matcher": { + "id": "byName", + "options": "succeeded" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "semi-dark-green", + "mode": "fixed" + } + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "failed" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "semi-dark-red", + "mode": "fixed" + } + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "cancelled" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "semi-dark-orange", + "mode": "fixed" + } + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "skipped" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "semi-dark-blue", + "mode": "fixed" + } + } + ] + } + ] + }, + "gridPos": { + "h": 7, + "w": 6, + "x": 0, + "y": 61 + }, + "id": 74, + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": "Prometheus", + "editorMode": "code", + "expr": "sum(round(increase(action_backup_ended_overall[1m:10s]))) by (state)", + "hide": false, + "legendFormat": "__auto", + "range": true, + "refId": "A" + } + ], + "title": "Finished Backups", + "transformations": [], + "type": "timeseries" + }, + { + "datasource": "Prometheus", + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "axisSoftMax": 0, + "axisSoftMin": 0, + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "decimals": 0, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "none" + }, + "overrides": [ + { + "matcher": { + "id": "byName", + "options": "succeeded" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "semi-dark-green", + "mode": "fixed" + } + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "failed" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "semi-dark-red", + "mode": "fixed" + } + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "cancelled" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "semi-dark-orange", + "mode": "fixed" + } + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "skipped" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "semi-dark-blue", + "mode": "fixed" + } + } + ] + } + ] + }, + "gridPos": { + "h": 7, + "w": 6, + "x": 6, + "y": 61 + }, + "id": 69, + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": "Prometheus", + "editorMode": "code", + "expr": "sum(round(increase(action_backup_cluster_ended_overall[1m:10s]))) by (state)", + "hide": false, + "legendFormat": "__auto", + "range": true, + "refId": "A" + } + ], + "title": "Finished Cluster Backups", + "transformations": [], + "type": "timeseries" + }, + { + "datasource": "Prometheus", + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "axisSoftMax": 0, + "axisSoftMin": 0, + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "decimals": 0, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "none" + }, + "overrides": [ + { + "matcher": { + "id": "byName", + "options": "succeeded" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "semi-dark-green", + "mode": "fixed" + } + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "failed" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "semi-dark-red", + "mode": "fixed" + } + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "cancelled" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "semi-dark-orange", + "mode": "fixed" + } + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "skipped" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "semi-dark-blue", + "mode": "fixed" + } + } + ] + } + ] + }, + "gridPos": { + "h": 7, + "w": 6, + "x": 12, + "y": 61 + }, + "id": 75, + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": "Prometheus", + "editorMode": "code", + "expr": "sum(round(increase(action_export_ended_overall[1m:10s]))) by (state)", + "hide": false, + "legendFormat": "__auto", + "range": true, + "refId": "A" + } + ], + "title": "Finished Exports", + "transformations": [], + "type": "timeseries" + }, + { + "datasource": "Prometheus", + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "axisSoftMax": 0, + "axisSoftMin": 0, + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "decimals": 0, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "none" + }, + "overrides": [ + { + "matcher": { + "id": "byName", + "options": "succeeded" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "semi-dark-green", + "mode": "fixed" + } + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "failed" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "semi-dark-red", + "mode": "fixed" + } + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "cancelled" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "semi-dark-orange", + "mode": "fixed" + } + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "skipped" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "semi-dark-blue", + "mode": "fixed" + } + } + ] + } + ] + }, + "gridPos": { + "h": 7, + "w": 6, + "x": 18, + "y": 61 + }, + "id": 76, + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": "Prometheus", + "editorMode": "code", + "expr": "sum(round(increase(action_import_ended_overall[1m:10s]))) by (state)", + "hide": false, + "legendFormat": "__auto", + "range": true, + "refId": "A" + } + ], + "title": "Finished Imports", + "transformations": [], + "type": "timeseries" + }, + { + "datasource": "Prometheus", + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "axisSoftMax": 0, + "axisSoftMin": 0, + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "decimals": 0, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "none" + }, + "overrides": [ + { + "matcher": { + "id": "byName", + "options": "succeeded" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "semi-dark-green", + "mode": "fixed" + } + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "failed" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "semi-dark-red", + "mode": "fixed" + } + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "cancelled" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "semi-dark-orange", + "mode": "fixed" + } + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "skipped" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "semi-dark-blue", + "mode": "fixed" + } + } + ] + } + ] + }, + "gridPos": { + "h": 7, + "w": 6, + "x": 0, + "y": 68 + }, + "id": 77, + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": "Prometheus", + "editorMode": "code", + "expr": "sum(round(increase(action_report_ended_overall[1m:10s]))) by (state)", + "hide": false, + "legendFormat": "__auto", + "range": true, + "refId": "A" + } + ], + "title": "Finished Reports", + "transformations": [], + "type": "timeseries" + }, + { + "datasource": "Prometheus", + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "axisSoftMax": 0, + "axisSoftMin": 0, + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "decimals": 0, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "none" + }, + "overrides": [ + { + "matcher": { + "id": "byName", + "options": "succeeded" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "semi-dark-green", + "mode": "fixed" + } + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "failed" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "semi-dark-red", + "mode": "fixed" + } + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "cancelled" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "semi-dark-orange", + "mode": "fixed" + } + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "skipped" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "semi-dark-blue", + "mode": "fixed" + } + } + ] + } + ] + }, + "gridPos": { + "h": 7, + "w": 6, + "x": 6, + "y": 68 + }, + "id": 79, + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": "Prometheus", + "editorMode": "code", + "expr": "sum(round(increase(action_retire_ended_overall[1m:10s]))) by (state)", + "hide": false, + "legendFormat": "__auto", + "range": true, + "refId": "A" + } + ], + "title": "Finished Retires", + "transformations": [], + "type": "timeseries" + }, + { + "datasource": "Prometheus", + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "axisSoftMax": 0, + "axisSoftMin": 0, + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "decimals": 0, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "none" + }, + "overrides": [ + { + "matcher": { + "id": "byName", + "options": "succeeded" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "semi-dark-green", + "mode": "fixed" + } + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "failed" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "semi-dark-red", + "mode": "fixed" + } + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "cancelled" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "semi-dark-orange", + "mode": "fixed" + } + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "skipped" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "semi-dark-blue", + "mode": "fixed" + } + } + ] + } + ] + }, + "gridPos": { + "h": 7, + "w": 6, + "x": 12, + "y": 68 + }, + "id": 80, + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": "Prometheus", + "editorMode": "code", + "expr": "sum(round(increase(action_restore_ended_overall[1m:10s]))) by (state)", + "hide": false, + "legendFormat": "__auto", + "range": true, + "refId": "A" + } + ], + "title": "Finished Restores", + "transformations": [], + "type": "timeseries" + }, + { + "datasource": "Prometheus", + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "axisSoftMax": 0, + "axisSoftMin": 0, + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "decimals": 0, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "none" + }, + "overrides": [ + { + "matcher": { + "id": "byName", + "options": "succeeded" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "semi-dark-green", + "mode": "fixed" + } + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "failed" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "semi-dark-red", + "mode": "fixed" + } + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "cancelled" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "semi-dark-orange", + "mode": "fixed" + } + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "skipped" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "semi-dark-blue", + "mode": "fixed" + } + } + ] + } + ] + }, + "gridPos": { + "h": 7, + "w": 6, + "x": 18, + "y": 68 + }, + "id": 78, + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": "Prometheus", + "editorMode": "code", + "expr": "sum(round(increase(action_restore_cluster_ended_overall[1m:10s]))) by (state)", + "hide": false, + "legendFormat": "__auto", + "range": true, + "refId": "A" + } + ], + "title": "Finished Cluster Restores", + "transformations": [], + "type": "timeseries" + }, + { + "datasource": "Prometheus", + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "s" + }, + "overrides": [] + }, + "gridPos": { + "h": 7, + "w": 24, + "x": 0, + "y": 75 + }, + "id": 63, + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": "Prometheus", + "editorMode": "code", + "expr": "sum(rate(limiter_request_seconds_sum{stage=\"hold\"}[5m])) by (operation) / sum(rate(limiter_request_seconds_count{stage=\"hold\"}[5m])) by (operation) ", + "legendFormat": "__auto", + "range": true, + "refId": "A" + } + ], + "title": "Rate Limiter - avg operation duration", + "type": "timeseries" + }, + { + "datasource": "Prometheus", + "fieldConfig": { + "defaults": { + "color": { + "fixedColor": "red", + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + } + }, + "overrides": [ + { + "matcher": { + "id": "byName", + "options": "Limit" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "dark-red", + "mode": "fixed" + } + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "inflight" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "green", + "mode": "fixed" + } + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "pending" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "yellow", + "mode": "fixed" + } + } + ] + } + ] + }, + "gridPos": { + "h": 7, + "w": 4.8, + "x": 0, + "y": 82 + }, + "id": 51, + "maxPerRow": 6, + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "repeat": "operation", + "repeatDirection": "h", + "targets": [ + { + "datasource": "Prometheus", + "editorMode": "code", + "expr": "limiter_inflight_count{operation=\"$operation\"}", + "legendFormat": "Inflight", + "range": true, + "refId": "A" + }, + { + "datasource": "Prometheus", + "editorMode": "code", + "expr": "limiter_pending_count{operation=\"$operation\"}", + "hide": false, + "legendFormat": "Pending", + "range": true, + "refId": "B" + }, + { + "datasource": "Prometheus", + "editorMode": "code", + "expr": "limiter_inflight_limit_value{operation=\"$operation\"}", + "hide": false, + "legendFormat": "Limit", + "range": true, + "refId": "C" + } + ], + "title": "Rate Limiter - $operation", + "type": "timeseries" + } + ], + "targets": [ + { + "datasource": "Prometheus", + "refId": "A" + } + ], + "title": "Execution Control", + "type": "row" + }, + { + "collapsed": true, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 54 + }, + "id": 84, + "panels": [ + { + "datasource": "Prometheus", + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": true, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "percentunit" + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 0, + "y": 55 + }, + "id": 86, + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": "Prometheus", + "editorMode": "code", + "expr": "sum(increase(action_export_transferred_bytes[5m:30s]))/sum((increase(action_export_processed_bytes[5m:30s])>0))", + "legendFormat": "Transferred/Processed across all actions", + "range": true, + "refId": "A" + } + ], + "title": "Transferred/Processed Ratio", + "type": "timeseries" + }, + { + "datasource": "Prometheus", + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": true, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "percentunit" + }, + "overrides": [] + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 12, + "y": 55 + }, + "id": 88, + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": "Prometheus", + "editorMode": "code", + "expr": "(increase(action_export_transferred_bytes[5m:30s])/(increase(action_export_processed_bytes[5m:30s])>0))", + "legendFormat": "{{policy}}:{{app}}", + "range": true, + "refId": "A" + } + ], + "title": "Transferred/Processed Ratio per policy:app", + "type": "timeseries" + }, + { + "datasource": "Prometheus", + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": true, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [ ], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "bytes" + }, + "overrides": [ ] + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 0, + "y": 63 + }, + "id": 89, + "options": { + "legend": { + "calcs": [ ], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": "Prometheus", + "editorMode": "code", + "expr": "increase(action_export_transferred_bytes[5m:30s]) > 0", + "legendFormat": "{{policy}}:{{app}}", + "range": true, + "refId": "A" + } + ], + "title": "Transferred bytes per policy:app", + "type": "timeseries" + }, + { + "datasource": "Prometheus", + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": true, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [ ], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "bytes" + }, + "overrides": [ ] + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 12, + "y": 63 + }, + "id": 90, + "options": { + "legend": { + "calcs": [ ], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": "Prometheus", + "editorMode": "code", + "expr": "increase(action_export_processed_bytes[5m:30s]) > 0", + "legendFormat": "{{policy}}:{{app}}", + "range": true, + "refId": "A" + } + ], + "title": "Processed bytes per policy:app", + "type": "timeseries" + } + ], + "title": "Data reduction", + "type": "row" + }, + { + "collapsed": true, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 55 + }, + "id": 1013, + "panels": [ + { + "datasource": "Prometheus", + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisPlacement": "left", + "barAlignment": 0, + "drawStyle": "points", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "stepAfter", + "lineWidth": 1, + "pointSize": 4, + "scaleDistribution": { + "log": 2, + "type": "log" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "min": 0, + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "s", + "unitScale": true + }, + "overrides": [ + { + "matcher": { + "id": "byRegexp", + "options": "/#.*/" + }, + "properties": [ + { + "id": "unit", + "value": "none" + }, + { + "id": "custom.axisPlacement", + "value": "right" + }, + { + "id": "decimals", + "value": 0 + }, + { + "id": "custom.scaleDistribution", + "value": { + "type": "linear" + } + }, + { + "id": "custom.drawStyle", + "value": "line" + }, + { + "id": "custom.lineInterpolation", + "value": "stepAfter" + }, + { + "id": "custom.showPoints", + "value": "never" + }, + { + "id": "custom.axisSoftMin", + "value": 0 + }, + { + "id": "custom.axisLabel", + "value": "# volumes" + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "#Volumes" + }, + "properties": [ + { + "id": "displayName", + "value": "# Volumes Under Transfer" + }, + { + "id": "custom.lineStyle", + "value": { + "fill": "solid" + } + }, + { + "id": "custom.lineWidth", + "value": 0.4 + }, + { + "id": "custom.lineInterpolation", + "value": "stepAfter" + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "#UploadSessionVolumes" + }, + "properties": [ + { + "id": "displayName", + "value": "# VBR Session Volumes" + }, + { + "id": "custom.lineWidth", + "value": 0 + }, + { + "id": "custom.fillOpacity", + "value": 25 + }, + { + "id": "color", + "value": { + "fixedColor": "dark-blue", + "mode": "shades" + } + } + ] + } + ] + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 0, + "y": 8 + }, + "id": 1006, + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": "Prometheus", + "disableTextWrap": false, + "editorMode": "code", + "expr": "sum (max_over_time(data_operation_volume_count{}[2m]))", + "fullMetaSearch": false, + "includeNullMetadata": true, + "instant": false, + "legendFormat": "#Volumes", + "range": true, + "refId": "VOLUME_COUNT", + "useBackend": false + }, + { + "datasource": "Prometheus", + "disableTextWrap": false, + "editorMode": "code", + "expr": "sum by (repo_type) (max_over_time(data_upload_session_volume_count{repo_type=\"VBR\"}[2m]))", + "fullMetaSearch": false, + "hide": false, + "includeNullMetadata": true, + "instant": false, + "legendFormat": "#UploadSessionVolumes", + "range": true, + "refId": "VBR_SESSION_COUNT", + "useBackend": false + }, + { + "datasource": "Prometheus", + "editorMode": "code", + "expr": "sum by (data_format,operation,storage_class,repo_name) (rate(data_operation_normalized_duration_sum{}[2m])) / sum by (data_format,operation,storage_class,repo_name) (rate(data_operation_normalized_duration_count{}[2m]))", + "hide": false, + "instant": false, + "legendFormat": "{{operation}} {{storage_class}}/{{repo_name}} ({{data_format}})", + "range": true, + "refId": "NORMALIZED_DURATION_BY_STORAGE_CLASS_LOC" + } + ], + "title": "Normalized operation duration by storage class, location and data format (time/MiB)", + "type": "timeseries" + }, + { + "datasource": "Prometheus", + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "left", + "barAlignment": 0, + "drawStyle": "points", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "stepAfter", + "lineWidth": 1, + "pointSize": 4, + "scaleDistribution": { + "log": 2, + "type": "log" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "min": 0, + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "s", + "unitScale": true + }, + "overrides": [ + { + "matcher": { + "id": "byRegexp", + "options": "/#.*/" + }, + "properties": [ + { + "id": "unit", + "value": "none" + }, + { + "id": "custom.axisPlacement", + "value": "right" + }, + { + "id": "decimals", + "value": 0 + }, + { + "id": "custom.scaleDistribution", + "value": { + "type": "linear" + } + }, + { + "id": "custom.drawStyle", + "value": "line" + }, + { + "id": "custom.lineInterpolation", + "value": "stepAfter" + }, + { + "id": "custom.showPoints", + "value": "never" + }, + { + "id": "custom.axisSoftMin", + "value": 0 + }, + { + "id": "custom.axisLabel", + "value": "# volumes" + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "#Volumes" + }, + "properties": [ + { + "id": "displayName", + "value": "# Volumes Under Transfer" + }, + { + "id": "custom.lineStyle", + "value": { + "fill": "solid" + } + }, + { + "id": "custom.lineWidth", + "value": 0.4 + }, + { + "id": "custom.lineInterpolation", + "value": "stepAfter" + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "#UploadSessionVolumes" + }, + "properties": [ + { + "id": "displayName", + "value": "# VBR Session Volumes" + }, + { + "id": "custom.lineWidth", + "value": 0 + }, + { + "id": "custom.fillOpacity", + "value": 25 + }, + { + "id": "color", + "value": { + "fixedColor": "dark-blue", + "mode": "shades" + } + } + ] + } + ] + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 12, + "y": 8 + }, + "id": 1012, + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": "Prometheus", + "disableTextWrap": false, + "editorMode": "code", + "expr": "sum (max_over_time(data_operation_volume_count{}[2m]))", + "fullMetaSearch": false, + "includeNullMetadata": true, + "instant": false, + "legendFormat": "#Volumes", + "range": true, + "refId": "VOLUME_COUNT", + "useBackend": false + }, + { + "datasource": "Prometheus", + "disableTextWrap": false, + "editorMode": "code", + "expr": "sum by (repo_type) (max_over_time(data_upload_session_volume_count{repo_type=\"VBR\"}[2m]))", + "fullMetaSearch": false, + "hide": false, + "includeNullMetadata": true, + "instant": false, + "legendFormat": "#UploadSessionVolumes", + "range": true, + "refId": "VBR_SESSION_COUNT", + "useBackend": false + }, + { + "datasource": "Prometheus", + "editorMode": "code", + "expr": "sum by (data_format,operation,namespace,pvc_name) (rate(data_operation_duration_sum{}[2m])) / sum by (data_format,operation,namespace,pvc_name) (rate(data_operation_duration_count{}[2m]))", + "hide": false, + "instant": false, + "legendFormat": "{{operation}} {{namespace}}/{{pvc_name}} ({{data_format}})", + "range": true, + "refId": "DURATION_BY_PVC" + } + ], + "title": "Operation duration by pvc and data format", + "type": "timeseries" + }, + { + "datasource": "Prometheus", + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "left", + "barAlignment": 0, + "drawStyle": "points", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "stepAfter", + "lineWidth": 1, + "pointSize": 4, + "scaleDistribution": { + "log": 2, + "type": "log" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "binBps", + "unitScale": true + }, + "overrides": [ + { + "matcher": { + "id": "byRegexp", + "options": "/#.*/" + }, + "properties": [ + { + "id": "unit", + "value": "none" + }, + { + "id": "custom.axisPlacement", + "value": "right" + }, + { + "id": "decimals", + "value": 0 + }, + { + "id": "custom.scaleDistribution", + "value": { + "type": "linear" + } + }, + { + "id": "custom.drawStyle", + "value": "line" + }, + { + "id": "custom.lineInterpolation", + "value": "stepAfter" + }, + { + "id": "custom.showPoints", + "value": "never" + }, + { + "id": "custom.axisSoftMin", + "value": 0 + }, + { + "id": "custom.axisLabel", + "value": "# volumes" + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "#Volumes" + }, + "properties": [ + { + "id": "displayName", + "value": "# Volumes Under Transfer" + }, + { + "id": "custom.lineStyle", + "value": { + "fill": "solid" + } + }, + { + "id": "custom.lineWidth", + "value": 0.4 + }, + { + "id": "custom.lineInterpolation", + "value": "stepAfter" + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "#UploadSessionVolumes" + }, + "properties": [ + { + "id": "displayName", + "value": "# VBR Session Volumes" + }, + { + "id": "custom.lineWidth", + "value": 0 + }, + { + "id": "custom.fillOpacity", + "value": 25 + }, + { + "id": "color", + "value": { + "fixedColor": "dark-blue", + "mode": "shades" + } + } + ] + } + ] + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 0, + "y": 16 + }, + "id": 1011, + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": "Prometheus", + "disableTextWrap": false, + "editorMode": "code", + "expr": "sum (max_over_time(data_operation_volume_count{}[2m]))", + "fullMetaSearch": false, + "hide": false, + "includeNullMetadata": true, + "instant": false, + "legendFormat": "#Volumes", + "range": true, + "refId": "VOLUME_COUNT", + "useBackend": false + }, + { + "datasource": "Prometheus", + "disableTextWrap": false, + "editorMode": "code", + "expr": "sum by (repo_type) (max_over_time(data_upload_session_volume_count{repo_type=\"VBR\"}[2m]))", + "fullMetaSearch": false, + "hide": false, + "includeNullMetadata": true, + "instant": false, + "legendFormat": "#UploadSessionVolumes", + "range": true, + "refId": "VBR_SESSION_COUNT", + "useBackend": false + }, + { + "datasource": "Prometheus", + "editorMode": "code", + "expr": "avg by (data_format, operation, storage_class, repo_name) (rate(data_operation_bytes{}[$__rate_interval]))", + "hide": false, + "instant": false, + "legendFormat": "{{operation}} {{storage_class}}/{{repo_name}} ({{data_format}})", + "range": true, + "refId": "RATE_BY_STORAGE_CLASS" + } + ], + "title": "Operation transfer rate by storage class, location and data format", + "type": "timeseries" + }, + { + "datasource": "Prometheus", + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "left", + "barAlignment": 0, + "drawStyle": "points", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "stepAfter", + "lineWidth": 1, + "pointSize": 4, + "scaleDistribution": { + "log": 2, + "type": "log" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "binBps", + "unitScale": true + }, + "overrides": [ + { + "matcher": { + "id": "byRegexp", + "options": "/#.*/" + }, + "properties": [ + { + "id": "unit", + "value": "none" + }, + { + "id": "custom.axisPlacement", + "value": "right" + }, + { + "id": "decimals", + "value": 0 + }, + { + "id": "custom.scaleDistribution", + "value": { + "type": "linear" + } + }, + { + "id": "custom.drawStyle", + "value": "line" + }, + { + "id": "custom.lineInterpolation", + "value": "stepAfter" + }, + { + "id": "custom.showPoints", + "value": "never" + }, + { + "id": "custom.axisSoftMin", + "value": 0 + }, + { + "id": "custom.axisLabel", + "value": "# volumes" + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "#Volumes" + }, + "properties": [ + { + "id": "displayName", + "value": "# Volumes Under Transfer" + }, + { + "id": "custom.lineStyle", + "value": { + "fill": "solid" + } + }, + { + "id": "custom.lineWidth", + "value": 0.4 + }, + { + "id": "custom.lineInterpolation", + "value": "stepAfter" + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "#UploadSessionVolumes" + }, + "properties": [ + { + "id": "displayName", + "value": "# VBR Session Volumes" + }, + { + "id": "custom.lineWidth", + "value": 0 + }, + { + "id": "custom.fillOpacity", + "value": 25 + }, + { + "id": "color", + "value": { + "fixedColor": "dark-blue", + "mode": "shades" + } + } + ] + } + ] + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 12, + "y": 16 + }, + "id": 1004, + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": "Prometheus", + "disableTextWrap": false, + "editorMode": "code", + "expr": "sum (max_over_time(data_operation_volume_count{}[2m]))", + "fullMetaSearch": false, + "hide": false, + "includeNullMetadata": true, + "instant": false, + "legendFormat": "#Volumes", + "range": true, + "refId": "VOLUME_COUNT", + "useBackend": false + }, + { + "datasource": "Prometheus", + "disableTextWrap": false, + "editorMode": "code", + "expr": "sum by (repo_type) (max_over_time(data_upload_session_volume_count{repo_type=\"VBR\"}[2m]))", + "fullMetaSearch": false, + "hide": false, + "includeNullMetadata": true, + "instant": false, + "legendFormat": "#UploadSessionVolumes", + "range": true, + "refId": "VBR_SESSION_COUNT", + "useBackend": false + }, + { + "datasource": "Prometheus", + "editorMode": "code", + "expr": "avg by (data_format, operation, namespace, pvc_name) (rate(data_operation_bytes{}[$__rate_interval]))", + "hide": false, + "instant": false, + "legendFormat": "{{operation}} {{namespace}}/{{pvc_name}} ({{data_format}})", + "range": true, + "refId": "RATE_BY_PVC" + } + ], + "title": "Operation transfer rate by pvc and data format", + "type": "timeseries" + } + ], + "title": "Data transfer operations", + "type": "row" + }, + { + "collapsed": true, + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 56 + }, + "id": 1016, + "panels": [ + { + "datasource": "Prometheus", + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "text", + "value": null + } + ] + }, + "unit": "bytes" + }, + "overrides": [] + }, + "gridPos": { + "h": 5, + "w": 4, + "x": 0, + "y": 57 + }, + "id": 1031, + "options": { + "colorMode": "value", + "graphMode": "area", + "justifyMode": "auto", + "orientation": "auto", + "percentChangeColorMode": "standard", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "showPercentChange": false, + "textMode": "auto", + "wideLayout": true + }, + "pluginVersion": "11.1.5", + "targets": [ + { + "datasource": "Prometheus", + "disableTextWrap": false, + "editorMode": "code", + "exemplar": false, + "expr": "repository_data_pruned_bytes > 0", + "format": "time_series", + "fullMetaSearch": false, + "includeNullMetadata": true, + "instant": false, + "interval": "", + "legendFormat": "__auto", + "range": true, + "refId": "A", + "useBackend": false + } + ], + "title": "Recently recovered storage", + "transformations": [ + { + "id": "reduce", + "options": { + "includeTimeField": false, + "mode": "reduceFields", + "reducers": [ + "lastNotNull" + ] + } + }, + { + "id": "merge", + "options": {} + }, + { + "id": "reduce", + "options": { + "includeTimeField": false, + "mode": "reduceFields", + "reducers": [ + "sum" + ] + } + } + ], + "type": "stat" + }, + { + "datasource": "Prometheus", + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + } + ] + }, + "unit": "bytes" + }, + "overrides": [] + }, + "gridPos": { + "h": 5, + "w": 8, + "x": 4, + "y": 57 + }, + "id": 1025, + "options": { + "displayMode": "basic", + "maxVizHeight": 300, + "minVizHeight": 16, + "minVizWidth": 8, + "namePlacement": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "showUnfilled": true, + "sizing": "auto", + "valueMode": "text" + }, + "pluginVersion": "11.1.5", + "targets": [ + { + "datasource": "Prometheus", + "disableTextWrap": false, + "editorMode": "code", + "exemplar": false, + "expr": "sum by(namespace) (repository_data_pruned_bytes{namespace!=\"kasten-io\"} > 0)", + "format": "time_series", + "fullMetaSearch": false, + "includeNullMetadata": true, + "instant": false, + "interval": "", + "legendFormat": "__auto", + "range": true, + "refId": "A", + "useBackend": false + }, + { + "datasource": "Prometheus", + "editorMode": "code", + "expr": "sum(repository_data_pruned_bytes{namespace=\"kasten-io\"} > 0)", + "hide": false, + "instant": false, + "legendFormat": "metadata", + "range": true, + "refId": "B" + } + ], + "title": "Recently recovered storage per app", + "type": "bargauge" + }, + { + "datasource": "Prometheus", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "text", + "value": null + } + ] + }, + "unit": "bytes" + }, + "overrides": [] + }, + "gridPos": { + "h": 5, + "w": 4, + "x": 12, + "y": 57 + }, + "id": 1015, + "options": { + "colorMode": "value", + "graphMode": "area", + "justifyMode": "auto", + "orientation": "auto", + "percentChangeColorMode": "standard", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "showPercentChange": false, + "textMode": "auto", + "wideLayout": true + }, + "pluginVersion": "11.1.5", + "targets": [ + { + "datasource": "Prometheus", + "editorMode": "code", + "expr": "sum(repository_data_pruned_bytes_total)", + "instant": false, + "legendFormat": "__auto", + "range": true, + "refId": "A" + } + ], + "title": "Total recovered storage", + "transformations": [ + { + "id": "reduce", + "options": { + "includeTimeField": false, + "mode": "reduceFields", + "reducers": [ + "lastNotNull" + ] + } + } + ], + "type": "stat" + }, + { + "datasource": "Prometheus", + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "bytes" + }, + "overrides": [] + }, + "gridPos": { + "h": 5, + "w": 8, + "x": 16, + "y": 57 + }, + "id": 1018, + "options": { + "displayMode": "basic", + "maxVizHeight": 300, + "minVizHeight": 16, + "minVizWidth": 8, + "namePlacement": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "showUnfilled": true, + "sizing": "auto", + "valueMode": "text" + }, + "pluginVersion": "11.1.5", + "targets": [ + { + "datasource": "Prometheus", + "editorMode": "code", + "exemplar": false, + "expr": "repository_data_pruned_bytes_total{namespace!=\"kasten-io\"} > 0", + "format": "time_series", + "instant": false, + "interval": "", + "legendFormat": "{{namespace}}", + "range": true, + "refId": "A" + }, + { + "datasource": "Prometheus", + "editorMode": "code", + "expr": "sum(repository_data_pruned_bytes_total{namespace=\"kasten-io\"} > 0)", + "hide": false, + "instant": false, + "legendFormat": "metadata", + "range": true, + "refId": "B" + } + ], + "title": "Total recovered storage per app", + "type": "bargauge" + }, + { + "datasource": "Prometheus", + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "text", + "value": null + } + ] + }, + "unit": "bytes" + }, + "overrides": [] + }, + "gridPos": { + "h": 5, + "w": 4, + "x": 0, + "y": 62 + }, + "id": 1017, + "options": { + "colorMode": "value", + "graphMode": "area", + "justifyMode": "auto", + "orientation": "auto", + "percentChangeColorMode": "standard", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "showPercentChange": false, + "textMode": "auto", + "wideLayout": true + }, + "pluginVersion": "11.1.5", + "targets": [ + { + "datasource": "Prometheus", + "editorMode": "code", + "expr": "sum(repository_data_scheduled_for_pruning_bytes)", + "instant": false, + "legendFormat": "__auto", + "range": true, + "refId": "A" + } + ], + "title": "Expired data marked for deletion", + "transformations": [ + { + "id": "reduce", + "options": { + "includeTimeField": false, + "mode": "reduceFields", + "reducers": [ + "lastNotNull" + ] + } + } + ], + "type": "stat" + }, + { + "datasource": "Prometheus", + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + } + ] + }, + "unit": "bytes" + }, + "overrides": [] + }, + "gridPos": { + "h": 5, + "w": 8, + "x": 4, + "y": 62 + }, + "id": 1019, + "options": { + "displayMode": "basic", + "maxVizHeight": 300, + "minVizHeight": 16, + "minVizWidth": 8, + "namePlacement": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "showUnfilled": true, + "sizing": "auto", + "valueMode": "text" + }, + "pluginVersion": "11.1.5", + "targets": [ + { + "datasource": "Prometheus", + "editorMode": "code", + "expr": "repository_data_scheduled_for_pruning_bytes{namespace!=\"kasten-io\"} > 0", + "instant": false, + "legendFormat": "{{namespace}}", + "range": true, + "refId": "A" + }, + { + "datasource": "Prometheus", + "editorMode": "code", + "expr": "sum(repository_data_scheduled_for_pruning_bytes{namespace=\"kasten-io\"} > 0)", + "hide": false, + "instant": false, + "legendFormat": "metadata", + "range": true, + "refId": "B" + } + ], + "title": "Expired data marked for deletion per app", + "type": "bargauge" + } + ], + "title": "Backup Export Maintenance", + "type": "row" + } + ], + "schemaVersion": 39, + "style": "dark", + "tags": [], + "templating": { + "list": [ + { + "hide": 2, + "label": "Cluster", + "name": "cluster", + "query": "", + "skipUrlSync": false, + "type": "constant" + }, + { + "current": { + "selected": false, + "text": "All", + "value": "$__all" + }, + "datasource": "Prometheus", + "definition": "limiter_pending_count", + "description": "", + "hide": 2, + "includeAll": true, + "label": "operation", + "multi": false, + "name": "operation", + "options": [], + "query": { + "query": "limiter_pending_count", + "refId": "StandardVariableQuery" + }, + "refresh": 1, + "regex": "/operation=\\\"([\\w]+)\\\"/", + "skipUrlSync": false, + "sort": 0, + "type": "query" + } + ] + }, + "time": { + "from": "now-24h", + "to": "now" + }, + "timepicker": {}, + "timezone": "", + "title": "K10 Dashboard", + "uid": "8Ebb3xS7k", + "version": 3 +} \ No newline at end of file diff --git a/charts/kasten/k10/7.0.1401/license b/charts/kasten/k10/7.0.1401/license new file mode 100644 index 000000000..fb23dbb82 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/license @@ -0,0 +1 @@ +Y3VzdG9tZXJOYW1lOiBzdGFydGVyLWxpY2Vuc2UKZGF0ZUVuZDogJzIxMDAtMDEtMDFUMDA6MDA6MDAuMDAwWicKZGF0ZVN0YXJ0OiAnMjAyMC0wMS0wMVQwMDowMDowMC4wMDBaJwpmZWF0dXJlczogbnVsbAppZDogc3RhcnRlci00ZjE4NDJjMC0wNzQ1LTQxYTUtYWFhNy1hMDFkNzQ4YjFjMzAKcHJvZHVjdDogSzEwCnJlc3RyaWN0aW9uczoKICBub2RlczogJzEwJwpzZXJ2aWNlQWNjb3VudEtleTogbnVsbAp2ZXJzaW9uOiB2MS4wLjAKc2lnbmF0dXJlOiBqT1N5NDNQZG5ZMFVCZitValhOdU1oUEFSb1J2ZkpzWElQWnhBWFNCaGpKbUwxNlNodi8vVzgyV2NMeGZJM25NZTA0TThtRU03eThPcnArQks1ekxpeFd3clpncmZSbTBEaWlELyttRjR5U3l1Rko0QW1neHV6NDhQTmdnU1VyWUM3S1FVcFYxSEJZV1ZaNm9udEJDeE1rVWtkaDVqdzZJdWMzN3lDaktIYy92bWZaenBzTVhybmxUdGhha2RjVVk0azNyVHJDa3VDcnFUMkpjM1o1amFGalZSZW1Zd1NBVXpkRldNazdQdkp3eHVFdE5rNitPV0pCVERQbnNYdldKdjdNc3NneDBJTmdtNUlJWDRVeEVhQWI4QXpTNkMyQ21XQzlhWURFTDg1aEFpeWhONXUwU0tQczA3ZXB0R1VHYmc3cWtPUVN0d0NhcDFKUURvbDVDT0E9PQo= diff --git a/charts/kasten/k10/7.0.1401/questions.yaml b/charts/kasten/k10/7.0.1401/questions.yaml new file mode 100644 index 000000000..713fcb116 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/questions.yaml @@ -0,0 +1,295 @@ +questions: +# ======================== +# SECRETS And Configuration +# ======================== + +### AWS Configuration + +- variable: secrets.awsAccessKeyId + description: "AWS access key ID (required for AWS deployment)" + type: password + label: AWS Access Key ID + required: false + group: "AWS Configuration" + +- variable: secrets.awsSecretAccessKey + description: "AWS access key secret (required for AWS deployment)" + type: password + label: AWS Secret Access Key + required: false + group: "AWS Configuration" + +- variable: secrets.awsIamRole + description: "ARN of the AWS IAM role assumed by K10 to perform any AWS operation." + type: string + label: ARN of the AWS IAM role + required: false + group: "AWS Configuration" + +- variable: awsConfig.assumeRoleDuration + description: "Duration of a session token generated by AWS for an IAM role" + type: string + label: Role Duration + required: false + default: "" + group: "AWS Configuration" + +- variable: awsConfig.efsBackupVaultName + description: "Specifies the AWS EFS backup vault name" + type: string + label: EFS Backup Vault Name + required: false + default: "k10vault" + group: "AWS Configuration" + +### Google Cloud Configuration + +- variable: secrets.googleApiKey + description: "Required If cluster is deployed on Google Cloud" + type: multiline + label: Non-default base64 encoded GCP Service Account key file + required: false + group: "GoogleApi Configuration" + +### Azure Configuration + +- variable: secrets.azureTenantId + description: "Azure tenant ID (required for Azure deployment)" + type: string + label: Tenant ID + required: false + group: "Azure Configuration" + +- variable: secrets.azureClientId + description: "Azure Service App ID" + type: password + label: Service App ID + required: false + group: "Azure Configuration" + +- variable: secrets.azureClientSecret + description: "Azure Service App secret" + type: password + label: Service App secret + required: false + group: "Azure Configuration" + +- variable: secrets.azureResourceGroup + description: "Resource Group name that was created for the Kubernetes cluster" + type: string + label: Resource Group + required: false + group: "Azure Configuration" + +- variable: secrets.azureSubscriptionID + description: "Subscription ID in your Azure tenant" + type: string + label: Subscription ID + required: false + group: "Azure Configuration" + +- variable: secrets.azureResourceMgrEndpoint + description: "Resource management endpoint for the Azure Stack instance" + type: string + label: Resource management endpoint + required: false + group: "Azure Configuration" + +- variable: secrets.azureADEndpoint + description: "Azure Active Directory login endpoint" + type: string + label: Active Directory login endpoint + required: false + group: "Azure Configuration" + +- variable: secrets.azureADResourceID + description: "Azure Active Directory resource ID to obtain AD tokens" + type: string + label: Active Directory resource ID + required: false + group: "Azure Configuration" + +# ======================== +# Authentication +# ======================== + +- variable: auth.basicAuth.enabled + description: "Configures basic authentication for the K10 dashboard" + type: boolean + label: Enable Basic Authentication + required: false + group: "Authentication" + show_subquestion_if: true + subquestions: + - variable: auth.basicAuth.htpasswd + description: "A username and password pair separated by a colon character" + type: password + label: Authentication Details (htpasswd) + - variable: auth.basicAuth.secretName + description: "Name of an existing Secret that contains a file generated with htpasswd" + type: string + label: Secret Name + +- variable: auth.tokenAuth.enabled + description: "Configures token based authentication for the K10 dashboard" + type: boolean + label: Enable Token Based Authentication + required: false + group: "Authentication" + +- variable: auth.oidcAuth.enabled + description: "Configures Open ID Connect based authentication for the K10 dashboard" + type: boolean + label: Enable OpenID Connect Based Authentication + required: false + group: "Authentication" + show_subquestion_if: true + subquestions: + - variable: auth.oidcAuth.providerURL + description: "URL for the OIDC Provider" + type: string + label: OIDC Provider URL + - variable: auth.oidcAuth.redirectURL + description: "URL for the K10 gateway Provider" + type: string + label: OIDC Redirect URL + - variable: auth.oidcAuth.scopes + description: "Space separated OIDC scopes required for userinfo. Example: `profile email`" + type: string + label: OIDC scopes + - variable: auth.oidcAuth.prompt + description: "The type of prompt to be used during authentication (none, consent, login, or select_account)" + type: enum + options: + - none + - consent + - login + - select_account + default: none + label: The type of prompt to be used during authentication (none, consent, login, or select_account) + - variable: auth.oidcAuth.clientID + description: "Client ID given by the OIDC provider for K10" + type: password + label: OIDC Client ID + - variable: auth.oidcAuth.clientSecret + description: "Client secret given by the OIDC provider for K10" + type: password + label: OIDC Client Secret + - variable: auth.oidcAuth.usernameClaim + description: "The claim to be used as the username" + type: string + label: OIDC UserName Claim + - variable: auth.oidcAuth.usernamePrefix + description: "Prefix that has to be used with the username obtained from the username claim" + type: string + label: OIDC UserName Prefix + - variable: auth.oidcAuth.groupClaim + description: "Name of a custom OpenID Connect claim for specifying user groups" + type: string + label: OIDC group Claim + - variable: auth.oidcAuth.groupPrefix + description: "All groups will be prefixed with this value to prevent conflicts" + type: string + label: OIDC group Prefix + +# ======================== +# External Gateway +# ======================== + +- variable: externalGateway.create + description: "Configures an external gateway for K10 API services" + type: boolean + label: Create External Gateway + required: false + group: "External Gateway" + show_subquestion_if: true + subquestions: + - variable: externalGateway.annotations + description: "Standard annotations for the services" + type: multiline + default: "" + label: Annotation + - variable: externalGateway.fqdn.name + description: "Domain name for the K10 API services" + type: string + label: Domain Name + - variable: externalGateway.fqdn.type + description: "Supported gateway type: `route53-mapper` or `external-dns`" + type: string + label: Gateway Type route53-mapper or external-dns + - variable: externalGateway.awsSSLCertARN + description: "ARN for the AWS ACM SSL certificate used in the K10 API server" + type: multiline + label: ARN for the AWS ACM SSL certificate + +# ======================== +# Storage Management +# ======================== + +- variable: global.persistence.storageClass + label: StorageClass Name + description: "Specifies StorageClass Name to be used for PVCs" + type: string + required: false + default: "" + group: "Storage Management" + +- variable: prometheus.server.persistentVolume.storageClass + type: string + label: StorageClass Name for Prometheus PVC + description: "StorageClassName used to create Prometheus PVC. Setting this option overwrites global StorageClass value" + default: "" + required: false + group: "Storage Management" + +- variable: prometheus.server.persistentVolume.enabled + type: boolean + label: Enable PVC for Prometheus server + description: "If true, K10 Prometheus server will create a Persistent Volume Claim" + default: true + required: false + group: "Storage Management" + +- variable: global.persistence.enabled + type: boolean + label: Storage Enabled + description: "If true, K10 will use Persistent Volume Claim" + default: true + required: false + group: "Storage Management" + +# ======================== +# Service Account +# ======================== + +- variable: serviceAccount.name + description: "Name of a service account in the target namespace that has cluster-admin permissions. This is needed for the K10 to be able to protect cluster resources." + type: string + label: Service Account Name + required: false + group: "Service Account" + +# ======================== +# License +# ======================== + +- variable: license + description: "License string obtained from Kasten" + type: multiline + label: License String + group: "License" +- variable: eula.accept + description: "Whether to enable accept EULA before installation" + type: boolean + label: Enable accept EULA before installation + group: "License" + show_subquestion_if: true + subquestions: + - variable: eula.company + description: "Company name. Required field if EULA is accepted" + type: string + label: Company Name + - variable: eula.email + description: "Contact email. Required field if EULA is accepted" + type: string + label: Contact Email diff --git a/charts/kasten/k10/7.0.1401/templates/NOTES.txt b/charts/kasten/k10/7.0.1401/templates/NOTES.txt new file mode 100644 index 000000000..b07806ce2 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/templates/NOTES.txt @@ -0,0 +1,222 @@ +Thank you for installing Kasten’s K10 Data Management Platform {{ .Chart.Version }}! +{{- if .Values.fips.enabled }} + +You are operating in FIPS mode. +{{- end }} + +Documentation can be found at https://docs.kasten.io/. + +How to access the K10 Dashboard: + +{{- if .Values.ingress.create }} + +You are using the system's default ingress controller. Please ask your +administrator for instructions on how to access the cluster. + +WebUI location: https://{{ default "Your ingress endpoint" .Values.ingress.host }}/{{ default .Release.Name .Values.ingress.urlPath }} + +In addition, +{{- end }} + +{{- if .Values.route.enabled }} +WebUI location: https://{{ default "k10-route endpoint" .Values.route.host}}/{{ default .Release.Name .Values.route.path }}/ + +In addition, +{{- end }} + +{{- if .Values.externalGateway.create }} +{{- if .Values.externalGateway.fqdn.name }} + +The K10 Dashboard is accessible via {{ if or .Values.secrets.tlsSecret (and .Values.secrets.apiTlsCrt .Values.secrets.apiTlsKey) .Values.externalGateway.awsSSLCertARN }}https{{ else }}http{{ end }}://{{ .Values.externalGateway.fqdn.name }}/{{ .Release.Name }}/#/ + +In addition, +{{- else }} + +The K10 Dashboard is accessible via a LoadBalancer. Find the service's EXTERNAL IP using: + `kubectl get svc gateway-ext --namespace {{ .Release.Namespace }} -o wide` +And use it in following URL + `http://SERVICE_EXTERNAL_IP/{{ .Release.Name }}/#/` + +In addition, +{{- end }} +{{- end }} + +To establish a connection to it use the following `kubectl` command: + +`kubectl --namespace {{ .Release.Namespace }} port-forward service/gateway 8080:{{ .Values.gateway.service.externalPort }}` + +The Kasten dashboard will be available at: `http{{ if or .Values.secrets.tlsSecret (and .Values.secrets.apiTlsCrt .Values.secrets.apiTlsKey) .Values.externalGateway.awsSSLCertARN }}s{{ end }}://127.0.0.1:8080/{{ .Release.Name }}/#/` +{{ if and ( .Values.metering.awsManagedLicense ) ( not .Values.metering.licenseConfigSecretName ) }} + +IAM Role created during installation need to have permissions that allow K10 to +perform operations on EBS and, if needed, EFS and S3. Please create a policy +with required permissions, and use the commands below to attach the policy to +the service account. + +`ROLE_NAME=$(kubectl get serviceaccount {{ .Values.serviceAccount.name }} -n {{ .Release.Namespace }} -ojsonpath="{.metadata.annotations['eks\.amazonaws\.com/role-arn']}" | awk -F '/' '{ print $(NF) }')` +`aws iam attach-role-policy --role-name "${ROLE_NAME}" --policy-arn ` + +Refer to `https://docs.kasten.io/latest/install/aws-containers-anywhere/aws-containers-anywhere.html#attaching-permissions-for-eks-installations` +for more information. + +{{ end }} + +{{- if .Values.restore }} +{{- if or (empty .Values.restore.copyImagePullSecrets) (.Values.restore.copyImagePullSecrets) }} +-------------------- +Removal warning: The helm field `restore.copyImagePullSecrets` has been removed in version 6.0.12. K10 no longer copies the `imagePullSecret` to the application namespace. +-------------------- +{{- end }} +{{- end }} + +{{- if or (not (empty .Values.garbagecollector.importRunActions)) (not (empty .Values.garbagecollector.backupRunActions)) (not (empty .Values.garbagecollector.retireActions)) }} +Deprecation warning: The `garbagecollector.importRunActions`, `garbagecollector.backupRunActions`, `garbagecollector.retireActions` +blocks within the helm chart values have been replaced with `garbagecollector.actions`. +{{- end }} + +{{- if .Values.secrets.azureADEndpoint }} +-------------------- +Deprecation warning: The helm field `secret.azureADEndpoint` is deprecated and will be removed in upcoming release, we recommend you to use correct respective field, i.e., `secrets.microsoftEntraIDEndpoint`. +-------------------- +{{- end }} + + +{{- if .Values.secrets.azureADResourceID }} +-------------------- +Deprecation warning: The helm field `secret.azureADResourceID` is deprecated and will be removed in upcoming release, we recommend you to use correct respective field, i.e., `secrets.microsoftEntraIDResourceID` +-------------------- +{{- end }} + +{{- if .Values.grafana.enabled }} +-------------------- +Deprecation warning: Grafana will no longer be included in the Veeam Kasten installation process from the upcoming release 7.5.0. Upon upgrading to this (7.5.0) version, the integrated version of Grafana will be removed. It is important to install Grafana separately and follow the procedure described in our knowledge base article (https://www.veeam.com/kb4635) to configure the Kasten dashboards and alerts before upgrading Kasten to version 7.5.0. +-------------------- +{{- end }} + +{{- if or .Values.kanisterPodCustomLabels .Values.kanisterPodCustomAnnotations }} +-------------------- +Deprecation warning: The Helm values `kanisterPodCustomLabels` and `kanisterPodCustomAnnotations` are deprecated and will be removed in an upcoming release. Please use `global.podLabels` and `global.podAnnotations` to set labels and annotations to all the Kasten pods globally. +-------------------- +{{- end }} + +{{- if or .Values.secrets.apiTlsCrt .Values.secrets.apiTlsKey }} +-------------------- +Deprecation warning: The Helm values `secrets.apiTlsCrt` and `secrets.apiTlsKey` are deprecated and will be removed in an upcoming release. Please use `secrets.tlsSecret` to specify the name of a secret of type `kubernetes.io/tls`. This reduces the security risk of caching the certificates and keys in the shell history. +-------------------- +{{- end }} + +{{- if .Values.executorReplicas }} +-------------------- +Deprecation warning: The Helm value 'executorReplicas' is deprecated and will be removed in an upcoming release. Please use 'limiter.executorReplicas' instead. +-------------------- +{{- end }} +{{- if .Values.kanisterPodMetricSidecar.enabled }} +-------------------- +Deprecation warning: The Helm value 'kanisterPodMetricSidecar.enabled' is deprecated and will be removed in an upcoming release. Please use 'workerPodMetricSidecar.enabled' instead. +-------------------- +{{- end }} +{{- if .Values.services.executor.workerCount }} +-------------------- +Deprecation warning: The Helm value 'services.executor.workerCount' is deprecated and will be removed in an upcoming release. Please use 'limiter.executorThreads' instead. +-------------------- +{{- end }} +{{- if .Values.services.executor.maxConcurrentRestoreCsiSnapshots }} +-------------------- +Deprecation warning: The Helm value 'services.executor.maxConcurrentRestoreCsiSnapshots' is deprecated and will be removed in an upcoming release. Please use 'limiter.csiSnapshotRestoresPerAction' instead. +-------------------- +{{- end }} +{{- if .Values.services.executor.maxConcurrentRestoreGenericVolumeSnapshots }} +-------------------- +Deprecation warning: The Helm value 'services.executor.maxConcurrentRestoreGenericVolumeSnapshots' is deprecated and will be removed in an upcoming release. Please use 'limiter.volumeRestoresPerAction' instead. +-------------------- +{{- end }} +{{- if .Values.services.executor.maxConcurrentRestoreWorkloads }} +-------------------- +Deprecation warning: The Helm value 'services.executor.maxConcurrentRestoreWorkloads' is deprecated and will be removed in an upcoming release. Please use 'limiter.workloadRestoresPerAction' instead. +-------------------- +{{- end }} +{{- if .Values.kanister.backupTimeout }} +-------------------- +Deprecation warning: The Helm value 'kanister.backupTimeout' is deprecated and will be removed in an upcoming release. Please use 'timeout.blueprintBackup' instead. +-------------------- +{{- end }} +{{- if .Values.kanister.restoreTimeout }} +-------------------- +Deprecation warning: The Helm value 'kanister.restoreTimeout' is deprecated and will be removed in an upcoming release. Please use 'timeout.blueprintRestore' instead. +-------------------- +{{- end }} +{{- if .Values.kanister.deleteTimeout }} +-------------------- +Deprecation warning: The Helm value 'kanister.deleteTimeout' is deprecated and will be removed in an upcoming release. Please use 'timeout.blueprintDelete' instead. +-------------------- +{{- end }} +{{- if .Values.kanister.hookTimeout }} +-------------------- +Deprecation warning: The Helm value 'kanister.hookTimeout' is deprecated and will be removed in an upcoming release. Please use 'timeout.blueprintHooks' instead. +-------------------- +{{- end }} +{{- if .Values.kanister.checkRepoTimeout }} +-------------------- +Deprecation warning: The Helm value 'kanister.checkRepoTimeout' is deprecated and will be removed in an upcoming release. Please use 'timeout.checkRepoPodReady' instead. +-------------------- +{{- end }} +{{- if .Values.kanister.statsTimeout }} +-------------------- +Deprecation warning: The Helm value 'kanister.statsTimeout' is deprecated and will be removed in an upcoming release. Please use 'timeout.statsPodReady' instead. +-------------------- +{{- end }} +{{- if .Values.kanister.efsPostRestoreTimeout }} +-------------------- +Deprecation warning: The Helm value 'kanister.efsPostRestoreTimeout' is deprecated and will be removed in an upcoming release. Please use 'timeout.efsRestorePodReady' instead. +-------------------- +{{- end }} +{{- if .Values.kanister.podReadyWaitTimeout }} +-------------------- +Deprecation warning: The Helm value 'kanister.podReadyWaitTimeout' is deprecated and will be removed in an upcoming release. Please use 'timeout.workerPodReady' instead. +-------------------- +{{- end }} +{{- if .Values.limiter.concurrentSnapConversions }} +-------------------- +Deprecation warning: The Helm value 'limiter.concurrentSnapConversions' is deprecated and will be removed in an upcoming release. Please use 'limiter.snapshotExportsPerAction' instead. +-------------------- +{{- end }} +{{- if .Values.limiter.genericVolumeSnapshots }} +-------------------- +Deprecation warning: The Helm value 'limiter.genericVolumeSnapshots' is deprecated and will be removed in an upcoming release. Please use 'limiter.genericVolumeBackupsPerCluster' instead. +-------------------- +{{- end }} +{{- if .Values.limiter.genericVolumeCopies }} +-------------------- +Deprecation warning: The Helm value 'limiter.genericVolumeCopies' is deprecated and will be removed in an upcoming release. Please use 'limiter.snapshotExportsPerCluster' instead. +-------------------- +{{- end }} +{{- if .Values.limiter.genericVolumeRestores }} +-------------------- +Deprecation warning: The Helm value 'limiter.genericVolumeRestores' is deprecated and will be removed in an upcoming release. Please use 'limiter.volumeRestoresPerCluster' instead. +-------------------- +{{- end }} +{{- if .Values.limiter.csiSnapshots }} +-------------------- +Deprecation warning: The Helm value 'limiter.csiSnapshots' is deprecated and will be removed in an upcoming release. Please use 'limiter.csiSnapshotsPerCluster' instead. +-------------------- +{{- end }} +{{- if .Values.limiter.providerSnapshots }} +-------------------- +Deprecation warning: The Helm value 'limiter.providerSnapshots' is deprecated and will be removed in an upcoming release. Please use 'limiter.directSnapshotsPerCluster' instead. +-------------------- +{{- end }} +{{- if .Values.limiter.imageCopies }} +-------------------- +Deprecation warning: The Helm value 'limiter.imageCopies' is deprecated and will be removed in an upcoming release. Please use 'limiter.imageCopiesPerCluster' instead. +-------------------- +{{- end }} +{{- if .Values.maxJobWaitDuration }} +-------------------- +Deprecation warning: The Helm value 'maxJobWaitDuration' is deprecated and will be removed in an upcoming release. Please use 'timeout.jobWait' instead. +-------------------- +{{- end }} +{{- if .Values.forceRootInKanisterHooks }} +-------------------- +Deprecation warning: The Helm value 'forceRootInKanisterHooks' is deprecated and will be removed in an upcoming release. Please use 'forceRootInBlueprintActions' instead. +-------------------- +{{- end }} \ No newline at end of file diff --git a/charts/kasten/k10/7.0.1401/templates/_definitions.tpl b/charts/kasten/k10/7.0.1401/templates/_definitions.tpl new file mode 100644 index 000000000..a10ca3b4e --- /dev/null +++ b/charts/kasten/k10/7.0.1401/templates/_definitions.tpl @@ -0,0 +1,256 @@ +{{/* Code generated automatically. DO NOT EDIT. */}} +{{/* K10 services can be disabled by customers via helm value based feature flags. +Therefore, fetching of a list or yaml with service names should be done with the get.enabled* helper functions. +For example, the k10.restServices list can be fetched with get.enabledRestServices */}} +{{- define "k10.additionalServices" -}}frontend kanister{{- end -}} +{{- define "k10.restServices" -}}auth bloblifecyclemanager catalog controllermanager crypto dashboardbff events executor garbagecollector jobs logging metering repositories state vbrintegrationapi{{- end -}} +{{- define "k10.services" -}}aggregatedapis gateway{{- end -}} +{{- define "k10.exposedServices" -}}auth dashboardbff vbrintegrationapi{{- end -}} +{{- define "k10.statelessServices" -}}aggregatedapis auth bloblifecyclemanager controllermanager crypto dashboardbff events executor garbagecollector repositories gateway state vbrintegrationapi{{- end -}} +{{- define "k10.colocatedServices" -}} +bloblifecyclemanager: + port: 8001 + primary: crypto +events: + port: 8001 + primary: state +garbagecollector: + port: 8002 + primary: crypto +repositories: + port: 8003 + primary: crypto +vbrintegrationapi: + port: 8001 + primary: dashboardbff +{{- end -}} +{{- define "k10.colocatedServiceLookup" -}} +crypto: +- bloblifecyclemanager +- garbagecollector +- repositories +dashboardbff: +- vbrintegrationapi +state: +- events +{{- end -}} +{{- define "k10.aggregatedAPIs" -}}actions apps repositories vault dr{{- end -}} +{{- define "k10.configAPIs" -}}config{{- end -}} +{{- define "k10.profiles" -}}profiles{{- end -}} +{{- define "k10.policies" -}}policies{{- end -}} +{{- define "k10.policypresets" -}}policypresets{{- end -}} +{{- define "k10.transformsets" -}}transformsets{{- end -}} +{{- define "k10.blueprintbindings" -}}blueprintbindings{{- end -}} +{{- define "k10.auditconfigs" -}}auditconfigs{{- end -}} +{{- define "k10.storagesecuritycontexts" -}}storagesecuritycontexts{{- end -}} +{{- define "k10.storagesecuritycontextbindings" -}}storagesecuritycontextbindings{{- end -}} +{{- define "k10.reportingAPIs" -}}reporting{{- end -}} +{{- define "k10.distAPIs" -}}dist{{- end -}} +{{- define "k10.actionsAPIs" -}}actions{{- end -}} +{{- define "k10.backupActions" -}}backupactions{{- end -}} +{{- define "k10.backupActionsDetails" -}}backupactions/details{{- end -}} +{{- define "k10.reportActions" -}}reportactions{{- end -}} +{{- define "k10.reportActionsDetails" -}}reportactions/details{{- end -}} +{{- define "k10.storageRepositories" -}}storagerepositories{{- end -}} +{{- define "k10.restoreActions" -}}restoreactions{{- end -}} +{{- define "k10.restoreActionsDetails" -}}restoreactions/details{{- end -}} +{{- define "k10.importActions" -}}importactions{{- end -}} +{{- define "k10.exportActions" -}}exportactions{{- end -}} +{{- define "k10.exportActionsDetails" -}}exportactions/details{{- end -}} +{{- define "k10.retireActions" -}}retireactions{{- end -}} +{{- define "k10.runActions" -}}runactions{{- end -}} +{{- define "k10.runActionsDetails" -}}runactions/details{{- end -}} +{{- define "k10.backupClusterActions" -}}backupclusteractions{{- end -}} +{{- define "k10.backupClusterActionsDetails" -}}backupclusteractions/details{{- end -}} +{{- define "k10.restoreClusterActions" -}}restoreclusteractions{{- end -}} +{{- define "k10.restoreClusterActionsDetails" -}}restoreclusteractions/details{{- end -}} +{{- define "k10.cancelActions" -}}cancelactions{{- end -}} +{{- define "k10.upgradeActions" -}}upgradeactions{{- end -}} +{{- define "k10.appsAPIs" -}}apps{{- end -}} +{{- define "k10.restorePoints" -}}restorepoints{{- end -}} +{{- define "k10.restorePointsDetails" -}}restorepoints/details{{- end -}} +{{- define "k10.clusterRestorePoints" -}}clusterrestorepoints{{- end -}} +{{- define "k10.clusterRestorePointsDetails" -}}clusterrestorepoints/details{{- end -}} +{{- define "k10.applications" -}}applications{{- end -}} +{{- define "k10.applicationsDetails" -}}applications/details{{- end -}} +{{- define "k10.vaultAPIs" -}}vault{{- end -}} +{{- define "k10.passkey" -}}passkeys{{- end -}} +{{- define "k10.authAPIs" -}}auth{{- end -}} +{{- define "k10.defaultK10LimiterSnapshotExportsPerAction" -}}3{{- end -}} +{{- define "k10.defaultK10LimiterWorkloadSnapshotsPerAction" -}}5{{- end -}} +{{- define "k10.defaultK10DataStoreParallelUpload" -}}8{{- end -}} +{{- define "k10.defaultK10DataStoreGeneralContentCacheSizeMB" -}}0{{- end -}} +{{- define "k10.defaultK10DataStoreGeneralMetadataCacheSizeMB" -}}500{{- end -}} +{{- define "k10.defaultK10DataStoreRestoreContentCacheSizeMB" -}}500{{- end -}} +{{- define "k10.defaultK10DataStoreRestoreMetadataCacheSizeMB" -}}500{{- end -}} +{{- define "k10.defaultK10BackupBufferFileHeadroomFactor" -}}1.1{{- end -}} +{{- define "k10.defaultK10LimiterGenericVolumeBackupsPerCluster" -}}10{{- end -}} +{{- define "k10.defaultK10LimiterSnapshotExportsPerCluster" -}}10{{- end -}} +{{- define "k10.defaultK10LimiterVolumeRestoresPerCluster" -}}10{{- end -}} +{{- define "k10.defaultK10LimiterCsiSnapshotsPerCluster" -}}10{{- end -}} +{{- define "k10.defaultK10LimiterImageCopiesPerCluster" -}}10{{- end -}} +{{- define "k10.defaultK10LimiterDirectSnapshotsPerCluster" -}}10{{- end -}} +{{- define "k10.defaultK10GCDaemonPeriod" -}}21600{{- end -}} +{{- define "k10.defaultK10GCKeepMaxActions" -}}1000{{- end -}} +{{- define "k10.defaultK10GCActionsEnabled" -}}false{{- end -}} +{{- define "k10.defaultK10LimiterExecutorThreads" -}}8{{- end -}} +{{- define "k10.defaultK10LimiterCsiSnapshotRestoresPerAction" -}}3{{- end -}} +{{- define "k10.defaultK10LimiterVolumeRestoresPerAction" -}}3{{- end -}} +{{- define "k10.defaultK10LimiterWorkloadRestoresPerAction" -}}3{{- end -}} +{{- define "k10.defaultAssumeRoleDuration" -}}60m{{- end -}} +{{- define "k10.defaultK10TimeoutBlueprintBackup" -}}45{{- end -}} +{{- define "k10.defaultK10TimeoutBlueprintRestore" -}}600{{- end -}} +{{- define "k10.defaultK10TimeoutBlueprintDelete" -}}45{{- end -}} +{{- define "k10.defaultK10TimeoutBlueprintHooks" -}}20{{- end -}} +{{- define "k10.defaultK10TimeoutCheckRepoPodReady" -}}20{{- end -}} +{{- define "k10.defaultK10TimeoutStatsPodReady" -}}20{{- end -}} +{{- define "k10.defaultK10TimeoutEFSRestorePodReady" -}}45{{- end -}} +{{- define "k10.cloudProviders" -}}aws google azure{{- end -}} +{{- define "k10.serviceResources" -}} +aggregatedapis-svc: + aggregatedapis-svc: + requests: + cpu: 90m + memory: 180Mi +auth-svc: + auth-svc: + requests: + cpu: 2m + memory: 30Mi +catalog-svc: + catalog-svc: + requests: + cpu: 200m + memory: 780Mi + kanister-sidecar: + limits: + cpu: 1200m + memory: 800Mi + requests: + cpu: 100m + memory: 800Mi + schema-upgrade-check: + requests: + cpu: 200m + memory: 780Mi + upgrade-init: + requests: + cpu: 5m + memory: 20Mi +controllermanager-svc: + controllermanager-svc: + requests: + cpu: 5m + memory: 30Mi +crypto-svc: + bloblifecyclemanager-svc: + requests: + cpu: 10m + memory: 40Mi + crypto-svc: + requests: + cpu: 1m + memory: 30Mi + garbagecollector-svc: + requests: + cpu: 3m + memory: 100Mi + repositories-svc: + requests: + cpu: 10m + memory: 40Mi +dashboardbff-svc: + dashboardbff-svc: + requests: + cpu: 8m + memory: 40Mi + vbrintegrationapi-svc: + requests: + cpu: 3m + memory: 120Mi +executor-svc: + executor-svc: + requests: + cpu: 3m + memory: 50Mi + tools: + requests: + cpu: 1m + memory: 2Mi +frontend-svc: + frontend-svc: + requests: + cpu: 1m + memory: 40Mi +jobs-svc: + jobs-svc: + requests: + cpu: 30m + memory: 380Mi + upgrade-init: + requests: + cpu: 5m + memory: 20Mi +kanister-svc: + kanister-svc: + requests: + cpu: 1m + memory: 30Mi +logging-svc: + logging-svc: + requests: + cpu: 2m + memory: 40Mi + upgrade-init: + requests: + cpu: 5m + memory: 20Mi +metering-svc: + metering-svc: + requests: + cpu: 2m + memory: 30Mi + upgrade-init: + requests: + cpu: 5m + memory: 20Mi +state-svc: + events-svc: + requests: + cpu: 3m + memory: 500Mi + state-svc: + requests: + cpu: 2m + memory: 30Mi +{{- end -}} +{{- define "k10.multiClusterVersion" -}}2.5{{- end -}} +{{- define "k10.mcExternalPort" -}}18000{{- end -}} +{{- define "k10.defaultKubeVirtVMsUnfreezeTimeout" -}}5m{{- end -}} +{{- define "k10.aggAuditPolicyFile" -}}agg-audit-policy.yaml{{- end -}} +{{- define "k10.siemAuditLogFilePath" -}}-{{- end -}} +{{- define "k10.siemAuditLogFileSize" -}}100{{- end -}} +{{- define "k10.kanisterToolsImageTag" -}}0.112.0{{- end -}} +{{- define "k10.disabledServicesEnvVar" -}}K10_DISABLED_SERVICES{{- end -}} +{{- define "k10.openShiftClientSecretEnvVar" -}}K10_OPENSHIFT_CLIENT_SECRET{{- end -}} +{{- define "k10.defaultK10DefaultPriorityClassName" -}}{{- end -}} +{{- define "k10.dexServiceAccountName" -}}k10-dex-k10-sa{{- end -}} +{{- define "k10.defaultCACertConfigMapName" -}}custom-ca-bundle-store{{- end -}} +{{- define "k10.openShiftConsolePluginName" -}}veeam-kasten-console-plugin{{- end -}} +{{- define "k10.openShiftConsolePluginImageName" -}}ocpconsoleplugin{{- end -}} +{{- define "k10.gatewayPrefixVarName" -}}PREFIX_PATH{{- end -}} +{{- define "k10.gatewayGrafanaSvcVarName" -}}GRAFANA_SVC_NAME{{- end -}} +{{- define "k10.gatewayRequestHeadersVarName" -}}EXTAUTH_REQUEST_HEADERS{{- end -}} +{{- define "k10.gatewayAuthHeadersVarName" -}}EXTAUTH_AUTH_HEADERS{{- end -}} +{{- define "k10.gatewayPortVarName" -}}PORT{{- end -}} +{{- define "k10.gatewayEnableDex" -}}ENABLE_DEX{{- end -}} +{{- define "k10.gatewayTLSCertFile" -}}TLS_CRT_FILE{{- end -}} +{{- define "k10.gatewayTLSKeyFile" -}}TLS_KEY_FILE{{- end -}} +{{- define "k10.azureClientIDEnvVar" -}}AZURE_CLIENT_ID{{- end -}} +{{- define "k10.azureTenantIDEnvVar" -}}AZURE_TENANT_ID{{- end -}} +{{- define "k10.azureClientSecretEnvVar" -}}AZURE_CLIENT_SECRET{{- end -}} +{{- define "k10.oidcSecretName" -}}k10-oidc-auth{{- end -}} +{{- define "k10.oidcCustomerSecretName" -}}k10-oidc-auth-creds{{- end -}} +{{- define "k10.secretsDir" -}}/var/run/secrets/kasten.io{{- end -}} +{{- define "k10.sccNameEnvVar" -}}K10_SCC_NAME{{- end -}} +{{- define "k10.fluentbitEndpointEnvVar" -}}FLUENTBIT_ENDPOINT{{- end -}} diff --git a/charts/kasten/k10/7.0.1401/templates/_grafana.tpl b/charts/kasten/k10/7.0.1401/templates/_grafana.tpl new file mode 100644 index 000000000..53ade64a0 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/templates/_grafana.tpl @@ -0,0 +1,18 @@ +{{/*** SELECTOR LABELS *** + NOTE: The selector labels here (`app` and `release`) are divergent from + the selector labels set by the upstream chart. This is intentional since a + Deployment's `spec.selector` is immutable and K10 has already been shipped + with these values. + + A change to these selector labels will mean that all customers must manually + delete the Grafana Deployment before upgrading, which is a situation we don't + want for our customers. + + Instead, the `app.kubernetes.io/name` and `app.kubernetes.io/instance` labels + are included in the `grafana.extraLabels` in: + `templates/{values}/grafana/values/grafana_values.tpl`. +*/}} +{{- define "grafana.selectorLabels" -}} +app: {{ include "grafana.name" . }} +release: {{ .Release.Name }} +{{- end -}} diff --git a/charts/kasten/k10/7.0.1401/templates/_helpers.tpl b/charts/kasten/k10/7.0.1401/templates/_helpers.tpl new file mode 100644 index 000000000..746622431 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/templates/_helpers.tpl @@ -0,0 +1,1614 @@ +{{/* Returns a string of the disabled K10 services */}} +{{- define "get.disabledServices" -}} + {{/* Append services to this list based on helm values */}} + {{- $disabledServices := list -}} + + {{- if eq .Values.logging.internal false -}} + {{- $disabledServices = append $disabledServices "logging" -}} + {{- end -}} + + {{- $disabledServices | join " " -}} +{{- end -}} + +{{/* Removes disabled service names from the provided string of service names */}} +{{- define "removeDisabledServicesFromList" -}} + {{- $disabledServices := include "get.disabledServices" .main | splitList " " -}} + {{- $services := .list | splitList " " -}} + + {{- range $disabledServices -}} + {{- $services = without $services . -}} + {{- end -}} + + {{- $services | join " " -}} +{{- end -}} + +{{/* Removes keys with disabled service names from the provided YAML string */}} +{{- define "removeDisabledServicesFromYaml" -}} + {{- $disabledServices := include "get.disabledServices" .main | splitList " " -}} + {{- $services := .yaml | fromYaml -}} + + {{- range $disabledServices -}} + {{- $services = unset $services . -}} + {{- end -}} + + {{- if gt (len $services) 0 -}} + {{- $services | toYaml | trim | nindent 0}} + {{- else -}} + {{- print "" -}} + {{- end -}} +{{- end -}} + +{{/* Returns k10.additionalServices string with disabled services removed */}} +{{- define "get.enabledAdditionalServices" -}} + {{- $list := include "k10.additionalServices" . -}} + {{- dict "main" . "list" $list | include "removeDisabledServicesFromList" -}} +{{- end -}} + +{{/* Returns k10.restServices string with disabled services removed */}} +{{- define "get.enabledRestServices" -}} + {{- $list := include "k10.restServices" . -}} + {{- dict "main" . "list" $list | include "removeDisabledServicesFromList" -}} +{{- end -}} + +{{/* Returns k10.services string with disabled services removed */}} +{{- define "get.enabledServices" -}} + {{- $list := include "k10.services" . -}} + {{- dict "main" . "list" $list | include "removeDisabledServicesFromList" -}} +{{- end -}} + +{{/* Returns k10.exposedServices string with disabled services removed */}} +{{- define "get.enabledExposedServices" -}} + {{- $list := include "k10.exposedServices" . -}} + {{- dict "main" . "list" $list | include "removeDisabledServicesFromList" -}} +{{- end -}} + +{{/* Returns k10.statelessServices string with disabled services removed */}} +{{- define "get.enabledStatelessServices" -}} + {{- $list := include "k10.statelessServices" . -}} + {{- dict "main" . "list" $list | include "removeDisabledServicesFromList" -}} +{{- end -}} + +{{/* Returns k10.colocatedServices string with disabled services removed */}} +{{- define "get.enabledColocatedServices" -}} + {{- $yaml := include "k10.colocatedServices" . -}} + {{- dict "main" . "yaml" $yaml | include "removeDisabledServicesFromYaml" -}} +{{- end -}} + +{{/* Returns YAML of primary services mapped to their secondary services */}} +{{/* The content will only have services which are not disabled */}} +{{- define "get.enabledColocatedServiceLookup" -}} + {{- $colocatedServicesLookup := include "k10.colocatedServiceLookup" . | fromYaml -}} + {{- $disabledServices := include "get.disabledServices" . | splitList " " -}} + {{- $filteredLookup := dict -}} + + {{/* construct filtered lookup */}} + {{- range $primaryService, $secondaryServices := $colocatedServicesLookup -}} + {{/* proceed only if primary service is enabled */}} + {{- if not (has $primaryService $disabledServices) -}} + {{/* filter out secondary services */}} + {{- range $disabledServices -}} + {{- $secondaryServices = without $secondaryServices . -}} + {{- end -}} + {{/* add entry for primary service only if secondary services exist */}} + {{- if gt (len $secondaryServices) 0 -}} + {{- $filteredLookup = set $filteredLookup $primaryService $secondaryServices -}} + {{- end -}} + {{- end -}} + {{- end -}} + + {{/* return filtered lookup */}} + {{- if gt (len $filteredLookup) 0 -}} + {{- $filteredLookup | toYaml | trim | nindent 0 -}} + {{- else -}} + {{- print "" -}} + {{- end -}} +{{- end -}} + +{{- define "k10.capabilities" -}} + {{- /* Internal capabilities enabled by other Helm values are added here */ -}} + {{- $internal_capabilities := list "gateway" -}} + + {{- /* Multi-cluster */ -}} + {{- if eq .Values.multicluster.enabled true -}} + {{- $internal_capabilities = append $internal_capabilities "mc" -}} + {{- end -}} + + {{- /* FIPS */ -}} + {{- if .Values.fips.enabled -}} + {{- $internal_capabilities = append $internal_capabilities "fips.strict" -}} + {{- $internal_capabilities = append $internal_capabilities "crypto.k10.v2" -}} + {{- $internal_capabilities = append $internal_capabilities "crypto.storagerepository.v2" -}} + {{- $internal_capabilities = append $internal_capabilities "crypto.vbr.v2" -}} + {{- $internal_capabilities = append $internal_capabilities "gateway" -}} + {{- end -}} + + {{- concat $internal_capabilities (.Values.capabilities | default list) | join " " -}} +{{- end -}} + +{{- define "k10.capabilities_mask" -}} + {{- /* Internal capabilities masked by other Helm values are added here */ -}} + {{- $internal_capabilities_mask := list -}} + + {{- /* Multi-cluster */ -}} + {{- if eq .Values.multicluster.enabled false -}} + {{- $internal_capabilities_mask = append $internal_capabilities_mask "mc" -}} + {{- end -}} + + {{- concat $internal_capabilities_mask (.Values.capabilitiesMask | default list) | join " " -}} +{{- end -}} + +{{/* + k10.capability checks whether a given capability is enabled + + For example: + + include "k10.capability" (. | merge (dict "capability" "SOME.CAPABILITY")) +*/}} +{{- define "k10.capability" -}} + {{- $capabilities := dict -}} + {{- range $capability := include "k10.capabilities" . | splitList " " -}} + {{- $_ := set $capabilities $capability "enabled" -}} + {{- end -}} + {{- range $capability := include "k10.capabilities_mask" . | splitList " " -}} + {{- $_ := unset $capabilities $capability -}} + {{- end -}} + + {{- index $capabilities .capability | default "" -}} +{{- end -}} + +{{/* + k10.capability.gateway checks whether the "gateway" capability is enabled +*/}} +{{- define "k10.capability.gateway" -}} + {{- include "k10.capability" (. | merge (dict "capability" "gateway")) -}} +{{- end -}} + +{{/* Check if basic auth is needed */}} +{{- define "basicauth.check" -}} + {{- if .Values.auth.basicAuth.enabled }} + {{- print true }} + {{- end -}} {{/* End of check for auth.basicAuth.enabled */}} +{{- end -}} + +{{/* +Check if trusted root CA certificate related configmap settings +have been configured +*/}} +{{- define "check.cacertconfigmap" -}} +{{- if .Values.cacertconfigmap.name -}} +{{- print true -}} +{{- else -}} +{{- print false -}} +{{- end -}} +{{- end -}} + +{{/* +Check if OCP CA certificates automatic extraction is enabled +*/}} +{{- define "k10.ocpcacertsautoextraction" -}} + {{- if and .Values.auth.openshift.enabled .Values.auth.openshift.caCertsAutoExtraction -}} + {{- true -}} + {{- end -}} +{{- end -}} + +{{/* +Get the name of the CA certificate related configmap +*/}} +{{- define "k10.cacertconfigmapname" -}} + {{- if eq (include "check.cacertconfigmap" .) "true" -}} + {{- .Values.cacertconfigmap.name -}} + {{- else if (include "k10.ocpcacertsautoextraction" .) -}} + {{- include "k10.defaultCACertConfigMapName" . -}} + {{- end -}} +{{- end -}} + +{{- define "k10.sccAnnotations" -}} + {{- if .Values.scc.create -}} + {{- dict "openshift.io/required-scc" (printf "%s-scc" .Release.Name) | toYaml -}} + {{- end -}} +{{- end -}} + +{{/* Merging common pod labels for deployments with specific order of priority +to prevent overwriting of required labels. Certain site-specific required labels +are passed into the context as a dict at the caller site. */}} +{{- define "k10.deploymentPodLabels" -}} + {{- (merge (dict) (.requiredLabels) (include "k10.azMarketPlace.billingIdentifier" . | fromYaml) (include "helm.labels" . | fromYaml) (include "k10.globalPodLabels" . | fromYaml)) | toYaml -}} +{{- end -}} + +{{/* Merging common pod annotations for deployments with specific order of +priority to prevent overwriting of required annotations. Certain site-specific +required annotations are passed into the context as a dict at the caller site. */}} +{{- define "k10.deploymentPodAnnotations" -}} + {{- (merge (dict) (.requiredAnnotations) (dict "checksum/config" (include (print .Template.BasePath "/k10-config.yaml") . | sha256sum)) (dict "checksum/secret" (include (print .Template.BasePath "/secrets.yaml") . | sha256sum)) (include "k10.sccAnnotations" . | fromYaml) (include "k10.globalPodAnnotations" . | fromYaml)) | toYaml -}} +{{- end -}} + +{{/* Custom pod labels applied globally to all pods */}} +{{- define "k10.globalPodLabels" -}} + {{ include "k10.validateGlobalAndKanisterLabelsAnnotations" . }} + {{- with .Values.global.podLabels -}} + {{- toYaml . -}} + {{- end -}} +{{- end -}} + +{{/* Custom pod labels applied globally to all pods in a json format */}} +{{- define "k10.globalPodLabelsJson" -}} + {{- if .Values.global.podLabels -}} + {{- toJson .Values.global.podLabels -}} + {{- end -}} +{{- end -}} + +{{/* Custom pod annotations applied globally to all pods */}} +{{- define "k10.globalPodAnnotations" -}} + {{ include "k10.validateGlobalAndKanisterLabelsAnnotations" . }} + {{- with .Values.global.podAnnotations -}} + {{- toYaml . -}} + {{- end -}} +{{- end -}} + +{{/* Custom pod annotations applied globally to all pods in a json format */}} +{{- define "k10.globalPodAnnotationsJson" -}} + {{- if .Values.global.podAnnotations -}} + {{- toJson .Values.global.podAnnotations -}} + {{- end -}} +{{- end -}} + +{{/* +Validate and fail if the labels/annotations are configured at global level (global.podLabels) +as well as kanister helm field level (kanisterPodCustomLabels) +*/}} +{{- define "k10.validateGlobalAndKanisterLabelsAnnotations" -}} + {{- if and .Values.global.podAnnotations .Values.kanisterPodCustomAnnotations -}} + {{- fail "The `kanisterPodCustomAnnotations` field has been deprecated and cannot be used simultaneously with `global.podAnnotations`. Please use `global.podAnnotations` to set annotations to all the Kasten pods globally." }} + {{- end -}} + {{- if and .Values.global.podLabels .Values.kanisterPodCustomLabels -}} + {{- fail "The `kanisterPodCustomLabels` field has been deprecated and cannot be used simultaneously with `global.podLabels`. Please use `global.podLabels` to set labels to all the Kasten pods globally." }} + {{- end -}} +{{- end -}} + +{{/* +Check if the auth options are implemented using Dex +*/}} +{{- define "check.dexAuth" -}} +{{- if or .Values.auth.openshift.enabled .Values.auth.ldap.enabled -}} +{{- print true -}} +{{- end -}} +{{- end -}} + +{{/* Check the only 1 auth is specified */}} +{{- define "singleAuth.check" -}} +{{- $count := dict "count" (int 0) -}} +{{- $authList := list .Values.auth.basicAuth.enabled .Values.auth.tokenAuth.enabled .Values.auth.oidcAuth.enabled .Values.auth.openshift.enabled .Values.auth.ldap.enabled -}} +{{- range $i, $val := $authList }} +{{ if $val }} +{{ $c := add1 $count.count | set $count "count" }} +{{ if gt $count.count 1 }} +{{- fail "Multiple auth types were selected. Only one type can be enabled." }} +{{ end }} +{{ end }} +{{- end }} +{{- end -}}{{/* Check the only 1 auth is specified */}} + +{{/* Check if Auth is enabled */}} +{{- define "authEnabled.check" -}} +{{- $count := dict "count" (int 0) -}} +{{- $authList := list .Values.auth.basicAuth.enabled .Values.auth.tokenAuth.enabled .Values.auth.oidcAuth.enabled .Values.auth.openshift.enabled .Values.auth.ldap.enabled -}} +{{- range $i, $val := $authList }} +{{ if $val }} +{{ $c := add1 $count.count | set $count "count" }} +{{ end }} +{{- end }} +{{- if eq $count.count 0}} + {{- fail "Auth is required to expose access to K10." }} +{{- end }} +{{- end -}}{{/*end of check */}} + +{{/* Return ingress class name annotation */}} +{{- define "ingressClassAnnotation" -}} +{{- if .Values.ingress.class -}} +kubernetes.io/ingress.class: {{ .Values.ingress.class | quote }} +{{- end -}} +{{- end -}} + +{{/* Return ingress class name in spec */}} +{{- define "specIngressClassName" -}} +{{- if and .Values.ingress.class (semverCompare ">= 1.27-0" .Capabilities.KubeVersion.Version) -}} +ingressClassName: {{ .Values.ingress.class }} +{{- end -}} +{{- end -}} + +{{/* Helm required labels */}} +{{- define "helm.labels" -}} +heritage: {{ .Release.Service }} +helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} +app.kubernetes.io/name: {{ .Chart.Name }} +app.kubernetes.io/instance: {{ .Release.Name }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{ include "k10.common.matchLabels" . }} +{{- end -}} + +{{- define "k10.common.matchLabels" -}} +app: {{ .Chart.Name }} +release: {{ .Release.Name }} +{{- end -}} + +{{- define "k10.defaultRBACLabels" -}} +k10.kasten.io/default-rbac-object: "true" +{{- end -}} + +{{/* Expand the name of the chart. */}} +{{- define "name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "fullname" -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create the name of the service account to use +*/}} +{{- define "serviceAccountName" -}} +{{- if and .Values.metering.awsMarketplace ( not .Values.serviceAccount.name ) -}} + {{ print "k10-metering" }} +{{- else if .Values.serviceAccount.create -}} + {{ default (include "fullname" .) .Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Create the name of the metering service account to use +*/}} +{{- define "meteringServiceAccountName" -}} +{{- if and .Values.metering.awsManagedLicense ( not .Values.serviceAccount.name ) ( not .Values.metering.serviceAccount.name ) ( not .Values.metering.licenseConfigSecretName ) -}} + {{ print "k10-metering" }} +{{- else -}} + {{ default (include "serviceAccountName" .) .Values.metering.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Prints annotations based on .Values.fqdn.type +*/}} +{{- define "dnsAnnotations" -}} +{{- if .Values.externalGateway.fqdn.name -}} +{{- if eq "route53-mapper" ( default "" .Values.externalGateway.fqdn.type) }} +domainName: {{ .Values.externalGateway.fqdn.name | quote }} +{{- end }} +{{- if eq "external-dns" (default "" .Values.externalGateway.fqdn.type) }} +external-dns.alpha.kubernetes.io/hostname: {{ .Values.externalGateway.fqdn.name | quote }} +{{- end }} +{{- end -}} +{{- end -}} + +{{/* +Prometheus scrape config template for k10 services +*/}} +{{- define "k10.prometheusScrape" -}} +{{- $cluster_domain := "" -}} +{{- with .main.Values.cluster.domainName -}} + {{- $cluster_domain = printf ".%s" . -}} +{{- end -}} +{{- $admin_port := default 8877 .main.Values.service.gatewayAdminPort -}} +- job_name: {{ .k10service }} + metrics_path: /metrics + {{- if eq "aggregatedapis" .k10service }} + scheme: https + tls_config: + insecure_skip_verify: true + bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + {{- else }} + scheme: http + {{- end }} + static_configs: + - targets: + {{- if eq "gateway" .k10service }} + - {{ .k10service }}-admin.{{ .main.Release.Namespace }}.svc{{ $cluster_domain }}:{{ $admin_port }} + {{- else if eq "aggregatedapis" .k10service }} + - {{ .k10service }}-svc.{{ .main.Release.Namespace }}.svc{{ $cluster_domain }}:443 + {{- else }} + {{- $service := default .k10service (index (include "get.enabledColocatedServices" . | fromYaml) .k10service).primary }} + {{- $port := default .main.Values.service.externalPort (index (include "get.enabledColocatedServices" . | fromYaml) .k10service).port }} + - {{ $service }}-svc.{{ .main.Release.Namespace }}.svc{{ $cluster_domain }}:{{ $port }} + {{- end }} + labels: + application: {{ .main.Release.Name }} + service: {{ .k10service }} +{{- end -}} + +{{/* +Prometheus scrape config template for k10 services +*/}} +{{- define "k10.prometheusTargetConfig" -}} +{{- $cluster_domain := "" -}} +{{- with .main.Values.cluster.domainName -}} + {{- $cluster_domain = printf ".%s" . -}} +{{- end -}} +{{- $admin_port := default 8877 .main.Values.service.gatewayAdminPort | toString -}} +- service: {{ .k10service }} + metricsPath: /metrics + {{- if eq "aggregatedapis" .k10service }} + scheme: https + tls_config: + insecure_skip_verify: true + bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + {{- else }} + scheme: http + {{- end }} + {{- $serviceFqdn := "" }} + {{- $servicePort := "" }} + {{- if eq "gateway" .k10service -}} + {{- $serviceFqdn = printf "%s-admin.%s.svc%s" .k10service .main.Release.Namespace $cluster_domain -}} + {{- $servicePort = $admin_port -}} + {{- else if eq "aggregatedapis" .k10service -}} + {{- $serviceFqdn = printf "%s-svc.%s.svc%s" .k10service .main.Release.Namespace $cluster_domain -}} + {{- $servicePort = "443" -}} + {{- else -}} + {{- $service := default .k10service (index (include "get.enabledColocatedServices" .main | fromYaml) .k10service).primary -}} + {{- $port := default .main.Values.service.externalPort (index (include "get.enabledColocatedServices" .main | fromYaml) .k10service).port | toString -}} + {{- $serviceFqdn = printf "%s-svc.%s.svc%s" $service .main.Release.Namespace $cluster_domain -}} + {{- $servicePort = $port -}} + {{- end }} + fqdn: {{ $serviceFqdn }} + port: {{ $servicePort }} + application: {{ .main.Release.Name }} +{{- end -}} + +{{/* +Expands the name of the Prometheus chart. It is equivalent to what the +"prometheus.name" template does. It is needed because the referenced values in a +template are relative to where/when the template is called from, and not where +the template is defined at. This means that the value of .Chart.Name and +.Values.nameOverride are different depending on whether the template is called +from within the Prometheus chart or the K10 chart. +*/}} +{{- define "k10.prometheus.name" -}} +{{- default "prometheus" .Values.prometheus.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Expands the name of the Prometheus service created to expose the prometheus server. +*/}} +{{- define "k10.prometheus.service.name" -}} +{{- default (printf "%s-%s-%s" .Release.Name "prometheus" .Values.prometheus.server.name) .Values.prometheus.server.fullnameOverride }} +{{- end -}} + +{{/* +Checks if EULA is accepted via cmd +Enforces eula.company and eula.email as required fields +returns configMap fields +*/}} +{{- define "k10.eula.fields" -}} +{{- if .Values.eula.accept -}} +accepted: "true" +company: {{ required "eula.company is required field if eula is accepted" .Values.eula.company }} +email: {{ required "eula.email is required field if eula is accepted" .Values.eula.email }} +{{- else -}} +accepted: "" +company: "" +email: "" +{{- end }} +{{- end -}} + +{{/* +Helper to determine the API Domain +*/}} +{{- define "apiDomain" -}} +{{- if .Values.useNamespacedAPI -}} +kio.{{- replace "-" "." .Release.Namespace -}} +{{- else -}} +kio.kasten.io +{{- end -}} +{{- end -}} + +{{/* +Get dex image, if user wants to +install certified version of upstream +images or not +*/}} + +{{- define "get.dexImage" }} + {{- (get .Values.global.images (include "dex.dexImageName" .)) | default (include "dex.dexImage" .) }} +{{- end }} + +{{- define "dex.dexImage" -}} + {{- printf "%s:%s" (include "dex.dexImageRepo" .) (include "dex.dexImageTag" .) }} +{{- end -}} + +{{- define "dex.dexImageRepo" -}} + {{- if .Values.global.airgapped.repository }} + {{- printf "%s/%s" .Values.global.airgapped.repository (include "dex.dexImageName" .) }} + {{- else if .Values.global.azMarketPlace }} + {{- printf "%s/%s" .Values.global.azure.images.dex.registry .Values.global.azure.images.dex.image }} + {{- else }} + {{- printf "%s/%s" .Values.global.image.registry (include "dex.dexImageName" .) }} + {{- end }} +{{- end -}} + +{{- define "dex.dexImageName" -}} + {{- printf "dex" }} +{{- end -}} + +{{- define "dex.dexImageTag" -}} + {{- if .Values.global.azMarketPlace }} + {{- print .Values.global.azure.images.dex.tag }} + {{- else }} + {{- .Values.global.image.tag | default .Chart.AppVersion }} + {{- end -}} +{{- end -}} + +{{/* + Get dex frontend directory (in the dex image) +*/}} +{{- define "k10.dexFrontendDir" -}} + {{- $dexImageDict := default $.Values.dexImage dict }} + {{- index $dexImageDict "frontendDir" | default "/srv/dex/web" }} +{{- end -}} + +{{/* +Get the k10tools image. +*/}} +{{- define "k10.k10ToolsImage" -}} + {{- (get .Values.global.images (include "k10.k10ToolsImageName" .)) | default (include "k10.k10ToolsDefaultImage" .) -}} +{{- end -}} + +{{- define "k10.k10ToolsDefaultImage" -}} + {{- printf "%s:%s" (include "k10.k10ToolsImageRepo" .) (include "k10.k10ToolsImageTag" .) -}} +{{- end -}} + +{{- define "k10.k10ToolsImageRepo" -}} + {{- if .Values.global.airgapped.repository -}} + {{- printf "%s/%s" .Values.global.airgapped.repository (include "k10.k10ToolsImageName" .) -}} + {{- else if .Values.global.azMarketPlace -}} + {{- printf "%s/%s" .Values.global.azure.images.k10tools.registry .Values.global.azure.images.k10tools.image -}} + {{- else -}} + {{- printf "%s/%s" .Values.global.image.registry (include "k10.k10ToolsImageName" .) -}} + {{- end -}} +{{- end -}} + +{{- define "k10.k10ToolsImageName" -}} + {{- print "k10tools" -}} +{{- end -}} + +{{- define "k10.k10ToolsImageTag" -}} + {{- if .Values.global.azMarketPlace -}} + {{- print .Values.global.azure.images.k10tools.tag -}} + {{- else -}} + {{- include "get.k10ImageTag" . -}} + {{- end -}} +{{- end -}} + +{{/* +Get the ocpconsoleplugin image. +*/}} +{{- define "k10.ocpConsolePluginImage" -}} + {{- (get .Values.global.images (include "k10.openShiftConsolePluginImageName" .)) | default (include "k10.ocpConsolePluginDefaultImage" .) -}} +{{- end -}} + +{{- define "k10.ocpConsolePluginDefaultImage" -}} + {{- printf "%s:%s" (include "k10.ocpConsolePluginImageRepo" .) (include "get.k10ImageTag" .) -}} +{{- end -}} + +{{- define "k10.ocpConsolePluginImageRepo" -}} + {{- if .Values.global.airgapped.repository -}} + {{- printf "%s/%s" .Values.global.airgapped.repository (include "k10.openShiftConsolePluginImageName" .) -}} + {{- else -}} + {{- printf "%s/%s" .Values.global.image.registry (include "k10.openShiftConsolePluginImageName" .) -}} + {{- end -}} +{{- end -}} + +{{/* +Get the emissary image. +*/}} +{{- define "get.emissaryImage" }} + {{- (get .Values.global.images (include "k10.emissaryImageName" .)) | default (include "k10.emissaryImage" .) }} +{{- end }} + +{{- define "k10.emissaryImage" -}} + {{- printf "%s:%s" (include "k10.emissaryImageRepo" .) (include "k10.emissaryImageTag" .) }} +{{- end -}} + +{{- define "k10.emissaryImageRepo" -}} + {{- if .Values.global.airgapped.repository }} + {{- printf "%s/%s" .Values.global.airgapped.repository (include "k10.emissaryImageName" .) }} + {{- else if .Values.global.azMarketPlace }} + {{- printf "%s/%s" .Values.global.azure.images.emissary.registry .Values.global.azure.images.emissary.image }} + {{- else }} + {{- printf "%s/%s" .Values.global.image.registry (include "k10.emissaryImageName" .) }} + {{- end }} +{{- end -}} + +{{- define "k10.emissaryImageName" -}} + {{- printf "emissary" }} +{{- end -}} + +{{- define "k10.emissaryImageTag" -}} + {{- if .Values.global.azMarketPlace }} + {{- print .Values.global.azure.images.emissary.tag }} + {{- else }} + {{- include "get.k10ImageTag" . }} + {{- end }} +{{- end -}} + +{{/* +Get the datamover image. +*/}} +{{- define "get.datamoverImage" }} + {{- (get .Values.global.images (include "k10.datamoverImageName" .)) | default (include "k10.datamoverImage" .) }} +{{- end }} + +{{- define "k10.datamoverImage" -}} + {{- printf "%s:%s" (include "k10.datamoverImageRepo" .) (include "k10.datamoverImageTag" .) }} +{{- end -}} + +{{- define "k10.datamoverImageRepo" -}} + {{- if .Values.global.airgapped.repository }} + {{- printf "%s/%s" .Values.global.airgapped.repository (include "k10.datamoverImageName" .) }} + {{- else if .Values.global.azMarketPlace }} + {{- printf "%s/%s" .Values.global.azure.images.datamover.registry .Values.global.azure.images.datamover.image }} + {{- else }} + {{- printf "%s/%s" .Values.global.image.registry (include "k10.datamoverImageName" .) }} + {{- end }} +{{- end -}} + +{{- define "k10.datamoverImageName" -}} + {{- printf "datamover" }} +{{- end -}} + +{{- define "k10.datamoverImageTag" -}} + {{- if .Values.global.azMarketPlace }} + {{- print .Values.global.azure.images.datamover.tag }} + {{- else }} + {{- include "get.k10ImageTag" . }} + {{- end }} +{{- end -}} + +{{/* +Get the metric-sidecar image. +*/}} +{{- define "get.metricSidecarImage" }} + {{- (get .Values.global.images (include "k10.metricSidecarImageName" .)) | default (include "k10.metricSidecarImage" .) }} +{{- end }} + +{{- define "k10.metricSidecarImage" -}} + {{- printf "%s:%s" (include "k10.metricSidecarImageRepo" .) (include "k10.metricSidecarImageTag" .) }} +{{- end -}} + +{{- define "k10.metricSidecarImageRepo" -}} + {{- if .Values.global.airgapped.repository }} + {{- printf "%s/%s" .Values.global.airgapped.repository (include "k10.metricSidecarImageName" .) }} + {{- else if .Values.global.azMarketPlace }} + {{- printf "%s/%s" (.Values.global.azure.images.metricsidecar.registry) (.Values.global.azure.images.metricsidecar.image) }} + {{- else }} + {{- printf "%s/%s" .Values.global.image.registry (include "k10.metricSidecarImageName" .) }} + {{- end }} +{{- end -}} + +{{- define "k10.metricSidecarImageName" -}} + {{- printf "metric-sidecar" }} +{{- end -}} + +{{- define "k10.metricSidecarImageTag" -}} + {{- if .Values.global.azMarketPlace }} + {{- print .Values.global.azure.images.metricsidecar.tag }} + {{- else }} + {{- include "get.k10ImageTag" . }} + {{- end }} +{{- end -}} + +{{/* +Check if AWS creds are specified +*/}} +{{- define "check.awscreds" -}} +{{- if or .Values.secrets.awsAccessKeyId .Values.secrets.awsSecretAccessKey -}} +{{- print true -}} +{{- end -}} +{{- end -}} + +{{- define "check.awsSecretName" -}} +{{- if .Values.secrets.awsClientSecretName -}} +{{- print true -}} +{{- end -}} +{{- end -}} + +{{- define "check.azureFederatedIdentity" -}} +{{- if and .Values.azure.useFederatedIdentity .Values.secrets.azureClientId -}} +{{- print true -}} +{{- end -}} +{{- end -}} + +{{/* +Check if Azure MSI with Default ID is specified +*/}} +{{- define "check.azureMSIWithDefaultID" -}} +{{- if .Values.azure.useDefaultMSI -}} +{{- print true -}} +{{- end -}} +{{- end -}} + +{{/* +Check if Azure MSI with a specific Client ID is specified +*/}} +{{- define "check.azureMSIWithClientID" -}} +{{- if and (not (or .Values.secrets.azureClientSecret .Values.secrets.azureTenantId)) .Values.secrets.azureClientId -}} +{{- print true -}} +{{- end -}} +{{- end -}} + +{{/* +Check if Azure ClientSecret creds are specified +*/}} +{{- define "check.azureClientSecretCreds" -}} +{{- if and (and .Values.secrets.azureTenantId .Values.secrets.azureClientId) .Values.secrets.azureClientSecret -}} +{{- print true -}} +{{- end -}} +{{- end -}} + +{{/* +Checks and enforces only 1 set of azure creds is specified +*/}} +{{- define "enforce.singleazurecreds" -}} +{{- if and (eq (include "check.azureFederatedIdentity" .) "true") (eq (include "check.azureMSIWithDefaultID" .) "true") -}} +{{- fail "useDefaultMSI is set to true, but FederatedIdentity is also set to true. Please choose one." -}} +{{- end -}} +{{- if and (eq (include "check.azureMSIWithClientID" .) "true") (eq (include "check.azureMSIWithDefaultID" .) "true") -}} +{{- fail "useDefaultMSI is set to true, but an additional ClientID is also provided. Please choose one." -}} +{{- end -}} +{{ if and ( or (eq (include "check.azureClientSecretCreds" .) "true") (eq (include "check.azuresecret" .) "true" )) (or (eq (include "check.azureMSIWithClientID" .) "true") (eq (include "check.azureMSIWithDefaultID" .) "true")) }} +{{- fail "Both Azure ClientSecret and Managed Identity creds are available, but only one is allowed. Please choose one." }} +{{- end -}} +{{- end -}} + +{{/* +Get the kanister-tools image. +*/}} +{{- define "get.kanisterToolsImage" -}} + {{- (get .Values.global.images (include "kan.kanisterToolsImageName" .)) | default (include "kan.kanisterToolsImage" .) }} +{{- end }} + +{{- define "kan.kanisterToolsImage" -}} + {{- printf "%s:%s" (include "kan.kanisterToolsImageRepo" .) (include "kan.kanisterToolsImageTag" .) }} +{{- end -}} + +{{- define "kan.kanisterToolsImageRepo" -}} + {{- if .Values.global.airgapped.repository }} + {{- printf "%s/%s" .Values.global.airgapped.repository (include "kan.kanisterToolsImageName" .) }} + {{- else if .Values.global.azMarketPlace }} + {{- printf "%s/%s" .Values.global.azure.images.kanistertools.registry .Values.global.azure.images.kanistertools.image }} + {{- else }} + {{- printf "%s/%s" .Values.global.image.registry (include "kan.kanisterToolsImageName" .) }} + {{- end }} +{{- end -}} + +{{- define "kan.kanisterToolsImageName" -}} + {{- printf "kanister-tools" }} +{{- end -}} + +{{- define "kan.kanisterToolsImageTag" -}} + {{- if .Values.global.azMarketPlace }} + {{- print .Values.global.azure.images.kanistertools.tag }} + {{- else }} + {{- include "get.k10ImageTag" . }} + {{- end }} +{{- end -}} + +{{/* +Check if Google Workload Identity Federation is enabled +*/}} +{{- define "check.gwifenabled" -}} +{{- if .Values.google.workloadIdentityFederation.enabled -}} +{{- print true -}} +{{- end -}} +{{- end -}} + + +{{/* +Check if Google Workload Identity Federation Identity Provider is set +*/}} +{{- define "check.gwifidptype" -}} +{{- if .Values.google.workloadIdentityFederation.idp.type -}} +{{- print true -}} +{{- end -}} +{{- end -}} + +{{/* +Fail if Google Workload Identity Federation is enabled but no Identity Provider is set +*/}} +{{- define "validate.gwif.idp.type" -}} +{{- if and (eq (include "check.gwifenabled" .) "true") (ne (include "check.gwifidptype" .) "true") -}} + {{- fail "Google Workload Federation is enabled but helm flag for idp type is missing. Please set helm value google.workloadIdentityFederation.idp.type" -}} +{{- end -}} +{{- end -}} + +{{/* +Check if K8S Bound Service Account Token (aka Projected Service Account Token) is needed, +which is when GWIF is enabled and the IdP is kubernetes +*/}} +{{- define "check.projectSAToken" -}} +{{- if and (eq (include "check.gwifenabled" .) "true") (eq .Values.google.workloadIdentityFederation.idp.type "kubernetes") -}} +{{- print true -}} +{{- end -}} +{{- end -}} + +{{/* +Check if the audience that the bound service account token is intended for is set +*/}} +{{- define "check.gwifidpaud" -}} +{{- if .Values.google.workloadIdentityFederation.idp.aud -}} +{{- print true -}} +{{- end -}} +{{- end -}} + +{{/* +Fail if Service Account token projection is expected but no indented Audience is set +*/}} +{{- define "validate.gwif.idp.aud" -}} +{{- if and (eq (include "check.projectSAToken" .) "true") (ne (include "check.gwifidpaud" .) "true") -}} + {{- fail "Kubernetes is set as the Identity Provider but an intended Audience is missing. Please set helm value google.workloadIdentityFederation.idp.aud" -}} +{{- end -}} +{{- end -}} + + +{{/* +Check if Google creds are specified +*/}} +{{- define "check.googlecreds" -}} +{{- if .Values.secrets.googleApiKey -}} + {{- if eq (include "check.isBase64" .Values.secrets.googleApiKey) "false" -}} + {{- fail "secrets.googleApiKey must be base64 encoded" -}} + {{- end -}} + {{- print true -}} +{{- end -}} +{{- end -}} + +{{- define "check.googleCredsSecret" -}} +{{- if .Values.secrets.googleClientSecretName -}} + {{- print true -}} +{{- end -}} +{{- end -}} + +{{- define "check.googleCredsOrSecret" -}} +{{- if or (eq (include "check.googlecreds" .) "true") (eq (include "check.googleCredsSecret" .) "true")}} + {{- print true -}} +{{- end -}} +{{- end -}} + +{{/* +Check if Google Project ID is not set without Google API Key +*/}} +{{- define "check.googleproject" -}} +{{- if .Values.secrets.googleProjectId -}} + {{- if not .Values.secrets.googleApiKey -}} + {{- print false -}} + {{- else -}} + {{- print true -}} + {{- end -}} +{{- else -}} + {{- print true -}} +{{- end -}} +{{- end -}} + +{{/* +Check if Azure creds are specified +*/}} +{{- define "check.azurecreds" -}} +{{- if or (eq (include "check.azureClientSecretCreds" .) "true") ( or (eq (include "check.azureMSIWithClientID" .) "true") (eq (include "check.azureMSIWithDefaultID" .) "true")) -}} +{{- print true -}} +{{- end -}} +{{- end -}} + +{{- define "check.azuresecret" -}} +{{- if .Values.secrets.azureClientSecretName }} +{{- print true -}} +{{- end -}} +{{- end -}} + +{{/* +Check if Vsphere creds are specified +*/}} +{{- define "check.vspherecreds" -}} +{{- if or (or .Values.secrets.vsphereEndpoint .Values.secrets.vsphereUsername) .Values.secrets.vspherePassword -}} +{{- print true -}} +{{- end -}} +{{- end -}} + +{{- define "check.vsphereClientSecret" -}} +{{- if .Values.secrets.vsphereClientSecretName -}} +{{- print true -}} +{{- end -}} +{{- end -}} + +{{/* +Check if Vault token secret creds are specified +*/}} +{{- define "check.vaulttokenauth" -}} +{{- if .Values.vault.secretName -}} +{{- print true -}} +{{- end -}} +{{- end -}} + +{{/* +Check if K8s role is specified +*/}} +{{- define "check.vaultk8sauth" -}} +{{- if .Values.vault.role -}} +{{- print true -}} +{{- end -}} +{{- end -}} + +{{/* +Check if Vault creds for token or k8s auth are specified +*/}} +{{- define "check.vaultcreds" -}} +{{- if or (eq (include "check.vaulttokenauth" .) "true") (eq (include "check.vaultk8sauth" .) "true") -}} +{{- print true -}} +{{- end -}} +{{- end -}} + + +{{/* +Checks and enforces only 1 set of cloud creds is specified +*/}} +{{- define "enforce.singlecloudcreds" -}} +{{- $count := dict "count" (int 0) -}} +{{- $main := . -}} +{{- range $ind, $cloud_provider := include "k10.cloudProviders" . | splitList " " }} +{{ if eq (include (printf "check.%screds" $cloud_provider) $main) "true" }} +{{ $c := add1 $count.count | set $count "count" }} +{{ if gt $count.count 1 }} +{{- fail "Credentials for different cloud providers were provided but only one is allowed. Please verify your .secrets.* values." }} +{{ end }} +{{ end }} +{{- end }} +{{- end -}} + +{{/* +Converts .Values.features into k10-features: map[string]: "value" +*/}} +{{- define "k10.features" -}} +{{ range $n, $v := .Values.features }} +{{ $n }}: {{ $v | quote -}} +{{ end }} +{{- end -}} + +{{/* +Checks if string is base64 encoded +*/}} +{{- define "check.isBase64" -}} +{{- not (. | b64dec | contains "illegal base64 data") -}} +{{- end -}} + +{{/* +Returns a license base64 either from file or from values +or prints it for awsmarketplace or awsManagedLicense +*/}} +{{- define "k10.getlicense" -}} +{{- if .Values.metering.awsMarketplace -}} + {{- print "Y3VzdG9tZXJOYW1lOiBhd3MtbWFya2V0cGxhY2UKZGF0ZUVuZDogJzIxMDAtMDEtMDFUMDA6MDA6MDAuMDAwWicKZGF0ZVN0YXJ0OiAnMjAxOC0wOC0wMVQwMDowMDowMC4wMDBaJwpmZWF0dXJlczoKICBjbG91ZE1ldGVyaW5nOiBhd3MKaWQ6IGF3cy1ta3QtNWMxMDlmZDUtYWI0Yy00YTE0LWJiY2QtNTg3MGU2Yzk0MzRiCnByb2R1Y3Q6IEsxMApyZXN0cmljdGlvbnM6IG51bGwKdmVyc2lvbjogdjEuMC4wCnNpZ25hdHVyZTogY3ZEdTNTWHljaTJoSmFpazR3THMwTk9mcTNFekYxQ1pqLzRJMUZVZlBXS0JETHpuZmh2eXFFOGUvMDZxNG9PNkRoVHFSQlY3VFNJMzVkQzJ4alllaGp3cWwxNHNKT3ZyVERKZXNFWVdyMVFxZGVGVjVDd21HczhHR0VzNGNTVk5JQXVseGNTUG9oZ2x2UlRJRm0wVWpUOEtKTzlSTHVyUGxyRjlGMnpnK0RvM2UyTmVnamZ6eTVuMUZtd24xWUNlbUd4anhFaks0djB3L2lqSGlwTGQzWVBVZUh5Vm9mZHRodGV0YmhSUGJBVnVTalkrQllnRklnSW9wUlhpYnpTaEMvbCs0eTFEYzcyTDZXNWM0eUxMWFB1SVFQU3FjUWRiYnlwQ1dYYjFOT3B3aWtKMkpsR0thMldScFE4ZUFJNU9WQktqZXpuZ3FPa0lRUC91RFBtSXFBPT0K" -}} +{{- else if or ( .Values.metering.awsManagedLicense ) ( .Values.metering.licenseConfigSecretName ) -}} + {{- print "Y3VzdG9tZXJOYW1lOiBhd3MtdG90ZW0KZGF0ZUVuZDogJzIxMDAtMDEtMDFUMDA6MDA6MDAuMDAwWicKZGF0ZVN0YXJ0OiAnMjAyMS0wOS0wMVQwMDowMDowMC4wMDBaJwpmZWF0dXJlczoKICBleHRlcm5hbExpY2Vuc2U6IGF3cwogIHByb2R1Y3RTS1U6IGI4YzgyMWQ5LWJmNDAtNDE4ZC1iYTBiLTgxMjBiZjc3ZThmOQogIGtleUZpbmdlcnByaW50OiBhd3M6Mjk0NDA2ODkxMzExOkFXUy9NYXJrZXRwbGFjZTppc3N1ZXItZmluZ2VycHJpbnQKaWQ6IGF3cy1leHQtMWUxMTVlZjMtM2YyMC00MTJlLTgzODItMmE1NWUxMTc1OTFlCnByb2R1Y3Q6IEsxMApyZXN0cmljdGlvbnM6CiAgbm9kZXM6ICczJwp2ZXJzaW9uOiB2MS4wLjAKc2lnbmF0dXJlOiBkeEtLN3pPUXdzZFBOY2I1NExzV2hvUXNWeWZSVDNHVHZ0VkRuR1Vvb2VxSGlwYStTY25HTjZSNmdmdmtWdTRQNHh4RmV1TFZQU3k2VnJYeExOTE1RZmh2NFpBSHVrYmFNd3E5UXhGNkpGSmVXbTdzQmdtTUVpWVJ2SnFZVFcyMlNoakZEU1RWejY5c2JBTXNFMUd0VTdXKytITGk0dnhybjVhYkd6RkRHZW5iRE5tcXJQT3dSa3JIdTlHTFQ1WmZTNDFUL0hBMjNZZnlsTU54MGFlK2t5TGZvZXNuK3FKQzdld2NPWjh4eE94bFRJR3RuWDZ4UU5DTk5iYjhSMm5XbmljNVd0OElEc2VDR3lLMEVVRW9YL09jNFhsWVVra3FGQ0xPdVhuWDMxeFZNZ1NFQnVEWExFd3Y3K2RlSmcvb0pMaW9EVHEvWUNuM0lnem9VR2NTMGc9PQo=" -}} +{{- else -}} + {{- $license := .Values.license -}} + {{- if eq (include "check.isBase64" $license) "false" -}} + {{- $license = $license | b64enc -}} + {{- end -}} + {{- print (default (.Files.Get "license") $license) -}} +{{- end -}} +{{- end -}} + +{{/* +Returns resource usage given a pod name and container name +*/}} +{{- define "k10.resource.request" -}} +{{- $resourceDefaultList := (include "k10.serviceResources" .main | fromYaml) }} +{{- $podName := .k10_service_pod_name }} +{{- $containerName := .k10_service_container_name }} +{{- $resourceValue := "" }} +{{- if (hasKey $resourceDefaultList $podName) }} + {{- $resourceValue = index (index $resourceDefaultList $podName) $containerName }} +{{- end }} +{{- if (hasKey .main.Values.resources $podName) }} + {{- if (hasKey (index .main.Values.resources $podName) $containerName) }} + {{- $resourceValue = index (index .main.Values.resources $podName) $containerName }} + {{- end }} +{{- end }} +{{- /* If no resource usage value was provided, do not include the resources section */}} +{{- /* This allows users to set unlimited resources by providing a service key that is empty (e.g. `--set resources.=`) */}} +{{- if $resourceValue }} +resources: +{{- $resourceValue | toYaml | trim | nindent 2 }} +{{- else if eq .main.Release.Namespace "default" }} +resources: + requests: + cpu: "0.01" +{{- end }} +{{- end -}} + +{{/* +Adds priorityClassName field according to helm values. +*/}} +{{- define "k10.priorityClassName" }} +{{- $deploymentName := .k10_deployment_name }} +{{- $defaultPriorityClassName := default "" .main.Values.defaultPriorityClassName }} +{{- $priorityClassName := $defaultPriorityClassName }} + +{{- if and (hasKey .main.Values "priorityClassName") (hasKey .main.Values.priorityClassName $deploymentName) }} + {{- $priorityClassName = index .main.Values.priorityClassName $deploymentName }} +{{- end -}} + +{{- if $priorityClassName }} +priorityClassName: {{ $priorityClassName }} +{{- end }} + +{{- end }}{{/* define "k10.priorityClassName" */}} + +{{- define "kanisterToolsResources" }} +{{- if .Values.genericVolumeSnapshot.resources.requests.memory }} +KanisterToolsMemoryRequests: {{ .Values.genericVolumeSnapshot.resources.requests.memory | quote }} +{{- end }} +{{- if .Values.genericVolumeSnapshot.resources.requests.cpu }} +KanisterToolsCPURequests: {{ .Values.genericVolumeSnapshot.resources.requests.cpu | quote }} +{{- end }} +{{- if .Values.genericVolumeSnapshot.resources.limits.memory }} +KanisterToolsMemoryLimits: {{ .Values.genericVolumeSnapshot.resources.limits.memory | quote }} +{{- end }} +{{- if .Values.genericVolumeSnapshot.resources.limits.cpu }} +KanisterToolsCPULimits: {{ .Values.genericVolumeSnapshot.resources.limits.cpu | quote }} +{{- end }} +{{- end }} + +{{- define "workerPodMetricSidecarResources" }} +{{- if not (quote .Values.workerPodMetricSidecar.resources.requests.memory | empty) }} +WorkerPodMetricSidecarMemoryRequest: {{ .Values.workerPodMetricSidecar.resources.requests.memory | quote }} +{{- else if not (quote .Values.kanisterPodMetricSidecar.resources.requests.memory | empty) }} +WorkerPodMetricSidecarMemoryRequest: {{ .Values.kanisterPodMetricSidecar.resources.requests.memory | quote }} +{{- end }} +{{- if not (quote .Values.workerPodMetricSidecar.resources.requests.cpu | empty) }} +WorkerPodMetricSidecarCPURequest: {{ .Values.workerPodMetricSidecar.resources.requests.cpu | quote }} +{{- else if not (quote .Values.kanisterPodMetricSidecar.resources.requests.cpu | empty) }} +WorkerPodMetricSidecarCPURequest: {{ .Values.kanisterPodMetricSidecar.resources.requests.cpu | quote }} +{{- end }} +{{- if not (quote .Values.workerPodMetricSidecar.resources.limits.memory | empty) }} +WorkerPodMetricSidecarMemoryLimit: {{ .Values.workerPodMetricSidecar.resources.limits.memory | quote }} +{{- else if not (quote .Values.kanisterPodMetricSidecar.resources.limits.memory | empty) }} +WorkerPodMetricSidecarMemoryLimit: {{ .Values.kanisterPodMetricSidecar.resources.limits.memory | quote }} +{{- end }} +{{- if not (quote .Values.workerPodMetricSidecar.resources.limits.cpu | empty) }} +WorkerPodMetricSidecarCPULimit: {{ .Values.workerPodMetricSidecar.resources.limits.cpu | quote }} +{{- else if not (quote .Values.kanisterPodMetricSidecar.resources.limits.cpu | empty) }} +WorkerPodMetricSidecarCPULimit: {{ .Values.kanisterPodMetricSidecar.resources.limits.cpu | quote }} +{{- end }} +{{- end }} + +{{- define "workerPodResourcesCRD" }} +{{- if .Values.workerPodCRDs.resourcesRequests.maxMemory }} +workerPodMaxMemoryRequest: {{ .Values.workerPodCRDs.resourcesRequests.maxMemory | quote }} +{{- end }} +{{- if .Values.workerPodCRDs.resourcesRequests.maxCPU }} +workerPodMaxCPURequest: {{ .Values.workerPodCRDs.resourcesRequests.maxCPU | quote }} +{{- end }} +{{- if .Values.workerPodCRDs.defaultActionPodSpec }} +workerPodDefaultAPSName: {{ .Values.workerPodCRDs.defaultActionPodSpec | quote }} +{{- end }} +{{- end }} + +{{- define "get.kanisterPodCustomLabels" -}} +{{- if .Values.kanisterPodCustomLabels }} +KanisterPodCustomLabels: {{ .Values.kanisterPodCustomLabels | quote }} +{{- end }} +{{- end }} + +{{- define "get.gvsActivationToken" }} +{{- if .Values.genericStorageBackup.token }} +GVSActivationToken: {{ .Values.genericStorageBackup.token | quote }} +{{- end }} +{{- end }} + +{{- define "get.kanisterPodCustomAnnotations" -}} +{{- if .Values.kanisterPodCustomAnnotations }} +KanisterPodCustomAnnotations: {{ .Values.kanisterPodCustomAnnotations | quote }} +{{- end }} +{{- end }} + +{{/* +Lookup and return only enabled colocated services +*/}} +{{- define "get.enabledColocatedSvcList" -}} +{{- $enabledColocatedSvcList := dict }} +{{- $colocatedList := include "get.enabledColocatedServiceLookup" . | fromYaml }} +{{- range $primary, $secondaryList := $colocatedList }} + {{- $enabledSecondarySvcList := list }} + {{- range $skip, $secondary := $secondaryList }} + {{- if or (not (hasKey $.Values.optionalColocatedServices $secondary)) ((index $.Values.optionalColocatedServices $secondary).enabled) }} + {{- $enabledSecondarySvcList = append $enabledSecondarySvcList $secondary }} + {{- end }} + {{- end }} + {{- if gt (len $enabledSecondarySvcList) 0 }} + {{- $enabledColocatedSvcList = set $enabledColocatedSvcList $primary $enabledSecondarySvcList }} + {{- end }} +{{- end }} +{{- $enabledColocatedSvcList | toYaml | trim | nindent 0}} +{{- end -}} + +{{- define "get.serviceContainersInPod" -}} +{{- $podService := .k10_service_pod }} +{{- $colocatedList := include "get.enabledColocatedServices" .main | fromYaml }} +{{- $colocatedLookupByPod := include "get.enabledColocatedSvcList" .main | fromYaml }} +{{- $containerList := list $podService }} +{{- if hasKey $colocatedLookupByPod $podService }} + {{- $containerList = concat $containerList (index $colocatedLookupByPod $podService)}} +{{- end }} +{{- $containerList | join " " }} +{{- end -}} + +{{- define "get.statefulRestServicesInPod" -}} +{{- $statefulRestSvcsInPod := list }} +{{- $podService := .k10_service_pod }} +{{- $containerList := (dict "main" .main "k10_service_pod" $podService | include "get.serviceContainersInPod" | splitList " ") }} +{{- if .main.Values.global.persistence.enabled }} + {{- range $skip, $containerInPod := $containerList }} + {{- $isRestService := has $containerInPod (include "get.enabledRestServices" $.main | splitList " ") }} + {{- $isStatelessService := has $containerInPod (include "get.enabledStatelessServices" $.main | splitList " ") }} + {{- if and $isRestService (not $isStatelessService) }} + {{- $statefulRestSvcsInPod = append $statefulRestSvcsInPod $containerInPod }} + {{- end }} + {{- end }} +{{- end }} +{{- $statefulRestSvcsInPod | join " " }} +{{- end -}} + +{{- define "k10.prefixPath" -}} + {{- if .Values.route.enabled -}} + /{{ .Values.route.path | default .Release.Name | trimPrefix "/" | trimSuffix "/" }} + {{- else if .Values.ingress.create -}} + /{{ .Values.ingress.urlPath | default .Release.Name | trimPrefix "/" | trimSuffix "/" }} + {{- else -}} + /{{ .Release.Name }} + {{- end -}} +{{- end -}} + +{{/* +Check if encryption keys are specified +*/}} +{{- define "check.primaryKey" -}} +{{- if (or .Values.encryption.primaryKey.awsCmkKeyId .Values.encryption.primaryKey.vaultTransitKeyName) -}} +{{- print true -}} +{{- end -}} +{{- end -}} + +{{- define "check.validateImagePullSecrets" -}} + {{/* Validate image pull secrets if a custom Docker config is provided */}} + {{- if (or .Values.secrets.dockerConfig .Values.secrets.dockerConfigPath ) -}} + {{- if (and .Values.grafana.enabled (not .Values.global.imagePullSecret) (not .Values.grafana.image.pullSecrets)) -}} + {{ fail "A custom Docker config was provided, but Grafana is not configured to use it. Please check that global.imagePullSecret is set correctly." }} + {{- end -}} + {{- if (and .Values.prometheus.server.enabled (not .Values.global.imagePullSecret) (not .Values.prometheus.imagePullSecrets)) -}} + {{ fail "A custom Docker config was provided, but Prometheus is not configured to use it. Please check that global.imagePullSecret is set correctly." }} + {{- end -}} + {{- end -}} +{{- end -}} + +{{- define "k10.imagePullSecrets" }} +{{- $imagePullSecrets := list .Values.global.imagePullSecret }}{{/* May be empty, but the compact below will handle that */}} +{{- if (or .Values.secrets.dockerConfig .Values.secrets.dockerConfigPath) }} + {{- $imagePullSecrets = concat $imagePullSecrets (list "k10-ecr") }} +{{- end }} +{{- $imagePullSecrets = $imagePullSecrets | compact | uniq }} + +{{- if $imagePullSecrets }} +imagePullSecrets: + {{- range $imagePullSecrets }} + {{/* Check if the name is not empty string */}} + - name: {{ . }} + {{- end }} +{{- end }} +{{- end }} + +{{/* +k10.imagePullSecretNames gets us just the secret names that are going be used +as imagePullSecrets in the k10 services. +*/}} +{{- define "k10.imagePullSecretNames" }} +{{- $pullSecretsSpec := (include "k10.imagePullSecrets" . ) | fromYaml }} +{{- if $pullSecretsSpec }} + {{- range $pullSecretsSpec.imagePullSecrets }} + {{- $secretName := . }} + {{- printf "%s " ( $secretName.name) }} + {{- end}} +{{- end}} +{{- end }} + +{{/* +Below helper template functions are referred from chart +https://github.com/prometheus-community/helm-charts/blob/main/charts/prometheus/templates/_helpers.tpl +*/}} + +{{/* +Return kubernetes version +*/}} +{{- define "k10.kubeVersion" -}} + {{- default .Capabilities.KubeVersion.Version (regexFind "v[0-9]+\\.[0-9]+\\.[0-9]+" .Capabilities.KubeVersion.Version) -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for ingress. +*/}} +{{- define "ingress.apiVersion" -}} + {{- if and (.Capabilities.APIVersions.Has "networking.k8s.io/v1") (semverCompare ">= 1.19.x" (include "k10.kubeVersion" .)) -}} + {{- print "networking.k8s.io/v1" -}} + {{- else if .Capabilities.APIVersions.Has "extensions/v1beta1" -}} + {{- print "extensions/v1beta1" -}} + {{- else -}} + {{- print "networking.k8s.io/v1beta1" -}} + {{- end -}} +{{- end -}} + +{{/* +Is ingress part of stable APIVersion. +*/}} +{{- define "ingress.isStable" -}} + {{- eq (include "ingress.apiVersion" .) "networking.k8s.io/v1" -}} +{{- end -}} + +{{/* +Check if `ingress.defaultBackend` is properly formatted when specified. +*/}} +{{- define "check.ingress.defaultBackend" -}} + {{- if .Values.ingress.defaultBackend -}} + {{- if and .Values.ingress.defaultBackend.service.enabled .Values.ingress.defaultBackend.resource.enabled -}} + {{- fail "Both `service` and `resource` cannot be enabled in the `ingress.defaultBackend`. Provide only one." -}} + {{- end -}} + {{- if .Values.ingress.defaultBackend.service.enabled -}} + {{- if and (not .Values.ingress.defaultBackend.service.port.name) (not .Values.ingress.defaultBackend.service.port.number) -}} + {{- fail "Provide either `name` or `number` in the `ingress.defaultBackend.service.port`." -}} + {{- end -}} + {{- if and .Values.ingress.defaultBackend.service.port.name .Values.ingress.defaultBackend.service.port.number -}} + {{- fail "Both `name` and `number` cannot be specified in the `ingress.defaultBackend.service.port`. Provide only one." -}} + {{- end -}} + {{- end -}} + {{- end -}} +{{- end -}} + +{{- define "check.validatePrometheusConfig" -}} + {{if and ( and .Values.global.prometheus.external.host .Values.global.prometheus.external.port) .Values.prometheus.server.enabled}} + {{ fail "Both internal and external Prometheus configs are not allowed at same time"}} + {{- end -}} +{{- end -}} + +{{/* +Defines unique ID to be assigned to all the K10 ambassador resources. +This will ensure that the K10's ambassador does not conflict with any other ambassador instances +running in the same cluster. +*/}} +{{- define "k10.ambassadorId" -}} +"kasten.io/k10" +{{- end -}} + +{{/* Check that image.values are not set. */}} +{{- define "image.values.check" -}} + {{- if not (empty .main.Values.image) }} + + {{- $registry := .main.Values.image.registry }} + {{- $repository := .main.Values.image.repository }} + {{- if or $registry $repository }} + {{- $registry = coalesce $registry "gcr.io" }} + {{- $repository = coalesce $repository "kasten-images" }} + + {{- $oldCombinedRegistry := "" }} + {{- if hasPrefix $registry $repository }} + {{- $oldCombinedRegistry = $repository }} + {{- else }} + {{- $oldCombinedRegistry = printf "%s/%s" $registry $repository }} + {{- end }} + + {{- if ne $oldCombinedRegistry .main.Values.global.image.registry }} + {{- fail "Setting image.registry and image.repository is no longer supported use global.image.registry instead" }} + {{- end }} + {{- end }} + + {{- $tag := .main.Values.image.tag }} + {{- if $tag }} + {{- if ne $tag .main.Values.global.image.tag }} + {{- fail "Setting image.tag is no longer supported use global.image.tag instead" }} + {{- end }} + {{- end }} + + {{- $pullPolicy := .main.Values.image.pullPolicy }} + {{- if $pullPolicy }} + {{- if ne $pullPolicy .main.Values.global.image.pullPolicy }} + {{- fail "Setting image.pullPolicy is no longer supported use global.image.pullPolicy instead" }} + {{- end }} + {{- end }} + + {{- end }} +{{- end -}} + +{{/* Used to verify if Ironbank is enabled */}} +{{- define "ironbank.enabled" -}} + {{- if (.Values.global.ironbank | default dict).enabled -}} + {{- print true -}} + {{- end -}} +{{- end -}} + +{{/* Get the K10 image tag. Fails if not set correctly */}} +{{- define "get.k10ImageTag" -}} + {{- $imageTag := coalesce .Values.global.image.tag (include "k10.imageTag" .) }} + {{- if not $imageTag }} + {{- fail "global.image.tag must be set because helm chart does not include a default tag." }} + {{- else }} + {{- $imageTag }} + {{- end }} +{{- end -}} + +{{- define "get.initImage" -}} + {{- (get .Values.global.images (include "init.ImageName" .)) | default (include "init.Image" .) }} +{{- end -}} + +{{- define "init.Image" -}} + {{- printf "%s:%s" (include "init.ImageRepo" .) (include "get.k10ImageTag" .) }} +{{- end -}} + +{{- define "init.ImageRepo" -}} + {{- if .Values.global.airgapped.repository }} + {{- printf "%s/%s" .Values.global.airgapped.repository (include "init.ImageName" .) }} + {{- else if .main.Values.global.azMarketPlace }} + {{- printf "%s/%s" .Values.global.azure.images.init.registry .Values.global.azure.images.init.image }} + {{- else }} + {{- printf "%s/%s" .Values.global.image.registry (include "init.ImageName" .) }} + {{- end }} +{{- end -}} + +{{- define "init.ImageName" -}} + {{- printf "init" }} +{{- end -}} + +{{- define "k10.splitImage" -}} + {{- $split_repo_tag_and_hash := .image | splitList "@" -}} + {{- $split_repo_and_tag := $split_repo_tag_and_hash | first | splitList ":" -}} + {{- $repo := $split_repo_and_tag | first -}} + + {{- /* Error if there are extra pieces we don't understand in the image */ -}} + {{- $split_repo_tag_and_hash_len := $split_repo_tag_and_hash | len -}} + {{- $split_repo_and_tag_len := $split_repo_and_tag | len -}} + {{- if or (gt $split_repo_tag_and_hash_len 2) (gt $split_repo_and_tag_len 2) -}} + {{- fail (printf "Unsupported image format: %q (%s)" .image .path) -}} + {{- end -}} + + {{- $digest := $split_repo_tag_and_hash | rest | first -}} + {{- $tag := $split_repo_and_tag | rest | first -}} + + {{- $sha := "" -}} + {{- if $digest -}} + {{- if not ($digest | hasPrefix "sha256:") -}} + {{- fail (printf "Unsupported image ...@hash type: %q (%s)" .image .path) -}} + {{- end -}} + {{- $sha = $digest | trimPrefix "sha256:" }} + {{- end -}} + + {{- /* Split out the registry if the first component of the repo contains a "." */ -}} + {{- $registry := "" }} + {{- $split_repo := $repo | splitList "/" -}} + {{- if first $split_repo | contains "." -}} + {{- $registry = first $split_repo -}} + {{- $split_repo = rest $split_repo -}} + {{- end -}} + {{- $repo = $split_repo | join "/" -}} + + {{- + (dict + "registry" $registry + "repository" $repo + "tag" ($tag | default "") + "digest" ($digest | default "") + "sha" ($sha | default "") + ) | toJson + -}} +{{- end -}} + +{{/* Fail if Ironbank is enabled and images we don't support are turned on */}} +{{- define "k10.fail.ironbankRHMarketplace" -}} + {{- if and (include "ironbank.enabled" .) (.Values.global.rhMarketPlace) -}} + {{- fail "global.ironbank.enabled and global.rhMarketPlace cannot both be enabled at the same time" -}} + {{- end -}} +{{- end -}} + +{{/* Fail if Ironbank is enabled and images we don't support are turned on */}} +{{- define "k10.fail.ironbankGrafana" -}} + {{- if (include "ironbank.enabled" .) -}} + {{- range $key, $value := .Values.grafana.sidecar -}} + {{/* + https://go.dev/doc/go1.18: the "and" used to evaluate all conditions and not terminate early + if a predicate was met, so we must have the below as their own conditional for any customers + used go version < 1.18. + */}} + {{- if kindIs "map" $value -}} + {{- if hasKey $value "enabled" -}} + {{- if $value.enabled -}} + {{- fail (printf "Ironbank deployment does not support grafana sidecar %s" $key) -}} + {{- end -}} + {{- end -}} + {{- end -}} + {{- end -}} + {{- end -}} +{{- end -}} + +{{/* Fail if Ironbank is enabled and images we don't support are turned on */}} +{{- define "k10.fail.ironbankPrometheus" -}} + {{- if (include "ironbank.enabled" .) -}} + {{- $prometheusDict := pick .Values.prometheus "alertmanager" "kube-state-metrics" "prometheus-node-exporter" "prometheus-pushgateway" -}} + {{- range $key, $value := $prometheusDict -}} + {{/* + https://go.dev/doc/go1.18: the "and" used to evaluate all conditions and not terminate early + if a predicate was met, so we must have the below as their own conditional for any customers + used go version < 1.18. + */}} + {{- if kindIs "map" $value -}} + {{- if hasKey $value "enabled" -}} + {{- if $value.enabled -}} + {{- fail (printf "Ironbank deployment does not support prometheus %s" $key) -}} + {{- end -}} + {{- end -}} + {{- end -}} + {{- end -}} + {{- end -}} +{{- end -}} + +{{/* Fail if FIPS is enabled and Grafana is turned on */}} +{{- define "k10.fail.fipsGrafana" -}} + {{- if and (.Values.fips.enabled) (.Values.grafana.enabled) -}} + {{- fail "fips.enabled and grafana.enabled cannot both be enabled at the same time" -}} + {{- end -}} +{{- end -}} + +{{/* Fail if FIPS is enabled and Prometheus is turned on */}} +{{- define "k10.fail.fipsPrometheus" -}} + {{- if and (.Values.fips.enabled) (.Values.prometheus.server.enabled) -}} + {{- fail "fips.enabled and prometheus.server.enabled cannot both be enabled at the same time" -}} + {{- end -}} +{{- end -}} + +{{/* Check to see whether SIEM logging is enabled */}} +{{- define "k10.siemEnabled" -}} + {{- if or .Values.siem.logging.cluster.enabled .Values.siem.logging.cloud.awsS3.enabled -}} + {{- true -}} + {{- end -}} +{{- end -}} + +{{/* Determine if logging should go to filepath instead of stdout */}} +{{- define "k10.siemLoggingClusterFile" -}} + {{- if .Values.siem.logging.cluster.enabled -}} + {{- if (.Values.siem.logging.cluster.file | default dict).enabled -}} + {{- .Values.siem.logging.cluster.file.path | default "" -}} + {{- end -}} + {{- end -}} +{{- end -}} + +{{/* Determine if a max file size should be used */}} +{{- define "k10.siemLoggingClusterFileSize" -}} + {{- if .Values.siem.logging.cluster.enabled -}} + {{- if (.Values.siem.logging.cluster.file | default dict).enabled -}} + {{- .Values.siem.logging.cluster.file.size | default "" -}} + {{- end -}} + {{- end -}} +{{- end -}} + +{{/* Returns a generated name for the OpenShift Service Account secret */}} +{{- define "get.openshiftServiceAccountSecretName" -}} + {{ printf "%s-k10-secret" (include "get.openshiftServiceAccountName" .) | quote }} +{{- end -}} + +{{/* +Returns a generated name for the OpenShift Service Account if a service account name +is not configuredby the user using the helm value auth.openshift.serviceAccount +*/}} +{{- define "get.openshiftServiceAccountName" -}} + {{ default (include "k10.dexServiceAccountName" .) .Values.auth.openshift.serviceAccount}} +{{- end -}} + +{{/* +Returns the required environment variables to enforce FIPS mode using +the Microsoft Go toolchain and Red Hat's OpenSSL. +*/}} +{{- define "k10.enforceFIPSEnvironmentVariables" }} +- name: GOFIPS + value: "1" +- name: OPENSSL_FORCE_FIPS_MODE + value: "1" +{{- if .Values.fips.disable_ems }} +- name: KASTEN_CRYPTO_POLICY + value: disable_ems +{{- end }} +{{- end }} + +{{/* +Returns a billing identifier label to be added to workloads for azure marketplace offer +*/}} +{{- define "k10.azMarketPlace.billingIdentifier" -}} + {{- if .Values.global.azMarketPlace -}} + azure-extensions-usage-release-identifier: {{.Release.Name}} + {{- end -}} +{{- end -}} + +{{/* +Returns the grafana URL based on the fields grafana.enabled and grafana.external.url, or in other +words based on the fact that internal grafana is used to external grafana's URL is provided +*/}} +{{- define "k10.grafanaUrl" -}} + {{- if and (.Values.grafana.enabled) (.Values.grafana.external.url) }} + {{- fail "K10's Grafana is enabled and external Grafana's URL is also provided. URL must only be provided if grafana.enabled is set to false." }} + {{- end }} + {{- if .Values.grafana.enabled }} + {{- include "k10.prefixPath" . }}/grafana/ + {{- else -}} + {{ .Values.grafana.external.url }} + {{- end }} +{{- end }} + +{{/* Fail if internal logging is enabled and fluentbit endpoint is specified, otherwise return the fluentbit endpoint even if its empty */}} +{{- define "k10.fluentbitEndpoint" -}} + {{- if and (.Values.logging.fluentbit_endpoint) (.Values.logging.internal) -}} + {{- fail "logging.fluentbit_endpoint cannot be set if logging.internal is true" -}} + {{- end -}} + {{ .Values.logging.fluentbit_endpoint }} +{{- end -}} + +{{/* +Returns the name of the K10 OpenShift Console Plugin ConfigMap +*/}} +{{- define "k10.openShiftConsolePluginConfigMapName" -}} + {{- printf "%s-config" (include "k10.openShiftConsolePluginName" .) -}} +{{- end -}} + +{{/* +Returns the name of the K10 OpenShift Console Plugin TLS certificate +*/}} +{{- define "k10.openShiftConsolePluginTLSCertName" -}} + {{- printf "%s-tls-cert" (include "k10.openShiftConsolePluginName" .) -}} +{{- end -}} + +{{/* +Returns the name of the K10 OpenShift Console Plugin Proxy +*/}} +{{- define "k10.openShiftConsolePluginProxyName" -}} + {{- printf "%s-proxy" (include "k10.openShiftConsolePluginName" .) -}} +{{- end -}} + +{{/* +Returns the name of the K10 OpenShift Console Plugin Proxy ConfigMap +*/}} +{{- define "k10.openShiftConsolePluginProxyConfigMapName" -}} + {{- printf "%s-config" (include "k10.openShiftConsolePluginProxyName" .) -}} +{{- end -}} + +{{/* +Return the name of the K10 OpenShift Console Plugin Proxy TLS certificate +*/}} +{{- define "k10.openShiftConsolePluginProxyTLSCertName" -}} + {{- printf "%s-tls-cert" (include "k10.openShiftConsolePluginProxyName" .) -}} +{{- end -}} + +{{/* +Returns true if release is being installed to the OpenShift cluster +*/}} +{{- define "k10.isOpenShift" -}} + {{- $isOpenShift := "false" -}} + + {{- if .Capabilities.APIVersions -}} + {{- if .Capabilities.APIVersions.Has "console.openshift.io/v1" -}} + {{- $isOpenShift = "true" -}} + {{- end -}} + {{- end -}} + + {{/* We consider that K10 is being installed to OpenShift if .Values.scc.create is true */}} + {{- if .Values.scc.create -}} + {{- $isOpenShift = "true" -}} + {{- end -}} + + {{- print $isOpenShift -}} +{{- end -}} diff --git a/charts/kasten/k10/7.0.1401/templates/_k10_container.tpl b/charts/kasten/k10/7.0.1401/templates/_k10_container.tpl new file mode 100644 index 000000000..8e2655166 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/templates/_k10_container.tpl @@ -0,0 +1,1125 @@ +{{- define "k10-containers" }} +{{- $pod := .k10_pod }} +{{- with .main }} +{{- $main_context := . }} +{{- $colocatedList := include "get.enabledColocatedServices" . | fromYaml }} +{{- $containerList := (dict "main" $main_context "k10_service_pod" $pod | include "get.serviceContainersInPod" | splitList " ") }} + containers: +{{- range $skip, $container := $containerList }} + {{- $port := default $main_context.Values.service.externalPort (index $colocatedList $container).port }} + {{- $serviceStateful := has $container (dict "main" $main_context "k10_service_pod" $pod | include "get.statefulRestServicesInPod" | splitList " ") }} + {{- dict "main" $main_context "k10_pod" $pod "k10_container" $container "externalPort" $port "stateful" $serviceStateful | include "k10-container" }} +{{- end }} +{{- end }}{{/* with .main */}} +{{- end }}{{/* define "k10-containers" */}} + +{{- define "k10-container" }} +{{- $pod := .k10_pod }} +{{- $service := .k10_container }} +{{- $externalPort := .externalPort }} +{{- with .main }} + - name: {{ $service }}-svc + {{- dict "main" . "k10_service" $service | include "serviceImage" | indent 8 }} + imagePullPolicy: {{ .Values.global.image.pullPolicy }} +{{- if eq $service "aggregatedapis" }} + args: + - "--secure-port={{ .Values.service.aggregatedApiPort }}" + - "--cert-dir=/tmp/apiserver.local.config/certificates/" + {{- if include "k10.siemEnabled" . }} + - "--audit-policy-file=/etc/kubernetes/{{ include "k10.aggAuditPolicyFile" .}}" + {{/* SIEM cloud logging */}} + - "--enable-k10-audit-cloud-aws-s3={{ .Values.siem.logging.cloud.awsS3.enabled }}" + - "--audit-cloud-path={{ .Values.siem.logging.cloud.path }}" + {{/* SIEM cluster logging */}} + - "--enable-k10-audit-cluster={{ .Values.siem.logging.cluster.enabled }}" + - "--audit-log-file={{ include "k10.siemLoggingClusterFile" . | default (include "k10.siemAuditLogFilePath" .) }}" + - "--audit-log-file-size={{ include "k10.siemLoggingClusterFileSize" . | default (include "k10.siemAuditLogFileSize" .) }}" + {{- end }} +{{- if .Values.useNamespacedAPI }} + - "--k10-api-domain={{ template "apiDomain" . }}" +{{- end }}{{/* .Values.useNamespacedAPI */}} +{{/* +We need this explicit conversion because installation using operator hub was failing +stating that types are not same for the equality check +*/}} +{{- else if not (eq (int .Values.service.externalPort) (int $externalPort) ) }} + args: + - "--port={{ $externalPort }}" + - "--host=0.0.0.0" +{{- end }}{{/* eq $service "aggregatedapis" */}} +{{- $podName := (printf "%s-svc" $pod) }} +{{- $containerName := (printf "%s-svc" $service) }} +{{- dict "main" . "k10_service_pod_name" $podName "k10_service_container_name" $containerName | include "k10.resource.request" | indent 8}} + ports: +{{- if eq $service "aggregatedapis" }} + - containerPort: {{ .Values.service.aggregatedApiPort }} +{{- else }} + - containerPort: {{ $externalPort }} + {{- if eq $service "controllermanager" }} + - containerPort: {{ include "k10.mcExternalPort" nil }} + {{- end }} +{{- end }} +{{- if eq $service "logging" }} + - containerPort: 24224 + protocol: TCP + - containerPort: 24225 + protocol: TCP +{{- end }} + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: false + capabilities: + drop: ["ALL"] + livenessProbe: +{{- if eq $service "aggregatedapis" }} + tcpSocket: + port: {{ .Values.service.aggregatedApiPort }} + timeoutSeconds: 5 +{{- else }} + httpGet: + path: /v0/healthz + port: {{ $externalPort }} + timeoutSeconds: 1 +{{- end }} + initialDelaySeconds: 300 +{{- if ne $service "aggregatedapis" }} + readinessProbe: + httpGet: + path: /v0/healthz + port: {{ $externalPort }} + initialDelaySeconds: 3 +{{- end }} + env: +{{- if eq $service "dashboardbff" }} + - name: {{ include "k10.disabledServicesEnvVar" . }} + value: {{ include "get.disabledServices" . | quote }} +{{- end -}} +{{- if list "dashboardbff" "executor" "garbagecollector" "controllermanager" "kanister" | has $service}} +{{- if not (eq (include "check.googleproject" . ) "true") -}} + {{- fail "secrets.googleApiKey field is required when using secrets.googleProjectId" -}} +{{- end -}} +{{- $gkeSecret := default "google-secret" .Values.secrets.googleClientSecretName }} +{{- $gkeProjectId := "kasten-gke-project" }} +{{- $gkeApiKey := "/var/run/secrets/kasten.io/kasten-gke-sa.json"}} +{{- if eq (include "check.googleCredsSecret" .) "true" }} + {{- $gkeProjectId = "google-project-id" }} + {{- $gkeApiKey = "/var/run/secrets/kasten.io/google-api-key" }} +{{- end }} +{{- if eq (include "check.googleCredsOrSecret" .) "true" }} + - name: GOOGLE_APPLICATION_CREDENTIALS + value: {{ $gkeApiKey }} +{{- end }} +{{- if eq (include "check.googleCredsOrSecret" .) "true" }} + - name: projectID + valueFrom: + secretKeyRef: + name: {{ $gkeSecret }} + key: {{ $gkeProjectId }} + optional: true +{{- end }} +{{- end }} +{{- if list "dashboardbff" "executor" "garbagecollector" "controllermanager" "kanister" | has $service}} +{{- if or (eq (include "check.azuresecret" .) "true") (eq (include "check.azurecreds" .) "true" ) }} +{{- if eq (include "check.azuresecret" .) "true" }} + - name: {{ include "k10.azureClientIDEnvVar" . }} + valueFrom: + secretKeyRef: + name: {{ .Values.secrets.azureClientSecretName }} + key: azure_client_id + - name: {{ include "k10.azureTenantIDEnvVar" . }} + valueFrom: + secretKeyRef: + name: {{ .Values.secrets.azureClientSecretName }} + key: azure_tenant_id + - name: {{ include "k10.azureClientSecretEnvVar" . }} + valueFrom: + secretKeyRef: + name: {{ .Values.secrets.azureClientSecretName }} + key: azure_client_secret +{{- else }} +{{- if and (or (eq (include "check.azureMSIWithClientID" .) "true") (eq (include "check.azureClientSecretCreds" .) "true")) (not (eq (include "check.azureFederatedIdentity" . ) "true")) }} + - name: {{ include "k10.azureClientIDEnvVar" . }} + valueFrom: + secretKeyRef: + name: azure-creds + key: azure_client_id +{{- end }} +{{- if eq (include "check.azureClientSecretCreds" .) "true" }} + - name: {{ include "k10.azureTenantIDEnvVar" . }} + valueFrom: + secretKeyRef: + name: azure-creds + key: azure_tenant_id + - name: {{ include "k10.azureClientSecretEnvVar" . }} + valueFrom: + secretKeyRef: + name: azure-creds + key: azure_client_secret +{{- end }} +{{- end }} +{{- if .Values.secrets.azureResourceGroup }} + - name: AZURE_RESOURCE_GROUP + valueFrom: + secretKeyRef: + name: azure-creds + key: azure_resource_group +{{- end }} +{{- if .Values.secrets.azureSubscriptionID }} + - name: AZURE_SUBSCRIPTION_ID + valueFrom: + secretKeyRef: + name: azure-creds + key: azure_subscription_id +{{- end }} +{{- if .Values.secrets.azureResourceMgrEndpoint }} + - name: AZURE_RESOURCE_MANAGER_ENDPOINT + valueFrom: + secretKeyRef: + name: azure-creds + key: azure_resource_manager_endpoint +{{- end }} +{{- if or .Values.secrets.azureADEndpoint .Values.secrets.microsoftEntraIDEndpoint }} + - name: AZURE_AD_ENDPOINT + valueFrom: + secretKeyRef: + name: azure-creds + key: entra_id_endpoint +{{- end }} +{{- if or .Values.secrets.azureADResourceID .Values.secrets.microsoftEntraIDResourceID }} + - name: AZURE_AD_RESOURCE + valueFrom: + secretKeyRef: + name: azure-creds + key: entra_id_resource_id +{{- end }} +{{- if .Values.secrets.azureCloudEnvID }} + - name: AZURE_CLOUD_ENV_ID + valueFrom: + secretKeyRef: + name: azure-creds + key: azure_cloud_env_id +{{- end }} +{{- if eq (include "check.azureMSIWithDefaultID" .) "true" }} + - name: USE_AZURE_DEFAULT_MSI + value: "{{ .Values.azure.useDefaultMSI }}" +{{- end }} +{{- if eq (include "check.azureFederatedIdentity" .) "true" }} + - name: USE_AZURE_FEDERATED_IDENTITY + value: "{{ .Values.azure.useFederatedIdentity }}" +{{- end }} +{{- end }} +{{- end }} + +{{- /* +There are 3 valid states of the secret provided by customer: +1. Only role set +2. Both aws_access_key_id and aws_secret_access_key are set +3. All of role, aws_access_key_id and aws_secret_access_key are set. +*/}} +{{- if eq (include "check.awsSecretName" .) "true" }} + {{- $customerSecret := (lookup "v1" "Secret" .Release.Namespace .Values.secrets.awsClientSecretName )}} + {{- if $customerSecret }} + {{- if and (not $customerSecret.data.role) (not $customerSecret.data.aws_access_key_id) (not $customerSecret.data.aws_secret_access_key) }} + {{ fail "Provided secret must contain at least AWS IAM Role or AWS access key ID together with AWS secret access key"}} + {{- end }} + {{- if not (or (and $customerSecret.data.aws_access_key_id $customerSecret.data.aws_secret_access_key) (and (not $customerSecret.data.aws_access_key_id) (not $customerSecret.data.aws_secret_access_key))) }} + {{ fail "Provided secret lacks aws_access_key_id or aws_secret_access_key" }} + {{- end }} + {{- end }} +{{- end }} +{{- if list "dashboardbff" "executor" "garbagecollector" "controllermanager" "metering" "kanister" | has $service}} +{{- $awsSecretName := default "aws-creds" .Values.secrets.awsClientSecretName }} + - name: AWS_ACCESS_KEY_ID + valueFrom: + secretKeyRef: + name: {{ $awsSecretName }} + key: aws_access_key_id + optional: true + - name: AWS_SECRET_ACCESS_KEY + valueFrom: + secretKeyRef: + name: {{ $awsSecretName }} + key: aws_secret_access_key + optional: true + - name: K10_AWS_IAM_ROLE + valueFrom: + secretKeyRef: + name: {{ $awsSecretName }} + key: role + optional: true +{{- end }} +{{- if list "controllermanager" "executor" "catalog" | has $service}} +{{- if eq (include "check.gwifenabled" .) "true"}} + - name: GOOGLE_WORKLOAD_IDENTITY_FEDERATION_ENABLED + value: "true" +{{- if eq (include "check.gwifidptype" .) "true"}} + - name: GOOGLE_WORKLOAD_IDENTITY_FEDERATION_IDP + value: {{ .Values.google.workloadIdentityFederation.idp.type }} +{{- end }} +{{- if eq (include "check.gwifidpaud" .) "true"}} + - name: GOOGLE_WORKLOAD_IDENTITY_FEDERATION_AUD + value: {{ .Values.google.workloadIdentityFederation.idp.aud }} +{{- end }} +{{- end }} {{/* if eq (include "check.gwifenabled" .) "true" */}} +{{- end }} {{/* list "controllermanager" "executor" "catalog" | has $service */}} +{{- if or (eq $service "crypto") (eq $service "executor") (eq $service "dashboardbff") (eq $service "repositories") }} +{{- if eq (include "check.vaultcreds" .) "true" }} + - name: VAULT_ADDR + value: {{ .Values.vault.address }} +{{- if eq (include "check.vaultk8sauth" .) "true" }} + - name: VAULT_AUTH_ROLE + value: {{ .Values.vault.role }} + - name: VAULT_K8S_SERVICE_ACCOUNT_TOKEN_PATH + value: {{ .Values.vault.serviceAccountTokenPath }} +{{- end }} +{{- if (eq (include "check.vaulttokenauth" .) "true") }} + - name: VAULT_TOKEN + valueFrom: + secretKeyRef: + name: {{.Values.vault.secretName }} + key: vault_token +{{- end }} +{{- end }} +{{- end }} +{{- if list "dashboardbff" "executor" "garbagecollector" "controllermanager" | has $service}} +{{- if or (eq (include "check.vspherecreds" .) "true") (eq (include "check.vsphereClientSecret" .) "true") }} +{{- $vsphereSecretName := default "vsphere-creds" .Values.secrets.vsphereClientSecretName }} + - name: VSPHERE_ENDPOINT + valueFrom: + secretKeyRef: + name: {{ $vsphereSecretName }} + key: vsphere_endpoint + - name: VSPHERE_USERNAME + valueFrom: + secretKeyRef: + name: {{ $vsphereSecretName }} + key: vsphere_username + - name: VSPHERE_PASSWORD + valueFrom: + secretKeyRef: + name: {{ $vsphereSecretName }} + key: vsphere_password +{{- end }} +{{- end }} + - name: VERSION + valueFrom: + configMapKeyRef: + name: k10-config + key: version + - name: {{ include "k10.fluentbitEndpointEnvVar" . }} + valueFrom: + configMapKeyRef: + name: k10-config + key: fluentbitEndpoint + optional: true +{{- if .Values.clusterName }} + - name: CLUSTER_NAME + valueFrom: + configMapKeyRef: + name: k10-config + key: clustername +{{- end }} +{{- if .Values.fips.enabled }} + {{- include "k10.enforceFIPSEnvironmentVariables" . | indent 10 }} +{{- end }} + {{- with $capabilities := include "k10.capabilities" . }} + - name: K10_CAPABILITIES + value: {{ $capabilities | quote }} + {{- end }} + {{- with $capabilities_mask := include "k10.capabilities_mask" . }} + - name: K10_CAPABILITIES_MASK + value: {{ $capabilities_mask | quote }} + {{- end }} + - name: K10_HOST_SVC + value: {{ $pod }} +{{- if eq $service "controllermanager" }} + - name: K10_STATEFUL + value: "{{ .Values.global.persistence.enabled }}" +{{- if .Values.workerPodCRDs.resourcesRequests.maxMemory }} + - name: EPHEMERAL_POD_MAX_MEMORY_REQUESTS + valueFrom: + configMapKeyRef: + name: k10-config + key: workerPodMaxMemoryRequest +{{- end }} +{{- if .Values.workerPodCRDs.resourcesRequests.maxCPU }} + - name: EPHEMERAL_POD_MAX_CPU_REQUESTS + valueFrom: + configMapKeyRef: + name: k10-config + key: workerPodMaxCPURequest +{{- end }} +{{- end }} +{{- if eq $service "executor" }} + - name: KUBEVIRT_VM_UNFREEZE_TIMEOUT + valueFrom: + configMapKeyRef: + name: k10-config + key: kubeVirtVMsUnFreezeTimeout +{{- end }} +{{- if eq $service "executor" }} + - name: QUICK_DISASTER_RECOVERY_ENABLED + valueFrom: + configMapKeyRef: + name: k10-config + key: quickDisasterRecoveryEnabled +{{- end }} +{{- if or (eq $service "executor") (eq $service "controllermanager") }} +{{- if or .Values.global.imagePullSecret (or .Values.secrets.dockerConfig .Values.secrets.dockerConfigPath) }} + - name: IMAGE_PULL_SECRET_NAMES + value: {{ (trimSuffix " " (include "k10.imagePullSecretNames" .)) | toJson }} +{{- end }} +{{- end }} + - name: MODEL_STORE_DIR +{{- if or (eq $service "state") (not .Values.global.persistence.enabled) }} + value: "/tmp/k10store" +{{- else }} + valueFrom: + configMapKeyRef: + name: k10-config + key: modelstoredirname +{{- end }} +{{- if or (eq $service "kanister") (eq $service "executor")}} + - name: DATA_MOVER_IMAGE + value: {{ include "get.datamoverImage" . }} +{{- end }} +{{- if or (eq $service "kanister") (eq $service "executor")}} + - name: DATA_STORE_LOG_LEVEL + valueFrom: + configMapKeyRef: + name: k10-config + key: DataStoreLogLevel + - name: DATA_STORE_FILE_LOG_LEVEL + valueFrom: + configMapKeyRef: + name: k10-config + key: DataStoreFileLogLevel +{{- end }} + - name: LOG_LEVEL + valueFrom: + configMapKeyRef: + name: k10-config + key: loglevel +{{- if .Values.kanisterPodCustomLabels }} + - name: KANISTER_POD_CUSTOM_LABELS + valueFrom: + configMapKeyRef: + name: k10-config + key: KanisterPodCustomLabels +{{- end }} +{{- if .Values.kanisterPodCustomAnnotations }} + - name: KANISTER_POD_CUSTOM_ANNOTATIONS + valueFrom: + configMapKeyRef: + name: k10-config + key: KanisterPodCustomAnnotations +{{- end }} + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: K10_LIMITER_SNAPSHOT_EXPORTS_PER_ACTION + valueFrom: + configMapKeyRef: + name: k10-config + key: K10LimiterSnapshotExportsPerAction + - name: K10_LIMITER_WORKLOAD_SNAPSHOTS_PER_ACTION + valueFrom: + configMapKeyRef: + name: k10-config + key: K10LimiterWorkloadSnapshotsPerAction + - name: K10_DATA_STORE_PARALLEL_UPLOAD + valueFrom: + configMapKeyRef: + name: k10-config + key: k10DataStoreParallelUpload + - name: K10_DATA_STORE_PARALLEL_DOWNLOAD + valueFrom: + configMapKeyRef: + name: k10-config + key: k10DataStoreParallelDownload + - name: K10_DATA_STORE_GENERAL_CONTENT_CACHE_SIZE_MB + valueFrom: + configMapKeyRef: + name: k10-config + key: k10DataStoreGeneralContentCacheSizeMB + - name: K10_DATA_STORE_GENERAL_METADATA_CACHE_SIZE_MB + valueFrom: + configMapKeyRef: + name: k10-config + key: k10DataStoreGeneralMetadataCacheSizeMB + - name: K10_DATA_STORE_RESTORE_CONTENT_CACHE_SIZE_MB + valueFrom: + configMapKeyRef: + name: k10-config + key: k10DataStoreRestoreContentCacheSizeMB + - name: K10_DATA_STORE_RESTORE_METADATA_CACHE_SIZE_MB + valueFrom: + configMapKeyRef: + name: k10-config + key: k10DataStoreRestoreMetadataCacheSizeMB + - name: K10_LIMITER_GENERIC_VOLUME_BACKUPS_PER_CLUSTER + valueFrom: + configMapKeyRef: + name: k10-config + key: K10LimiterGenericVolumeBackupsPerCluster + - name: K10_LIMITER_SNAPSHOT_EXPORTS_PER_CLUSTER + valueFrom: + configMapKeyRef: + name: k10-config + key: K10LimiterSnapshotExportsPerCluster + - name: K10_LIMITER_VOLUME_RESTORES_PER_CLUSTER + valueFrom: + configMapKeyRef: + name: k10-config + key: K10LimiterVolumeRestoresPerCluster + - name: K10_LIMITER_CSI_SNAPSHOTS_PER_CLUSTER + valueFrom: + configMapKeyRef: + name: k10-config + key: K10LimiterCsiSnapshotsPerCluster + - name: K10_LIMITER_DIRECT_SNAPSHOTS_PER_CLUSTER + valueFrom: + configMapKeyRef: + name: k10-config + key: K10LimiterDirectSnapshotsPerCluster + - name: K10_LIMITER_IMAGE_COPIES_PER_CLUSTER + valueFrom: + configMapKeyRef: + name: k10-config + key: K10LimiterImageCopiesPerCluster + - name: K10_EPHEMERAL_PVC_OVERHEAD + valueFrom: + configMapKeyRef: + name: k10-config + key: K10EphemeralPVCOverhead + - name: K10_PERSISTENCE_STORAGE_CLASS + valueFrom: + configMapKeyRef: + name: k10-config + key: K10PersistenceStorageClass + - name: AWS_ASSUME_ROLE_DURATION + valueFrom: + configMapKeyRef: + name: k10-config + key: AWSAssumeRoleDuration +{{- if (list "kanister" "executor" "repositories" | has $service) }} + - name: K10_DATA_STORE_DISABLE_COMPRESSION + valueFrom: + configMapKeyRef: + name: k10-config + key: k10DataStoreDisableCompression + + - name: K10_KANISTER_POD_METRICS_IMAGE + value: {{ include "get.metricSidecarImage" . }} + + - name: K10_TIMEOUT_WORKER_POD_READY + valueFrom: + configMapKeyRef: + name: k10-config + key: K10TimeoutWorkerPodReady + + - name: WORKER_POD_METRIC_SIDECAR_ENABLED + valueFrom: + configMapKeyRef: + name: k10-config + key: WorkerPodMetricSidecarEnabled + - name: WORKER_POD_METRIC_SIDECAR_METRICS_INTERVAL + valueFrom: + configMapKeyRef: + name: k10-config + key: WorkerPodPushgatewayMetricsInterval + {{- if or (not (quote .Values.workerPodMetricSidecar.resources.requests.memory | empty)) (not (quote .Values.kanisterPodMetricSidecar.resources.requests.memory | empty)) }} + - name: K10_WORKER_POD_METRIC_SIDECAR_MEMORY_REQUEST + valueFrom: + configMapKeyRef: + name: k10-config + key: WorkerPodMetricSidecarMemoryRequest + {{- end }} + {{- if or (not (quote .Values.workerPodMetricSidecar.resources.requests.cpu | empty)) (not (quote .Values.kanisterPodMetricSidecar.resources.requests.cpu | empty)) }} + - name: K10_WORKER_POD_METRIC_SIDECAR_CPU_REQUEST + valueFrom: + configMapKeyRef: + name: k10-config + key: WorkerPodMetricSidecarCPURequest + {{- end }} + {{- if or (not (quote .Values.workerPodMetricSidecar.resources.limits.memory | empty)) (not (quote .Values.kanisterPodMetricSidecar.resources.limits.memory | empty)) }} + - name: K10_WORKER_POD_METRIC_SIDECAR_MEMORY_LIMIT + valueFrom: + configMapKeyRef: + name: k10-config + key: WorkerPodMetricSidecarMemoryLimit + {{- end }} + {{- if or (not (quote .Values.workerPodMetricSidecar.resources.limits.cpu | empty)) (not (quote .Values.kanisterPodMetricSidecar.resources.limits.cpu | empty)) }} + - name: K10_WORKER_POD_METRIC_SIDECAR_CPU_LIMIT + valueFrom: + configMapKeyRef: + name: k10-config + key: WorkerPodMetricSidecarCPULimit + {{- end }} + {{- if .Values.scc.create }} + - name: {{ include "k10.sccNameEnvVar" . }} + value: {{ .Release.Name }}-scc + {{- end }} + {{- if .Values.workerPodCRDs.enabled }} + - name: K10_EPHEMERAL_POD_SPECS_CR_ENABLED + valueFrom: + configMapKeyRef: + name: k10-config + key: workerPodResourcesCRDEnabled + {{- if .Values.workerPodCRDs.defaultActionPodSpec }} + - name: K10_DEFAULT_ACTION_POD_SPEC_NAME + valueFrom: + configMapKeyRef: + name: k10-config + key: workerPodDefaultAPSName + {{- end }} + {{- end }} +{{- end }} +{{- if (list "kanister" "executor" "repositories" "crypto" "dashboardbff" "aggregatedapis" | has $service) }} + {{- if .Values.global.podLabels }} + - name: K10_CUSTOM_POD_LABELS + valueFrom: + configMapKeyRef: + name: k10-config + key: K10CustomPodLabels + {{- end }} + {{- if .Values.global.podAnnotations }} + - name: K10_CUSTOM_POD_ANNOTATIONS + valueFrom: + configMapKeyRef: + name: k10-config + key: K10CustomPodAnnotations + {{- end }} +{{- end }} +{{- if (list "dashboardbff" "catalog" "executor" "crypto" | has $service) }} + {{- if .Values.metering.mode }} + - name: K10REPORTMODE + value: {{ .Values.metering.mode }} + {{- end }} +{{- end }} +{{- if eq $service "garbagecollector" }} + - name: K10_GC_DAEMON_PERIOD + valueFrom: + configMapKeyRef: + name: k10-config + key: K10GCDaemonPeriod + - name: K10_GC_KEEP_MAX_ACTIONS + valueFrom: + configMapKeyRef: + name: k10-config + key: K10GCKeepMaxActions + - name: K10_GC_ACTIONS_ENABLED + valueFrom: + configMapKeyRef: + name: k10-config + key: K10GCActionsEnabled +{{- end }} +{{- if (eq $service "executor") }} + - name: K10_LIMITER_EXECUTOR_THREADS + valueFrom: + configMapKeyRef: + name: k10-config + key: K10LimiterExecutorThreads + - name: K10_LIMITER_CSI_SNAPSHOT_RESTORES_PER_ACTION + valueFrom: + configMapKeyRef: + name: k10-config + key: K10LimiterCsiSnapshotRestoresPerAction + - name: K10_LIMITER_VOLUME_RESTORES_PER_ACTION + valueFrom: + configMapKeyRef: + name: k10-config + key: K10LimiterVolumeRestoresPerAction + - name: K10_LIMITER_WORKLOAD_RESTORES_PER_ACTION + valueFrom: + configMapKeyRef: + name: k10-config + key: K10LimiterWorkloadRestoresPerAction + - name: K10_TIMEOUT_BLUEPRINT_BACKUP + valueFrom: + configMapKeyRef: + name: k10-config + key: K10TimeoutBlueprintBackup + - name: K10_TIMEOUT_BLUEPRINT_RESTORE + valueFrom: + configMapKeyRef: + name: k10-config + key: K10TimeoutBlueprintRestore + - name: K10_TIMEOUT_BLUEPRINT_DELETE + valueFrom: + configMapKeyRef: + name: k10-config + key: K10TimeoutBlueprintDelete + - name: K10_TIMEOUT_BLUEPRINT_HOOKS + valueFrom: + configMapKeyRef: + name: k10-config + key: K10TimeoutBlueprintHooks + - name: K10_TIMEOUT_CHECK_REPO_POD_READY + valueFrom: + configMapKeyRef: + name: k10-config + key: K10TimeoutCheckRepoPodReady + - name: K10_TIMEOUT_STATS_POD_READY + valueFrom: + configMapKeyRef: + name: k10-config + key: K10TimeoutStatsPodReady + - name: K10_TIMEOUT_EFS_RESTORE_POD_READY + valueFrom: + configMapKeyRef: + name: k10-config + key: K10TimeoutEFSRestorePodReady + - name: KANISTER_MANAGED_DATA_SERVICES_BLUEPRINTS_ENABLED + valueFrom: + configMapKeyRef: + name: k10-config + key: KanisterManagedDataServicesBlueprintsEnabled +{{- if or .Values.maxJobWaitDuration .Values.timeout.jobWait }} + - name: K10_TIMEOUT_JOB_WAIT + valueFrom: + configMapKeyRef: + name: k10-config + key: K10TimeoutJobWait +{{- end }} + - name: K10_FORCE_ROOT_IN_BLUEPRINT_ACTIONS + valueFrom: + configMapKeyRef: + name: k10-config + key: K10ForceRootInBlueprintActions +{{- end }} +{{- if and (eq $service "executor") (.Values.awsConfig.efsBackupVaultName) }} + - name: EFS_BACKUP_VAULT_NAME + valueFrom: + configMapKeyRef: + name: k10-config + key: efsBackupVaultName +{{- end }} +{{- if and (eq $service "executor") (.Values.genericStorageBackup.token) }} + - name: K10_GVS_ACTIVATION_TOKEN + valueFrom: + configMapKeyRef: + name: k10-config + key: GVSActivationToken +{{- end }} +{{- if and (eq $service "executor") (.Values.genericStorageBackup.overridepubkey) }} + - name: OVERRIDE_GVS_TOKEN_VERIFICATION_KEY + valueFrom: + configMapKeyRef: + name: k10-config + key: overridePublicKeyForGVS +{{- end }} +{{- if and (eq $service "executor") (.Values.vmWare.taskTimeoutMin) }} + - name: VMWARE_GOM_TIMEOUT_MIN + valueFrom: + configMapKeyRef: + name: k10-config + key: vmWareTaskTimeoutMin +{{- end }} +{{- if .Values.useNamespacedAPI }} + - name: K10_API_DOMAIN + valueFrom: + configMapKeyRef: + name: k10-config + key: apiDomain +{{- end }} +{{- if .Values.jaeger.enabled }} + - name: JAEGER_AGENT_HOST + value: {{ .Values.jaeger.agentDNS }} +{{- end }} +{{- if .Values.auth.tokenAuth.enabled }} + - name: TOKEN_AUTH + valueFrom: + secretKeyRef: + name: k10-token-auth + key: auth +{{- end }} + - name: KANISTER_TOOLS + valueFrom: + configMapKeyRef: + name: k10-config + key: KanisterToolsImage +{{- with (include "k10.cacertconfigmapname" .) }} + - name: CACERT_CONFIGMAP_NAME + value: {{ . }} +{{- end }} + - name: K10_RELEASE_NAME + value: {{ .Release.Name }} + - name: KANISTER_FUNCTION_VERSION + valueFrom: + configMapKeyRef: + name: k10-config + key: kanisterFunctionVersion +{{- if and (eq $service "controllermanager") (.Values.injectKanisterSidecar.enabled) }} + - name: K10_MUTATING_WEBHOOK_ENABLED + value: "true" + - name: K10_MUTATING_WEBHOOK_TLS_CERT_DIR + valueFrom: + configMapKeyRef: + name: k10-config + key: K10MutatingWebhookTLSCertDir + - name: K10_MUTATING_WEBHOOK_PORT + value: {{ .Values.injectKanisterSidecar.webhookServer.port | quote }} +{{- end }} +{{- if (list "controllermanager" "kanister" "executor" "dashboardbff" "repositories" | has $service) }} + - name: K10_DEFAULT_PRIORITY_CLASS_NAME + valueFrom: + configMapKeyRef: + name: k10-config + key: K10DefaultPriorityClassName +{{- if .Values.genericVolumeSnapshot.resources.requests.memory }} + - name: KANISTER_TOOLS_MEMORY_REQUESTS + valueFrom: + configMapKeyRef: + name: k10-config + key: KanisterToolsMemoryRequests +{{- end }} +{{- if .Values.genericVolumeSnapshot.resources.requests.cpu }} + - name: KANISTER_TOOLS_CPU_REQUESTS + valueFrom: + configMapKeyRef: + name: k10-config + key: KanisterToolsCPURequests +{{- end }} +{{- if .Values.genericVolumeSnapshot.resources.limits.memory }} + - name: KANISTER_TOOLS_MEMORY_LIMITS + valueFrom: + configMapKeyRef: + name: k10-config + key: KanisterToolsMemoryLimits +{{- end }} +{{- if .Values.genericVolumeSnapshot.resources.limits.cpu }} + - name: KANISTER_TOOLS_CPU_LIMITS + valueFrom: + configMapKeyRef: + name: k10-config + key: KanisterToolsCPULimits +{{- end }} +{{- end }} +{{- if (list "dashboardbff" "controllermanager" "executor" | has $service) }} + {{- if .Values.prometheus.server.enabled }} + - name: K10_PROMETHEUS_HOST + value: {{ include "k10.prometheus.service.name" . }}-exp + - name: K10_PROMETHEUS_PORT + value: {{ .Values.prometheus.server.service.servicePort | quote }} + - name: K10_PROMETHEUS_BASE_URL + value: {{ .Values.prometheus.server.baseURL }} + {{- else -}} + {{- if and .Values.global.prometheus.external.host .Values.global.prometheus.external.port}} + - name: K10_PROMETHEUS_HOST + value: {{ .Values.global.prometheus.external.host }} + - name: K10_PROMETHEUS_PORT + value: {{ .Values.global.prometheus.external.port | quote }} + - name: K10_PROMETHEUS_BASE_URL + value: {{ .Values.global.prometheus.external.baseURL }} + {{- end -}} + {{- end }} + {{- if or (.Values.grafana.enabled) (.Values.grafana.external.url) }} + - name: GRAFANA_URL + value: {{ include "k10.grafanaUrl" . }} + {{- end }} +{{- end }} +{{- if eq $service "dashboardbff" }} + {{- if ne .Values.global.persistence.diskSpaceAlertPercent nil }} + - name: K10_DISK_SPACE_ALERT_PERCENT + value: {{ .Values.global.persistence.diskSpaceAlertPercent | quote }} + {{- end -}} +{{- end -}} +{{- if eq $service "controllermanager" }} + {{- if .Values.multicluster.primary.create }} + {{- if not .Values.multicluster.enabled }} + {{- fail "Cannot setup cluster as primary without enabling feature with multicluster.enabled=true" -}} + {{- end }} + {{- if not .Values.multicluster.primary.name }} + {{- fail "Cannot setup cluster as primary without setting cluster name with multicluster.primary.name" -}} + {{- end }} + {{- if not .Values.multicluster.primary.ingressURL }} + {{- fail "Cannot setup cluster as primary without providing an ingress with multicluster.primary.ingressURL" -}} + {{- end }} + - name: K10_MC_CREATE_PRIMARY + value: "true" + - name: K10_MC_PRIMARY_NAME + value: {{ .Values.multicluster.primary.name | quote }} + - name: K10_MC_PRIMARY_INGRESS_URL + value: {{ .Values.multicluster.primary.ingressURL | quote }} + {{- end }} +{{- end -}} +{{- if or $.stateful (or (eq (include "check.googleCredsOrSecret" .) "true") (eq $service "auth" "logging")) }} + volumeMounts: +{{- else if or (or (eq (include "basicauth.check" .) "true") (or .Values.auth.oidcAuth.enabled (eq (include "check.dexAuth" .) "true"))) .Values.features }} + volumeMounts: +{{- else if and (eq $service "controllermanager") (.Values.injectKanisterSidecar.enabled) }} + volumeMounts: +{{- else if or (eq (include "check.cacertconfigmap" .) "true") (include "k10.ocpcacertsautoextraction" .) }} + volumeMounts: +{{- else if eq $service "frontend" }} + volumeMounts: +{{- else if and (list "controllermanager" "executor" | has $pod) (eq (include "check.projectSAToken" .) "true")}} + volumeMounts: +{{- else if and (eq $service "aggregatedapis") (include "k10.siemEnabled" .) }} + volumeMounts: +{{- end }} +{{- if $.stateful }} + - name: {{ $service }}-persistent-storage + mountPath: {{ .Values.global.persistence.mountPath | quote }} +{{- end }} +{{- if .Values.features }} + - name: k10-features + mountPath: "/mnt/k10-features" +{{- end }} +{{- if eq $service "logging" }} + - name: logging-configmap-storage + mountPath: "/mnt/conf" +{{- end }} +{{- if and (eq $service "controllermanager") (.Values.injectKanisterSidecar.enabled) }} + - name: mutating-webhook-certs + mountPath: /etc/ssl/certs/webhook + readOnly: true +{{- end }} +{{- if list "dashboardbff" "auth" "controllermanager" | has $service}} +{{- if eq (include "basicauth.check" .) "true" }} + - name: k10-basic-auth + mountPath: "/var/run/secrets/kasten.io/k10-basic-auth" + readOnly: true +{{- end }} +{{- if (or .Values.auth.oidcAuth.enabled (eq (include "check.dexAuth" .) "true")) }} + - name: {{ include "k10.oidcSecretName" .}} + mountPath: {{ printf "%s/%s" (include "k10.secretsDir" .) (include "k10.oidcSecretName" .) }} + readOnly: true +{{- if .Values.auth.oidcAuth.clientSecretName }} + - name: {{ include "k10.oidcCustomerSecretName" .}} + mountPath: {{ printf "%s/%s" (include "k10.secretsDir" .) (include "k10.oidcCustomerSecretName" .) }} + readOnly: true +{{- end }} +{{- end }} +{{- end }} +{{- if eq (include "check.googleCredsOrSecret" .) "true"}} + - name: service-account + mountPath: {{ include "k10.secretsDir" .}} +{{- end }} +{{- if and (list "controllermanager" "executor" | has $pod) (eq (include "check.projectSAToken" .) "true")}} + - name: bound-sa-token + mountPath: "/var/run/secrets/kasten.io/serviceaccount/GWIF" + readOnly: true +{{- end }} +{{- with (include "k10.cacertconfigmapname" .) }} + - name: {{ . }} + mountPath: "/etc/ssl/certs/custom-ca-bundle.pem" + subPath: custom-ca-bundle.pem +{{- end }} +{{- if eq $service "frontend" }} + - name: frontend-config + mountPath: /etc/nginx/nginx.conf + subPath: nginx.conf + readOnly: true + - name: frontend-config + mountPath: /etc/nginx/conf.d/frontend.conf + subPath: frontend.conf + readOnly: true +{{- end}} +{{- if and (eq $service "aggregatedapis") (include "k10.siemEnabled" .) }} + - name: aggauditpolicy-config + mountPath: /etc/kubernetes/{{ include "k10.aggAuditPolicyFile" .}} + subPath: {{ include "k10.aggAuditPolicyFile" .}} + readOnly: true +{{- end}} +{{- if and (eq $service "catalog") $.stateful }} + - name: kanister-sidecar + image: {{ include "get.kanisterToolsImage" .}} + imagePullPolicy: {{ .Values.kanisterToolsImage.pullPolicy }} +{{- dict "main" . "k10_service_pod_name" $podName "k10_service_container_name" "kanister-sidecar" | include "k10.resource.request" | indent 8}} + env: + {{- with $capabilities := include "k10.capabilities" . }} + - name: K10_CAPABILITIES + value: {{ $capabilities | quote }} + {{- end }} + {{- with $capabilities_mask := include "k10.capabilities_mask" . }} + - name: K10_CAPABILITIES_MASK + value: {{ $capabilities_mask | quote }} + {{- end }} +{{- if .Values.fips.enabled }} + {{- include "k10.enforceFIPSEnvironmentVariables" . | nindent 10 }} +{{- end }} + volumeMounts: + - name: {{ $service }}-persistent-storage + mountPath: {{ .Values.global.persistence.mountPath | quote }} +{{- with (include "k10.cacertconfigmapname" .) }} + - name: {{ . }} + mountPath: "/etc/ssl/certs/custom-ca-bundle.pem" + subPath: custom-ca-bundle.pem +{{- end }} +{{- if eq (include "check.projectSAToken" .) "true" }} + - name: bound-sa-token + mountPath: "/var/run/secrets/kasten.io/serviceaccount/GWIF" + readOnly: true +{{- end }} +{{- end }} {{/* and (eq $service "catalog") $.stateful */}} +{{- if and ( eq $service "auth" ) ( eq (include "check.dexAuth" .) "true" ) }} + - name: dex + image: {{ include "get.dexImage" . }} +{{- if .Values.auth.ldap.enabled }} + command: ["/usr/local/bin/dex", "serve", "/dex-config/config.yaml"] +{{- if .Values.fips.enabled }} + env: + {{- include "k10.enforceFIPSEnvironmentVariables" . | nindent 10 }} +{{- end }} +{{- else if .Values.auth.openshift.enabled }} + {{- /* + In the case of OpenShift, a template config is used instead of a plain config for Dex. + It requires a different command to be processed correctly. + */}} + command: ["/usr/local/bin/docker-entrypoint", "dex", "serve", "/etc/dex/cfg/config.yaml"] + env: + - name: {{ include "k10.openShiftClientSecretEnvVar" . }} +{{- if and (not .Values.auth.openshift.clientSecretName) (not .Values.auth.openshift.clientSecret) }} + valueFrom: + secretKeyRef: + name: {{ include "get.openshiftServiceAccountSecretName" . }} + key: token +{{- else if .Values.auth.openshift.clientSecretName }} + valueFrom: + secretKeyRef: + name: {{ .Values.auth.openshift.clientSecretName }} + key: token +{{- else }} + value: {{ .Values.auth.openshift.clientSecret }} +{{- end }} +{{- if .Values.fips.enabled }} + {{- include "k10.enforceFIPSEnvironmentVariables" . | indent 10 }} +{{- end }} +{{- end }} + ports: + - name: http + containerPort: 8080 + volumeMounts: +{{- if .Values.auth.ldap.enabled }} + - name: dex-config + mountPath: /dex-config + - name: k10-logos-dex + mountPath: {{ include "k10.dexFrontendDir" . }}/themes/custom/ +{{- else }} + - name: config + mountPath: /etc/dex/cfg +{{- end }} +{{- with (include "k10.cacertconfigmapname" .) }} + - name: {{ . }} + mountPath: "/etc/ssl/certs/custom-ca-bundle.pem" + subPath: custom-ca-bundle.pem +{{- end }} +{{- end }} {{/* end of dex check */}} +{{- end }}{{/* with .main */}} +{{- end }}{{/* define "k10-container" */}} + +{{- define "k10-init-container-header" }} +{{- $pod := .k10_pod }} +{{- with .main }} +{{- $main_context := . }} +{{- $containerList := (dict "main" $main_context "k10_service_pod" $pod | include "get.serviceContainersInPod" | splitList " ") }} +{{- $needsInitContainersHeader := false }} +{{- range $skip, $service := $containerList }} +{{- $serviceStateful := has $service (dict "main" $main_context "k10_service_pod" $pod | include "get.statefulRestServicesInPod" | splitList " ") }} + {{- if and ( eq $service "auth" ) $main_context.Values.auth.ldap.enabled }} + {{- $needsInitContainersHeader = true }} + {{- else if $serviceStateful }} + {{- $needsInitContainersHeader = true }} + {{- end }}{{/* initContainers header needed check */}} +{{- end }}{{/* range $skip, $service := $containerList */}} +{{- if $needsInitContainersHeader }} + initContainers: +{{- end }} +{{- end }}{{/* with .main */}} +{{- end }}{{/* define "k10-init-container-header" */}} + +{{- define "k10-init-container" }} +{{- $pod := .k10_pod }} +{{- $podName := (printf "%s-svc" $pod) }} +{{- with .main }} +{{- $main_context := . }} +{{- $containerList := (dict "main" $main_context "k10_service_pod" $pod | include "get.serviceContainersInPod" | splitList " ") }} +{{- range $skip, $service := $containerList }} +{{- $serviceStateful := has $service (dict "main" $main_context "k10_service_pod" $pod | include "get.statefulRestServicesInPod" | splitList " ") }} +{{- if and ( eq $service "auth" ) $main_context.Values.auth.ldap.enabled }} + - name: dex-init + command: + - /dex/dexconfigmerge + args: + - --config-path=/etc/dex/cfg/config.yaml + - --secret-path=/var/run/secrets/kasten.io/bind-secret/bindPW + - --new-config-path=/dex-config/config.yaml + - --secret-field=bindPW + {{- dict "main" $main_context "k10_service" $service | include "serviceImage" | indent 8 }} + {{- dict "main" $main_context "k10_service_pod_name" $podName "k10_service_container_name" "dex-init" | include "k10.resource.request" | indent 8}} + volumeMounts: + - mountPath: /etc/dex/cfg + name: config + - mountPath: /dex-config + name: dex-config + - name: bind-secret + mountPath: "/var/run/secrets/kasten.io/bind-secret" + readOnly: true +{{- else if $serviceStateful }} + - name: upgrade-init + securityContext: + capabilities: + add: + - FOWNER + - CHOWN + runAsUser: 1000 + allowPrivilegeEscalation: false + {{- dict "main" $main_context "k10_service" "upgrade" | include "serviceImage" | indent 8 }} + imagePullPolicy: {{ $main_context.Values.global.image.pullPolicy }} + {{- dict "main" $main_context "k10_service_pod_name" $podName "k10_service_container_name" "upgrade-init" | include "k10.resource.request" | indent 8}} + env: + - name: MODEL_STORE_DIR + valueFrom: + configMapKeyRef: + name: k10-config + key: modelstoredirname + volumeMounts: + - name: {{ $service }}-persistent-storage + mountPath: {{ $main_context.Values.global.persistence.mountPath | quote }} +{{- if eq $service "catalog" }} + - name: schema-upgrade-check + {{- dict "main" $main_context "k10_service" $service | include "serviceImage" | indent 8 }} + imagePullPolicy: {{ $main_context.Values.global.image.pullPolicy }} + {{- dict "main" $main_context "k10_service_pod_name" $podName "k10_service_container_name" "schema-upgrade-check" | include "k10.resource.request" | indent 8}} + env: +{{- if $main_context.Values.clusterName }} + - name: CLUSTER_NAME + valueFrom: + configMapKeyRef: + name: k10-config + key: clustername +{{- end }} + - name: INIT_CONTAINER + value: "true" + - name: K10_RELEASE_NAME + value: {{ $main_context.Release.Name }} + - name: LOG_LEVEL + valueFrom: + configMapKeyRef: + name: k10-config + key: loglevel + - name: MODEL_STORE_DIR + valueFrom: + configMapKeyRef: + name: k10-config + key: modelstoredirname + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: VERSION + valueFrom: + configMapKeyRef: + name: k10-config + key: version + volumeMounts: + - name: {{ $service }}-persistent-storage + mountPath: {{ $main_context.Values.global.persistence.mountPath | quote }} +{{- end }}{{/* eq $service "catalog" */}} +{{- end }}{{/* initContainers definitions */}} +{{- end }}{{/* range $skip, $service := $containerList */}} +{{- end }}{{/* with .main */}} +{{- end }}{{/* define "k10-init-container" */}} diff --git a/charts/kasten/k10/7.0.1401/templates/_k10_image_tag.tpl b/charts/kasten/k10/7.0.1401/templates/_k10_image_tag.tpl new file mode 100644 index 000000000..9ac59af4f --- /dev/null +++ b/charts/kasten/k10/7.0.1401/templates/_k10_image_tag.tpl @@ -0,0 +1 @@ +{{- define "k10.imageTag" -}}7.0.14{{- end -}} \ No newline at end of file diff --git a/charts/kasten/k10/7.0.1401/templates/_k10_metering.tpl b/charts/kasten/k10/7.0.1401/templates/_k10_metering.tpl new file mode 100644 index 000000000..6dfb6a416 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/templates/_k10_metering.tpl @@ -0,0 +1,352 @@ +{{/* Generate service spec */}} +{{/* because of https://github.com/GoogleCloudPlatform/marketplace-k8s-app-tools/issues/165 +we have to start using .Values.reportingSecret instead +of correct version .Values.metering.reportingSecret */}} +{{- define "k10-metering" }} +{{ $service := .k10_service }} +{{- $podName := (printf "%s-svc" $service) }} +{{ $main := .main }} +{{- with .main }} +{{- $servicePort := .Values.service.externalPort -}} +{{- $optionalServices := .Values.optionalColocatedServices -}} +{{- $rbac := .Values.prometheus.rbac.create -}} +{{- if $.stateful }} +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + namespace: {{ .Release.Namespace }} + name: {{ $service }}-pv-claim + labels: +{{ include "helm.labels" . | indent 4 }} + component: {{ $service }} +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: {{ default .Values.global.persistence.size (index .Values.global.persistence $service "size") }} +{{- if .Values.global.persistence.storageClass }} + {{- if (eq "-" .Values.global.persistence.storageClass) }} + storageClassName: "" + {{- else }} + storageClassName: "{{ .Values.global.persistence.storageClass }}" + {{- end }} +{{- end }} +--- +{{- end }}{{/* if $.stateful */}} +{{ $service_list := include "get.enabledRestServices" . | splitList " " }} +kind: ConfigMap +apiVersion: v1 +metadata: + labels: +{{ include "helm.labels" . | indent 4 }} + namespace: {{ .Release.Namespace }} + name: {{ include "fullname" . }}-metering-config +data: + config: | +{{- if .Values.metering.reportingKey }} + identities: + - name: gcp + gcp: + encodedServiceAccountKey: {{ .Values.metering.reportingKey }} +{{- end }} + metrics: + - name: node_time + type: int + passthrough: {} + endpoints: + - name: on_disk +{{- if .Values.metering.reportingKey }} + - name: servicecontrol +{{- end }} + endpoints: + - name: on_disk + disk: +{{- if .Values.global.persistence.enabled }} + reportDir: /var/reports/ubbagent/reports +{{- else }} + reportDir: /tmp/reports/ubbagent/reports +{{- end }} + expireSeconds: 3600 +{{- if .Values.metering.reportingKey }} + - name: servicecontrol + servicecontrol: + identity: gcp + serviceName: kasten-k10.mp-kasten-public.appspot.com + consumerId: {{ .Values.metering.consumerId }} +{{- end }} + prometheusTargets: | +{{- range $service_list }} +{{- if or (not (hasKey $optionalServices .)) (index $optionalServices .).enabled }} +{{- if not (eq . "executor") }} +{{ $tmpcontx := dict "main" $main "k10service" . -}} +{{ include "k10.prometheusTargetConfig" $tmpcontx | trim | indent 4 -}} +{{- end }} +{{- end }} +{{- end }} +{{- range include "get.enabledServices" . | splitList " " }} +{{- if (or (ne . "aggregatedapis") ($rbac)) }} +{{ $tmpcontx := dict "main" $main "k10service" . -}} +{{ include "k10.prometheusTargetConfig" $tmpcontx | indent 4 -}} +{{- end }} +{{- end }} +{{- range include "get.enabledAdditionalServices" . | splitList " " }} +{{- if not (eq . "frontend") }} +{{ $tmpcontx := dict "main" $main "k10service" . -}} +{{ include "k10.prometheusTargetConfig" $tmpcontx | indent 4 -}} +{{- end }} +{{- end }} + +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + namespace: {{ .Release.Namespace }} + name: {{ $service }}-svc + labels: +{{ include "helm.labels" . | indent 4 }} + component: {{ $service }} +spec: + replicas: {{ $.replicas }} + strategy: + type: Recreate + selector: + matchLabels: +{{ include "k10.common.matchLabels" . | indent 6 }} + component: {{ $service }} + run: {{ $service }}-svc + template: + metadata: + annotations: + {{- include "k10.deploymentPodAnnotations" . | nindent 8 }} + labels: + {{- with merge (dict "requiredLabels" (dict "component" $service "run" (printf "%s-svc" $service) )) . }} + {{- include "k10.deploymentPodLabels" . | nindent 8 }} + {{- end }} + spec: + securityContext: +{{ toYaml .Values.services.securityContext | indent 8 }} + serviceAccountName: {{ template "meteringServiceAccountName" . }} + {{- dict "main" . "k10_deployment_name" $podName | include "k10.priorityClassName" | indent 6}} + {{- include "k10.imagePullSecrets" . | indent 6 }} +{{- if $.stateful }} + initContainers: + - name: upgrade-init + securityContext: + capabilities: + add: + - FOWNER + - CHOWN + runAsUser: 1000 + allowPrivilegeEscalation: false + {{- dict "main" . "k10_service" "upgrade" | include "serviceImage" | indent 8 }} + imagePullPolicy: {{ .Values.global.image.pullPolicy }} + {{- dict "main" . "k10_service_pod_name" $podName "k10_service_container_name" "upgrade-init" | include "k10.resource.request" | indent 8}} + env: + - name: MODEL_STORE_DIR + value: /var/reports/ + volumeMounts: + - name: {{ $service }}-persistent-storage + mountPath: /var/reports/ +{{- end }} + containers: + - name: {{ $service }}-svc + {{- dict "main" . "k10_service" $service | include "serviceImage" | indent 8 }} + imagePullPolicy: {{ .Values.global.image.pullPolicy }} +{{- $containerName := (printf "%s-svc" $service) }} +{{- dict "main" . "k10_service_pod_name" $podName "k10_service_container_name" $containerName | include "k10.resource.request" | indent 8}} + ports: + - containerPort: {{ .Values.service.externalPort }} + livenessProbe: + httpGet: + path: /v0/healthz + port: {{ .Values.service.externalPort }} + initialDelaySeconds: 90 + timeoutSeconds: 1 + env: + - name: VERSION + valueFrom: + configMapKeyRef: + name: k10-config + key: version + - name: {{ include "k10.fluentbitEndpointEnvVar" . }} + valueFrom: + configMapKeyRef: + name: k10-config + key: fluentbitEndpoint + optional: true + - name: KANISTER_TOOLS + valueFrom: + configMapKeyRef: + name: k10-config + key: KanisterToolsImage +{{- if .Values.clusterName }} + - name: CLUSTER_NAME + valueFrom: + configMapKeyRef: + name: k10-config + key: clustername +{{- end }} +{{- if .Values.fips.enabled }} + {{- include "k10.enforceFIPSEnvironmentVariables" . | indent 10 }} +{{- end }} + {{- with $capabilities := include "k10.capabilities" . }} + - name: K10_CAPABILITIES + value: {{ $capabilities | quote }} + {{- end }} + {{- with $capabilities_mask := include "k10.capabilities_mask" . }} + - name: K10_CAPABILITIES_MASK + value: {{ $capabilities_mask | quote }} + {{- end }} + - name: K10_HOST_SVC + value: {{ $service }} + - name: LOG_LEVEL + valueFrom: + configMapKeyRef: + name: k10-config + key: loglevel + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace +{{- if .Values.useNamespacedAPI }} + - name: K10_API_DOMAIN + valueFrom: + configMapKeyRef: + name: k10-config + key: apiDomain +{{- end }} + - name: AGENT_CONFIG_FILE + value: /var/ubbagent/config.yaml + - name: AGENT_STATE_DIR +{{- if .Values.global.persistence.enabled }} + value: "/var/reports/ubbagent" +{{- else }} + value: "/tmp/reports/ubbagent" + - name: K10SYNCSTATUSDIR + value: "/tmp/reports/k10" + - name: GRACE_PERIOD_STORE + value: /tmp/reports/clustergraceperiod + - name: NODE_USAGE_STORE + value: /tmp/reports/node_usage_history +{{- end }} +{{- if .Values.metering.awsRegion }} + - name: AWS_REGION + value: {{ .Values.metering.awsRegion }} +{{- end }} +{{- if .Values.metering.mode }} + - name: K10REPORTMODE + value: {{ .Values.metering.mode }} +{{- end }} +{{- if .Values.metering.reportCollectionPeriod }} + - name: K10_REPORT_COLLECTION_PERIOD + value: {{ .Values.metering.reportCollectionPeriod | quote }} +{{- end }} +{{- if .Values.metering.reportPushPeriod }} + - name: K10_REPORT_PUSH_PERIOD + value: {{ .Values.metering.reportPushPeriod | quote }} +{{- end }} +{{- if .Values.metering.promoID }} + - name: K10_PROMOTION_ID + value: {{ .Values.metering.promoID }} +{{- end }} + +{{- if .Values.prometheus.server.enabled }} + - name: K10_PROMETHEUS_HOST + value: {{ include "k10.prometheus.service.name" . }}-exp + - name: K10_PROMETHEUS_PORT + value: {{ .Values.prometheus.server.service.servicePort | quote }} + - name: K10_PROMETHEUS_BASE_URL + value: {{ .Values.prometheus.server.baseURL }} +{{- else -}} + {{- if and .Values.global.prometheus.external.host .Values.global.prometheus.external.port}} + - name: K10_PROMETHEUS_HOST + value: {{ .Values.global.prometheus.external.host }} + - name: K10_PROMETHEUS_PORT + value: {{ .Values.global.prometheus.external.port | quote }} + - name: K10_PROMETHEUS_BASE_URL + value: {{ .Values.global.prometheus.external.baseURL }} + {{- end -}} +{{- end }} +{{- if or .Values.workerPodMetricSidecar.enabled .Values.kanisterPodMetricSidecar.enabled }} + - name: WORKER_POD_METRIC_SIDECAR_ENABLED + valueFrom: + configMapKeyRef: + name: k10-config + key: WorkerPodMetricSidecarEnabled + - name: WORKER_POD_METRIC_SIDECAR_METRIC_LIFETIME + valueFrom: + configMapKeyRef: + name: k10-config + key: WorkerPodMetricSidecarMetricLifetime + - name: WORKER_POD_METRIC_SIDECAR_METRICS_INTERVAL + valueFrom: + configMapKeyRef: + name: k10-config + key: WorkerPodPushgatewayMetricsInterval +{{- end }} +{{- if .Values.reportingSecret }} + - name: AGENT_CONSUMER_ID + valueFrom: + secretKeyRef: + name: {{ .Values.reportingSecret }} + key: consumer-id + - name: AGENT_REPORTING_KEY + valueFrom: + secretKeyRef: + name: {{ .Values.reportingSecret }} + key: reporting-key + - name: K10_RELEASE_NAME + value: {{ .Release.Name }} +{{- end }} +{{- if .Values.metering.licenseConfigSecretName }} + - name: AWS_WEB_IDENTITY_REFRESH_TOKEN_FILE + value: "/var/run/secrets/product-license/license_token" + - name: AWS_ROLE_ARN + valueFrom: + secretKeyRef: + name: {{ .Values.metering.licenseConfigSecretName }} + key: iam_role +{{- end }} + volumeMounts: + - name: meter-config + mountPath: /var/ubbagent +{{- if $.stateful }} + - name: {{ $service }}-persistent-storage + mountPath: /var/reports/ +{{- end }} +{{- if .Values.metering.licenseConfigSecretName }} + - name: awsmp-product-license + mountPath: "/var/run/secrets/product-license" +{{- end }} +{{- if .Values.features }} + - name: k10-features + mountPath: "/mnt/k10-features" +{{- end }} + volumes: + - name: meter-config + configMap: + name: {{ include "fullname" . }}-metering-config + items: + - key: config + path: config.yaml + - key: prometheusTargets + path: prometheusTargets.yaml +{{- if .Values.features }} + - name: k10-features + configMap: + name: k10-features +{{- end }} +{{- if $.stateful }} + - name: {{ $service }}-persistent-storage + persistentVolumeClaim: + claimName: {{ $service }}-pv-claim +{{- end }} +{{- if .Values.metering.licenseConfigSecretName }} + - name: awsmp-product-license + secret: + secretName: {{ .Values.metering.licenseConfigSecretName }} +{{- end }} +--- +{{- end }}{{/* with .main */}} +{{- end }}{{/* define "k10-metering" */}} diff --git a/charts/kasten/k10/7.0.1401/templates/_k10_serviceimage.tpl b/charts/kasten/k10/7.0.1401/templates/_k10_serviceimage.tpl new file mode 100644 index 000000000..9a333d92c --- /dev/null +++ b/charts/kasten/k10/7.0.1401/templates/_k10_serviceimage.tpl @@ -0,0 +1,50 @@ +{{/* +Helper to get k10 service image +The details on how these image are being generated +is in below issue +https://kasten.atlassian.net/browse/K10-4036 +*/}} +{{- define "serviceImage" -}} +{{/* +we are maintaining the field .Values.global.images to override it when +we install the chart for red hat marketplace. If we dont +have the value specified use earlier flow, if it is, use the +value that is specified. +*/}} +{{- include "image.values.check" . -}} +{{- if not .main.Values.global.rhMarketPlace }} +{{- $serviceImage := "" -}} +{{- $tagFromDefs := "" -}} +{{- if .main.Values.global.airgapped.repository }} +{{- $serviceImage = (include "get.k10ImageTag" .main) | print .main.Values.global.airgapped.repository "/" .k10_service ":" }} +{{- else if .main.Values.global.azMarketPlace }} +{{- $az_image := (get .main.Values.global.azure.images .k10_service) }} +{{- $serviceImage = print $az_image.registry "/" $az_image.image ":" $az_image.tag }} +{{- else }} +{{- $serviceImage = (include "get.k10ImageTag" .main) | print .main.Values.global.image.registry "/" .k10_service ":" }} +{{- end }}{{/* if .main.Values.global.airgapped.repository */}} +{{- $serviceImageKey := print (replace "-" "" .k10_service) "Image" }} +{{- if eq $serviceImageKey "dexImage" }} +{{- $tagFromDefs = (include "dex.dexImageTag" .) }} +{{- end }}{{/* if eq $serviceImageKey "dexImage" */}} +{{- if index .main.Values $serviceImageKey }} +{{- $service_values := index .main.Values $serviceImageKey }} +{{- if .main.Values.global.airgapped.repository }} +{{ $valuesImage := (splitList "/" (index $service_values "image")) }} +{{- if $tagFromDefs }} +image: {{ printf "%s/%s:k10-%s" .main.Values.global.airgapped.repository (index $valuesImage (sub (len $valuesImage) 1) ) $tagFromDefs -}} +{{- end }} +{{- else }}{{/* .main.Values.global.airgapped.repository */}} +{{- if $tagFromDefs }} +image: {{ printf "%s:%s" (index $service_values "image") $tagFromDefs }} +{{- else }} +image: {{ index $service_values "image" }} +{{- end }} +{{- end }}{{/* .main.Values.global.airgapped.repository */}} +{{- else }} +image: {{ $serviceImage }} +{{- end -}}{{/* index .main.Values $serviceImageKey */}} +{{- else }} +image: {{ printf "%s" (get .main.Values.global.images .k10_service) }} +{{- end }}{{/* if not .main.Values.images.executor */}} +{{- end -}}{{/* define "serviceImage" */}} diff --git a/charts/kasten/k10/7.0.1401/templates/_k10_template.tpl b/charts/kasten/k10/7.0.1401/templates/_k10_template.tpl new file mode 100644 index 000000000..48ab4d78d --- /dev/null +++ b/charts/kasten/k10/7.0.1401/templates/_k10_template.tpl @@ -0,0 +1,245 @@ +{{/* Generate service spec */}} +{{- define "k10-default" }} +{{- $service := .k10_service }} +{{- $deploymentName := (printf "%s-svc" $service) }} +{{- with .main }} +{{- $main_context := . }} +{{- range $skip, $statefulContainer := compact (dict "main" $main_context "k10_service_pod" $service | include "get.statefulRestServicesInPod" | splitList " ") }} +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + namespace: {{ $main_context.Release.Namespace }} + name: {{ $statefulContainer }}-pv-claim + labels: +{{ include "helm.labels" $main_context | indent 4 }} + component: {{ $statefulContainer }} +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: {{ index (index $main_context.Values.global.persistence $statefulContainer | default dict) "size" | default $main_context.Values.global.persistence.size }} +{{- if $main_context.Values.global.persistence.storageClass }} + {{- if (eq "-" $main_context.Values.global.persistence.storageClass) }} + storageClassName: "" + {{- else }} + storageClassName: "{{ $main_context.Values.global.persistence.storageClass }}" + {{- end }} +{{- end }} +--- +{{- end }}{{/* if $.stateful */}} +apiVersion: apps/v1 +kind: Deployment +metadata: + namespace: {{ .Release.Namespace }} + name: {{ $deploymentName }} + labels: +{{ include "helm.labels" . | indent 4 }} + component: {{ $service }} +spec: + replicas: {{ $.replicas }} + strategy: + type: Recreate + selector: + matchLabels: +{{ include "k10.common.matchLabels" . | indent 6 }} + component: {{ $service }} + run: {{ $deploymentName }} + template: + metadata: + annotations: +{{- +$requiredAnnotations := (dict + "run" $deploymentName + "checksum/frontend-nginx-config" (include (print .Template.BasePath "/frontend-nginx-configmap.yaml") . | sha256sum) +) +-}} +{{- if .Values.auth.ldap.restartPod -}} + {{- $_ := set $requiredAnnotations "rollme" (randAlphaNum 5) -}} +{{- end -}} + {{- with merge (dict "requiredAnnotations" $requiredAnnotations) . }} + {{- include "k10.deploymentPodAnnotations" . | nindent 8 }} + {{- end }} + labels: +{{- +$requiredLabels := (dict + "component" $service + "run" $deploymentName +) +-}} +{{- if list "executor" "controllermanager" | has $service}} + {{- if eq (include "check.azureFederatedIdentity" .) "true" }} + azure.workload.identity/use: "true" + {{- end }} +{{- end }} + {{- with merge (dict "requiredLabels" $requiredLabels) . }} + {{- include "k10.deploymentPodLabels" . | nindent 8 }} + {{- end }} + spec: +{{- if eq $service "executor" }} +{{- if .Values.services.executor.hostNetwork }} + hostNetwork: true +{{- end }}{{/* .Values.services.executor.hostNetwork */}} +{{- end }}{{/* eq $service "executor" */}} +{{- if eq $service "aggregatedapis" }} +{{- if .Values.services.aggregatedapis.hostNetwork }} + hostNetwork: true +{{- end }}{{/* .Values.services.aggregatedapis.hostNetwork */}} +{{- end }}{{/* eq $service "aggregatedapis" */}} +{{- if eq $service "dashboardbff" }} +{{- if .Values.services.dashboardbff.hostNetwork }} + hostNetwork: true +{{- end }}{{/* .Values.services.dashboardbff.hostNetwork */}} +{{- end }}{{/* eq $service "dashboardbff" */}} + securityContext: +{{ toYaml .Values.services.securityContext | indent 8 }} + serviceAccountName: {{ template "serviceAccountName" . }} + {{- dict "main" . "k10_deployment_name" $deploymentName | include "k10.priorityClassName" | indent 6}} + {{- include "k10.imagePullSecrets" . | indent 6 }} +{{- /* initContainers: */}} +{{- (dict "main" . "k10_pod" $service | include "k10-init-container-header") }} +{{- (dict "main" . "k10_pod" $service | include "k10-init-container") }} +{{- /* containers: */}} +{{- (dict "main" . "k10_pod" $service | include "k10-containers") }} +{{- /* volumes: */}} +{{- (dict "main" . "k10_pod" $service | include "k10-deployment-volumes-header") }} +{{- (dict "main" . "k10_pod" $service | include "k10-deployment-volumes") }} +--- +{{- end }}{{/* with .main */}} +{{- end }}{{/* define "k10-default" */}} + +{{- define "k10-deployment-volumes-header" }} +{{- $pod := .k10_pod }} +{{- with .main }} +{{- $main_context := . }} +{{- $containerList := (dict "main" $main_context "k10_service_pod" $pod | include "get.serviceContainersInPod" | splitList " ") }} +{{- $needsVolumesHeader := false }} +{{- range $skip, $service := $containerList }} + {{- $serviceStateful := has $service (dict "main" $main_context "k10_service_pod" $pod | include "get.statefulRestServicesInPod" | splitList " ") }} + {{- if or $serviceStateful (or (eq (include "check.googlecreds" $main_context) "true") (eq $service "auth" "logging")) }} + {{- $needsVolumesHeader = true }} + {{- else if or (or (eq (include "basicauth.check" $main_context) "true") (or $main_context.Values.auth.oidcAuth.enabled (eq (include "check.dexAuth" $main_context) "true"))) $main_context.Values.features }} + {{- $needsVolumesHeader = true }} + {{- else if and (eq $service "controllermanager") ($main_context.Values.injectKanisterSidecar.enabled) }} + {{- $needsVolumesHeader = true }} + {{- else if or (eq (include "check.cacertconfigmap" $main_context) "true") (include "k10.ocpcacertsautoextraction" $main_context) }} + {{- $needsVolumesHeader = true }} + {{- else if and ( eq $service "auth" ) ( eq (include "check.dexAuth" $main_context) "true" ) }} + {{- $needsVolumesHeader = true }} + {{- else if eq $service "frontend" }} + {{- $needsVolumesHeader = true }} + {{- else if and (list "controllermanager" "executor" "catalog" | has $pod) (eq (include "check.projectSAToken" $main_context) "true")}} + {{- $needsVolumesHeader = true }} + {{- else if and (eq $service "aggregatedapis") (include "k10.siemEnabled" $main_context) }} + {{- $needsVolumesHeader = true }} + {{- end }}{{/* volumes header needed check */}} +{{- end }}{{/* range $skip, $service := $containerList */}} +{{- if $needsVolumesHeader }} + volumes: +{{- end }} +{{- end }}{{/* with .main */}} +{{- end }}{{/* define "k10-init-container-header" */}} + +{{- define "k10-deployment-volumes" }} +{{- $pod := .k10_pod }} +{{- with .main }} +{{- if .Values.features }} + - name: k10-features + configMap: + name: k10-features +{{- end }} +{{- if list "dashboardbff" "auth" "controllermanager" | has $pod}} +{{- if eq (include "basicauth.check" .) "true" }} + - name: k10-basic-auth + secret: + secretName: {{ default "k10-basic-auth" .Values.auth.basicAuth.secretName }} +{{- end }} +{{- if .Values.auth.oidcAuth.enabled }} + - name: {{ include "k10.oidcSecretName" .}} + secret: + secretName: {{ default (include "k10.oidcSecretName" .) .Values.auth.oidcAuth.secretName }} +{{- if .Values.auth.oidcAuth.clientSecretName }} + - name: {{ include "k10.oidcCustomerSecretName" . }} + secret: + secretName: {{ .Values.auth.oidcAuth.clientSecretName }} +{{- end }} +{{- end }} +{{- if .Values.auth.openshift.enabled }} + - name: {{ include "k10.oidcSecretName" .}} + secret: + secretName: {{ default (include "k10.oidcSecretName" .) .Values.auth.openshift.secretName }} +{{- end }} +{{- if .Values.auth.ldap.enabled }} + - name: {{ include "k10.oidcSecretName" .}} + secret: + secretName: {{ default (include "k10.oidcSecretName" .) .Values.auth.ldap.secretName }} + - name: k10-logos-dex + configMap: + name: k10-logos-dex +{{- end }} +{{- end }} +{{- range $skip, $statefulContainer := compact (dict "main" . "k10_service_pod" $pod | include "get.statefulRestServicesInPod" | splitList " ") }} + - name: {{ $statefulContainer }}-persistent-storage + persistentVolumeClaim: + claimName: {{ $statefulContainer }}-pv-claim +{{- end }} +{{- if eq (include "check.googleCredsOrSecret" .) "true" }} +{{- $gkeSecret := default "google-secret" .Values.secrets.googleClientSecretName }} + - name: service-account + secret: + secretName: {{ $gkeSecret }} +{{- end }} +{{- if and (list "controllermanager" "executor" "catalog" | has $pod) (eq (include "check.projectSAToken" .) "true")}} + - name: bound-sa-token + projected: + sources: + - serviceAccountToken: +{{- if eq (include "check.gwifidpaud" .) "true" }} + audience: {{ .Values.google.workloadIdentityFederation.idp.aud }} +{{- end }} + expirationSeconds: 3600 + path: token +{{- end }} +{{- with (include "k10.cacertconfigmapname" .) }} + - name: {{ . }} + configMap: + name: {{ . }} +{{- end }} +{{- if eq $pod "frontend" }} + - name: frontend-config + configMap: + name: frontend-config +{{- end }} +{{- if and (eq $pod "aggregatedapis") (include "k10.siemEnabled" .) }} + - name: aggauditpolicy-config + configMap: + name: aggauditpolicy-config +{{- end }} +{{- $containersInThisPod := (dict "main" . "k10_service_pod" $pod | include "get.serviceContainersInPod" | splitList " ") }} +{{- if has "logging" $containersInThisPod }} + - name: logging-configmap-storage + configMap: + name: fluentbit-configmap +{{- end }} +{{- if and (has "controllermanager" $containersInThisPod) (.Values.injectKanisterSidecar.enabled) }} + - name: mutating-webhook-certs + secret: + secretName: controllermanager-certs +{{- end }} +{{- if and ( has "auth" $containersInThisPod) ( eq (include "check.dexAuth" .) "true" ) }} + - name: config + configMap: + name: k10-dex + items: + - key: config.yaml + path: config.yaml +{{- if .Values.auth.ldap.enabled }} + - name: dex-config + emptyDir: {} + - name: bind-secret + secret: + secretName: {{ default "k10-dex" .Values.auth.ldap.bindPWSecretName }} +{{- end }} +{{- end }} +{{- end }}{{/* with .main */}} +{{- end }}{{/* define "k10-init-container-header" */}} diff --git a/charts/kasten/k10/7.0.1401/templates/_prometheus.tpl b/charts/kasten/k10/7.0.1401/templates/_prometheus.tpl new file mode 100644 index 000000000..a49a8363f --- /dev/null +++ b/charts/kasten/k10/7.0.1401/templates/_prometheus.tpl @@ -0,0 +1,29 @@ +{{/*** MATCH LABELS *** + NOTE: The match labels here (`app` and `release`) are divergent from + the match labels set by the upstream chart. This is intentional since a + Deployment's `spec.selector` is immutable and K10 has already been shipped + with these values. + + A change to these selector labels will mean that all customers must manually + delete the Prometheus Deployment before upgrading, which is a situation we don't + want for our customers. + + Instead, the `app.kubernetes.io/name` and `app.kubernetes.io/instance` labels + are included in the `prometheus.commonMetaLabels` in: + `helm/k10/templates/{values}/prometheus/charts/{charts}/values/prometheus_values.tpl`. +*/}} +{{- define "prometheus.common.matchLabels" -}} +app: {{ include "prometheus.name" . }} +release: {{ .Release.Name }} +{{- end -}} + +{{- define "prometheus.server.labels" -}} +{{ include "prometheus.server.matchLabels" . }} +{{ include "prometheus.common.metaLabels" . }} +app.kubernetes.io/component: {{ .Values.server.name }} +{{- end -}} + +{{- define "prometheus.server.matchLabels" -}} +component: {{ .Values.server.name | quote }} +{{ include "prometheus.common.matchLabels" . }} +{{- end -}} diff --git a/charts/kasten/k10/7.0.1401/templates/aggregatedaudit-policy.yaml b/charts/kasten/k10/7.0.1401/templates/aggregatedaudit-policy.yaml new file mode 100644 index 000000000..ef7f03c6c --- /dev/null +++ b/charts/kasten/k10/7.0.1401/templates/aggregatedaudit-policy.yaml @@ -0,0 +1,34 @@ +{{- if include "k10.siemEnabled" . -}} +apiVersion: v1 +kind: ConfigMap +metadata: + labels: +{{ include "helm.labels" . | indent 4 }} + name: aggauditpolicy-config + namespace: {{ .Release.Namespace }} +data: + {{ include "k10.aggAuditPolicyFile" .}}: | + apiVersion: audit.k8s.io/v1 + kind: Policy + omitStages: + - "RequestReceived" + rules: + - level: RequestResponse + resources: + - group: "actions.kio.kasten.io" + resources: ["backupactions", "cancelactions", "exportactions", "importactions", "restoreactions", "retireactions", "runactions"] + - group: "apps.kio.kasten.io" + resources: ["applications", "clusterrestorepoints", "restorepoints", "restorepointcontents"] + - group: "repositories.kio.kasten.io" + resources: ["storagerepositories"] + - group: "vault.kio.kasten.io" + resources: ["passkeys"] + verbs: ["create", "update", "patch", "delete", "get"] + - level: None + nonResourceURLs: + - /healthz* + - /version + - /openapi/v2* + - /openapi/v3* + - /timeout* +{{- end -}} diff --git a/charts/kasten/k10/7.0.1401/templates/api-tls-secrets.yaml b/charts/kasten/k10/7.0.1401/templates/api-tls-secrets.yaml new file mode 100644 index 000000000..386d3b999 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/templates/api-tls-secrets.yaml @@ -0,0 +1,13 @@ +{{- if and .Values.secrets.apiTlsCrt .Values.secrets.apiTlsKey }} +apiVersion: v1 +kind: Secret +metadata: + labels: +{{ include "helm.labels" . | indent 4 }} + namespace: {{ .Release.Namespace }} + name: gateway-certs +type: kubernetes.io/tls +data: + tls.crt: {{ .Values.secrets.apiTlsCrt }} + tls.key: {{ .Values.secrets.apiTlsKey }} +{{- end }} diff --git a/charts/kasten/k10/7.0.1401/templates/apiservice.yaml b/charts/kasten/k10/7.0.1401/templates/apiservice.yaml new file mode 100644 index 000000000..1811df48a --- /dev/null +++ b/charts/kasten/k10/7.0.1401/templates/apiservice.yaml @@ -0,0 +1,25 @@ +{{/* Template to generate the aggregated APIService/Service objects */}} +{{- if .Values.apiservices.deployed -}} +{{- $main := . -}} +{{- $container_port := .Values.service.internalPort -}} +{{- $namespace := .Release.Namespace -}} +{{- range include "k10.aggregatedAPIs" . | splitList " " -}} +--- +apiVersion: apiregistration.k8s.io/v1 +kind: APIService +metadata: + name: v1alpha1.{{ . }}.{{ template "apiDomain" $main }} + labels: + apiserver: "true" +{{ include "helm.labels" $ | indent 4 }} +spec: + version: v1alpha1 + group: {{ . }}.{{ template "apiDomain" $main }} + groupPriorityMinimum: 2000 + service: + namespace: {{$namespace}} + name: aggregatedapis-svc + versionPriority: 10 + insecureSkipTLSVerify: true +{{ end }} +{{- end -}} diff --git a/charts/kasten/k10/7.0.1401/templates/daemonsets.yaml b/charts/kasten/k10/7.0.1401/templates/daemonsets.yaml new file mode 100644 index 000000000..b8c50b505 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/templates/daemonsets.yaml @@ -0,0 +1,26 @@ +{{- if .Values.metering.redhatMarketplacePayg }} +apiVersion: apps/v1 +kind: DaemonSet +metadata: + namespace: {{ .Release.Namespace }} + name: k10-rhmp-paygo + labels: +{{ include "helm.labels" . | indent 4 }} + component: paygo +spec: + selector: + matchLabels: +{{ include "k10.common.matchLabels" . | indent 6 }} + component: paygo + template: + metadata: + labels: +{{ include "helm.labels" . | indent 8 }} + component: paygo + spec: + containers: + - name: paygo + image: {{ .Values.global.images.paygo_daemonset }} + command: [ "sleep" ] + args: [ "36500d" ] +{{- end -}} diff --git a/charts/kasten/k10/7.0.1401/templates/deployments.yaml b/charts/kasten/k10/7.0.1401/templates/deployments.yaml new file mode 100644 index 000000000..29713d214 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/templates/deployments.yaml @@ -0,0 +1,39 @@ +{{/* +Generates deployment specs for K10 services and other services such as +"frontend" and "kanister". +*/}} +{{- include "singleAuth.check" . -}} +{{- $main_context := . -}} +{{- $stateless_services := include "get.enabledStatelessServices" . | splitList " " -}} +{{- $colocated_services := include "get.enabledColocatedServices" . | fromYaml -}} +{{ $service_list := include "get.enabledRestServices" . | splitList " " }} +{{- range $skip, $k10_service := $service_list }} + {{ if not (hasKey $colocated_services $k10_service ) }} + {{/* Set $stateful for stateful services when .Values.global.persistence.enabled is true */}} + {{- $stateful := and $.Values.global.persistence.enabled (not (has $k10_service $stateless_services)) -}} + {{/* Use `limiter.executorReplicas` (with back-compatibility with already deprecated + `executorReplicas`) Helm parameter to configure number of replicas for service. In case of missing + `limiter.{servicename}Replicas` Helm parameter will be set `1`. + See also function `replicasFieldForService` in go/src/kasten.io/k10/kio/tools/restorectl/servicescaler/config.go.*/}} + {{- $replicas := get $.Values (printf "%sReplicas" $k10_service) | default -1 -}} + {{- $replicasInt := int $replicas -}} + {{- if le $replicasInt 0 -}} + {{- $replicas = get $.Values (printf "limiter.%sReplicas" $k10_service) | default 1 -}} + {{- end }} + {{ $tmp_contx := dict "main" $main_context "k10_service" $k10_service "stateful" $stateful "replicas" $replicas }} + {{ if eq $k10_service "metering" }} + {{- include "k10-metering" $tmp_contx -}} + {{ else }} + {{- include "k10-default" $tmp_contx -}} + {{ end }} + {{ end }}{{/* if not (hasKey $colocated_services $k10_service ) */}} +{{- end }} +{{/* +Generate deployment specs for additional services. These are stateless and have +1 replica. +*/}} +{{- range $skip, $k10_service := concat (include "get.enabledServices" . | splitList " ") (include "get.enabledAdditionalServices" . | splitList " ") }} + {{- if eq $k10_service "gateway" -}}{{- continue -}}{{- end -}} + {{ $tmp_contx := dict "main" $main_context "k10_service" $k10_service "stateful" false "replicas" 1 }} + {{- include "k10-default" $tmp_contx -}} +{{- end }} diff --git a/charts/kasten/k10/7.0.1401/templates/fluentbit-configmap.yaml b/charts/kasten/k10/7.0.1401/templates/fluentbit-configmap.yaml new file mode 100644 index 000000000..71cecb966 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/templates/fluentbit-configmap.yaml @@ -0,0 +1,34 @@ +kind: ConfigMap +apiVersion: v1 +metadata: + labels: +{{ include "helm.labels" . | indent 4 }} + namespace: {{ .Release.Namespace }} + name: fluentbit-configmap +data: + fluentbit.conf: | + [SERVICE] + HTTP_Server On + HTTP_Listen 0.0.0.0 + HTTP_PORT 24225 + + [INPUT] + Name tcp + Listen 0.0.0.0 + Port 24224 + + [OUTPUT] + Name stdout + Match * + + [OUTPUT] + Name file + Match * + File {{ .Values.global.persistence.mountPath }}/k10.log + logrotate.conf: | + {{ .Values.global.persistence.mountPath }}/k10.log { + create + missingok + rotate 6 + size 1G + } diff --git a/charts/kasten/k10/7.0.1401/templates/frontend-nginx-configmap.yaml b/charts/kasten/k10/7.0.1401/templates/frontend-nginx-configmap.yaml new file mode 100644 index 000000000..93d17b3a1 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/templates/frontend-nginx-configmap.yaml @@ -0,0 +1,50 @@ +kind: ConfigMap +apiVersion: v1 +metadata: + labels: +{{ include "helm.labels" . | indent 4 }} + namespace: {{ .Release.Namespace }} + name: frontend-config +data: + frontend.conf: | + server { + listen {{ .Values.service.externalPort }} default_server; + {{- if .Values.global.network.enable_ipv6 }} + listen [::]:{{ .Values.service.externalPort }} default_server; + {{- end }} + server_name localhost; + + gzip on; + # serves *.gz files (when present) instead of dynamic compression + gzip_static on; + + root /frontend; + index index.html; + + location / { + try_files $uri $uri/ =404; + } + } + nginx.conf: | + #user nginx; # this directive is ignored if we use a non-root user in Dockerfile + worker_processes 4; + + error_log stderr warn; + pid /var/run/nginx/nginx.pid; + + events { + worker_connections 1024; + } + + http { + include /etc/nginx/mime.types; + default_type application/octet-stream; + access_log /dev/stdout; + sendfile on; + keepalive_timeout 650; + + # turn off nginx version in responses + server_tokens off; + + include /etc/nginx/conf.d/*.conf; + } diff --git a/charts/kasten/k10/7.0.1401/templates/gateway-ext.yaml b/charts/kasten/k10/7.0.1401/templates/gateway-ext.yaml new file mode 100644 index 000000000..00da4c27b --- /dev/null +++ b/charts/kasten/k10/7.0.1401/templates/gateway-ext.yaml @@ -0,0 +1,36 @@ +{{/* Externally exposed service for gateway endpoint. */}} +{{- $container_port := .Values.service.internalPort -}} +{{- if .Values.externalGateway.create -}} +{{- include "authEnabled.check" . -}} +apiVersion: v1 +kind: Service +metadata: + namespace: {{ $.Release.Namespace }} + name: gateway-ext + labels: + service: gateway + {{- if eq "route53-mapper" (default " " .Values.externalGateway.fqdn.type) }} + dns: route53 + {{- end }} +{{ include "helm.labels" . | indent 4 }} + annotations: + {{- if .Values.externalGateway.annotations }} +{{ toYaml .Values.externalGateway.annotations | indent 4 }} + {{- end }} +{{ include "dnsAnnotations" . | indent 4 }} + {{- if .Values.externalGateway.awsSSLCertARN }} + service.beta.kubernetes.io/aws-load-balancer-ssl-cert: {{ .Values.externalGateway.awsSSLCertARN }} + service.beta.kubernetes.io/aws-load-balancer-ssl-ports: https + {{- if .Values.externalGateway.awsSecurityGroup }} + service.beta.kubernetes.io/aws-load-balancer-extra-security-groups: {{ .Values.externalGateway.awsSecurityGroup }} + {{- end }} + {{- end }} +spec: + type: LoadBalancer + ports: + - name: https + port: {{ if or .Values.secrets.tlsSecret (and .Values.secrets.apiTlsCrt .Values.secrets.apiTlsKey) .Values.externalGateway.awsSSLCertARN }}443{{ else }}80{{ end }} + targetPort: {{ $container_port }} + selector: + service: gateway +{{- end -}} diff --git a/charts/kasten/k10/7.0.1401/templates/gateway.yaml b/charts/kasten/k10/7.0.1401/templates/gateway.yaml new file mode 100644 index 000000000..23a7aa437 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/templates/gateway.yaml @@ -0,0 +1,249 @@ +{{- $container_port := .Values.gateway.service.internalPort | default 8000 -}} +{{- $service_port := .Values.gateway.service.externalPort -}} +{{- $admin_port := default 8877 .Values.service.gatewayAdminPort -}} +--- +apiVersion: v1 +kind: Service +metadata: + namespace: {{ $.Release.Namespace }} + labels: + service: gateway +{{ include "helm.labels" . | indent 4 }} + name: gateway + {{- if not (include "k10.capability.gateway" $) }} + annotations: + getambassador.io/config: | + --- + apiVersion: getambassador.io/v3alpha1 + kind: AuthService + name: authentication + auth_service: "auth-svc:8000" + path_prefix: "/v0/authz" + ambassador_id: [ {{ include "k10.ambassadorId" . }} ] + allowed_authorization_headers: + - x-cluster-name + allowed_request_headers: + - "x-forwarded-access-token" + --- + apiVersion: getambassador.io/v3alpha1 + kind: Host + name: ambassadorhost + hostname: "*" + ambassador_id: [ {{ include "k10.ambassadorId" . }} ] + {{- if .Values.secrets.tlsSecret }} + tlsSecret: + name: {{ .Values.secrets.tlsSecret }} + {{- else if and .Values.secrets.apiTlsCrt .Values.secrets.apiTlsKey }} + tlsSecret: + name: gateway-certs + {{- end }} + requestPolicy: + insecure: + action: Route + --- + apiVersion: getambassador.io/v3alpha1 + kind: Listener + name: ambassadorlistener + port: {{ $container_port }} + securityModel: XFP + protocol: HTTPS + hostBinding: + namespace: + from: SELF + ambassador_id: [ {{ include "k10.ambassadorId" . }} ] + --- + {{- if (eq "endpoint" .Values.apigateway.serviceResolver) }} + apiVersion: getambassador.io/v3alpha1 + kind: KubernetesEndpointResolver + name: endpoint + ambassador_id: [ {{ include "k10.ambassadorId" . }} ] + --- + {{- end }} + apiVersion: getambassador.io/v3alpha1 + kind: Module + name: ambassador + config: + diagnostics: + enabled: false + service_port: {{ $container_port }} + {{- if .Values.global.network.enable_ipv6 }} + enable_ipv6: true + {{- end }} + ambassador_id: [ {{ include "k10.ambassadorId" . }} ] + {{- if (eq "endpoint" .Values.apigateway.serviceResolver) }} + resolver: endpoint + load_balancer: + policy: round_robin + {{- end }} + {{- end }} +spec: + ports: + - name: http + port: {{ $service_port }} + targetPort: {{ $container_port }} + selector: + service: gateway +--- +{{- if not (include "k10.capability.gateway" $) }} +{{- if .Values.gateway.exposeAdminPort }} +apiVersion: v1 +kind: Service +metadata: + namespace: {{ $.Release.Namespace }} + name: gateway-admin + labels: + service: gateway + annotations: + getambassador.io/config: | + apiVersion: getambassador.io/v3alpha1 + kind: Module + name: ambassador + config: + diagnostics: + enabled: false +{{ include "helm.labels" . | indent 4 }} +spec: + ports: + - name: metrics + port: {{ $admin_port }} + targetPort: {{ $admin_port }} + selector: + service: gateway +--- +{{- end }} +{{- end }} +apiVersion: apps/v1 +kind: Deployment +metadata: + namespace: {{ $.Release.Namespace }} + labels: +{{ include "helm.labels" . | indent 4 }} + component: gateway + name: gateway +spec: + replicas: 1 + selector: + matchLabels: + service: gateway + template: + metadata: + annotations: + {{- include "k10.deploymentPodAnnotations" . | nindent 8 }} + labels: + {{- with merge (dict "requiredLabels" (dict "component" "gateway" "service" "gateway")) . }} + {{- include "k10.deploymentPodLabels" . | nindent 8 }} + {{- end }} +{{- if (include "k10.capability.gateway" $) }} + spec: + serviceAccountName: {{ template "serviceAccountName" . }} + {{- dict "main" . "k10_deployment_name" "gateway" | include "k10.priorityClassName" | indent 6}} + {{- include "k10.imagePullSecrets" . | indent 6 }} + containers: + - name: gateway + {{- dict "main" . "k10_service" "gateway" | include "serviceImage" | indent 8 }} + {{- if or .Values.secrets.tlsSecret (and .Values.secrets.apiTlsCrt .Values.secrets.apiTlsKey) }} + volumeMounts: + - name: tls-volume + mountPath: "/etc/tls" + readOnly: true + {{- end }} + resources: + limits: + cpu: {{ .Values.gateway.resources.limits.cpu | quote }} + memory: {{ .Values.gateway.resources.limits.memory | quote }} + requests: + cpu: {{ .Values.gateway.resources.requests.cpu | quote }} + memory: {{ .Values.gateway.resources.requests.memory | quote }} + env: + - name: LOG_LEVEL + valueFrom: + configMapKeyRef: + name: k10-config + key: loglevel + - name: VERSION + valueFrom: + configMapKeyRef: + name: k10-config + key: version +{{- if .Values.fips.enabled }} + {{- include "k10.enforceFIPSEnvironmentVariables" . | indent 10 }} +{{- end }} + {{- with $capabilities := include "k10.capabilities" . }} + - name: K10_CAPABILITIES + value: {{ $capabilities | quote }} + {{- end }} + {{- with $capabilities_mask := include "k10.capabilities_mask" . }} + - name: K10_CAPABILITIES_MASK + value: {{ $capabilities_mask | quote }} + {{- end }} + {{- if eq (include "check.dexAuth" .) "true" }} + - name: {{ include "k10.gatewayEnableDex" . }} + value: "true" + {{- end }} + envFrom: + - configMapRef: + name: k10-gateway + livenessProbe: + httpGet: + path: /healthz + port: {{ $container_port }} + initialDelaySeconds: 5 + readinessProbe: + httpGet: + path: /healthz + port: {{ $container_port }} + restartPolicy: Always + {{- if or .Values.secrets.tlsSecret (and .Values.secrets.apiTlsCrt .Values.secrets.apiTlsKey) }} + volumes: + - name: tls-volume + secret: + secretName: {{ .Values.secrets.tlsSecret | default "gateway-certs" }} + {{- end }} +{{- else }} + spec: + serviceAccountName: {{ template "serviceAccountName" . }} + {{- dict "main" . "k10_deployment_name" "gateway" | include "k10.priorityClassName" | indent 6}} + {{- include "k10.imagePullSecrets" . | indent 6 }} + containers: + - name: ambassador + image: {{ include "get.emissaryImage" . }} + resources: + limits: + cpu: {{ .Values.gateway.resources.limits.cpu | quote }} + memory: {{ .Values.gateway.resources.limits.memory | quote }} + requests: + cpu: {{ .Values.gateway.resources.requests.cpu | quote }} + memory: {{ .Values.gateway.resources.requests.memory | quote }} + env: + - name: AMBASSADOR_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: AMBASSADOR_SINGLE_NAMESPACE + value: "true" + - name: SCOUT_DISABLE + value: "1" + - name: "AMBASSADOR_VERIFY_SSL_FALSE" + value: {{ .Values.gateway.insecureDisableSSLVerify | quote }} + - name: AMBASSADOR_ID + value: {{ include "k10.ambassadorId" . }} +{{- if .Values.global.network.enable_ipv6}} + - name: AMBASSADOR_ENVOY_BIND_ADDRESS + value: '::' + - name: AMBASSADOR_DIAGD_BIND_ADDREASS + value: '[::]' +{{- end }} + livenessProbe: + httpGet: + path: /ambassador/v0/check_alive + port: {{ $admin_port }} + initialDelaySeconds: 30 + periodSeconds: 3 + readinessProbe: + httpGet: + path: /ambassador/v0/check_ready + port: {{ $admin_port }} + initialDelaySeconds: 30 + periodSeconds: 3 + restartPolicy: Always +{{- end }} diff --git a/charts/kasten/k10/7.0.1401/templates/grafana-scc.yaml b/charts/kasten/k10/7.0.1401/templates/grafana-scc.yaml new file mode 100644 index 000000000..014d1be46 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/templates/grafana-scc.yaml @@ -0,0 +1,45 @@ +{{- if .Values.scc.create }} +{{- if .Values.grafana.enabled }} +kind: SecurityContextConstraints +apiVersion: security.openshift.io/v1 +metadata: + labels: +{{ include "helm.labels" . | indent 4 }} + name: {{ .Release.Name }}-grafana +allowPrivilegedContainer: false +allowHostNetwork: false +allowHostDirVolumePlugin: true +allowHostPorts: true +allowHostPID: false +allowHostIPC: false +readOnlyRootFilesystem: false +requiredDropCapabilities: + - KILL + - MKNOD + - SETUID + - SETGID +defaultAddCapabilities: [] +allowedCapabilities: + - CHOWN +priority: 0 +runAsUser: + type: RunAsAny +seLinuxContext: + type: RunAsAny +fsGroup: + type: RunAsAny +supplementalGroups: + type: RunAsAny +seccompProfiles: + - runtime/default +volumes: + - configMap + - downwardAPI + - emptyDir + - persistentVolumeClaim + - projected + - secret +users: + - system:serviceaccount:{{.Release.Namespace}}:{{.Release.Name}}-grafana +{{- end }} +{{- end }} diff --git a/charts/kasten/k10/7.0.1401/templates/ingress.yaml b/charts/kasten/k10/7.0.1401/templates/ingress.yaml new file mode 100644 index 000000000..df347477c --- /dev/null +++ b/charts/kasten/k10/7.0.1401/templates/ingress.yaml @@ -0,0 +1,73 @@ +{{- $ingressApiIsStable := eq (include "ingress.isStable" .) "true" -}} +{{- $service_port := .Values.gateway.service.externalPort -}} +{{ if .Values.ingress.create }} +{{ include "authEnabled.check" . }} +{{ include "check.ingress.defaultBackend" . }} +apiVersion: {{ template "ingress.apiVersion" . }} +kind: Ingress +metadata: + labels: +{{ include "helm.labels" . | indent 4 }} + namespace: {{ .Release.Namespace }} + name: {{ .Values.ingress.name | default (printf "%s-ingress" .Release.Name) }} + annotations: +{{ include "ingressClassAnnotation" . | indent 4 }} + {{- if or .Values.secrets.tlsSecret (and .Values.secrets.apiTlsCrt .Values.secrets.apiTlsKey) }} + nginx.ingress.kubernetes.io/secure-backends: "true" + nginx.ingress.kubernetes.io/backend-protocol: HTTPS + {{- end }} + {{- if .Values.ingress.annotations }} +{{ toYaml .Values.ingress.annotations | indent 4 }} + {{- end }} +spec: +{{ include "specIngressClassName" . | indent 2 }} +{{ with .Values.ingress.defaultBackend }} + {{- if or .service.enabled .resource.enabled }} + defaultBackend: + {{- with .service }} + {{- if .enabled }} + service: + name: {{ required "`name` is required in the `ingress.defaultBackend.service`." .name }} + port: + {{- if .port.name }} + name: {{ .port.name }} + {{- else if .port.number }} + number: {{ .port.number }} + {{- end }} + {{- end }} + {{- end }} + {{- with .resource }} + {{- if .enabled }} + resource: + apiGroup: {{ .apiGroup }} + name: {{ required "`name` is required in the `ingress.defaultBackend.resource`." .name }} + kind: {{ required "`kind` is required in the `ingress.defaultBackend.resource`." .kind }} + {{- end }} + {{- end }} + {{- end }} +{{- end }} +{{- if .Values.ingress.tls.enabled }} + tls: + - hosts: + - {{ required "ingress.host value is required for TLS configuration" .Values.ingress.host }} + secretName: {{ .Values.ingress.tls.secretName }} +{{- end }} + rules: + - http: + paths: + - path: /{{ default .Release.Name .Values.ingress.urlPath | trimPrefix "/" | trimSuffix "/" }}/ + pathType: {{ default "ImplementationSpecific" .Values.ingress.pathType }} + backend: + {{- if $ingressApiIsStable }} + service: + name: gateway + port: + number: {{ $service_port }} + {{- else }} + serviceName: gateway + servicePort: {{ $service_port }} + {{- end }} + {{- if .Values.ingress.host }} + host: {{ .Values.ingress.host }} + {{- end }} +{{ end }} diff --git a/charts/kasten/k10/7.0.1401/templates/k10-config.yaml b/charts/kasten/k10/7.0.1401/templates/k10-config.yaml new file mode 100644 index 000000000..731d29659 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/templates/k10-config.yaml @@ -0,0 +1,355 @@ +kind: ConfigMap +apiVersion: v1 +metadata: + labels: +{{ include "helm.labels" . | indent 4 }} + namespace: {{ .Release.Namespace }} + name: k10-config +data: + DataStoreLogLevel: {{ default "error" | quote }} + DataStoreFileLogLevel: {{ default "" | quote }} + loglevel: {{ .Values.logLevel | quote }} + {{- if .Values.clusterName }} + clustername: {{ quote .Values.clusterName }} + {{- end }} + version: {{ .Chart.AppVersion }} + {{- $capabilities := include "k10.capabilities" . | splitList " " }} + {{- $capabilities_mask := include "k10.capabilities_mask" . | splitList " " }} + {{- if and ( has "mc" $capabilities ) ( not ( has "mc" $capabilities_mask ) ) }} + multiClusterVersion: {{ include "k10.multiClusterVersion" . | quote }} + {{- end }} + modelstoredirname: "//mnt/k10state/kasten-io/" + apiDomain: {{ include "apiDomain" . }} + k10DataStoreDisableCompression: "false" + k10DataStoreParallelUpload: {{ .Values.datastore.parallelUploads | quote }} + k10DataStoreParallelDownload: {{ .Values.datastore.parallelDownloads | quote }} + k10DataStoreGeneralContentCacheSizeMB: {{ include "k10.defaultK10DataStoreGeneralContentCacheSizeMB" . | quote }} + k10DataStoreGeneralMetadataCacheSizeMB: {{ include "k10.defaultK10DataStoreGeneralMetadataCacheSizeMB" . | quote }} + k10DataStoreRestoreContentCacheSizeMB: {{ include "k10.defaultK10DataStoreRestoreContentCacheSizeMB" . | quote }} + k10DataStoreRestoreMetadataCacheSizeMB: {{ include "k10.defaultK10DataStoreRestoreMetadataCacheSizeMB" . | quote }} + K10BackupBufferFileHeadroomFactor: {{ include "k10.defaultK10BackupBufferFileHeadroomFactor" . | quote }} + AWSAssumeRoleDuration: {{ default (include "k10.defaultAssumeRoleDuration" .) .Values.awsConfig.assumeRoleDuration | quote }} + {{- if gt (int .Values.kanister.backupTimeout) 0 }} + K10TimeoutBlueprintBackup: {{ default (include "k10.defaultK10TimeoutBlueprintBackup" .) .Values.kanister.backupTimeout | quote }} + {{- else }} + K10TimeoutBlueprintBackup: {{ default (include "k10.defaultK10TimeoutBlueprintBackup" .) .Values.timeout.blueprintBackup | quote }} + {{- end }} + {{- if gt (int .Values.kanister.restoreTimeout) 0 }} + K10TimeoutBlueprintRestore: {{ default (include "k10.defaultK10TimeoutBlueprintRestore" .) .Values.kanister.restoreTimeout | quote }} + {{- else }} + K10TimeoutBlueprintRestore: {{ default (include "k10.defaultK10TimeoutBlueprintRestore" .) .Values.timeout.blueprintRestore | quote }} + {{- end }} + {{- if gt (int .Values.kanister.deleteTimeout) 0 }} + K10TimeoutBlueprintDelete: {{ default (include "k10.defaultK10TimeoutBlueprintDelete" .) .Values.kanister.deleteTimeout | quote }} + {{- else }} + K10TimeoutBlueprintDelete: {{ default (include "k10.defaultK10TimeoutBlueprintDelete" .) .Values.timeout.blueprintDelete | quote }} + {{- end }} + {{- if gt (int .Values.kanister.hookTimeout) 0 }} + K10TimeoutBlueprintHooks: {{ default (include "k10.defaultK10TimeoutBlueprintHooks" .) .Values.kanister.hookTimeout | quote }} + {{- else }} + K10TimeoutBlueprintHooks: {{ default (include "k10.defaultK10TimeoutBlueprintHooks" .) .Values.timeout.blueprintHooks | quote }} + {{- end }} + {{- if gt (int .Values.kanister.checkRepoTimeout) 0 }} + K10TimeoutCheckRepoPodReady: {{ default (include "k10.defaultK10TimeoutCheckRepoPodReady" .) .Values.kanister.checkRepoTimeout | quote }} + {{- else }} + K10TimeoutCheckRepoPodReady: {{ default (include "k10.defaultK10TimeoutCheckRepoPodReady" .) .Values.timeout.checkRepoPodReady | quote }} + {{- end }} + {{- if gt (int .Values.kanister.statsTimeout) 0 }} + K10TimeoutStatsPodReady: {{ default (include "k10.defaultK10TimeoutStatsPodReady" .) .Values.kanister.statsTimeout | quote }} + {{- else }} + K10TimeoutStatsPodReady: {{ default (include "k10.defaultK10TimeoutStatsPodReady" .) .Values.timeout.statsPodReady | quote }} + {{- end }} + {{- if gt (int .Values.kanister.efsPostRestoreTimeout) 0 }} + K10TimeoutEFSRestorePodReady: {{ default (include "k10.defaultK10TimeoutEFSRestorePodReady" .) .Values.kanister.efsPostRestoreTimeout | quote }} + {{- else }} + K10TimeoutEFSRestorePodReady: {{ default (include "k10.defaultK10TimeoutEFSRestorePodReady" .) .Values.timeout.efsRestorePodReady | quote }} + {{- end }} + {{- if gt (int .Values.kanister.podReadyWaitTimeout) 0 }} + K10TimeoutWorkerPodReady: {{ .Values.kanister.podReadyWaitTimeout | quote }} + {{- else }} + K10TimeoutWorkerPodReady: {{ .Values.timeout.workerPodReady | quote }} + {{- end }} + KanisterManagedDataServicesBlueprintsEnabled: {{ .Values.kanister.managedDataServicesBlueprintsEnabled | quote }} + WorkerPodMetricSidecarEnabled: {{ default .Values.kanisterPodMetricSidecar.enabled .Values.workerPodMetricSidecar.enabled | quote }} + WorkerPodMetricSidecarMetricLifetime: {{ default .Values.kanisterPodMetricSidecar.metricLifetime .Values.workerPodMetricSidecar.metricLifetime | quote }} + WorkerPodPushgatewayMetricsInterval: {{ default .Values.kanisterPodMetricSidecar.pushGatewayInterval .Values.workerPodMetricSidecar.pushGatewayInterval | quote }} +{{- include "workerPodMetricSidecarResources" . | indent 2 }} + KanisterToolsImage: {{ include "get.kanisterToolsImage" . | quote }} + K10MutatingWebhookTLSCertDir: "/etc/ssl/certs/webhook" + + {{- if gt (int .Values.limiter.concurrentSnapConversions) 0 }} + K10LimiterSnapshotExportsPerAction: {{ default (include "k10.defaultK10LimiterSnapshotExportsPerAction" .) .Values.limiter.concurrentSnapConversions | quote }} + {{- else }} + K10LimiterSnapshotExportsPerAction: {{ default (include "k10.defaultK10LimiterSnapshotExportsPerAction" .) .Values.limiter.snapshotExportsPerAction | quote }} + {{- end }} + {{- if gt (int .Values.limiter.genericVolumeSnapshots) 0 }} + K10LimiterGenericVolumeBackupsPerCluster: {{ default (include "k10.defaultK10LimiterGenericVolumeBackupsPerCluster" .) .Values.limiter.genericVolumeSnapshots | quote }} + {{- else }} + K10LimiterGenericVolumeBackupsPerCluster: {{ default (include "k10.defaultK10LimiterGenericVolumeBackupsPerCluster" .) .Values.limiter.genericVolumeBackupsPerCluster | quote }} + {{- end }} + {{- if gt (int .Values.limiter.genericVolumeCopies) 0 }} + K10LimiterSnapshotExportsPerCluster: {{ default (include "k10.defaultK10LimiterSnapshotExportsPerCluster" .) .Values.limiter.genericVolumeCopies | quote }} + {{- else }} + K10LimiterSnapshotExportsPerCluster: {{ default (include "k10.defaultK10LimiterSnapshotExportsPerCluster" .) .Values.limiter.snapshotExportsPerCluster | quote }} + {{- end }} + {{- if gt (int .Values.limiter.genericVolumeRestores) 0 }} + K10LimiterVolumeRestoresPerCluster: {{ default (include "k10.defaultK10LimiterVolumeRestoresPerCluster" .) .Values.limiter.genericVolumeRestores | quote }} + {{- else }} + K10LimiterVolumeRestoresPerCluster: {{ default (include "k10.defaultK10LimiterVolumeRestoresPerCluster" .) .Values.limiter.volumeRestoresPerCluster | quote }} + {{- end }} + {{- if gt (int .Values.limiter.csiSnapshots) 0 }} + K10LimiterCsiSnapshotsPerCluster: {{ default (include "k10.defaultK10LimiterCsiSnapshotsPerCluster" .) .Values.limiter.csiSnapshots | quote }} + {{- else }} + K10LimiterCsiSnapshotsPerCluster: {{ default (include "k10.defaultK10LimiterCsiSnapshotsPerCluster" .) .Values.limiter.csiSnapshotsPerCluster | quote }} + {{- end }} + {{- if gt (int .Values.limiter.providerSnapshots) 0 }} + K10LimiterDirectSnapshotsPerCluster: {{ default (include "k10.defaultK10LimiterDirectSnapshotsPerCluster" .) .Values.limiter.providerSnapshots | quote }} + {{- else }} + K10LimiterDirectSnapshotsPerCluster: {{ default (include "k10.defaultK10LimiterDirectSnapshotsPerCluster" .) .Values.limiter.directSnapshotsPerCluster | quote }} + {{- end }} + {{- if gt (int .Values.limiter.imageCopies) 0 }} + K10LimiterImageCopiesPerCluster: {{ default (include "k10.defaultK10LimiterImageCopiesPerCluster" .) .Values.limiter.imageCopies | quote }} + {{- else }} + K10LimiterImageCopiesPerCluster: {{ default (include "k10.defaultK10LimiterImageCopiesPerCluster" .) .Values.limiter.imageCopiesPerCluster | quote }} + {{- end }} + K10LimiterWorkloadSnapshotsPerAction: {{ default (include "k10.defaultK10LimiterWorkloadSnapshotsPerAction" .) .Values.limiter.workloadSnapshotsPerAction | quote }} + {{- if gt (int .Values.services.executor.workerCount) 0 }} + K10LimiterExecutorThreads: {{ default (include "k10.defaultK10LimiterExecutorThreads" .) .Values.services.executor.workerCount | quote }} + {{- else }} + K10LimiterExecutorThreads: {{ default (include "k10.defaultK10LimiterExecutorThreads" .) .Values.limiter.executorThreads | quote }} + {{- end }} + {{- if gt (int .Values.services.executor.maxConcurrentRestoreCsiSnapshots) 0 }} + K10LimiterCsiSnapshotRestoresPerAction: {{ default (include "k10.defaultK10LimiterCsiSnapshotRestoresPerAction" .) .Values.services.executor.maxConcurrentRestoreCsiSnapshots | quote }} + {{- else }} + K10LimiterCsiSnapshotRestoresPerAction: {{ default (include "k10.defaultK10LimiterCsiSnapshotRestoresPerAction" .) .Values.limiter.csiSnapshotRestoresPerAction | quote }} + {{- end }} + {{- if gt (int .Values.services.executor.maxConcurrentRestoreGenericVolumeSnapshots) 0 }} + K10LimiterVolumeRestoresPerAction: {{ default (include "k10.defaultK10LimiterVolumeRestoresPerAction" .) .Values.services.executor.maxConcurrentRestoreGenericVolumeSnapshots | quote }} + {{- else }} + K10LimiterVolumeRestoresPerAction: {{ default (include "k10.defaultK10LimiterVolumeRestoresPerAction" .) .Values.limiter.volumeRestoresPerAction | quote }} + {{- end }} + {{- if gt (int .Values.services.executor.maxConcurrentRestoreWorkloads) 0 }} + K10LimiterWorkloadRestoresPerAction: {{ default (include "k10.defaultK10LimiterWorkloadRestoresPerAction" .) .Values.services.executor.maxConcurrentRestoreWorkloads | quote }} + {{- else }} + K10LimiterWorkloadRestoresPerAction: {{ default (include "k10.defaultK10LimiterWorkloadRestoresPerAction" .) .Values.limiter.workloadRestoresPerAction | quote }} + {{- end }} + + K10GCDaemonPeriod: {{ default (include "k10.defaultK10GCDaemonPeriod" .) .Values.garbagecollector.daemonPeriod | quote }} + K10GCKeepMaxActions: {{ default (include "k10.defaultK10GCKeepMaxActions" .) .Values.garbagecollector.keepMaxActions | quote }} + K10GCActionsEnabled: {{ default (include "k10.defaultK10GCActionsEnabled" .) .Values.garbagecollector.actions.enabled | quote }} + + K10EphemeralPVCOverhead: {{ .Values.ephemeralPVCOverhead | quote }} + + K10PersistenceStorageClass: {{ .Values.global.persistence.storageClass | quote }} + + K10DefaultPriorityClassName: {{ default (include "k10.defaultK10DefaultPriorityClassName" .) .Values.defaultPriorityClassName | quote }} + {{- if .Values.global.podLabels }} + K10CustomPodLabels: {{ include "k10.globalPodLabelsJson" . | quote }} + {{- end }} + {{- if .Values.global.podAnnotations }} + K10CustomPodAnnotations: {{ include "k10.globalPodAnnotationsJson" . | quote }} + {{- end }} + + kubeVirtVMsUnFreezeTimeout: {{ default (include "k10.defaultKubeVirtVMsUnfreezeTimeout" .) .Values.kubeVirtVMs.snapshot.unfreezeTimeout | quote }} + + {{- if not (quote .Values.maxJobWaitDuration | empty) }} + K10TimeoutJobWait: {{ .Values.maxJobWaitDuration | quote }} + {{- else }} + K10TimeoutJobWait: {{ .Values.timeout.jobWait | quote }} + {{- end }} + + quickDisasterRecoveryEnabled: {{ .Values.kastenDisasterRecovery.quickMode.enabled | quote }} + + {{- if .Values.forceRootInKanisterHooks }} + K10ForceRootInBlueprintActions: {{ .Values.forceRootInKanisterHooks| quote }} + {{- else }} + K10ForceRootInBlueprintActions: {{ .Values.forceRootInBlueprintActions | quote }} + {{- end }} + + workerPodResourcesCRDEnabled: {{ .Values.workerPodCRDs.enabled | quote }} +{{- include "workerPodResourcesCRD" . | indent 2 }} + + {{- if .Values.awsConfig.efsBackupVaultName }} + efsBackupVaultName: {{ quote .Values.awsConfig.efsBackupVaultName }} + {{- end }} + + {{- if .Values.excludedApps }} + excludedApps: '{{ join "," .Values.excludedApps }}' + {{- end }} + + {{- if .Values.vmWare.taskTimeoutMin }} + vmWareTaskTimeoutMin: {{ quote .Values.vmWare.taskTimeoutMin }} + {{- end }} + +{{- include "get.kanisterPodCustomLabels" . | indent 2}} +{{- include "get.kanisterPodCustomAnnotations" . | indent 2}} + + {{- if .Values.kanisterFunctionVersion }} + kanisterFunctionVersion: {{ .Values.kanisterFunctionVersion | quote }} + {{- else }} + kanisterFunctionVersion: {{ quote "v1.0.0-alpha" }} + {{- end }} +{{- include "kanisterToolsResources" . | indent 2 }} +{{- include "get.gvsActivationToken" . | indent 2 }} + + {{- if .Values.genericStorageBackup.overridepubkey }} + overridePublicKeyForGVS: {{ .Values.genericStorageBackup.overridepubkey | quote }} + {{- end }} + + {{- with (include "k10.fluentbitEndpoint" .) }} + fluentbitEndpoint: {{ . | quote }} + {{- end }} + +{{ if .Values.features }} +--- +kind: ConfigMap +apiVersion: v1 +metadata: + labels: +{{ include "helm.labels" . | indent 4 }} + namespace: {{ .Release.Namespace }} + name: k10-features +data: +{{ include "k10.features" . | indent 2}} +{{ end }} +{{ if .Values.auth.openshift.enabled }} +--- +kind: ConfigMap +apiVersion: v1 +metadata: + labels: +{{ include "helm.labels" . | indent 4 }} + name: k10-dex + namespace: {{ .Release.Namespace }} +data: + config.yaml: | + issuer: {{ printf "%s/dex" (trimSuffix "/" .Values.auth.openshift.dashboardURL) }} + storage: + type: memory + web: + http: 0.0.0.0:8080 + logger: + level: info + format: text + connectors: + - type: openshift + id: openshift + name: OpenShift + config: + issuer: {{ .Values.auth.openshift.openshiftURL }} + clientID: {{ printf "system:serviceaccount:%s:%s" .Release.Namespace (include "get.openshiftServiceAccountName" .) }} + clientSecret: {{ printf "{{ getenv \"%s\" }}" (include "k10.openShiftClientSecretEnvVar" . ) }} + redirectURI: {{ printf "%s/dex/callback" (trimSuffix "/" .Values.auth.openshift.dashboardURL) }} + insecureCA: {{ .Values.auth.openshift.insecureCA }} +{{- if and (eq (include "check.cacertconfigmap" .) "false") .Values.auth.openshift.useServiceAccountCA }} + rootCA: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt +{{- end }} + oauth2: + skipApprovalScreen: true + staticClients: + - name: 'K10' + id: kasten + secret: kastensecret + redirectURIs: + - {{ printf "%s/auth-svc/v0/oidc/redirect" (trimSuffix "/" .Values.auth.openshift.dashboardURL) }} +{{ end }} +{{ if .Values.auth.ldap.enabled }} +--- +kind: ConfigMap +apiVersion: v1 +metadata: + labels: +{{ include "helm.labels" . | indent 4 }} + name: k10-dex + namespace: {{ .Release.Namespace }} +data: + config.yaml: | + issuer: {{ printf "%s/dex" (trimSuffix "/" .Values.auth.ldap.dashboardURL) }} + storage: + type: memory + web: + http: 0.0.0.0:8080 + frontend: + dir: {{ include "k10.dexFrontendDir" . }} + theme: custom + logoURL: theme/kasten-logo.svg + logger: + level: info + format: text + connectors: + - type: ldap + id: ldap + name: LDAP + config: + host: {{ .Values.auth.ldap.host }} + insecureNoSSL: {{ .Values.auth.ldap.insecureNoSSL }} + insecureSkipVerify: {{ .Values.auth.ldap.insecureSkipVerifySSL }} + startTLS: {{ .Values.auth.ldap.startTLS }} + bindDN: {{ .Values.auth.ldap.bindDN }} + bindPW: BIND_PASSWORD_PLACEHOLDER + userSearch: + baseDN: {{ .Values.auth.ldap.userSearch.baseDN }} + filter: {{ .Values.auth.ldap.userSearch.filter }} + username: {{ .Values.auth.ldap.userSearch.username }} + idAttr: {{ .Values.auth.ldap.userSearch.idAttr }} + emailAttr: {{ .Values.auth.ldap.userSearch.emailAttr }} + nameAttr: {{ .Values.auth.ldap.userSearch.nameAttr }} + preferredUsernameAttr: {{ .Values.auth.ldap.userSearch.preferredUsernameAttr }} + groupSearch: + baseDN: {{ .Values.auth.ldap.groupSearch.baseDN }} + filter: {{ .Values.auth.ldap.groupSearch.filter }} + nameAttr: {{ .Values.auth.ldap.groupSearch.nameAttr }} +{{- with .Values.auth.ldap.groupSearch.userMatchers }} + userMatchers: +{{ toYaml . | indent 10 }} +{{- end }} + oauth2: + skipApprovalScreen: true + staticClients: + - name: 'K10' + id: kasten + secret: kastensecret + redirectURIs: + - {{ printf "%s/auth-svc/v0/oidc/redirect" (trimSuffix "/" .Values.auth.ldap.dashboardURL) }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: k10-logos-dex + namespace: {{ .Release.Namespace }} +binaryData: + {{- $files := .Files }} + {{- range tuple "files/favicon.png" "files/kasten-logo.svg" "files/styles.css" }} + {{ trimPrefix "files/" . }}: |- + {{ $files.Get . | b64enc }} + {{- end }} +{{ end }} +{{ if (include "k10.capability.gateway" $) }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: k10-gateway + namespace: {{ .Release.Namespace }} +data: + {{ include "k10.gatewayPrefixVarName" . }}: {{ include "k10.prefixPath" . }} + {{ include "k10.gatewayGrafanaSvcVarName" . }}: {{ printf "%s-grafana" .Release.Name }} + + {{- if .Values.gateway.requestHeaders }} + {{ include "k10.gatewayRequestHeadersVarName" .}}: {{ (.Values.gateway.requestHeaders | default list) | join " " }} + {{- end }} + + {{- if .Values.gateway.authHeaders }} + {{ include "k10.gatewayAuthHeadersVarName" .}}: {{ (.Values.gateway.authHeaders | default list) | join " " }} + {{- end }} + + {{- if .Values.gateway.service.internalPort }} + {{ include "k10.gatewayPortVarName" .}}: {{ .Values.gateway.service.internalPort | quote }} + {{- end }} + + {{- if or .Values.secrets.tlsSecret (and .Values.secrets.apiTlsCrt .Values.secrets.apiTlsKey) }} + {{ include "k10.gatewayTLSCertFile" . }}: /etc/tls/tls.crt + {{ include "k10.gatewayTLSKeyFile" . }}: /etc/tls/tls.key + {{- end }} + +{{ end }} diff --git a/charts/kasten/k10/7.0.1401/templates/k10-eula.yaml b/charts/kasten/k10/7.0.1401/templates/k10-eula.yaml new file mode 100644 index 000000000..21e251d6c --- /dev/null +++ b/charts/kasten/k10/7.0.1401/templates/k10-eula.yaml @@ -0,0 +1,21 @@ +kind: ConfigMap +apiVersion: v1 +metadata: + labels: +{{ include "helm.labels" . | indent 4 }} + namespace: {{ .Release.Namespace }} + name: k10-eula +data: + text: {{ .Files.Get "eula.txt" | quote }} +--- +{{ if .Values.eula.accept }} +kind: ConfigMap +apiVersion: v1 +metadata: + labels: +{{ include "helm.labels" . | indent 4 }} + namespace: {{ .Release.Namespace }} + name: k10-eula-info +data: +{{ include "k10.eula.fields" . | indent 2 }} +{{ end }} diff --git a/charts/kasten/k10/7.0.1401/templates/k10-scc.yaml b/charts/kasten/k10/7.0.1401/templates/k10-scc.yaml new file mode 100644 index 000000000..12a449f6f --- /dev/null +++ b/charts/kasten/k10/7.0.1401/templates/k10-scc.yaml @@ -0,0 +1,46 @@ +{{- if .Values.scc.create }} +kind: SecurityContextConstraints +apiVersion: security.openshift.io/v1 +metadata: + name: {{ .Release.Name }}-scc + labels: +{{ include "helm.labels" . | indent 4 }} +allowHostDirVolumePlugin: false +allowHostIPC: false +allowHostNetwork: false +allowHostPID: false +allowHostPorts: false +allowPrivilegeEscalation: false +allowPrivilegedContainer: false +allowedCapabilities: + - CHOWN + - FOWNER + - DAC_OVERRIDE +defaultAddCapabilities: + - CHOWN + - FOWNER + - DAC_OVERRIDE +fsGroup: + type: RunAsAny +priority: {{ .Values.scc.priority }} +readOnlyRootFilesystem: false +requiredDropCapabilities: + - ALL +runAsUser: + type: RunAsAny +seLinuxContext: + type: RunAsAny +supplementalGroups: + type: RunAsAny +seccompProfiles: + - runtime/default +users: + - system:serviceaccount:{{.Release.Namespace}}:{{ template "serviceAccountName" . }} +volumes: + - configMap + - downwardAPI + - emptyDir + - persistentVolumeClaim + - projected + - secret +{{- end }} diff --git a/charts/kasten/k10/7.0.1401/templates/kopia-tls-certs.yaml b/charts/kasten/k10/7.0.1401/templates/kopia-tls-certs.yaml new file mode 100644 index 000000000..ac0635f51 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/templates/kopia-tls-certs.yaml @@ -0,0 +1,33 @@ +# alternate names of the services. This renders to: [ component-svc.namespace, component-svc.namespace.svc ] +{{- $altNamesKopia := list ( printf "%s-svc.%s" "data-mover" .Release.Namespace ) ( printf "%s-svc.%s.svc" "data-mover" .Release.Namespace ) }} +# generate ca cert with 365 days of validity +{{- $caKopia := genCA ( printf "%s-svc-ca" "data-mover" ) 365 }} +# generate cert with CN="component-svc", SAN=$altNames and with 365 days of validity +{{- $certKopia := genSignedCert ( printf "%s-svc" "data-mover" ) nil $altNamesKopia 365 $caKopia }} +apiVersion: v1 +kind: Secret +type: Opaque +metadata: + name: kopia-tls-cert + labels: +{{ include "helm.labels" . | indent 4 }} +{{- if .Values.global.rhMarketPlace }} + annotations: + "helm.sh/hook": "pre-install" +{{- end }} +data: + tls.crt: {{ $certKopia.Cert | b64enc }} +--- +apiVersion: v1 +kind: Secret +type: Opaque +metadata: + name: kopia-tls-key + labels: +{{ include "helm.labels" . | indent 4 }} +{{- if .Values.global.rhMarketPlace }} + annotations: + "helm.sh/hook": "pre-install" +{{- end }} +data: + tls.key: {{ $certKopia.Key | b64enc }} diff --git a/charts/kasten/k10/7.0.1401/templates/license.yaml b/charts/kasten/k10/7.0.1401/templates/license.yaml new file mode 100644 index 000000000..f409fb7e5 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/templates/license.yaml @@ -0,0 +1,25 @@ +{{- if not ( or ( .Values.license ) ( .Values.metering.awsMarketplace ) ( .Values.metering.awsManagedLicense ) ( .Values.metering.licenseConfigSecretName ) ) }} +{{- if .Files.Get "triallicense" }} +apiVersion: v1 +kind: Secret +metadata: + labels: +{{ include "helm.labels" . | indent 4 }} + namespace: {{ .Release.Namespace }} + name: k10-trial-license +type: Opaque +data: + license: {{ print (.Files.Get "triallicense") }} +{{- end }} +{{- end }} +--- +apiVersion: v1 +kind: Secret +metadata: + labels: +{{ include "helm.labels" . | indent 4 }} + namespace: {{ .Release.Namespace }} + name: k10-license +type: Opaque +data: + license: {{ include "k10.getlicense" . }} diff --git a/charts/kasten/k10/7.0.1401/templates/mc.yaml b/charts/kasten/k10/7.0.1401/templates/mc.yaml new file mode 100644 index 000000000..2c23f94ae --- /dev/null +++ b/charts/kasten/k10/7.0.1401/templates/mc.yaml @@ -0,0 +1,6 @@ +{{- if not .Values.multicluster.enabled -}} + {{- $clusterInfo := lookup "v1" "Secret" .Release.Namespace "mc-cluster-info" -}} + {{- if $clusterInfo -}} + {{- fail "WARNING: Multi-cluster features must remain enabled as long as this cluster is connected to a multi-cluster system.\nEither disconnect this cluster from the multi-cluster system or use multicluster.enabled=true to enable multi-cluster features." -}} + {{- end -}} +{{- end -}} diff --git a/charts/kasten/k10/7.0.1401/templates/mutatingwebhook.yaml b/charts/kasten/k10/7.0.1401/templates/mutatingwebhook.yaml new file mode 100644 index 000000000..729df5865 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/templates/mutatingwebhook.yaml @@ -0,0 +1,51 @@ +{{- if .Values.injectKanisterSidecar.enabled -}} +# alternate names of the services. This renders to: [ component-svc.namespace, component-svc.namespace.svc ] +{{- $altNames := list ( printf "%s-svc.%s" "controllermanager" .Release.Namespace ) ( printf "%s-svc.%s.svc" "controllermanager" .Release.Namespace ) }} +# generate ca cert with 365 days of validity +{{- $ca := genCA ( printf "%s-svc-ca" "controllermanager" ) 365 }} +# generate cert with CN="component-svc", SAN=$altNames and with 365 days of validity +{{- $cert := genSignedCert ( printf "%s-svc" "controllermanager" ) nil $altNames 365 $ca }} +apiVersion: v1 +kind: Secret +type: kubernetes.io/tls +metadata: + name: controllermanager-certs + labels: +{{ include "helm.labels" . | indent 4 }} +data: + tls.crt: {{ $cert.Cert | b64enc }} + tls.key: {{ $cert.Key | b64enc }} +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + labels: +{{ include "helm.labels" . | indent 4 }} + namespace: {{ .Release.Namespace }} + name: k10-sidecar-injector +webhooks: +- name: k10-sidecar-injector.kasten.io + admissionReviewVersions: ["v1", "v1beta1"] + failurePolicy: Ignore + sideEffects: None + clientConfig: + service: + name: controllermanager-svc + namespace: {{ .Release.Namespace }} + path: "/k10/mutate" + port: 443 + caBundle: {{ b64enc $ca.Cert }} + rules: + - operations: ["CREATE", "UPDATE"] + apiGroups: ["*"] + apiVersions: ["v1"] + resources: ["deployments", "statefulsets", "deploymentconfigs"] +{{- if .Values.injectKanisterSidecar.namespaceSelector }} + namespaceSelector: +{{ toYaml .Values.injectKanisterSidecar.namespaceSelector | indent 4 }} +{{- end }} +{{- if .Values.injectKanisterSidecar.objectSelector }} + objectSelector: +{{ toYaml .Values.injectKanisterSidecar.objectSelector | indent 4 }} +{{- end }} +{{- end }} diff --git a/charts/kasten/k10/7.0.1401/templates/networkpolicy.yaml b/charts/kasten/k10/7.0.1401/templates/networkpolicy.yaml new file mode 100644 index 000000000..0f7629580 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/templates/networkpolicy.yaml @@ -0,0 +1,299 @@ +{{- $admin_port := default 8877 .Values.service.gatewayAdminPort -}} +{{- $mutating_webhook_port := default 8080 .Values.injectKanisterSidecar.webhookServer.port -}} +{{- if .Values.networkPolicy.create }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: default-deny + namespace: {{ .Release.Namespace }} + labels: +{{ include "helm.labels" . | indent 4 }} +spec: + podSelector: {} + policyTypes: + - Ingress +{{- if eq (include "k10.isOpenShift" .) "true" }} +--- +kind: NetworkPolicy +apiVersion: networking.k8s.io/v1 +metadata: + name: allow-openshift-console-access + namespace: {{ .Release.Namespace }} +spec: + podSelector: + matchLabels: + release: {{ .Release.Name }} + ingress: + - from: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: openshift-console +{{- end }} +--- +kind: NetworkPolicy +apiVersion: networking.k8s.io/v1 +metadata: + name: access-k10-services + namespace: {{ .Release.Namespace }} + labels: +{{ include "helm.labels" . | indent 4 }} +spec: + podSelector: + matchLabels: + release: {{ .Release.Name }} + ingress: + - from: + - podSelector: + matchLabels: + access-k10-services: allowed + ports: + - protocol: TCP + port: {{ .Values.service.internalPort }} +--- +kind: NetworkPolicy +apiVersion: networking.k8s.io/v1 +metadata: + name: cross-services-allow + namespace: {{ .Release.Namespace }} + labels: +{{ include "helm.labels" . | indent 4 }} +spec: + podSelector: + matchLabels: + release: {{ .Release.Name }} + ingress: + - from: + - podSelector: + matchLabels: + release: {{ .Release.Name }} + ports: + - protocol: TCP + port: {{ .Values.service.internalPort }} +--- +{{/* TODO: Consider a flag to turn this off. */}} +kind: NetworkPolicy +apiVersion: networking.k8s.io/v1 +metadata: + name: allow-gateway-to-mc-external + namespace: {{ .Release.Namespace }} + labels: +{{ include "helm.labels" . | indent 4 }} +spec: + podSelector: + matchLabels: + component: controllermanager + release: {{ .Release.Name }} + ingress: + - from: + - podSelector: + matchLabels: + service: gateway + release: {{ .Release.Name }} + ports: + - protocol: TCP + port: {{ include "k10.mcExternalPort" nil }} +{{- if .Values.logging.internal }} +--- +kind: NetworkPolicy +apiVersion: networking.k8s.io/v1 +metadata: + name: logging-allow-internal + namespace: {{ .Release.Namespace }} + labels: +{{ include "helm.labels" . | indent 4 }} +spec: + podSelector: + matchLabels: + release: {{ .Release.Name }} + run: logging-svc + ingress: + - from: + - podSelector: + matchLabels: + release: {{ .Release.Name }} + ports: + # Logging input port + - protocol: TCP + port: 24224 + - protocol: TCP + port: 24225 +{{- end }} +--- +kind: NetworkPolicy +apiVersion: networking.k8s.io/v1 +metadata: + name: allow-external + namespace: {{ .Release.Namespace }} + labels: +{{ include "helm.labels" . | indent 4 }} +spec: + podSelector: + matchLabels: + service: gateway + release: {{ .Release.Name }} + ingress: + - from: [] + ports: + - protocol: TCP + port: {{ .Values.gateway.service.internalPort | default 8000 }} +--- +kind: NetworkPolicy +apiVersion: networking.k8s.io/v1 +metadata: + name: allow-all-api + namespace: {{ .Release.Namespace }} + labels: +{{ include "helm.labels" . | indent 4 }} +spec: + podSelector: + matchLabels: + run: aggregatedapis-svc + release: {{ .Release.Name }} + ingress: + - from: + ports: + - protocol: TCP + port: {{ .Values.service.aggregatedApiPort }} +{{- if .Values.gateway.exposeAdminPort }} +--- +kind: NetworkPolicy +apiVersion: networking.k8s.io/v1 +metadata: + name: allow-gateway-admin + namespace: {{ .Release.Namespace }} + labels: +{{ include "helm.labels" . | indent 4 }} +spec: + podSelector: + matchLabels: + release: {{ .Release.Name }} + service: gateway + ingress: + - from: + - podSelector: + matchLabels: + app: prometheus + component: server + release: {{ .Release.Name }} + ports: + - protocol: TCP + port: {{ $admin_port }} +{{- end -}} +{{- if or .Values.workerPodMetricSidecar.enabled .Values.kanisterPodMetricSidecar.enabled }} +--- +kind: NetworkPolicy +apiVersion: networking.k8s.io/v1 +metadata: + name: allow-metrics-kanister-pods + namespace: {{ .Release.Namespace }} + labels: +{{ include "helm.labels" . | indent 4 }} +spec: + podSelector: + matchLabels: + release: {{ .Release.Name }} + run: metering-svc + ingress: + - from: + - podSelector: + matchLabels: + createdBy: kanister + ports: + - protocol: TCP + port: {{ .Values.service.internalPort }} +{{- end -}} +{{- if .Values.injectKanisterSidecar.enabled }} +--- +kind: NetworkPolicy +apiVersion: networking.k8s.io/v1 +metadata: + name: allow-mutating-webhook + namespace: {{ .Release.Namespace }} + labels: +{{ include "helm.labels" . | indent 4 }} +spec: + podSelector: + matchLabels: + release: {{ .Release.Name }} + run: controllermanager-svc + ingress: + - from: + ports: + - protocol: TCP + port: {{ $mutating_webhook_port }} +{{- end -}} +{{- if eq (include "check.dexAuth" .) "true" }} +--- +kind: NetworkPolicy +apiVersion: networking.k8s.io/v1 +metadata: + name: gateway-dex-allow + namespace: {{ .Release.Namespace }} + labels: +{{ include "helm.labels" . | indent 4 }} +spec: + podSelector: + matchLabels: + release: {{ .Release.Name }} + run: auth-svc + ingress: + - from: + - podSelector: + matchLabels: + service: gateway + release: {{ .Release.Name }} + ports: + - protocol: TCP + port: 8080 +--- +kind: NetworkPolicy +apiVersion: networking.k8s.io/v1 +metadata: + name: auth-dex-allow + namespace: {{ .Release.Namespace }} + labels: +{{ include "helm.labels" . | indent 4 }} +spec: + podSelector: + matchLabels: + release: {{ .Release.Name }} + run: auth-svc + ingress: + - from: + - podSelector: + matchLabels: + run: auth-svc + release: {{ .Release.Name }} + ports: + - protocol: TCP + port: 8080 +{{- end -}} +{{- $mainCtx := . }} +{{- $colocatedList := include "get.enabledColocatedSvcList" . | fromYaml }} +{{- range $primary, $secondaryList := $colocatedList }} +--- +kind: NetworkPolicy +apiVersion: networking.k8s.io/v1 +metadata: + name: {{ $primary }}-svc-allow-secondary-services + namespace: {{ $mainCtx.Release.Namespace }} + labels: +{{ include "helm.labels" $mainCtx | indent 4 }} +spec: + podSelector: + matchLabels: + release: {{ $mainCtx.Release.Name }} + run: {{ $primary }}-svc + ingress: + - from: + - podSelector: + matchLabels: + release: {{ $mainCtx.Release.Name }} + ports: + {{- range $skip, $secondary := $secondaryList }} + {{- $colocConfig := index (include "get.enabledColocatedServices" $mainCtx | fromYaml) $secondary }} + - protocol: TCP + port: {{ $colocConfig.port }} + {{- end -}} +{{- end -}} +{{- end -}} diff --git a/charts/kasten/k10/7.0.1401/templates/ocp-ca-cert-extract-hook.yaml b/charts/kasten/k10/7.0.1401/templates/ocp-ca-cert-extract-hook.yaml new file mode 100644 index 000000000..73f39bb9c --- /dev/null +++ b/charts/kasten/k10/7.0.1401/templates/ocp-ca-cert-extract-hook.yaml @@ -0,0 +1,218 @@ +{{- if (include "k10.ocpcacertsautoextraction" .) -}} +{{- if or .Values.secrets.dockerConfig .Values.secrets.dockerConfigPath }} +--- +apiVersion: v1 +kind: Secret +metadata: + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-weight": "1" + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded,hook-failed + name: {{ .Release.Name }}-extract-ocp-ca-cert-dockerconfig + namespace: {{ .Release.Namespace }} +type: kubernetes.io/dockerconfigjson +data: + .dockerconfigjson: {{ or .Values.secrets.dockerConfig ( .Values.secrets.dockerConfigPath | b64enc ) }} +{{- end }} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-weight": "1" + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded,hook-failed + name: {{ .Release.Name }}-ocp-ca-cert-extractor + namespace: {{ .Release.Namespace }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-weight": "1" + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded,hook-failed + name: openshift-cluster-config-reader +rules: + - apiGroups: ["config.openshift.io"] + resources: ["proxies", "apiservers"] + verbs: ["get", "list"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-weight": "1" + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded,hook-failed + name: openshift-config-reader + namespace: openshift-config +rules: + - apiGroups: [""] + resources: ["configmaps", "secrets"] + verbs: ["get", "list"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-weight": "1" + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded,hook-failed + name: openshift-ingress-operator-reader + namespace: openshift-ingress-operator +rules: + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-weight": "1" + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded,hook-failed + name: openshift-kube-apiserver-reader + namespace: openshift-kube-apiserver +rules: + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-weight": "1" + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded,hook-failed + name: {{ .Release.Namespace }}-configmaps-editor + namespace: {{ .Release.Namespace }} +rules: + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["create", "get", "list", "watch", "patch", "update"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-weight": "2" + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded,hook-failed + name: read-openshift-cluster-config +subjects: + - kind: ServiceAccount + name: {{ .Release.Name }}-ocp-ca-cert-extractor + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: openshift-cluster-config-reader + apiGroup: rbac.authorization.k8s.io +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-weight": "2" + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded,hook-failed + name: read-openshift-config + namespace: openshift-config +subjects: + - kind: ServiceAccount + name: {{ .Release.Name }}-ocp-ca-cert-extractor + namespace: {{ .Release.Namespace }} +roleRef: + kind: Role + name: openshift-config-reader + apiGroup: rbac.authorization.k8s.io +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-weight": "2" + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded,hook-failed + name: read-openshift-ingress-operator + namespace: openshift-ingress-operator +subjects: + - kind: ServiceAccount + name: {{ .Release.Name }}-ocp-ca-cert-extractor + namespace: {{ .Release.Namespace }} +roleRef: + kind: Role + name: openshift-ingress-operator-reader + apiGroup: rbac.authorization.k8s.io +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-weight": "2" + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded,hook-failed + name: read-openshift-kube-apiserver + namespace: openshift-kube-apiserver +subjects: + - kind: ServiceAccount + name: {{ .Release.Name }}-ocp-ca-cert-extractor + namespace: {{ .Release.Namespace }} +roleRef: + kind: Role + name: openshift-kube-apiserver-reader + apiGroup: rbac.authorization.k8s.io +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-weight": "2" + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded,hook-failed + name: edit-{{ .Release.Namespace }}-configmaps + namespace: {{ .Release.Namespace }} +subjects: + - kind: ServiceAccount + name: {{ .Release.Name }}-ocp-ca-cert-extractor + namespace: {{ .Release.Namespace }} +roleRef: + kind: Role + name: {{ .Release.Namespace }}-configmaps-editor + apiGroup: rbac.authorization.k8s.io +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ .Release.Name }}-extract-ocp-ca-cert-job + labels: +{{ include "helm.labels" . | indent 4 }} + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded,hook-failed + "helm.sh/hook-weight": "3" +spec: + template: + metadata: + name: {{ .Release.Name }}-extract-ocp-ca-cert-job + labels: +{{ include "helm.labels" . | indent 8 }} + spec: + restartPolicy: Never + serviceAccountName: {{ .Release.Name }}-ocp-ca-cert-extractor + containers: + - name: {{ .Release.Name }}-extract-ocp-ca-cert-job + image: {{ include "k10.k10ToolsImage" . }} + command: ["./k10tools", "openshift", "extract-certificates"] + args: ["-n", "{{ .Release.Namespace }}", "--release-name", "{{ .Release.Name }}", "--ca-cert-configmap-name", "{{ .Values.cacertconfigmap.name }}"] + {{- if or .Values.secrets.dockerConfig .Values.secrets.dockerConfigPath }} + imagePullSecrets: + - name: {{ .Release.Name }}-extract-ocp-ca-cert-dockerconfig + {{- else if .Values.global.imagePullSecret }} + imagePullSecrets: + - name: {{ .Values.global.imagePullSecret }} + {{- end }} + backoffLimit: 0 +{{ end }} diff --git a/charts/kasten/k10/7.0.1401/templates/ocp-consoleplugin.yaml b/charts/kasten/k10/7.0.1401/templates/ocp-consoleplugin.yaml new file mode 100644 index 000000000..845d9667d --- /dev/null +++ b/charts/kasten/k10/7.0.1401/templates/ocp-consoleplugin.yaml @@ -0,0 +1,27 @@ +{{- if eq (include "k10.isOpenShift" .) "true" -}} +apiVersion: console.openshift.io/v1 +kind: ConsolePlugin +metadata: + name: {{ template "k10.openShiftConsolePluginName" . }} + labels: +{{ include "helm.labels" . | indent 4 }} + component: {{ template "k10.openShiftConsolePluginName" . }} +spec: + displayName: Veeam Kasten Plugin + backend: + type: Service + service: + name: {{ template "k10.openShiftConsolePluginName" . }} + namespace: {{ .Release.Namespace }} + port: 9443 + basePath: / + proxy: + - alias: dashboardbff + authorization: UserToken + endpoint: + service: + name: {{ template "k10.openShiftConsolePluginProxyName" . }} + namespace: {{ .Release.Namespace }} + port: 443 + type: Service +{{- end -}} diff --git a/charts/kasten/k10/7.0.1401/templates/ocp-plugin-configmap.yaml b/charts/kasten/k10/7.0.1401/templates/ocp-plugin-configmap.yaml new file mode 100644 index 000000000..1fc058271 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/templates/ocp-plugin-configmap.yaml @@ -0,0 +1,28 @@ +{{- if eq (include "k10.isOpenShift" .) "true" -}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "k10.openShiftConsolePluginConfigMapName" . }} + namespace: {{ .Release.Namespace }} + labels: +{{ include "helm.labels" . | indent 4 }} + component: {{ template "k10.openShiftConsolePluginName" . }} +data: + nginx.conf: | + pid /var/run/nginx/nginx.pid; + error_log /dev/stdout info; + events {} + http { + access_log /dev/stdout; + include /etc/nginx/mime.types; + default_type application/octet-stream; + keepalive_timeout 65; + server { + listen 9443 ssl; + listen [::]:9443 ssl; + ssl_certificate /var/cert/tls.crt; + ssl_certificate_key /var/cert/tls.key; + root /ocpconsoleplugin; + } + } +{{- end -}} diff --git a/charts/kasten/k10/7.0.1401/templates/ocp-plugin-deployment.yaml b/charts/kasten/k10/7.0.1401/templates/ocp-plugin-deployment.yaml new file mode 100644 index 000000000..3be16b1c9 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/templates/ocp-plugin-deployment.yaml @@ -0,0 +1,74 @@ +{{- if eq (include "k10.isOpenShift" .) "true" -}} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "k10.openShiftConsolePluginName" . }} + namespace: {{ .Release.Namespace }} + labels: +{{ include "helm.labels" . | indent 4 }} + component: {{ template "k10.openShiftConsolePluginName" . }} + app.openshift.io/runtime-namespace: {{ .Release.Namespace }} +spec: + replicas: 2 + selector: + matchLabels: +{{ include "helm.labels" . | indent 6 }} + component: {{ template "k10.openShiftConsolePluginName" . }} + template: + metadata: + {{- if .Values.scc.create }} + annotations: + openshift.io/required-scc: {{ .Release.Name }}-scc + {{- end }} + labels: +{{ include "helm.labels" . | indent 8 }} + component: {{ template "k10.openShiftConsolePluginName" . }} + spec: + containers: + - name: {{ template "k10.openShiftConsolePluginName" . }} + image: {{ include "k10.ocpConsolePluginImage" . }} + ports: + - containerPort: 9443 + protocol: TCP + imagePullPolicy: Always + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: false + capabilities: + drop: ["ALL"] + resources: + requests: + cpu: 10m + memory: 50Mi + volumeMounts: + - name: {{ template "k10.openShiftConsolePluginTLSCertName" . }} + readOnly: true + mountPath: /var/cert + - name: {{ template "k10.openShiftConsolePluginConfigMapName" . }} + readOnly: true + mountPath: /etc/nginx/nginx.conf + subPath: nginx.conf + volumes: + - name: {{ template "k10.openShiftConsolePluginTLSCertName" . }} + secret: + secretName: {{ template "k10.openShiftConsolePluginTLSCertName" . }} + defaultMode: 420 + - name: {{ template "k10.openShiftConsolePluginConfigMapName" . }} + configMap: + name: {{ template "k10.openShiftConsolePluginConfigMapName" . }} + defaultMode: 420 + restartPolicy: Always + dnsPolicy: ClusterFirst + securityContext: + fsGroup: 1000 + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault + serviceAccountName: {{ template "serviceAccountName" . }} + strategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 25% + maxSurge: 25% +{{- end -}} diff --git a/charts/kasten/k10/7.0.1401/templates/ocp-plugin-proxy-configmap.yaml b/charts/kasten/k10/7.0.1401/templates/ocp-plugin-proxy-configmap.yaml new file mode 100644 index 000000000..3276a3265 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/templates/ocp-plugin-proxy-configmap.yaml @@ -0,0 +1,36 @@ +{{- if eq (include "k10.isOpenShift" .) "true" -}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "k10.openShiftConsolePluginProxyConfigMapName" . }} + namespace: {{ .Release.Namespace }} + labels: +{{ include "helm.labels" . | indent 4 }} + component: {{ template "k10.openShiftConsolePluginProxyName" . }} +data: + nginx.conf: | + pid /var/run/nginx/nginx.pid; + error_log /dev/stdout info; + events { + worker_connections 1024; + } + http { + access_log /dev/stdout; + server { + listen 8080; + server_name {{ template "k10.openShiftConsolePluginProxyName" . }}.dashboardbff; + location / { + proxy_pass http://dashboardbff-svc.{{ .Release.Namespace }}:8000; + } + } + server { + listen 9443 ssl; + server_name {{ template "k10.openShiftConsolePluginProxyName" . }}.dashboardbff; + ssl_certificate /etc/nginx/ssl/tls.crt; + ssl_certificate_key /etc/nginx/ssl/tls.key; + location / { + proxy_pass http://dashboardbff-svc.{{ .Release.Namespace }}:8000; + } + } + } +{{- end -}} diff --git a/charts/kasten/k10/7.0.1401/templates/ocp-plugin-proxy-deployment.yaml b/charts/kasten/k10/7.0.1401/templates/ocp-plugin-proxy-deployment.yaml new file mode 100644 index 000000000..50f15463a --- /dev/null +++ b/charts/kasten/k10/7.0.1401/templates/ocp-plugin-proxy-deployment.yaml @@ -0,0 +1,67 @@ +{{- if eq (include "k10.isOpenShift" .) "true" -}} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "k10.openShiftConsolePluginProxyName" . }} + namespace: {{ .Release.Namespace }} + labels: +{{ include "helm.labels" . | indent 4 }} + component: {{ template "k10.openShiftConsolePluginProxyName" . }} +spec: + replicas: 1 + selector: + matchLabels: +{{ include "helm.labels" . | indent 6 }} + component: {{ template "k10.openShiftConsolePluginProxyName" . }} + template: + metadata: + {{- if .Values.scc.create }} + annotations: + openshift.io/required-scc: {{ .Release.Name }}-scc + {{- end }} + labels: +{{ include "helm.labels" . | indent 8 }} + component: {{ template "k10.openShiftConsolePluginProxyName" . }} + spec: + containers: + - image: {{ include "k10.ocpConsolePluginImage" . }} + imagePullPolicy: Always + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: false + capabilities: + drop: ["ALL"] + name: nginx + ports: + - containerPort: 8080 + name: http + protocol: TCP + - containerPort: 9443 + name: https + protocol: TCP + resources: + requests: + cpu: 10m + memory: 50Mi + volumeMounts: + - mountPath: /etc/nginx + name: {{ template "k10.openShiftConsolePluginProxyConfigMapName" . }} + - mountPath: /etc/nginx/ssl + name: {{ template "k10.openShiftConsolePluginProxyTLSCertName" . }} + volumes: + - name: {{ template "k10.openShiftConsolePluginProxyConfigMapName" . }} + configMap: + defaultMode: 420 + name: {{ template "k10.openShiftConsolePluginProxyConfigMapName" . }} + - name: {{ template "k10.openShiftConsolePluginProxyTLSCertName" . }} + secret: + defaultMode: 420 + secretName: {{ template "k10.openShiftConsolePluginProxyTLSCertName" . }} + securityContext: + fsGroup: 1000 + runAsNonRoot: true + runAsUser: 1000 + seccompProfile: + type: RuntimeDefault + serviceAccountName: {{ template "serviceAccountName" . }} +{{- end -}} diff --git a/charts/kasten/k10/7.0.1401/templates/ocp-plugin-proxy-service.yaml b/charts/kasten/k10/7.0.1401/templates/ocp-plugin-proxy-service.yaml new file mode 100644 index 000000000..e1b421673 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/templates/ocp-plugin-proxy-service.yaml @@ -0,0 +1,25 @@ +{{- if eq (include "k10.isOpenShift" .) "true" -}} +apiVersion: v1 +kind: Service +metadata: + annotations: + service.beta.openshift.io/serving-cert-secret-name: {{ template "k10.openShiftConsolePluginProxyTLSCertName" . }} + name: {{ template "k10.openShiftConsolePluginProxyName" . }} + namespace: {{ .Release.Namespace }} + labels: +{{ include "helm.labels" . | indent 4 }} + component: {{ template "k10.openShiftConsolePluginProxyName" . }} +spec: + selector: +{{ include "helm.labels" . | indent 4 }} + component: {{ template "k10.openShiftConsolePluginProxyName" . }} + ports: + - name: http + port: 80 + protocol: TCP + targetPort: http + - name: https + port: 443 + protocol: TCP + targetPort: https +{{- end -}} diff --git a/charts/kasten/k10/7.0.1401/templates/ocp-plugin-service.yaml b/charts/kasten/k10/7.0.1401/templates/ocp-plugin-service.yaml new file mode 100644 index 000000000..59add4bc4 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/templates/ocp-plugin-service.yaml @@ -0,0 +1,23 @@ +{{- if eq (include "k10.isOpenShift" .) "true" -}} +apiVersion: v1 +kind: Service +metadata: + annotations: + service.alpha.openshift.io/serving-cert-secret-name: {{ template "k10.openShiftConsolePluginTLSCertName" . }} + name: {{ template "k10.openShiftConsolePluginName" . }} + namespace: {{ .Release.Namespace }} + labels: +{{ include "helm.labels" . | indent 4 }} + component: {{ template "k10.openShiftConsolePluginName" . }} +spec: + ports: + - name: tcp + protocol: TCP + port: 9443 + targetPort: 9443 + selector: +{{ include "helm.labels" . | indent 4 }} + component: {{ template "k10.openShiftConsolePluginName" . }} + type: ClusterIP + sessionAffinity: None +{{- end -}} diff --git a/charts/kasten/k10/7.0.1401/templates/prometheus-configmap.yaml b/charts/kasten/k10/7.0.1401/templates/prometheus-configmap.yaml new file mode 100644 index 000000000..4e1e24f9e --- /dev/null +++ b/charts/kasten/k10/7.0.1401/templates/prometheus-configmap.yaml @@ -0,0 +1,97 @@ +{{ include "check.validatePrometheusConfig" .}} +{{- if .Values.prometheus.server.enabled -}} +{{- $cluster_domain := "" -}} +{{- with .Values.cluster.domainName -}} + {{- $cluster_domain = printf ".%s" . -}} +{{- end -}} +{{- $rbac := .Values.prometheus.rbac.create -}} +kind: ConfigMap +apiVersion: v1 +metadata: + labels: +{{ include "helm.labels" . | indent 4 }} + namespace: {{ .Release.Namespace }} + name: {{ .Release.Name }}-{{ .Values.prometheus.server.configMapOverrideName }} +data: + prometheus.yml: | + global: + scrape_interval: 1m + scrape_timeout: 10s + evaluation_interval: 1m + scrape_configs: + - job_name: httpServiceDiscovery + http_sd_configs: + - url: {{ printf "http://metering-svc.%s.svc%s:8000/v0/listScrapeTargets" .Release.Namespace $cluster_domain }} +{{- if or .Values.workerPodMetricSidecar.enabled .Values.kanisterPodMetricSidecar.enabled }} + - job_name: pushAggregator + honor_timestamps: true + metrics_path: /v0/push-metric-agg/metrics + static_configs: + - targets: + - {{ printf "metering-svc.%s.svc%s:8000" .Release.Namespace $cluster_domain }} +{{- end -}} +{{- if .Values.prometheus.scrapeCAdvisor }} + - job_name: 'kubernetes-cadvisor' + scheme: https + tls_config: + ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + kubernetes_sd_configs: + - role: node + relabel_configs: + - action: labelmap + regex: __meta_kubernetes_node_label_(.+) + - target_label: __address__ + replacement: kubernetes.default.svc:443 + - source_labels: [__meta_kubernetes_node_name] + regex: (.+) + target_label: __metrics_path__ + replacement: /api/v1/nodes/${1}/proxy/metrics/cadvisor +{{- end}} + - job_name: prometheus + metrics_path: {{ .Values.prometheus.server.baseURL }}metrics + static_configs: + - targets: + - "localhost:9090" + labels: + app: prometheus + component: server + - job_name: k10-pods + scheme: http + metrics_path: /metrics + kubernetes_sd_configs: + - role: pod + namespaces: + own_namespace: true + selectors: + - role: pod + label: "component=executor" + relabel_configs: + - action: labelmap + regex: __meta_kubernetes_pod_label_(.+) + - source_labels: [__meta_kubernetes_pod_container_port_number] + action: keep + regex: 8\d{3} +{{- if ne .Values.metering.mode "airgap" }} + - job_name: k10-grafana + scheme: http + metrics_path: /metrics + kubernetes_sd_configs: + - role: pod + namespaces: + own_namespace: true + selectors: + - role: pod + label: "component=grafana" + relabel_configs: + - action: labelmap + regex: __meta_kubernetes_pod_label_(.+) + - source_labels: [__meta_kubernetes_pod_container_port_number] + action: keep + regex: 3000 + metric_relabel_configs: + - source_labels: [__name__] + regex: grafana_http_request_duration_seconds_count + action: keep +{{- end}} +{{- end -}} diff --git a/charts/kasten/k10/7.0.1401/templates/prometheus-scc.yaml b/charts/kasten/k10/7.0.1401/templates/prometheus-scc.yaml new file mode 100644 index 000000000..4d039ef00 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/templates/prometheus-scc.yaml @@ -0,0 +1,41 @@ +{{- if .Values.scc.create }} +kind: SecurityContextConstraints +apiVersion: security.openshift.io/v1 +metadata: + labels: +{{ include "helm.labels" . | indent 4 }} + name: {{ .Release.Name }}-prometheus-server +allowPrivilegedContainer: false +allowHostNetwork: false +allowHostDirVolumePlugin: true +allowHostPorts: true +allowHostPID: false +allowHostIPC: false +readOnlyRootFilesystem: false +requiredDropCapabilities: +- CHOWN +- KILL +- MKNOD +- SETUID +- SETGID +defaultAddCapabilities: [] +allowedCapabilities: [] +priority: 0 +runAsUser: + type: MustRunAsNonRoot +seLinuxContext: + type: RunAsAny +fsGroup: + type: RunAsAny +supplementalGroups: + type: RunAsAny +volumes: +- configMap +- downwardAPI +- emptyDir +- persistentVolumeClaim +- projected +- secret +users: + - system:serviceaccount:{{.Release.Namespace}}:prometheus-server +{{- end }} diff --git a/charts/kasten/k10/7.0.1401/templates/prometheus-service.yaml b/charts/kasten/k10/7.0.1401/templates/prometheus-service.yaml new file mode 100644 index 000000000..a5a228171 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/templates/prometheus-service.yaml @@ -0,0 +1,46 @@ +{{/* Template to generate service spec for v0 rest services */}} +{{- if .Values.prometheus.server.enabled -}} +{{- $postfix := default .Release.Name .Values.ingress.urlPath -}} +{{- $os_postfix := default .Release.Name .Values.route.path -}} +{{- $service_port := .Values.prometheus.server.service.servicePort -}} +apiVersion: v1 +kind: Service +metadata: + namespace: {{ .Release.Namespace }} + name: {{ include "k10.prometheus.service.name" . }}-exp + labels: +{{ include "helm.labels" $ | indent 4 }} + component: {{ include "k10.prometheus.service.name" . }} + run: {{ include "k10.prometheus.service.name" . }} + annotations: + getambassador.io/config: | + --- + apiVersion: getambassador.io/v3alpha1 + kind: Mapping + name: {{ include "k10.prometheus.service.name" . }}-mapping + {{- if .Values.prometheus.server.baseURL }} + rewrite: /{{ .Values.prometheus.server.baseURL | trimPrefix "/" | trimSuffix "/" }}/ + {{- else }} + rewrite: / + {{- end }} + {{- if .Values.route.enabled }} + prefix: /{{ $os_postfix | trimPrefix "/" | trimSuffix "/" }}/prometheus/ + {{- else }} + prefix: /{{ $postfix | trimPrefix "/" | trimSuffix "/" }}/prometheus/ + {{- end }} + service: {{ include "k10.prometheus.service.name" . }}:{{ $service_port }} + timeout_ms: 15000 + hostname: "*" + ambassador_id: [ {{ include "k10.ambassadorId" . }} ] + +spec: + ports: + - name: http + protocol: TCP + port: {{ $service_port }} + targetPort: 9090 + selector: + app: {{ include "k10.prometheus.name" . }} + component: {{ .Values.prometheus.server.name }} + release: {{ .Release.Name }} +{{- end -}} diff --git a/charts/kasten/k10/7.0.1401/templates/rbac.yaml b/charts/kasten/k10/7.0.1401/templates/rbac.yaml new file mode 100644 index 000000000..ec68013e9 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/templates/rbac.yaml @@ -0,0 +1,381 @@ +{{- $main := . -}} +{{- $apiDomain := include "apiDomain" . -}} + +{{- $actionsAPIs := splitList " " (include "k10.actionsAPIs" .) -}} +{{- $aggregatedAPIs := splitList " " (include "k10.aggregatedAPIs" .) -}} +{{- $appsAPIs := splitList " " (include "k10.appsAPIs" .) -}} +{{- $authAPIs := splitList " " (include "k10.authAPIs" .) -}} +{{- $configAPIs := splitList " " (include "k10.configAPIs" .) -}} +{{- $distAPIs := splitList " " (include "k10.distAPIs" .) -}} +{{- $reportingAPIs := splitList " " (include "k10.reportingAPIs" .) -}} + +{{- if .Values.rbac.create }} +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + labels: +{{ include "helm.labels" . | indent 4 }} + name: {{ .Release.Namespace }}-{{ template "serviceAccountName" . }}-cluster-admin +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cluster-admin +subjects: +- kind: ServiceAccount + name: {{ template "serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +{{- if not ( eq (include "meteringServiceAccountName" .) (include "serviceAccountName" .) )}} +- kind: ServiceAccount + name: {{ template "meteringServiceAccountName" . }} + namespace: {{ .Release.Namespace }} +{{- end }} +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + labels: +{{ include "helm.labels" . | indent 4 }} +{{ include "k10.defaultRBACLabels" . | indent 4 }} + name: {{ .Release.Name }}-admin +rules: +- apiGroups: +{{- range sortAlpha (concat $aggregatedAPIs $configAPIs $reportingAPIs) }} + - {{ . }}.{{ $apiDomain }} +{{- end }} + resources: + - "*" + verbs: + - "*" +- apiGroups: + - cr.kanister.io + resources: + - '*' + verbs: + - '*' +- apiGroups: + - "" + resources: + - namespaces + verbs: + - create + - get + - list +--- +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + labels: +{{ include "helm.labels" . | indent 4 }} +{{ include "k10.defaultRBACLabels" . | indent 4 }} + name: {{ .Release.Name }}-ns-admin + namespace: {{ .Release.Namespace }} +rules: +- apiGroups: + - "apps" + resources: + - deployments + verbs: + - get + - update + - watch + - list +- apiGroups: + - "" + resources: + - pods + verbs: + - get + - create + - delete + - list +- apiGroups: + - "apik10.kasten.io" + resources: + - k10s + verbs: + - list + - patch +- apiGroups: + - "" + resources: + - persistentvolumeclaims + verbs: + - get +- apiGroups: + - "" + resources: + - secrets + verbs: + - create + - delete + - get + - list + - update +- apiGroups: + - "" + resources: + - configmaps + verbs: + - create + - delete + - get + - list + - update +- apiGroups: + - "batch" + resources: + - jobs + verbs: + - get +- apiGroups: + - "" + resources: + - services + verbs: + - create + - get + - delete +- apiGroups: + - "networking.k8s.io" + resources: + - networkpolicies + verbs: + - get + - create + - list + - delete +- apiGroups: + - "" + resources: + - endpoints + verbs: + - list + - get +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + labels: +{{ include "helm.labels" . | indent 4 }} +{{ include "k10.defaultRBACLabels" . | indent 4 }} + name: {{ .Release.Name }}-mc-admin +rules: +- apiGroups: +{{- range sortAlpha (concat $authAPIs $configAPIs $distAPIs) }} + - {{ . }}.{{ $apiDomain }} +{{- end }} + resources: + - "*" + verbs: + - "*" +- apiGroups: + - "" + resources: + - secrets + verbs: + - "*" +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + labels: +{{ include "helm.labels" . | indent 4 }} +{{ include "k10.defaultRBACLabels" . | indent 4 }} + name: {{ .Release.Name }}-basic +rules: +- apiGroups: +{{- range sortAlpha $actionsAPIs }} + - {{ . }}.{{ $apiDomain }} +{{- end }} + resources: + - {{ include "k10.backupActions" $main}} + - {{ include "k10.backupActionsDetails" $main}} + - {{ include "k10.restoreActions" $main}} + - {{ include "k10.restoreActionsDetails" $main}} + - {{ include "k10.exportActions" $main}} + - {{ include "k10.exportActionsDetails" $main}} + - {{ include "k10.cancelActions" $main}} + - {{ include "k10.runActions" $main}} + - {{ include "k10.runActionsDetails" $main}} + verbs: + - "*" +- apiGroups: +{{- range sortAlpha $appsAPIs }} + - {{ . }}.{{ $apiDomain }} +{{- end }} + resources: + - {{ include "k10.restorePoints" $main}} + - {{ include "k10.restorePointsDetails" $main}} + - {{ include "k10.applications" $main}} + - {{ include "k10.applicationsDetails" $main}} + verbs: + - "*" +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get +- apiGroups: +{{- range sortAlpha $configAPIs }} + - {{ . }}.{{ $apiDomain }} +{{- end }} + resources: + - {{ include "k10.policies" $main}} + verbs: + - "*" +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + labels: +{{ include "helm.labels" . | indent 4 }} +{{ include "k10.defaultRBACLabels" . | indent 4 }} + name: {{ .Release.Name }}-config-view +rules: +- apiGroups: +{{- range sortAlpha $configAPIs }} + - {{ . }}.{{ $apiDomain }} +{{- end }} + resources: + - {{ include "k10.auditconfigs" $main}} + - {{ include "k10.profiles" $main}} + - {{ include "k10.policies" $main}} + - {{ include "k10.policypresets" $main}} + - {{ include "k10.transformsets" $main}} + - {{ include "k10.blueprintbindings" $main}} + - {{ include "k10.storagesecuritycontexts" $main}} + - {{ include "k10.storagesecuritycontextbindings" $main}} + verbs: + - get + - list +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + labels: +{{ include "helm.labels" . | indent 4 }} + name: {{ .Release.Namespace }}-{{ template "serviceAccountName" . }}-admin +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ .Release.Name }}-admin +subjects: +- apiGroup: rbac.authorization.k8s.io + kind: Group + name: k10:admins +{{- range .Values.auth.k10AdminUsers }} +- apiGroup: rbac.authorization.k8s.io + kind: User + name: {{ . }} +{{- end }} +{{- range default .Values.auth.groupAllowList .Values.auth.k10AdminGroups }} +- apiGroup: rbac.authorization.k8s.io + kind: Group + name: {{ . }} +{{- end }} +--- +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + labels: +{{ include "helm.labels" . | indent 4 }} + name: {{ .Release.Namespace }}-{{ template "serviceAccountName" . }}-ns-admin + namespace: {{ .Release.Namespace }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ .Release.Name }}-ns-admin +subjects: +- apiGroup: rbac.authorization.k8s.io + kind: Group + name: k10:admins +{{- range .Values.auth.k10AdminUsers }} +- apiGroup: rbac.authorization.k8s.io + kind: User + name: {{ . }} +{{- end }} +{{- range default .Values.auth.groupAllowList .Values.auth.k10AdminGroups }} +- apiGroup: rbac.authorization.k8s.io + kind: Group + name: {{ . }} +{{- end }} +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + labels: +{{ include "helm.labels" . | indent 4 }} + name: {{ .Release.Namespace }}-{{ template "serviceAccountName" . }}-mc-admin +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ .Release.Name }}-mc-admin +subjects: + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: k10:admins +{{- range .Values.auth.k10AdminUsers }} + - apiGroup: rbac.authorization.k8s.io + kind: User + name: {{ . }} +{{- end }} +{{- range default .Values.auth.groupAllowList .Values.auth.k10AdminGroups }} + - apiGroup: rbac.authorization.k8s.io + kind: Group + name: {{ . }} +{{- end }} +{{- end }} +{{- if and .Values.rbac.create (not .Values.prometheus.rbac.create) }} +--- +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + labels: +{{ include "helm.labels" . | indent 4 }} +{{ include "k10.defaultRBACLabels" . | indent 4 }} + name: {{ .Release.Name }}-prometheus-server + namespace: {{ .Release.Namespace }} +rules: +- apiGroups: + - "" + resources: + - nodes + - nodes/proxy + - nodes/metrics + - services + - endpoints + - pods + - ingresses + - configmaps + verbs: + - get + - list + - watch +- apiGroups: + - extensions + - networking.k8s.io + resources: + - ingresses/status + - ingresses + verbs: + - get + - list + - watch +--- +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + labels: +{{ include "helm.labels" . | indent 4 }} + name: {{ .Release.Namespace }}-{{ template "serviceAccountName" . }}-prometheus-server + namespace: {{ .Release.Namespace }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ .Release.Name }}-prometheus-server +subjects: + - kind: ServiceAccount + name: prometheus-server + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/charts/kasten/k10/7.0.1401/templates/route.yaml b/charts/kasten/k10/7.0.1401/templates/route.yaml new file mode 100644 index 000000000..1ecd244be --- /dev/null +++ b/charts/kasten/k10/7.0.1401/templates/route.yaml @@ -0,0 +1,36 @@ +{{- $route := .Values.route -}} +{{- if $route.enabled -}} +{{ include "authEnabled.check" . }} +apiVersion: route.openshift.io/v1 +kind: Route +metadata: + name: {{ .Release.Name }}-route + {{- with $route.annotations }} + namespace: {{ .Release.Namespace }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} + labels: +{{ include "helm.labels" . | indent 4 }} + {{- with $route.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + host: {{ $route.host }} + path: /{{ default .Release.Name $route.path | trimPrefix "/" | trimSuffix "/" }}/ + port: + targetPort: http + to: + kind: Service + name: gateway + weight: 100 + {{- if $route.tls.enabled }} + tls: + {{- if $route.tls.insecureEdgeTerminationPolicy }} + insecureEdgeTerminationPolicy: {{ $route.tls.insecureEdgeTerminationPolicy }} + {{- end }} + {{- if $route.tls.termination }} + termination: {{ $route.tls.termination }} + {{- end }} + {{- end }} +{{- end -}} diff --git a/charts/kasten/k10/7.0.1401/templates/secrets.yaml b/charts/kasten/k10/7.0.1401/templates/secrets.yaml new file mode 100644 index 000000000..0a040e2c0 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/templates/secrets.yaml @@ -0,0 +1,257 @@ +{{- include "enforce.singlecloudcreds" . -}} +{{- include "enforce.singleazurecreds" . -}} +{{- include "check.validateImagePullSecrets" . -}} +{{- if and (eq (include "check.awscreds" . ) "true") (not (eq (include "check.awsSecretName" . ) "true")) }} +apiVersion: v1 +kind: Secret +metadata: + labels: +{{ include "helm.labels" . | indent 4 }} + namespace: {{ .Release.Namespace }} + name: aws-creds +type: Opaque +data: + aws_access_key_id: {{ required "secrets.awsAccessKeyId field is required!" .Values.secrets.awsAccessKeyId | b64enc | quote }} + aws_secret_access_key: {{ required "secrets.awsSecretAccessKey field is required!" .Values.secrets.awsSecretAccessKey | b64enc | quote }} +{{- if .Values.secrets.awsIamRole }} + role: {{ .Values.secrets.awsIamRole | trim | b64enc | quote }} +{{- end }} +{{- end }} +{{- if or .Values.secrets.dockerConfig .Values.secrets.dockerConfigPath }} +--- +apiVersion: v1 +kind: Secret +metadata: + labels: +{{ include "helm.labels" . | indent 4 }} + namespace: {{ .Release.Namespace }} + name: k10-ecr +type: kubernetes.io/dockerconfigjson +data: + .dockerconfigjson: {{ or .Values.secrets.dockerConfig ( .Values.secrets.dockerConfigPath | b64enc ) }} +{{- end }} +{{- if and (eq (include "check.googlecreds" .) "true") ( not (eq (include "check.googleCredsSecret" .) "true")) }} +--- +apiVersion: v1 +kind: Secret +metadata: + labels: +{{ include "helm.labels" . | indent 4 }} + namespace: {{ .Release.Namespace }} + name: google-secret +type: Opaque +data: + kasten-gke-sa.json: {{ .Values.secrets.googleApiKey }} +{{- if eq (include "check.googleproject" .) "true" }} + kasten-gke-project: {{ .Values.secrets.googleProjectId | b64enc }} +{{- end }} +{{- end }} +{{- if eq (include "check.azurecreds" .) "true" }} +--- +apiVersion: v1 +kind: Secret +metadata: + labels: +{{ include "helm.labels" . | indent 4 }} + namespace: {{ .Release.Namespace }} + name: azure-creds +type: Opaque +data: + {{- if not (eq (include "check.azuresecret" .) "true" ) }} + {{- if or (eq (include "check.azureMSIWithClientID" .) "true") (eq (include "check.azureClientSecretCreds" .) "true") }} + azure_client_id: {{ required "secrets.azureClientId field is required!" .Values.secrets.azureClientId | b64enc | quote }} + {{- end }} + {{- if eq (include "check.azureClientSecretCreds" .) "true" }} + azure_tenant_id: {{ required "secrets.azureTenantId field is required!" .Values.secrets.azureTenantId | b64enc | quote }} + azure_client_secret: {{ required "secrets.azureClientSecret field is required!" .Values.secrets.azureClientSecret | b64enc | quote }} + {{- end }} + {{- end }} + azure_resource_group: {{ default "" .Values.secrets.azureResourceGroup | b64enc | quote }} + azure_subscription_id: {{ default "" .Values.secrets.azureSubscriptionID | b64enc | quote }} + azure_resource_manager_endpoint: {{ default "" .Values.secrets.azureResourceMgrEndpoint | b64enc | quote }} + entra_id_endpoint: {{ default "" (default .Values.secrets.azureADEndpoint .Values.secrets.microsoftEntraIDEndpoint) | b64enc | quote }} + entra_id_resource_id: {{ default "" (default .Values.secrets.azureADResourceID .Values.secrets.microsoftEntraIDResourceID) | b64enc | quote }} + azure_cloud_env_id: {{ default "" .Values.secrets.azureCloudEnvID | b64enc | quote }} +{{- end }} +{{- if and (eq (include "check.vspherecreds" .) "true") (not (eq (include "check.vsphereClientSecret" . ) "true")) }} +--- +apiVersion: v1 +kind: Secret +metadata: + labels: +{{ include "helm.labels" . | indent 4 }} + namespace: {{ .Release.Namespace }} + name: vsphere-creds +type: Opaque +data: + vsphere_endpoint: {{ required "secrets.vsphereEndpoint field is required!" .Values.secrets.vsphereEndpoint | b64enc | quote }} + vsphere_username: {{ required "secrets.vsphereUsername field is required!" .Values.secrets.vsphereUsername | b64enc | quote }} + vsphere_password: {{ required "secrets.vspherePassword field is required!" .Values.secrets.vspherePassword | b64enc | quote }} +{{- end }} +{{- if and (eq (include "basicauth.check" .) "true") (not .Values.auth.basicAuth.secretName) }} +--- +apiVersion: v1 +kind: Secret +metadata: + labels: +{{ include "helm.labels" . | indent 4 }} + name: k10-basic-auth + namespace: {{ .Release.Namespace }} +data: + auth: {{ required "auth.basicAuth.htpasswd field is required!" .Values.auth.basicAuth.htpasswd | b64enc | quote}} +type: Opaque +{{- end }} +{{- if .Values.auth.tokenAuth.enabled }} +--- +apiVersion: v1 +kind: Secret +metadata: + labels: +{{ include "helm.labels" . | indent 4 }} + name: k10-token-auth + namespace: {{ .Release.Namespace }} +data: + auth: {{ "true" | b64enc | quote}} +type: Opaque +{{- end }} +{{- if and .Values.auth.oidcAuth.enabled (not .Values.auth.oidcAuth.secretName) }} +--- +apiVersion: v1 +kind: Secret +metadata: + labels: +{{ include "helm.labels" . | indent 4 }} + name: {{ include "k10.oidcSecretName" .}} + namespace: {{ .Release.Namespace }} +data: + provider-url: {{ required "auth.oidcAuth.providerURL field is required!" .Values.auth.oidcAuth.providerURL | b64enc | quote }} + redirect-url: {{ required "auth.oidcAuth.redirectURL field is required!" .Values.auth.oidcAuth.redirectURL | b64enc | quote }} +{{- if not .Values.auth.oidcAuth.clientSecretName }} + client-id: {{ required "auth.oidcAuth.clientID field is required!" .Values.auth.oidcAuth.clientID | b64enc | quote }} + client-secret: {{ required "auth.oidcAuth.clientSecret field is required!" .Values.auth.oidcAuth.clientSecret | b64enc | quote }} +{{- end }} + scopes: {{ required "auth.oidcAuth.scopes field is required!" .Values.auth.oidcAuth.scopes | b64enc | quote }} + prompt: {{ default "select_account" .Values.auth.oidcAuth.prompt | b64enc | quote }} + usernameClaim: {{ default "sub" .Values.auth.oidcAuth.usernameClaim | b64enc | quote }} + usernamePrefix: {{ default "" .Values.auth.oidcAuth.usernamePrefix | b64enc | quote }} + groupClaim: {{ default "" .Values.auth.oidcAuth.groupClaim | b64enc | quote }} + groupPrefix: {{ default "" .Values.auth.oidcAuth.groupPrefix | b64enc | quote }} + sessionDuration: {{ default "1h" .Values.auth.oidcAuth.sessionDuration | b64enc | quote }} +{{- if .Values.auth.oidcAuth.refreshTokenSupport }} + refreshTokenSupport: {{ "true" | b64enc | quote }} +{{- else }} + refreshTokenSupport: {{ "false" | b64enc | quote }} +{{ end }} +stringData: + groupAllowList: |- +{{- range $.Values.auth.groupAllowList }} + {{ . -}} +{{ end }} + logout-url: {{ default "" .Values.auth.oidcAuth.logoutURL | b64enc | quote }} +type: Opaque +{{- end }} +{{- if and (.Values.auth.openshift.enabled) (and (not .Values.auth.openshift.clientSecretName) (not .Values.auth.openshift.clientSecret)) }} +--- +apiVersion: v1 +kind: Secret +type: kubernetes.io/service-account-token +metadata: + name: {{ include "get.openshiftServiceAccountSecretName" . }} + annotations: + kubernetes.io/service-account.name: {{ include "get.openshiftServiceAccountName" . | quote }} +{{- end }} +{{- if and (.Values.auth.openshift.enabled) (not .Values.auth.openshift.secretName) }} +{{ $dashboardURL := required "auth.openshift.dashboardURL field is required!" .Values.auth.openshift.dashboardURL }} +{{ $redirectURL := trimSuffix "/" (trimSuffix (default .Release.Name .Values.ingress.urlPath) (trimSuffix "/" $dashboardURL)) | b64enc | quote }} +{{- if .Values.route.enabled }} +{{ $redirectURL := trimSuffix "/" (trimSuffix (default .Release.Name .Values.route.path) (trimSuffix "/" $dashboardURL)) | b64enc | quote }} +{{- end }} +--- +apiVersion: v1 +kind: Secret +metadata: + labels: +{{ include "helm.labels" . | indent 4 }} + name: {{ include "k10.oidcSecretName" .}} + namespace: {{ .Release.Namespace }} +data: + provider-url: {{ printf "%s/dex" (trimSuffix "/" $dashboardURL) | b64enc | quote }} + redirect-url: {{ $redirectURL }} + client-id: {{ (printf "kasten") | b64enc | quote }} + client-secret: {{ (printf "kastensecret") | b64enc | quote }} + scopes: {{ (printf "groups profile email") | b64enc | quote }} + prompt: {{ (printf "select_account") | b64enc | quote }} + usernameClaim: {{ default "email" .Values.auth.openshift.usernameClaim | b64enc | quote }} + usernamePrefix: {{ default "" .Values.auth.openshift.usernamePrefix | b64enc | quote }} + groupClaim: {{ default "groups" .Values.auth.openshift.groupClaim | b64enc | quote }} + groupPrefix: {{ default "" .Values.auth.openshift.groupPrefix | b64enc | quote }} +stringData: + groupAllowList: |- +{{- range $.Values.auth.groupAllowList }} + {{ . -}} +{{ end }} +type: Opaque +{{- end }} +{{- if and .Values.auth.ldap.enabled (not .Values.auth.ldap.secretName) }} +--- +apiVersion: v1 +kind: Secret +metadata: + labels: +{{ include "helm.labels" . | indent 4 }} + name: {{ include "k10.oidcSecretName" .}} + namespace: {{ .Release.Namespace }} +data: + provider-url: {{ required "auth.ldap.dashboardURL field is required!" (printf "%s/dex" (trimSuffix "/" .Values.auth.ldap.dashboardURL)) | b64enc | quote }} + {{- if .Values.route.enabled }} + redirect-url: {{ required "auth.ldap.dashboardURL field is required!" (trimSuffix "/" (trimSuffix (default .Release.Name .Values.route.path) (trimSuffix "/" .Values.auth.ldap.dashboardURL))) | b64enc | quote }} + {{- else }} + redirect-url: {{ required "auth.ldap.dashboardURL field is required!" (trimSuffix "/" (trimSuffix (default .Release.Name .Values.ingress.urlPath) (trimSuffix "/" .Values.auth.ldap.dashboardURL))) | b64enc | quote }} + {{- end }} + client-id: {{ (printf "kasten") | b64enc | quote }} + client-secret: {{ (printf "kastensecret") | b64enc | quote }} + scopes: {{ (printf "groups profile email") | b64enc | quote }} + prompt: {{ (printf "select_account") | b64enc | quote }} + usernameClaim: {{ default "email" .Values.auth.ldap.usernameClaim | b64enc | quote }} + usernamePrefix: {{ default "" .Values.auth.ldap.usernamePrefix | b64enc | quote }} + groupClaim: {{ default "groups" .Values.auth.ldap.groupClaim | b64enc | quote }} + groupPrefix: {{ default "" .Values.auth.ldap.groupPrefix | b64enc | quote }} +stringData: + groupAllowList: |- +{{- range $.Values.auth.groupAllowList }} + {{ . -}} +{{ end }} +type: Opaque +{{- end }} +{{- if and .Values.auth.ldap.enabled (not .Values.auth.ldap.bindPWSecretName) }} +--- +apiVersion: v1 +kind: Secret +metadata: + labels: +{{ include "helm.labels" . | indent 4 }} + name: k10-dex + namespace: {{ .Release.Namespace }} +data: + bindPW: {{ required "auth.ldap.bindPW field is required!" .Values.auth.ldap.bindPW | b64enc | quote }} +type: Opaque +{{- end }} +{{- if eq (include "check.primaryKey" . ) "true" }} +--- +apiVersion: v1 +kind: Secret +metadata: + labels: +{{ include "helm.labels" . | indent 4 }} + name: k10-encryption-primary-key + namespace: {{ .Release.Namespace }} +data: + {{- if .Values.encryption.primaryKey.awsCmkKeyId }} + awscmkkeyid: {{ default "" .Values.encryption.primaryKey.awsCmkKeyId | trim | b64enc | quote }} + {{- end }} + {{- if .Values.encryption.primaryKey.vaultTransitKeyName }} + vaulttransitkeyname: {{ default "" .Values.encryption.primaryKey.vaultTransitKeyName | trim | b64enc | quote }} + vaulttransitpath: {{ default "transit" .Values.encryption.primaryKey.vaultTransitPath | trim | b64enc | quote }} + {{- end }} +type: Opaque +{{- end }} diff --git a/charts/kasten/k10/7.0.1401/templates/secure_deployment.tpl b/charts/kasten/k10/7.0.1401/templates/secure_deployment.tpl new file mode 100644 index 000000000..55c537eb9 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/templates/secure_deployment.tpl @@ -0,0 +1,17 @@ +{{/* +This file is used to fail the helm deployment if certain values are set which are +not compatible with a secure deployment. + +A secure deployment is defined as one of the following: +- Iron Bank +- FIPS +*/}} + +{{/* Iron Bank */}} +{{- include "k10.fail.ironbankGrafana" . -}} +{{- include "k10.fail.ironbankPrometheus" . -}} +{{- include "k10.fail.ironbankRHMarketplace" . -}} + +{{/* FIPS */}} +{{- include "k10.fail.fipsGrafana" . -}} +{{- include "k10.fail.fipsPrometheus" . -}} diff --git a/charts/kasten/k10/7.0.1401/templates/serviceaccount.yaml b/charts/kasten/k10/7.0.1401/templates/serviceaccount.yaml new file mode 100644 index 000000000..d24d91e16 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/templates/serviceaccount.yaml @@ -0,0 +1,48 @@ +{{- if and .Values.serviceAccount.create ( not .Values.metering.awsMarketplace ) }} +kind: ServiceAccount +apiVersion: v1 +metadata: +{{- if .Values.secrets.awsIamRole }} + annotations: + eks.amazonaws.com/role-arn: {{ .Values.secrets.awsIamRole }} +{{- end }} +{{- if eq (include "check.azureFederatedIdentity" .) "true" }} + annotations: + azure.workload.identity/client-id: {{ .Values.secrets.azureClientId | quote }} +{{- end }} + labels: +{{ include "helm.labels" . | indent 4 }} + name: {{ template "serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +{{- end }} +{{- if and (not ( eq (include "meteringServiceAccountName" .) (include "serviceAccountName" .))) ( not .Values.metering.awsManagedLicense ) .Values.metering.serviceAccount.create }} +--- +kind: ServiceAccount +apiVersion: v1 +metadata: +{{- if .Values.metering.awsMarketPlaceIamRole }} + annotations: + eks.amazonaws.com/role-arn: {{ .Values.metering.awsMarketPlaceIamRole }} +{{- end }} + labels: +{{ include "helm.labels" . | indent 4 }} + name: {{ template "meteringServiceAccountName" . }} + namespace: {{ .Release.Namespace }} +{{- end }} +{{- if and (.Values.auth.openshift.enabled) (not .Values.auth.openshift.serviceAccount) }} +{{- if or (.Values.auth.openshift.clientSecret) (.Values.auth.openshift.clientSecretName) }} + {{ fail "auth.openshift.serviceAccount is required when auth.openshift.clientSecret or auth.openshift.clientSecretName is used "}} +{{- end }} +--- +kind: ServiceAccount +apiVersion: v1 +metadata: + name: {{ include "k10.dexServiceAccountName" . }} + namespace: {{ .Release.Namespace }} + annotations: + {{- $dashboardURL := (trimSuffix "/" (required "auth.openshift.dashboardURL field is required" .Values.auth.openshift.dashboardURL)) -}} + {{- if (not (hasSuffix .Release.Name $dashboardURL)) }} + {{ fail "auth.openshift.dashboardURL should end with the K10's release name" }} + {{- end }} + serviceaccounts.openshift.io/oauth-redirecturi.dex: {{ printf "%s/dex/callback" $dashboardURL }} +{{- end }} diff --git a/charts/kasten/k10/7.0.1401/templates/v0services.yaml b/charts/kasten/k10/7.0.1401/templates/v0services.yaml new file mode 100644 index 000000000..8a744cfe3 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/templates/v0services.yaml @@ -0,0 +1,200 @@ +{{/* Template to generate service spec for v0 rest services */}} +{{- $container_port := .Values.service.internalPort -}} +{{- $service_port := .Values.service.externalPort -}} +{{- $aggregated_api_port := .Values.service.aggregatedApiPort -}} +{{- $postfix := default .Release.Name .Values.ingress.urlPath -}} +{{- $colocated_services := include "get.enabledColocatedServices" . | fromYaml -}} +{{- $exposed_services := include "get.enabledExposedServices" . | splitList " " -}} +{{- $os_postfix := default .Release.Name .Values.route.path -}} +{{- $main_context := . -}} +{{ $service_list := append (include "get.enabledRestServices" . | splitList " ") "frontend" }} +{{- range $service_list }} + {{- $exposed_service := (has . $exposed_services) }} + {{- $mc_exposed_service := (eq . "controllermanager") }} + {{ if not (hasKey $colocated_services . ) }} +apiVersion: v1 +kind: Service +metadata: + namespace: {{ $.Release.Namespace }} + name: {{ . }}-svc + labels: +{{ include "helm.labels" $ | indent 4 }} + component: {{ . }} + run: {{ . }}-svc +{{- if not (include "k10.capability.gateway" $) }} +{{- if or $exposed_service (eq . "frontend") $mc_exposed_service }} + annotations: + getambassador.io/config: | + {{- if or $exposed_service (eq . "frontend") }} + --- + apiVersion: getambassador.io/v3alpha1 + kind: Mapping + name: {{ . }}-mapping + {{- if $.Values.route.enabled }} + {{- if eq . "frontend" }} + prefix: /{{ $os_postfix | trimPrefix "/" | trimSuffix "/" }}/ + {{- else }} + prefix: /{{ $os_postfix | trimPrefix "/" | trimSuffix "/" }}/{{ . }}-svc/ + {{- end }} + {{- else }} + {{- if eq . "frontend" }} + prefix: /{{ $postfix | trimPrefix "/" | trimSuffix "/" }}/ + {{- else }} + prefix: /{{ $postfix | trimPrefix "/" | trimSuffix "/" }}/{{ . }}-svc/ + {{- end }} + {{- end }} + rewrite: / + service: {{ . }}-svc.{{ $.Release.Namespace }}:{{ $service_port }} + timeout_ms: 30000 + hostname: "*" + ambassador_id: [ {{ include "k10.ambassadorId" . }} ] + {{- end }} + {{- $colocatedList := include "get.enabledColocatedSvcList" $main_context | fromYaml }} + {{- range $skip, $secondary := index $colocatedList . }} + {{- $colocConfig := index (include "get.enabledColocatedServices" $main_context | fromYaml) $secondary }} + {{- if (has $secondary $exposed_services) }} + --- + apiVersion: getambassador.io/v3alpha1 + kind: Mapping + name: {{ $secondary }}-mapping + prefix: /{{ $postfix | trimPrefix "/" | trimSuffix "/" }}/{{ $secondary }}-svc/ + rewrite: / + service: {{ $colocConfig.primary }}-svc.{{ $.Release.Namespace }}:{{ $colocConfig.port }} + timeout_ms: 30000 + hostname: "*" + ambassador_id: [ {{ include "k10.ambassadorId" . }} ] + {{- end }} + {{- end }} + {{- if $mc_exposed_service }} + --- + apiVersion: getambassador.io/v3alpha1 + kind: Mapping + name: {{ . }}-mc-mapping + {{- if $.Values.route.enabled }} + prefix: /{{ $os_postfix | trimPrefix "/" | trimSuffix "/" }}/mc/ + {{- else }} + prefix: /{{ $postfix | trimPrefix "/" | trimSuffix "/" }}/mc/ + {{- end }} + rewrite: / + service: {{ . }}-svc.{{ $.Release.Namespace }}:{{ include "k10.mcExternalPort" nil }} + timeout_ms: 30000 + hostname: "*" + ambassador_id: [ {{ include "k10.ambassadorId" . }} ] + {{- end }} +{{- end }} +{{- end }} +spec: + ports: + - name: http + protocol: TCP + port: {{ $service_port }} + targetPort: {{ $container_port }} + {{- if and (eq . "controllermanager") ($.Values.injectKanisterSidecar.enabled) }} + - name: https + protocol: TCP + port: 443 + targetPort: {{ $.Values.injectKanisterSidecar.webhookServer.port }} + {{- end }} +{{- $colocatedList := include "get.enabledColocatedSvcList" $main_context | fromYaml }} +{{- range $skip, $secondary := index $colocatedList . }} + {{- $colocConfig := index (include "get.enabledColocatedServices" $main_context | fromYaml) $secondary }} + - name: {{ $secondary }} + protocol: TCP + port: {{ $colocConfig.port }} + targetPort: {{ $colocConfig.port }} +{{- end }} +{{- if eq . "logging" }} + - name: logging + protocol: TCP + port: 24224 + targetPort: 24224 + - name: logging-metrics + protocol: TCP + port: 24225 + targetPort: 24225 +{{- end }} +{{- if eq . "controllermanager" }} + - name: mc-http + protocol: TCP + port: {{ include "k10.mcExternalPort" nil }} + targetPort: {{ include "k10.mcExternalPort" nil }} +{{- end }} + selector: + run: {{ . }}-svc +--- + {{ end }}{{/* if not (hasKey $colocated_services $k10_service ) */}} +{{ end -}}{{/* range append (include "get.enabledRestServices" . | splitList " ") "frontend" */}} +{{- range append (include "get.enabledServices" . | splitList " ") "kanister" }} +{{- if eq . "gateway" -}}{{- continue -}}{{- end -}} +apiVersion: v1 +kind: Service +metadata: + namespace: {{ $.Release.Namespace }} + name: {{ . }}-svc + labels: +{{ include "helm.labels" $ | indent 4 }} + component: {{ . }} + run: {{ . }}-svc +spec: + ports: + {{- if eq . "aggregatedapis" }} + - name: http + port: 443 + protocol: TCP + targetPort: {{ $aggregated_api_port }} + {{- else }} + - name: http + protocol: TCP + port: {{ $service_port }} + targetPort: {{ $container_port }} + {{- end }} +{{- $colocatedList := include "get.enabledColocatedSvcList" $main_context | fromYaml }} +{{- range $skip, $secondary := index $colocatedList . }} + {{- $colocConfig := index (include "get.enabledColocatedServices" . | fromYaml) $secondary }} + - name: {{ $secondary }} + protocol: TCP + port: {{ $colocConfig.port }} + targetPort: {{ $colocConfig.port }} +{{- end }} + selector: + run: {{ . }}-svc +--- +{{ end -}} +{{- if eq (include "check.dexAuth" .) "true" }} +apiVersion: v1 +kind: Service +metadata: +{{- if not (include "k10.capability.gateway" $) }} + annotations: + getambassador.io/config: | + --- + apiVersion: getambassador.io/v3alpha1 + kind: Mapping + name: dex-mapping + {{- if $.Values.route.enabled }} + prefix: /{{ $os_postfix | trimPrefix "/" | trimSuffix "/" }}/dex/ + {{- else }} + prefix: /{{ $postfix | trimPrefix "/" | trimSuffix "/" }}/dex/ + {{- end }} + rewrite: "" + service: dex.{{ $.Release.Namespace }}:8000 + timeout_ms: 30000 + hostname: "*" + ambassador_id: [ {{ include "k10.ambassadorId" . }} ] +{{- end }} + name: dex + namespace: {{ $.Release.Namespace }} + labels: +{{ include "helm.labels" $ | indent 4 }} + component: dex + run: auth-svc +spec: + ports: + - name: http + port: {{ $service_port }} + protocol: TCP + targetPort: 8080 + selector: + run: auth-svc + type: ClusterIP +{{ end -}} diff --git a/charts/kasten/k10/7.0.1401/templates/workloadIdentityFederation.tpl b/charts/kasten/k10/7.0.1401/templates/workloadIdentityFederation.tpl new file mode 100644 index 000000000..75296e98b --- /dev/null +++ b/charts/kasten/k10/7.0.1401/templates/workloadIdentityFederation.tpl @@ -0,0 +1,10 @@ +{{/* +This file is used to fail the helm deployment if Workload Identity settings are not +compatible. +*/}} +{{- include "validate.gwif.idp.type" . -}} +{{- include "validate.gwif.idp.aud" . -}} + + + + diff --git a/charts/kasten/k10/7.0.1401/templates/{values}/grafana/values/grafana_values.tpl b/charts/kasten/k10/7.0.1401/templates/{values}/grafana/values/grafana_values.tpl new file mode 100644 index 000000000..3203a6c62 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/templates/{values}/grafana/values/grafana_values.tpl @@ -0,0 +1,278 @@ +{{/* + With some of K10's features being provided by external Helm charts, those Helm + charts need to be configured to work with K10. + + Unfortunately, some of the values needed to configure the subcharts aren't + accessible to the subcharts (only global.* and chart_name.* are accessible). + + This means the values need to be duplicated, making the configuration of K10 + quite cumbersome for users (the same setting has to be provided in multiple + places, making it easy to misconfigure one thing or another). + + Alternatively, the subchart's templates could be customized to read global.* + values instead. However, this means upgrading the subchart is quite burdensome + since the customizations have to be re-applied to the upgraded chart. This is + even less tenable with the frequency with which chart updates are needed. + + With this in mind, this template was specially crafted to be able to read K10 + values and update the values that will be passed to the subchart. + + --- + + To accomplish this, Helm's template parsing and rendering order is exploited. + + Helm allows parent charts to override templates in subcharts. This is done by + parsing templates with lower precedence first (templates that are more deeply + nested than others). This allows templates with higher precedence to redefine + templates with lower precedence. + + Helm also renders templates in this same order. This template exploits this + ordering in order to set subchart values before the subchart's templates are + rendered, having the same effect as the user setting the values. + + WARNING: The name and directory structure of this template was carefully + selected to ensure that it is rendered before other templates! +*/}} + +{{- if .Values.grafana.enabled }} +{{- $grafana_prefix := printf "%s/grafana/" (include "k10.prefixPath" $) -}} +{{- $grafana_scoped_values := (dict "Chart" (dict "Name" "grafana") "Release" .Release "Values" .Values.grafana) -}} + +{{- /*** GRAFANA LABELS ***/ -}} +{{- /* Merge global pod labels with any grafana-specific labels, where the latter is of highest priority */ -}} +{{- $podLabels := merge (dict) (dict "component" "grafana") (.Values.grafana.podLabels | default dict) (.Values.global.podLabels) -}} + +{{- /* Merge global pod annotations with any grafana-specific annotations, where the latter is of highest priority */ -}} +{{- $podAnnotations := merge (dict) (.Values.grafana.podAnnotations | default dict) (.Values.global.podAnnotations) -}} +{{- if .Values.scc.create -}} + {{- $podAnnotations = merge (dict "openshift.io/required-scc" (printf "%s-grafana" .Release.Name)) $podAnnotations -}} +{{- end -}} +{{- $_ := mergeOverwrite .Values.grafana + (dict + "extraLabels" (dict + "app.kubernetes.io/name" (include "grafana.name" $grafana_scoped_values) + "app.kubernetes.io/instance" .Release.Name + "component" "grafana" + ) + "podLabels" $podLabels + "podAnnotations" $podAnnotations + ) +-}} + +{{- /*** GRAFANA SERVER CONFIGURATION ***/ -}} +{{- $_ := mergeOverwrite (index .Values.grafana "grafana.ini") + (dict + "auth" (dict + "disable_login_form" true + "disable_signout_menu" true + ) + "auth.basic" (dict + "enabled" false + ) + "auth.anonymous" (dict + "enabled" true + ) + "server" (dict + "root_url" $grafana_prefix + ) + ) +-}} +{{- $authAnonymous := index .Values.grafana "grafana.ini" "auth.anonymous" -}} +{{- $_ := set $authAnonymous "org_name" ($authAnonymous.org_name | default "Main Org.") -}} +{{- $_ := set $authAnonymous "org_role" ($authAnonymous.org_role | default "Admin") -}} + +{{- /*** GRAFANA DEPLOYMENT STRATEGY ***/ -}} +{{- $_ := set .Values.grafana.deploymentStrategy "type" "Recreate" -}} + +{{- /*** GRAFANA NETWORKING POLICY ***/ -}} +{{- $_ := set .Values.grafana.networkPolicy "enabled" true -}} + +{{- /*** GRAFANA TEST FRAMEWORK ***/ -}} +{{- $_ := set .Values.grafana.testFramework "enabled" false -}} + +{{- /*** GRAFANA RBAC ***/ -}} +{{- $_ := set .Values.grafana.rbac "namespaced" true -}} + +{{- /*** K10 PROMETHEUS DATASOURCE ***/ -}} +{{- $_ := set .Values.grafana.datasources + "datasources.yaml" (dict + "apiVersion" 1 + "datasources" (list + (dict + "access" "proxy" + "editable" false + "isDefault" true + "name" "Prometheus" + "type" "prometheus" + "url" (printf "http://%s-exp%s" (include "k10.prometheus.service.name" $) .Values.prometheus.server.baseURL) + "jsonData" (dict + "timeInterval" "1m" + ) + ) + ) + ) +-}} + +{{- /*** K10 DASHBOARD ***/ -}} +{{- $_ := set .Values.grafana.dashboards + "default" (dict + "default" (dict + "json" (.Files.Get "grafana/dashboards/default/default.json") + ) + ) +-}} + +{{- $_ := mergeOverwrite (index .Values.grafana "grafana.ini") + (dict + "dashboards" (dict + "default_home_dashboard_path" "/var/lib/grafana/dashboards/default/default.json" + ) + ) +-}} + +{{- $_ := set .Values.grafana.dashboardProviders + "dashboardproviders.yaml" (dict + "apiVersion" 1 + "providers" (list + (dict + "name" "default" + "orgId" 1 + "folder" "" + "type" "file" + "disableDeletion" true + "editable" false + "options" (dict + "path" "/var/lib/grafana/dashboards" + ) + ) + ) + ) +-}} + +{{- /*** K10 PERSISTENCE *** + - global.persistence.enabled + - global.persistence.accessMode + - global.persistence.storageClass + - global.persistence.grafana.size + - global.persistence.size +*/ -}} +{{- if .Values.global.persistence.enabled -}} + {{ $grafana_storage_class := dict }} + {{- if eq .Values.global.persistence.storageClass "-" -}} + {{ $grafana_storage_class = (dict "storageClassName" "") }} + {{- else if .Values.global.persistence.storageClass -}} + {{ $grafana_storage_class = (dict "storageClassName" .Values.global.persistence.storageClass) }} + {{- end -}} + + {{- $_ := mergeOverwrite .Values.grafana.persistence + $grafana_storage_class + (dict + "enabled" true + "accessModes" (list .Values.global.persistence.accessMode) + "size" (.Values.global.persistence.grafana.size | default .Values.global.persistence.size) + ) + -}} +{{- end -}} + +{{- /*** K10 IMAGE PULL SECRETS *** + - secrets.dockerConfig + - secrets.dockerConfigPath + - global.imagePullSecret +*/ -}} +{{- $image_pull_secrets := list -}} +{{- if .Values.global.imagePullSecret -}} + {{- $image_pull_secrets = append $image_pull_secrets .Values.global.imagePullSecret -}} +{{- end -}} +{{- if (or .Values.secrets.dockerConfig .Values.secrets.dockerConfigPath) -}} + {{ $image_pull_secrets = append $image_pull_secrets "k10-ecr" -}} +{{- end -}} +{{- $image_pull_secrets = $image_pull_secrets | compact | uniq -}} + +{{- if $image_pull_secrets -}} + {{- $image_pull_secrets = concat (.Values.grafana.image.pullSecrets | default list) $image_pull_secrets -}} + {{- $_ := set .Values.grafana.image "pullSecrets" $image_pull_secrets -}} +{{- end -}} + +{{- /*** K10 GRAFANA IMAGE *** + - global.airgapped.repository + - global.image.registry + - global.image.tag + - global.images.grafana +*/ -}} +{{- $grafana_image := (dict + "registry" (.Values.global.airgapped.repository | default .Values.global.image.registry) + "repository" "grafana" + "tag" (include "get.k10ImageTag" $) +) -}} +{{- if .Values.global.images.grafana -}} + {{- $grafana_image_args := (dict "image" .Values.global.images.grafana "path" "global.images.grafana") -}} + {{- $grafana_image = (include "k10.splitImage" $grafana_image_args) | fromJson -}} +{{- end -}} + +{{- if .Values.global.azMarketPlace -}} + {{- $grafana_image = ( dict + "registry" .Values.global.azure.images.grafana.registry + "repository" .Values.global.azure.images.grafana.image + "tag" .Values.global.azure.images.grafana.tag + ) + -}} +{{- end -}} + +{{- $_ := set .Values.grafana.image "registry" $grafana_image.registry -}} +{{- $_ := set .Values.grafana.image "repository" $grafana_image.repository -}} +{{- $_ := set .Values.grafana.image "tag" $grafana_image.tag -}} +{{- $_ := set .Values.grafana.image "sha" $grafana_image.sha -}} + +{{- /*** K10 INIT IMAGE *** + - global.airgapped.repository + - global.image.registry + - global.image.tag + - global.images.init +*/ -}} +{{- $init_image := (dict + "registry" (.Values.global.airgapped.repository | default .Values.global.image.registry) + "repository" "init" + "tag" (include "get.k10ImageTag" $) +) -}} + +{{- if .Values.global.images.init -}} + {{- $init_image_args := (dict "image" .Values.global.images.init "path" "global.images.init") -}} + {{- $init_image = (include "k10.splitImage" $init_image_args) | fromJson -}} +{{- end -}} + +{{- if .Values.global.azMarketPlace -}} + {{- $init_image = ( dict + "registry" .Values.global.azure.images.init.registry + "repository" .Values.global.azure.images.init.image + "tag" .Values.global.azure.images.init.tag + ) + -}} +{{- end -}} + +{{- $_ := set .Values.grafana.downloadDashboardsImage "registry" $init_image.registry -}} +{{- $_ := set .Values.grafana.downloadDashboardsImage "repository" $init_image.repository -}} +{{- $_ := set .Values.grafana.downloadDashboardsImage "tag" $init_image.tag -}} +{{- $_ := set .Values.grafana.downloadDashboardsImage "sha" $init_image.sha -}} + +{{- $_ := set .Values.grafana.initChownData.image "registry" $init_image.registry -}} +{{- $_ := set .Values.grafana.initChownData.image "repository" $init_image.repository -}} +{{- $_ := set .Values.grafana.initChownData.image "tag" $init_image.tag -}} +{{- $_ := set .Values.grafana.initChownData.image "sha" $init_image.sha -}} + +{{- /*** K10 SERVICE ***/ -}} +{{- $_ := set .Values.grafana.service.annotations + "getambassador.io/config" (dict + "apiVersion" "getambassador.io/v3alpha1" + "kind" "Mapping" + "name" "grafana-server-mapping" + "prefix" $grafana_prefix + "rewrite" "/" + "service" (printf "%s-grafana:%0.f" .Release.Name .Values.grafana.service.port) + "timeout_ms" 15000 + "hostname" "*" + "ambassador_id" (list + (include "k10.ambassadorId" nil | replace "\"" "") + ) + | toYaml) +-}} +{{- end }} diff --git a/charts/kasten/k10/7.0.1401/templates/{values}/prometheus/charts/{charts}/values/prometheus_values.tpl b/charts/kasten/k10/7.0.1401/templates/{values}/prometheus/charts/{charts}/values/prometheus_values.tpl new file mode 100644 index 000000000..fbf1f2ef6 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/templates/{values}/prometheus/charts/{charts}/values/prometheus_values.tpl @@ -0,0 +1,186 @@ +{{/* + With some of K10's features being provided by external Helm charts, those Helm + charts need to be configured to work with K10. + + Unfortunately, some of the values needed to configure the subcharts aren't + accessible to the subcharts (only global.* and chart_name.* are accessible). + + This means the values need to be duplicated, making the configuration of K10 + quite cumbersome for users (the same setting has to be provided in multiple + places, making it easy to misconfigure one thing or another). + + Alternatively, the subchart's templates could be customized to read global.* + values instead. However, this means upgrading the subchart is quite burdensome + since the customizations have to be re-applied to the upgraded chart. This is + even less tenable with the frequency with which chart updates are needed. + + With this in mind, this template was specially crafted to be able to read K10 + values and update the values that will be passed to the subchart. + + --- + + To accomplish this, Helm's template parsing and rendering order is exploited. + + Helm allows parent charts to override templates in subcharts. This is done by + parsing templates with lower precedence first (templates that are more deeply + nested than others). This allows templates with higher precedence to redefine + templates with lower precedence. + + Helm also renders templates in this same order. This template exploits this + ordering in order to set subchart values before the subchart's templates are + rendered, having the same effect as the user setting the values. + + WARNING: The name and directory structure of this template was carefully + selected to ensure that it is rendered before other templates! +*/}} + +{{- if .Values.prometheus.server.enabled }} +{{- $prometheus_scoped_values := (dict "Chart" (dict "Name" "prometheus") "Release" .Release "Values" .Values.prometheus) -}} + +{{- $prometheus_name := (include "prometheus.name" $prometheus_scoped_values) -}} +{{- $prometheus_prefix := "/k10/prometheus/" -}} +{{- $release_name := .Release.Name -}} + +{{- /*** PROMETHEUS LABELS ***/ -}} +{{- $_ := mergeOverwrite .Values.prometheus + (dict + "commonMetaLabels" (dict + "app.kubernetes.io/name" $prometheus_name + "app.kubernetes.io/instance" $release_name + ) + ) +-}} + +{{- /*** PROMETHEUS SERVER OVERRIDES ***/ -}} +{{- $fullnameOverride := .Values.prometheus.server.fullnameOverride | default "prometheus-server" -}} +{{- $clusterRoleNameOverride := .Values.prometheus.server.clusterRoleNameOverride | default (printf "%s-%s" .Release.Name $fullnameOverride) -}} + +{{- /* Merge global pod labels with any prometheus-specific labels, where the latter is of highest priority */ -}} +{{- $podLabels := merge (dict) (.Values.prometheus.server.podLabels | default dict) (.Values.global.podLabels) -}} + +{{- /* Merge global pod labels with any prometheus-specific annotations, where the latter is of highest priority */ -}} +{{- $podAnnotations := merge (dict) (.Values.prometheus.server.podAnnotations | default dict) (.Values.global.podAnnotations) -}} +{{- if .Values.scc.create -}} + {{- $podAnnotations = merge (dict "openshift.io/required-scc" (printf "%s-prometheus-server" .Release.Name)) $podAnnotations -}} +{{- end -}} +{{- $_ := mergeOverwrite .Values.prometheus.server + (dict + "baseURL" (.Values.prometheus.server.baseURL | default $prometheus_prefix) + "prefixURL" (.Values.prometheus.server.prefixURL | default $prometheus_prefix | trimSuffix "/") + + "clusterRoleNameOverride" $clusterRoleNameOverride + "configMapOverrideName" "k10-prometheus-config" + "fullnameOverride" $fullnameOverride + "podLabels" $podLabels + "podAnnotations" $podAnnotations + ) +-}} + +{{- /*** K10 PROMETHEUS CONFIGMAP-RELOAD IMAGE *** + - global.airgapped.repository + - global.image.registry + - global.image.tag + - global.images.configmap-reload +*/ -}} +{{- $prometheus_configmap_reload_image := (dict + "registry" (.Values.global.airgapped.repository | default .Values.global.image.registry) + "repository" "configmap-reload" + "tag" (include "get.k10ImageTag" $) +) -}} + +{{- if (index .Values.global.images "configmap-reload") -}} + {{- $prometheus_configmap_reload_image = ( + include "k10.splitImage" (dict + "image" (index .Values.global.images "configmap-reload") + "path" "global.images.configmap-reload" + ) + ) | fromJson + -}} +{{- end -}} + +{{- if .Values.global.azMarketPlace -}} + {{- $prometheus_configmap_reload_image = (dict + "registry" .Values.global.azure.images.configmapreload.registry + "repository" .Values.global.azure.images.configmapreload.image + "tag" .Values.global.azure.images.configmapreload.tag + ) + -}} +{{- end -}} + +{{- $_ := mergeOverwrite .Values.prometheus.configmapReload.prometheus.image + (dict + "repository" (list $prometheus_configmap_reload_image.registry $prometheus_configmap_reload_image.repository | compact | join "/") + "tag" $prometheus_configmap_reload_image.tag + "digest" $prometheus_configmap_reload_image.digest + ) +-}} + +{{- /*** K10 PROMETHEUS SERVER IMAGE *** + - global.airgapped.repository + - global.image.registry + - global.image.tag + - global.images.prometheus +*/ -}} +{{- $prometheus_server_image := (dict + "registry" (.Values.global.airgapped.repository | default .Values.global.image.registry) + "repository" "prometheus" + "tag" (include "get.k10ImageTag" $) +) -}} +{{- if .Values.global.images.prometheus -}} + {{- $prometheus_server_image = ( + include "k10.splitImage" (dict + "image" .Values.global.images.prometheus + "path" "global.images.prometheus" + ) + ) | fromJson + -}} +{{- end -}} + +{{- if .Values.global.azMarketPlace -}} + {{- $prometheus_server_image = ( dict + "registry" .Values.global.azure.images.prometheus.registry + "repository" .Values.global.azure.images.prometheus.image + "tag" .Values.global.azure.images.prometheus.tag + ) + -}} +{{- end -}} + +{{- $_ := mergeOverwrite .Values.prometheus.server.image + (dict + "repository" (list $prometheus_server_image.registry $prometheus_server_image.repository | compact | join "/") + "tag" $prometheus_server_image.tag + "digest" $prometheus_server_image.digest + ) +-}} + +{{- /*** K10 IMAGE PULL SECRETS *** + - secrets.dockerConfig + - secrets.dockerConfigPath + - global.imagePullSecret +*/ -}} +{{- $image_pull_secret_names := list -}} +{{- if .Values.global.imagePullSecret -}} + {{- $image_pull_secret_names = append $image_pull_secret_names .Values.global.imagePullSecret -}} +{{- end -}} +{{- if (or .Values.secrets.dockerConfig .Values.secrets.dockerConfigPath) -}} + {{ $image_pull_secret_names = append $image_pull_secret_names "k10-ecr" -}} +{{- end -}} +{{- $image_pull_secret_names = $image_pull_secret_names | compact | uniq -}} + +{{- if $image_pull_secret_names -}} + {{- $image_pull_secrets := .Values.prometheus.imagePullSecrets | default list -}} + {{- range $name := $image_pull_secret_names -}} + {{- $image_pull_secrets = append $image_pull_secrets (dict "name" $name) -}} + {{- end -}} + {{- $_ := set .Values.prometheus "imagePullSecrets" $image_pull_secrets -}} +{{- end -}} + +{{- /*** K10 PERSISTENCE *** + - global.persistence.storageClass +*/ -}} +{{- $_ := mergeOverwrite .Values.prometheus.server.persistentVolume + (dict + "storageClass" (.Values.prometheus.server.persistentVolume.storageClass | default .Values.global.persistence.storageClass) + ) +-}} +{{- end }} diff --git a/charts/kasten/k10/7.0.1401/triallicense b/charts/kasten/k10/7.0.1401/triallicense new file mode 100644 index 000000000..cfe6dd46b --- /dev/null +++ b/charts/kasten/k10/7.0.1401/triallicense @@ -0,0 +1 @@ +Y3VzdG9tZXJOYW1lOiB0cmlhbHN0YXJ0ZXItbGljZW5zZQpkYXRlRW5kOiAnMjEwMC0wMS0wMVQwMDowMDowMC4wMDBaJwpkYXRlU3RhcnQ6ICcyMDIwLTAxLTAxVDAwOjAwOjAwLjAwMFonCmZlYXR1cmVzOgogIHRyaWFsOiBudWxsCmlkOiB0cmlhbC0wOWY4MzE5Zi0xODBmLTRhOTAtOTE3My1kOTJiNzZmMTgzNWUKcHJvZHVjdDogSzEwCnJlc3RyaWN0aW9uczoKICBub2RlczogNTAwCnNlcnZpY2VBY2NvdW50S2V5OiBudWxsCnZlcnNpb246IHYxLjAuMApzaWduYXR1cmU6IEYxbnVLUFV5STJtbDJGMmV1VHdGOXNZRTZMVU5rQ3ZiR2tTV1ZkT0ZqdERCb1B6SjUyVWFsVkFmRjVmQUxpcm5BcVhkcERnYi9YcnpxSEYrTE0xS2pEMVdXUFd0ZUdXNFc1anBPSFN0T296Y0c5M0pUUHF5M2l6TVk3RmczZVFLYTZzWDhBdnFwOXArWXVBMWNwTENlQ2dsR2dnOTVzSUFmYmRMMTBmV2d2RmR6QUt4dUZLN2psRzVtbG1CRVF5R0hrYWdoZFIrVGxzeUNTNEFkbXVBOEZodVUwZnRBdXN0b1M3R2JKd1BuTFI3STFZY1Q4OW8wU2xRZEJ2Yjg2QzdKbm1OdnY0aHhiSUo5TTJvWGJPSnQ4ZnBNcjhNWFR6YWRMTWJzSndhZ3VBVHlNUWF2cExHNXRPb0U2ZE1uMVlFVDZLdWZiYy9NdThVRDVYYXlDYTdkZz09Cg== diff --git a/charts/kasten/k10/7.0.1401/values.schema.json b/charts/kasten/k10/7.0.1401/values.schema.json new file mode 100644 index 000000000..04188d11f --- /dev/null +++ b/charts/kasten/k10/7.0.1401/values.schema.json @@ -0,0 +1,3126 @@ +{ + "$schema": "https://json-schema.org/draft/2019-09/schema", + "type": "object", + "properties": { + "rbac": { + "type": "object", + "title": "RBAC configuration", + "description": "Create RBAC seetings", + "properties": { + "create": { + "title": "Enable RBAC creation", + "description": "Toggle RBAC resource creation", + "type": "boolean", + "default": true + } + } + }, + "serviceAccount": { + "type": "object", + "title": "ServiceAccount details", + "description": "Configure ServiceAccount", + "properties": { + "create": { + "type": "boolean", + "default": true, + "title": "Create a ServiceAccount", + "description": "Specifies whether a ServiceAccount should be created" + }, + "name": { + "type": "string", + "default": "", + "title": "The name of the ServiceAccount", + "description": "The name of the ServiceAccount to use. If not set and create is true, a name is derived using the release and chart names" + } + } + }, + "scc": { + "type": "object", + "title": "Security Context Constraints details", + "description": "Configure Security Context Constraints", + "properties": { + "create": { + "type": "boolean", + "default": false, + "title": "Create K10 SSC", + "description": "Whether to create a SecurityContextConstraints for K10 ServiceAccounts" + }, + "priority": { + "type": "integer", + "default": 0, + "title": "SCC priority", + "description": "Sets the SecurityContextConstraints priority" + } + } + }, + "networkPolicy": { + "type": "object", + "title": "NetworkPolicy details", + "description": "Configure NetworkPolicy", + "properties": { + "create": { + "type": "boolean", + "default": true, + "title": "Create NetworkPolicies", + "description": "Whether to create NetworkPolicies for the K10 services" + } + } + }, + "global": { + "type": "object", + "title": "Global settings", + "properties": { + "image": { + "type": "object", + "title": "K10 image configurations", + "description": "Change K10 image settings", + "properties": { + "registry": { + "type": "string", + "default": "gcr.io/kasten-images", + "title": "K10 image registry", + "description": "Change default K10 image registry" + }, + "tag": { + "type": "string", + "default": "", + "title": "K10 image tag", + "description": "Change default K10 tag" + }, + "pullPolicy": { + "type": "string", + "default": "Always", + "title": "Container images pullPolicy", + "description": "Change default pullPolicy for all the images", + "enum": [ + "IfNotPresent", + "Always", + "Never" + ] + } + } + }, + "airgapped": { + "type": "object", + "title": "Airgapped offline installation", + "description": "Configure Airgapped offline installation", + "properties": { + "repository": { + "type": "string", + "default": "", + "title": "helm repository", + "description": "The helm repository for offline (airgapped) installation" + } + } + }, + "persistence": { + "type": "object", + "title": "Persistent Volume global details", + "description": "Configure global settings for Persistent Volume", + "properties": { + "mountPath": { + "type": "string", + "default": "/mnt/k10state", + "title": "Persistent Volume global mount path", + "description": "Change default path for Persistent Volume mount" + }, + "enabled": { + "type": "boolean", + "default": true, + "title": "Enable Persistent Volume", + "description": "Create Persistent Volumes" + }, + "storageClass": { + "type": "string", + "default": "", + "title": "Persistent Volume global Storageclass", + "description": "If set to '-', dynamic provisioning is disabled. If undefined (the default) or set to null, the default provisioner is used. (e.g gp2 on AWS, standard on GKE, AWS & OpenStack)" + }, + "accessMode": { + "type": "string", + "default": "ReadWriteOnce", + "title": "Persistent Volume global AccessMode", + "description": "Change default AccessMode for Persistent Volumes", + "enum": [ + "ReadWriteOnce", + "ReadOnlyMany", + "ReadWriteMany" + ] + }, + "size": { + "type": "string", + "default": "20Gi", + "title": "Persistent Volume size", + "description": "Change default size for Persistent Volumes" + }, + "metering": { + "type": "object", + "title": "Metering service Persistent Volume details", + "description": "Configure Persistence Volume for metering service", + "properties": { + "size": { + "type": "string", + "default": "2Gi", + "title": "Metering service Persistent Volume size", + "description": "If not set, global.persistence.size is used" + } + } + }, + "catalog": { + "type": "object", + "title": "Catalog service Persistent Volume details", + "description": "Configure Persistence Volume for catalog service", + "properties": { + "size": { + "type": "string", + "default": "", + "title": "Catalog service Persistent Volume size", + "description": "If not set, global.persistence.size is used." + } + } + }, + "jobs": { + "type": "object", + "title": "Jobs service Persistent Volume details", + "description": "Configure Persistence Volume for jobs service", + "properties": { + "size": { + "type": "string", + "default": "", + "title": "Jobs service Persistent Volume size", + "description": "If not set, global.persistence.size is used." + } + } + }, + "logging": { + "type": "object", + "title": "Logging service Persistent Volume details", + "description": "Configure Persistence Volume for logging service", + "properties": { + "size": { + "type": "string", + "default": "", + "title": "Logging service Persistent Volume size", + "description": "If not set, global.persistence.size is used." + } + } + }, + "grafana": { + "type": "object", + "title": "Grafana service Persistent Volume details", + "description": "Configure Persistence Volume for grafana service", + "properties": { + "size": { + "type": "string", + "default": "5Gi", + "title": "Grafana service Persistent Volume size", + "description": "If not set, global.persistence.size is used." + } + } + } + } + }, + "podLabels": { + "type": "object", + "default": {}, + "title": "Custom labels to be set to all Kasten pods", + "description": "Configures custom pod labels to be set to all Kasten pods.", + "examples": [ + { + "foo": "bar" + } + ] + }, + "podAnnotations": { + "type": "object", + "default": {}, + "title": "Custom annotations to be set to all Kasten pods", + "description": "Configures custom pod annotations to be set to all Kasten pods.", + "examples": [ + { + "foo": "bar" + } + ] + }, + "rhMarketPlace": { + "type": "boolean", + "default": false, + "title": "RedHat marketplace config", + "description": "Set it to true while generating helm operator" + }, + "images": { + "type": "object", + "title": "Global image settings", + "properties": { + "aggregatedapis": { + "type": "string", + "default": "", + "title": "Aggregatedapis service container image", + "description": "Used for packaging RedHat Operator. Setting this flag along with global.rhMarketPlace=true overrides the default image name. This flag is only for internal purposes. If not set, the image name is formed with '(global.airgapped.repository)|(global.image.registry)/:(Chart.AppVersion)|(image.tag)'" + }, + "auth": { + "type": "string", + "default": "", + "title": "Auth service container image", + "description": "Used for packaging RedHat Operator. Setting this flag along with global.rhMarketPlace=true overrides the default image name. This flag is only for internal purposes. If not set, the image name is formed with '(global.airgapped.repository)|(global.image.registry)/:(Chart.AppVersion)|(image.tag)'" + }, + "bloblifecyclemanager": { + "type": "string", + "default": "", + "title": "Bloblifecyclemanager service container image", + "description": "Used for packaging RedHat Operator. Setting this flag along with global.rhMarketPlace=true overrides the default image name. This flag is only for internal purposes. If not set, the image name is formed with '(global.airgapped.repository)|(global.image.registry)/:(Chart.AppVersion)|(image.tag)'" + }, + "catalog": { + "type": "string", + "default": "", + "title": "Catalog service container image", + "description": "Used for packaging RedHat Operator. Setting this flag along with global.rhMarketPlace=true overrides the default image name. This flag is only for internal purposes. If not set, the image name is formed with '(global.airgapped.repository)|(global.image.registry)/:(Chart.AppVersion)|(image.tag)'" + }, + "configmap-reload": { + "type": "string", + "title": "Configmap-reload service container image", + "default": "", + "description": "Used for packaging RedHat Operator. Setting this flag along with global.rhMarketPlace=true overrides the default image name. This flag is only for internal purposes." + }, + "controllermanager": { + "type": "string", + "default": "", + "title": "Controllermanager service container image", + "description": "Used for packaging RedHat Operator. Setting this flag along with global.rhMarketPlace=true overrides the default image name. This flag is only for internal purposes. If not set, the image name is formed with '(global.airgapped.repository)|(global.image.registry)/:(Chart.AppVersion)|(image.tag)'" + }, + "crypto": { + "type": "string", + "default": "", + "title": "Crypto service container image", + "description": "Used for packaging RedHat Operator. Setting this flag along with global.rhMarketPlace=true overrides the default image name. This flag is only for internal purposes. If not set, the image name is formed with '(global.airgapped.repository)|(global.image.registry)/:(Chart.AppVersion)|(image.tag)'" + }, + "dashboardbff": { + "type": "string", + "default": "", + "title": "Dashboardbff service container image", + "description": "Used for packaging RedHat Operator. Setting this flag along with global.rhMarketPlace=true overrides the default image name. This flag is only for internal purposes. If not set, the image name is formed with '(global.airgapped.repository)|(global.image.registry)/:(Chart.AppVersion)|(image.tag)'" + }, + "datamover": { + "type": "string", + "default": "", + "title": "Datamover service container image", + "description": "Used for packaging RedHat Operator. Setting this flag along with global.rhMarketPlace=true overrides the default image name. This flag is only for internal purposes." + }, + "dex": { + "type": "string", + "default": "", + "title": "Dex service container image", + "description": "Used for packaging RedHat Operator. Setting this flag along with global.rhMarketPlace=true overrides the default image name. This flag is only for internal purposes." + }, + "emissary": { + "type": "string", + "default": "", + "title": "Emissary service container image", + "description": "Used for packaging RedHat Operator. Setting this flag along with global.rhMarketPlace=true overrides the default image name. This flag is only for internal purposes. If not set, the image name is formed with '(global.airgapped.repository)|(global.image.registry)/:(Chart.AppVersion)|(image.tag)'" + }, + "events": { + "type": "string", + "default": "", + "title": "Events service container image", + "description": "Used for packaging RedHat Operator. Setting this flag along with global.rhMarketPlace=true overrides the default image name. This flag is only for internal purposes. If not set, the image name is formed with '(global.airgapped.repository)|(global.image.registry)/:(Chart.AppVersion)|(image.tag)'" + }, + "executor": { + "type": "string", + "default": "", + "title": "Executor service container image", + "description": "Used for packaging RedHat Operator. Setting this flag along with global.rhMarketPlace=true overrides the default image name. This flag is only for internal purposes. If not set, the image name is formed with '(global.airgapped.repository)|(global.image.registry)/:(Chart.AppVersion)|(image.tag)'" + }, + "frontend": { + "type": "string", + "default": "", + "title": "Frontend service container image", + "description": "Used for packaging RedHat Operator. Setting this flag along with global.rhMarketPlace=true overrides the default image name. This flag is only for internal purposes. If not set, the image name is formed with '(global.airgapped.repository)|(global.image.registry)/:(Chart.AppVersion)|(image.tag)'" + }, + "gateway": { + "type": "string", + "default": "", + "title": "Gateway service container image", + "description": "Used for packaging RedHat Operator. Setting this flag along with global.rhMarketPlace=true overrides the default image name. This flag is only for internal purposes. If not set, the image name is formed with '(global.airgapped.repository)|(global.image.registry)/:(Chart.AppVersion)|(image.tag)'" + }, + "grafana": { + "type": "string", + "title": "Grafana service container image", + "default": "", + "description": "Used for packaging RedHat Operator. Setting this flag along with global.rhMarketPlace=true overrides the default image name. This flag is only for internal purposes." + }, + "init": { + "type": "string", + "title": "Generic init container image", + "default": "", + "description": "Used for packaging RedHat Operator. Setting this flag along with global.rhMarketPlace=true overrides the default image name. This flag is only for internal purposes." + }, + "jobs": { + "type": "string", + "default": "", + "title": "Jobs service container image", + "description": "Used for packaging RedHat Operator. Setting this flag along with global.rhMarketPlace=true overrides the default image name. This flag is only for internal purposes. If not set, the image name is formed with '(global.airgapped.repository)|(global.image.registry)/:(Chart.AppVersion)|(image.tag)'" + }, + "kanister-tools": { + "type": "string", + "default": "", + "title": "Kanister-tools service container image", + "description": "Kanister-tools service container image contains set of tools, required for all kanister related operations. It is used for debug, troubleshooting, primer purposes as well" + }, + "kanister": { + "type": "string", + "default": "", + "title": "Kanister service container image", + "description": "Used for packaging RedHat Operator. Setting this flag along with global.rhMarketPlace=true overrides the default image name. This flag is only for internal purposes. If not set, the image name is formed with '(global.airgapped.repository)|(global.image.registry)/:(Chart.AppVersion)|(image.tag)'" + }, + "k10tools": { + "type": "string", + "default": "", + "title": "k10tools service container image", + "description": "Used for packaging RedHat Operator. Setting this flag along with global.rhMarketPlace=true overrides the default image name. This flag is only for internal purposes. If not set, the image name is formed with '(global.airgapped.repository)|(global.image.registry)/:(Chart.AppVersion)|(image.tag)'" + }, + "logging": { + "type": "string", + "default": "", + "title": "Logging service container image", + "description": "Used for packaging RedHat Operator. Setting this flag along with global.rhMarketPlace=true overrides the default image name. This flag is only for internal purposes. If not set, the image name is formed with '(global.airgapped.repository)|(global.image.registry)/:(Chart.AppVersion)|(image.tag)'" + }, + "metering": { + "type": "string", + "default": "", + "title": "Metering service container image", + "description": "Used for packaging RedHat Operator. Setting this flag along with global.rhMarketPlace=true overrides the default image name. This flag is only for internal purposes. If not set, the image name is formed with '(global.airgapped.repository)|(global.image.registry)/:(Chart.AppVersion)|(image.tag)'" + }, + "ocpconsoleplugin": { + "type": "string", + "default": "", + "title": "OpenShift Console Plugin container image", + "description": "Used for packaging RedHat Operator. Setting this flag along with global.rhMarketPlace=true overrides the default image name. This flag is only for internal purposes. If not set, the image name is formed with '(global.airgapped.repository)|(global.image.registry)/:(Chart.AppVersion)|(image.tag)'" + }, + "paygo_daemonset": { + "type": "string", + "default": "", + "title": "Paygo_daemonset service container image", + "description": "Used for packaging RedHat Operator. Setting this flag along with global.rhMarketPlace=true overrides the default image name. This flag is only for internal purposes." + }, + "prometheus": { + "type": "string", + "default": "", + "title": "Prometheus service container image", + "description": "Used for packaging RedHat Operator. Setting this flag along with global.rhMarketPlace=true overrides the default image name. This flag is only for internal purposes." + }, + "repositories": { + "type": "string", + "default": "", + "title": "Repositories service container image", + "description": "Used for packaging RedHat Operator. Setting this flag along with global.rhMarketPlace=true overrides the default image name. This flag is only for internal purposes. If not set, the image name is formed with '(global.airgapped.repository)|(global.image.registry)/:(Chart.AppVersion)|(image.tag)'" + }, + "state": { + "type": "string", + "default": "", + "title": "State service container image", + "description": "Used for packaging RedHat Operator. Setting this flag along with global.rhMarketPlace=true overrides the default image name. This flag is only for internal purposes. If not set, the image name is formed with '(global.airgapped.repository)|(global.image.registry)/:(Chart.AppVersion)|(image.tag)'" + }, + "upgrade": { + "type": "string", + "default": "", + "title": "Upgrade service container image", + "description": "Used for packaging RedHat Operator. Setting this flag along with global.rhMarketPlace=true overrides the default image name. This flag is only for internal purposes. If not set, the image name is formed with '(global.airgapped.repository)|(global.image.registry)/:(Chart.AppVersion)|(image.tag)'" + }, + "vbrintegrationapi": { + "type": "string", + "default": "", + "title": "Vbrintegrationapi service container image", + "description": "Used for packaging RedHat Operator. Setting this flag along with global.rhMarketPlace=true overrides the default image name. This flag is only for internal purposes." + }, + "garbagecollector": { + "type": "string", + "default": "", + "title": "Garbagecollector service container image", + "description": "Used for packaging RedHat Operator. Setting this flag along with global.rhMarketPlace=true overrides the default image name. This flag is only for internal purposes." + }, + "metric-sidecar": { + "type": "string", + "default": "", + "title": "Metric-sidecar service container image", + "description": "Used for packaging RedHat Operator. Setting this flag along with global.rhMarketPlace=true overrides the default image name. This flag is only for internal purposes." + } + } + }, + "imagePullSecret": { + "type": "string", + "default": "", + "title": "Container image pull secret", + "description": "Secret which contains docker config for private repository. Use `k10-ecr` when secrets.dockerConfigPath is used." + }, + "prometheus": { + "type": "object", + "title": "Prometheus settings", + "description": "Global prometheus settings", + "properties": { + "external": { + "type": "object", + "title": "External prometheus settings", + "description": "Configure prometheus", + "properties": { + "host": { + "type": "string", + "default": "", + "title": "External prometheus host name", + "description": "Set prometheus host name" + }, + "port": { + "type": "string", + "default": "", + "title": "External prometheus port number", + "description": "Set prometheus port number" + }, + "baseURL": { + "type": "string", + "default": "", + "title": "External prometheus baseURL", + "description": "Set prometheus baseURL" + } + } + } + } + }, + "network": { + "type": "object", + "title": "Network settings", + "description": "Global network settings", + "properties": { + "enable_ipv6": { + "type": "boolean", + "default": false, + "title": "Enable ipv6", + "description": "Set true to enable ipv6" + } + } + } + } + }, + "route": { + "type": "object", + "title": "OpenShift route configuration", + "description": "Configure OpenShift Route", + "properties": { + "enabled": { + "type": "boolean", + "default": false, + "title": "Exposed dashboard via route", + "description": "Whether the K10 dashboard should be exposed via route" + }, + "host": { + "type": "string", + "default": "", + "title": "Host name", + "description": "Set Host name for the route" + }, + "path": { + "type": "string", + "default": "", + "title": "Route path", + "description": "Set Path for the route" + }, + "annotations": { + "type": "object", + "default": {}, + "title": "Route annotations", + "description": "Set annotations for the route", + "examples": [ + { + "kubernetes.io/tls-acme": "true", + "haproxy.router.openshift.io/disable_cookies": "true", + "haproxy.router.openshift.io/balance": "roundrobin" + } + ] + }, + "labels": { + "type": "object", + "default": {}, + "title": "Route label", + "description": "Set Labels for the route resource", + "examples": [ + { + "foo": "bar" + } + ] + }, + "tls": { + "type": "object", + "title": "Route TLS configuration", + "description": "Set TLS configuration for the route", + "properties": { + "enabled": { + "type": "boolean", + "default": false, + "title": "Enable TLS", + "description": "Whether to enable TLS" + }, + "insecureEdgeTerminationPolicy": { + "type": "string", + "default": "Redirect", + "title": "Route Termination Policy", + "description": "What to do in case of an insecure traffic edge termination", + "enum": [ + "None", + "Allow", + "Redirect", + "" + ] + }, + "termination": { + "type": "string", + "default": "edge", + "title": "Termination Schema", + "description": "Set termination Schema", + "enum": [ + "edge", + "passthrough", + "reencrypt" + ] + } + } + } + } + }, + "dexImage": { + "type": "object", + "title": "Dex image config", + "description": "Specify Dex image config", + "properties": { + "registry": { + "type": "string", + "default": "ghcr.io", + "title": "Dex image registry", + "description": "Change default image registry for Dex images" + }, + "repository": { + "type": "string", + "default": "dexidp", + "title": "Dex image repository", + "description": "Change default image repository for Dex images" + }, + "image": { + "type": "string", + "default": "dex", + "title": "Dex image name", + "description": "Change default image name for Dex images" + } + } + }, + "kanisterToolsImage": { + "type": "object", + "title": "kanister tools image config", + "description": "Set kanister tools image config", + "properties": { + "registry": { + "type": "string", + "default": "ghcr.io", + "title": "kanister-tools image registry", + "description": "Change default image registry for kanister-tools images" + }, + "repository": { + "type": "string", + "default": "kanisterio", + "title": "kanister-tools image repository", + "description": "Change default image repository for kanister-tools images" + }, + "image": { + "type": "string", + "default": "kanister-tools", + "title": "Kanister tools image name", + "description": "Change default image name for kanister-tools images" + }, + "pullPolicy": { + "type": "string", + "default": "Always", + "title": "Kanister tools image pullPolicy", + "description": "Change kanister-tools image pullPolicy", + "enum": [ + "IfNotPresent", + "Always", + "Never" + ] + } + } + }, + "ingress": { + "type": "object", + "title": "Ingress configuration", + "description": "Add ingress resource configuration", + "properties": { + "annotations": { + "type": "object", + "default": {}, + "title": "Ingress annotations", + "description": "Add optional annotations to the Ingress resource" + }, + "create": { + "type": "boolean", + "default": false, + "title": "Expose dashboard via ingress", + "description": "whether the K10 dashboard should be exposed via ingress" + }, + "tls": { + "type": "object", + "title": "TLS configuration for ingress", + "description": "Set TLS configuration for ingress", + "properties": { + "enabled": { + "type": "boolean", + "default": false, + "title": "Enable TLS", + "description": "Configures a TLS use for ingress.host" + }, + "secretName": { + "type": "string", + "default": "", + "title": "Optional TLS secret name", + "description": "Specifies the name of the secret to configure ingress.tls[].secretName" + } + } + }, + "name": { + "type": "string", + "default": "", + "title": "Ingress name", + "description": "Optional name of the Ingress object for the K10 dashboard." + }, + "class": { + "type": "string", + "default": "", + "title": "Ingress controller class", + "description": "Cluster ingress controller class: nginx, GCE" + }, + "host": { + "type": "string", + "default": "", + "title": "Ingress host name", + "description": "FQDN for name-based virtual host", + "examples": [ + "/k10.example.com" + ] + }, + "urlPath": { + "type": "string", + "default": "", + "title": "Ingress URL path", + "description": "URL path for K10 Dashboard", + "examples": [ + "/k10" + ] + }, + "pathType": { + "type": "string", + "default": "ImplementationSpecific", + "title": "Ingress path type", + "description": "Set the path type for the ingress resource", + "enum": [ + "Exact", + "Prefix", + "ImplementationSpecific" + ] + }, + "defaultBackend": { + "type": "object", + "title": "Ingress default backend", + "description": "Optional default backend for the Ingress object.", + "properties": { + "service": { + "type": "object", + "title": "Ingress default backend service", + "description": "A service referenced by the default backend (mutually exclusive with `resource`).", + "properties": { + "enabled": { + "type": "boolean", + "default": false, + "title": "Enable service default backend.", + "description": "Enable the default backend backed by a service." + }, + "name": { + "type": "string", + "default": "", + "title": "Service name", + "description": "Name of a service referenced by the default backend." + }, + "port": { + "type": "object", + "title": "Service port", + "description": "A port of a service referenced by the default backend.", + "properties": { + "name": { + "type": "string", + "default": "", + "title": "Port name", + "description": "Port name of a service referenced by the default backend (mutually exclusive with `number`)." + }, + "number": { + "type": "integer", + "default": 0, + "title": "Port number", + "description": "Port number of a service referenced by the default backend (mutually exclusive with `name`)." + } + } + } + } + }, + "resource": { + "type": "object", + "title": "Ingress default backend resource", + "description": "A resource referenced by the default backend (mutually exclusive with `service`).", + "properties": { + "enabled": { + "type": "boolean", + "default": false, + "title": "Enable resource default backend.", + "description": "Enable the default backend backed by a resource." + }, + "apiGroup": { + "type": "string", + "default": "", + "title": "Resource API group", + "description": "Optional API group of a resource referenced by the default backend.", + "examples": [ + "k8s.example.com" + ] + }, + "kind": { + "type": "string", + "default": "", + "title": "Resource kind", + "description": "Type of a resource referenced by the default backend.", + "examples": [ + "StorageBucket" + ] + }, + "name": { + "type": "string", + "default": "", + "title": "Resource name", + "description": "Name of a resource referenced by the default backend." + } + } + } + } + } + } + }, + "eula": { + "type": "object", + "title": "EULA configuration", + "properties": { + "accept": { + "type": "boolean", + "default": false, + "title": "Enable accept EULA before installation", + "description": "An End-User license agreement (EULA) is a legal agreement that grants a user a license to use an application or software. Users must consent to the EULA before purchasing, installing, or downloading an application or software owned by the service provider." + } + } + }, + "license": { + "type": "string", + "default": "", + "title": "License from Kasten", + "description": "Add license string obtained from Kasten" + }, + "cluster": { + "type": "object", + "title": "Cluster configuration", + "description": "Set cluster configuration", + "properties": { + "domainName": { + "type": "string", + "default": "", + "title": "Domain name of the cluster", + "description": "Set domain name of the cluster" + } + } + }, + "multicluster": { + "type": "object", + "title": "Multi-cluster configuration", + "description": "Configure the multi-cluster system", + "properties": { + "enabled": { + "type": "boolean", + "default": true, + "title": "Enable the multi-cluster system", + "description": "Choose whether to enable the multi-cluster system components and capabilities" + }, + "primary": { + "type": "object", + "title": "Multi-cluster primary configuration", + "description": "Configure multi-cluster primary", + "properties": { + "create": { + "type": "boolean", + "default": false, + "title": "Setup cluster as a multi-cluster primary", + "description": "Choose whether to setup cluster as a multi-cluster primary" + }, + "name": { + "type": "string", + "default": "", + "title": "Primary cluster name", + "description": "Choose the cluster name for multi-cluster primary" + }, + "ingressURL": { + "type": "string", + "default": "", + "title": "Primary cluster dashboard URL", + "description": "Choose the dashboard URL for the multi-cluster primary; e.g. https://cluster-name.domain/k10" + } + } + } + } + }, + "prometheus": { + "type": "object", + "title": "Internal Prometheus configuration", + "description": "Configure internal Prometheus", + "properties": { + "rbac": { + "type": "object", + "title": "Prometheus rbac", + "description": "Configure Prometheus rbac resources", + "properties": { + "create": { + "type": "boolean", + "default": false, + "title": "Enable Prometheus rbac. Warning - cluster wide permissions", + "description": "Choose whether to create Prometheus RBAC configuration. Warning: Enabling this action will allow Prometheus permission to scrape pods in all K8s namespaces." + } + } + }, + "server": { + "type": "object", + "title": "Prometheus Server", + "description": "Configure Prometheus Server", + "properties": { + "enabled": { + "type": "boolean", + "default": true, + "title": "Enable Prometheus server", + "description": "Create Prometheus server" + }, + "securityContext": { + "type": "object", + "title": "Prometheus server securityContext", + "description": "Configure Prometheus server securityContext", + "properties": { + "runAsUser": { + "type": "integer", + "default": 65534, + "title": "runAsUser ID", + "description": "Set securityContext runAsUser ID" + }, + "runAsNonRoot": { + "type": "boolean", + "default": true, + "title": "Enable runAsNonRoot", + "description": "Enable securityContext runAsNonRoot" + }, + "runAsGroup": { + "type": "integer", + "default": 65534, + "title": "runAsGroup ID", + "description": "Set securityContext runAsGroup ID" + }, + "fsGroup": { + "type": "integer", + "default": 65534, + "title": "fsGroup ID", + "description": "Set securityContext fsGroup ID" + } + } + }, + "retention": { + "type": "string", + "default": "30d", + "title": "Prometheus retention", + "description": "Set retention period for Prometheus" + }, + "persistentVolume": { + "type": "object", + "title": "Prometheus persistent volume", + "description": "Configure Prometheus persistent volume", + "properties": { + "storageClass": { + "type": "string", + "default": "", + "title": "StorageClassName used to create Prometheus PVC", + "description": "Setting this option overwrites global StorageClass value" + } + } + }, + "fullnameOverride": { + "type": "string", + "default": "prometheus-server", + "title": "Prometheus server deployment name", + "description": "Override default Prometheus server deployment name" + }, + "baseURL": { + "type": "string", + "default": "/k10/prometheus/", + "title": "Prometheus external url path", + "description": "Prometheus external url path at which the server can be accessed" + }, + "prefixURL": { + "type": "string", + "default": "/k10/prometheus", + "title": "Prometheus prefix slug", + "description": "Prometheus prefix slug at which the server can be accessed" + } + } + } + } + }, + "jaeger": { + "type": "object", + "title": "Jaeger configuration", + "description": "Jaeger tracing settings", + "properties": { + "enabled": { + "type": "boolean", + "default": false, + "title": "Enable Jaeger tracing", + "description": "Set true to enable Jaeger tracing" + }, + "agentDNS": { + "type": "string", + "default": "", + "title": "Jaeger agentDNS", + "description": "Set agentDNS for Jaeger tracing" + } + } + }, + "service": { + "type": "object", + "title": "K10 K8s services config", + "properties": { + "externalPort": { + "type": "integer", + "default": 8000, + "title": "externalPort for K10 services", + "description": "Override default 8000 externalPort for K10 services" + }, + "internalPort": { + "type": "integer", + "default": 8000, + "title": "internalPort for K10 services", + "description": "Override default 8000 internalPort for K10 services" + }, + "aggregatedApiPort": { + "type": "integer", + "default": 10250, + "title": "aggregatedApiPort for aggapi service", + "description": "Override default 10250 port for aggapi service" + }, + "gatewayAdminPort": { + "type": "integer", + "default": 8877, + "title": "Gateway admin port", + "description": "Override default 8877 gateway admin port" + } + } + }, + "secrets": { + "type": "object", + "title": "K10 secrets", + "description": "K10 secrets configuration", + "properties": { + "awsAccessKeyId": { + "type": "string", + "default": "", + "title": "AWS access key ID", + "description": "Set AWS access key ID required for AWS deployment" + }, + "awsSecretAccessKey": { + "type": "string", + "default": "", + "title": "AWS secret access key", + "description": "Set AWS access key secret" + }, + "awsIamRole": { + "type": "string", + "default": "", + "title": "AWS IAM Role", + "description": "ARN of the AWS IAM role assumed by K10 to perform any AWS operation" + }, + "awsClientSecretName": { + "type": "string", + "default": "", + "title": "Secret with AWS credentials and/or IAM Role", + "description": "Specify a Secret directly instead of having to provide awsAccessKeyId, awsSecretAccessKey and awsIamRole" + }, + "googleApiKey": { + "type": "string", + "default": "", + "title": "Google API Key", + "description": "Non-default base64 encoded GCP Service Account key" + }, + "googleProjectId": { + "type": "string", + "default": "", + "title": "Google Project ID", + "description": "Set Google Project ID other than the one in the GCP Service Account" + }, + "googleClientSecretName": { + "type": "string", + "default": "", + "title": "Secret with Google credentials", + "description": "Specify a Secret directly instead of having to provide googleApiKey and googleProjectId" + }, + "tlsSecret": { + "type": "string", + "default": "", + "title": "K8s TLS secret name contains for k10 Gateway service", + "description": "Specify a Secret directly instead of having to provide both the cert and key. This reduces the security risk a bit by not caching the certs and keys in the bash history." + }, + "dockerConfig": { + "type": "string", + "default": "", + "title": "Docker config", + "description": "base64 representation of your Docker credentials to pull docker images from a private registry" + }, + "dockerConfigPath": { + "type": "string", + "default": "", + "title": "Docker config path", + "description": "Path to Docker config file to create secret from" + }, + "azureTenantId": { + "type": "string", + "default": "", + "title": "Azure tenant ID", + "description": "Azure tenant ID required for Azure deployment" + }, + "azureClientId": { + "type": "string", + "default": "", + "title": "Azure client ID", + "description": "Azure Service App ID" + }, + "azureClientSecret": { + "type": "string", + "default": "", + "title": "Azure client Secret", + "description": "Azure Service APP secret" + }, + "azureClientSecretName": { + "type": "string", + "default": "", + "title": "Secret with Azure credentials", + "description": "Specify a Secret directly instead of having to provide azureClientId, azureTenantId and azureClientSecret" + }, + "azureResourceGroup": { + "type": "string", + "default": "", + "title": "Azure resource group", + "description": "Resource Group name that was created for the Kubernetes cluster" + }, + "azureSubscriptionID": { + "type": "string", + "default": "", + "title": "Azure subscription ID", + "description": "Subscription ID in your Azure tenant" + }, + "azureResourceMgrEndpoint": { + "type": "string", + "default": "", + "title": "Azure resource manager endpoint", + "description": "Resource management endpoint for the Azure Stack instance" + }, + "azureADEndpoint": { + "type": "string", + "default": "", + "title": "Azure AD endpoint", + "description": "Azure Active Directory login endpoint" + }, + "azureADResourceID": { + "type": "string", + "default": "", + "title": "Azure Active Directory resource ID", + "description": "Azure Active Directory resource ID to obtain AD tokens" + }, + "microsoftEntraIDEndpoint": { + "type": "string", + "default": "", + "title": "Microsoft Entra ID endpoint", + "description": "Microsoft Entra ID login endpoint" + }, + "microsoftEntraIDResourceID": { + "type": "string", + "default": "", + "title": "Microsoft Entra ID resource ID", + "description": "Microsoft Entra ID resource ID to obtain AD tokens" + }, + "azureCloudEnvID": { + "type": "string", + "default": "", + "title": "Azure Cloud Environment ID", + "description": "Azure Cloud Environment ID" + }, + "apiTlsCrt": { + "type": "string", + "default": "", + "title": "API TLS Certificate", + "description": "K8s API server TLS certificate" + }, + "apiTlsKey": { + "type": "string", + "default": "", + "title": "API TLS Key", + "description": "K8s API server TLS key" + }, + "vsphereEndpoint": { + "type": "string", + "default": "", + "title": "vSphere endpoint", + "description": "vSphere endpoint for login" + }, + "vsphereUsername": { + "type": "string", + "default": "", + "title": "", + "description": "" + }, + "vspherePassword": { + "type": "string", + "default": "", + "title": "vSphere password", + "description": "vSphere password for login" + }, + "vsphereClientSecretName": { + "type": "string", + "default": "", + "title": "Secret with vSphere credentials", + "description": "Specify a Secret directly instead of having to provide vsphereUsername, vspherePassword and vspherePassword" + } + } + }, + "metering": { + "type": "object", + "title": "Metering service config", + "description": "Metering service settings", + "properties": { + "reportingKey": { + "type": "string", + "default": "", + "title": "Reporting key", + "description": "Base64 encoded reporting key" + }, + "consumerId": { + "type": "string", + "default": "", + "title": "Consumer ID", + "description": "Consumer ID in the format project:" + }, + "awsRegion": { + "type": "string", + "default": "", + "title": "AWS Region", + "description": "Set AWS_REGION for metering service" + }, + "awsMarketPlaceIamRole": { + "type": "string", + "default": "", + "title": "AWS Marketplace IAM Role", + "description": "Set AWS marketplace IAM Role" + }, + "awsMarketplace": { + "type": "boolean", + "default": false, + "title": "AWS Marketplace", + "description": "Set AWS cloud metering license mode" + }, + "awsManagedLicense": { + "type": "boolean", + "default": false, + "title": "AWS managed license", + "description": "Set AWS managed license mode" + }, + "licenseConfigSecretName": { + "type": "string", + "default": "", + "title": "License config secret name", + "description": "AWS managed license config secret" + }, + "serviceAccount": { + "type": "object", + "title": "Metering service serviceAccount", + "description": "Configuration for metering service serviceAccount", + "properties": { + "create": { + "type": "boolean", + "default": false, + "title": "Create metering service serviceAccount", + "description": "Create metering service serviceAccount" + }, + "name": { + "type": "string", + "default": "", + "title": "Metering ServiceAccount name", + "description": "Set name for metering ServiceAccount" + } + } + }, + "mode": { + "type": "string", + "default": "", + "title": "Control license reporting", + "description": "Set to `airgap` for private-network installs" + }, + "redhatMarketplacePayg": { + "type": "boolean", + "default": false, + "title": "Red Hat cloud metering", + "description": "Set Red Hat cloud metering license mode" + }, + "reportCollectionPeriod": { + "type": "integer", + "default": 1800, + "title": "Report collection period", + "description": "Metric report collection period (in seconds)" + }, + "reportPushPeriod": { + "type": "integer", + "default": 3600, + "title": "Report push period", + "description": "Metric report push period (in seconds)" + }, + "promoID": { + "type": "string", + "default": "", + "title": "K10 promotion ID", + "description": "K10 promotion ID from marketing campaigns" + } + } + }, + "clusterName": { + "type": "string", + "default": "", + "title": "Cluster name", + "description": "Cluster name for better logs visibility" + }, + "executorReplicas": { + "type": "integer", + "default": -1, + "deprecated": true, + "title": "Deprecated: Number of executor service pod replicas", + "description": "Deprecated. Please use 'limiter.executorReplicas' parameter" + }, + "logLevel": { + "type": "string", + "default": "info", + "title": "Log level", + "description": "Change default log level" + }, + "externalGateway": { + "type": "object", + "title": "External gateway", + "description": "Configure external gateway for K10 API services", + "properties": { + "create": { + "type": "boolean", + "default": false, + "title": "Enable external gateway", + "description": "Create external gateway service" + }, + "annotations": { + "type": "object", + "title": "The annotations Schema", + "default": {}, + "description": "Standard annotations for the services" + }, + "fqdn": { + "type": "object", + "title": "Host and domain name for the K10 API services", + "description": "Configure host and domain name for the K10 API services", + "properties": { + "name": { + "type": "string", + "default": "", + "title": "Domain name for the K10 API services", + "description": "Domain name for the K10 API services" + }, + "type": { + "type": "string", + "default": "", + "title": "Gateway type", + "description": "Supported gateway type: route53-mapper or external-dns", + "enum": ["", "route53-mapper", "external-dns"] + } + } + }, + "awsSSLCertARN": { + "type": "string", + "default": "", + "title": "AWS SSL Cert ARN", + "description": "ARN for the AWS ACM SSL certificate used in the K10 API server" + } + } + }, + "auth": { + "type": "object", + "title": "Authentication settings", + "description": "Configure K10 dashboard authentication", + "properties": { + "groupAllowList": { + "type": "array", + "default": [], + "items": { + "type": "string" + }, + "title": "List of groups allowed to access K10 dashboard", + "description": "A list of groups whose members are allowed access to K10's dashboard", + "examples": [ + [ + "group1", + "group2" + ] + ] + }, + "basicAuth": { + "type": "object", + "title": "Basic authentication for the K10 dashboard", + "description": "Configure basic authentication for the K10 dashboard", + "properties": { + "enabled": { + "title": "Enable basic authentication", + "description": "Enables basic authentication to the K10 dashboard that allows users to login with username and password", + "type": "boolean", + "default": false + }, + "secretName": { + "type": "string", + "default": "", + "title": "Secret with basic auth creds", + "description": "Name of an existing Secret that contains a file generated with htpasswd" + }, + "htpasswd": { + "type": "string", + "default": "", + "title": "Basic authentication creds", + "description": "A username and password pair separated by a colon character" + } + } + }, + "tokenAuth": { + "type": "object", + "title": "Token based authentication", + "description": "Configuration for Token based authentication for the K10 dashboard", + "properties": { + "enabled": { + "type": "boolean", + "default": false, + "title": "Enable token based authentication", + "description": "Enable token based authentication to access K10 dashboard" + } + } + }, + "oidcAuth": { + "type": "object", + "default": {}, + "title": "Open ID Connect based authentication", + "description": "Configuration for Open ID Connect based authentication for the K10 dashboard", + "properties": { + "enabled": { + "type": "boolean", + "default": false, + "title": "Enable Open ID Connect based authentication", + "description": "Enable Open ID Connect based authentication to access K10 dashboard" + }, + "providerURL": { + "type": "string", + "default": "", + "title": "OIDC Provider URL", + "description": "URL for the OIDC Provider" + }, + "redirectURL": { + "type": "string", + "default": "", + "title": "K10 gateway service URL", + "description": "URL to the K10 gateway service" + }, + "scopes": { + "type": "string", + "default": "", + "title": "OIDC scopes", + "description": "Space separated OIDC scopes required for userinfo", + "examples": [ + "profile email" + ] + }, + "prompt": { + "type": "string", + "title": "OIDC prompt type", + "description": "The type of prompt to be used during authentication", + "default": "select_account", + "enum": [ + "none", + "consent", + "login", + "select_account" + ] + }, + "clientID": { + "type": "string", + "default": "", + "title": "OIDC client ID", + "description": "Client ID given by the OIDC provider" + }, + "clientSecret": { + "type": "string", + "default": "", + "title": "OIDC client secret", + "description": "Client secret given by the OIDC provider" + }, + "clientSecretName": { + "type": "string", + "default": "", + "title": "Reference to secret", + "description": "Secret containing OIDC client ID and OIDC client secret" + }, + "usernameClaim": { + "type": "string", + "default": "", + "title": "OIDC username claim", + "description": "The claim to be used as the username" + }, + "usernamePrefix": { + "type": "string", + "default": "", + "title": "OIDC username prefix", + "description": "Prefix that has to be used with the username obtained from the username claim" + }, + "groupClaim": { + "type": "string", + "default": "", + "title": "OIDC group claim", + "description": "Name of a custom OpenID Connect claim for specifying user groups" + }, + "groupPrefix": { + "type": "string", + "default": "", + "title": "OIDC group prefix", + "description": "All groups will be prefixed with this value to prevent conflicts" + }, + "logoutURL": { + "type": "string", + "default": "", + "title": "OIDC logout endpoint", + "description": "URL to your OIDC provider's logout endpoint" + }, + "secretName": { + "type": "string", + "default": "", + "title": "OIDC config based existing secret", + "description": "Must include providerURL, redirectURL, scopes, clientID/secret and logoutURL" + }, + "sessionDuration": { + "type": "string", + "default": "1h", + "title": "OIDC session duration", + "description": "Maximum OIDC session duration. Default value is 1 hour" + }, + "refreshTokenSupport": { + "type": "boolean", + "default": false, + "title": "OIDC Refresh Token support", + "description": "Enable OIDC Refresh Token support. Disabled by default." + } + } + }, + "openshift": { + "type": "object", + "title": "OpenShift OAuth server based authentication", + "description": "OpenShift OAuth server based authentication for K10 dashboard", + "properties": { + "enabled": { + "type": "boolean", + "default": false, + "title": "Enable OpenShift OAuth server based authentication", + "description": "Enable OpenShift OAuth server based authentication to access K10 dashboard" + }, + "serviceAccount": { + "type": "string", + "default": "", + "title": "Service account that represents an OAuth client", + "description": "Name of the service account that represents an OAuth client" + }, + "clientSecret": { + "type": "string", + "default": "", + "title": "Service account token", + "description": "The token corresponding to the service account" + }, + "clientSecretName": { + "type": "string", + "default": "", + "title": "Service account token secret", + "description": "The secret that contains the token corresponding to the service account" + }, + "dashboardURL": { + "type": "string", + "default": "", + "title": "K10 dashboard URL", + "description": "The URL used for accessing K10's dashboard" + }, + "openshiftURL": { + "type": "string", + "default": "", + "title": "OpenShift URL", + "description": "The URL for accessing OpenShift's API server" + }, + "insecureCA": { + "type": "boolean", + "default": false, + "title": "Disable SSL verification of connections to OpenShift", + "description": "Set true to turn off SSL verification of connections to OpenShift" + }, + "useServiceAccountCA": { + "type": "boolean", + "default": false, + "title": "use the CA certificate corresponding to the Service Account", + "description": "Usually found at ``/var/run/secrets/kubernetes.io/serviceaccount/ca.crt``" + }, + "secretName": { + "type": "string", + "default": "", + "title": "The Kubernetes Secret that contains OIDC settings", + "description": "Specify Kubernetes Secret that contains OIDC settings" + }, + "usernameClaim": { + "type": "string", + "default": "email", + "title": "Username claim", + "description": "The claim to be used as the username" + }, + "usernamePrefix": { + "type": "string", + "default": "", + "title": "Username prefix", + "description": "Prefix that has to be used with the username obtained from the username claim" + }, + "groupnameClaim": { + "type": "string", + "default": "groups", + "title": "custom OpenID Connect claim name for specifying user groups", + "description": "Name of a custom OpenID Connect claim for specifying user groups" + }, + "groupnamePrefix": { + "type": "string", + "default": "", + "title": "User group name prefix", + "description": "Prefix for user group name" + }, + "caCertsAutoExtraction": { + "type": "boolean", + "default": true, + "title": "Enable the OCP CA certificates automatic extraction", + "description": "Enable the OCP CA certificates automatic extraction to the K10 namespace" + } + } + }, + "ldap": { + "type": "object", + "title": "Active Directory/LDAP based authentication ", + "description": "Active Directory/LDAP based authentication for the K10 dashboard", + "properties": { + "enabled": { + "type": "boolean", + "default": false, + "title": "Enable Active Directory/LDAP based authentication", + "description": "Enable Active Directory/LDAP based authentication to access K10 dashboard" + }, + "restartPod": { + "type": "boolean", + "default": false, + "title": "force a restart of the authentication service pod", + "description": "force a restart of the authentication service pod (useful when updating authentication config)" + }, + "dashboardURL": { + "type": "string", + "default": "", + "title": "K10 dashboard URL", + "description": "The URL used for accessing K10's dashboard" + }, + "host": { + "type": "string", + "default": "", + "title": "Host and port of the AD/LDAP server", + "description": "Host and optional port of the AD/LDAP server in the form `host:port`" + }, + "insecureNoSSL": { + "type": "boolean", + "default": false, + "title": "Insecure AD/LDAP host", + "description": "Set if the AD/LDAP host is not using TLS" + }, + "insecureSkipVerifySSL": { + "type": "boolean", + "default": false, + "title": "Skip SSL verification of connections to the AD/LDAP host", + "description": "Turn off SSL verification of connections to the AD/LDAP host" + }, + "startTLS": { + "type": "boolean", + "default": false, + "title": "TLS protocol", + "description": "When set to true, ldap:// is used to connect to the server followed by creation of a TLS session. When set to false, ldaps:// is used." + }, + "bindDN": { + "type": "string", + "default": "", + "title": "Username for connecting to the AD/LDAP host", + "description": "The Distinguished Name(username) used for connecting to the AD/LDAP host" + }, + "bindPW": { + "type": "string", + "default": "", + "title": "The password for `bindDN`", + "description": "The password corresponding to the `bindDN` for connecting to the AD/LDAP host" + }, + "bindPWSecretName": { + "type": "string", + "default": "", + "title": "Secret name containing the password", + "description": "Secret name containing the password corresponding to the `bindDN` for connecting to the AD/LDAP host" + }, + "userSearch": { + "type": "object", + "title": "User search config", + "description": "AD/LDAP user search config", + "properties": { + "baseDN": { + "type": "string", + "default": "", + "title": "The base username to start the AD/LDAP search from", + "description": "The base Distinguished Name to start the AD/LDAP search from" + }, + "filter": { + "type": "string", + "default": "", + "title": "filter to apply when searching", + "description": "Optional filter to apply when searching the directory" + }, + "username": { + "type": "string", + "default": "", + "title": "Username to search in the directory", + "description": "Attribute used for comparing user entries when searching the directory" + }, + "idAttr": { + "type": "string", + "default": "", + "title": "Attribute in a user's entry that should map to the user ID field in a token", + "description": "AD/LDAP attribute in a user's entry that should map to the user ID field in a token" + }, + "emailAttr": { + "type": "string", + "default": "", + "title": "Attribute in a user's entry that should map to the email field in a token", + "description": "AD/LDAP attribute in a user's entry that should map to the email field in a token" + }, + "nameAttr": { + "type": "string", + "default": "", + "title": "Attribute in a user's entry that should map to the name field in a token", + "description": "Attribute in a user's entry that should map to the name field in a token" + }, + "preferredUsernameAttr": { + "type": "string", + "default": "", + "title": "Attribute in a user's entry that should map to the preferred_username field in a token", + "description": "AD/LDAP attribute in a user's entry that should map to the preferred_username field in a token" + } + } + }, + "groupSearch": { + "type": "object", + "title": "AD/LDAP group search config", + "description": "AD/LDAP group search config", + "properties": { + "baseDN": { + "type": "string", + "default": "", + "title": "The base Distinguished Name", + "description": "The base Distinguished Name to start the AD/LDAP group search from" + }, + "filter": { + "type": "string", + "default": "", + "title": "Search filter", + "description": "filter to apply when searching the directory for groups" + }, + "userMatchers": { + "type": "array", + "items": { + "type": "object", + "properties": { + "userAttr": { + "type": "string", + "default": "", + "title": "Attribute in the user's entry", + "description": "Attribute in the user's entry that must match the groupAttr when searching for groups" + }, + "groupAttr": { + "type": "string", + "default": "", + "title": "Attribute in the group's entry", + "description": "Attribute in the group's entry that must match the userAttr when searching for groups" + } + } + }, + "default": [], + "title": "List of field pairs that are used to match a user to a group", + "description": "List of field pairs that are used to match a user to a group" + }, + "nameAttr": { + "type": "string", + "default": "", + "title": "Attribute that represents a group's name in the directory", + "description": "The AD/LDAP attribute that represents a group's name in the directory" + } + } + }, + "secretName": { + "type": "string", + "default": "", + "title": "The Kubernetes Secret with OIDC settings", + "description": "The Kubernetes Secret that contains OIDC settings" + }, + "usernameClaim": { + "type": "string", + "default": "email", + "title": "Username claim", + "description": "The claim to be used as the username" + }, + "usernamePrefix": { + "type": "string", + "default": "", + "title": "Username prefix", + "description": "Prefix that has to be used with the username obtained from the username claim" + }, + "groupnameClaim": { + "type": "string", + "default": "groups", + "title": "Name of a custom OpenID Connect claim for specifying user groups", + "description": "Name of a custom OpenID Connect claim for specifying user groups" + }, + "groupnamePrefix": { + "type": "string", + "default": "", + "title": "Group name prefix", + "description": "Prefix for user group name" + } + } + }, + "k10AdminUsers": { + "type": "array", + "items": { + "type": "string" + }, + "default": [], + "title": "Admin users list", + "description": "A list of users who are granted admin level access to K10's dashboard" + }, + "k10AdminGroups": { + "type": "array", + "items": { + "type": "string" + }, + "default": [], + "title": "Admin groups list", + "description": "A list of groups whose members are granted admin level access to K10's dashboard" + } + } + }, + "optionalColocatedServices": { + "type": "object", + "title": "Optional Colocated services config", + "description": "Settings to enable optional colocated services", + "properties": { + "vbrintegrationapi": { + "title": "VBRIntegratipnAPI service", + "description": "Settings for VBRIntegratipnAPI service", + "type": "object", + "properties": { + "enabled": { + "title": "Enable VBRIntegratipnAPI service", + "description": "Set true to enable VBRIntegratipnAPI service", + "type": "boolean", + "default": true + } + } + } + } + }, + "cacertconfigmap": { + "type": "object", + "title": "CA Certificate ConfigMap", + "description": "ConfigMap containing a certificate for a trusted root certificate authority", + "properties": { + "name": { + "title": "Name of the configmap", + "description": "Name of the K8s ConfigMap containing a certificate for a trusted root certificate authority", + "type": "string", + "default": "" + } + } + }, + "apiservices": { + "type": "object", + "title": "Skip APIService objects creation", + "describe": "Skip APIService objects creation if already exists", + "properties": { + "deployed": { + "type": "boolean", + "default": true, + "title": "Whether APIService object are deployed", + "description": "Set true if APIService objects exists. Setting false will recreate the objects" + } + } + }, + "injectKanisterSidecar": { + "type": "object", + "title": "Kanister sidecar injection for workload pods", + "description": "Configure Kanister sidecar injection for workload pods", + "properties": { + "enabled": { + "type": "boolean", + "default": false, + "title": "Enable Kanister sidecar injection for workload pods", + "description": "Set true to enable Kanister sidecar injection for workload pods" + }, + "namespaceSelector": { + "type": "object", + "title": "namespaceSelector config", + "description": "Configure namespaceSelector for namespace containing the workloads to inject Kansiter Sidecar", + "properties": { + "matchLabels": { + "type": "object", + "default": {}, + "title": "namespaceSelector matchLabels", + "description": "Set of labels to select namespaces in which sidecar injection is enabled for workloads" + } + } + }, + "objectSelector": { + "type": "object", + "title": "objectSelector config", + "description": "Configure objectSelector for the workloads to inject Kansiter Sidecar", + "properties": { + "matchLabels": { + "type": "object", + "default": {}, + "title": "objectSelector matchLabels", + "description": "Set of labels to filter workload objects in which the sidecar is injected" + } + } + }, + "webhookServer": { + "type": "object", + "title": "Sidecar injector webhook server", + "description": "Configure sidecar injector webhook server", + "properties": { + "port": { + "type": "integer", + "default": 8080, + "title": "Mutating webhook server port number", + "description": "Port number on which the mutating webhook server accepts request" + } + } + } + } + }, + "kanisterPodCustomLabels": { + "type": "string", + "default": "", + "title": "Kanister pod custom labels", + "description": "Custom labels for pods managed by Kanister" + }, + "kanisterPodCustomAnnotations": { + "type": "string", + "default": "", + "title": "Kanister pod custom annotations", + "description": "Custom annotations added to pods managed by Kanister" + }, + "features": { + "type": "object", + "title": "Feature flags", + "description": "Feature flags to be set by K10", + "properties": { + "backgroundMaintenanceRun": { + "type": "boolean", + "default": true, + "title": "Background maintenance feature", + "description": "Enable background maintenance runs by the repositories service" + } + } + }, + "kanisterPodMetricSidecar": { + "type": "object", + "deprecated": true, + "title": "Deprecated: Metric sidecar for ephemeral pods", + "description": "Deprecated. Use 'workerPodMetricSidecar' parameter instead", + "properties": { + "enabled": { + "type": "boolean", + "default": false, + "title": "Enable sidecar container", + "description": "Enable sidecar container for gathering metrics from ephemeral pods" + }, + "metricLifetime": { + "type": "string", + "default": "2m", + "title": "The period we check if there are metrics which should be removed", + "description": "The period we check if there are metrics which should be removed" + }, + "pushGatewayInterval": { + "type": "string", + "default": "30s", + "title": "Pushgateway metrics interval", + "description": "The interval of sending metrics into the Pushgateway" + }, + "resources": { + "type": "object", + "title": "Kanister pod metric sidecar resource config", + "description": "Configure resource requests and limits for kanister pod metric sidecar", + "properties": { + "requests": { + "type": "object", + "title": "Kanister pod metric sidecar resource requests", + "description": "Kanister pod metric sidecar resource requests configuration", + "properties": { + "memory": { + "type": "string", + "default": "", + "title": "Kanister pod metric sidecar memory request", + "description": "Kanister pod metric sidecar memory request", + "examples": [ + "1Gi" + ] + }, + "cpu": { + "type": "string", + "default": "", + "title": "Kanister pod metric sidecars cpu request", + "description": "Kanister pod metric sidecars cpu request", + "examples": [ + "1" + ] + } + } + }, + "limits": { + "type": "object", + "title": "Kanister pod metric sidecar resource limits", + "description": "Kanister pod metric sidecar resource limits configuration", + "properties": { + "memory": { + "type": "string", + "default": "", + "title": "Kanister pod metric sidecars memory limit", + "description": "Kanister pod metric sidecars memory limit", + "examples": [ + "1Gi" + ] + }, + "cpu": { + "type": "string", + "default": "", + "title": "Kanister pod metric sidecars cpu limit", + "description": "Kanister pod metric sidecars cpu limit", + "examples": [ + "1" + ] + } + } + } + } + } + } + }, + "workerPodMetricSidecar": { + "type": "object", + "title": "Metric sidecar for ephemeral pods", + "description": "Sidecar container for gathering metrics from ephemeral pods", + "properties": { + "enabled": { + "type": "boolean", + "default": true, + "title": "Enables a sidecar container for temporary worker Pods used to push Pod performance metrics to Prometheus", + "description": "Enables a sidecar container for temporary worker Pods used to push Pod performance metrics to Prometheus" + }, + "metricLifetime": { + "type": "string", + "default": "2m", + "title": "Specifies the period after which metrics for an individual worker Pod are removed from Prometheus ", + "description": "Specifies the period after which metrics for an individual worker Pod are removed from Prometheus " + }, + "pushGatewayInterval": { + "type": "string", + "default": "30s", + "title": "Specifies the frequency for pushing metrics into Prometheus", + "description": "Specifies the frequency for pushing metrics into Prometheus" + }, + "resources": { + "type": "object", + "title": "Specifies resource requests and limits for the temporary worker Pod metric sidecar", + "description": "Specifies resource requests and limits for the temporary worker Pod metric sidecar", + "properties": { + "requests": { + "type": "object", + "title": "Specifies resource requests for the temporary worker Pod metric sidecar", + "description": "Specifies resource requests for the temporary worker Pod metric sidecar", + "properties": { + "memory": { + "type": "string", + "default": "", + "title": "Temporary worker Pod metric sidecar memory request", + "description": "Temporary worker Pod metric sidecar memory request", + "examples": [ + "1Gi" + ] + }, + "cpu": { + "type": "string", + "default": "", + "title": "Temporary worker Pod metric sidecars cpu request", + "description": "Temporary worker Pod metric sidecars cpu request", + "examples": [ + "1" + ] + } + } + }, + "limits": { + "type": "object", + "title": "Specifies resource limits for the temporary worker Pod metric sidecar", + "description": "Specifies resource limits for the temporary worker Pod metric sidecar", + "properties": { + "memory": { + "type": "string", + "default": "", + "title": "Temporary worker Pod metric sidecars memory limit", + "description": "Temporary worker Pod metric sidecars memory limit", + "examples": [ + "1Gi" + ] + }, + "cpu": { + "type": "string", + "default": "", + "title": "Temporary worker Pod metric sidecars cpu limit", + "description": "Temporary worker Pod metric sidecars cpu limit", + "examples": [ + "1" + ] + } + } + } + } + } + } + }, + "genericStorageBackup": { + "type": "object", + "title": "Generic Storage backup activation config", + "properties": { + "token": { + "type": "string", + "title": "Generic volume snapshot activation token", + "description": "Token to enable generic volume snapshot", + "default": "" + } + } + }, + "genericVolumeSnapshot": { + "type": "object", + "title": "Generic Volume Snapshot restore pods config", + "description": "Specifies resource requests and limits for generic backup sidecar and all temporary Kasten worker Pods. Superseded by ActionPodSpec", + "properties": { + "resources": { + "type": "object", + "title": "Generic Volume Snapshot restore pod resource config", + "description": "Specifies resource requests for generic backup sidecar and all temporary Kasten worker Pods. Superseded by ActionPodSpec", + "properties": { + "requests": { + "type": "object", + "title": "Generic Volume Snapshot resource requests", + "description": "Generic Volume Snapshot resource requests configuration", + "properties": { + "memory": { + "type": "string", + "default": "", + "title": "Generic Volume Snapshot restore pods memory request", + "description": "Generic Volume Snapshot restore pods memory request", + "examples": [ + "1Gi" + ] + }, + "cpu": { + "type": "string", + "default": "", + "title": "Generic Volume Snapshot restore pods cpu request", + "description": "Generic Volume Snapshot restore pods cpu request", + "examples": [ + "1" + ] + } + } + }, + "limits": { + "type": "object", + "title": "Generic Volume Snapshot resource limits", + "description": "Specifies resource limits for generic backup sidecar and all temporary Kasten worker Pods. Superseded by ActionPodSpec", + "properties": { + "memory": { + "type": "string", + "default": "", + "title": "Generic Volume Snapshot restore pods memory limit", + "description": "Generic Volume Snapshot restore pods memory limit", + "examples": [ + "1Gi" + ] + }, + "cpu": { + "type": "string", + "default": "", + "title": "Generic Volume Snapshot restore pods cpu limit", + "description": "Generic Volume Snapshot restore pods cpu limit", + "examples": [ + "1" + ] + } + } + } + } + } + } + }, + "garbagecollector": { + "type": "object", + "title": "garbage collection", + "description": "Configure garbage collection settings", + "properties": { + "daemonPeriod": { + "type": "integer", + "default": 21600, + "title": "Garbage collection period", + "description": "Set garbage collection period (in seconds)" + }, + "keepMaxActions": { + "type": "integer", + "default": 1000, + "title": "Max actions to keep", + "description": "Sets maximum actions to keep" + }, + "actions": { + "type": "object", + "title": "action collectors config", + "description": "Configure action garbage collectors", + "properties": { + "enabled": { + "type": "boolean", + "default": false, + "title": "Enable action collectors", + "description": "Set true to enable action collectors" + } + } + } + } + }, + "resources": { + "type": "object", + "default": {}, + "title": "K10 pods resource config", + "description": "Resource management for K10 pods" + }, + "datastore": { + "type": "object", + "properties": { + "parallelUploads": { + "type": "integer", + "default": 8, + "title": "Parallelism for data store uploads", + "description": "Specifies how many files can be uploaded in parallel to the data store" + }, + "parallelDownloads": { + "type": "integer", + "default": 8, + "title": "Parallelism for data store downloads", + "description": "Specifies how many files can be downloaded in parallel from the data store" + } + } + }, + "defaultPriorityClassName": { + "type": "string", + "default": "", + "title": "Default priorityClassName", + "description": "Set the default priorityClassName for all K10 pods" + }, + "priorityClassName": { + "type": "object", + "default": {}, + "title": "K10 pods priorityClassName config", + "description": "Set priorityClassName for specific K10 pods" + }, + "services": { + "type": "object", + "title": "K10 services config", + "description": "Settings for K10 services", + "properties": { + "executor": { + "type": "object", + "title": "executor service config", + "description": "Configuration for K10 executor service", + "properties": { + "hostNetwork": { + "type": "boolean", + "default": false, + "title": "Enable node network usage", + "description": "Whether the executor pods may use the node network" + }, + "workerCount": { + "type": "integer", + "default": -1, + "deprecated": true, + "title": "Deprecated: Executor workers count", + "description": "Deprecated. Use 'limiter.executorThreads' parameter instead" + }, + "maxConcurrentRestoreCsiSnapshots": { + "type": "integer", + "default": -1, + "deprecated": true, + "title": "Deprecated: Concurrent restore CSI snapshots operations", + "description": "Deprecated. Use 'limiter.csiSnapshotRestoresPerAction' parameter instead" + }, + "maxConcurrentRestoreGenericVolumeSnapshots": { + "type": "integer", + "default": -1, + "deprecated": true, + "title": "Deprecated: Concurrent restore generic volume snapshots operations", + "description": "Deprecated. Use 'limiter.volumeRestoresPerAction' parameter instead" + }, + "maxConcurrentRestoreWorkloads": { + "type": "integer", + "default": -1, + "deprecated": true, + "title": "Deprecated: Concurrent restore workloads operations", + "description": "Deprecated. Use 'limiter.workloadRestoresPerAction' parameter instead" + } + } + }, + "dashboardbff": { + "type": "object", + "title": "dashboardbff service config", + "properties": { + "hostNetwork": { + "type": "boolean", + "default": false, + "title": "Enable node network usage", + "description": "Whether the dashboardbff pods may use the node network" + } + } + }, + "securityContext": { + "type": "object", + "title": "securityContext for K10 service containers", + "description": "Custom securityContext for K10 service containers", + "properties": { + "runAsUser": { + "type": "integer", + "default": 1000, + "title": "runAsUser ID", + "description": "User ID K10 service containers run as" + }, + "fsGroup": { + "type": "integer", + "default": 1000, + "title": "FSGroup ID", + "description": "FSGroup that owns K10 service container volumes" + }, + "runAsNonRoot": { + "type": "boolean", + "default": true, + "title": "RunAsNonRoot", + "description": "Indicates that K10 service containers should run as non-root user." + }, + "seccompProfile": { + "type": "object", + "title": "Seccomp Profile object", + "description": "Sets the Seccomp profile for K10 service containers", + "properties": { + "type": { + "type": "string", + "default": "RuntimeDefault", + "title": "Seccomp profile type", + "description": "Sets the Seccomp profile type for K10 service containers" + } + } + } + } + }, + "aggregatedapis": { + "type": "object", + "title": "K10 aggregatedapis service config", + "properties": { + "hostNetwork": { + "type": "boolean", + "default": false, + "title": "Enable node network usage", + "description": "Whether the aggregatedapis pods may use the node network" + } + } + } + } + }, + "siem": { + "type": "object", + "title": "siem", + "description": "siem settings", + "properties": { + "logging": { + "type": "object", + "title": "logging", + "description": "siem logging settings", + "properties": { + "cluster": { + "type": "object", + "title": "cluster", + "description": "In-cluster agent log slurping settings", + "properties": { + "enabled": { + "type": "boolean", + "default": true, + "title": "Enable in-cluster agent-based audit logging", + "description": "Enabled in-cluster agent-based audit logging for K10 events" + } + } + }, + "cloud": { + "type": "object", + "title": "cloud", + "description": "siem cloud logging settings", + "properties": { + "path": { + "type": "string", + "default": "k10audit/", + "title": "Directory path in cloud object storage for saving logs", + "description": "Directory path in cloud object storage for saving logs when writing K10 events" + }, + "awsS3": { + "type": "object", + "title": "awsS3", + "description": "AWS S3 log slurping settings", + "properties": { + "enabled": { + "type": "boolean", + "default": true, + "title": "Enable AWS S3 audit logging", + "description": "Enable AWS S3 audit logging for K10 events" + } + } + } + } + } + } + } + } + }, + "apigateway": { + "type": "object", + "title": "APIGateway", + "description": "APIGateway settings", + "properties": { + "serviceResolver": { + "type": "string", + "default": "dns", + "title": "Resolver used for service discovery", + "description": "The resolver used for service discovery in the API gateway", + "enum": [ + "dns", + "endpoint" + ] + } + } + }, + "limiter": { + "type": "object", + "title": "Limiter", + "description": "Limits set on several operations", + "properties": { + "concurrentSnapConversions": { + "type": "integer", + "default": -1, + "deprecated": true, + "title": "Deprecated: Concurrent snapshot conversions", + "description": "Deprecated. Use 'limiter.snapshotExportsPerAction' parameter instead" + }, + "snapshotExportsPerAction": { + "type": "integer", + "default": 3, + "title": "Per action limit of concurrent volume export operations", + "description": "Per action limit of concurrent volume export operations" + }, + "genericVolumeSnapshots": { + "type": "integer", + "default": -1, + "deprecated": true, + "title": "Deprecated: Concurrent generic volume snapshot creation", + "description": "Deprecated. Use 'limiter.genericVolumeBackupsPerCluster' parameter instead." + }, + "genericVolumeBackupsPerCluster": { + "type": "integer", + "default": 10, + "title": "Cluster-wide limit of concurrent Generic Volume Backup operations", + "description": "Cluster-wide limit of concurrent Generic Volume Backup operations" + }, + "genericVolumeCopies": { + "type": "integer", + "default": -1, + "deprecated": true, + "title": "Deprecated: Concurrent generic volume snapshot copy", + "description": "Deprecated. Use 'limiter.snapshotExportsPerCluster' parameter instead" + }, + "snapshotExportsPerCluster": { + "type": "integer", + "default": 10, + "title": "Cluster-wide limit of concurrent volume export operations", + "description": "Cluster-wide limit of concurrent volume export operations" + }, + "genericVolumeRestores": { + "type": "integer", + "default": -1, + "deprecated": true, + "title": "Deprecated: Concurrent generic volume snapshot restore", + "description": "Deprecated. Use 'limiter.volumeRestoresPerCluster' parameter instead" + }, + "volumeRestoresPerCluster": { + "type": "integer", + "default": 10, + "title": "Cluster-wide limit of concurrent volume restore operations", + "description": "Cluster-wide limit of concurrent volume restore operations from exported backups" + }, + "csiSnapshots": { + "type": "integer", + "default": -1, + "deprecated": true, + "title": "Deprecated: Concurrent CSI snapshot create", + "description": "Deprecated. Use 'limiter.csiSnapshotsPerCluster' parameter instead" + }, + "csiSnapshotsPerCluster": { + "type": "integer", + "default": 10, + "title": "Cluster-wide limit of concurrent CSI VolumeSnapshot creation requests", + "description": "Cluster-wide limit of concurrent CSI VolumeSnapshot creation requests" + }, + "providerSnapshots": { + "type": "integer", + "default": -1, + "deprecated": true, + "title": "Deprecated: Concurrent cloud provider create", + "description": "Deprecated. Use 'limiter.directSnapshotsPerCluster' parameter instead" + }, + "directSnapshotsPerCluster": { + "type": "integer", + "default": 10, + "title": "Cluster-wide limit of concurrent non-CSI snapshot creation requests", + "description": "Cluster-wide limit of concurrent non-CSI snapshot creation requests" + }, + "imageCopies": { + "type": "integer", + "default": -1, + "deprecated": true, + "title": "Deprecated: Concurrent image copy", + "description": "Deprecated. Use 'limiter.imageCopiesPerCluster' parameter instead" + }, + "imageCopiesPerCluster": { + "type": "integer", + "default": 10, + "title": "Cluster-wide limit of concurrent ImageStream container image operations", + "description": "Cluster-wide limit of concurrent ImageStream container image backup (i.e. copy from) and restore (i.e. copy to) operations" + }, + "executorReplicas": { + "type": "integer", + "default": 3, + "title": "Number of executor service pod replicas", + "description": "Specifies the number of executor-svc Pods used to process Kasten jobs" + }, + "executorThreads": { + "type": "integer", + "default": 8, + "title": "Executor threads count", + "description": "Specifies the number of threads per executor-svc Pod used to process Kasten jobs" + }, + "workloadRestoresPerAction": { + "type": "integer", + "default": 3, + "title": "Per action limit of concurrent manifest data restores, based on workload", + "description": "Per action limit of concurrent manifest data restores, based on workload (ex. Namespace, Deployment, StatefulSet, VirtualMachine)" + }, + "csiSnapshotRestoresPerAction": { + "type": "integer", + "default": 3, + "title": "Per action limit of concurrent CSI volume provisioning requests", + "description": "Per action limit of concurrent CSI volume provisioning requests when restoring from VolumeSnapshots" + }, + "volumeRestoresPerAction": { + "type": "integer", + "default": 3, + "title": "Per action limit of concurrent volume restore operations", + "description": "Per action limit of concurrent volume restore operations from an exported backup" + }, + "workloadSnapshotsPerAction": { + "type": "integer", + "default": 5, + "title": "Per action limit of concurrent manifest data snapshots, based on workload", + "description": "Per action limit of concurrent manifest data snapshots, based on workload (ex. Namespace, Deployment, StatefulSet, VirtualMachine)" + } + } + }, + "gateway": { + "type": "object", + "title": "Gateway config", + "description": "Configure Gateway service", + "properties": { + "insecureDisableSSLVerify": { + "type": "boolean", + "default": false, + "title": "Disable SSL verification for gateway pods", + "description": "Whether to disable SSL verification for gateway pods" + }, + "exposeAdminPort": { + "type": "boolean", + "default": true, + "title": "Expose Admin port", + "description": "Whether to expose Admin port for gateway service" + }, + "service": { + "type": "object", + "title": "gateway service config", + "properties": { + "externalPort": { + "type": "integer", + "default": 80, + "title": "externalPort for the gateway service", + "description": "Override default 80 externalPort for the gateway service" + } + } + }, + "resources": { + "type": "object", + "title": "Gateway pod resource config", + "description": "Configure resource request and limits by Gateway pod", + "properties": { + "requests": { + "type": "object", + "title": "Gateway resource requests", + "description": "Gateway resource requests configuration", + "properties": { + "memory": { + "type": "string", + "default": "300Mi", + "title": "Gateway pod memory request", + "description": "Gateway pod memory request", + "examples": [ + "1Gi" + ] + }, + "cpu": { + "type": "string", + "default": "200m", + "title": "Gateway pod cpu request", + "description": "Gateway pod cpu request", + "examples": [ + "1" + ] + } + } + }, + "limits": { + "type": "object", + "title": "Gateway resource limits", + "description": "Gateway resource limits configuration", + "properties": { + "memory": { + "type": "string", + "default": "1Gi", + "title": "Gateway pod memory limit", + "description": "Gateway pod memory limit", + "examples": [ + "1Gi" + ] + }, + "cpu": { + "type": "string", + "default": "1000m", + "title": "Gateway pod cpu limit", + "description": "Gateway pod cpu limit", + "examples": [ + "1" + ] + } + } + } + } + } + } + }, + "kanister": { + "type": "object", + "title": "Kanister config", + "description": "Configuration for Kanister service", + "properties": { + "backupTimeout": { + "type": "integer", + "default": -1, + "deprecated": true, + "title": "Deprecated: Timeout on Kanister backup operations", + "description": "Deprecated. Use 'timeout.blueprintBackup' parameter instead" + }, + "restoreTimeout": { + "type": "integer", + "default": -1, + "deprecated": true, + "title": "Deprecated: Timeout for Kanister restore operations", + "description": "Deprecated. Use 'timeout.blueprintRestore' parameter instead" + }, + "deleteTimeout": { + "type": "integer", + "default": -1, + "deprecated": true, + "title": "Deprecated: Timeout for Kanister delete operations", + "description": "Deprecated. Use 'timeout.blueprintDelete' parameter instead" + }, + "hookTimeout": { + "type": "integer", + "default": -1, + "deprecated": true, + "title": "Deprecated: Timeout for Kanister pre-hook and post-hook operations", + "description": "Deprecated. Use 'timeout.blueprintHooks' parameter instead" + }, + "checkRepoTimeout": { + "type": "integer", + "default": -1, + "deprecated": true, + "title": "Deprecated: Timeout for Kanister checkRepo operations", + "description": "Deprecated. Use 'timeout.checkRepoPodReady' parameter instead" + }, + "statsTimeout": { + "type": "integer", + "default": -1, + "deprecated": true, + "title": "Deprecated: Timeout for Kanister stats operations", + "description": "Deprecated. Use 'timeout.statsPodReady' parameter instead" + }, + "efsPostRestoreTimeout": { + "type": "integer", + "default": -1, + "deprecated": true, + "title": "Deprecated: Timeout for Kanister efsPostRestore operations", + "description": "Deprecated. Use 'timeout.efsRestorePodReady' parameter instead" + }, + "podReadyWaitTimeout": { + "type": "integer", + "default": -1, + "deprecated": true, + "title": "Deprecated: Timeout for Kanister tooling pods to be ready", + "description": "Deprecated. Use 'timeout.workerPodReady' parameter instead" + }, + "managedDataServicesBlueprintsEnabled": { + "type": "boolean", + "default": true, + "title": "Enable built-in Kanister Blueprints for data services", + "description": "Whether to enable built-in Kanister Blueprints for data services such as Crunchy Data Postgres Operator and K8ssandra" + } + } + }, + "timeout": { + "type": "object", + "title": "Timeouts config", + "description": "Configuration of timeouts", + "properties": { + "blueprintBackup": { + "type": "integer", + "default": 45, + "title": "Specifies the timeout (in minutes) for Blueprint backup actions", + "description": "Specifies the timeout (in minutes) for Blueprint backup actions" + }, + "blueprintRestore": { + "type": "integer", + "default": 600, + "title": "Specifies the timeout (in minutes) for Blueprint restore actions", + "description": "Specifies the timeout (in minutes) for Blueprint restore actions" + }, + "blueprintDelete": { + "type": "integer", + "default": 45, + "title": "Specifies the timeout (in minutes) for Blueprint delete actions", + "description": "Specifies the timeout (in minutes) for Blueprint delete actions" + }, + "blueprintHooks": { + "type": "integer", + "default": 20, + "title": "Specifies the timeout (in minutes) for Blueprint backupPrehook and backupPosthook actions", + "description": "Specifies the timeout (in minutes) for Blueprint backupPrehook and backupPosthook actions" + }, + "checkRepoPodReady": { + "type": "integer", + "default": 20, + "title": "Specifies the timeout (in minutes) for temporary worker Pods used to validate backup repository existence", + "description": "Specifies the timeout (in minutes) for temporary worker Pods used to validate backup repository existence" + }, + "statsPodReady": { + "type": "integer", + "default": 20, + "title": "Specifies the timeout (in minutes) for temporary worker Pods used to collect repository statistics", + "description": "Specifies the timeout (in minutes) for temporary worker Pods used to collect repository statistics" + }, + "efsRestorePodReady": { + "type": "integer", + "default": 45, + "title": "Specifies the timeout (in minutes) for temporary worker Pods used for shareable volume restore operations", + "description": "Specifies the timeout (in minutes) for temporary worker Pods used for shareable volume restore operations" + }, + "workerPodReady": { + "type": "integer", + "default": 15, + "title": "Specifies the timeout (in minutes) for all other temporary worker Pods used during Veeam Kasten review comments fixedoperations", + "description": "Specifies the timeout (in minutes) for all other temporary worker Pods used during Veeam Kasten operations" + }, + "jobWait": { + "type": "string", + "default": "", + "title": "Specifies the timeout (in minutes) for completing execution of any child job, after which the parent job will be canceled", + "description": "Specifies the timeout (in minutes) for completing execution of any child job, after which the parent job will be canceled. If no value is set, a default of 10 hours will be used" + } + } + }, + "awsConfig": { + "type": "object", + "title": "AWS config", + "description": "AWS config", + "properties": { + "assumeRoleDuration": { + "type": "string", + "default": "", + "title": "Duration of a session token generated by AWS for an IAM role", + "description": "The minimum value is 15 minutes, and the maximum value is determined by the maximum session duration setting for that IAM role. For documentation on how to view and edit the maximum session duration for an IAM role, refer to https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session. The value accepts a number followed by a single character, 'm' (for minutes) or 'h' (for hours). Examples include: 60m or 2h" + }, + "efsBackupVaultName": { + "type": "string", + "default": "k10vault", + "title": "the AWS EFS backup vault name", + "description": "Set the AWS EFS backup vault name" + } + } + }, + "azure": { + "type": "object", + "title": "Azure config", + "description": "Azure config", + "properties": { + "useDefaultMSI": { + "type": "boolean", + "default": false, + "title": "Use the default Managed Identity", + "description": "Set to true - profile does not need a secret, Default Managed Identity will be used" + }, + "useFederatedIdentity": { + "type": "boolean", + "default": false, + "title": "Use the Federated Identity", + "description": "Set to true - injected Federated Identity will be used" + } + } + }, + "google": { + "type": "object", + "title": "Google config", + "description": "Google auth config", + "properties": { + "workloadIdentityFederation": { + "type": "object", + "title": "Google Workload Identity Federation config", + "description": "config for Google Workload Identity Federation", + "properties": { + "enabled": { + "type": "boolean", + "default": false, + "title": "Enable Google Workload Identity Federation (GWIF) for K10", + "description": "Set to true - Google Workload Identity Federation is enabled for K10" + }, + "idp": { + "type": "object", + "title": "Identity Provider config", + "description": "Identity Provider config", + "properties": { + "type": { + "type": "string", + "default": "", + "title": "Type of the Identity Provider for GWIF", + "description": "Set the type of IdP for GWIF" + }, + "aud": { + "type": "string", + "default": "", + "title": "The audience that ID token is intended for", + "description": "Set the name of the audience that ID token is intended for" + } + } + } + } + } + } + }, + "grafana": { + "type": "object", + "title": "Grafana config", + "description": "Settings for Grafana service", + "properties": { + "enabled": { + "type": "boolean", + "default": true, + "title": "Enable Grafana service", + "description": "Deploy Grafana service. If false Grafana will not be available" + }, + "external": { + "type": "object", + "title": "Configuration related to externally installed Grafana instance", + "description": "If Grafana instance that gets installed with K10 is disabled using grafana.enabled=false, this field can be used to configure externally installed Grafana instance.", + "properties": { + "url": { + "type": "string", + "default": "", + "title": "URL of externally installed Grafana instance", + "description": "If Grafana instance that gets installed with K10 is disabled using grafana.enabled=false, this field can be used to specify URL of externally installed Grafana instance." + } + } + } + } + }, + "encryption": { + "type": "object", + "title": "Encryption config", + "description": "Encryption config", + "properties": { + "primaryKey": { + "type": "object", + "title": "primaryKey for encrypting of K10 primary key", + "description": "primaryKey is used for enabling encryption of K10 primary key", + "properties": { + "awsCmkKeyId": { + "type": "string", + "default": "", + "title": "The AWS CMK key ID for encrypting K10 Primary Key", + "description": "Ensures AWS CMK is used for encrypting K10 primary key" + }, + "vaultTransitKeyName": { + "type": "string", + "default": "", + "title": "Vault transit Key Name", + "description": "Vault Transit key name for Vault integration" + }, + "vaultTransitPath": { + "type": "string", + "default": "", + "title": "Vault transit path", + "description": "Vault transit path for Vault integration" + } + } + } + } + }, + "vmWare": { + "type": "object", + "title": "VMWare integration config", + "properties": { + "taskTimeoutMin": { + "type": "integer", + "default": 60, + "title": "the timeout for VMWare operations", + "description": "the timeout for VMWare operations in minutes" + } + } + }, + "vault": { + "type": "object", + "title": "Vault config", + "description": "Vault integration configuration", + "properties": { + "secretName": { + "type": "string", + "default": "", + "title": "Vault secret name", + "description": "Vault secret name" + }, + "address": { + "type": "string", + "default": "http://vault.vault.svc:8200", + "title": "Vault address", + "description": "Specify Vault endpoint" + }, + "role": { + "type": "string", + "default": "", + "title": "Vault Service Account Role", + "description": "Role that was bound to the service account name and namespace from cluster" + }, + "serviceAccountTokenPath": { + "type": "string", + "default": "", + "title": "Token path for Vault Service Account Role", + "description": "Default: '/var/run/secrets/kubernetes.io/serviceaccount/token'" + } + } + }, + "kubeVirtVMs": { + "type": "object", + "properties": { + "snapshot": { + "type": "object", + "properties": { + "unfreezeTimeout": { + "type": "string", + "title": "Unfreeze timeout for Virtual Machines", + "description": "Time within which K10 is expected to complete the Virtual Machine's backup and thaw the Virtual Machine.", + "default": "5m" + } + } + } + } + }, + "excludedApps": { + "type": "array", + "items": { + "type": "string" + }, + "default": [ + "kube-system", + "kube-ingress", + "kube-node-lease", + "kube-public", + "kube-rook-ceph" + ], + "title": "List of applications to be excluded", + "description": "List of applications to be excluded from the dashboard & compliance considerations" + }, + "logging": { + "type": "object", + "properties": { + "internal": { + "title": "Enable internal logging service", + "description": "Enable use of internal logging service", + "type": "boolean", + "default": true + }, + "fluentbit_endpoint": { + "title": "Use external fluentbit endpoint", + "description": "Specify a fluentbit endpoint to collect logs, cannot be used with the internal logging service (logging.internal=true)", + "type": "string", + "default": "" + } + } + }, + "maxJobWaitDuration": { + "type": "string", + "default": "", + "deprecated": true, + "title": "Deprecated: Maximum duration for jobs in minutes", + "description": "Deprecated. Use 'timeout.jobWait' parameter instead" + }, + "forceRootInKanisterHooks": { + "type": "boolean", + "default": false, + "deprecated": true, + "title": "Deprecated: Run Kanister Hooks as root", + "description": "Deprecated. Use 'forceRootInBlueprintActions' parameter instead" + }, + "forceRootInBlueprintActions": { + "type": "boolean", + "default": true, + "title": "Run Kanister Blueprints as root", + "description": "Forces any Pod created by a Blueprint to run as root user" + }, + "ephemeralPVCOverhead": { + "type": "string", + "default": "0.1", + "title": "Storage overhead for ephemeral PVCs", + "description": "Set the percentage increase for the ephemeral Persistent Volume Claim's storage request, e.g. pvc size = (file raw size) * (1 + `ephemeralPVCOverhead`)" + }, + "kastenDisasterRecovery": { + "type": "object", + "properties": { + "quickMode": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean", + "default": false, + "description": "Enables K10 Quick Disaster Recovery feature, with ability to restore necessary K10 resources and exported restore points of applications.", + "title": "Enable K10 Quick Disaster Recovery." + } + } + } + } + }, + "fips": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean", + "default": false, + "description": "Enables K10 FIPS (Federal Information Processing Standard) mode of operation.", + "title": "Enable K10 FIPS mode of operation." + } + } + }, + "workerPodCRDs": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean", + "default": false, + "title": "Enable ActionPodSpec and ActionPodSpecBinding CRDs", + "description": "Enables the use of ActionPodSpec and ActionPodSpecBinding for granular resource configuration of temporary Pods associated with Kasten Actions" + }, + "resourcesRequests": { + "type": "object", + "title": "Maximum resource requests", + "description": "Specifies the cluster-wide, maximum values for resource requests which may be used in any ActionPodSpec", + "properties": { + "maxMemory": { + "type": "string", + "default": "", + "title": "Maximum memory request", + "description": "Specifies the cluster-wide, maximum value for memory resource requests which may be used in any ActionPodSpec", + "examples": [ + "1Gi" + ] + }, + "maxCPU": { + "type": "string", + "default": "", + "title": "Maximum cpu request", + "description": "Specifies the cluster-wide, maximum value for CPU resource requests which may be used in any ActionPodSpec", + "examples": [ + "1" + ] + } + } + }, + "defaultActionPodSpec": { + "type": "string", + "default": "", + "title": "Default ActionPodSpec name", + "description": "The name of ActionPodSpec that will be used by default for worker pod resources. if empty, the default APS is omitted" + } + } + } + } +} diff --git a/charts/kasten/k10/7.0.1401/values.yaml b/charts/kasten/k10/7.0.1401/values.yaml new file mode 100644 index 000000000..2a20ddb80 --- /dev/null +++ b/charts/kasten/k10/7.0.1401/values.yaml @@ -0,0 +1,606 @@ +#file: noinspection ComposeUnknownKeys,ComposeUnknownValues +# Default values for k10. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +rbac: + create: true +serviceAccount: + # Specifies whether a ServiceAccount should be created + create: true + # The name of the ServiceAccount to use. + # If not set and create is true, a name is derived using the release and chart names. + name: "" + +scc: + create: false + priority: 0 + +networkPolicy: + create: true + +global: + # These are the default values for picking k10 images. They can be overridden + # to specify a particular registy and tag. + image: + registry: gcr.io/kasten-images + tag: '' + pullPolicy: Always + airgapped: + repository: '' + persistence: + mountPath: "/mnt/k10state" + enabled: true + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. (gp2 on AWS, standard on + ## GKE, AWS & OpenStack) + ## + storageClass: "" + accessMode: ReadWriteOnce + size: 20Gi + metering: + size: 2Gi + catalog: + size: "" + jobs: + size: "" + logging: + size: "" + grafana: + # Default value is set to 5Gi. This is the same as the default value + # from previous releases <= 4.5.1 where the Grafana sub chart used to + # reference grafana.persistence.size instead of the global values. + # Since the size remains the same across upgrades, the Grafana PVC + # is not deleted and recreated which means no Grafana data is lost + # while upgrading from <= 4.5.1 + size: 5Gi + podLabels: {} + podAnnotations: {} + ## Set it to true while generating helm operator + rhMarketPlace: false + ## these values should not be provided us, these are to be used by + ## red hat marketplace + images: + aggregatedapis: '' + auth: '' + bloblifecyclemanager: '' + catalog: '' + configmap-reload: '' + controllermanager: '' + crypto: '' + dashboardbff: '' + datamover: '' + dex: '' + emissary: '' + events: '' + executor: '' + frontend: '' + gateway: '' + grafana: '' + init: '' + jobs: '' + kanister-tools: '' + kanister: '' + k10tools: '' + logging: '' + metering: '' + ocpconsoleplugin: '' + paygo_daemonset: '' + prometheus: '' + repositories: '' + state: '' + upgrade: '' + vbrintegrationapi: '' + garbagecollector: '' + metric-sidecar: '' + imagePullSecret: '' + prometheus: + external: + host: '' #FQDN of prometheus-service + port: '' + baseURL: '' + network: + enable_ipv6: false + +## OpenShift route configuration. +route: + enabled: false + # Host name for the route + host: "" + # Default path for the route + path: "" + + annotations: {} + # kubernetes.io/tls-acme: "true" + # haproxy.router.openshift.io/disable_cookies: "true" + # haproxy.router.openshift.io/balance: roundrobin + + labels: {} + # key: value + + # TLS configuration + tls: + enabled: false + # What to do in case of an insecure traffic edge termination + insecureEdgeTerminationPolicy: "Redirect" + # Where this TLS configuration should terminate + termination: "edge" + +dexImage: + registry: ghcr.io + repository: dexidp + image: dex + +kanisterToolsImage: + registry: ghcr.io + repository: kanisterio + image: kanister-tools + pullPolicy: Always + +ingress: + create: false + annotations: {} + name: "" + tls: + enabled: false + secretName: "" #TLS secret name + class: "" #Ingress controller type + host: "" #ingress object host name + urlPath: "" #url path for k10 gateway + pathType: "ImplementationSpecific" + defaultBackend: + service: + enabled: false + name: "" + port: + name: "" + number: 0 + resource: + enabled: false + apiGroup: "" + kind: "" + name: "" + +eula: + accept: false #true value if EULA accepted + +license: "" #base64 encoded string provided by Kasten + +cluster: + domainName: "" + +multicluster: + enabled: true + primary: + create: false + name: "" + ingressURL: "" + +prometheus: + rbac: + create: false + server: + # UID and groupid are from prometheus helm chart + enabled: true + securityContext: + runAsUser: 65534 + runAsNonRoot: true + runAsGroup: 65534 + fsGroup: 65534 + retention: 30d + persistentVolume: + storageClass: "" + fullnameOverride: prometheus-server + baseURL: /k10/prometheus/ + prefixURL: /k10/prometheus + +jaeger: + enabled: false + agentDNS: "" + +service: + externalPort: 8000 + internalPort: 8000 + aggregatedApiPort: 10250 + gatewayAdminPort: 8877 + +secrets: + awsAccessKeyId: '' + awsSecretAccessKey: '' + awsIamRole: '' + awsClientSecretName: '' + googleApiKey: '' + googleProjectId: '' + googleClientSecretName: '' + dockerConfig: '' + dockerConfigPath: '' + azureTenantId: '' + azureClientId: '' + azureClientSecret: '' + azureClientSecretName: '' + azureResourceGroup: '' + azureSubscriptionID: '' + azureResourceMgrEndpoint: '' + azureADEndpoint: '' + azureADResourceID: '' + microsoftEntraIDEndpoint: '' + microsoftEntraIDResourceID: '' + azureCloudEnvID: '' + apiTlsCrt: '' + apiTlsKey: '' + tlsSecret: '' + vsphereEndpoint: '' + vsphereUsername: '' + vspherePassword: '' + vsphereClientSecretName: '' + +metering: + reportingKey: "" #[base64-encoded key] + consumerId: "" #project: + awsRegion: '' + awsMarketPlaceIamRole: '' + awsMarketplace: false # AWS cloud metering license mode + awsManagedLicense: false # AWS managed license mode + licenseConfigSecretName: '' # AWS managed license config secret for non-eks clusters + serviceAccount: + create: false + name: "" + mode: '' # controls metric and license reporting (set to `airgap` for private-network installs) + redhatMarketplacePayg: false # Redhat cloud metering license mode + reportCollectionPeriod: 1800 # metric report collection period in seconds + reportPushPeriod: 3600 # metric report push period in seconds + promoID: '' # sets the K10 promotion ID + +clusterName: '' + +# Deprecated. Use 'limiter.executorReplicas' parameter. +executorReplicas: -1 + +logLevel: info + +externalGateway: + create: false + # Any standard service annotations + annotations: {} + # Host and domain name for the K10 API server + fqdn: + name: "" + #Supported types route53-mapper, external-dns + type: "" + # ARN for the AWS ACM SSL certificate used in the K10 API server (load balancer) + awsSSLCertARN: '' + +auth: + groupAllowList: [] +# - "group1" +# - "group2" + basicAuth: + enabled: false + secretName: "" #htpasswd based existing secret + htpasswd: "" #htpasswd string, which will be used for basic auth + tokenAuth: + enabled: false + oidcAuth: + enabled: false + providerURL: "" #URL to your OIDC provider + redirectURL: "" #URL to the K10 gateway service + scopes: "" #Space separated OIDC scopes required for userinfo. Example: "profile email" + prompt: "select_account" #The prompt type to be requested with the OIDC provider. Default is select_account. + clientID: "" #ClientID given by the OIDC provider for K10 + clientSecret: "" #ClientSecret given by the OIDC provider for K10 + clientSecretName: "" #The Kubernetes Secret that contains ClientID and ClientSecret given by the OIDC provider for K10 + usernameClaim: "" #Claim to be used as the username + usernamePrefix: "" #Prefix that has to be used with the username obtained from the username claim + groupClaim: "" #Name of a custom OpenID Connect claim for specifying user groups + groupPrefix: "" #All groups will be prefixed with this value to prevent conflicts. + logoutURL: "" #URL to your OIDC provider's logout endpoint + #OIDC config based existing secret. + #Must include providerURL, redirectURL, scopes, clientID/secret and logoutURL. + secretName: "" + sessionDuration: "1h" #Maximum OIDC session duration. Default value is 1 hour + refreshTokenSupport: false #Enable Refresh Token support. Disabled by default + openshift: + enabled: false + serviceAccount: "" #service account used as the OAuth client + clientSecret: "" #The token from the service account + clientSecretName: "" #The secret with the token from the service account + dashboardURL: "" #The URL for accessing K10's dashboard + openshiftURL: "" #The URL of the Openshift API server + insecureCA: false + useServiceAccountCA: false + secretName: "" # The Kubernetes Secret that contains OIDC settings + usernameClaim: "email" + usernamePrefix: "" + groupnameClaim: "groups" + groupnamePrefix: "" + caCertsAutoExtraction: true # Configures if K10 should automatically extract CA certificates from the OCP cluster. + ldap: + enabled: false + restartPod: false # Enable this value to force a restart of the authentication service pod + dashboardURL: "" #The URL for accessing K10's dashboard + host: "" + insecureNoSSL: false + insecureSkipVerifySSL: false + startTLS: false + bindDN: "" + bindPW: "" + bindPWSecretName: "" + userSearch: + baseDN: "" + filter: "" + username: "" + idAttr: "" + emailAttr: "" + nameAttr: "" + preferredUsernameAttr: "" + groupSearch: + baseDN: "" + filter: "" + userMatchers: [] +# - userAttr: +# groupAttr: + nameAttr: "" + secretName: "" # The Kubernetes Secret that contains OIDC settings + usernameClaim: "email" + usernamePrefix: "" + groupnameClaim: "groups" + groupnamePrefix: "" + k10AdminUsers: [] + k10AdminGroups: [] + +optionalColocatedServices: + vbrintegrationapi: + enabled: true + +cacertconfigmap: + name: "" #Name of the configmap + +apiservices: + deployed: true # If false APIService objects will not be deployed + +injectKanisterSidecar: + enabled: false + namespaceSelector: + matchLabels: {} + # Set objectSelector to filter workloads + objectSelector: + matchLabels: {} + webhookServer: + port: 8080 # should not conflict with config server port (8000) + +genericStorageBackup: + token: "" + +kanisterPodCustomLabels : "" + +kanisterPodCustomAnnotations : "" + +features: + backgroundMaintenanceRun: true # Key must be deleted to deactivate. Setting to false will not work. + +# Deprecated. Use 'workerPodMetricSidecar' parameter instead. +kanisterPodMetricSidecar: + enabled: false + metricLifetime: "2m" + pushGatewayInterval: "30s" + resources: + requests: + memory: "" + cpu: "" + limits: + memory: "" + cpu: "" + +workerPodMetricSidecar: + enabled: true + metricLifetime: "2m" + pushGatewayInterval: "30s" + resources: + requests: + memory: "" + cpu: "" + limits: + memory: "" + cpu: "" + +genericVolumeSnapshot: + resources: + requests: + memory: "" + cpu: "" + limits: + memory: "" + cpu: "" + +garbagecollector: + daemonPeriod: 21600 + keepMaxActions: 1000 + actions: + enabled: false + +resources: {} + +defaultPriorityClassName: "" +priorityClassName: {} + +services: + executor: + hostNetwork: false + # Deprecated. Use 'limiter.executorThreads' parameter instead. + workerCount: -1 + # Deprecated. Use 'limiter.csiSnapshotRestoresPerAction' parameter instead. + maxConcurrentRestoreCsiSnapshots: -1 + # Deprecated. Use 'limiter.volumeRestoresPerAction' parameter instead. + maxConcurrentRestoreGenericVolumeSnapshots: -1 + # Deprecated. Use 'limiter.workloadRestoresPerAction' parameter instead. + maxConcurrentRestoreWorkloads: -1 + dashboardbff: + hostNetwork: false + securityContext: + runAsUser: 1000 # Will override any USER instruction that a container image set for running the entrypoint and command. + fsGroup: 1000 + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + aggregatedapis: + hostNetwork: false + +siem: + logging: + cluster: + enabled: true + cloud: + path: k10audit/ + awsS3: + enabled: true + +apigateway: + serviceResolver: dns + +limiter: + # Deprecated. Use 'limiter.snapshotExportsPerAction' parameter instead. + concurrentSnapConversions: -1 + snapshotExportsPerAction: 3 + # Deprecated. Use 'limiter.genericVolumeBackupsPerCluster' parameter instead. + genericVolumeSnapshots: -1 + genericVolumeBackupsPerCluster: 10 + # Deprecated. Use 'limiter.snapshotExportsPerCluster' parameter instead. + genericVolumeCopies: -1 + snapshotExportsPerCluster: 10 + # Deprecated. Use 'limiter.volumeRestoresPerCluster' parameter instead. + genericVolumeRestores: -1 + volumeRestoresPerCluster: 10 + # Deprecated. Use 'limiter.csiSnapshotsPerCluster' parameter instead. + csiSnapshots: -1 + csiSnapshotsPerCluster: 10 + # Deprecated. Use 'limiter.directSnapshotsPerCluster' parameter instead. + providerSnapshots: -1 + directSnapshotsPerCluster: 10 + # Deprecated. Use 'limiter.imageCopiesPerCluster' parameter instead. + imageCopies: -1 + imageCopiesPerCluster: 10 + executorReplicas: 3 + executorThreads: 8 + workloadRestoresPerAction: 3 + csiSnapshotRestoresPerAction: 3 + volumeRestoresPerAction: 3 + workloadSnapshotsPerAction: 5 + +gateway: + insecureDisableSSLVerify: false + exposeAdminPort: true + service: + externalPort: 80 + resources: + requests: + memory: 300Mi + cpu: 200m + limits: + memory: 1Gi + cpu: 1000m + +kanister: + # Deprecated. Use 'timeout.blueprintBackup' parameter instead. + backupTimeout: -1 + # Deprecated. Use 'timeout.blueprintRestore' parameter instead. + restoreTimeout: -1 + # Deprecated. Use 'timeout.blueprintDelete' parameter instead. + deleteTimeout: -1 + # Deprecated. Use 'timeout.blueprintHooks' parameter instead. + hookTimeout: -1 + # Deprecated. Use 'timeout.checkRepoPodReady' parameter instead. + checkRepoTimeout: -1 + # Deprecated. Use 'timeout.statsPodReady' parameter instead. + statsTimeout: -1 + # Deprecated. Use 'timeout.efsRestorePodReady' parameter instead. + efsPostRestoreTimeout: -1 + # Deprecated. Use 'timeout.workerPodReady' parameter instead. + podReadyWaitTimeout: -1 + managedDataServicesBlueprintsEnabled: true + +timeout: + blueprintBackup: 45 + blueprintRestore: 600 + blueprintDelete: 45 + blueprintHooks: 20 + checkRepoPodReady: 20 + statsPodReady: 20 + efsRestorePodReady: 45 + workerPodReady: 15 + jobWait: "" + +awsConfig: + assumeRoleDuration: "" + efsBackupVaultName: "k10vault" + +excludedApps: ["kube-system", "kube-ingress", "kube-node-lease", "kube-public", "kube-rook-ceph"] + +grafana: + enabled: true + external: + url: "" # can be used to configure the URL of externally installed Grafana instance. If it's provided, grafana.enabled must be false. + +encryption: + primaryKey: # primaryKey is used for enabling encryption of K10 primary key + awsCmkKeyId: '' # Ensures AWS CMK is used for encrypting K10 primary key + vaultTransitKeyName: '' + vaultTransitPath: '' + +vmWare: + taskTimeoutMin: 60 + +azure: + useDefaultMSI: false + useFederatedIdentity: false + +google: + workloadIdentityFederation: + enabled: false + idp: + type: "" + aud: "" + +vault: + role: "" # Role that was bound to the service account name and namespace from cluster + serviceAccountTokenPath: "" # This will default to /var/run/secrets/kubernetes.io/serviceaccount/token within the code if left blank + address: "http://vault.vault.svc:8200" # Address for dev mode in cluster vault server in vault namespace + secretName: "" # Ensures backward compatibility for now. We can remove once we tell all customers this is deprecated. + # This is how the token can be passed into default if K8S auth mode fails for whatever reason. + +kubeVirtVMs: + snapshot: + unfreezeTimeout: "5m" + +logging: + internal: true + # Used to set an external fluentbit endpoint. 'logging.internal' must be set to false. + fluentbit_endpoint: "" + +# Deprecated. Use 'timeout.jobWait' parameter instead. +maxJobWaitDuration: "" + +# Deprecated. Use 'forceRootInBlueprintActions' parameter instead. +forceRootInKanisterHooks: false +forceRootInBlueprintActions: true + +ephemeralPVCOverhead: "0.1" + +datastore: + parallelUploads: 8 + parallelDownloads: 8 + +kastenDisasterRecovery: + quickMode: + enabled: false + +fips: + enabled: false + +workerPodCRDs: + enabled: false + resourcesRequests: + maxCPU: "" + maxMemory: "" + defaultActionPodSpec: "" diff --git a/charts/kuma/kuma/2.9.1/.helmdocsignore b/charts/kuma/kuma/2.9.1/.helmdocsignore new file mode 100644 index 000000000..d8a5db8f8 --- /dev/null +++ b/charts/kuma/kuma/2.9.1/.helmdocsignore @@ -0,0 +1 @@ +# Charts to ignore from helm-docs \ No newline at end of file diff --git a/charts/kuma/kuma/2.9.1/.helmignore b/charts/kuma/kuma/2.9.1/.helmignore new file mode 100644 index 000000000..0e8a0eb36 --- /dev/null +++ b/charts/kuma/kuma/2.9.1/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/charts/kuma/kuma/2.9.1/Chart.yaml b/charts/kuma/kuma/2.9.1/Chart.yaml new file mode 100644 index 000000000..8fdc14f2c --- /dev/null +++ b/charts/kuma/kuma/2.9.1/Chart.yaml @@ -0,0 +1,26 @@ +annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Kuma + catalog.cattle.io/namespace: kuma-system + catalog.cattle.io/release-name: kuma +apiVersion: v2 +appVersion: 2.9.1 +description: A Helm chart for the Kuma Control Plane +home: https://github.com/kumahq/kuma +icon: file://assets/icons/kuma.svg +keywords: +- service mesh +- control plane +maintainers: +- email: jakub.dyszkiewicz@konghq.com + name: Jakub Dyszkiewicz + url: https://github.com/jakubdyszkiewicz +- email: charly.molter@konghq.com + name: Charly Molter + url: https://github.com/lahabana +- email: michael.beaumont@konghq.com + name: Mike Beaumont + url: https://github.com/michaelbeaumont +name: kuma +type: application +version: 2.9.1 diff --git a/charts/kuma/kuma/2.9.1/README.md b/charts/kuma/kuma/2.9.1/README.md new file mode 100644 index 000000000..e9dcc2b22 --- /dev/null +++ b/charts/kuma/kuma/2.9.1/README.md @@ -0,0 +1,316 @@ +[![][kuma-logo]][kuma-url] + +A Helm chart for the Kuma Control Plane + +![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![Version: 2.9.1](https://img.shields.io/badge/Version-2.9.1-informational?style=flat-square) ![AppVersion: 2.9.1](https://img.shields.io/badge/AppVersion-2.9.1-informational?style=flat-square) + +**Homepage:** + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| global.image.registry | string | `"docker.io/kumahq"` | Default registry for all Kuma Images | +| global.image.tag | string | `nil` | The default tag for all Kuma images, which itself defaults to .Chart.AppVersion | +| global.imagePullSecrets | list | `[]` | Add `imagePullSecrets` to all the service accounts used for Kuma components | +| patchSystemNamespace | bool | `true` | Whether to patch the target namespace with the system label | +| installCrdsOnUpgrade.enabled | bool | `true` | Whether install new CRDs before upgrade (if any were introduced with the new version of Kuma) | +| installCrdsOnUpgrade.imagePullSecrets | list | `[]` | The `imagePullSecrets` to attach to the Service Account running CRD installation. This field will be deprecated in a future release, please use .global.imagePullSecrets | +| noHelmHooks | bool | `false` | Whether to disable all helm hooks | +| restartOnSecretChange | bool | `true` | Whether to restart control-plane by calculating a new checksum for the secret | +| controlPlane.environment | string | `"kubernetes"` | Environment that control plane is run in, useful when running universal global control plane on k8s | +| controlPlane.extraLabels | object | `{}` | Labels to add to resources in addition to default labels | +| controlPlane.logLevel | string | `"info"` | Kuma CP log level: one of off,info,debug | +| controlPlane.logOutputPath | string | `""` | Kuma CP log output path: Defaults to /dev/stdout | +| controlPlane.mode | string | `"zone"` | Kuma CP modes: one of zone,global | +| controlPlane.zone | string | `nil` | Kuma CP zone, if running multizone | +| controlPlane.kdsGlobalAddress | string | `""` | Only used in `zone` mode | +| controlPlane.replicas | int | `1` | Number of replicas of the Kuma CP. Ignored when autoscaling is enabled | +| controlPlane.minReadySeconds | int | `0` | Minimum number of seconds for which a newly created pod should be ready for it to be considered available. | +| controlPlane.deploymentAnnotations | object | `{}` | Annotations applied only to the `Deployment` resource | +| controlPlane.podAnnotations | object | `{}` | Annotations applied only to the `Pod` resource | +| controlPlane.autoscaling.enabled | bool | `false` | Whether to enable Horizontal Pod Autoscaling, which requires the [Metrics Server](https://github.com/kubernetes-sigs/metrics-server) in the cluster | +| controlPlane.autoscaling.minReplicas | int | `2` | The minimum CP pods to allow | +| controlPlane.autoscaling.maxReplicas | int | `5` | The max CP pods to scale to | +| controlPlane.autoscaling.targetCPUUtilizationPercentage | int | `80` | For clusters that don't support autoscaling/v2, autoscaling/v1 is used | +| controlPlane.autoscaling.metrics | list | `[{"resource":{"name":"cpu","target":{"averageUtilization":80,"type":"Utilization"}},"type":"Resource"}]` | For clusters that do support autoscaling/v2, use metrics | +| controlPlane.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node selector for the Kuma Control Plane pods | +| controlPlane.tolerations | list | `[]` | Tolerations for the Kuma Control Plane pods | +| controlPlane.podDisruptionBudget.enabled | bool | `false` | Whether to create a pod disruption budget | +| controlPlane.podDisruptionBudget.maxUnavailable | int | `1` | The maximum number of unavailable pods allowed by the budget | +| controlPlane.affinity | object | `{"podAntiAffinity":{"preferredDuringSchedulingIgnoredDuringExecution":[{"podAffinityTerm":{"labelSelector":{"matchExpressions":[{"key":"app.kubernetes.io/name","operator":"In","values":["{{ include \"kuma.name\" . }}"]},{"key":"app.kubernetes.io/instance","operator":"In","values":["{{ .Release.Name }}"]},{"key":"app","operator":"In","values":["{{ include \"kuma.name\" . }}-control-plane"]}]},"topologyKey":"kubernetes.io/hostname"},"weight":100}]}}` | Affinity placement rule for the Kuma Control Plane pods. This is rendered as a template, so you can reference other helm variables or includes. | +| controlPlane.topologySpreadConstraints | string | `nil` | Topology spread constraints rule for the Kuma Control Plane pods. This is rendered as a template, so you can use variables to generate match labels. | +| controlPlane.injectorFailurePolicy | string | `"Fail"` | Failure policy of the mutating webhook implemented by the Kuma Injector component | +| controlPlane.service.apiServer.http.nodePort | int | `30681` | Port on which Http api server Service is exposed on Node for service of type NodePort | +| controlPlane.service.apiServer.https.nodePort | int | `30682` | Port on which Https api server Service is exposed on Node for service of type NodePort | +| controlPlane.service.enabled | bool | `true` | Whether to create a service resource. | +| controlPlane.service.name | string | `nil` | Optionally override of the Kuma Control Plane Service's name | +| controlPlane.service.type | string | `"ClusterIP"` | Service type of the Kuma Control Plane | +| controlPlane.service.annotations | object | `{"prometheus.io/port":"5680","prometheus.io/scrape":"true"}` | Annotations to put on the Kuma Control Plane | +| controlPlane.ingress.enabled | bool | `false` | Install K8s Ingress resource that exposes GUI and API | +| controlPlane.ingress.ingressClassName | string | `nil` | IngressClass defines which controller will implement the resource | +| controlPlane.ingress.hostname | string | `nil` | Ingress hostname | +| controlPlane.ingress.annotations | object | `{}` | Map of ingress annotations. | +| controlPlane.ingress.path | string | `"/"` | Ingress path. | +| controlPlane.ingress.pathType | string | `"ImplementationSpecific"` | Each path in an Ingress is required to have a corresponding path type. (ImplementationSpecific/Exact/Prefix) | +| controlPlane.ingress.servicePort | int | `5681` | Port from kuma-cp to use to expose API and GUI. Switch to 5682 to expose TLS port | +| controlPlane.globalZoneSyncService.enabled | bool | `true` | Whether to create a k8s service for the global zone sync service. It will only be created when enabled and deploying the global control plane. | +| controlPlane.globalZoneSyncService.type | string | `"LoadBalancer"` | Service type of the Global-zone sync | +| controlPlane.globalZoneSyncService.loadBalancerIP | string | `nil` | Optionally specify IP to be used by cloud provider when configuring load balancer | +| controlPlane.globalZoneSyncService.loadBalancerSourceRanges | list | `[]` | Optionally specify allowed source ranges that can access the load balancer | +| controlPlane.globalZoneSyncService.annotations | object | `{}` | Additional annotations to put on the Global Zone Sync Service | +| controlPlane.globalZoneSyncService.nodePort | int | `30685` | Port on which Global Zone Sync Service is exposed on Node for service of type NodePort | +| controlPlane.globalZoneSyncService.port | int | `5685` | Port on which Global Zone Sync Service is exposed | +| controlPlane.globalZoneSyncService.protocol | string | `"grpc"` | Protocol of the Global Zone Sync service port | +| controlPlane.defaults.skipMeshCreation | bool | `false` | Whether to skip creating the default Mesh | +| controlPlane.automountServiceAccountToken | bool | `true` | Whether to automountServiceAccountToken for cp. Optionally set to false | +| controlPlane.resources | object | `{"limits":{"memory":"256Mi"},"requests":{"cpu":"500m","memory":"256Mi"}}` | Optionally override the resource spec | +| controlPlane.lifecycle | object | `{}` | Pod lifecycle settings (useful for adding a preStop hook, when using AWS ALB or NLB) | +| controlPlane.terminationGracePeriodSeconds | int | `30` | Number of seconds to wait before force killing the pod. Make sure to update this if you add a preStop hook. | +| controlPlane.tls.general.secretName | string | `""` | Secret that contains tls.crt, tls.key [and ca.crt when no controlPlane.tls.general.caSecretName specified] for protecting Kuma in-cluster communication | +| controlPlane.tls.general.caSecretName | string | `""` | Secret that contains ca.crt that was used to sign cert for protecting Kuma in-cluster communication (ca.crt present in this secret have precedence over the one provided in the controlPlane.tls.general.secretName) | +| controlPlane.tls.general.caBundle | string | `""` | Base64 encoded CA certificate (the same as in controlPlane.tls.general.secret#ca.crt) | +| controlPlane.tls.apiServer.secretName | string | `""` | Secret that contains tls.crt, tls.key for protecting Kuma API on HTTPS | +| controlPlane.tls.apiServer.clientCertsSecretName | string | `""` | Secret that contains list of .pem certificates that can access admin endpoints of Kuma API on HTTPS | +| controlPlane.tls.kdsGlobalServer.secretName | string | `""` | Name of the K8s TLS Secret resource. If you set this and don't set create=true, you have to create the secret manually. | +| controlPlane.tls.kdsGlobalServer.create | bool | `false` | Whether to create the TLS secret in helm. | +| controlPlane.tls.kdsGlobalServer.cert | string | `""` | The TLS certificate to offer. | +| controlPlane.tls.kdsGlobalServer.key | string | `""` | The TLS key to use. | +| controlPlane.tls.kdsZoneClient.secretName | string | `""` | Name of the K8s Secret resource that contains ca.crt which was used to sign the certificate of KDS Global Server. If you set this and don't set create=true, you have to create the secret manually. | +| controlPlane.tls.kdsZoneClient.create | bool | `false` | Whether to create the TLS secret in helm. | +| controlPlane.tls.kdsZoneClient.cert | string | `""` | CA bundle that was used to sign the certificate of KDS Global Server. | +| controlPlane.tls.kdsZoneClient.skipVerify | bool | `false` | If true, TLS cert of the server is not verified. | +| controlPlane.serviceAccountAnnotations | object | `{}` | Annotations to add for Control Plane's Service Account | +| controlPlane.image.pullPolicy | string | `"IfNotPresent"` | Kuma CP ImagePullPolicy | +| controlPlane.image.repository | string | `"kuma-cp"` | Kuma CP image repository | +| controlPlane.image.tag | string | `nil` | Kuma CP Image tag. When not specified, the value is copied from global.tag | +| controlPlane.secrets | object with { Env: string, Secret: string, Key: string } | `nil` | Secrets to add as environment variables, where `Env` is the name of the env variable, `Secret` is the name of the Secret, and `Key` is the key of the Secret value to use | +| controlPlane.envVars | object | `{}` | Additional environment variables that will be passed to the control plane | +| controlPlane.envVarEntries | string | `nil` | Additional environment variables that will be passed to the control plane. Can be used with Kubernetes downward API | +| controlPlane.extraConfigMaps | list | `[]` | Additional config maps to mount into the control plane, with optional inline values | +| controlPlane.extraSecrets | object with { name: string, mountPath: string, readOnly: string } | `nil` | Additional secrets to mount into the control plane, where `Env` is the name of the env variable, `Secret` is the name of the Secret, and `Key` is the key of the Secret value to use | +| controlPlane.webhooks.validator.additionalRules | string | `""` | Additional rules to apply on Kuma validator webhook. Useful when building custom policy on top of Kuma. | +| controlPlane.webhooks.ownerReference.additionalRules | string | `""` | Additional rules to apply on Kuma owner reference webhook. Useful when building custom policy on top of Kuma. | +| controlPlane.hostNetwork | bool | `false` | Specifies if the deployment should be started in hostNetwork mode. | +| controlPlane.admissionServerPort | int | `5443` | Define a new server port for the admission controller. Recommended to set in combination with hostNetwork to prevent multiple port bindings on the same port (like Calico in AWS EKS). | +| controlPlane.podSecurityContext | object | `{"runAsNonRoot":true}` | Security context at the pod level for control plane. | +| controlPlane.containerSecurityContext | object | `{"readOnlyRootFilesystem":true}` | Security context at the container level for control plane. | +| controlPlane.supportGatewaySecretsInAllNamespaces | bool | `false` | If true, then control plane can support TLS secrets for builtin gateway outside of mesh system namespace. The downside is that control plane requires permission to read Secrets in all namespaces. | +| controlPlane.dns | object | `{"config":{"nameservers":[],"searches":[]},"policy":""}` | DNS configuration for the control-plane pod. This is equivalent to the [Kubernetes DNS policy](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy). | +| controlPlane.dns.policy | string | `""` | Defines how DNS resolution is configured for that Pod. | +| controlPlane.dns.config | object | `{"nameservers":[],"searches":[]}` | Optional dns configuration, required when policy is 'None' | +| controlPlane.dns.config.nameservers | list | `[]` | A list of IP addresses that will be used as DNS servers for the Pod. There can be at most 3 IP addresses specified. | +| controlPlane.dns.config.searches | list | `[]` | A list of DNS search domains for hostname lookup in the Pod. | +| cni.enabled | bool | `false` | Install Kuma with CNI instead of proxy init container | +| cni.chained | bool | `false` | Install CNI in chained mode | +| cni.netDir | string | `"/etc/cni/multus/net.d"` | Set the CNI install directory | +| cni.binDir | string | `"/var/lib/cni/bin"` | Set the CNI bin directory | +| cni.confName | string | `"kuma-cni.conf"` | Set the CNI configuration name | +| cni.logLevel | string | `"info"` | CNI log level: one of off,info,debug | +| cni.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node Selector for the CNI pods | +| cni.tolerations | list | `[]` | Tolerations for the CNI pods | +| cni.podAnnotations | object | `{}` | Additional pod annotations | +| cni.namespace | string | `"kube-system"` | Set the CNI namespace | +| cni.image.repository | string | `"kuma-cni"` | CNI image repository | +| cni.image.tag | string | `nil` | CNI image tag - defaults to .Chart.AppVersion | +| cni.image.imagePullPolicy | string | `"IfNotPresent"` | CNI image pull policy | +| cni.delayStartupSeconds | int | `0` | it's only useful in tests to trigger a possible race condition | +| cni.experimental | object | `{"imageEbpf":{"registry":"docker.io/kumahq","repository":"merbridge","tag":"0.8.5"}}` | use new CNI (experimental) | +| cni.experimental.imageEbpf.registry | string | `"docker.io/kumahq"` | CNI experimental eBPF image registry | +| cni.experimental.imageEbpf.repository | string | `"merbridge"` | CNI experimental eBPF image repository | +| cni.experimental.imageEbpf.tag | string | `"0.8.5"` | CNI experimental eBPF image tag | +| cni.resources.requests.cpu | string | `"100m"` | | +| cni.resources.requests.memory | string | `"100Mi"` | | +| cni.resources.limits.memory | string | `"100Mi"` | | +| cni.podSecurityContext | object | `{}` | Security context at the pod level for cni | +| cni.containerSecurityContext | object | `{"readOnlyRootFilesystem":true,"runAsGroup":0,"runAsNonRoot":false,"runAsUser":0}` | Security context at the container level for cni | +| dataPlane.dnsLogging | bool | `false` | If true, then turn on CoreDNS query logging | +| dataPlane.image.repository | string | `"kuma-dp"` | The Kuma DP image repository | +| dataPlane.image.pullPolicy | string | `"IfNotPresent"` | Kuma DP ImagePullPolicy | +| dataPlane.image.tag | string | `nil` | Kuma DP Image Tag. When not specified, the value is copied from global.tag | +| dataPlane.initImage.repository | string | `"kuma-init"` | The Kuma DP init image repository | +| dataPlane.initImage.tag | string | `nil` | Kuma DP init image tag When not specified, the value is copied from global.tag | +| ingress.enabled | bool | `false` | If true, it deploys Ingress for cross cluster communication | +| ingress.extraLabels | object | `{}` | Labels to add to resources, in addition to default labels | +| ingress.drainTime | string | `"30s"` | Time for which old listener will still be active as draining | +| ingress.replicas | int | `1` | Number of replicas of the Ingress. Ignored when autoscaling is enabled. | +| ingress.logLevel | string | `"info"` | Log level for ingress (available values: off|info|debug) | +| ingress.resources | object | `{"limits":{"cpu":"1000m","memory":"512Mi"},"requests":{"cpu":"50m","memory":"64Mi"}}` | Define the resources to allocate to mesh ingress | +| ingress.lifecycle | object | `{}` | Pod lifecycle settings (useful for adding a preStop hook, when using AWS ALB or NLB) | +| ingress.terminationGracePeriodSeconds | int | `40` | Number of seconds to wait before force killing the pod. Make sure to update this if you add a preStop hook. | +| ingress.autoscaling.enabled | bool | `false` | Whether to enable Horizontal Pod Autoscaling, which requires the [Metrics Server](https://github.com/kubernetes-sigs/metrics-server) in the cluster | +| ingress.autoscaling.minReplicas | int | `2` | The minimum CP pods to allow | +| ingress.autoscaling.maxReplicas | int | `5` | The max CP pods to scale to | +| ingress.autoscaling.targetCPUUtilizationPercentage | int | `80` | For clusters that don't support autoscaling/v2, autoscaling/v1 is used | +| ingress.autoscaling.metrics | list | `[{"resource":{"name":"cpu","target":{"averageUtilization":80,"type":"Utilization"}},"type":"Resource"}]` | For clusters that do support autoscaling/v2, use metrics | +| ingress.service.enabled | bool | `true` | Whether to create a Service resource. | +| ingress.service.type | string | `"LoadBalancer"` | Service type of the Ingress | +| ingress.service.loadBalancerIP | string | `nil` | Optionally specify IP to be used by cloud provider when configuring load balancer | +| ingress.service.annotations | object | `{}` | Additional annotations to put on the Ingress service | +| ingress.service.port | int | `10001` | Port on which Ingress is exposed | +| ingress.service.nodePort | string | `nil` | Port on which service is exposed on Node for service of type NodePort | +| ingress.annotations | object | `{}` | Additional pod annotations (deprecated favor `podAnnotations`) | +| ingress.podAnnotations | object | `{}` | Additional pod annotations | +| ingress.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node Selector for the Ingress pods | +| ingress.tolerations | list | `[]` | Tolerations for the Ingress pods | +| ingress.podDisruptionBudget.enabled | bool | `false` | Whether to create a pod disruption budget | +| ingress.podDisruptionBudget.maxUnavailable | int | `1` | The maximum number of unavailable pods allowed by the budget | +| ingress.affinity | object | `{"podAntiAffinity":{"preferredDuringSchedulingIgnoredDuringExecution":[{"podAffinityTerm":{"labelSelector":{"matchExpressions":[{"key":"app.kubernetes.io/name","operator":"In","values":["{{ include \"kuma.name\" . }}"]},{"key":"app.kubernetes.io/instance","operator":"In","values":["{{ .Release.Name }}"]},{"key":"app","operator":"In","values":["kuma-ingress"]}]},"topologyKey":"kubernetes.io/hostname"},"weight":100}]}}` | Affinity placement rule for the Kuma Ingress pods This is rendered as a template, so you can reference other helm variables or includes. | +| ingress.topologySpreadConstraints | string | `nil` | Topology spread constraints rule for the Kuma Mesh Ingress pods. This is rendered as a template, so you can use variables to generate match labels. | +| ingress.podSecurityContext | object | `{"runAsGroup":5678,"runAsNonRoot":true,"runAsUser":5678}` | Security context at the pod level for ingress | +| ingress.containerSecurityContext | object | `{"readOnlyRootFilesystem":true}` | Security context at the container level for ingress | +| ingress.serviceAccountAnnotations | object | `{}` | Annotations to add for Control Plane's Service Account | +| ingress.automountServiceAccountToken | bool | `true` | Whether to automountServiceAccountToken for cp. Optionally set to false | +| ingress.dns | object | `{"config":{"nameservers":[],"searches":[]},"policy":""}` | DNS configuration for the ingress pod. This is equivalent to the [Kubernetes DNS policy](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy). | +| ingress.dns.policy | string | `""` | Defines how DNS resolution is configured for that Pod. | +| ingress.dns.config | object | `{"nameservers":[],"searches":[]}` | Optional dns configuration, required when policy is 'None' | +| ingress.dns.config.nameservers | list | `[]` | A list of IP addresses that will be used as DNS servers for the Pod. There can be at most 3 IP addresses specified. | +| ingress.dns.config.searches | list | `[]` | A list of DNS search domains for hostname lookup in the Pod. | +| egress.enabled | bool | `false` | If true, it deploys Egress for cross cluster communication | +| egress.extraLabels | object | `{}` | Labels to add to resources, in addition to the default labels. | +| egress.drainTime | string | `"30s"` | Time for which old listener will still be active as draining | +| egress.replicas | int | `1` | Number of replicas of the Egress. Ignored when autoscaling is enabled. | +| egress.logLevel | string | `"info"` | Log level for egress (available values: off|info|debug) | +| egress.autoscaling.enabled | bool | `false` | Whether to enable Horizontal Pod Autoscaling, which requires the [Metrics Server](https://github.com/kubernetes-sigs/metrics-server) in the cluster | +| egress.autoscaling.minReplicas | int | `2` | The minimum CP pods to allow | +| egress.autoscaling.maxReplicas | int | `5` | The max CP pods to scale to | +| egress.autoscaling.targetCPUUtilizationPercentage | int | `80` | For clusters that don't support autoscaling/v2, autoscaling/v1 is used | +| egress.autoscaling.metrics | list | `[{"resource":{"name":"cpu","target":{"averageUtilization":80,"type":"Utilization"}},"type":"Resource"}]` | For clusters that do support autoscaling/v2, use metrics | +| egress.resources.requests.cpu | string | `"50m"` | | +| egress.resources.requests.memory | string | `"64Mi"` | | +| egress.resources.limits.cpu | string | `"1000m"` | | +| egress.resources.limits.memory | string | `"512Mi"` | | +| egress.service.enabled | bool | `true` | Whether to create the service object | +| egress.service.type | string | `"ClusterIP"` | Service type of the Egress | +| egress.service.loadBalancerIP | string | `nil` | Optionally specify IP to be used by cloud provider when configuring load balancer | +| egress.service.annotations | object | `{}` | Additional annotations to put on the Egress service | +| egress.service.port | int | `10002` | Port on which Egress is exposed | +| egress.service.nodePort | string | `nil` | Port on which service is exposed on Node for service of type NodePort | +| egress.annotations | object | `{}` | Additional pod annotations (deprecated favor `podAnnotations`) | +| egress.podAnnotations | object | `{}` | Additional pod annotations | +| egress.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node Selector for the Egress pods | +| egress.tolerations | list | `[]` | Tolerations for the Egress pods | +| egress.podDisruptionBudget.enabled | bool | `false` | Whether to create a pod disruption budget | +| egress.podDisruptionBudget.maxUnavailable | int | `1` | The maximum number of unavailable pods allowed by the budget | +| egress.affinity | object | `{"podAntiAffinity":{"preferredDuringSchedulingIgnoredDuringExecution":[{"podAffinityTerm":{"labelSelector":{"matchExpressions":[{"key":"app.kubernetes.io/name","operator":"In","values":["{{ include \"kuma.name\" . }}"]},{"key":"app.kubernetes.io/instance","operator":"In","values":["{{ .Release.Name }}"]},{"key":"app","operator":"In","values":["kuma-egress"]}]},"topologyKey":"kubernetes.io/hostname"},"weight":100}]}}` | Affinity placement rule for the Kuma Egress pods. This is rendered as a template, so you can reference other helm variables or includes. | +| egress.topologySpreadConstraints | string | `nil` | Topology spread constraints rule for the Kuma Egress pods. This is rendered as a template, so you can use variables to generate match labels. | +| egress.podSecurityContext | object | `{"runAsGroup":5678,"runAsNonRoot":true,"runAsUser":5678}` | Security context at the pod level for egress | +| egress.containerSecurityContext | object | `{"readOnlyRootFilesystem":true}` | Security context at the container level for egress | +| egress.serviceAccountAnnotations | object | `{}` | Annotations to add for Control Plane's Service Account | +| egress.automountServiceAccountToken | bool | `true` | Whether to automountServiceAccountToken for cp. Optionally set to false | +| egress.dns | object | `{"config":{"nameservers":[],"searches":[]},"policy":""}` | DNS configuration for the egress pod. This is equivalent to the [Kubernetes DNS policy](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy). | +| egress.dns.policy | string | `""` | Defines how DNS resolution is configured for that Pod. | +| egress.dns.config | object | `{"nameservers":[],"searches":[]}` | Optional dns configuration, required when policy is 'None' | +| egress.dns.config.nameservers | list | `[]` | A list of IP addresses that will be used as DNS servers for the Pod. There can be at most 3 IP addresses specified. | +| egress.dns.config.searches | list | `[]` | A list of DNS search domains for hostname lookup in the Pod. | +| kumactl.image.repository | string | `"kumactl"` | The kumactl image repository | +| kumactl.image.tag | string | `nil` | The kumactl image tag. When not specified, the value is copied from global.tag | +| kubectl.image.registry | string | `"docker.io"` | The kubectl image registry | +| kubectl.image.repository | string | `"bitnami/kubectl"` | The kubectl image repository | +| kubectl.image.tag | string | `"1.27.5"` | The kubectl image tag | +| hooks.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node selector for the HELM hooks | +| hooks.tolerations | list | `[]` | Tolerations for the HELM hooks | +| hooks.podSecurityContext | object | `{"runAsNonRoot":true}` | Security context at the pod level for crd/webhook/ns | +| hooks.containerSecurityContext | object | `{"readOnlyRootFilesystem":true}` | Security context at the container level for crd/webhook/ns | +| hooks.ebpfCleanup | object | `{"containerSecurityContext":{"readOnlyRootFilesystem":false},"podSecurityContext":{"runAsNonRoot":false}}` | ebpf-cleanup hook needs write access to the root filesystem to clean ebpf programs Changing below values will potentially break ebpf cleanup completely, so be cautious when doing so. | +| hooks.ebpfCleanup.podSecurityContext | object | `{"runAsNonRoot":false}` | Security context at the pod level for crd/webhook/cleanup-ebpf | +| hooks.ebpfCleanup.containerSecurityContext | object | `{"readOnlyRootFilesystem":false}` | Security context at the container level for crd/webhook/cleanup-ebpf | +| transparentProxy.configMap.enabled | bool | `false` | If true, enables the use of a ConfigMap to manage transparent proxy configuration instead of directly configuring it within the Kuma system | +| transparentProxy.configMap.name | string | `"kuma-transparent-proxy-config"` | The name of the ConfigMap used to store the transparent proxy configuration | +| transparentProxy.configMap.config.kumaDPUser | string | `"5678"` | The username or UID of the user that will run kuma-dp. If not provided, the system will use the default UID ("5678") or the default username ("kuma-dp") | +| transparentProxy.configMap.config.ipFamilyMode | string | `"dualstack"` | The IP family mode used for configuring traffic redirection in the transparent proxy Supports "dualstack" (for both IPv4 and IPv6) and "ipv4" modes | +| transparentProxy.configMap.config.redirect.dns.enabled | bool | `true` | Enables DNS redirection in the transparent proxy | +| transparentProxy.configMap.config.redirect.dns.captureAll | bool | `true` | Redirect all DNS queries | +| transparentProxy.configMap.config.redirect.dns.port | int | `15053` | The port on which the DNS server listens | +| transparentProxy.configMap.config.redirect.dns.resolvConfigPath | string | `"/etc/resolv.conf"` | Path to the system's resolv.conf file | +| transparentProxy.configMap.config.redirect.dns.skipConntrackZoneSplit | bool | `false` | Disables conntrack zone splitting, which can prevent potential DNS issues | +| transparentProxy.configMap.config.redirect.inbound.enabled | bool | `true` | Enables inbound traffic redirection | +| transparentProxy.configMap.config.redirect.inbound.port | int | `15006` | Port used for redirecting inbound traffic | +| transparentProxy.configMap.config.redirect.inbound.excludePorts | list | `[]` | List of ports to exclude from inbound traffic redirection | +| transparentProxy.configMap.config.redirect.inbound.excludePortsForIPs | list | `[]` | List of IP addresses to exclude from inbound traffic redirection for specific ports | +| transparentProxy.configMap.config.redirect.inbound.excludePortsForUIDs | list | `[]` | List of UIDs to exclude from inbound traffic redirection for specific ports | +| transparentProxy.configMap.config.redirect.inbound.includePorts | list | `[]` | List of ports to include in inbound traffic redirection | +| transparentProxy.configMap.config.redirect.inbound.insertRedirectInsteadOfAppend | bool | `false` | Inserts the redirection rule at the beginning of the chain instead of appending it | +| transparentProxy.configMap.config.redirect.outbound.enabled | bool | `true` | Enables outbound traffic redirection | +| transparentProxy.configMap.config.redirect.outbound.port | int | `15001` | Port used for redirecting outbound traffic | +| transparentProxy.configMap.config.redirect.outbound.excludePorts | list | `[]` | List of ports to exclude from outbound traffic redirection | +| transparentProxy.configMap.config.redirect.outbound.excludePortsForIPs | list | `[]` | List of IP addresses to exclude from outbound traffic redirection for specific ports | +| transparentProxy.configMap.config.redirect.outbound.excludePortsForUIDs | list | `[]` | List of UIDs to exclude from outbound traffic redirection for specific ports | +| transparentProxy.configMap.config.redirect.outbound.includePorts | list | `[]` | List of ports to include in outbound traffic redirection | +| transparentProxy.configMap.config.redirect.outbound.insertRedirectInsteadOfAppend | bool | `false` | Inserts the redirection rule at the beginning of the chain instead of appending it | +| transparentProxy.configMap.config.redirect.vnet.networks | list | `[]` | Specifies virtual networks using the format interfaceName:CIDR Allows matching traffic on specific network interfaces Examples: - "docker0:172.17.0.0/16" - "br+:172.18.0.0/16" (matches any interface starting with "br") - "iface:::1/64" (for IPv6) | +| transparentProxy.configMap.config.ebpf.enabled | bool | `false` | Enables eBPF support for handling traffic redirection in the transparent proxy | +| transparentProxy.configMap.config.ebpf.bpffsPath | string | `"/run/kuma/bpf"` | The path of the BPF filesystem | +| transparentProxy.configMap.config.ebpf.cgroupPath | string | `"/sys/fs/cgroup"` | The path of cgroup2 | +| transparentProxy.configMap.config.ebpf.instanceIPEnvVarName | string | `""` | The name of the environment variable containing the IP address of the instance (pod/vm) where transparent proxy will be installed | +| transparentProxy.configMap.config.ebpf.programsSourcePath | string | `"/tmp/kuma-ebpf"` | Path where compiled eBPF programs and other necessary files for eBPF mode can be found | +| transparentProxy.configMap.config.ebpf.tcAttachIface | string | `""` | The network interface for TC eBPF programs to bind to. If not provided, it will be automatically determined | +| transparentProxy.configMap.config.retry.maxRetries | int | `4` | The maximum number of retry attempts for operations | +| transparentProxy.configMap.config.retry.sleepBetweenRetries | string | `"2s"` | The time duration to wait between retry attempts | +| transparentProxy.configMap.config.iptablesExecutables.iptables | string | `""` | Custom path for the iptables executable (IPv4) | +| transparentProxy.configMap.config.iptablesExecutables.iptables-save | string | `""` | Custom path for the iptables-save executable (IPv4) | +| transparentProxy.configMap.config.iptablesExecutables.iptables-restore | string | `""` | Custom path for the iptables-restore executable (IPv4) | +| transparentProxy.configMap.config.iptablesExecutables.ip6tables | string | `""` | Custom path for the ip6tables executable (IPv6) | +| transparentProxy.configMap.config.iptablesExecutables.ip6tables-save | string | `""` | Custom path for the ip6tables-save executable (IPv6) | +| transparentProxy.configMap.config.iptablesExecutables.ip6tables-restore | string | `""` | Custom path for the ip6tables-restore executable (IPv6) | +| transparentProxy.configMap.config.log.enabled | bool | `false` | Enables logging of iptables rules for diagnostics and monitoring | +| transparentProxy.configMap.config.comments.disabled | bool | `false` | Disables comments in the generated iptables rules | +| transparentProxy.configMap.config.wait | int | `5` | Time in seconds to wait for acquiring the xtables lock before failing Value 0 means wait indefinitely | +| transparentProxy.configMap.config.waitInterval | int | `0` | Time interval between retries to acquire the xtables lock in seconds | +| transparentProxy.configMap.config.dropInvalidPackets | bool | `false` | Drops invalid packets to avoid connection resets in high-throughput scenarios | +| transparentProxy.configMap.config.storeFirewalld | bool | `false` | Enables firewalld support to store iptables rules | +| transparentProxy.configMap.config.verbose | bool | `false` | Enables verbose mode with longer argument/flag names and additional comments | +| experimental.ebpf.enabled | bool | `false` | If true, ebpf will be used instead of using iptables to install/configure transparent proxy | +| experimental.ebpf.instanceIPEnvVarName | string | `"INSTANCE_IP"` | Name of the environmental variable which will contain the IP address of a pod | +| experimental.ebpf.bpffsPath | string | `"/sys/fs/bpf"` | Path where BPF file system should be mounted | +| experimental.ebpf.cgroupPath | string | `"/sys/fs/cgroup"` | Host's cgroup2 path | +| experimental.ebpf.tcAttachIface | string | `""` | Name of the network interface which TC programs should be attached to, we'll try to automatically determine it if empty | +| experimental.ebpf.programsSourcePath | string | `"/tmp/kuma-ebpf"` | Path where compiled eBPF programs which will be installed can be found | +| experimental.sidecarContainers | bool | `false` | If true, enable native Kubernetes sidecars. This requires at least Kubernetes v1.29 | +| postgres.port | string | `"5432"` | Postgres port, password should be provided as a secret reference in "controlPlane.secrets" with the Env value "KUMA_STORE_POSTGRES_PASSWORD". Example: controlPlane: secrets: - Secret: postgres-postgresql Key: postgresql-password Env: KUMA_STORE_POSTGRES_PASSWORD | +| postgres.tls.mode | string | `"disable"` | Mode of TLS connection. Available values are: "disable", "verifyNone", "verifyCa", "verifyFull" | +| postgres.tls.disableSSLSNI | bool | `false` | Whether to disable SNI the postgres `sslsni` option. | +| postgres.tls.caSecretName | string | `nil` | Secret name that contains the ca.crt | +| postgres.tls.secretName | string | `nil` | Secret name that contains the client tls.crt, tls.key | + +## Custom Resource Definitions + +All Kuma CRDs are loaded via the [`crds`](crds) directory. For more detailed information on CRDs and Helm, +please refer to [the Helm documentation][helm-crd]. + +## Deleting + +As part of [Helm's limitations][helm-crd-limitations], CRDs will not be deleted when the `kuma` chart is deleted and +must be deleted manually. When a CRD is deleted Kubernetes deletes all resources of that kind as well, so this should +be done carefully. + +To do this with `kubectl` on *nix platforms, run: + +```shell +kubectl get crds | grep kuma.io | tr -s " " | cut -d " " -f1 | xargs kubectl delete crd + +# or with jq +kubectl get crds -o json | jq '.items[].metadata.name | select(.|test(".*kuma\\.io"))' | xargs kubectl delete crd +``` + +## Autoscaling + +In production, it is advisable to enable Control Plane autoscaling for High Availability. Autoscaling uses the +`HorizontalPodAutoscaler` resource to add redundancy and scale the CP pods based on CPU utilization, which requires +the [k8s metrics-server][kube-metrics-server] to be running on the cluster. + +## Development + +The charts are used internally in `kumactl install`, therefore the following rules apply when developing new chat features: + * all templates that start with `pre-` and `post-` are omitted when processing in `kumactl install` + +### Installing Metrics Server for Autoscaling + +If running on kind, or on a cluster with a similarly self-signed cert, the metrics server must be configured to allow +insecure kubelet TLS. The make task `kind/deploy/metrics-server` installs this patched version of the server. + +[kuma-url]: https://kuma.io/ +[kuma-logo]: https://kuma-public-assets.s3.amazonaws.com/kuma-logo-v2.png +[helm-crd]: https://helm.sh/docs/chart_best_practices/custom_resource_definitions/ +[helm-crd-limitations]: https://helm.sh/docs/topics/charts/#limitations-on-crds +[kube-metrics-server]: https://github.com/kubernetes-sigs/metrics-server diff --git a/charts/kuma/kuma/2.9.1/README.md.gotmpl b/charts/kuma/kuma/2.9.1/README.md.gotmpl new file mode 100644 index 000000000..3b296a411 --- /dev/null +++ b/charts/kuma/kuma/2.9.1/README.md.gotmpl @@ -0,0 +1,52 @@ +[![][kuma-logo]][kuma-url] + +{{ template "chart.description" . }} + +{{ template "chart.typeBadge" . }}{{ template "chart.versionBadge" . }}{{ template "chart.appVersionBadge" . }} + +{{ template "chart.homepageLine" . }} + +{{ template "chart.valuesSection" . }} + +## Custom Resource Definitions + +All Kuma CRDs are loaded via the [`crds`](crds) directory. For more detailed information on CRDs and Helm, +please refer to [the Helm documentation][helm-crd]. + +## Deleting + +As part of [Helm's limitations][helm-crd-limitations], CRDs will not be deleted when the `kuma` chart is deleted and +must be deleted manually. When a CRD is deleted Kubernetes deletes all resources of that kind as well, so this should +be done carefully. + +To do this with `kubectl` on *nix platforms, run: + +```shell +kubectl get crds | grep kuma.io | tr -s " " | cut -d " " -f1 | xargs kubectl delete crd + +# or with jq +kubectl get crds -o json | jq '.items[].metadata.name | select(.|test(".*kuma\\.io"))' | xargs kubectl delete crd +``` + +## Autoscaling + +In production, it is advisable to enable Control Plane autoscaling for High Availability. Autoscaling uses the +`HorizontalPodAutoscaler` resource to add redundancy and scale the CP pods based on CPU utilization, which requires +the [k8s metrics-server][kube-metrics-server] to be running on the cluster. + +## Development + +The charts are used internally in `kumactl install`, therefore the following rules apply when developing new chat features: + * all templates that start with `pre-` and `post-` are omitted when processing in `kumactl install` + +### Installing Metrics Server for Autoscaling + +If running on kind, or on a cluster with a similarly self-signed cert, the metrics server must be configured to allow +insecure kubelet TLS. The make task `kind/deploy/metrics-server` installs this patched version of the server. + + +[kuma-url]: https://kuma.io/ +[kuma-logo]: https://kuma-public-assets.s3.amazonaws.com/kuma-logo-v2.png +[helm-crd]: https://helm.sh/docs/chart_best_practices/custom_resource_definitions/ +[helm-crd-limitations]: https://helm.sh/docs/topics/charts/#limitations-on-crds +[kube-metrics-server]: https://github.com/kubernetes-sigs/metrics-server diff --git a/charts/kuma/kuma/2.9.1/crds/kuma.io_circuitbreakers.yaml b/charts/kuma/kuma/2.9.1/crds/kuma.io_circuitbreakers.yaml new file mode 100644 index 000000000..ea955f2ab --- /dev/null +++ b/charts/kuma/kuma/2.9.1/crds/kuma.io_circuitbreakers.yaml @@ -0,0 +1,50 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.3 + name: circuitbreakers.kuma.io +spec: + group: kuma.io + names: + categories: + - kuma + kind: CircuitBreaker + listKind: CircuitBreakerList + plural: circuitbreakers + singular: circuitbreaker + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + mesh: + description: |- + Mesh is the name of the Kuma mesh this resource belongs to. + It may be omitted for cluster-scoped resources. + type: string + metadata: + type: object + spec: + description: Spec is the specification of the Kuma CircuitBreaker resource. + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true diff --git a/charts/kuma/kuma/2.9.1/crds/kuma.io_containerpatches.yaml b/charts/kuma/kuma/2.9.1/crds/kuma.io_containerpatches.yaml new file mode 100644 index 000000000..9fc77a966 --- /dev/null +++ b/charts/kuma/kuma/2.9.1/crds/kuma.io_containerpatches.yaml @@ -0,0 +1,114 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.3 + name: containerpatches.kuma.io +spec: + group: kuma.io + names: + categories: + - kuma + kind: ContainerPatch + listKind: ContainerPatchList + plural: containerpatches + singular: containerpatch + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: ContainerPatch stores a list of patches to apply to init and + sidecar containers. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + mesh: + type: string + metadata: + type: object + spec: + description: ContainerPatchSpec specifies the options available for a + ContainerPatch + properties: + initPatch: + description: InitPatch specifies jsonpatch to apply to an init container. + items: + description: JsonPatchBlock is one json patch operation block. + properties: + from: + description: From is a jsonpatch from string, used by move and + copy operations. + type: string + op: + description: Op is a jsonpatch operation string. + enum: + - add + - remove + - replace + - move + - copy + type: string + path: + description: Path is a jsonpatch path string. + type: string + value: + description: |- + Value must be a string representing a valid json object used + by replace and add operations. String has to be escaped with " to be valid a json object. + type: string + required: + - op + - path + type: object + type: array + sidecarPatch: + description: SidecarPatch specifies jsonpatch to apply to a sidecar + container. + items: + description: JsonPatchBlock is one json patch operation block. + properties: + from: + description: From is a jsonpatch from string, used by move and + copy operations. + type: string + op: + description: Op is a jsonpatch operation string. + enum: + - add + - remove + - replace + - move + - copy + type: string + path: + description: Path is a jsonpatch path string. + type: string + value: + description: |- + Value must be a string representing a valid json object used + by replace and add operations. String has to be escaped with " to be valid a json object. + type: string + required: + - op + - path + type: object + type: array + type: object + type: object + served: true + storage: true diff --git a/charts/kuma/kuma/2.9.1/crds/kuma.io_dataplaneinsights.yaml b/charts/kuma/kuma/2.9.1/crds/kuma.io_dataplaneinsights.yaml new file mode 100644 index 000000000..23c4538ea --- /dev/null +++ b/charts/kuma/kuma/2.9.1/crds/kuma.io_dataplaneinsights.yaml @@ -0,0 +1,50 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.3 + name: dataplaneinsights.kuma.io +spec: + group: kuma.io + names: + categories: + - kuma + kind: DataplaneInsight + listKind: DataplaneInsightList + plural: dataplaneinsights + singular: dataplaneinsight + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + mesh: + description: |- + Mesh is the name of the Kuma mesh this resource belongs to. + It may be omitted for cluster-scoped resources. + type: string + metadata: + type: object + status: + description: Status is the status the Kuma resource. + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true diff --git a/charts/kuma/kuma/2.9.1/crds/kuma.io_dataplanes.yaml b/charts/kuma/kuma/2.9.1/crds/kuma.io_dataplanes.yaml new file mode 100644 index 000000000..ec8f06342 --- /dev/null +++ b/charts/kuma/kuma/2.9.1/crds/kuma.io_dataplanes.yaml @@ -0,0 +1,70 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.3 + name: dataplanes.kuma.io +spec: + group: kuma.io + names: + categories: + - kuma + kind: Dataplane + listKind: DataplaneList + plural: dataplanes + singular: dataplane + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Service tag of the first inbound + jsonPath: .spec.networking.inbound[0].tags['kuma\.io/service'] + name: kuma.io/service + type: string + - description: Service tag of the second inbound + jsonPath: .spec.networking.inbound[1].tags['kuma\.io/service'] + name: kuma.io/service + type: string + - description: Service tag of the third inbound + jsonPath: .spec.networking.inbound[2].tags['kuma\.io/service'] + name: kuma.io/service + priority: 1 + type: string + - description: Service tag of the fourth inbound + jsonPath: .spec.networking.inbound[3].tags['kuma\.io/service'] + name: kuma.io/service + priority: 1 + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + mesh: + description: |- + Mesh is the name of the Kuma mesh this resource belongs to. + It may be omitted for cluster-scoped resources. + type: string + metadata: + type: object + spec: + description: Spec is the specification of the Kuma Dataplane resource. + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: {} diff --git a/charts/kuma/kuma/2.9.1/crds/kuma.io_externalservices.yaml b/charts/kuma/kuma/2.9.1/crds/kuma.io_externalservices.yaml new file mode 100644 index 000000000..be37a7b7f --- /dev/null +++ b/charts/kuma/kuma/2.9.1/crds/kuma.io_externalservices.yaml @@ -0,0 +1,50 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.3 + name: externalservices.kuma.io +spec: + group: kuma.io + names: + categories: + - kuma + kind: ExternalService + listKind: ExternalServiceList + plural: externalservices + singular: externalservice + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + mesh: + description: |- + Mesh is the name of the Kuma mesh this resource belongs to. + It may be omitted for cluster-scoped resources. + type: string + metadata: + type: object + spec: + description: Spec is the specification of the Kuma ExternalService resource. + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true diff --git a/charts/kuma/kuma/2.9.1/crds/kuma.io_faultinjections.yaml b/charts/kuma/kuma/2.9.1/crds/kuma.io_faultinjections.yaml new file mode 100644 index 000000000..6fb6366d5 --- /dev/null +++ b/charts/kuma/kuma/2.9.1/crds/kuma.io_faultinjections.yaml @@ -0,0 +1,50 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.3 + name: faultinjections.kuma.io +spec: + group: kuma.io + names: + categories: + - kuma + kind: FaultInjection + listKind: FaultInjectionList + plural: faultinjections + singular: faultinjection + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + mesh: + description: |- + Mesh is the name of the Kuma mesh this resource belongs to. + It may be omitted for cluster-scoped resources. + type: string + metadata: + type: object + spec: + description: Spec is the specification of the Kuma FaultInjection resource. + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true diff --git a/charts/kuma/kuma/2.9.1/crds/kuma.io_healthchecks.yaml b/charts/kuma/kuma/2.9.1/crds/kuma.io_healthchecks.yaml new file mode 100644 index 000000000..9f2d075b5 --- /dev/null +++ b/charts/kuma/kuma/2.9.1/crds/kuma.io_healthchecks.yaml @@ -0,0 +1,50 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.3 + name: healthchecks.kuma.io +spec: + group: kuma.io + names: + categories: + - kuma + kind: HealthCheck + listKind: HealthCheckList + plural: healthchecks + singular: healthcheck + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + mesh: + description: |- + Mesh is the name of the Kuma mesh this resource belongs to. + It may be omitted for cluster-scoped resources. + type: string + metadata: + type: object + spec: + description: Spec is the specification of the Kuma HealthCheck resource. + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true diff --git a/charts/kuma/kuma/2.9.1/crds/kuma.io_hostnamegenerators.yaml b/charts/kuma/kuma/2.9.1/crds/kuma.io_hostnamegenerators.yaml new file mode 100644 index 000000000..943421775 --- /dev/null +++ b/charts/kuma/kuma/2.9.1/crds/kuma.io_hostnamegenerators.yaml @@ -0,0 +1,72 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.3 + name: hostnamegenerators.kuma.io +spec: + group: kuma.io + names: + categories: + - kuma + kind: HostnameGenerator + listKind: HostnameGeneratorList + plural: hostnamegenerators + singular: hostnamegenerator + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec is the specification of the Kuma HostnameGenerator resource. + properties: + selector: + properties: + meshExternalService: + properties: + matchLabels: + additionalProperties: + type: string + type: object + type: object + meshMultiZoneService: + properties: + matchLabels: + additionalProperties: + type: string + type: object + type: object + meshService: + properties: + matchLabels: + additionalProperties: + type: string + type: object + type: object + type: object + template: + type: string + type: object + type: object + served: true + storage: true diff --git a/charts/kuma/kuma/2.9.1/crds/kuma.io_meshaccesslogs.yaml b/charts/kuma/kuma/2.9.1/crds/kuma.io_meshaccesslogs.yaml new file mode 100644 index 000000000..16191c5ba --- /dev/null +++ b/charts/kuma/kuma/2.9.1/crds/kuma.io_meshaccesslogs.yaml @@ -0,0 +1,557 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.3 + name: meshaccesslogs.kuma.io +spec: + group: kuma.io + names: + categories: + - kuma + kind: MeshAccessLog + listKind: MeshAccessLogList + plural: meshaccesslogs + singular: meshaccesslog + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.targetRef.kind + name: TargetRef Kind + type: string + - jsonPath: .spec.targetRef.name + name: TargetRef Name + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec is the specification of the Kuma MeshAccessLog resource. + properties: + from: + description: From list makes a match between clients and corresponding + configurations + items: + properties: + default: + description: |- + Default is a configuration specific to the group of clients referenced in + 'targetRef' + properties: + backends: + items: + properties: + file: + description: FileBackend defines configuration for + file based access logs + properties: + format: + description: |- + Format of access logs. Placeholders available on + https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators + properties: + json: + example: + - key: start_time + value: '%START_TIME%' + - key: bytes_received + value: '%BYTES_RECEIVED%' + items: + properties: + key: + type: string + value: + type: string + type: object + type: array + omitEmptyValues: + default: false + type: boolean + plain: + example: '[%START_TIME%] %KUMA_MESH% %UPSTREAM_HOST%' + type: string + type: + enum: + - Plain + - Json + type: string + required: + - type + type: object + path: + description: Path to a file that logs will be + written to + example: /tmp/access.log + minLength: 1 + type: string + required: + - path + type: object + openTelemetry: + description: Defines an OpenTelemetry logging backend. + properties: + attributes: + description: |- + Attributes can contain placeholders available on + https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators + example: + - key: mesh + value: '%KUMA_MESH%' + items: + properties: + key: + type: string + value: + type: string + type: object + type: array + body: + description: |- + Body is a raw string or an OTLP any value as described at + https://github.com/open-telemetry/opentelemetry-specification/blob/main/specification/logs/data-model.md#field-body + It can contain placeholders available on + https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators + example: + kvlistValue: + values: + - key: mesh + value: + stringValue: '%KUMA_MESH%' + x-kubernetes-preserve-unknown-fields: true + endpoint: + description: Endpoint of OpenTelemetry collector. + An empty port defaults to 4317. + example: otel-collector:4317 + minLength: 1 + type: string + required: + - endpoint + type: object + tcp: + description: TCPBackend defines a TCP logging backend. + properties: + address: + description: Address of the TCP logging backend + example: 127.0.0.1:5000 + minLength: 1 + type: string + format: + description: |- + Format of access logs. Placeholders available on + https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators + properties: + json: + example: + - key: start_time + value: '%START_TIME%' + - key: bytes_received + value: '%BYTES_RECEIVED%' + items: + properties: + key: + type: string + value: + type: string + type: object + type: array + omitEmptyValues: + default: false + type: boolean + plain: + example: '[%START_TIME%] %KUMA_MESH% %UPSTREAM_HOST%' + type: string + type: + enum: + - Plain + - Json + type: string + required: + - type + type: object + required: + - address + type: object + type: + enum: + - Tcp + - File + - OpenTelemetry + type: string + required: + - type + type: object + type: array + type: object + targetRef: + description: |- + TargetRef is a reference to the resource that represents a group of + clients. + properties: + kind: + description: Kind of the referenced resource + enum: + - Mesh + - MeshSubset + - MeshGateway + - MeshService + - MeshExternalService + - MeshMultiZoneService + - MeshServiceSubset + - MeshHTTPRoute + type: string + labels: + additionalProperties: + type: string + description: |- + Labels are used to select group of MeshServices that match labels. Either Labels or + Name and Namespace can be used. + type: object + mesh: + description: Mesh is reserved for future use to identify + cross mesh resources. + type: string + name: + description: |- + Name of the referenced resource. Can only be used with kinds: `MeshService`, + `MeshServiceSubset` and `MeshGatewayRoute` + type: string + namespace: + description: |- + Namespace specifies the namespace of target resource. If empty only resources in policy namespace + will be targeted. + type: string + proxyTypes: + description: |- + ProxyTypes specifies the data plane types that are subject to the policy. When not specified, + all data plane types are targeted by the policy. + items: + enum: + - Sidecar + - Gateway + type: string + minItems: 1 + type: array + sectionName: + description: |- + SectionName is used to target specific section of resource. + For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected. + type: string + tags: + additionalProperties: + type: string + description: |- + Tags used to select a subset of proxies by tags. Can only be used with kinds + `MeshSubset` and `MeshServiceSubset` + type: object + type: object + required: + - targetRef + type: object + type: array + targetRef: + description: |- + TargetRef is a reference to the resource the policy takes an effect on. + The resource could be either a real store object or virtual resource + defined in-place. + properties: + kind: + description: Kind of the referenced resource + enum: + - Mesh + - MeshSubset + - MeshGateway + - MeshService + - MeshExternalService + - MeshMultiZoneService + - MeshServiceSubset + - MeshHTTPRoute + type: string + labels: + additionalProperties: + type: string + description: |- + Labels are used to select group of MeshServices that match labels. Either Labels or + Name and Namespace can be used. + type: object + mesh: + description: Mesh is reserved for future use to identify cross + mesh resources. + type: string + name: + description: |- + Name of the referenced resource. Can only be used with kinds: `MeshService`, + `MeshServiceSubset` and `MeshGatewayRoute` + type: string + namespace: + description: |- + Namespace specifies the namespace of target resource. If empty only resources in policy namespace + will be targeted. + type: string + proxyTypes: + description: |- + ProxyTypes specifies the data plane types that are subject to the policy. When not specified, + all data plane types are targeted by the policy. + items: + enum: + - Sidecar + - Gateway + type: string + minItems: 1 + type: array + sectionName: + description: |- + SectionName is used to target specific section of resource. + For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected. + type: string + tags: + additionalProperties: + type: string + description: |- + Tags used to select a subset of proxies by tags. Can only be used with kinds + `MeshSubset` and `MeshServiceSubset` + type: object + type: object + to: + description: To list makes a match between the consumed services and + corresponding configurations + items: + properties: + default: + description: |- + Default is a configuration specific to the group of destinations referenced in + 'targetRef' + properties: + backends: + items: + properties: + file: + description: FileBackend defines configuration for + file based access logs + properties: + format: + description: |- + Format of access logs. Placeholders available on + https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators + properties: + json: + example: + - key: start_time + value: '%START_TIME%' + - key: bytes_received + value: '%BYTES_RECEIVED%' + items: + properties: + key: + type: string + value: + type: string + type: object + type: array + omitEmptyValues: + default: false + type: boolean + plain: + example: '[%START_TIME%] %KUMA_MESH% %UPSTREAM_HOST%' + type: string + type: + enum: + - Plain + - Json + type: string + required: + - type + type: object + path: + description: Path to a file that logs will be + written to + example: /tmp/access.log + minLength: 1 + type: string + required: + - path + type: object + openTelemetry: + description: Defines an OpenTelemetry logging backend. + properties: + attributes: + description: |- + Attributes can contain placeholders available on + https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators + example: + - key: mesh + value: '%KUMA_MESH%' + items: + properties: + key: + type: string + value: + type: string + type: object + type: array + body: + description: |- + Body is a raw string or an OTLP any value as described at + https://github.com/open-telemetry/opentelemetry-specification/blob/main/specification/logs/data-model.md#field-body + It can contain placeholders available on + https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators + example: + kvlistValue: + values: + - key: mesh + value: + stringValue: '%KUMA_MESH%' + x-kubernetes-preserve-unknown-fields: true + endpoint: + description: Endpoint of OpenTelemetry collector. + An empty port defaults to 4317. + example: otel-collector:4317 + minLength: 1 + type: string + required: + - endpoint + type: object + tcp: + description: TCPBackend defines a TCP logging backend. + properties: + address: + description: Address of the TCP logging backend + example: 127.0.0.1:5000 + minLength: 1 + type: string + format: + description: |- + Format of access logs. Placeholders available on + https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators + properties: + json: + example: + - key: start_time + value: '%START_TIME%' + - key: bytes_received + value: '%BYTES_RECEIVED%' + items: + properties: + key: + type: string + value: + type: string + type: object + type: array + omitEmptyValues: + default: false + type: boolean + plain: + example: '[%START_TIME%] %KUMA_MESH% %UPSTREAM_HOST%' + type: string + type: + enum: + - Plain + - Json + type: string + required: + - type + type: object + required: + - address + type: object + type: + enum: + - Tcp + - File + - OpenTelemetry + type: string + required: + - type + type: object + type: array + type: object + targetRef: + description: |- + TargetRef is a reference to the resource that represents a group of + destinations. + properties: + kind: + description: Kind of the referenced resource + enum: + - Mesh + - MeshSubset + - MeshGateway + - MeshService + - MeshExternalService + - MeshMultiZoneService + - MeshServiceSubset + - MeshHTTPRoute + type: string + labels: + additionalProperties: + type: string + description: |- + Labels are used to select group of MeshServices that match labels. Either Labels or + Name and Namespace can be used. + type: object + mesh: + description: Mesh is reserved for future use to identify + cross mesh resources. + type: string + name: + description: |- + Name of the referenced resource. Can only be used with kinds: `MeshService`, + `MeshServiceSubset` and `MeshGatewayRoute` + type: string + namespace: + description: |- + Namespace specifies the namespace of target resource. If empty only resources in policy namespace + will be targeted. + type: string + proxyTypes: + description: |- + ProxyTypes specifies the data plane types that are subject to the policy. When not specified, + all data plane types are targeted by the policy. + items: + enum: + - Sidecar + - Gateway + type: string + minItems: 1 + type: array + sectionName: + description: |- + SectionName is used to target specific section of resource. + For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected. + type: string + tags: + additionalProperties: + type: string + description: |- + Tags used to select a subset of proxies by tags. Can only be used with kinds + `MeshSubset` and `MeshServiceSubset` + type: object + type: object + required: + - targetRef + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: {} diff --git a/charts/kuma/kuma/2.9.1/crds/kuma.io_meshcircuitbreakers.yaml b/charts/kuma/kuma/2.9.1/crds/kuma.io_meshcircuitbreakers.yaml new file mode 100644 index 000000000..bea1fb597 --- /dev/null +++ b/charts/kuma/kuma/2.9.1/crds/kuma.io_meshcircuitbreakers.yaml @@ -0,0 +1,739 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.3 + name: meshcircuitbreakers.kuma.io +spec: + group: kuma.io + names: + categories: + - kuma + kind: MeshCircuitBreaker + listKind: MeshCircuitBreakerList + plural: meshcircuitbreakers + singular: meshcircuitbreaker + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.targetRef.kind + name: TargetRef Kind + type: string + - jsonPath: .spec.targetRef.name + name: TargetRef Name + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec is the specification of the Kuma MeshCircuitBreaker + resource. + properties: + from: + description: From list makes a match between clients and corresponding + configurations + items: + properties: + default: + description: |- + Default is a configuration specific to the group of destinations + referenced in 'targetRef' + properties: + connectionLimits: + description: |- + ConnectionLimits contains configuration of each circuit breaking limit, + which when exceeded makes the circuit breaker to become open (no traffic + is allowed like no current is allowed in the circuits when physical + circuit breaker ir open) + properties: + maxConnectionPools: + description: |- + The maximum number of connection pools per cluster that are concurrently + supported at once. Set this for clusters which create a large number of + connection pools. + format: int32 + type: integer + maxConnections: + description: |- + The maximum number of connections allowed to be made to the upstream + cluster. + format: int32 + type: integer + maxPendingRequests: + description: |- + The maximum number of pending requests that are allowed to the upstream + cluster. This limit is applied as a connection limit for non-HTTP + traffic. + format: int32 + type: integer + maxRequests: + description: |- + The maximum number of parallel requests that are allowed to be made + to the upstream cluster. This limit does not apply to non-HTTP traffic. + format: int32 + type: integer + maxRetries: + description: |- + The maximum number of parallel retries that will be allowed to + the upstream cluster. + format: int32 + type: integer + type: object + outlierDetection: + description: |- + OutlierDetection contains the configuration of the process of dynamically + determining whether some number of hosts in an upstream cluster are + performing unlike the others and removing them from the healthy load + balancing set. Performance might be along different axes such as + consecutive failures, temporal success rate, temporal latency, etc. + Outlier detection is a form of passive health checking. + properties: + baseEjectionTime: + description: |- + The base time that a host is ejected for. The real time is equal to + the base time multiplied by the number of times the host has been + ejected. + type: string + detectors: + description: Contains configuration for supported outlier + detectors + properties: + failurePercentage: + description: |- + Failure Percentage based outlier detection functions similarly to success + rate detection, in that it relies on success rate data from each host in + a cluster. However, rather than compare those values to the mean success + rate of the cluster as a whole, they are compared to a flat + user-configured threshold. This threshold is configured via the + outlierDetection.failurePercentageThreshold field. + The other configuration fields for failure percentage based detection are + similar to the fields for success rate detection. As with success rate + detection, detection will not be performed for a host if its request + volume over the aggregation interval is less than the + outlierDetection.detectors.failurePercentage.requestVolume value. + Detection also will not be performed for a cluster if the number of hosts + with the minimum required request volume in an interval is less than the + outlierDetection.detectors.failurePercentage.minimumHosts value. + properties: + minimumHosts: + description: |- + The minimum number of hosts in a cluster in order to perform failure + percentage-based ejection. If the total number of hosts in the cluster is + less than this value, failure percentage-based ejection will not be + performed. + format: int32 + type: integer + requestVolume: + description: |- + The minimum number of total requests that must be collected in one + interval (as defined by the interval duration above) to perform failure + percentage-based ejection for this host. If the volume is lower than this + setting, failure percentage-based ejection will not be performed for this + host. + format: int32 + type: integer + threshold: + description: |- + The failure percentage to use when determining failure percentage-based + outlier detection. If the failure percentage of a given host is greater + than or equal to this value, it will be ejected. + format: int32 + type: integer + type: object + gatewayFailures: + description: |- + In the default mode (outlierDetection.splitExternalLocalOriginErrors is + false) this detection type takes into account a subset of 5xx errors, + called "gateway errors" (502, 503 or 504 status code) and local origin + failures, such as timeout, TCP reset etc. + In split mode (outlierDetection.splitExternalLocalOriginErrors is true) + this detection type takes into account a subset of 5xx errors, called + "gateway errors" (502, 503 or 504 status code) and is supported only by + the http router. + properties: + consecutive: + description: |- + The number of consecutive gateway failures (502, 503, 504 status codes) + before a consecutive gateway failure ejection occurs. + format: int32 + type: integer + type: object + localOriginFailures: + description: |- + This detection type is enabled only when + outlierDetection.splitExternalLocalOriginErrors is true and takes into + account only locally originated errors (timeout, reset, etc). + If Envoy repeatedly cannot connect to an upstream host or communication + with the upstream host is repeatedly interrupted, it will be ejected. + Various locally originated problems are detected: timeout, TCP reset, + ICMP errors, etc. This detection type is supported by http router and + tcp proxy. + properties: + consecutive: + description: |- + The number of consecutive locally originated failures before ejection + occurs. Parameter takes effect only when splitExternalAndLocalErrors + is set to true. + format: int32 + type: integer + type: object + successRate: + description: |- + Success Rate based outlier detection aggregates success rate data from + every host in a cluster. Then at given intervals ejects hosts based on + statistical outlier detection. Success Rate outlier detection will not be + calculated for a host if its request volume over the aggregation interval + is less than the outlierDetection.detectors.successRate.requestVolume + value. + Moreover, detection will not be performed for a cluster if the number of + hosts with the minimum required request volume in an interval is less + than the outlierDetection.detectors.successRate.minimumHosts value. + In the default configuration mode + (outlierDetection.splitExternalLocalOriginErrors is false) this detection + type takes into account all types of errors: locally and externally + originated. + In split mode (outlierDetection.splitExternalLocalOriginErrors is true), + locally originated errors and externally originated (transaction) errors + are counted and treated separately. + properties: + minimumHosts: + description: |- + The number of hosts in a cluster that must have enough request volume to + detect success rate outliers. If the number of hosts is less than this + setting, outlier detection via success rate statistics is not performed + for any host in the cluster. + format: int32 + type: integer + requestVolume: + description: |- + The minimum number of total requests that must be collected in one + interval (as defined by the interval duration configured in + outlierDetection section) to include this host in success rate based + outlier detection. If the volume is lower than this setting, outlier + detection via success rate statistics is not performed for that host. + format: int32 + type: integer + standardDeviationFactor: + anyOf: + - type: integer + - type: string + description: |- + This factor is used to determine the ejection threshold for success rate + outlier ejection. The ejection threshold is the difference between + the mean success rate, and the product of this factor and the standard + deviation of the mean success rate: mean - (standard_deviation * + success_rate_standard_deviation_factor). + Either int or decimal represented as string. + x-kubernetes-int-or-string: true + type: object + totalFailures: + description: |- + In the default mode (outlierDetection.splitExternalAndLocalErrors is + false) this detection type takes into account all generated errors: + locally originated and externally originated (transaction) errors. + In split mode (outlierDetection.splitExternalLocalOriginErrors is true) + this detection type takes into account only externally originated + (transaction) errors, ignoring locally originated errors. + If an upstream host is an HTTP-server, only 5xx types of error are taken + into account (see Consecutive Gateway Failure for exceptions). + Properly formatted responses, even when they carry an operational error + (like index not found, access denied) are not taken into account. + properties: + consecutive: + description: |- + The number of consecutive server-side error responses (for HTTP traffic, + 5xx responses; for TCP traffic, connection failures; for Redis, failure + to respond PONG; etc.) before a consecutive total failure ejection + occurs. + format: int32 + type: integer + type: object + type: object + disabled: + description: When set to true, outlierDetection configuration + won't take any effect + type: boolean + interval: + description: |- + The time interval between ejection analysis sweeps. This can result in + both new ejections and hosts being returned to service. + type: string + maxEjectionPercent: + description: |- + The maximum % of an upstream cluster that can be ejected due to outlier + detection. Defaults to 10% but will eject at least one host regardless of + the value. + format: int32 + type: integer + splitExternalAndLocalErrors: + description: |- + Determines whether to distinguish local origin failures from external + errors. If set to true the following configuration parameters are taken + into account: detectors.localOriginFailures.consecutive + type: boolean + type: object + type: object + targetRef: + description: |- + TargetRef is a reference to the resource that represents a group of + destinations. + properties: + kind: + description: Kind of the referenced resource + enum: + - Mesh + - MeshSubset + - MeshGateway + - MeshService + - MeshExternalService + - MeshMultiZoneService + - MeshServiceSubset + - MeshHTTPRoute + type: string + labels: + additionalProperties: + type: string + description: |- + Labels are used to select group of MeshServices that match labels. Either Labels or + Name and Namespace can be used. + type: object + mesh: + description: Mesh is reserved for future use to identify + cross mesh resources. + type: string + name: + description: |- + Name of the referenced resource. Can only be used with kinds: `MeshService`, + `MeshServiceSubset` and `MeshGatewayRoute` + type: string + namespace: + description: |- + Namespace specifies the namespace of target resource. If empty only resources in policy namespace + will be targeted. + type: string + proxyTypes: + description: |- + ProxyTypes specifies the data plane types that are subject to the policy. When not specified, + all data plane types are targeted by the policy. + items: + enum: + - Sidecar + - Gateway + type: string + minItems: 1 + type: array + sectionName: + description: |- + SectionName is used to target specific section of resource. + For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected. + type: string + tags: + additionalProperties: + type: string + description: |- + Tags used to select a subset of proxies by tags. Can only be used with kinds + `MeshSubset` and `MeshServiceSubset` + type: object + type: object + required: + - targetRef + type: object + type: array + targetRef: + description: |- + TargetRef is a reference to the resource the policy takes an effect on. + The resource could be either a real store object or virtual resource + defined in place. + properties: + kind: + description: Kind of the referenced resource + enum: + - Mesh + - MeshSubset + - MeshGateway + - MeshService + - MeshExternalService + - MeshMultiZoneService + - MeshServiceSubset + - MeshHTTPRoute + type: string + labels: + additionalProperties: + type: string + description: |- + Labels are used to select group of MeshServices that match labels. Either Labels or + Name and Namespace can be used. + type: object + mesh: + description: Mesh is reserved for future use to identify cross + mesh resources. + type: string + name: + description: |- + Name of the referenced resource. Can only be used with kinds: `MeshService`, + `MeshServiceSubset` and `MeshGatewayRoute` + type: string + namespace: + description: |- + Namespace specifies the namespace of target resource. If empty only resources in policy namespace + will be targeted. + type: string + proxyTypes: + description: |- + ProxyTypes specifies the data plane types that are subject to the policy. When not specified, + all data plane types are targeted by the policy. + items: + enum: + - Sidecar + - Gateway + type: string + minItems: 1 + type: array + sectionName: + description: |- + SectionName is used to target specific section of resource. + For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected. + type: string + tags: + additionalProperties: + type: string + description: |- + Tags used to select a subset of proxies by tags. Can only be used with kinds + `MeshSubset` and `MeshServiceSubset` + type: object + type: object + to: + description: |- + To list makes a match between the consumed services and corresponding + configurations + items: + properties: + default: + description: |- + Default is a configuration specific to the group of destinations + referenced in 'targetRef' + properties: + connectionLimits: + description: |- + ConnectionLimits contains configuration of each circuit breaking limit, + which when exceeded makes the circuit breaker to become open (no traffic + is allowed like no current is allowed in the circuits when physical + circuit breaker ir open) + properties: + maxConnectionPools: + description: |- + The maximum number of connection pools per cluster that are concurrently + supported at once. Set this for clusters which create a large number of + connection pools. + format: int32 + type: integer + maxConnections: + description: |- + The maximum number of connections allowed to be made to the upstream + cluster. + format: int32 + type: integer + maxPendingRequests: + description: |- + The maximum number of pending requests that are allowed to the upstream + cluster. This limit is applied as a connection limit for non-HTTP + traffic. + format: int32 + type: integer + maxRequests: + description: |- + The maximum number of parallel requests that are allowed to be made + to the upstream cluster. This limit does not apply to non-HTTP traffic. + format: int32 + type: integer + maxRetries: + description: |- + The maximum number of parallel retries that will be allowed to + the upstream cluster. + format: int32 + type: integer + type: object + outlierDetection: + description: |- + OutlierDetection contains the configuration of the process of dynamically + determining whether some number of hosts in an upstream cluster are + performing unlike the others and removing them from the healthy load + balancing set. Performance might be along different axes such as + consecutive failures, temporal success rate, temporal latency, etc. + Outlier detection is a form of passive health checking. + properties: + baseEjectionTime: + description: |- + The base time that a host is ejected for. The real time is equal to + the base time multiplied by the number of times the host has been + ejected. + type: string + detectors: + description: Contains configuration for supported outlier + detectors + properties: + failurePercentage: + description: |- + Failure Percentage based outlier detection functions similarly to success + rate detection, in that it relies on success rate data from each host in + a cluster. However, rather than compare those values to the mean success + rate of the cluster as a whole, they are compared to a flat + user-configured threshold. This threshold is configured via the + outlierDetection.failurePercentageThreshold field. + The other configuration fields for failure percentage based detection are + similar to the fields for success rate detection. As with success rate + detection, detection will not be performed for a host if its request + volume over the aggregation interval is less than the + outlierDetection.detectors.failurePercentage.requestVolume value. + Detection also will not be performed for a cluster if the number of hosts + with the minimum required request volume in an interval is less than the + outlierDetection.detectors.failurePercentage.minimumHosts value. + properties: + minimumHosts: + description: |- + The minimum number of hosts in a cluster in order to perform failure + percentage-based ejection. If the total number of hosts in the cluster is + less than this value, failure percentage-based ejection will not be + performed. + format: int32 + type: integer + requestVolume: + description: |- + The minimum number of total requests that must be collected in one + interval (as defined by the interval duration above) to perform failure + percentage-based ejection for this host. If the volume is lower than this + setting, failure percentage-based ejection will not be performed for this + host. + format: int32 + type: integer + threshold: + description: |- + The failure percentage to use when determining failure percentage-based + outlier detection. If the failure percentage of a given host is greater + than or equal to this value, it will be ejected. + format: int32 + type: integer + type: object + gatewayFailures: + description: |- + In the default mode (outlierDetection.splitExternalLocalOriginErrors is + false) this detection type takes into account a subset of 5xx errors, + called "gateway errors" (502, 503 or 504 status code) and local origin + failures, such as timeout, TCP reset etc. + In split mode (outlierDetection.splitExternalLocalOriginErrors is true) + this detection type takes into account a subset of 5xx errors, called + "gateway errors" (502, 503 or 504 status code) and is supported only by + the http router. + properties: + consecutive: + description: |- + The number of consecutive gateway failures (502, 503, 504 status codes) + before a consecutive gateway failure ejection occurs. + format: int32 + type: integer + type: object + localOriginFailures: + description: |- + This detection type is enabled only when + outlierDetection.splitExternalLocalOriginErrors is true and takes into + account only locally originated errors (timeout, reset, etc). + If Envoy repeatedly cannot connect to an upstream host or communication + with the upstream host is repeatedly interrupted, it will be ejected. + Various locally originated problems are detected: timeout, TCP reset, + ICMP errors, etc. This detection type is supported by http router and + tcp proxy. + properties: + consecutive: + description: |- + The number of consecutive locally originated failures before ejection + occurs. Parameter takes effect only when splitExternalAndLocalErrors + is set to true. + format: int32 + type: integer + type: object + successRate: + description: |- + Success Rate based outlier detection aggregates success rate data from + every host in a cluster. Then at given intervals ejects hosts based on + statistical outlier detection. Success Rate outlier detection will not be + calculated for a host if its request volume over the aggregation interval + is less than the outlierDetection.detectors.successRate.requestVolume + value. + Moreover, detection will not be performed for a cluster if the number of + hosts with the minimum required request volume in an interval is less + than the outlierDetection.detectors.successRate.minimumHosts value. + In the default configuration mode + (outlierDetection.splitExternalLocalOriginErrors is false) this detection + type takes into account all types of errors: locally and externally + originated. + In split mode (outlierDetection.splitExternalLocalOriginErrors is true), + locally originated errors and externally originated (transaction) errors + are counted and treated separately. + properties: + minimumHosts: + description: |- + The number of hosts in a cluster that must have enough request volume to + detect success rate outliers. If the number of hosts is less than this + setting, outlier detection via success rate statistics is not performed + for any host in the cluster. + format: int32 + type: integer + requestVolume: + description: |- + The minimum number of total requests that must be collected in one + interval (as defined by the interval duration configured in + outlierDetection section) to include this host in success rate based + outlier detection. If the volume is lower than this setting, outlier + detection via success rate statistics is not performed for that host. + format: int32 + type: integer + standardDeviationFactor: + anyOf: + - type: integer + - type: string + description: |- + This factor is used to determine the ejection threshold for success rate + outlier ejection. The ejection threshold is the difference between + the mean success rate, and the product of this factor and the standard + deviation of the mean success rate: mean - (standard_deviation * + success_rate_standard_deviation_factor). + Either int or decimal represented as string. + x-kubernetes-int-or-string: true + type: object + totalFailures: + description: |- + In the default mode (outlierDetection.splitExternalAndLocalErrors is + false) this detection type takes into account all generated errors: + locally originated and externally originated (transaction) errors. + In split mode (outlierDetection.splitExternalLocalOriginErrors is true) + this detection type takes into account only externally originated + (transaction) errors, ignoring locally originated errors. + If an upstream host is an HTTP-server, only 5xx types of error are taken + into account (see Consecutive Gateway Failure for exceptions). + Properly formatted responses, even when they carry an operational error + (like index not found, access denied) are not taken into account. + properties: + consecutive: + description: |- + The number of consecutive server-side error responses (for HTTP traffic, + 5xx responses; for TCP traffic, connection failures; for Redis, failure + to respond PONG; etc.) before a consecutive total failure ejection + occurs. + format: int32 + type: integer + type: object + type: object + disabled: + description: When set to true, outlierDetection configuration + won't take any effect + type: boolean + interval: + description: |- + The time interval between ejection analysis sweeps. This can result in + both new ejections and hosts being returned to service. + type: string + maxEjectionPercent: + description: |- + The maximum % of an upstream cluster that can be ejected due to outlier + detection. Defaults to 10% but will eject at least one host regardless of + the value. + format: int32 + type: integer + splitExternalAndLocalErrors: + description: |- + Determines whether to distinguish local origin failures from external + errors. If set to true the following configuration parameters are taken + into account: detectors.localOriginFailures.consecutive + type: boolean + type: object + type: object + targetRef: + description: |- + TargetRef is a reference to the resource that represents a group of + destinations. + properties: + kind: + description: Kind of the referenced resource + enum: + - Mesh + - MeshSubset + - MeshGateway + - MeshService + - MeshExternalService + - MeshMultiZoneService + - MeshServiceSubset + - MeshHTTPRoute + type: string + labels: + additionalProperties: + type: string + description: |- + Labels are used to select group of MeshServices that match labels. Either Labels or + Name and Namespace can be used. + type: object + mesh: + description: Mesh is reserved for future use to identify + cross mesh resources. + type: string + name: + description: |- + Name of the referenced resource. Can only be used with kinds: `MeshService`, + `MeshServiceSubset` and `MeshGatewayRoute` + type: string + namespace: + description: |- + Namespace specifies the namespace of target resource. If empty only resources in policy namespace + will be targeted. + type: string + proxyTypes: + description: |- + ProxyTypes specifies the data plane types that are subject to the policy. When not specified, + all data plane types are targeted by the policy. + items: + enum: + - Sidecar + - Gateway + type: string + minItems: 1 + type: array + sectionName: + description: |- + SectionName is used to target specific section of resource. + For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected. + type: string + tags: + additionalProperties: + type: string + description: |- + Tags used to select a subset of proxies by tags. Can only be used with kinds + `MeshSubset` and `MeshServiceSubset` + type: object + type: object + required: + - targetRef + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: {} diff --git a/charts/kuma/kuma/2.9.1/crds/kuma.io_meshes.yaml b/charts/kuma/kuma/2.9.1/crds/kuma.io_meshes.yaml new file mode 100644 index 000000000..a9fec649c --- /dev/null +++ b/charts/kuma/kuma/2.9.1/crds/kuma.io_meshes.yaml @@ -0,0 +1,50 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.3 + name: meshes.kuma.io +spec: + group: kuma.io + names: + categories: + - kuma + kind: Mesh + listKind: MeshList + plural: meshes + singular: mesh + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + mesh: + description: |- + Mesh is the name of the Kuma mesh this resource belongs to. + It may be omitted for cluster-scoped resources. + type: string + metadata: + type: object + spec: + description: Spec is the specification of the Kuma Mesh resource. + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true diff --git a/charts/kuma/kuma/2.9.1/crds/kuma.io_meshexternalservices.yaml b/charts/kuma/kuma/2.9.1/crds/kuma.io_meshexternalservices.yaml new file mode 100644 index 000000000..12f87ab5a --- /dev/null +++ b/charts/kuma/kuma/2.9.1/crds/kuma.io_meshexternalservices.yaml @@ -0,0 +1,333 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.3 + name: meshexternalservices.kuma.io +spec: + group: kuma.io + names: + categories: + - kuma + kind: MeshExternalService + listKind: MeshExternalServiceList + plural: meshexternalservices + singular: meshexternalservice + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .status.addresses[0].hostname + name: Hostname + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec is the specification of the Kuma MeshExternalService + resource. + properties: + endpoints: + description: Endpoints defines a list of destinations to send traffic + to. + items: + properties: + address: + description: Address defines an address to which a user want + to send a request. Is possible to provide `domain`, `ip`. + example: example.com + minLength: 1 + type: string + port: + description: Port of the endpoint + maximum: 65535 + minimum: 1 + type: integer + required: + - address + - port + type: object + type: array + extension: + description: Extension struct for a plugin configuration, in the presence + of an extension `endpoints` and `tls` are not required anymore - + it's up to the extension to validate them independently. + properties: + config: + description: Config freeform configuration for the extension. + x-kubernetes-preserve-unknown-fields: true + type: + description: Type of the extension. + type: string + required: + - config + - type + type: object + match: + description: Match defines traffic that should be routed through the + sidecar. + properties: + port: + description: Port defines a port to which a user does request. + maximum: 65535 + minimum: 1 + type: integer + protocol: + default: tcp + description: 'Protocol defines a protocol of the communication. + Possible values: `tcp`, `grpc`, `http`, `http2`.' + enum: + - tcp + - grpc + - http + - http2 + type: string + type: + default: HostnameGenerator + description: Type of the match, only `HostnameGenerator` is available + at the moment. + enum: + - HostnameGenerator + type: string + required: + - port + type: object + tls: + description: Tls provides a TLS configuration when proxy is resposible + for a TLS origination + properties: + allowRenegotiation: + default: false + description: |- + AllowRenegotiation defines if TLS sessions will allow renegotiation. + Setting this to true is not recommended for security reasons. + type: boolean + enabled: + default: false + description: Enabled defines if proxy should originate TLS. + type: boolean + verification: + description: Verification section for providing TLS verification + details. + properties: + caCert: + description: CaCert defines a certificate of CA. + properties: + inline: + description: Data source is inline bytes. + format: byte + type: string + inlineString: + description: Data source is inline string` + type: string + secret: + description: Data source is a secret with given Secret + key. + type: string + type: object + clientCert: + description: ClientCert defines a certificate of a client. + properties: + inline: + description: Data source is inline bytes. + format: byte + type: string + inlineString: + description: Data source is inline string` + type: string + secret: + description: Data source is a secret with given Secret + key. + type: string + type: object + clientKey: + description: ClientKey defines a client private key. + properties: + inline: + description: Data source is inline bytes. + format: byte + type: string + inlineString: + description: Data source is inline string` + type: string + secret: + description: Data source is a secret with given Secret + key. + type: string + type: object + mode: + default: Secured + description: Mode defines if proxy should skip verification, + one of `SkipSAN`, `SkipCA`, `Secured`, `SkipAll`. Default + `Secured`. + enum: + - SkipSAN + - SkipCA + - Secured + - SkipAll + type: string + serverName: + description: ServerName overrides the default Server Name + Indicator set by Kuma. + type: string + subjectAltNames: + description: SubjectAltNames list of names to verify in the + certificate. + items: + properties: + type: + default: Exact + description: 'Type specifies matching type, one of `Exact`, + `Prefix`. Default: `Exact`' + enum: + - Exact + - Prefix + type: string + value: + description: Value to match. + type: string + required: + - value + type: object + type: array + type: object + version: + description: Version section for providing version specification. + properties: + max: + default: TLSAuto + description: Max defines maximum supported version. One of + `TLSAuto`, `TLS10`, `TLS11`, `TLS12`, `TLS13`. + enum: + - TLSAuto + - TLS10 + - TLS11 + - TLS12 + - TLS13 + type: string + min: + default: TLSAuto + description: Min defines minimum supported version. One of + `TLSAuto`, `TLS10`, `TLS11`, `TLS12`, `TLS13`. + enum: + - TLSAuto + - TLS10 + - TLS11 + - TLS12 + - TLS13 + type: string + type: object + type: object + required: + - match + type: object + status: + description: Status is the current status of the Kuma MeshExternalService + resource. + properties: + addresses: + description: Addresses section for generated domains + items: + properties: + hostname: + type: string + hostnameGeneratorRef: + properties: + coreName: + type: string + required: + - coreName + type: object + origin: + type: string + type: object + type: array + hostnameGenerators: + items: + properties: + conditions: + description: Conditions is an array of hostname generator conditions. + items: + properties: + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + hostnameGeneratorRef: + properties: + coreName: + type: string + required: + - coreName + type: object + required: + - hostnameGeneratorRef + type: object + type: array + vip: + description: Vip section for allocated IP + properties: + ip: + description: Value allocated IP for a provided domain with `HostnameGenerator` + type in a match section. + type: string + type: object + type: object + type: object + served: true + storage: true + subresources: {} diff --git a/charts/kuma/kuma/2.9.1/crds/kuma.io_meshfaultinjections.yaml b/charts/kuma/kuma/2.9.1/crds/kuma.io_meshfaultinjections.yaml new file mode 100644 index 000000000..538675b6e --- /dev/null +++ b/charts/kuma/kuma/2.9.1/crds/kuma.io_meshfaultinjections.yaml @@ -0,0 +1,420 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.3 + name: meshfaultinjections.kuma.io +spec: + group: kuma.io + names: + categories: + - kuma + kind: MeshFaultInjection + listKind: MeshFaultInjectionList + plural: meshfaultinjections + singular: meshfaultinjection + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.targetRef.kind + name: TargetRef Kind + type: string + - jsonPath: .spec.targetRef.name + name: TargetRef Name + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec is the specification of the Kuma MeshFaultInjection + resource. + properties: + from: + description: From list makes a match between clients and corresponding + configurations + items: + properties: + default: + description: |- + Default is a configuration specific to the group of destinations referenced in + 'targetRef' + properties: + http: + description: Http allows to define list of Http faults between + dataplanes. + items: + description: FaultInjection defines the configuration + of faults between dataplanes. + properties: + abort: + description: |- + Abort defines a configuration of not delivering requests to destination + service and replacing the responses from destination dataplane by + predefined status code + properties: + httpStatus: + description: HTTP status code which will be returned + to source side + format: int32 + type: integer + percentage: + anyOf: + - type: integer + - type: string + description: |- + Percentage of requests on which abort will be injected, has to be + either int or decimal represented as string. + x-kubernetes-int-or-string: true + required: + - httpStatus + - percentage + type: object + delay: + description: Delay defines configuration of delaying + a response from a destination + properties: + percentage: + anyOf: + - type: integer + - type: string + description: |- + Percentage of requests on which delay will be injected, has to be + either int or decimal represented as string. + x-kubernetes-int-or-string: true + value: + description: The duration during which the response + will be delayed + type: string + required: + - percentage + - value + type: object + responseBandwidth: + description: |- + ResponseBandwidth defines a configuration to limit the speed of + responding to the requests + properties: + limit: + description: |- + Limit is represented by value measure in Gbps, Mbps, kbps, e.g. + 10kbps + type: string + percentage: + anyOf: + - type: integer + - type: string + description: |- + Percentage of requests on which response bandwidth limit will be + either int or decimal represented as string. + x-kubernetes-int-or-string: true + required: + - limit + - percentage + type: object + type: object + type: array + type: object + targetRef: + description: |- + TargetRef is a reference to the resource that represents a group of + destinations. + properties: + kind: + description: Kind of the referenced resource + enum: + - Mesh + - MeshSubset + - MeshGateway + - MeshService + - MeshExternalService + - MeshMultiZoneService + - MeshServiceSubset + - MeshHTTPRoute + type: string + labels: + additionalProperties: + type: string + description: |- + Labels are used to select group of MeshServices that match labels. Either Labels or + Name and Namespace can be used. + type: object + mesh: + description: Mesh is reserved for future use to identify + cross mesh resources. + type: string + name: + description: |- + Name of the referenced resource. Can only be used with kinds: `MeshService`, + `MeshServiceSubset` and `MeshGatewayRoute` + type: string + namespace: + description: |- + Namespace specifies the namespace of target resource. If empty only resources in policy namespace + will be targeted. + type: string + proxyTypes: + description: |- + ProxyTypes specifies the data plane types that are subject to the policy. When not specified, + all data plane types are targeted by the policy. + items: + enum: + - Sidecar + - Gateway + type: string + minItems: 1 + type: array + sectionName: + description: |- + SectionName is used to target specific section of resource. + For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected. + type: string + tags: + additionalProperties: + type: string + description: |- + Tags used to select a subset of proxies by tags. Can only be used with kinds + `MeshSubset` and `MeshServiceSubset` + type: object + type: object + required: + - targetRef + type: object + type: array + targetRef: + description: |- + TargetRef is a reference to the resource the policy takes an effect on. + The resource could be either a real store object or virtual resource + defined inplace. + properties: + kind: + description: Kind of the referenced resource + enum: + - Mesh + - MeshSubset + - MeshGateway + - MeshService + - MeshExternalService + - MeshMultiZoneService + - MeshServiceSubset + - MeshHTTPRoute + type: string + labels: + additionalProperties: + type: string + description: |- + Labels are used to select group of MeshServices that match labels. Either Labels or + Name and Namespace can be used. + type: object + mesh: + description: Mesh is reserved for future use to identify cross + mesh resources. + type: string + name: + description: |- + Name of the referenced resource. Can only be used with kinds: `MeshService`, + `MeshServiceSubset` and `MeshGatewayRoute` + type: string + namespace: + description: |- + Namespace specifies the namespace of target resource. If empty only resources in policy namespace + will be targeted. + type: string + proxyTypes: + description: |- + ProxyTypes specifies the data plane types that are subject to the policy. When not specified, + all data plane types are targeted by the policy. + items: + enum: + - Sidecar + - Gateway + type: string + minItems: 1 + type: array + sectionName: + description: |- + SectionName is used to target specific section of resource. + For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected. + type: string + tags: + additionalProperties: + type: string + description: |- + Tags used to select a subset of proxies by tags. Can only be used with kinds + `MeshSubset` and `MeshServiceSubset` + type: object + type: object + to: + description: To list makes a match between clients and corresponding + configurations + items: + properties: + default: + description: |- + Default is a configuration specific to the group of destinations referenced in + 'targetRef' + properties: + http: + description: Http allows to define list of Http faults between + dataplanes. + items: + description: FaultInjection defines the configuration + of faults between dataplanes. + properties: + abort: + description: |- + Abort defines a configuration of not delivering requests to destination + service and replacing the responses from destination dataplane by + predefined status code + properties: + httpStatus: + description: HTTP status code which will be returned + to source side + format: int32 + type: integer + percentage: + anyOf: + - type: integer + - type: string + description: |- + Percentage of requests on which abort will be injected, has to be + either int or decimal represented as string. + x-kubernetes-int-or-string: true + required: + - httpStatus + - percentage + type: object + delay: + description: Delay defines configuration of delaying + a response from a destination + properties: + percentage: + anyOf: + - type: integer + - type: string + description: |- + Percentage of requests on which delay will be injected, has to be + either int or decimal represented as string. + x-kubernetes-int-or-string: true + value: + description: The duration during which the response + will be delayed + type: string + required: + - percentage + - value + type: object + responseBandwidth: + description: |- + ResponseBandwidth defines a configuration to limit the speed of + responding to the requests + properties: + limit: + description: |- + Limit is represented by value measure in Gbps, Mbps, kbps, e.g. + 10kbps + type: string + percentage: + anyOf: + - type: integer + - type: string + description: |- + Percentage of requests on which response bandwidth limit will be + either int or decimal represented as string. + x-kubernetes-int-or-string: true + required: + - limit + - percentage + type: object + type: object + type: array + type: object + targetRef: + description: |- + TargetRef is a reference to the resource that represents a group of + destinations. + properties: + kind: + description: Kind of the referenced resource + enum: + - Mesh + - MeshSubset + - MeshGateway + - MeshService + - MeshExternalService + - MeshMultiZoneService + - MeshServiceSubset + - MeshHTTPRoute + type: string + labels: + additionalProperties: + type: string + description: |- + Labels are used to select group of MeshServices that match labels. Either Labels or + Name and Namespace can be used. + type: object + mesh: + description: Mesh is reserved for future use to identify + cross mesh resources. + type: string + name: + description: |- + Name of the referenced resource. Can only be used with kinds: `MeshService`, + `MeshServiceSubset` and `MeshGatewayRoute` + type: string + namespace: + description: |- + Namespace specifies the namespace of target resource. If empty only resources in policy namespace + will be targeted. + type: string + proxyTypes: + description: |- + ProxyTypes specifies the data plane types that are subject to the policy. When not specified, + all data plane types are targeted by the policy. + items: + enum: + - Sidecar + - Gateway + type: string + minItems: 1 + type: array + sectionName: + description: |- + SectionName is used to target specific section of resource. + For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected. + type: string + tags: + additionalProperties: + type: string + description: |- + Tags used to select a subset of proxies by tags. Can only be used with kinds + `MeshSubset` and `MeshServiceSubset` + type: object + type: object + required: + - targetRef + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: {} diff --git a/charts/kuma/kuma/2.9.1/crds/kuma.io_meshgatewayinstances.yaml b/charts/kuma/kuma/2.9.1/crds/kuma.io_meshgatewayinstances.yaml new file mode 100644 index 000000000..f68545cf0 --- /dev/null +++ b/charts/kuma/kuma/2.9.1/crds/kuma.io_meshgatewayinstances.yaml @@ -0,0 +1,354 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.3 + name: meshgatewayinstances.kuma.io +spec: + group: kuma.io + names: + categories: + - kuma + kind: MeshGatewayInstance + listKind: MeshGatewayInstanceList + plural: meshgatewayinstances + singular: meshgatewayinstance + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: |- + MeshGatewayInstance represents a managed instance of a dataplane proxy for a Kuma + Gateway. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: MeshGatewayInstanceSpec specifies the options available for + a GatewayDataplane. + properties: + podTemplate: + description: PodTemplate configures the Pod owned by this config. + properties: + metadata: + description: Metadata holds metadata configuration for a Service. + properties: + annotations: + additionalProperties: + type: string + description: Annotations holds annotations to be set on an + object. + type: object + labels: + additionalProperties: + type: string + description: Labels holds labels to be set on an objects. + type: object + type: object + spec: + description: Spec holds some customizable fields of a Pod. + properties: + container: + description: Container corresponds to PodSpec.Container + properties: + securityContext: + description: ContainerSecurityContext corresponds to PodSpec.Container.SecurityContext + properties: + readOnlyRootFilesystem: + description: ReadOnlyRootFilesystem corresponds to + PodSpec.Container.SecurityContext.ReadOnlyRootFilesystem + type: boolean + type: object + type: object + securityContext: + description: PodSecurityContext corresponds to PodSpec.SecurityContext + properties: + fsGroup: + description: FSGroup corresponds to PodSpec.SecurityContext.FSGroup + format: int64 + type: integer + type: object + serviceAccountName: + description: ServiceAccountName corresponds to PodSpec.ServiceAccountName. + type: string + type: object + type: object + replicas: + default: 1 + description: |- + Replicas is the number of dataplane proxy replicas to create. For + now this is a fixed number, but in the future it could be + automatically scaled based on metrics. + format: int32 + minimum: 1 + type: integer + resources: + description: |- + Resources specifies the compute resources for the proxy container. + The default can be set in the control plane config. + properties: + claims: + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + This is an alpha field and requires enabling the + DynamicResourceAllocation feature gate. + + This field is immutable. It can only be set for containers. + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + properties: + name: + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available + inside a container. + type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + type: object + serviceTemplate: + description: ServiceTemplate configures the Service owned by this + config. + properties: + metadata: + description: Metadata holds metadata configuration for a Service. + properties: + annotations: + additionalProperties: + type: string + description: Annotations holds annotations to be set on an + object. + type: object + labels: + additionalProperties: + type: string + description: Labels holds labels to be set on an objects. + type: object + type: object + spec: + description: Spec holds some customizable fields of a Service. + properties: + loadBalancerIP: + description: LoadBalancerIP corresponds to ServiceSpec.LoadBalancerIP. + type: string + type: object + type: object + serviceType: + default: LoadBalancer + description: |- + ServiceType specifies the type of managed Service that will be + created to expose the dataplane proxies to traffic from outside + the cluster. The ports to expose will be taken from the matching Gateway + resource. If there is no matching Gateway, the managed Service will + be deleted. + enum: + - LoadBalancer + - ClusterIP + - NodePort + type: string + tags: + additionalProperties: + type: string + description: |- + Tags specifies the Kuma tags that are propagated to the managed + dataplane proxies. These tags should not include `kuma.io/service` tag + since is auto-generated, and should match exactly one Gateway + resource. + type: object + type: object + status: + description: |- + MeshGatewayInstanceStatus holds information about the status of the gateway + instance. + properties: + conditions: + description: Conditions is an array of gateway instance conditions. + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + loadBalancer: + description: |- + LoadBalancer contains the current status of the load-balancer, + if one is present. + properties: + ingress: + description: |- + Ingress is a list containing ingress points for the load-balancer. + Traffic intended for the service should be sent to these ingress points. + items: + description: |- + LoadBalancerIngress represents the status of a load-balancer ingress point: + traffic intended for the service should be sent to an ingress point. + properties: + hostname: + description: |- + Hostname is set for load-balancer ingress points that are DNS based + (typically AWS load-balancers) + type: string + ip: + description: |- + IP is set for load-balancer ingress points that are IP based + (typically GCE or OpenStack load-balancers) + type: string + ipMode: + description: |- + IPMode specifies how the load-balancer IP behaves, and may only be specified when the ip field is specified. + Setting this to "VIP" indicates that traffic is delivered to the node with + the destination set to the load-balancer's IP and port. + Setting this to "Proxy" indicates that traffic is delivered to the node or pod with + the destination set to the node's IP and node port or the pod's IP and port. + Service implementations may use this information to adjust traffic routing. + type: string + ports: + description: |- + Ports is a list of records of service ports + If used, every port defined in the service should have an entry in it + items: + properties: + error: + description: |- + Error is to record the problem with the service port + The format of the error shall comply with the following rules: + - built-in error values shall be specified in this file and those shall use + CamelCase names + - cloud provider specific error values must have names that comply with the + format foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + port: + description: Port is the port number of the service + port of which status is recorded here + format: int32 + type: integer + protocol: + description: |- + Protocol is the protocol of the service port of which status is recorded here + The supported values are: "TCP", "UDP", "SCTP" + type: string + required: + - error + - port + - protocol + type: object + type: array + x-kubernetes-list-type: atomic + type: object + type: array + x-kubernetes-list-type: atomic + type: object + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/charts/kuma/kuma/2.9.1/crds/kuma.io_meshgatewayroutes.yaml b/charts/kuma/kuma/2.9.1/crds/kuma.io_meshgatewayroutes.yaml new file mode 100644 index 000000000..ef006e9cb --- /dev/null +++ b/charts/kuma/kuma/2.9.1/crds/kuma.io_meshgatewayroutes.yaml @@ -0,0 +1,50 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.3 + name: meshgatewayroutes.kuma.io +spec: + group: kuma.io + names: + categories: + - kuma + kind: MeshGatewayRoute + listKind: MeshGatewayRouteList + plural: meshgatewayroutes + singular: meshgatewayroute + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + mesh: + description: |- + Mesh is the name of the Kuma mesh this resource belongs to. + It may be omitted for cluster-scoped resources. + type: string + metadata: + type: object + spec: + description: Spec is the specification of the Kuma MeshGatewayRoute resource. + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true diff --git a/charts/kuma/kuma/2.9.1/crds/kuma.io_meshgateways.yaml b/charts/kuma/kuma/2.9.1/crds/kuma.io_meshgateways.yaml new file mode 100644 index 000000000..20ff66677 --- /dev/null +++ b/charts/kuma/kuma/2.9.1/crds/kuma.io_meshgateways.yaml @@ -0,0 +1,50 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.3 + name: meshgateways.kuma.io +spec: + group: kuma.io + names: + categories: + - kuma + kind: MeshGateway + listKind: MeshGatewayList + plural: meshgateways + singular: meshgateway + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + mesh: + description: |- + Mesh is the name of the Kuma mesh this resource belongs to. + It may be omitted for cluster-scoped resources. + type: string + metadata: + type: object + spec: + description: Spec is the specification of the Kuma MeshGateway resource. + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true diff --git a/charts/kuma/kuma/2.9.1/crds/kuma.io_meshhealthchecks.yaml b/charts/kuma/kuma/2.9.1/crds/kuma.io_meshhealthchecks.yaml new file mode 100644 index 000000000..d1a3a49f9 --- /dev/null +++ b/charts/kuma/kuma/2.9.1/crds/kuma.io_meshhealthchecks.yaml @@ -0,0 +1,382 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.3 + name: meshhealthchecks.kuma.io +spec: + group: kuma.io + names: + categories: + - kuma + kind: MeshHealthCheck + listKind: MeshHealthCheckList + plural: meshhealthchecks + singular: meshhealthcheck + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.targetRef.kind + name: TargetRef Kind + type: string + - jsonPath: .spec.targetRef.name + name: TargetRef Name + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec is the specification of the Kuma MeshHealthCheck resource. + properties: + targetRef: + description: |- + TargetRef is a reference to the resource the policy takes an effect on. + The resource could be either a real store object or virtual resource + defined inplace. + properties: + kind: + description: Kind of the referenced resource + enum: + - Mesh + - MeshSubset + - MeshGateway + - MeshService + - MeshExternalService + - MeshMultiZoneService + - MeshServiceSubset + - MeshHTTPRoute + type: string + labels: + additionalProperties: + type: string + description: |- + Labels are used to select group of MeshServices that match labels. Either Labels or + Name and Namespace can be used. + type: object + mesh: + description: Mesh is reserved for future use to identify cross + mesh resources. + type: string + name: + description: |- + Name of the referenced resource. Can only be used with kinds: `MeshService`, + `MeshServiceSubset` and `MeshGatewayRoute` + type: string + namespace: + description: |- + Namespace specifies the namespace of target resource. If empty only resources in policy namespace + will be targeted. + type: string + proxyTypes: + description: |- + ProxyTypes specifies the data plane types that are subject to the policy. When not specified, + all data plane types are targeted by the policy. + items: + enum: + - Sidecar + - Gateway + type: string + minItems: 1 + type: array + sectionName: + description: |- + SectionName is used to target specific section of resource. + For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected. + type: string + tags: + additionalProperties: + type: string + description: |- + Tags used to select a subset of proxies by tags. Can only be used with kinds + `MeshSubset` and `MeshServiceSubset` + type: object + type: object + to: + description: To list makes a match between the consumed services and + corresponding configurations + items: + properties: + default: + description: |- + Default is a configuration specific to the group of destinations referenced in + 'targetRef' + properties: + alwaysLogHealthCheckFailures: + description: |- + If set to true, health check failure events will always be logged. If set + to false, only the initial health check failure event will be logged. The + default value is false. + type: boolean + eventLogPath: + description: |- + Specifies the path to the file where Envoy can log health check events. + If empty, no event log will be written. + type: string + failTrafficOnPanic: + description: |- + If set to true, Envoy will not consider any hosts when the cluster is in + 'panic mode'. Instead, the cluster will fail all requests as if all hosts + are unhealthy. This can help avoid potentially overwhelming a failing + service. + type: boolean + grpc: + description: |- + GrpcHealthCheck defines gRPC configuration which will instruct the service + the health check will be made for is a gRPC service. + properties: + authority: + description: |- + The value of the :authority header in the gRPC health check request, + by default name of the cluster this health check is associated with + type: string + disabled: + description: If true the GrpcHealthCheck is disabled + type: boolean + serviceName: + description: Service name parameter which will be sent + to gRPC service + type: string + type: object + healthyPanicThreshold: + anyOf: + - type: integer + - type: string + description: |- + Allows to configure panic threshold for Envoy cluster. If not specified, + the default is 50%. To disable panic mode, set to 0%. + Either int or decimal represented as string. + x-kubernetes-int-or-string: true + healthyThreshold: + default: 1 + description: Number of consecutive healthy checks before + considering a host healthy. + format: int32 + type: integer + http: + description: |- + HttpHealthCheck defines HTTP configuration which will instruct the service + the health check will be made for is an HTTP service. + properties: + disabled: + description: If true the HttpHealthCheck is disabled + type: boolean + expectedStatuses: + description: List of HTTP response statuses which are + considered healthy + items: + format: int32 + type: integer + type: array + path: + default: / + description: |- + The HTTP path which will be requested during the health check + (ie. /health) + type: string + requestHeadersToAdd: + description: |- + The list of HTTP headers which should be added to each health check + request + properties: + add: + items: + properties: + name: + maxLength: 256 + minLength: 1 + pattern: ^[a-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + set: + items: + properties: + name: + maxLength: 256 + minLength: 1 + pattern: ^[a-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: object + initialJitter: + description: |- + If specified, Envoy will start health checking after a random time in + ms between 0 and initialJitter. This only applies to the first health + check. + type: string + interval: + default: 1m + description: Interval between consecutive health checks. + type: string + intervalJitter: + description: |- + If specified, during every interval Envoy will add IntervalJitter to the + wait time. + type: string + intervalJitterPercent: + description: |- + If specified, during every interval Envoy will add IntervalJitter * + IntervalJitterPercent / 100 to the wait time. If IntervalJitter and + IntervalJitterPercent are both set, both of them will be used to + increase the wait time. + format: int32 + type: integer + noTrafficInterval: + description: |- + The "no traffic interval" is a special health check interval that is used + when a cluster has never had traffic routed to it. This lower interval + allows cluster information to be kept up to date, without sending a + potentially large amount of active health checking traffic for no reason. + Once a cluster has been used for traffic routing, Envoy will shift back + to using the standard health check interval that is defined. Note that + this interval takes precedence over any other. The default value for "no + traffic interval" is 60 seconds. + type: string + reuseConnection: + description: Reuse health check connection between health + checks. Default is true. + type: boolean + tcp: + description: |- + TcpHealthCheck defines configuration for specifying bytes to send and + expected response during the health check + properties: + disabled: + description: If true the TcpHealthCheck is disabled + type: boolean + receive: + description: |- + List of Base64 encoded blocks of strings expected as a response. When checking the response, + "fuzzy" matching is performed such that each block must be found, and + in the order specified, but not necessarily contiguous. + If not provided or empty, checks will be performed as "connect only" and be marked as successful when TCP connection is successfully established. + items: + type: string + type: array + send: + description: Base64 encoded content of the message which + will be sent during the health check to the target + type: string + type: object + timeout: + default: 15s + description: Maximum time to wait for a health check response. + type: string + unhealthyThreshold: + default: 5 + description: |- + Number of consecutive unhealthy checks before considering a host + unhealthy. + format: int32 + type: integer + type: object + targetRef: + description: |- + TargetRef is a reference to the resource that represents a group of + destinations. + properties: + kind: + description: Kind of the referenced resource + enum: + - Mesh + - MeshSubset + - MeshGateway + - MeshService + - MeshExternalService + - MeshMultiZoneService + - MeshServiceSubset + - MeshHTTPRoute + type: string + labels: + additionalProperties: + type: string + description: |- + Labels are used to select group of MeshServices that match labels. Either Labels or + Name and Namespace can be used. + type: object + mesh: + description: Mesh is reserved for future use to identify + cross mesh resources. + type: string + name: + description: |- + Name of the referenced resource. Can only be used with kinds: `MeshService`, + `MeshServiceSubset` and `MeshGatewayRoute` + type: string + namespace: + description: |- + Namespace specifies the namespace of target resource. If empty only resources in policy namespace + will be targeted. + type: string + proxyTypes: + description: |- + ProxyTypes specifies the data plane types that are subject to the policy. When not specified, + all data plane types are targeted by the policy. + items: + enum: + - Sidecar + - Gateway + type: string + minItems: 1 + type: array + sectionName: + description: |- + SectionName is used to target specific section of resource. + For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected. + type: string + tags: + additionalProperties: + type: string + description: |- + Tags used to select a subset of proxies by tags. Can only be used with kinds + `MeshSubset` and `MeshServiceSubset` + type: object + type: object + required: + - targetRef + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: {} diff --git a/charts/kuma/kuma/2.9.1/crds/kuma.io_meshhttproutes.yaml b/charts/kuma/kuma/2.9.1/crds/kuma.io_meshhttproutes.yaml new file mode 100644 index 000000000..14f8974b1 --- /dev/null +++ b/charts/kuma/kuma/2.9.1/crds/kuma.io_meshhttproutes.yaml @@ -0,0 +1,668 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.3 + name: meshhttproutes.kuma.io +spec: + group: kuma.io + names: + categories: + - kuma + kind: MeshHTTPRoute + listKind: MeshHTTPRouteList + plural: meshhttproutes + singular: meshhttproute + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.targetRef.kind + name: TargetRef Kind + type: string + - jsonPath: .spec.targetRef.name + name: TargetRef Name + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec is the specification of the Kuma MeshHTTPRoute resource. + properties: + targetRef: + description: |- + TargetRef is a reference to the resource the policy takes an effect on. + The resource could be either a real store object or virtual resource + defined inplace. + properties: + kind: + description: Kind of the referenced resource + enum: + - Mesh + - MeshSubset + - MeshGateway + - MeshService + - MeshExternalService + - MeshMultiZoneService + - MeshServiceSubset + - MeshHTTPRoute + type: string + labels: + additionalProperties: + type: string + description: |- + Labels are used to select group of MeshServices that match labels. Either Labels or + Name and Namespace can be used. + type: object + mesh: + description: Mesh is reserved for future use to identify cross + mesh resources. + type: string + name: + description: |- + Name of the referenced resource. Can only be used with kinds: `MeshService`, + `MeshServiceSubset` and `MeshGatewayRoute` + type: string + namespace: + description: |- + Namespace specifies the namespace of target resource. If empty only resources in policy namespace + will be targeted. + type: string + proxyTypes: + description: |- + ProxyTypes specifies the data plane types that are subject to the policy. When not specified, + all data plane types are targeted by the policy. + items: + enum: + - Sidecar + - Gateway + type: string + minItems: 1 + type: array + sectionName: + description: |- + SectionName is used to target specific section of resource. + For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected. + type: string + tags: + additionalProperties: + type: string + description: |- + Tags used to select a subset of proxies by tags. Can only be used with kinds + `MeshSubset` and `MeshServiceSubset` + type: object + type: object + to: + description: To matches destination services of requests and holds + configuration. + items: + properties: + hostnames: + description: |- + Hostnames is only valid when targeting MeshGateway and limits the + effects of the rules to requests to this hostname. + Given hostnames must intersect with the hostname of the listeners the + route attaches to. + items: + type: string + type: array + rules: + description: |- + Rules contains the routing rules applies to a combination of top-level + targetRef and the targetRef in this entry. + items: + properties: + default: + description: |- + Default holds routing rules that can be merged with rules from other + policies. + properties: + backendRefs: + items: + description: BackendRef defines where to forward + traffic. + properties: + kind: + description: Kind of the referenced resource + enum: + - Mesh + - MeshSubset + - MeshGateway + - MeshService + - MeshExternalService + - MeshMultiZoneService + - MeshServiceSubset + - MeshHTTPRoute + type: string + labels: + additionalProperties: + type: string + description: |- + Labels are used to select group of MeshServices that match labels. Either Labels or + Name and Namespace can be used. + type: object + mesh: + description: Mesh is reserved for future use + to identify cross mesh resources. + type: string + name: + description: |- + Name of the referenced resource. Can only be used with kinds: `MeshService`, + `MeshServiceSubset` and `MeshGatewayRoute` + type: string + namespace: + description: |- + Namespace specifies the namespace of target resource. If empty only resources in policy namespace + will be targeted. + type: string + port: + description: Port is only supported when this + ref refers to a real MeshService object + format: int32 + type: integer + proxyTypes: + description: |- + ProxyTypes specifies the data plane types that are subject to the policy. When not specified, + all data plane types are targeted by the policy. + items: + enum: + - Sidecar + - Gateway + type: string + minItems: 1 + type: array + sectionName: + description: |- + SectionName is used to target specific section of resource. + For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected. + type: string + tags: + additionalProperties: + type: string + description: |- + Tags used to select a subset of proxies by tags. Can only be used with kinds + `MeshSubset` and `MeshServiceSubset` + type: object + weight: + default: 1 + minimum: 0 + type: integer + type: object + type: array + filters: + items: + properties: + requestHeaderModifier: + description: |- + Only one action is supported per header name. + Configuration to set or add multiple values for a header must use RFC 7230 + header value formatting, separating each value with a comma. + properties: + add: + items: + properties: + name: + maxLength: 256 + minLength: 1 + pattern: ^[a-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + items: + type: string + maxItems: 16 + type: array + set: + items: + properties: + name: + maxLength: 256 + minLength: 1 + pattern: ^[a-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + properties: + backendRef: + description: BackendRef defines where to + forward traffic. + properties: + kind: + description: Kind of the referenced + resource + enum: + - Mesh + - MeshSubset + - MeshGateway + - MeshService + - MeshExternalService + - MeshMultiZoneService + - MeshServiceSubset + - MeshHTTPRoute + type: string + labels: + additionalProperties: + type: string + description: |- + Labels are used to select group of MeshServices that match labels. Either Labels or + Name and Namespace can be used. + type: object + mesh: + description: Mesh is reserved for future + use to identify cross mesh resources. + type: string + name: + description: |- + Name of the referenced resource. Can only be used with kinds: `MeshService`, + `MeshServiceSubset` and `MeshGatewayRoute` + type: string + namespace: + description: |- + Namespace specifies the namespace of target resource. If empty only resources in policy namespace + will be targeted. + type: string + port: + description: Port is only supported + when this ref refers to a real MeshService + object + format: int32 + type: integer + proxyTypes: + description: |- + ProxyTypes specifies the data plane types that are subject to the policy. When not specified, + all data plane types are targeted by the policy. + items: + enum: + - Sidecar + - Gateway + type: string + minItems: 1 + type: array + sectionName: + description: |- + SectionName is used to target specific section of resource. + For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected. + type: string + tags: + additionalProperties: + type: string + description: |- + Tags used to select a subset of proxies by tags. Can only be used with kinds + `MeshSubset` and `MeshServiceSubset` + type: object + weight: + default: 1 + minimum: 0 + type: integer + type: object + percentage: + anyOf: + - type: integer + - type: string + description: |- + Percentage of requests to mirror. If not specified, all requests + to the target cluster will be mirrored. + x-kubernetes-int-or-string: true + required: + - backendRef + type: object + requestRedirect: + properties: + hostname: + description: |- + PreciseHostname is the fully qualified domain name of a network host. This + matches the RFC 1123 definition of a hostname with 1 notable exception that + numeric IP addresses are not allowed. + + Note that as per RFC1035 and RFC1123, a *label* must consist of lower case + alphanumeric characters or '-', and must start and end with an alphanumeric + character. No other punctuation is allowed. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: |- + Path defines parameters used to modify the path of the incoming request. + The modified path is then used to construct the location header. + When empty, the request path is used as-is. + properties: + replaceFullPath: + type: string + replacePrefixMatch: + type: string + type: + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + port: + description: |- + Port is the port to be used in the value of the `Location` + header in the response. + When empty, port (if specified) of the request is used. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: + enum: + - http + - https + type: string + statusCode: + default: 302 + description: StatusCode is the HTTP status + code to be used in response. + enum: + - 301 + - 302 + - 303 + - 307 + - 308 + type: integer + type: object + responseHeaderModifier: + description: |- + Only one action is supported per header name. + Configuration to set or add multiple values for a header must use RFC 7230 + header value formatting, separating each value with a comma. + properties: + add: + items: + properties: + name: + maxLength: 256 + minLength: 1 + pattern: ^[a-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + items: + type: string + maxItems: 16 + type: array + set: + items: + properties: + name: + maxLength: 256 + minLength: 1 + pattern: ^[a-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + enum: + - RequestHeaderModifier + - ResponseHeaderModifier + - RequestRedirect + - URLRewrite + - RequestMirror + type: string + urlRewrite: + properties: + hostToBackendHostname: + description: |- + HostToBackendHostname rewrites the hostname to the hostname of the + upstream host. This option is only available when targeting MeshGateways. + type: boolean + hostname: + description: Hostname is the value to be + used to replace the host header value + during forwarding. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: Path defines a path rewrite. + properties: + replaceFullPath: + type: string + replacePrefixMatch: + type: string + type: + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + type: object + required: + - type + type: object + type: array + type: object + matches: + description: |- + Matches describes how to match HTTP requests this rule should be applied + to. + items: + properties: + headers: + items: + description: |- + HeaderMatch describes how to select an HTTP route by matching HTTP request + headers. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name MUST be lower case + as they will be handled with case insensitivity (See https://tools.ietf.org/html/rfc7230#section-3.2). + maxLength: 256 + minLength: 1 + pattern: ^[a-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + type: + default: Exact + description: Type specifies how to match against + the value of the header. + enum: + - Exact + - Present + - RegularExpression + - Absent + - Prefix + type: string + value: + description: Value is the value of HTTP Header + to be matched. + type: string + required: + - name + type: object + type: array + method: + enum: + - CONNECT + - DELETE + - GET + - HEAD + - OPTIONS + - PATCH + - POST + - PUT + - TRACE + type: string + path: + properties: + type: + enum: + - Exact + - PathPrefix + - RegularExpression + type: string + value: + description: |- + Exact or prefix matches must be an absolute path. A prefix matches only + if separated by a slash or the entire path. + minLength: 1 + type: string + required: + - type + - value + type: object + queryParams: + description: |- + QueryParams matches based on HTTP URL query parameters. Multiple matches + are ANDed together such that all listed matches must succeed. + items: + properties: + name: + minLength: 1 + type: string + type: + enum: + - Exact + - RegularExpression + type: string + value: + type: string + required: + - name + - type + - value + type: object + type: array + type: object + minItems: 1 + type: array + required: + - default + - matches + type: object + type: array + targetRef: + description: |- + TargetRef is a reference to the resource that represents a group of + request destinations. + properties: + kind: + description: Kind of the referenced resource + enum: + - Mesh + - MeshSubset + - MeshGateway + - MeshService + - MeshExternalService + - MeshMultiZoneService + - MeshServiceSubset + - MeshHTTPRoute + type: string + labels: + additionalProperties: + type: string + description: |- + Labels are used to select group of MeshServices that match labels. Either Labels or + Name and Namespace can be used. + type: object + mesh: + description: Mesh is reserved for future use to identify + cross mesh resources. + type: string + name: + description: |- + Name of the referenced resource. Can only be used with kinds: `MeshService`, + `MeshServiceSubset` and `MeshGatewayRoute` + type: string + namespace: + description: |- + Namespace specifies the namespace of target resource. If empty only resources in policy namespace + will be targeted. + type: string + proxyTypes: + description: |- + ProxyTypes specifies the data plane types that are subject to the policy. When not specified, + all data plane types are targeted by the policy. + items: + enum: + - Sidecar + - Gateway + type: string + minItems: 1 + type: array + sectionName: + description: |- + SectionName is used to target specific section of resource. + For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected. + type: string + tags: + additionalProperties: + type: string + description: |- + Tags used to select a subset of proxies by tags. Can only be used with kinds + `MeshSubset` and `MeshServiceSubset` + type: object + type: object + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: {} diff --git a/charts/kuma/kuma/2.9.1/crds/kuma.io_meshinsights.yaml b/charts/kuma/kuma/2.9.1/crds/kuma.io_meshinsights.yaml new file mode 100644 index 000000000..93b570048 --- /dev/null +++ b/charts/kuma/kuma/2.9.1/crds/kuma.io_meshinsights.yaml @@ -0,0 +1,50 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.3 + name: meshinsights.kuma.io +spec: + group: kuma.io + names: + categories: + - kuma + kind: MeshInsight + listKind: MeshInsightList + plural: meshinsights + singular: meshinsight + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + mesh: + description: |- + Mesh is the name of the Kuma mesh this resource belongs to. + It may be omitted for cluster-scoped resources. + type: string + metadata: + type: object + spec: + description: Spec is the specification of the Kuma MeshInsight resource. + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true diff --git a/charts/kuma/kuma/2.9.1/crds/kuma.io_meshloadbalancingstrategies.yaml b/charts/kuma/kuma/2.9.1/crds/kuma.io_meshloadbalancingstrategies.yaml new file mode 100644 index 000000000..8fe3d6634 --- /dev/null +++ b/charts/kuma/kuma/2.9.1/crds/kuma.io_meshloadbalancingstrategies.yaml @@ -0,0 +1,572 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.3 + name: meshloadbalancingstrategies.kuma.io +spec: + group: kuma.io + names: + categories: + - kuma + kind: MeshLoadBalancingStrategy + listKind: MeshLoadBalancingStrategyList + plural: meshloadbalancingstrategies + singular: meshloadbalancingstrategy + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.targetRef.kind + name: TargetRef Kind + type: string + - jsonPath: .spec.targetRef.name + name: TargetRef Name + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec is the specification of the Kuma MeshLoadBalancingStrategy + resource. + properties: + targetRef: + description: |- + TargetRef is a reference to the resource the policy takes an effect on. + The resource could be either a real store object or virtual resource + defined inplace. + properties: + kind: + description: Kind of the referenced resource + enum: + - Mesh + - MeshSubset + - MeshGateway + - MeshService + - MeshExternalService + - MeshMultiZoneService + - MeshServiceSubset + - MeshHTTPRoute + type: string + labels: + additionalProperties: + type: string + description: |- + Labels are used to select group of MeshServices that match labels. Either Labels or + Name and Namespace can be used. + type: object + mesh: + description: Mesh is reserved for future use to identify cross + mesh resources. + type: string + name: + description: |- + Name of the referenced resource. Can only be used with kinds: `MeshService`, + `MeshServiceSubset` and `MeshGatewayRoute` + type: string + namespace: + description: |- + Namespace specifies the namespace of target resource. If empty only resources in policy namespace + will be targeted. + type: string + proxyTypes: + description: |- + ProxyTypes specifies the data plane types that are subject to the policy. When not specified, + all data plane types are targeted by the policy. + items: + enum: + - Sidecar + - Gateway + type: string + minItems: 1 + type: array + sectionName: + description: |- + SectionName is used to target specific section of resource. + For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected. + type: string + tags: + additionalProperties: + type: string + description: |- + Tags used to select a subset of proxies by tags. Can only be used with kinds + `MeshSubset` and `MeshServiceSubset` + type: object + type: object + to: + description: To list makes a match between the consumed services and + corresponding configurations + items: + properties: + default: + description: |- + Default is a configuration specific to the group of destinations referenced in + 'targetRef' + properties: + loadBalancer: + description: LoadBalancer allows to specify load balancing + algorithm. + properties: + leastRequest: + description: |- + LeastRequest selects N random available hosts as specified in 'choiceCount' (2 by default) + and picks the host which has the fewest active requests + properties: + activeRequestBias: + anyOf: + - type: integer + - type: string + description: |- + ActiveRequestBias refers to dynamic weights applied when hosts have varying load + balancing weights. A higher value here aggressively reduces the weight of endpoints + that are currently handling active requests. In essence, the higher the ActiveRequestBias + value, the more forcefully it reduces the load balancing weight of endpoints that are + actively serving requests. + x-kubernetes-int-or-string: true + choiceCount: + description: |- + ChoiceCount is the number of random healthy hosts from which the host with + the fewest active requests will be chosen. Defaults to 2 so that Envoy performs + two-choice selection if the field is not set. + format: int32 + minimum: 2 + type: integer + type: object + maglev: + description: |- + Maglev implements consistent hashing to upstream hosts. Maglev can be used as + a drop in replacement for the ring hash load balancer any place in which + consistent hashing is desired. + properties: + hashPolicies: + description: |- + HashPolicies specify a list of request/connection properties that are used to calculate a hash. + These hash policies are executed in the specified order. If a hash policy has the “terminal” attribute + set to true, and there is already a hash generated, the hash is returned immediately, + ignoring the rest of the hash policy list. + items: + properties: + connection: + properties: + sourceIP: + description: Hash on source IP address. + type: boolean + type: object + cookie: + properties: + name: + description: The name of the cookie that + will be used to obtain the hash key. + minLength: 1 + type: string + path: + description: The name of the path for + the cookie. + type: string + ttl: + description: If specified, a cookie with + the TTL will be generated if the cookie + is not present. + type: string + required: + - name + type: object + filterState: + properties: + key: + description: |- + The name of the Object in the per-request filterState, which is + an Envoy::Hashable object. If there is no data associated with the key, + or the stored object is not Envoy::Hashable, no hash will be produced. + minLength: 1 + type: string + required: + - key + type: object + header: + properties: + name: + description: The name of the request header + that will be used to obtain the hash + key. + minLength: 1 + type: string + required: + - name + type: object + queryParameter: + properties: + name: + description: |- + The name of the URL query parameter that will be used to obtain the hash key. + If the parameter is not present, no hash will be produced. Query parameter names + are case-sensitive. + minLength: 1 + type: string + required: + - name + type: object + terminal: + description: |- + Terminal is a flag that short-circuits the hash computing. This field provides + a ‘fallback’ style of configuration: “if a terminal policy doesn’t work, fallback + to rest of the policy list”, it saves time when the terminal policy works. + If true, and there is already a hash computed, ignore rest of the list of hash polices. + type: boolean + type: + enum: + - Header + - Cookie + - SourceIP + - QueryParameter + - FilterState + type: string + required: + - type + type: object + type: array + tableSize: + description: |- + The table size for Maglev hashing. Maglev aims for “minimal disruption” + rather than an absolute guarantee. Minimal disruption means that when + the set of upstream hosts change, a connection will likely be sent + to the same upstream as it was before. Increasing the table size reduces + the amount of disruption. The table size must be prime number limited to 5000011. + If it is not specified, the default is 65537. + format: int32 + maximum: 5000011 + minimum: 1 + type: integer + type: object + random: + description: |- + Random selects a random available host. The random load balancer generally + performs better than round-robin if no health checking policy is configured. + Random selection avoids bias towards the host in the set that comes after a failed host. + type: object + ringHash: + description: |- + RingHash implements consistent hashing to upstream hosts. Each host is mapped + onto a circle (the “ring”) by hashing its address; each request is then routed + to a host by hashing some property of the request, and finding the nearest + corresponding host clockwise around the ring. + properties: + hashFunction: + description: |- + HashFunction is a function used to hash hosts onto the ketama ring. + The value defaults to XX_HASH. Available values – XX_HASH, MURMUR_HASH_2. + enum: + - XXHash + - MurmurHash2 + type: string + hashPolicies: + description: |- + HashPolicies specify a list of request/connection properties that are used to calculate a hash. + These hash policies are executed in the specified order. If a hash policy has the “terminal” attribute + set to true, and there is already a hash generated, the hash is returned immediately, + ignoring the rest of the hash policy list. + items: + properties: + connection: + properties: + sourceIP: + description: Hash on source IP address. + type: boolean + type: object + cookie: + properties: + name: + description: The name of the cookie that + will be used to obtain the hash key. + minLength: 1 + type: string + path: + description: The name of the path for + the cookie. + type: string + ttl: + description: If specified, a cookie with + the TTL will be generated if the cookie + is not present. + type: string + required: + - name + type: object + filterState: + properties: + key: + description: |- + The name of the Object in the per-request filterState, which is + an Envoy::Hashable object. If there is no data associated with the key, + or the stored object is not Envoy::Hashable, no hash will be produced. + minLength: 1 + type: string + required: + - key + type: object + header: + properties: + name: + description: The name of the request header + that will be used to obtain the hash + key. + minLength: 1 + type: string + required: + - name + type: object + queryParameter: + properties: + name: + description: |- + The name of the URL query parameter that will be used to obtain the hash key. + If the parameter is not present, no hash will be produced. Query parameter names + are case-sensitive. + minLength: 1 + type: string + required: + - name + type: object + terminal: + description: |- + Terminal is a flag that short-circuits the hash computing. This field provides + a ‘fallback’ style of configuration: “if a terminal policy doesn’t work, fallback + to rest of the policy list”, it saves time when the terminal policy works. + If true, and there is already a hash computed, ignore rest of the list of hash polices. + type: boolean + type: + enum: + - Header + - Cookie + - SourceIP + - QueryParameter + - FilterState + type: string + required: + - type + type: object + type: array + maxRingSize: + description: |- + Maximum hash ring size. Defaults to 8M entries, and limited to 8M entries, + but can be lowered to further constrain resource use. + format: int32 + maximum: 8000000 + minimum: 1 + type: integer + minRingSize: + description: |- + Minimum hash ring size. The larger the ring is (that is, + the more hashes there are for each provided host) the better the request distribution + will reflect the desired weights. Defaults to 1024 entries, and limited to 8M entries. + format: int32 + maximum: 8000000 + minimum: 1 + type: integer + type: object + roundRobin: + description: |- + RoundRobin is a load balancing algorithm that distributes requests + across available upstream hosts in round-robin order. + type: object + type: + enum: + - RoundRobin + - LeastRequest + - RingHash + - Random + - Maglev + type: string + required: + - type + type: object + localityAwareness: + description: LocalityAwareness contains configuration for + locality aware load balancing. + properties: + crossZone: + description: |- + CrossZone defines locality aware load balancing priorities when dataplane proxies inside local zone + are unavailable + properties: + failover: + description: Failover defines list of load balancing + rules in order of priority + items: + properties: + from: + description: From defines the list of zones + to which the rule applies + properties: + zones: + items: + type: string + type: array + required: + - zones + type: object + to: + description: To defines to which zones the + traffic should be load balanced + properties: + type: + description: Type defines how target zones + will be picked from available zones + enum: + - None + - Only + - Any + - AnyExcept + type: string + zones: + items: + type: string + type: array + required: + - type + type: object + required: + - to + type: object + type: array + failoverThreshold: + description: |- + FailoverThreshold defines the percentage of live destination dataplane proxies below which load balancing to the + next priority starts. + Example: If you configure failoverThreshold to 70, and you have deployed 10 destination dataplane proxies. + Load balancing to next priority will start when number of live destination dataplane proxies drops below 7. + Default 50 + properties: + percentage: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - percentage + type: object + type: object + disabled: + description: |- + Disabled allows to disable locality-aware load balancing. + When disabled requests are distributed across all endpoints regardless of locality. + type: boolean + localZone: + description: LocalZone defines locality aware load balancing + priorities between dataplane proxies inside a zone + properties: + affinityTags: + description: AffinityTags list of tags for local + zone load balancing. + items: + properties: + key: + description: Key defines tag for which affinity + is configured + type: string + weight: + description: |- + Weight of the tag used for load balancing. The bigger the weight the bigger the priority. + Percentage of local traffic load balanced to tag is computed by dividing weight by sum of weights from all tags. + For example with two affinity tags first with weight 80 and second with weight 20, + then 80% of traffic will be redirected to the first tag, and 20% of traffic will be redirected to second one. + Setting weights is not mandatory. When weights are not set control plane will compute default weight based on list order. + Default: If you do not specify weight we will adjust them so that 90% traffic goes to first tag, 9% to next, and 1% to third and so on. + format: int32 + type: integer + required: + - key + type: object + type: array + type: object + type: object + type: object + targetRef: + description: |- + TargetRef is a reference to the resource that represents a group of + destinations. + properties: + kind: + description: Kind of the referenced resource + enum: + - Mesh + - MeshSubset + - MeshGateway + - MeshService + - MeshExternalService + - MeshMultiZoneService + - MeshServiceSubset + - MeshHTTPRoute + type: string + labels: + additionalProperties: + type: string + description: |- + Labels are used to select group of MeshServices that match labels. Either Labels or + Name and Namespace can be used. + type: object + mesh: + description: Mesh is reserved for future use to identify + cross mesh resources. + type: string + name: + description: |- + Name of the referenced resource. Can only be used with kinds: `MeshService`, + `MeshServiceSubset` and `MeshGatewayRoute` + type: string + namespace: + description: |- + Namespace specifies the namespace of target resource. If empty only resources in policy namespace + will be targeted. + type: string + proxyTypes: + description: |- + ProxyTypes specifies the data plane types that are subject to the policy. When not specified, + all data plane types are targeted by the policy. + items: + enum: + - Sidecar + - Gateway + type: string + minItems: 1 + type: array + sectionName: + description: |- + SectionName is used to target specific section of resource. + For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected. + type: string + tags: + additionalProperties: + type: string + description: |- + Tags used to select a subset of proxies by tags. Can only be used with kinds + `MeshSubset` and `MeshServiceSubset` + type: object + type: object + required: + - targetRef + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: {} diff --git a/charts/kuma/kuma/2.9.1/crds/kuma.io_meshmetrics.yaml b/charts/kuma/kuma/2.9.1/crds/kuma.io_meshmetrics.yaml new file mode 100644 index 000000000..d244c2e04 --- /dev/null +++ b/charts/kuma/kuma/2.9.1/crds/kuma.io_meshmetrics.yaml @@ -0,0 +1,292 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.3 + name: meshmetrics.kuma.io +spec: + group: kuma.io + names: + categories: + - kuma + kind: MeshMetric + listKind: MeshMetricList + plural: meshmetrics + singular: meshmetric + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.targetRef.kind + name: TargetRef Kind + type: string + - jsonPath: .spec.targetRef.name + name: TargetRef Name + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec is the specification of the Kuma MeshMetric resource. + properties: + default: + description: MeshMetric configuration. + properties: + applications: + description: Applications is a list of application that Dataplane + Proxy will scrape + items: + properties: + address: + description: Address on which an application listens. + type: string + name: + description: Name of the application to scrape + type: string + path: + default: /metrics/prometheus + description: Path on which an application expose HTTP endpoint + with metrics. + type: string + port: + description: Port on which an application expose HTTP endpoint + with metrics. + format: int32 + type: integer + required: + - port + type: object + type: array + backends: + description: Backends list that will be used to collect metrics. + items: + properties: + openTelemetry: + description: OpenTelemetry backend configuration + properties: + endpoint: + description: Endpoint for OpenTelemetry collector + type: string + refreshInterval: + description: RefreshInterval defines how frequent metrics + should be pushed to collector + type: string + required: + - endpoint + type: object + prometheus: + description: Prometheus backend configuration. + properties: + clientId: + description: ClientId of the Prometheus backend. Needed + when using MADS for DP discovery. + type: string + path: + default: /metrics + description: Path on which a dataplane should expose + HTTP endpoint with Prometheus metrics. + type: string + port: + default: 5670 + description: Port on which a dataplane should expose + HTTP endpoint with Prometheus metrics. + format: int32 + type: integer + tls: + description: Configuration of TLS for prometheus listener. + properties: + mode: + default: Disabled + description: Configuration of TLS for Prometheus + listener. + enum: + - Disabled + - ProvidedTLS + - ActiveMTLSBackend + type: string + required: + - mode + type: object + required: + - path + - port + type: object + type: + description: Type of the backend that will be used to collect + metrics. At the moment only Prometheus backend is available. + enum: + - Prometheus + - OpenTelemetry + type: string + required: + - type + type: object + type: array + sidecar: + description: Sidecar metrics collection configuration + properties: + includeUnused: + default: false + description: |- + IncludeUnused if false will scrape only metrics that has been by sidecar (counters incremented + at least once, gauges changed at least once, and histograms added to at + least once). If true will scrape all metrics (even the ones with zeros). + type: boolean + profiles: + description: Profiles allows to customize which metrics are + published. + properties: + appendProfiles: + description: AppendProfiles allows to combine the metrics + from multiple predefined profiles. + items: + properties: + name: + description: 'Name of the predefined profile, one + of: all, basic, none' + enum: + - All + - Basic + - None + type: string + required: + - name + type: object + type: array + exclude: + description: |- + Exclude makes it possible to exclude groups of metrics from a resulting profile. + Exclude is subordinate to Include. + items: + properties: + match: + description: Match is the value used to match using + particular Type + type: string + type: + description: 'Type defined the type of selector, + one of: prefix, regex, exact' + enum: + - Prefix + - Regex + - Exact + - Contains + type: string + required: + - match + - type + type: object + type: array + include: + description: |- + Include makes it possible to include additional metrics in a selected profiles. + Include takes precedence over Exclude. + items: + properties: + match: + description: Match is the value used to match using + particular Type + type: string + type: + description: 'Type defined the type of selector, + one of: prefix, regex, exact' + enum: + - Prefix + - Regex + - Exact + - Contains + type: string + required: + - match + - type + type: object + type: array + type: object + type: object + type: object + targetRef: + description: |- + TargetRef is a reference to the resource the policy takes an effect on. + The resource could be either a real store object or virtual resource + defined in-place. + properties: + kind: + description: Kind of the referenced resource + enum: + - Mesh + - MeshSubset + - MeshGateway + - MeshService + - MeshExternalService + - MeshMultiZoneService + - MeshServiceSubset + - MeshHTTPRoute + type: string + labels: + additionalProperties: + type: string + description: |- + Labels are used to select group of MeshServices that match labels. Either Labels or + Name and Namespace can be used. + type: object + mesh: + description: Mesh is reserved for future use to identify cross + mesh resources. + type: string + name: + description: |- + Name of the referenced resource. Can only be used with kinds: `MeshService`, + `MeshServiceSubset` and `MeshGatewayRoute` + type: string + namespace: + description: |- + Namespace specifies the namespace of target resource. If empty only resources in policy namespace + will be targeted. + type: string + proxyTypes: + description: |- + ProxyTypes specifies the data plane types that are subject to the policy. When not specified, + all data plane types are targeted by the policy. + items: + enum: + - Sidecar + - Gateway + type: string + minItems: 1 + type: array + sectionName: + description: |- + SectionName is used to target specific section of resource. + For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected. + type: string + tags: + additionalProperties: + type: string + description: |- + Tags used to select a subset of proxies by tags. Can only be used with kinds + `MeshSubset` and `MeshServiceSubset` + type: object + type: object + type: object + type: object + served: true + storage: true + subresources: {} diff --git a/charts/kuma/kuma/2.9.1/crds/kuma.io_meshmultizoneservices.yaml b/charts/kuma/kuma/2.9.1/crds/kuma.io_meshmultizoneservices.yaml new file mode 100644 index 000000000..4772b0cfb --- /dev/null +++ b/charts/kuma/kuma/2.9.1/crds/kuma.io_meshmultizoneservices.yaml @@ -0,0 +1,199 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.3 + name: meshmultizoneservices.kuma.io +spec: + group: kuma.io + names: + categories: + - kuma + kind: MeshMultiZoneService + listKind: MeshMultiZoneServiceList + plural: meshmultizoneservices + singular: meshmultizoneservice + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .status.addresses[0].hostname + name: Hostname + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec is the specification of the Kuma MeshMultiZoneService + resource. + properties: + ports: + description: Ports is a list of ports from selected MeshServices + items: + properties: + appProtocol: + default: tcp + description: Protocol identifies a protocol supported by a service. + type: string + name: + type: string + port: + format: int32 + type: integer + required: + - port + type: object + minItems: 1 + type: array + selector: + description: Selector is a way to select multiple MeshServices + properties: + meshService: + description: MeshService selects MeshServices + properties: + matchLabels: + additionalProperties: + type: string + description: MatchLabels matches multiple MeshServices by + labels + type: object + required: + - matchLabels + type: object + required: + - meshService + type: object + required: + - selector + type: object + status: + description: Status is the current status of the Kuma MeshMultiZoneService + resource. + properties: + addresses: + description: Addresses is a list of addresses generated by HostnameGenerator + items: + properties: + hostname: + type: string + hostnameGeneratorRef: + properties: + coreName: + type: string + required: + - coreName + type: object + origin: + type: string + type: object + type: array + hostnameGenerators: + description: Status of hostnames generator applied on this resource + items: + properties: + conditions: + description: Conditions is an array of hostname generator conditions. + items: + properties: + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + hostnameGeneratorRef: + properties: + coreName: + type: string + required: + - coreName + type: object + required: + - hostnameGeneratorRef + type: object + type: array + meshServices: + description: MeshServices is a list of matched MeshServices + items: + properties: + mesh: + type: string + name: + description: Name is a core name of MeshService + type: string + namespace: + type: string + zone: + type: string + required: + - mesh + - name + - namespace + - zone + type: object + type: array + vips: + description: VIPs is a list of assigned Kuma VIPs. + items: + properties: + ip: + type: string + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: {} diff --git a/charts/kuma/kuma/2.9.1/crds/kuma.io_meshpassthroughs.yaml b/charts/kuma/kuma/2.9.1/crds/kuma.io_meshpassthroughs.yaml new file mode 100644 index 000000000..9f5822b55 --- /dev/null +++ b/charts/kuma/kuma/2.9.1/crds/kuma.io_meshpassthroughs.yaml @@ -0,0 +1,164 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.3 + name: meshpassthroughs.kuma.io +spec: + group: kuma.io + names: + categories: + - kuma + kind: MeshPassthrough + listKind: MeshPassthroughList + plural: meshpassthroughs + singular: meshpassthrough + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.targetRef.kind + name: TargetRef Kind + type: string + - jsonPath: .spec.targetRef.name + name: TargetRef Name + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec is the specification of the Kuma MeshPassthrough resource. + properties: + default: + description: MeshPassthrough configuration. + properties: + appendMatch: + description: AppendMatch is a list of destinations that should + be allowed through the sidecar. + items: + properties: + port: + description: Port defines the port to which a user makes + a request. + type: integer + protocol: + default: tcp + description: 'Protocol defines the communication protocol. + Possible values: `tcp`, `tls`, `grpc`, `http`, `http2`.' + enum: + - tcp + - tls + - grpc + - http + - http2 + type: string + type: + description: Type of the match, one of `Domain`, `IP` or + `CIDR` is available. + enum: + - Domain + - IP + - CIDR + type: string + value: + description: Value for the specified Type. + type: string + type: object + type: array + passthroughMode: + default: None + description: |- + Defines the passthrough behavior. Possible values: `All`, `None`, `Matched` + When `All` or `None` `appendMatch` has no effect. + enum: + - All + - Matched + - None + type: string + type: object + targetRef: + description: |- + TargetRef is a reference to the resource the policy takes an effect on. + The resource could be either a real store object or virtual resource + defined in-place. + properties: + kind: + description: Kind of the referenced resource + enum: + - Mesh + - MeshSubset + - MeshGateway + - MeshService + - MeshExternalService + - MeshMultiZoneService + - MeshServiceSubset + - MeshHTTPRoute + type: string + labels: + additionalProperties: + type: string + description: |- + Labels are used to select group of MeshServices that match labels. Either Labels or + Name and Namespace can be used. + type: object + mesh: + description: Mesh is reserved for future use to identify cross + mesh resources. + type: string + name: + description: |- + Name of the referenced resource. Can only be used with kinds: `MeshService`, + `MeshServiceSubset` and `MeshGatewayRoute` + type: string + namespace: + description: |- + Namespace specifies the namespace of target resource. If empty only resources in policy namespace + will be targeted. + type: string + proxyTypes: + description: |- + ProxyTypes specifies the data plane types that are subject to the policy. When not specified, + all data plane types are targeted by the policy. + items: + enum: + - Sidecar + - Gateway + type: string + minItems: 1 + type: array + sectionName: + description: |- + SectionName is used to target specific section of resource. + For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected. + type: string + tags: + additionalProperties: + type: string + description: |- + Tags used to select a subset of proxies by tags. Can only be used with kinds + `MeshSubset` and `MeshServiceSubset` + type: object + type: object + type: object + type: object + served: true + storage: true + subresources: {} diff --git a/charts/kuma/kuma/2.9.1/crds/kuma.io_meshproxypatches.yaml b/charts/kuma/kuma/2.9.1/crds/kuma.io_meshproxypatches.yaml new file mode 100644 index 000000000..bf6342d25 --- /dev/null +++ b/charts/kuma/kuma/2.9.1/crds/kuma.io_meshproxypatches.yaml @@ -0,0 +1,550 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.3 + name: meshproxypatches.kuma.io +spec: + group: kuma.io + names: + categories: + - kuma + kind: MeshProxyPatch + listKind: MeshProxyPatchList + plural: meshproxypatches + singular: meshproxypatch + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.targetRef.kind + name: TargetRef Kind + type: string + - jsonPath: .spec.targetRef.name + name: TargetRef Name + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec is the specification of the Kuma MeshProxyPatch resource. + properties: + default: + description: |- + Default is a configuration specific to the group of destinations + referenced in 'targetRef'. + properties: + appendModifications: + description: AppendModifications is a list of modifications applied + on the selected proxy. + items: + properties: + cluster: + description: Cluster is a modification of Envoy's Cluster + resource. + properties: + jsonPatches: + description: |- + JsonPatches specifies list of jsonpatches to apply to on Envoy's Cluster + resource + items: + description: JsonPatchBlock is one json patch operation + block. + properties: + from: + description: From is a jsonpatch from string, + used by move and copy operations. + type: string + op: + description: Op is a jsonpatch operation string. + enum: + - add + - remove + - replace + - move + - copy + type: string + path: + description: Path is a jsonpatch path string. + type: string + value: + description: Value must be a valid json value + used by replace and add operations. + x-kubernetes-preserve-unknown-fields: true + required: + - op + - path + type: object + type: array + match: + description: Match is a set of conditions that have + to be matched for modification operation to happen. + properties: + name: + description: Name of the cluster to match. + type: string + origin: + description: |- + Origin is the name of the component or plugin that generated the resource. + + Here is the list of well-known origins: + inbound - resources generated for handling incoming traffic. + outbound - resources generated for handling outgoing traffic. + transparent - resources generated for transparent proxy functionality. + prometheus - resources generated when Prometheus metrics are enabled. + direct-access - resources generated for Direct Access functionality. + ingress - resources generated for Zone Ingress. + egress - resources generated for Zone Egress. + gateway - resources generated for MeshGateway. + + The list is not complete, because policy plugins can introduce new resources. + For example MeshTrace plugin can create Cluster with "mesh-trace" origin. + type: string + type: object + operation: + description: Operation to execute on matched cluster. + enum: + - Add + - Remove + - Patch + type: string + value: + description: Value of xDS resource in YAML format to + add or patch. + type: string + required: + - operation + type: object + httpFilter: + description: |- + HTTPFilter is a modification of Envoy HTTP Filter + available in HTTP Connection Manager in a Listener resource. + properties: + jsonPatches: + description: |- + JsonPatches specifies list of jsonpatches to apply to on Envoy's + HTTP Filter available in HTTP Connection Manager in a Listener resource. + items: + description: JsonPatchBlock is one json patch operation + block. + properties: + from: + description: From is a jsonpatch from string, + used by move and copy operations. + type: string + op: + description: Op is a jsonpatch operation string. + enum: + - add + - remove + - replace + - move + - copy + type: string + path: + description: Path is a jsonpatch path string. + type: string + value: + description: Value must be a valid json value + used by replace and add operations. + x-kubernetes-preserve-unknown-fields: true + required: + - op + - path + type: object + type: array + match: + description: Match is a set of conditions that have + to be matched for modification operation to happen. + properties: + listenerName: + description: Name of the listener to match. + type: string + listenerTags: + additionalProperties: + type: string + description: Listener tags available in Listener#Metadata#FilterMetadata[io.kuma.tags] + type: object + name: + description: Name of the HTTP filter. For example + "envoy.filters.http.local_ratelimit" + type: string + origin: + description: |- + Origin is the name of the component or plugin that generated the resource. + + Here is the list of well-known origins: + inbound - resources generated for handling incoming traffic. + outbound - resources generated for handling outgoing traffic. + transparent - resources generated for transparent proxy functionality. + prometheus - resources generated when Prometheus metrics are enabled. + direct-access - resources generated for Direct Access functionality. + ingress - resources generated for Zone Ingress. + egress - resources generated for Zone Egress. + gateway - resources generated for MeshGateway. + + The list is not complete, because policy plugins can introduce new resources. + For example MeshTrace plugin can create Cluster with "mesh-trace" origin. + type: string + type: object + operation: + description: Operation to execute on matched listener. + enum: + - Remove + - Patch + - AddFirst + - AddBefore + - AddAfter + - AddLast + type: string + value: + description: Value of xDS resource in YAML format to + add or patch. + type: string + required: + - operation + type: object + listener: + description: Listener is a modification of Envoy's Listener + resource. + properties: + jsonPatches: + description: |- + JsonPatches specifies list of jsonpatches to apply to on Envoy's Listener + resource + items: + description: JsonPatchBlock is one json patch operation + block. + properties: + from: + description: From is a jsonpatch from string, + used by move and copy operations. + type: string + op: + description: Op is a jsonpatch operation string. + enum: + - add + - remove + - replace + - move + - copy + type: string + path: + description: Path is a jsonpatch path string. + type: string + value: + description: Value must be a valid json value + used by replace and add operations. + x-kubernetes-preserve-unknown-fields: true + required: + - op + - path + type: object + type: array + match: + description: Match is a set of conditions that have + to be matched for modification operation to happen. + properties: + name: + description: Name of the listener to match. + type: string + origin: + description: |- + Origin is the name of the component or plugin that generated the resource. + + Here is the list of well-known origins: + inbound - resources generated for handling incoming traffic. + outbound - resources generated for handling outgoing traffic. + transparent - resources generated for transparent proxy functionality. + prometheus - resources generated when Prometheus metrics are enabled. + direct-access - resources generated for Direct Access functionality. + ingress - resources generated for Zone Ingress. + egress - resources generated for Zone Egress. + gateway - resources generated for MeshGateway. + + The list is not complete, because policy plugins can introduce new resources. + For example MeshTrace plugin can create Cluster with "mesh-trace" origin. + type: string + tags: + additionalProperties: + type: string + description: Tags available in Listener#Metadata#FilterMetadata[io.kuma.tags] + type: object + type: object + operation: + description: Operation to execute on matched listener. + enum: + - Add + - Remove + - Patch + type: string + value: + description: Value of xDS resource in YAML format to + add or patch. + type: string + required: + - operation + type: object + networkFilter: + description: NetworkFilter is a modification of Envoy Listener's + filter. + properties: + jsonPatches: + description: |- + JsonPatches specifies list of jsonpatches to apply to on Envoy Listener's + filter. + items: + description: JsonPatchBlock is one json patch operation + block. + properties: + from: + description: From is a jsonpatch from string, + used by move and copy operations. + type: string + op: + description: Op is a jsonpatch operation string. + enum: + - add + - remove + - replace + - move + - copy + type: string + path: + description: Path is a jsonpatch path string. + type: string + value: + description: Value must be a valid json value + used by replace and add operations. + x-kubernetes-preserve-unknown-fields: true + required: + - op + - path + type: object + type: array + match: + description: Match is a set of conditions that have + to be matched for modification operation to happen. + properties: + listenerName: + description: Name of the listener to match. + type: string + listenerTags: + additionalProperties: + type: string + description: Listener tags available in Listener#Metadata#FilterMetadata[io.kuma.tags] + type: object + name: + description: Name of the network filter. For example + "envoy.filters.network.ratelimit" + type: string + origin: + description: |- + Origin is the name of the component or plugin that generated the resource. + + Here is the list of well-known origins: + inbound - resources generated for handling incoming traffic. + outbound - resources generated for handling outgoing traffic. + transparent - resources generated for transparent proxy functionality. + prometheus - resources generated when Prometheus metrics are enabled. + direct-access - resources generated for Direct Access functionality. + ingress - resources generated for Zone Ingress. + egress - resources generated for Zone Egress. + gateway - resources generated for MeshGateway. + + The list is not complete, because policy plugins can introduce new resources. + For example MeshTrace plugin can create Cluster with "mesh-trace" origin. + type: string + type: object + operation: + description: Operation to execute on matched listener. + enum: + - Remove + - Patch + - AddFirst + - AddBefore + - AddAfter + - AddLast + type: string + value: + description: Value of xDS resource in YAML format to + add or patch. + type: string + required: + - operation + type: object + virtualHost: + description: |- + VirtualHost is a modification of Envoy's VirtualHost + referenced in HTTP Connection Manager in a Listener resource. + properties: + jsonPatches: + description: |- + JsonPatches specifies list of jsonpatches to apply to on Envoy's + VirtualHost resource + items: + description: JsonPatchBlock is one json patch operation + block. + properties: + from: + description: From is a jsonpatch from string, + used by move and copy operations. + type: string + op: + description: Op is a jsonpatch operation string. + enum: + - add + - remove + - replace + - move + - copy + type: string + path: + description: Path is a jsonpatch path string. + type: string + value: + description: Value must be a valid json value + used by replace and add operations. + x-kubernetes-preserve-unknown-fields: true + required: + - op + - path + type: object + type: array + match: + description: Match is a set of conditions that have + to be matched for modification operation to happen. + properties: + name: + description: Name of the VirtualHost to match. + type: string + origin: + description: |- + Origin is the name of the component or plugin that generated the resource. + + Here is the list of well-known origins: + inbound - resources generated for handling incoming traffic. + outbound - resources generated for handling outgoing traffic. + transparent - resources generated for transparent proxy functionality. + prometheus - resources generated when Prometheus metrics are enabled. + direct-access - resources generated for Direct Access functionality. + ingress - resources generated for Zone Ingress. + egress - resources generated for Zone Egress. + gateway - resources generated for MeshGateway. + + The list is not complete, because policy plugins can introduce new resources. + For example MeshTrace plugin can create Cluster with "mesh-trace" origin. + type: string + routeConfigurationName: + description: Name of the RouteConfiguration resource + to match. + type: string + type: object + operation: + description: Operation to execute on matched listener. + enum: + - Add + - Remove + - Patch + type: string + value: + description: Value of xDS resource in YAML format to + add or patch. + type: string + required: + - match + - operation + type: object + type: object + type: array + required: + - appendModifications + type: object + targetRef: + description: |- + TargetRef is a reference to the resource the policy takes an effect on. + The resource could be either a real store object or virtual resource + defined inplace. + properties: + kind: + description: Kind of the referenced resource + enum: + - Mesh + - MeshSubset + - MeshGateway + - MeshService + - MeshExternalService + - MeshMultiZoneService + - MeshServiceSubset + - MeshHTTPRoute + type: string + labels: + additionalProperties: + type: string + description: |- + Labels are used to select group of MeshServices that match labels. Either Labels or + Name and Namespace can be used. + type: object + mesh: + description: Mesh is reserved for future use to identify cross + mesh resources. + type: string + name: + description: |- + Name of the referenced resource. Can only be used with kinds: `MeshService`, + `MeshServiceSubset` and `MeshGatewayRoute` + type: string + namespace: + description: |- + Namespace specifies the namespace of target resource. If empty only resources in policy namespace + will be targeted. + type: string + proxyTypes: + description: |- + ProxyTypes specifies the data plane types that are subject to the policy. When not specified, + all data plane types are targeted by the policy. + items: + enum: + - Sidecar + - Gateway + type: string + minItems: 1 + type: array + sectionName: + description: |- + SectionName is used to target specific section of resource. + For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected. + type: string + tags: + additionalProperties: + type: string + description: |- + Tags used to select a subset of proxies by tags. Can only be used with kinds + `MeshSubset` and `MeshServiceSubset` + type: object + type: object + required: + - default + type: object + type: object + served: true + storage: true + subresources: {} diff --git a/charts/kuma/kuma/2.9.1/crds/kuma.io_meshratelimits.yaml b/charts/kuma/kuma/2.9.1/crds/kuma.io_meshratelimits.yaml new file mode 100644 index 000000000..52424a985 --- /dev/null +++ b/charts/kuma/kuma/2.9.1/crds/kuma.io_meshratelimits.yaml @@ -0,0 +1,499 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.3 + name: meshratelimits.kuma.io +spec: + group: kuma.io + names: + categories: + - kuma + kind: MeshRateLimit + listKind: MeshRateLimitList + plural: meshratelimits + singular: meshratelimit + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.targetRef.kind + name: TargetRef Kind + type: string + - jsonPath: .spec.targetRef.name + name: TargetRef Name + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec is the specification of the Kuma MeshRateLimit resource. + properties: + from: + description: From list makes a match between clients and corresponding + configurations + items: + properties: + default: + description: |- + Default is a configuration specific to the group of clients referenced in + 'targetRef' + properties: + local: + description: LocalConf defines local http or/and tcp rate + limit configuration + properties: + http: + description: |- + LocalHTTP defines configuration of local HTTP rate limiting + https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/local_rate_limit_filter + properties: + disabled: + description: Define if rate limiting should be disabled. + type: boolean + onRateLimit: + description: Describes the actions to take on a + rate limit event + properties: + headers: + description: The Headers to be added to the + HTTP response on a rate limit event + properties: + add: + items: + properties: + name: + maxLength: 256 + minLength: 1 + pattern: ^[a-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + set: + items: + properties: + name: + maxLength: 256 + minLength: 1 + pattern: ^[a-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + status: + description: The HTTP status code to be set + on a rate limit event + format: int32 + type: integer + type: object + requestRate: + description: Defines how many requests are allowed + per interval. + properties: + interval: + description: The interval the number of units + is accounted for. + type: string + num: + description: |- + Number of units per interval (depending on usage it can be a number of requests, + or a number of connections). + format: int32 + type: integer + required: + - interval + - num + type: object + type: object + tcp: + description: |- + LocalTCP defines confguration of local TCP rate limiting + https://www.envoyproxy.io/docs/envoy/latest/configuration/listeners/network_filters/local_rate_limit_filter + properties: + connectionRate: + description: Defines how many connections are allowed + per interval. + properties: + interval: + description: The interval the number of units + is accounted for. + type: string + num: + description: |- + Number of units per interval (depending on usage it can be a number of requests, + or a number of connections). + format: int32 + type: integer + required: + - interval + - num + type: object + disabled: + description: |- + Define if rate limiting should be disabled. + Default: false + type: boolean + type: object + type: object + type: object + targetRef: + description: |- + TargetRef is a reference to the resource that represents a group of + clients. + properties: + kind: + description: Kind of the referenced resource + enum: + - Mesh + - MeshSubset + - MeshGateway + - MeshService + - MeshExternalService + - MeshMultiZoneService + - MeshServiceSubset + - MeshHTTPRoute + type: string + labels: + additionalProperties: + type: string + description: |- + Labels are used to select group of MeshServices that match labels. Either Labels or + Name and Namespace can be used. + type: object + mesh: + description: Mesh is reserved for future use to identify + cross mesh resources. + type: string + name: + description: |- + Name of the referenced resource. Can only be used with kinds: `MeshService`, + `MeshServiceSubset` and `MeshGatewayRoute` + type: string + namespace: + description: |- + Namespace specifies the namespace of target resource. If empty only resources in policy namespace + will be targeted. + type: string + proxyTypes: + description: |- + ProxyTypes specifies the data plane types that are subject to the policy. When not specified, + all data plane types are targeted by the policy. + items: + enum: + - Sidecar + - Gateway + type: string + minItems: 1 + type: array + sectionName: + description: |- + SectionName is used to target specific section of resource. + For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected. + type: string + tags: + additionalProperties: + type: string + description: |- + Tags used to select a subset of proxies by tags. Can only be used with kinds + `MeshSubset` and `MeshServiceSubset` + type: object + type: object + required: + - targetRef + type: object + type: array + targetRef: + description: |- + TargetRef is a reference to the resource the policy takes an effect on. + The resource could be either a real store object or virtual resource + defined inplace. + properties: + kind: + description: Kind of the referenced resource + enum: + - Mesh + - MeshSubset + - MeshGateway + - MeshService + - MeshExternalService + - MeshMultiZoneService + - MeshServiceSubset + - MeshHTTPRoute + type: string + labels: + additionalProperties: + type: string + description: |- + Labels are used to select group of MeshServices that match labels. Either Labels or + Name and Namespace can be used. + type: object + mesh: + description: Mesh is reserved for future use to identify cross + mesh resources. + type: string + name: + description: |- + Name of the referenced resource. Can only be used with kinds: `MeshService`, + `MeshServiceSubset` and `MeshGatewayRoute` + type: string + namespace: + description: |- + Namespace specifies the namespace of target resource. If empty only resources in policy namespace + will be targeted. + type: string + proxyTypes: + description: |- + ProxyTypes specifies the data plane types that are subject to the policy. When not specified, + all data plane types are targeted by the policy. + items: + enum: + - Sidecar + - Gateway + type: string + minItems: 1 + type: array + sectionName: + description: |- + SectionName is used to target specific section of resource. + For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected. + type: string + tags: + additionalProperties: + type: string + description: |- + Tags used to select a subset of proxies by tags. Can only be used with kinds + `MeshSubset` and `MeshServiceSubset` + type: object + type: object + to: + description: To list makes a match between clients and corresponding + configurations + items: + properties: + default: + description: |- + Default is a configuration specific to the group of clients referenced in + 'targetRef' + properties: + local: + description: LocalConf defines local http or/and tcp rate + limit configuration + properties: + http: + description: |- + LocalHTTP defines configuration of local HTTP rate limiting + https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/local_rate_limit_filter + properties: + disabled: + description: Define if rate limiting should be disabled. + type: boolean + onRateLimit: + description: Describes the actions to take on a + rate limit event + properties: + headers: + description: The Headers to be added to the + HTTP response on a rate limit event + properties: + add: + items: + properties: + name: + maxLength: 256 + minLength: 1 + pattern: ^[a-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + set: + items: + properties: + name: + maxLength: 256 + minLength: 1 + pattern: ^[a-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + status: + description: The HTTP status code to be set + on a rate limit event + format: int32 + type: integer + type: object + requestRate: + description: Defines how many requests are allowed + per interval. + properties: + interval: + description: The interval the number of units + is accounted for. + type: string + num: + description: |- + Number of units per interval (depending on usage it can be a number of requests, + or a number of connections). + format: int32 + type: integer + required: + - interval + - num + type: object + type: object + tcp: + description: |- + LocalTCP defines confguration of local TCP rate limiting + https://www.envoyproxy.io/docs/envoy/latest/configuration/listeners/network_filters/local_rate_limit_filter + properties: + connectionRate: + description: Defines how many connections are allowed + per interval. + properties: + interval: + description: The interval the number of units + is accounted for. + type: string + num: + description: |- + Number of units per interval (depending on usage it can be a number of requests, + or a number of connections). + format: int32 + type: integer + required: + - interval + - num + type: object + disabled: + description: |- + Define if rate limiting should be disabled. + Default: false + type: boolean + type: object + type: object + type: object + targetRef: + description: |- + TargetRef is a reference to the resource that represents a group of + clients. + properties: + kind: + description: Kind of the referenced resource + enum: + - Mesh + - MeshSubset + - MeshGateway + - MeshService + - MeshExternalService + - MeshMultiZoneService + - MeshServiceSubset + - MeshHTTPRoute + type: string + labels: + additionalProperties: + type: string + description: |- + Labels are used to select group of MeshServices that match labels. Either Labels or + Name and Namespace can be used. + type: object + mesh: + description: Mesh is reserved for future use to identify + cross mesh resources. + type: string + name: + description: |- + Name of the referenced resource. Can only be used with kinds: `MeshService`, + `MeshServiceSubset` and `MeshGatewayRoute` + type: string + namespace: + description: |- + Namespace specifies the namespace of target resource. If empty only resources in policy namespace + will be targeted. + type: string + proxyTypes: + description: |- + ProxyTypes specifies the data plane types that are subject to the policy. When not specified, + all data plane types are targeted by the policy. + items: + enum: + - Sidecar + - Gateway + type: string + minItems: 1 + type: array + sectionName: + description: |- + SectionName is used to target specific section of resource. + For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected. + type: string + tags: + additionalProperties: + type: string + description: |- + Tags used to select a subset of proxies by tags. Can only be used with kinds + `MeshSubset` and `MeshServiceSubset` + type: object + type: object + required: + - targetRef + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: {} diff --git a/charts/kuma/kuma/2.9.1/crds/kuma.io_meshretries.yaml b/charts/kuma/kuma/2.9.1/crds/kuma.io_meshretries.yaml new file mode 100644 index 000000000..f4337a105 --- /dev/null +++ b/charts/kuma/kuma/2.9.1/crds/kuma.io_meshretries.yaml @@ -0,0 +1,507 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.3 + name: meshretries.kuma.io +spec: + group: kuma.io + names: + categories: + - kuma + kind: MeshRetry + listKind: MeshRetryList + plural: meshretries + singular: meshretry + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.targetRef.kind + name: TargetRef Kind + type: string + - jsonPath: .spec.targetRef.name + name: TargetRef Name + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec is the specification of the Kuma MeshRetry resource. + properties: + targetRef: + description: |- + TargetRef is a reference to the resource the policy takes an effect on. + The resource could be either a real store object or virtual resource + defined inplace. + properties: + kind: + description: Kind of the referenced resource + enum: + - Mesh + - MeshSubset + - MeshGateway + - MeshService + - MeshExternalService + - MeshMultiZoneService + - MeshServiceSubset + - MeshHTTPRoute + type: string + labels: + additionalProperties: + type: string + description: |- + Labels are used to select group of MeshServices that match labels. Either Labels or + Name and Namespace can be used. + type: object + mesh: + description: Mesh is reserved for future use to identify cross + mesh resources. + type: string + name: + description: |- + Name of the referenced resource. Can only be used with kinds: `MeshService`, + `MeshServiceSubset` and `MeshGatewayRoute` + type: string + namespace: + description: |- + Namespace specifies the namespace of target resource. If empty only resources in policy namespace + will be targeted. + type: string + proxyTypes: + description: |- + ProxyTypes specifies the data plane types that are subject to the policy. When not specified, + all data plane types are targeted by the policy. + items: + enum: + - Sidecar + - Gateway + type: string + minItems: 1 + type: array + sectionName: + description: |- + SectionName is used to target specific section of resource. + For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected. + type: string + tags: + additionalProperties: + type: string + description: |- + Tags used to select a subset of proxies by tags. Can only be used with kinds + `MeshSubset` and `MeshServiceSubset` + type: object + type: object + to: + description: To list makes a match between the consumed services and + corresponding configurations + items: + properties: + default: + description: |- + Default is a configuration specific to the group of destinations referenced in + 'targetRef' + properties: + grpc: + description: GRPC defines a configuration of retries for + GRPC traffic + properties: + backOff: + description: |- + BackOff is a configuration of durations which will be used in an exponential + backoff strategy between retries. + properties: + baseInterval: + default: 25ms + description: |- + BaseInterval is an amount of time which should be taken between retries. + Must be greater than zero. Values less than 1 ms are rounded up to 1 ms. + type: string + maxInterval: + description: |- + MaxInterval is a maximal amount of time which will be taken between retries. + Default is 10 times the "BaseInterval". + type: string + type: object + numRetries: + description: |- + NumRetries is the number of attempts that will be made on failed (and + retriable) requests. If not set, the default value is 1. + format: int32 + type: integer + perTryTimeout: + description: |- + PerTryTimeout is the maximum amount of time each retry attempt can take + before it times out. If not set, the global request timeout for the route + will be used. Setting this value to 0 will disable the per-try timeout. + type: string + rateLimitedBackOff: + description: |- + RateLimitedBackOff is a configuration of backoff which will be used when + the upstream returns one of the headers configured. + properties: + maxInterval: + default: 300s + description: MaxInterval is a maximal amount of + time which will be taken between retries. + type: string + resetHeaders: + description: |- + ResetHeaders specifies the list of headers (like Retry-After or X-RateLimit-Reset) + to match against the response. Headers are tried in order, and matched + case-insensitive. The first header to be parsed successfully is used. + If no headers match the default exponential BackOff is used instead. + items: + properties: + format: + description: The format of the reset header. + enum: + - Seconds + - UnixTimestamp + type: string + name: + description: The Name of the reset header. + maxLength: 256 + minLength: 1 + pattern: ^[a-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + required: + - format + - name + type: object + type: array + type: object + retryOn: + description: RetryOn is a list of conditions which will + cause a retry. + example: + - Canceled + - DeadlineExceeded + - Internal + - ResourceExhausted + - Unavailable + items: + enum: + - Canceled + - DeadlineExceeded + - Internal + - ResourceExhausted + - Unavailable + type: string + type: array + type: object + http: + description: HTTP defines a configuration of retries for + HTTP traffic + properties: + backOff: + description: |- + BackOff is a configuration of durations which will be used in exponential + backoff strategy between retries. + properties: + baseInterval: + default: 25ms + description: |- + BaseInterval is an amount of time which should be taken between retries. + Must be greater than zero. Values less than 1 ms are rounded up to 1 ms. + type: string + maxInterval: + description: |- + MaxInterval is a maximal amount of time which will be taken between retries. + Default is 10 times the "BaseInterval". + type: string + type: object + hostSelection: + description: |- + HostSelection is a list of predicates that dictate how hosts should be selected + when requests are retried. + items: + properties: + predicate: + description: Type is requested predicate mode. + enum: + - OmitPreviousHosts + - OmitHostsWithTags + - OmitPreviousPriorities + type: string + tags: + additionalProperties: + type: string + description: |- + Tags is a map of metadata to match against for selecting the omitted hosts. Required if Type is + OmitHostsWithTags + type: object + updateFrequency: + default: 2 + description: |- + UpdateFrequency is how often the priority load should be updated based on previously attempted priorities. + Used for OmitPreviousPriorities. + format: int32 + type: integer + required: + - predicate + type: object + type: array + hostSelectionMaxAttempts: + description: |- + HostSelectionMaxAttempts is the maximum number of times host selection will be + reattempted before giving up, at which point the host that was last selected will + be routed to. If unspecified, this will default to retrying once. + format: int64 + type: integer + numRetries: + description: |- + NumRetries is the number of attempts that will be made on failed (and + retriable) requests. If not set, the default value is 1. + format: int32 + type: integer + perTryTimeout: + description: |- + PerTryTimeout is the amount of time after which retry attempt should time out. + If left unspecified, the global route timeout for the request will be used. + Consequently, when using a 5xx based retry policy, a request that times out + will not be retried as the total timeout budget would have been exhausted. + Setting this timeout to 0 will disable it. + type: string + rateLimitedBackOff: + description: |- + RateLimitedBackOff is a configuration of backoff which will be used + when the upstream returns one of the headers configured. + properties: + maxInterval: + default: 300s + description: MaxInterval is a maximal amount of + time which will be taken between retries. + type: string + resetHeaders: + description: |- + ResetHeaders specifies the list of headers (like Retry-After or X-RateLimit-Reset) + to match against the response. Headers are tried in order, and matched + case-insensitive. The first header to be parsed successfully is used. + If no headers match the default exponential BackOff is used instead. + items: + properties: + format: + description: The format of the reset header. + enum: + - Seconds + - UnixTimestamp + type: string + name: + description: The Name of the reset header. + maxLength: 256 + minLength: 1 + pattern: ^[a-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + required: + - format + - name + type: object + type: array + type: object + retriableRequestHeaders: + description: |- + RetriableRequestHeaders is an HTTP headers which must be present in the request + for retries to be attempted. + items: + description: |- + HeaderMatch describes how to select an HTTP route by matching HTTP request + headers. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name MUST be lower case + as they will be handled with case insensitivity (See https://tools.ietf.org/html/rfc7230#section-3.2). + maxLength: 256 + minLength: 1 + pattern: ^[a-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + type: + default: Exact + description: Type specifies how to match against + the value of the header. + enum: + - Exact + - Present + - RegularExpression + - Absent + - Prefix + type: string + value: + description: Value is the value of HTTP Header + to be matched. + type: string + required: + - name + type: object + type: array + retriableResponseHeaders: + description: |- + RetriableResponseHeaders is an HTTP response headers that trigger a retry + if present in the response. A retry will be triggered if any of the header + matches the upstream response headers. + items: + description: |- + HeaderMatch describes how to select an HTTP route by matching HTTP request + headers. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name MUST be lower case + as they will be handled with case insensitivity (See https://tools.ietf.org/html/rfc7230#section-3.2). + maxLength: 256 + minLength: 1 + pattern: ^[a-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + type: + default: Exact + description: Type specifies how to match against + the value of the header. + enum: + - Exact + - Present + - RegularExpression + - Absent + - Prefix + type: string + value: + description: Value is the value of HTTP Header + to be matched. + type: string + required: + - name + type: object + type: array + retryOn: + description: |- + RetryOn is a list of conditions which will cause a retry. Available values are: + [5XX, GatewayError, Reset, Retriable4xx, ConnectFailure, EnvoyRatelimited, + RefusedStream, Http3PostConnectFailure, HttpMethodConnect, HttpMethodDelete, + HttpMethodGet, HttpMethodHead, HttpMethodOptions, HttpMethodPatch, + HttpMethodPost, HttpMethodPut, HttpMethodTrace]. + Also, any HTTP status code (500, 503, etc.). + example: + - 5XX + - GatewayError + - Reset + - Retriable4xx + - ConnectFailure + - EnvoyRatelimited + - RefusedStream + - Http3PostConnectFailure + - HttpMethodConnect + - HttpMethodDelete + - HttpMethodGet + - HttpMethodHead + - HttpMethodOptions + - HttpMethodPatch + - HttpMethodPost + - HttpMethodPut + - HttpMethodTrace + - "500" + - "503" + items: + type: string + type: array + type: object + tcp: + description: TCP defines a configuration of retries for + TCP traffic + properties: + maxConnectAttempt: + description: |- + MaxConnectAttempt is a maximal amount of TCP connection attempts + which will be made before giving up + format: int32 + type: integer + type: object + type: object + targetRef: + description: |- + TargetRef is a reference to the resource that represents a group of + destinations. + properties: + kind: + description: Kind of the referenced resource + enum: + - Mesh + - MeshSubset + - MeshGateway + - MeshService + - MeshExternalService + - MeshMultiZoneService + - MeshServiceSubset + - MeshHTTPRoute + type: string + labels: + additionalProperties: + type: string + description: |- + Labels are used to select group of MeshServices that match labels. Either Labels or + Name and Namespace can be used. + type: object + mesh: + description: Mesh is reserved for future use to identify + cross mesh resources. + type: string + name: + description: |- + Name of the referenced resource. Can only be used with kinds: `MeshService`, + `MeshServiceSubset` and `MeshGatewayRoute` + type: string + namespace: + description: |- + Namespace specifies the namespace of target resource. If empty only resources in policy namespace + will be targeted. + type: string + proxyTypes: + description: |- + ProxyTypes specifies the data plane types that are subject to the policy. When not specified, + all data plane types are targeted by the policy. + items: + enum: + - Sidecar + - Gateway + type: string + minItems: 1 + type: array + sectionName: + description: |- + SectionName is used to target specific section of resource. + For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected. + type: string + tags: + additionalProperties: + type: string + description: |- + Tags used to select a subset of proxies by tags. Can only be used with kinds + `MeshSubset` and `MeshServiceSubset` + type: object + type: object + required: + - targetRef + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: {} diff --git a/charts/kuma/kuma/2.9.1/crds/kuma.io_meshservices.yaml b/charts/kuma/kuma/2.9.1/crds/kuma.io_meshservices.yaml new file mode 100644 index 000000000..5ac9cf40b --- /dev/null +++ b/charts/kuma/kuma/2.9.1/crds/kuma.io_meshservices.yaml @@ -0,0 +1,218 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.3 + name: meshservices.kuma.io +spec: + group: kuma.io + names: + categories: + - kuma + kind: MeshService + listKind: MeshServiceList + plural: meshservices + singular: meshservice + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .status.addresses[0].hostname + name: Hostname + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec is the specification of the Kuma MeshService resource. + properties: + identities: + items: + properties: + type: + enum: + - ServiceTag + type: string + value: + type: string + required: + - type + - value + type: object + type: array + ports: + items: + properties: + appProtocol: + default: tcp + description: Protocol identifies a protocol supported by a service. + type: string + name: + type: string + port: + format: int32 + type: integer + targetPort: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + type: array + x-kubernetes-list-map-keys: + - port + - appProtocol + x-kubernetes-list-type: map + selector: + properties: + dataplaneRef: + properties: + name: + type: string + type: object + dataplaneTags: + additionalProperties: + type: string + type: object + type: object + state: + description: |- + State of MeshService. Available if there is at least one healthy endpoint. Otherwise, Unavailable. + It's used for cross zone communication to check if we should send traffic to it, when MeshService is aggregated into MeshMultiZoneService. + enum: + - Available + - Unavailable + type: string + type: object + status: + description: Status is the current status of the Kuma MeshService resource. + properties: + addresses: + items: + properties: + hostname: + type: string + hostnameGeneratorRef: + properties: + coreName: + type: string + required: + - coreName + type: object + origin: + type: string + type: object + type: array + dataplaneProxies: + description: Data plane proxies statistics selected by this MeshService. + properties: + connected: + description: Number of data plane proxies connected to the zone + control plane + type: integer + healthy: + description: Number of data plane proxies with all healthy inbounds + selected by this MeshService. + type: integer + total: + description: Total number of data plane proxies. + type: integer + type: object + hostnameGenerators: + items: + properties: + conditions: + description: Conditions is an array of hostname generator conditions. + items: + properties: + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + hostnameGeneratorRef: + properties: + coreName: + type: string + required: + - coreName + type: object + required: + - hostnameGeneratorRef + type: object + type: array + tls: + properties: + status: + enum: + - Ready + - NotReady + type: string + type: object + vips: + items: + properties: + ip: + type: string + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: {} diff --git a/charts/kuma/kuma/2.9.1/crds/kuma.io_meshtcproutes.yaml b/charts/kuma/kuma/2.9.1/crds/kuma.io_meshtcproutes.yaml new file mode 100644 index 000000000..9d1d0ad7e --- /dev/null +++ b/charts/kuma/kuma/2.9.1/crds/kuma.io_meshtcproutes.yaml @@ -0,0 +1,282 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.3 + name: meshtcproutes.kuma.io +spec: + group: kuma.io + names: + categories: + - kuma + kind: MeshTCPRoute + listKind: MeshTCPRouteList + plural: meshtcproutes + singular: meshtcproute + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.targetRef.kind + name: TargetRef Kind + type: string + - jsonPath: .spec.targetRef.name + name: TargetRef Name + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec is the specification of the Kuma MeshTCPRoute resource. + properties: + targetRef: + description: |- + TargetRef is a reference to the resource the policy takes an effect on. + The resource could be either a real store object or virtual resource + defined in-place. + properties: + kind: + description: Kind of the referenced resource + enum: + - Mesh + - MeshSubset + - MeshGateway + - MeshService + - MeshExternalService + - MeshMultiZoneService + - MeshServiceSubset + - MeshHTTPRoute + type: string + labels: + additionalProperties: + type: string + description: |- + Labels are used to select group of MeshServices that match labels. Either Labels or + Name and Namespace can be used. + type: object + mesh: + description: Mesh is reserved for future use to identify cross + mesh resources. + type: string + name: + description: |- + Name of the referenced resource. Can only be used with kinds: `MeshService`, + `MeshServiceSubset` and `MeshGatewayRoute` + type: string + namespace: + description: |- + Namespace specifies the namespace of target resource. If empty only resources in policy namespace + will be targeted. + type: string + proxyTypes: + description: |- + ProxyTypes specifies the data plane types that are subject to the policy. When not specified, + all data plane types are targeted by the policy. + items: + enum: + - Sidecar + - Gateway + type: string + minItems: 1 + type: array + sectionName: + description: |- + SectionName is used to target specific section of resource. + For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected. + type: string + tags: + additionalProperties: + type: string + description: |- + Tags used to select a subset of proxies by tags. Can only be used with kinds + `MeshSubset` and `MeshServiceSubset` + type: object + type: object + to: + description: |- + To list makes a match between the consumed services and corresponding + configurations + items: + properties: + rules: + description: |- + Rules contains the routing rules applies to a combination of top-level + targetRef and the targetRef in this entry. + items: + properties: + default: + description: |- + Default holds routing rules that can be merged with rules from other + policies. + properties: + backendRefs: + items: + description: BackendRef defines where to forward + traffic. + properties: + kind: + description: Kind of the referenced resource + enum: + - Mesh + - MeshSubset + - MeshGateway + - MeshService + - MeshExternalService + - MeshMultiZoneService + - MeshServiceSubset + - MeshHTTPRoute + type: string + labels: + additionalProperties: + type: string + description: |- + Labels are used to select group of MeshServices that match labels. Either Labels or + Name and Namespace can be used. + type: object + mesh: + description: Mesh is reserved for future use + to identify cross mesh resources. + type: string + name: + description: |- + Name of the referenced resource. Can only be used with kinds: `MeshService`, + `MeshServiceSubset` and `MeshGatewayRoute` + type: string + namespace: + description: |- + Namespace specifies the namespace of target resource. If empty only resources in policy namespace + will be targeted. + type: string + port: + description: Port is only supported when this + ref refers to a real MeshService object + format: int32 + type: integer + proxyTypes: + description: |- + ProxyTypes specifies the data plane types that are subject to the policy. When not specified, + all data plane types are targeted by the policy. + items: + enum: + - Sidecar + - Gateway + type: string + minItems: 1 + type: array + sectionName: + description: |- + SectionName is used to target specific section of resource. + For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected. + type: string + tags: + additionalProperties: + type: string + description: |- + Tags used to select a subset of proxies by tags. Can only be used with kinds + `MeshSubset` and `MeshServiceSubset` + type: object + weight: + default: 1 + minimum: 0 + type: integer + type: object + minItems: 1 + type: array + required: + - backendRefs + type: object + required: + - default + type: object + maxItems: 1 + type: array + targetRef: + description: |- + TargetRef is a reference to the resource that represents a group of + destinations. + properties: + kind: + description: Kind of the referenced resource + enum: + - Mesh + - MeshSubset + - MeshGateway + - MeshService + - MeshExternalService + - MeshMultiZoneService + - MeshServiceSubset + - MeshHTTPRoute + type: string + labels: + additionalProperties: + type: string + description: |- + Labels are used to select group of MeshServices that match labels. Either Labels or + Name and Namespace can be used. + type: object + mesh: + description: Mesh is reserved for future use to identify + cross mesh resources. + type: string + name: + description: |- + Name of the referenced resource. Can only be used with kinds: `MeshService`, + `MeshServiceSubset` and `MeshGatewayRoute` + type: string + namespace: + description: |- + Namespace specifies the namespace of target resource. If empty only resources in policy namespace + will be targeted. + type: string + proxyTypes: + description: |- + ProxyTypes specifies the data plane types that are subject to the policy. When not specified, + all data plane types are targeted by the policy. + items: + enum: + - Sidecar + - Gateway + type: string + minItems: 1 + type: array + sectionName: + description: |- + SectionName is used to target specific section of resource. + For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected. + type: string + tags: + additionalProperties: + type: string + description: |- + Tags used to select a subset of proxies by tags. Can only be used with kinds + `MeshSubset` and `MeshServiceSubset` + type: object + type: object + required: + - targetRef + type: object + minItems: 1 + type: array + type: object + type: object + served: true + storage: true + subresources: {} diff --git a/charts/kuma/kuma/2.9.1/crds/kuma.io_meshtimeouts.yaml b/charts/kuma/kuma/2.9.1/crds/kuma.io_meshtimeouts.yaml new file mode 100644 index 000000000..330873a94 --- /dev/null +++ b/charts/kuma/kuma/2.9.1/crds/kuma.io_meshtimeouts.yaml @@ -0,0 +1,363 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.3 + name: meshtimeouts.kuma.io +spec: + group: kuma.io + names: + categories: + - kuma + kind: MeshTimeout + listKind: MeshTimeoutList + plural: meshtimeouts + singular: meshtimeout + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.targetRef.kind + name: TargetRef Kind + type: string + - jsonPath: .spec.targetRef.name + name: TargetRef Name + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec is the specification of the Kuma MeshTimeout resource. + properties: + from: + description: From list makes a match between clients and corresponding + configurations + items: + properties: + default: + description: |- + Default is a configuration specific to the group of clients referenced in + 'targetRef' + properties: + connectionTimeout: + description: |- + ConnectionTimeout specifies the amount of time proxy will wait for an TCP connection to be established. + Default value is 5 seconds. Cannot be set to 0. + type: string + http: + description: Http provides configuration for HTTP specific + timeouts + properties: + maxConnectionDuration: + description: |- + MaxConnectionDuration is the time after which a connection will be drained and/or closed, + starting from when it was first established. Setting this timeout to 0 will disable it. + Disabled by default. + type: string + maxStreamDuration: + description: |- + MaxStreamDuration is the maximum time that a stream’s lifetime will span. + Setting this timeout to 0 will disable it. Disabled by default. + type: string + requestHeadersTimeout: + description: |- + RequestHeadersTimeout The amount of time that proxy will wait for the request headers to be received. The timer is + activated when the first byte of the headers is received, and is disarmed when the last byte of + the headers has been received. If not specified or set to 0, this timeout is disabled. + Disabled by default. + type: string + requestTimeout: + description: |- + RequestTimeout The amount of time that proxy will wait for the entire request to be received. + The timer is activated when the request is initiated, and is disarmed when the last byte of the request is sent, + OR when the response is initiated. Setting this timeout to 0 will disable it. + Default is 15s. + type: string + streamIdleTimeout: + description: |- + StreamIdleTimeout is the amount of time that proxy will allow a stream to exist with no activity. + Setting this timeout to 0 will disable it. Default is 30m + type: string + type: object + idleTimeout: + description: |- + IdleTimeout is defined as the period in which there are no bytes sent or received on connection + Setting this timeout to 0 will disable it. Be cautious when disabling it because + it can lead to connection leaking. Default value is 1h. + type: string + type: object + targetRef: + description: |- + TargetRef is a reference to the resource that represents a group of + clients. + properties: + kind: + description: Kind of the referenced resource + enum: + - Mesh + - MeshSubset + - MeshGateway + - MeshService + - MeshExternalService + - MeshMultiZoneService + - MeshServiceSubset + - MeshHTTPRoute + type: string + labels: + additionalProperties: + type: string + description: |- + Labels are used to select group of MeshServices that match labels. Either Labels or + Name and Namespace can be used. + type: object + mesh: + description: Mesh is reserved for future use to identify + cross mesh resources. + type: string + name: + description: |- + Name of the referenced resource. Can only be used with kinds: `MeshService`, + `MeshServiceSubset` and `MeshGatewayRoute` + type: string + namespace: + description: |- + Namespace specifies the namespace of target resource. If empty only resources in policy namespace + will be targeted. + type: string + proxyTypes: + description: |- + ProxyTypes specifies the data plane types that are subject to the policy. When not specified, + all data plane types are targeted by the policy. + items: + enum: + - Sidecar + - Gateway + type: string + minItems: 1 + type: array + sectionName: + description: |- + SectionName is used to target specific section of resource. + For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected. + type: string + tags: + additionalProperties: + type: string + description: |- + Tags used to select a subset of proxies by tags. Can only be used with kinds + `MeshSubset` and `MeshServiceSubset` + type: object + type: object + required: + - targetRef + type: object + type: array + targetRef: + description: |- + TargetRef is a reference to the resource the policy takes an effect on. + The resource could be either a real store object or virtual resource + defined inplace. + properties: + kind: + description: Kind of the referenced resource + enum: + - Mesh + - MeshSubset + - MeshGateway + - MeshService + - MeshExternalService + - MeshMultiZoneService + - MeshServiceSubset + - MeshHTTPRoute + type: string + labels: + additionalProperties: + type: string + description: |- + Labels are used to select group of MeshServices that match labels. Either Labels or + Name and Namespace can be used. + type: object + mesh: + description: Mesh is reserved for future use to identify cross + mesh resources. + type: string + name: + description: |- + Name of the referenced resource. Can only be used with kinds: `MeshService`, + `MeshServiceSubset` and `MeshGatewayRoute` + type: string + namespace: + description: |- + Namespace specifies the namespace of target resource. If empty only resources in policy namespace + will be targeted. + type: string + proxyTypes: + description: |- + ProxyTypes specifies the data plane types that are subject to the policy. When not specified, + all data plane types are targeted by the policy. + items: + enum: + - Sidecar + - Gateway + type: string + minItems: 1 + type: array + sectionName: + description: |- + SectionName is used to target specific section of resource. + For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected. + type: string + tags: + additionalProperties: + type: string + description: |- + Tags used to select a subset of proxies by tags. Can only be used with kinds + `MeshSubset` and `MeshServiceSubset` + type: object + type: object + to: + description: To list makes a match between the consumed services and + corresponding configurations + items: + properties: + default: + description: |- + Default is a configuration specific to the group of destinations referenced in + 'targetRef' + properties: + connectionTimeout: + description: |- + ConnectionTimeout specifies the amount of time proxy will wait for an TCP connection to be established. + Default value is 5 seconds. Cannot be set to 0. + type: string + http: + description: Http provides configuration for HTTP specific + timeouts + properties: + maxConnectionDuration: + description: |- + MaxConnectionDuration is the time after which a connection will be drained and/or closed, + starting from when it was first established. Setting this timeout to 0 will disable it. + Disabled by default. + type: string + maxStreamDuration: + description: |- + MaxStreamDuration is the maximum time that a stream’s lifetime will span. + Setting this timeout to 0 will disable it. Disabled by default. + type: string + requestHeadersTimeout: + description: |- + RequestHeadersTimeout The amount of time that proxy will wait for the request headers to be received. The timer is + activated when the first byte of the headers is received, and is disarmed when the last byte of + the headers has been received. If not specified or set to 0, this timeout is disabled. + Disabled by default. + type: string + requestTimeout: + description: |- + RequestTimeout The amount of time that proxy will wait for the entire request to be received. + The timer is activated when the request is initiated, and is disarmed when the last byte of the request is sent, + OR when the response is initiated. Setting this timeout to 0 will disable it. + Default is 15s. + type: string + streamIdleTimeout: + description: |- + StreamIdleTimeout is the amount of time that proxy will allow a stream to exist with no activity. + Setting this timeout to 0 will disable it. Default is 30m + type: string + type: object + idleTimeout: + description: |- + IdleTimeout is defined as the period in which there are no bytes sent or received on connection + Setting this timeout to 0 will disable it. Be cautious when disabling it because + it can lead to connection leaking. Default value is 1h. + type: string + type: object + targetRef: + description: |- + TargetRef is a reference to the resource that represents a group of + destinations. + properties: + kind: + description: Kind of the referenced resource + enum: + - Mesh + - MeshSubset + - MeshGateway + - MeshService + - MeshExternalService + - MeshMultiZoneService + - MeshServiceSubset + - MeshHTTPRoute + type: string + labels: + additionalProperties: + type: string + description: |- + Labels are used to select group of MeshServices that match labels. Either Labels or + Name and Namespace can be used. + type: object + mesh: + description: Mesh is reserved for future use to identify + cross mesh resources. + type: string + name: + description: |- + Name of the referenced resource. Can only be used with kinds: `MeshService`, + `MeshServiceSubset` and `MeshGatewayRoute` + type: string + namespace: + description: |- + Namespace specifies the namespace of target resource. If empty only resources in policy namespace + will be targeted. + type: string + proxyTypes: + description: |- + ProxyTypes specifies the data plane types that are subject to the policy. When not specified, + all data plane types are targeted by the policy. + items: + enum: + - Sidecar + - Gateway + type: string + minItems: 1 + type: array + sectionName: + description: |- + SectionName is used to target specific section of resource. + For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected. + type: string + tags: + additionalProperties: + type: string + description: |- + Tags used to select a subset of proxies by tags. Can only be used with kinds + `MeshSubset` and `MeshServiceSubset` + type: object + type: object + required: + - targetRef + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: {} diff --git a/charts/kuma/kuma/2.9.1/crds/kuma.io_meshtlses.yaml b/charts/kuma/kuma/2.9.1/crds/kuma.io_meshtlses.yaml new file mode 100644 index 000000000..4ddbfffcb --- /dev/null +++ b/charts/kuma/kuma/2.9.1/crds/kuma.io_meshtlses.yaml @@ -0,0 +1,239 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.3 + name: meshtlses.kuma.io +spec: + group: kuma.io + names: + categories: + - kuma + kind: MeshTLS + listKind: MeshTLSList + plural: meshtlses + singular: meshtls + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.targetRef.kind + name: TargetRef Kind + type: string + - jsonPath: .spec.targetRef.name + name: TargetRef Name + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec is the specification of the Kuma MeshTLS resource. + properties: + from: + description: From list makes a match between clients and corresponding + configurations + items: + properties: + default: + description: |- + Default is a configuration specific to the group of clients referenced in + 'targetRef' + properties: + mode: + description: Mode defines the behavior of inbound listeners + with regard to traffic encryption. + enum: + - Permissive + - Strict + type: string + tlsCiphers: + description: TlsCiphers section for providing ciphers specification. + items: + enum: + - ECDHE-ECDSA-AES128-GCM-SHA256 + - ECDHE-ECDSA-AES256-GCM-SHA384 + - ECDHE-ECDSA-CHACHA20-POLY1305 + - ECDHE-RSA-AES128-GCM-SHA256 + - ECDHE-RSA-AES256-GCM-SHA384 + - ECDHE-RSA-CHACHA20-POLY1305 + type: string + type: array + tlsVersion: + description: Version section for providing version specification. + properties: + max: + default: TLSAuto + description: Max defines maximum supported version. + One of `TLSAuto`, `TLS10`, `TLS11`, `TLS12`, `TLS13`. + enum: + - TLSAuto + - TLS10 + - TLS11 + - TLS12 + - TLS13 + type: string + min: + default: TLSAuto + description: Min defines minimum supported version. + One of `TLSAuto`, `TLS10`, `TLS11`, `TLS12`, `TLS13`. + enum: + - TLSAuto + - TLS10 + - TLS11 + - TLS12 + - TLS13 + type: string + type: object + type: object + targetRef: + description: |- + TargetRef is a reference to the resource that represents a group of + clients. + properties: + kind: + description: Kind of the referenced resource + enum: + - Mesh + - MeshSubset + - MeshGateway + - MeshService + - MeshExternalService + - MeshMultiZoneService + - MeshServiceSubset + - MeshHTTPRoute + type: string + labels: + additionalProperties: + type: string + description: |- + Labels are used to select group of MeshServices that match labels. Either Labels or + Name and Namespace can be used. + type: object + mesh: + description: Mesh is reserved for future use to identify + cross mesh resources. + type: string + name: + description: |- + Name of the referenced resource. Can only be used with kinds: `MeshService`, + `MeshServiceSubset` and `MeshGatewayRoute` + type: string + namespace: + description: |- + Namespace specifies the namespace of target resource. If empty only resources in policy namespace + will be targeted. + type: string + proxyTypes: + description: |- + ProxyTypes specifies the data plane types that are subject to the policy. When not specified, + all data plane types are targeted by the policy. + items: + enum: + - Sidecar + - Gateway + type: string + minItems: 1 + type: array + sectionName: + description: |- + SectionName is used to target specific section of resource. + For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected. + type: string + tags: + additionalProperties: + type: string + description: |- + Tags used to select a subset of proxies by tags. Can only be used with kinds + `MeshSubset` and `MeshServiceSubset` + type: object + type: object + required: + - targetRef + type: object + type: array + targetRef: + description: |- + TargetRef is a reference to the resource the policy takes an effect on. + The resource could be either a real store object or virtual resource + defined in-place. + properties: + kind: + description: Kind of the referenced resource + enum: + - Mesh + - MeshSubset + - MeshGateway + - MeshService + - MeshExternalService + - MeshMultiZoneService + - MeshServiceSubset + - MeshHTTPRoute + type: string + labels: + additionalProperties: + type: string + description: |- + Labels are used to select group of MeshServices that match labels. Either Labels or + Name and Namespace can be used. + type: object + mesh: + description: Mesh is reserved for future use to identify cross + mesh resources. + type: string + name: + description: |- + Name of the referenced resource. Can only be used with kinds: `MeshService`, + `MeshServiceSubset` and `MeshGatewayRoute` + type: string + namespace: + description: |- + Namespace specifies the namespace of target resource. If empty only resources in policy namespace + will be targeted. + type: string + proxyTypes: + description: |- + ProxyTypes specifies the data plane types that are subject to the policy. When not specified, + all data plane types are targeted by the policy. + items: + enum: + - Sidecar + - Gateway + type: string + minItems: 1 + type: array + sectionName: + description: |- + SectionName is used to target specific section of resource. + For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected. + type: string + tags: + additionalProperties: + type: string + description: |- + Tags used to select a subset of proxies by tags. Can only be used with kinds + `MeshSubset` and `MeshServiceSubset` + type: object + type: object + type: object + type: object + served: true + storage: true + subresources: {} diff --git a/charts/kuma/kuma/2.9.1/crds/kuma.io_meshtraces.yaml b/charts/kuma/kuma/2.9.1/crds/kuma.io_meshtraces.yaml new file mode 100644 index 000000000..b16244ce6 --- /dev/null +++ b/charts/kuma/kuma/2.9.1/crds/kuma.io_meshtraces.yaml @@ -0,0 +1,283 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.3 + name: meshtraces.kuma.io +spec: + group: kuma.io + names: + categories: + - kuma + kind: MeshTrace + listKind: MeshTraceList + plural: meshtraces + singular: meshtrace + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.targetRef.kind + name: TargetRef Kind + type: string + - jsonPath: .spec.targetRef.name + name: TargetRef Name + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec is the specification of the Kuma MeshTrace resource. + properties: + default: + description: MeshTrace configuration. + properties: + backends: + description: |- + A one element array of backend definition. + Envoy allows configuring only 1 backend, so the natural way of + representing that would be just one object. Unfortunately due to the + reasons explained in MADR 009-tracing-policy this has to be a one element + array for now. + items: + description: Only one of zipkin, datadog or openTelemetry can + be used. + properties: + datadog: + description: Datadog backend configuration. + properties: + splitService: + default: false + description: |- + Determines if datadog service name should be split based on traffic + direction and destination. For example, with `splitService: true` and a + `backend` service that communicates with a couple of databases, you would + get service names like `backend_INBOUND`, `backend_OUTBOUND_db1`, and + `backend_OUTBOUND_db2` in Datadog. + type: boolean + url: + description: |- + Address of Datadog collector, only host and port are allowed (no paths, + fragments etc.) + type: string + required: + - url + type: object + openTelemetry: + description: OpenTelemetry backend configuration. + properties: + endpoint: + description: Address of OpenTelemetry collector. + example: otel-collector:4317 + minLength: 1 + type: string + required: + - endpoint + type: object + type: + enum: + - Zipkin + - Datadog + - OpenTelemetry + type: string + zipkin: + description: Zipkin backend configuration. + properties: + apiVersion: + default: httpJson + description: |- + Version of the API. + https://github.com/envoyproxy/envoy/blob/v1.22.0/api/envoy/config/trace/v3/zipkin.proto#L66 + enum: + - httpJson + - httpProto + type: string + sharedSpanContext: + default: true + description: |- + Determines whether client and server spans will share the same span + context. + https://github.com/envoyproxy/envoy/blob/v1.22.0/api/envoy/config/trace/v3/zipkin.proto#L63 + type: boolean + traceId128bit: + default: false + description: Generate 128bit traces. + type: boolean + url: + description: Address of Zipkin collector. + type: string + required: + - url + type: object + required: + - type + type: object + maxItems: 1 + type: array + sampling: + description: |- + Sampling configuration. + Sampling is the process by which a decision is made on whether to + process/export a span or not. + properties: + client: + anyOf: + - type: integer + - type: string + default: 100 + description: |- + Target percentage of requests that will be force traced if the + 'x-client-trace-id' header is set. Mirror of client_sampling in Envoy + https://github.com/envoyproxy/envoy/blob/v1.22.0/api/envoy/config/filter/network/http_connection_manager/v2/http_connection_manager.proto#L127-L133 + Either int or decimal represented as string. + x-kubernetes-int-or-string: true + overall: + anyOf: + - type: integer + - type: string + default: 100 + description: |- + Target percentage of requests will be traced + after all other sampling checks have been applied (client, force tracing, + random sampling). This field functions as an upper limit on the total + configured sampling rate. For instance, setting client to 100 + but overall to 1 will result in only 1% of client requests with + the appropriate headers to be force traced. Mirror of + overall_sampling in Envoy + https://github.com/envoyproxy/envoy/blob/v1.22.0/api/envoy/config/filter/network/http_connection_manager/v2/http_connection_manager.proto#L142-L150 + Either int or decimal represented as string. + x-kubernetes-int-or-string: true + random: + anyOf: + - type: integer + - type: string + default: 100 + description: |- + Target percentage of requests that will be randomly selected for trace + generation, if not requested by the client or not forced. + Mirror of random_sampling in Envoy + https://github.com/envoyproxy/envoy/blob/v1.22.0/api/envoy/config/filter/network/http_connection_manager/v2/http_connection_manager.proto#L135-L140 + Either int or decimal represented as string. + x-kubernetes-int-or-string: true + type: object + tags: + description: |- + Custom tags configuration. You can add custom tags to traces based on + headers or literal values. + items: + description: |- + Custom tags configuration. + Only one of literal or header can be used. + properties: + header: + description: Tag taken from a header. + properties: + default: + description: |- + Default value to use if header is missing. + If the default is missing and there is no value the tag will not be + included. + type: string + name: + description: Name of the header. + type: string + required: + - name + type: object + literal: + description: Tag taken from literal value. + type: string + name: + description: Name of the tag. + type: string + required: + - name + type: object + type: array + type: object + targetRef: + description: |- + TargetRef is a reference to the resource the policy takes an effect on. + The resource could be either a real store object or virtual resource + defined inplace. + properties: + kind: + description: Kind of the referenced resource + enum: + - Mesh + - MeshSubset + - MeshGateway + - MeshService + - MeshExternalService + - MeshMultiZoneService + - MeshServiceSubset + - MeshHTTPRoute + type: string + labels: + additionalProperties: + type: string + description: |- + Labels are used to select group of MeshServices that match labels. Either Labels or + Name and Namespace can be used. + type: object + mesh: + description: Mesh is reserved for future use to identify cross + mesh resources. + type: string + name: + description: |- + Name of the referenced resource. Can only be used with kinds: `MeshService`, + `MeshServiceSubset` and `MeshGatewayRoute` + type: string + namespace: + description: |- + Namespace specifies the namespace of target resource. If empty only resources in policy namespace + will be targeted. + type: string + proxyTypes: + description: |- + ProxyTypes specifies the data plane types that are subject to the policy. When not specified, + all data plane types are targeted by the policy. + items: + enum: + - Sidecar + - Gateway + type: string + minItems: 1 + type: array + sectionName: + description: |- + SectionName is used to target specific section of resource. + For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected. + type: string + tags: + additionalProperties: + type: string + description: |- + Tags used to select a subset of proxies by tags. Can only be used with kinds + `MeshSubset` and `MeshServiceSubset` + type: object + type: object + type: object + type: object + served: true + storage: true + subresources: {} diff --git a/charts/kuma/kuma/2.9.1/crds/kuma.io_meshtrafficpermissions.yaml b/charts/kuma/kuma/2.9.1/crds/kuma.io_meshtrafficpermissions.yaml new file mode 100644 index 000000000..3e38acc06 --- /dev/null +++ b/charts/kuma/kuma/2.9.1/crds/kuma.io_meshtrafficpermissions.yaml @@ -0,0 +1,203 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.3 + name: meshtrafficpermissions.kuma.io +spec: + group: kuma.io + names: + categories: + - kuma + kind: MeshTrafficPermission + listKind: MeshTrafficPermissionList + plural: meshtrafficpermissions + singular: meshtrafficpermission + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.targetRef.kind + name: TargetRef Kind + type: string + - jsonPath: .spec.targetRef.name + name: TargetRef Name + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec is the specification of the Kuma MeshTrafficPermission + resource. + properties: + from: + description: From list makes a match between clients and corresponding + configurations + items: + properties: + default: + description: |- + Default is a configuration specific to the group of clients referenced in + 'targetRef' + properties: + action: + description: 'Action defines a behavior for the specified + group of clients:' + enum: + - Allow + - Deny + - AllowWithShadowDeny + type: string + type: object + targetRef: + description: |- + TargetRef is a reference to the resource that represents a group of + clients. + properties: + kind: + description: Kind of the referenced resource + enum: + - Mesh + - MeshSubset + - MeshGateway + - MeshService + - MeshExternalService + - MeshMultiZoneService + - MeshServiceSubset + - MeshHTTPRoute + type: string + labels: + additionalProperties: + type: string + description: |- + Labels are used to select group of MeshServices that match labels. Either Labels or + Name and Namespace can be used. + type: object + mesh: + description: Mesh is reserved for future use to identify + cross mesh resources. + type: string + name: + description: |- + Name of the referenced resource. Can only be used with kinds: `MeshService`, + `MeshServiceSubset` and `MeshGatewayRoute` + type: string + namespace: + description: |- + Namespace specifies the namespace of target resource. If empty only resources in policy namespace + will be targeted. + type: string + proxyTypes: + description: |- + ProxyTypes specifies the data plane types that are subject to the policy. When not specified, + all data plane types are targeted by the policy. + items: + enum: + - Sidecar + - Gateway + type: string + minItems: 1 + type: array + sectionName: + description: |- + SectionName is used to target specific section of resource. + For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected. + type: string + tags: + additionalProperties: + type: string + description: |- + Tags used to select a subset of proxies by tags. Can only be used with kinds + `MeshSubset` and `MeshServiceSubset` + type: object + type: object + required: + - targetRef + type: object + type: array + targetRef: + description: |- + TargetRef is a reference to the resource the policy takes an effect on. + The resource could be either a real store object or virtual resource + defined inplace. + properties: + kind: + description: Kind of the referenced resource + enum: + - Mesh + - MeshSubset + - MeshGateway + - MeshService + - MeshExternalService + - MeshMultiZoneService + - MeshServiceSubset + - MeshHTTPRoute + type: string + labels: + additionalProperties: + type: string + description: |- + Labels are used to select group of MeshServices that match labels. Either Labels or + Name and Namespace can be used. + type: object + mesh: + description: Mesh is reserved for future use to identify cross + mesh resources. + type: string + name: + description: |- + Name of the referenced resource. Can only be used with kinds: `MeshService`, + `MeshServiceSubset` and `MeshGatewayRoute` + type: string + namespace: + description: |- + Namespace specifies the namespace of target resource. If empty only resources in policy namespace + will be targeted. + type: string + proxyTypes: + description: |- + ProxyTypes specifies the data plane types that are subject to the policy. When not specified, + all data plane types are targeted by the policy. + items: + enum: + - Sidecar + - Gateway + type: string + minItems: 1 + type: array + sectionName: + description: |- + SectionName is used to target specific section of resource. + For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected. + type: string + tags: + additionalProperties: + type: string + description: |- + Tags used to select a subset of proxies by tags. Can only be used with kinds + `MeshSubset` and `MeshServiceSubset` + type: object + type: object + type: object + type: object + served: true + storage: true + subresources: {} diff --git a/charts/kuma/kuma/2.9.1/crds/kuma.io_proxytemplates.yaml b/charts/kuma/kuma/2.9.1/crds/kuma.io_proxytemplates.yaml new file mode 100644 index 000000000..78b1d55e4 --- /dev/null +++ b/charts/kuma/kuma/2.9.1/crds/kuma.io_proxytemplates.yaml @@ -0,0 +1,50 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.3 + name: proxytemplates.kuma.io +spec: + group: kuma.io + names: + categories: + - kuma + kind: ProxyTemplate + listKind: ProxyTemplateList + plural: proxytemplates + singular: proxytemplate + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + mesh: + description: |- + Mesh is the name of the Kuma mesh this resource belongs to. + It may be omitted for cluster-scoped resources. + type: string + metadata: + type: object + spec: + description: Spec is the specification of the Kuma ProxyTemplate resource. + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true diff --git a/charts/kuma/kuma/2.9.1/crds/kuma.io_ratelimits.yaml b/charts/kuma/kuma/2.9.1/crds/kuma.io_ratelimits.yaml new file mode 100644 index 000000000..85f1876eb --- /dev/null +++ b/charts/kuma/kuma/2.9.1/crds/kuma.io_ratelimits.yaml @@ -0,0 +1,50 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.3 + name: ratelimits.kuma.io +spec: + group: kuma.io + names: + categories: + - kuma + kind: RateLimit + listKind: RateLimitList + plural: ratelimits + singular: ratelimit + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + mesh: + description: |- + Mesh is the name of the Kuma mesh this resource belongs to. + It may be omitted for cluster-scoped resources. + type: string + metadata: + type: object + spec: + description: Spec is the specification of the Kuma RateLimit resource. + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true diff --git a/charts/kuma/kuma/2.9.1/crds/kuma.io_retries.yaml b/charts/kuma/kuma/2.9.1/crds/kuma.io_retries.yaml new file mode 100644 index 000000000..10a4843e1 --- /dev/null +++ b/charts/kuma/kuma/2.9.1/crds/kuma.io_retries.yaml @@ -0,0 +1,50 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.3 + name: retries.kuma.io +spec: + group: kuma.io + names: + categories: + - kuma + kind: Retry + listKind: RetryList + plural: retries + singular: retry + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + mesh: + description: |- + Mesh is the name of the Kuma mesh this resource belongs to. + It may be omitted for cluster-scoped resources. + type: string + metadata: + type: object + spec: + description: Spec is the specification of the Kuma Retry resource. + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true diff --git a/charts/kuma/kuma/2.9.1/crds/kuma.io_serviceinsights.yaml b/charts/kuma/kuma/2.9.1/crds/kuma.io_serviceinsights.yaml new file mode 100644 index 000000000..827ea521d --- /dev/null +++ b/charts/kuma/kuma/2.9.1/crds/kuma.io_serviceinsights.yaml @@ -0,0 +1,50 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.3 + name: serviceinsights.kuma.io +spec: + group: kuma.io + names: + categories: + - kuma + kind: ServiceInsight + listKind: ServiceInsightList + plural: serviceinsights + singular: serviceinsight + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + mesh: + description: |- + Mesh is the name of the Kuma mesh this resource belongs to. + It may be omitted for cluster-scoped resources. + type: string + metadata: + type: object + spec: + description: Spec is the specification of the Kuma ServiceInsight resource. + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true diff --git a/charts/kuma/kuma/2.9.1/crds/kuma.io_timeouts.yaml b/charts/kuma/kuma/2.9.1/crds/kuma.io_timeouts.yaml new file mode 100644 index 000000000..ba78d88c5 --- /dev/null +++ b/charts/kuma/kuma/2.9.1/crds/kuma.io_timeouts.yaml @@ -0,0 +1,50 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.3 + name: timeouts.kuma.io +spec: + group: kuma.io + names: + categories: + - kuma + kind: Timeout + listKind: TimeoutList + plural: timeouts + singular: timeout + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + mesh: + description: |- + Mesh is the name of the Kuma mesh this resource belongs to. + It may be omitted for cluster-scoped resources. + type: string + metadata: + type: object + spec: + description: Spec is the specification of the Kuma Timeout resource. + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true diff --git a/charts/kuma/kuma/2.9.1/crds/kuma.io_trafficlogs.yaml b/charts/kuma/kuma/2.9.1/crds/kuma.io_trafficlogs.yaml new file mode 100644 index 000000000..ece8562e5 --- /dev/null +++ b/charts/kuma/kuma/2.9.1/crds/kuma.io_trafficlogs.yaml @@ -0,0 +1,50 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.3 + name: trafficlogs.kuma.io +spec: + group: kuma.io + names: + categories: + - kuma + kind: TrafficLog + listKind: TrafficLogList + plural: trafficlogs + singular: trafficlog + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + mesh: + description: |- + Mesh is the name of the Kuma mesh this resource belongs to. + It may be omitted for cluster-scoped resources. + type: string + metadata: + type: object + spec: + description: Spec is the specification of the Kuma TrafficLog resource. + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true diff --git a/charts/kuma/kuma/2.9.1/crds/kuma.io_trafficpermissions.yaml b/charts/kuma/kuma/2.9.1/crds/kuma.io_trafficpermissions.yaml new file mode 100644 index 000000000..9c79605af --- /dev/null +++ b/charts/kuma/kuma/2.9.1/crds/kuma.io_trafficpermissions.yaml @@ -0,0 +1,50 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.3 + name: trafficpermissions.kuma.io +spec: + group: kuma.io + names: + categories: + - kuma + kind: TrafficPermission + listKind: TrafficPermissionList + plural: trafficpermissions + singular: trafficpermission + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + mesh: + description: |- + Mesh is the name of the Kuma mesh this resource belongs to. + It may be omitted for cluster-scoped resources. + type: string + metadata: + type: object + spec: + description: Spec is the specification of the Kuma TrafficPermission resource. + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true diff --git a/charts/kuma/kuma/2.9.1/crds/kuma.io_trafficroutes.yaml b/charts/kuma/kuma/2.9.1/crds/kuma.io_trafficroutes.yaml new file mode 100644 index 000000000..5bdd3ac85 --- /dev/null +++ b/charts/kuma/kuma/2.9.1/crds/kuma.io_trafficroutes.yaml @@ -0,0 +1,50 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.3 + name: trafficroutes.kuma.io +spec: + group: kuma.io + names: + categories: + - kuma + kind: TrafficRoute + listKind: TrafficRouteList + plural: trafficroutes + singular: trafficroute + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + mesh: + description: |- + Mesh is the name of the Kuma mesh this resource belongs to. + It may be omitted for cluster-scoped resources. + type: string + metadata: + type: object + spec: + description: Spec is the specification of the Kuma TrafficRoute resource. + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true diff --git a/charts/kuma/kuma/2.9.1/crds/kuma.io_traffictraces.yaml b/charts/kuma/kuma/2.9.1/crds/kuma.io_traffictraces.yaml new file mode 100644 index 000000000..c224ea526 --- /dev/null +++ b/charts/kuma/kuma/2.9.1/crds/kuma.io_traffictraces.yaml @@ -0,0 +1,50 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.3 + name: traffictraces.kuma.io +spec: + group: kuma.io + names: + categories: + - kuma + kind: TrafficTrace + listKind: TrafficTraceList + plural: traffictraces + singular: traffictrace + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + mesh: + description: |- + Mesh is the name of the Kuma mesh this resource belongs to. + It may be omitted for cluster-scoped resources. + type: string + metadata: + type: object + spec: + description: Spec is the specification of the Kuma TrafficTrace resource. + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true diff --git a/charts/kuma/kuma/2.9.1/crds/kuma.io_virtualoutbounds.yaml b/charts/kuma/kuma/2.9.1/crds/kuma.io_virtualoutbounds.yaml new file mode 100644 index 000000000..c4372dd0b --- /dev/null +++ b/charts/kuma/kuma/2.9.1/crds/kuma.io_virtualoutbounds.yaml @@ -0,0 +1,50 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.3 + name: virtualoutbounds.kuma.io +spec: + group: kuma.io + names: + categories: + - kuma + kind: VirtualOutbound + listKind: VirtualOutboundList + plural: virtualoutbounds + singular: virtualoutbound + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + mesh: + description: |- + Mesh is the name of the Kuma mesh this resource belongs to. + It may be omitted for cluster-scoped resources. + type: string + metadata: + type: object + spec: + description: Spec is the specification of the Kuma VirtualOutbound resource. + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true diff --git a/charts/kuma/kuma/2.9.1/crds/kuma.io_zoneegresses.yaml b/charts/kuma/kuma/2.9.1/crds/kuma.io_zoneegresses.yaml new file mode 100644 index 000000000..143aaafdb --- /dev/null +++ b/charts/kuma/kuma/2.9.1/crds/kuma.io_zoneegresses.yaml @@ -0,0 +1,56 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.3 + name: zoneegresses.kuma.io +spec: + group: kuma.io + names: + categories: + - kuma + kind: ZoneEgress + listKind: ZoneEgressList + plural: zoneegresses + singular: zoneegress + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Zone name + jsonPath: .spec.zone + name: zone + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + mesh: + description: |- + Mesh is the name of the Kuma mesh this resource belongs to. + It may be omitted for cluster-scoped resources. + type: string + metadata: + type: object + spec: + description: Spec is the specification of the Kuma ZoneEgress resource. + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: {} diff --git a/charts/kuma/kuma/2.9.1/crds/kuma.io_zoneegressinsights.yaml b/charts/kuma/kuma/2.9.1/crds/kuma.io_zoneegressinsights.yaml new file mode 100644 index 000000000..05746b39a --- /dev/null +++ b/charts/kuma/kuma/2.9.1/crds/kuma.io_zoneegressinsights.yaml @@ -0,0 +1,50 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.3 + name: zoneegressinsights.kuma.io +spec: + group: kuma.io + names: + categories: + - kuma + kind: ZoneEgressInsight + listKind: ZoneEgressInsightList + plural: zoneegressinsights + singular: zoneegressinsight + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + mesh: + description: |- + Mesh is the name of the Kuma mesh this resource belongs to. + It may be omitted for cluster-scoped resources. + type: string + metadata: + type: object + spec: + description: Spec is the specification of the Kuma ZoneEgressInsight resource. + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true diff --git a/charts/kuma/kuma/2.9.1/crds/kuma.io_zoneingresses.yaml b/charts/kuma/kuma/2.9.1/crds/kuma.io_zoneingresses.yaml new file mode 100644 index 000000000..d02c5b35b --- /dev/null +++ b/charts/kuma/kuma/2.9.1/crds/kuma.io_zoneingresses.yaml @@ -0,0 +1,56 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.3 + name: zoneingresses.kuma.io +spec: + group: kuma.io + names: + categories: + - kuma + kind: ZoneIngress + listKind: ZoneIngressList + plural: zoneingresses + singular: zoneingress + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Zone name + jsonPath: .spec.zone + name: zone + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + mesh: + description: |- + Mesh is the name of the Kuma mesh this resource belongs to. + It may be omitted for cluster-scoped resources. + type: string + metadata: + type: object + spec: + description: Spec is the specification of the Kuma ZoneIngress resource. + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: {} diff --git a/charts/kuma/kuma/2.9.1/crds/kuma.io_zoneingressinsights.yaml b/charts/kuma/kuma/2.9.1/crds/kuma.io_zoneingressinsights.yaml new file mode 100644 index 000000000..ded86e6c2 --- /dev/null +++ b/charts/kuma/kuma/2.9.1/crds/kuma.io_zoneingressinsights.yaml @@ -0,0 +1,51 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.3 + name: zoneingressinsights.kuma.io +spec: + group: kuma.io + names: + categories: + - kuma + kind: ZoneIngressInsight + listKind: ZoneIngressInsightList + plural: zoneingressinsights + singular: zoneingressinsight + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + mesh: + description: |- + Mesh is the name of the Kuma mesh this resource belongs to. + It may be omitted for cluster-scoped resources. + type: string + metadata: + type: object + spec: + description: Spec is the specification of the Kuma ZoneIngressInsight + resource. + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true diff --git a/charts/kuma/kuma/2.9.1/crds/kuma.io_zoneinsights.yaml b/charts/kuma/kuma/2.9.1/crds/kuma.io_zoneinsights.yaml new file mode 100644 index 000000000..aad82d4be --- /dev/null +++ b/charts/kuma/kuma/2.9.1/crds/kuma.io_zoneinsights.yaml @@ -0,0 +1,50 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.3 + name: zoneinsights.kuma.io +spec: + group: kuma.io + names: + categories: + - kuma + kind: ZoneInsight + listKind: ZoneInsightList + plural: zoneinsights + singular: zoneinsight + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + mesh: + description: |- + Mesh is the name of the Kuma mesh this resource belongs to. + It may be omitted for cluster-scoped resources. + type: string + metadata: + type: object + spec: + description: Spec is the specification of the Kuma ZoneInsight resource. + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true diff --git a/charts/kuma/kuma/2.9.1/crds/kuma.io_zones.yaml b/charts/kuma/kuma/2.9.1/crds/kuma.io_zones.yaml new file mode 100644 index 000000000..12022fce9 --- /dev/null +++ b/charts/kuma/kuma/2.9.1/crds/kuma.io_zones.yaml @@ -0,0 +1,50 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.3 + name: zones.kuma.io +spec: + group: kuma.io + names: + categories: + - kuma + kind: Zone + listKind: ZoneList + plural: zones + singular: zone + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + mesh: + description: |- + Mesh is the name of the Kuma mesh this resource belongs to. + It may be omitted for cluster-scoped resources. + type: string + metadata: + type: object + spec: + description: Spec is the specification of the Kuma Zone resource. + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true diff --git a/charts/kuma/kuma/2.9.1/templates/NOTES.txt b/charts/kuma/kuma/2.9.1/templates/NOTES.txt new file mode 100644 index 000000000..228ac26e7 --- /dev/null +++ b/charts/kuma/kuma/2.9.1/templates/NOTES.txt @@ -0,0 +1,42 @@ +{{ .Chart.Name }} has been installed! + +Your release is named '{{ .Release.Name }}'. + +You can access the control-plane via either the GUI, kubectl, the HTTP API, or the kumactl CLI. +{{- if .Values.noHelmHooks }} + +------------------------------------------------------------------------------- + + WARNING + + When the "noHelmHooks" value is provided, you will need to manually delete + the "ValidatingWebhookConfiguration" responsible for validating {{ include "kuma.name" . }} resources + before you can uninstall Helm release. This is because the validation provided + by the webhook is not necessary during the release removal and might potentially + even prevent you from doing it. You can do this by running the following command: + + kubectl delete ValidatingWebhookConfiguration {{ include "kuma.name" . }}-validating-webhook-configuration + + WARNING + + When the "noHelmHooks" value is set, Helm will not automatically update + the CustomResourceDefinitions (CRDs) when upgrading release. You must manually + update the CRDs if the new {{ include "kuma.name" . }} version has changes + to the CRDs. You can achieve this by calling the following command: + + kumactl install crds --no-config | kubectl apply -f + +{{- if and .Values.experimental.ebpf.enabled (not .Values.cni.enabled) }} + + WARNING + + When the "noHelmHooks" value is set, Helm will not automatically uninstall + the eBPF resources. You will need to manually uninstall these resources after + uninstalling Helm release. To do this, run the following command: + + kumactl uninstall ebpf --cleanup-image-registry {{ .Values.global.image.registry }} --cleanup-image-repository {{ .Values.dataPlane.initImage.repository }} + +{{- end }} + +------------------------------------------------------------------------------- +{{- end }} diff --git a/charts/kuma/kuma/2.9.1/templates/_helpers.tpl b/charts/kuma/kuma/2.9.1/templates/_helpers.tpl new file mode 100644 index 000000000..a33fa04dc --- /dev/null +++ b/charts/kuma/kuma/2.9.1/templates/_helpers.tpl @@ -0,0 +1,432 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "kuma.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +This is the Kuma version the chart is intended to be used with. +*/}} +{{- define "kuma.appVersion" -}} +{{- .Chart.AppVersion -}} +{{- end }} + +{{/* +This is only used in the `kuma.formatImage` function below. +*/}} +{{- define "kuma.defaultRegistry" -}} +docker.io/kumahq +{{- end }} + +{{- define "kuma.product" -}} +Kuma +{{- end }} + +{{- define "kuma.tagPrefix" -}} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "kuma.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "kuma.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{- define "kuma.controlPlane.serviceName" -}} +{{- $defaultSvcName := printf "%s-control-plane" (include "kuma.name" .) -}} +{{ printf "%s" (default $defaultSvcName .Values.controlPlane.service.name) }} +{{- end }} + +{{- define "kuma.controlPlane.globalZoneSync.serviceName" -}} +{{- $defaultSvcName := printf "%s-global-zone-sync" (include "kuma.name" .) -}} +{{ printf "%s" (default $defaultSvcName .Values.controlPlane.globalZoneSyncService.name) }} +{{- end }} + +{{- define "kuma.ingress.serviceName" -}} +{{- $defaultSvcName := printf "%s-ingress" (include "kuma.name" .) -}} +{{ printf "%s" (default $defaultSvcName .Values.ingress.service.name) }} +{{- end }} + +{{- define "kuma.egress.serviceName" -}} +{{- $defaultSvcName := printf "%s-egress" (include "kuma.name" .) -}} +{{ printf "%s" (default $defaultSvcName .Values.egress.service.name) }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "kuma.labels" -}} +helm.sh/chart: {{ include "kuma.chart" . }} +{{ include "kuma.selectorLabels" . }} +{{- if (include "kuma.appVersion" .) }} +app.kubernetes.io/version: {{ (include "kuma.appVersion" .) | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "kuma.selectorLabels" -}} +app.kubernetes.io/name: {{ include "kuma.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +CNI labels +*/}} +{{- define "kuma.cniLabels" -}} +app: {{ include "kuma.name" . }}-cni +{{ include "kuma.labels" . }} +{{- end }} + +{{/* +control plane labels +*/}} +{{- define "kuma.cpLabels" -}} +app: {{ include "kuma.name" . }}-control-plane +{{- range $key, $value := $.Values.controlPlane.extraLabels }} +{{ $key | quote }}: {{ $value | quote }} +{{- end }} +{{ include "kuma.labels" . }} +{{- end }} + +{{/* +control plane deployment annotations +*/}} +{{- define "kuma.cpDeploymentAnnotations" -}} +{{- range $key, $value := $.Values.controlPlane.deploymentAnnotations }} +{{ $key | quote }}: {{ $value | quote }} +{{- end }} +{{- end }} + +{{/* +ingress labels +*/}} +{{- define "kuma.ingressLabels" -}} +app: {{ include "kuma.name" . }}-ingress +{{- range $key, $value := .Values.ingress.extraLabels }} +{{ $key | quote }}: {{ $value | quote }} +{{- end }} +{{ include "kuma.labels" . }} +{{- end }} + +{{/* +egress labels +*/}} +{{- define "kuma.egressLabels" -}} +app: {{ include "kuma.name" . }}-egress +{{ range $key, $value := .Values.egress.extraLabels }} +{{ $key | quote }}: {{ $value | quote }} +{{ end }} +{{- include "kuma.labels" . }} +{{- end }} + +{{/* +CNI selector labels +*/}} +{{- define "kuma.cniSelectorLabels" -}} +app: {{ include "kuma.name" . }}-cni +{{ include "kuma.selectorLabels" . }} +{{- end }} + +{{/* +params: { dns: { policy?, config: {nameservers?, searches?}} } +returns: formatted dnsConfig +*/}} +{{- define "kuma.dnsConfig" -}} +{{- $dns := .dns }} +{{- if $dns.policy }} +dnsPolicy: {{ $dns.policy }} +{{- end }} +{{- if or (gt (len $dns.config.nameservers) 0) (gt (len $dns.config.searches) 0) }} +dnsConfig: + {{- if gt (len $dns.config.nameservers) 0 }} + nameservers: + {{- range $nameserver := $dns.config.nameservers }} + - {{ $nameserver }} + {{- end }} + {{- end }} + {{- if gt (len $dns.config.searches) 0 }} + searches: + {{- range $search := $dns.config.searches }} + - {{ $search }} + {{- end }} + {{- end }} +{{- end }} +{{- end -}} + +{{/* +params: { image: { registry?, repository, tag? }, root: $ } +returns: formatted image string +*/}} +{{- define "kuma.formatImage" -}} +{{- $img := .image }} +{{- $root := .root }} +{{- $registry := ($img.registry | default $root.Values.global.image.registry) -}} +{{- $repo := ($img.repository | required "Must specify image repository") -}} +{{- $product := (include "kuma.product" .) }} +{{- $tagPrefix := (include "kuma.tagPrefix" .) }} +{{- $expectedVersion := (include "kuma.appVersion" $root) }} +{{- if + and + $root.Values.global.image.tag + (ne $root.Values.global.image.tag (include "kuma.appVersion" $root)) + (eq $root.Values.global.image.registry (include "kuma.defaultRegistry" .)) +-}} +{{- fail ( + printf "This chart only supports %s version %q but %sglobal.image.tag is set to %q. Set %sglobal.image.tag to %q or skip this check by setting %s*.image.tag for each individual component." + $product $expectedVersion $tagPrefix $root.Values.global.image.tag $tagPrefix $expectedVersion $tagPrefix +) -}} +{{- end -}} +{{- $defaultTag := ($root.Values.global.image.tag | default (include "kuma.appVersion" $root)) -}} +{{- $tag := ($img.tag | default $defaultTag) -}} +{{- printf "%s/%s:%s" $registry $repo $tag -}} +{{- end -}} + +{{- define "kuma.parentEnv" -}} +{{- end -}} + +{{- define "kuma.parentSecrets" -}} +{{- end -}} + +{{- define "kuma.pluginPoliciesEnabled" -}} +{{- $list := list -}} +{{- range $k, $v := .Values.plugins.policies -}} +{{- if $v -}} +{{- $list = append $list (printf "%s" $k) -}} +{{- end -}} +{{- end -}} +{{ join "," $list }} +{{- end -}} + +{{- define "kuma.transparentProxyConfigMapName" -}} +{{- if .Values.transparentProxy.configMap.name }} +{{- .Values.transparentProxy.configMap.name | trunc 253 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-transparent-proxy-config" .Chart.Name }} +{{- end }} +{{- end }} + +{{- define "kuma.defaultEnv" -}} +env: +{{ include "kuma.parentEnv" . }} +- name: KUMA_ENVIRONMENT + value: "kubernetes" +- name: KUMA_STORE_TYPE + value: "kubernetes" +- name: KUMA_STORE_KUBERNETES_SYSTEM_NAMESPACE + value: {{ .Release.Namespace | quote }} +- name: KUMA_RUNTIME_KUBERNETES_CONTROL_PLANE_SERVICE_NAME + value: {{ include "kuma.controlPlane.serviceName" . }} +- name: KUMA_GENERAL_TLS_CERT_FILE + value: /var/run/secrets/kuma.io/tls-cert/tls.crt +- name: KUMA_GENERAL_TLS_KEY_FILE + value: /var/run/secrets/kuma.io/tls-cert/tls.key +{{- if eq .Values.controlPlane.mode "zone" }} +- name: KUMA_MULTIZONE_ZONE_GLOBAL_ADDRESS + value: {{ .Values.controlPlane.kdsGlobalAddress }} +{{- end }} +- name: KUMA_DP_SERVER_HDS_ENABLED + value: "false" +- name: KUMA_API_SERVER_READ_ONLY + value: "true" +- name: KUMA_RUNTIME_KUBERNETES_ADMISSION_SERVER_PORT + value: {{ .Values.controlPlane.admissionServerPort | default "5443" | quote }} +- name: KUMA_RUNTIME_KUBERNETES_ADMISSION_SERVER_CERT_DIR + value: /var/run/secrets/kuma.io/tls-cert +- name: KUMA_RUNTIME_KUBERNETES_INJECTOR_CNI_ENABLED + value: {{ .Values.cni.enabled | quote }} +- name: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_IMAGE + value: {{ include "kuma.formatImage" (dict "image" .Values.dataPlane.image "root" $) | quote }} +- name: KUMA_INJECTOR_INIT_CONTAINER_IMAGE + value: {{ include "kuma.formatImage" (dict "image" .Values.dataPlane.initImage "root" $) | quote }} +{{- if .Values.dataPlane.dnsLogging }} +- name: KUMA_RUNTIME_KUBERNETES_INJECTOR_BUILTIN_DNS_LOGGING + value: "true" +{{- end }} +{{- if and .Values.transparentProxy.configMap.enabled .Values.transparentProxy.configMap.config }} +- name: KUMA_RUNTIME_KUBERNETES_INJECTOR_TRANSPARENT_PROXY_CONFIGMAP_NAME + value: {{ include "kuma.transparentProxyConfigMapName" . | quote }} +{{- end }} +- name: KUMA_RUNTIME_KUBERNETES_INJECTOR_CA_CERT_FILE + value: /var/run/secrets/kuma.io/tls-cert/ca.crt +- name: KUMA_DEFAULTS_SKIP_MESH_CREATION + value: {{ .Values.controlPlane.defaults.skipMeshCreation | quote }} +- name: KUMA_MODE + value: {{ .Values.controlPlane.mode | quote }} +{{- if .Values.controlPlane.zone }} +- name: KUMA_MULTIZONE_ZONE_NAME + value: {{ .Values.controlPlane.zone | quote }} +{{- end }} +{{- if .Values.controlPlane.tls.apiServer.secretName }} +- name: KUMA_API_SERVER_HTTPS_TLS_CERT_FILE + value: /var/run/secrets/kuma.io/api-server-tls-cert/tls.crt +- name: KUMA_API_SERVER_HTTPS_TLS_KEY_FILE + value: /var/run/secrets/kuma.io/api-server-tls-cert/tls.key +{{- end }} +{{- if .Values.controlPlane.tls.apiServer.clientCertsSecretName }} +- name: KUMA_API_SERVER_AUTH_CLIENT_CERTS_DIR + value: /var/run/secrets/kuma.io/api-server-client-certs/ +{{- end }} +{{- if and (eq .Values.controlPlane.mode "global") (or .Values.controlPlane.tls.kdsGlobalServer.secretName .Values.controlPlane.tls.kdsGlobalServer.create) }} +- name: KUMA_MULTIZONE_GLOBAL_KDS_TLS_CERT_FILE + value: /var/run/secrets/kuma.io/kds-server-tls-cert/tls.crt +- name: KUMA_MULTIZONE_GLOBAL_KDS_TLS_KEY_FILE + value: /var/run/secrets/kuma.io/kds-server-tls-cert/tls.key +{{- end }} +{{- if and (eq .Values.controlPlane.mode "zone") (or .Values.controlPlane.tls.kdsZoneClient.secretName .Values.controlPlane.tls.kdsZoneClient.create) }} +- name: KUMA_MULTIZONE_ZONE_KDS_ROOT_CA_FILE + value: /var/run/secrets/kuma.io/kds-client-tls-cert/ca.crt +{{- end }} +- name: KUMA_API_SERVER_AUTHN_LOCALHOST_IS_ADMIN + value: "false" +- name: KUMA_RUNTIME_KUBERNETES_ALLOWED_USERS + value: "system:serviceaccount:{{ .Release.Namespace }}:{{ include "kuma.name" . }}-control-plane" +{{- if .Values.experimental.sidecarContainers }} +- name: KUMA_EXPERIMENTAL_SIDECAR_CONTAINERS + value: "true" +{{- end }} +{{- if .Values.cni.enabled }} +- name: KUMA_RUNTIME_KUBERNETES_NODE_TAINT_CONTROLLER_ENABLED + value: "true" +- name: KUMA_RUNTIME_KUBERNETES_NODE_TAINT_CONTROLLER_CNI_APP + value: "{{ include "kuma.name" . }}-cni" +- name: KUMA_RUNTIME_KUBERNETES_NODE_TAINT_CONTROLLER_CNI_NAMESPACE + value: {{ .Values.cni.namespace }} +{{- end }} +{{- if .Values.experimental.ebpf.enabled }} +- name: KUMA_RUNTIME_KUBERNETES_INJECTOR_EBPF_ENABLED + value: "true" +- name: KUMA_RUNTIME_KUBERNETES_INJECTOR_EBPF_INSTANCE_IP_ENV_VAR_NAME + value: {{ .Values.experimental.ebpf.instanceIPEnvVarName }} +- name: KUMA_RUNTIME_KUBERNETES_INJECTOR_EBPF_BPFFS_PATH + value: {{ .Values.experimental.ebpf.bpffsPath }} +- name: KUMA_RUNTIME_KUBERNETES_INJECTOR_EBPF_CGROUP_PATH + value: {{ .Values.experimental.ebpf.cgroupPath }} +- name: KUMA_RUNTIME_KUBERNETES_INJECTOR_EBPF_TC_ATTACH_IFACE + value: {{ .Values.experimental.ebpf.tcAttachIface }} +- name: KUMA_RUNTIME_KUBERNETES_INJECTOR_EBPF_PROGRAMS_SOURCE_PATH + value: {{ .Values.experimental.ebpf.programsSourcePath }} +{{- end }} +{{- if .Values.controlPlane.tls.kdsZoneClient.skipVerify }} +- name: KUMA_MULTIZONE_ZONE_KDS_TLS_SKIP_VERIFY + value: "true" +{{- end }} +- name: KUMA_PLUGIN_POLICIES_ENABLED + value: {{ include "kuma.pluginPoliciesEnabled" . | quote }} +{{- if .Values.controlPlane.supportGatewaySecretsInAllNamespaces }} +- name: KUMA_RUNTIME_KUBERNETES_SUPPORT_GATEWAY_SECRETS_IN_ALL_NAMESPACES + value: true +{{- end }} +{{- end }} + +{{- define "kuma.controlPlane.tls.general.caSecretName" -}} +{{ .Values.controlPlane.tls.general.caSecretName | default .Values.controlPlane.tls.general.secretName | default (printf "%s-tls-cert" (include "kuma.name" .)) | quote }} +{{- end }} + +{{- define "kuma.universal.defaultEnv" -}} +{{ if eq .Values.controlPlane.mode "zone" }} + {{ if .Values.ingress.enabled }} + {{ fail "Can't have ingress.enabled when running controlPlane.mode=='universal'" }} + {{ end }} + {{ if .Values.egress.enabled }} + {{ fail "Can't have egress.enabled when running controlPlane.mode=='universal'" }} + {{ end }} +{{ end }} + +env: +- name: KUMA_PLUGIN_POLICIES_ENABLED + value: {{ include "kuma.pluginPoliciesEnabled" . | quote }} +- name: KUMA_GENERAL_WORK_DIR + value: "/tmp/kuma" +- name: KUMA_ENVIRONMENT + value: "universal" +- name: KUMA_STORE_TYPE + value: "postgres" +- name: KUMA_STORE_POSTGRES_PORT + value: "{{ .Values.postgres.port }}" +- name: KUMA_DEFAULTS_SKIP_MESH_CREATION + value: {{ .Values.controlPlane.defaults.skipMeshCreation | quote }} +{{ if and (eq .Values.controlPlane.mode "zone") .Values.controlPlane.tls.general.secretName }} +- name: KUMA_GENERAL_TLS_CERT_FILE + value: /var/run/secrets/kuma.io/tls-cert/tls.crt +- name: KUMA_GENERAL_TLS_KEY_FILE + value: /var/run/secrets/kuma.io/tls-cert/tls.key +{{ end }} +- name: KUMA_MODE + value: {{ .Values.controlPlane.mode | quote }} +{{- if eq .Values.controlPlane.mode "zone" }} +- name: KUMA_MULTIZONE_ZONE_GLOBAL_ADDRESS + value: {{ .Values.controlPlane.kdsGlobalAddress }} +{{- end }} +{{- if .Values.controlPlane.zone }} +- name: KUMA_MULTIZONE_ZONE_NAME + value: {{ .Values.controlPlane.zone | quote }} +{{- end }} +{{- if and (eq .Values.controlPlane.mode "zone") (or .Values.controlPlane.tls.kdsZoneClient.secretName .Values.controlPlane.tls.kdsZoneClient.create) }} +- name: KUMA_MULTIZONE_ZONE_KDS_ROOT_CA_FILE + value: /var/run/secrets/kuma.io/kds-client-tls-cert/ca.crt +{{- end }} +{{- if .Values.controlPlane.tls.kdsZoneClient.skipVerify }} +- name: KUMA_MULTIZONE_ZONE_KDS_TLS_SKIP_VERIFY + value: "true" +{{- end }} +{{- if .Values.controlPlane.tls.apiServer.secretName }} +- name: KUMA_API_SERVER_HTTPS_TLS_CERT_FILE + value: /var/run/secrets/kuma.io/api-server-tls-cert/tls.crt +- name: KUMA_API_SERVER_HTTPS_TLS_KEY_FILE + value: /var/run/secrets/kuma.io/api-server-tls-cert/tls.key +{{- end }} +{{- if .Values.controlPlane.tls.apiServer.clientCertsSecretName }} +- name: KUMA_API_SERVER_AUTH_CLIENT_CERTS_DIR + value: /var/run/secrets/kuma.io/api-server-client-certs/ +{{- end }} +{{- if .Values.controlPlane.tls.kdsGlobalServer.secretName }} +- name: KUMA_MULTIZONE_GLOBAL_KDS_TLS_CERT_FILE + value: /var/run/secrets/kuma.io/kds-server-tls-cert/tls.crt +- name: KUMA_MULTIZONE_GLOBAL_KDS_TLS_KEY_FILE + value: /var/run/secrets/kuma.io/kds-server-tls-cert/tls.key +{{- end }} +- name: KUMA_STORE_POSTGRES_TLS_MODE + value: {{ .Values.postgres.tls.mode }} +{{- if or (eq .Values.postgres.tls.mode "verifyCa") (eq .Values.postgres.tls.mode "verifyFull") }} +{{- if empty .Values.postgres.tls.caSecretName }} +{{ fail "if mode is 'verifyCa' or 'verifyFull' then you must provide .Values.postgres.tls.caSecretName" }} +{{- end }} +{{- if .Values.postgres.tls.secretName }} +- name: KUMA_STORE_POSTGRES_TLS_CERT_PATH + value: /var/run/secrets/kuma.io/postgres-tls-cert/tls.crt +- name: KUMA_STORE_POSTGRES_TLS_KEY_PATH + value: /var/run/secrets/kuma.io/postgres-tls-cert/tls.key +{{- end }} +{{- if .Values.postgres.tls.caSecretName }} +- name: KUMA_STORE_POSTGRES_TLS_CA_PATH + value: /var/run/secrets/kuma.io/postgres-tls-cert/ca.crt +{{- end }} +{{- if .Values.postgres.tls.disableSSLSNI }} +- name: KUMA_STORE_POSTGRES_TLS_DISABLE_SSLSNI + value: {{ .Values.postgres.tls.disableSSLSNI }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/kuma/kuma/2.9.1/templates/cni-configmap.yaml b/charts/kuma/kuma/2.9.1/templates/cni-configmap.yaml new file mode 100644 index 000000000..8d27de9ef --- /dev/null +++ b/charts/kuma/kuma/2.9.1/templates/cni-configmap.yaml @@ -0,0 +1,22 @@ +{{- if and .Values.cni.enabled (not .Values.experimental.ebpf.enabled) }} +kind: ConfigMap +apiVersion: v1 +metadata: + name: {{ include "kuma.name" . }}-cni-config + namespace: {{ .Values.cni.namespace }} + labels: {{ include "kuma.cniLabels" . | nindent 4 }} +data: + # The CNI network configuration to add to the plugin chain on each node. + cni_network_config: |- + { + "cniVersion": "0.3.1", + "name": "kuma-cni", + "type": "kuma-cni", + "log_level": "{{ .Values.cni.logLevel }}", + "kubernetes": { + "kubeconfig": "__KUBECONFIG_FILEPATH__", + "cni_bin_dir": "{{ .Values.cni.binDir }}", + "exclude_namespaces": [ "kube-system" ] + } + } + {{- end }} diff --git a/charts/kuma/kuma/2.9.1/templates/cni-daemonset.yaml b/charts/kuma/kuma/2.9.1/templates/cni-daemonset.yaml new file mode 100644 index 000000000..b5d8db761 --- /dev/null +++ b/charts/kuma/kuma/2.9.1/templates/cni-daemonset.yaml @@ -0,0 +1,152 @@ +{{- if .Values.cni.enabled }} +kind: DaemonSet +apiVersion: apps/v1 +metadata: + name: {{ include "kuma.name" . }}-cni-node + namespace: {{ .Values.cni.namespace }} + annotations: + ignore-check.kube-linter.io/run-as-non-root: "The container installs a CNI plugin" + labels: {{- include "kuma.cniLabels" . | nindent 4 }} +spec: + selector: + matchLabels: + {{- include "kuma.cniSelectorLabels" . | nindent 6 }} + updateStrategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 1 + template: + metadata: + labels: + {{- include "kuma.cniSelectorLabels" . | nindent 8 }} + annotations: + checksum/config: {{ include (print $.Template.BasePath "/cni-configmap.yaml") . | sha256sum }} + {{- range $key, $value := .Values.cni.podAnnotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} + spec: + # This, along with the CriticalAddonsOnly toleration below, + # marks the pod as a critical add-on, ensuring it gets + # priority scheduling and that its resources are reserved + # if it ever gets evicted. + priorityClassName: system-node-critical + {{- with .Values.cni.nodeSelector }} + nodeSelector: + {{ toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.cni.tolerations }} + tolerations: + {{ toYaml . | nindent 8 }} + {{- end }} + tolerations: + # Make sure kuma-cni-node gets scheduled on all nodes. + - effect: NoSchedule + operator: Exists + # Mark the pod as a critical add-on for rescheduling. + - key: CriticalAddonsOnly + operator: Exists + - effect: NoExecute + operator: Exists + serviceAccountName: {{ include "kuma.name" . }}-cni + # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force + # deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods. + terminationGracePeriodSeconds: 5 + securityContext: + {{- toYaml .Values.cni.podSecurityContext | trim | nindent 8 }} + containers: + - name: install-cni + imagePullPolicy: {{ .Values.cni.image.imagePullPolicy }} + {{- if not .Values.experimental.ebpf.enabled }} + image: {{ include "kuma.formatImage" (dict "image" .Values.cni.image "root" $) | quote }} + readinessProbe: + initialDelaySeconds: {{ .Values.cni.delayStartupSeconds }} + exec: + command: + - cat + - /tmp/ready + command: [ "sh", "-c", "--" ] + args: [ "sleep {{.Values.cni.delayStartupSeconds}} && exec /install-cni" ] + {{- else }} + {{- with .Values.cni.experimental.imageEbpf }} + image: {{ printf "%s/%s:%s" .registry .repository .tag | quote }} + {{- end }} + args: + - /app/mbctl + - --mode=kuma + - --use-reconnect=true + - --cni-mode=true + {{- if eq .Values.cni.logLevel "debug" }} + - --debug=true + {{- end }} + lifecycle: + preStop: + exec: + command: + - make + - --keep-going + - clean + {{- end }} + securityContext: + {{- toYaml .Values.cni.containerSecurityContext | trim | nindent 12 }} + {{- if .Values.experimental.ebpf.enabled }} + privileged: true + {{- end }} + {{- if not .Values.experimental.ebpf.enabled }} + env: + # Name of the CNI config file to create. + - name: CNI_CONF_NAME + value: "{{ .Values.cni.confName }}" + # The CNI network config to install on each node. + - name: CNI_NETWORK_CONFIG + valueFrom: + configMapKeyRef: + name: {{ include "kuma.name" . }}-cni-config + key: cni_network_config + - name: CNI_NET_DIR + value: "{{ .Values.cni.netDir }}" + # If true, deploy as a chained CNI plugin, otherwise deploy as a standalone CNI + - name: CHAINED_CNI_PLUGIN + value: "{{ .Values.cni.chained }}" + - name: CNI_LOG_LEVEL + value: "{{ .Values.cni.logLevel }}" + {{- end }} + resources: + {{- toYaml .Values.cni.resources | trim | nindent 12 }} + volumeMounts: + - mountPath: /host/opt/cni/bin + name: cni-bin-dir + - mountPath: /host/etc/cni/net.d + name: cni-net-dir + {{- if .Values.experimental.ebpf.enabled }} + - mountPath: /sys/fs/cgroup + name: sys-fs-cgroup + - mountPath: /host/proc + name: host-proc + - mountPath: /host/var/run + name: host-var-run + mountPropagation: Bidirectional + {{- end }} + - name: tmp + mountPath: /tmp + volumes: + # Used to install CNI. + - name: cni-bin-dir + hostPath: + path: {{ .Values.cni.binDir }} + - name: cni-net-dir + hostPath: + path: {{ .Values.cni.netDir }} + {{- if .Values.experimental.ebpf.enabled }} + - hostPath: + path: /var/run + name: host-var-run + - hostPath: + path: /sys/fs/cgroup + name: sys-fs-cgroup + - hostPath: + path: /proc + name: host-proc + {{- end }} + - name: tmp + emptyDir: {} +{{- end }} diff --git a/charts/kuma/kuma/2.9.1/templates/cni-rbac.yaml b/charts/kuma/kuma/2.9.1/templates/cni-rbac.yaml new file mode 100644 index 000000000..07af2b215 --- /dev/null +++ b/charts/kuma/kuma/2.9.1/templates/cni-rbac.yaml @@ -0,0 +1,51 @@ +{{- if .Values.cni.enabled }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "kuma.name" . }}-cni + namespace: {{ .Values.cni.namespace }} + labels: {{ include "kuma.cniLabels" . | nindent 4 }} +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: + {{- range . }} + - name: {{ . | quote }} + {{- end }} +{{- end }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "kuma.name" . }}-cni + labels: + {{ include "kuma.cniLabels" . | nindent 4 }} +rules: + - apiGroups: [""] + resources: + - nodes + verbs: + - get + - apiGroups: [""] + resources: + - pods + verbs: + - get + {{- if .Values.experimental.ebpf.enabled }} + - list + - watch + {{- end }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "kuma.name" . }}-cni + labels: + {{ include "kuma.cniLabels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "kuma.name" . }}-cni +subjects: + - kind: ServiceAccount + name: {{ include "kuma.name" . }}-cni + namespace: {{ .Values.cni.namespace }} + {{- end }} diff --git a/charts/kuma/kuma/2.9.1/templates/cp-configmap.yaml b/charts/kuma/kuma/2.9.1/templates/cp-configmap.yaml new file mode 100644 index 000000000..b2c94ed4d --- /dev/null +++ b/charts/kuma/kuma/2.9.1/templates/cp-configmap.yaml @@ -0,0 +1,46 @@ +{{ $kumaCpLabels := include "kuma.cpLabels" . }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "kuma.name" . }}-control-plane-config + namespace: {{ .Release.Namespace }} + labels: {{ $kumaCpLabels | nindent 4 }} +data: + config.yaml: | + # use this file to override default configuration of `kuma-cp` + # + # see conf/kuma-cp.conf.yml for available settings + {{ if .Values.controlPlane.config }} + {{ .Values.controlPlane.config | nindent 4 }} + {{ end }} + +{{- $releaseNamespace := .Release.Namespace}} +{{- range $extraConfigMap := .Values.controlPlane.extraConfigMaps }} +{{- if $extraConfigMap.values }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ $extraConfigMap.name }} + namespace: {{ $releaseNamespace }} + labels: {{ $kumaCpLabels | nindent 4 }} +data: + {{- range $fileName, $fileContents := $extraConfigMap.values }} + {{- $fileName | nindent 2 }}: | + {{- $fileContents | nindent 4 }} + {{- end }} +{{- end }} +{{- end }} +{{- if and .Values.transparentProxy.configMap.enabled .Values.transparentProxy.configMap.config }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "kuma.transparentProxyConfigMapName" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- $kumaCpLabels | nindent 4 }} +data: + config.yaml: | + {{- .Values.transparentProxy.configMap.config | toYaml | nindent 4 }} +{{- end }} diff --git a/charts/kuma/kuma/2.9.1/templates/cp-deployment.yaml b/charts/kuma/kuma/2.9.1/templates/cp-deployment.yaml new file mode 100644 index 000000000..1111b149b --- /dev/null +++ b/charts/kuma/kuma/2.9.1/templates/cp-deployment.yaml @@ -0,0 +1,412 @@ +{{ $kdsGlobalServerTLSSecretName := "" }} +{{ if eq .Values.controlPlane.mode "global" }} + {{ $kdsGlobalServerTLSSecretName = .Values.controlPlane.tls.kdsGlobalServer.secretName }} + {{ if and .Values.controlPlane.tls.kdsGlobalServer.create (not $kdsGlobalServerTLSSecretName) }} + {{ $kdsGlobalServerTLSSecretName = print (include "kuma.name" .) "-kds-global-server-tls" }} + {{ end }} +{{ end }} + +{{ $kdsZoneClientTLSSecretName := "" }} +{{ if eq .Values.controlPlane.mode "zone" }} + {{ $kdsZoneClientTLSSecretName = .Values.controlPlane.tls.kdsZoneClient.secretName }} + {{ if and .Values.controlPlane.tls.kdsZoneClient.create (not $kdsZoneClientTLSSecretName) }} + {{ $kdsZoneClientTLSSecretName = print (include "kuma.name" .) "-kds-zone-client-tls" }} + {{ end }} +{{ end }} + +{{ if not (or (eq .Values.controlPlane.mode "zone") (eq .Values.controlPlane.mode "global") (eq .Values.controlPlane.mode "standalone")) }} + {{ $msg := printf "controlPlane.mode invalid got:'%s' supported values: global,zone,standalone" .Values.controlPlane.mode }} + {{ fail $msg }} +{{ end }} +{{ if eq .Values.controlPlane.mode "zone" }} + {{ if not (empty .Values.controlPlane.zone) }} + {{ if gt (len .Values.controlPlane.zone) 253 }} + {{ fail "controlPlane.zone must be no more than 253 characters" }} + {{ else }} + {{ if not (regexMatch "^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" .Values.controlPlane.zone) }} + {{ fail "controlPlane.zone must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character" }} + {{ end }} + {{ end }} + {{ end }} + {{ if not (empty .Values.controlPlane.kdsGlobalAddress) }} + {{ $url := urlParse .Values.controlPlane.kdsGlobalAddress }} + {{ if not (or (eq $url.scheme "grpcs") (eq $url.scheme "grpc")) }} + {{ $msg := printf "controlPlane.kdsGlobalAddress must be a url with scheme grpcs:// or grpc:// got:'%s'" .Values.controlPlane.kdsGlobalAddress }} + {{ fail $msg }} + {{ end }} + {{ end }} +{{ else }} + {{ if not (empty .Values.controlPlane.zone) }} + {{ fail "Can't specify a controlPlane.zone when controlPlane.mode!='zone'" }} + {{ end }} + {{ if not (empty .Values.controlPlane.kdsGlobalAddress) }} + {{ fail "Can't specify a controlPlane.kdsGlobalAddress when controlPlane.mode!='zone'" }} + {{ end }} +{{ end }} + +{{- $defaultEnv := include "kuma.defaultEnv" . | fromYaml | pluck "env" | first }} +{{- if eq .Values.controlPlane.environment "universal" }} +{{- $defaultEnv = include "kuma.universal.defaultEnv" . | fromYaml | pluck "env" | first }} +{{- end }} +{{- $defaultEnvDict := dict }} +{{- range $index, $item := $defaultEnv }} +{{- $name := $item.name | upper }} +{{- $defaultEnvDict := set $defaultEnvDict $name $item.value }} +{{- end }} +{{- $envVarsCopy := deepCopy .Values.controlPlane.envVars }} +{{- $mergedEnv := merge $envVarsCopy $defaultEnvDict }} +{{- $defaultSecrets := include "kuma.parentSecrets" . | fromYaml }} +{{- $extraSecrets := .Values.controlPlane.extraSecrets }} +{{- $mergedSecrets := merge $extraSecrets $defaultSecrets }} + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "kuma.name" . }}-control-plane + namespace: {{ .Release.Namespace }} + labels: {{ include "kuma.cpLabels" . | nindent 4 }} + annotations: {{ include "kuma.cpDeploymentAnnotations" . | nindent 4 }} +spec: + {{- if not .Values.controlPlane.autoscaling.enabled }} + replicas: {{ .Values.controlPlane.replicas }} + {{- end }} + minReadySeconds: {{ .Values.controlPlane.minReadySeconds }} + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + selector: + matchLabels: + {{- include "kuma.selectorLabels" . | nindent 6 }} + app: {{ include "kuma.name" . }}-control-plane + template: + metadata: + annotations: + checksum/config: {{ include (print $.Template.BasePath "/cp-configmap.yaml") . | sha256sum }} + {{- if .Values.restartOnSecretChange }} + checksum/tls-secrets: {{ include (print $.Template.BasePath "/cp-webhooks-and-secrets.yaml") . | sha256sum }} + {{- end }} + {{- range $key, $value := $.Values.controlPlane.podAnnotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} + labels: {{ include "kuma.cpLabels" . | nindent 8 }} + spec: + {{- with .Values.controlPlane.affinity }} + affinity: {{ tpl (toYaml . | nindent 8) $ }} + {{- end }} + {{- with .Values.controlPlane.topologySpreadConstraints }} + topologySpreadConstraints: {{ tpl (toYaml . | nindent 8) $ }} + {{- end }} + securityContext: + {{- toYaml .Values.controlPlane.podSecurityContext | trim | nindent 8 }} + serviceAccountName: {{ include "kuma.name" . }}-control-plane + automountServiceAccountToken: {{ .Values.controlPlane.automountServiceAccountToken }} + {{- with .Values.controlPlane.nodeSelector }} + nodeSelector: + {{ toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.controlPlane.tolerations }} + tolerations: + {{ toYaml . | nindent 8 }} + {{- end }} + hostNetwork: {{ .Values.controlPlane.hostNetwork }} + terminationGracePeriodSeconds: {{ .Values.controlPlane.terminationGracePeriodSeconds }} + {{ include "kuma.dnsConfig" (dict "dns" .Values.controlPlane.dns) | nindent 6 | trim }} + {{- if (eq .Values.controlPlane.environment "universal") }} + initContainers: + - name: migration + image: {{ include "kuma.formatImage" (dict "image" .Values.controlPlane.image "root" $) | quote }} + imagePullPolicy: {{ .Values.controlPlane.image.pullPolicy }} + securityContext: + {{- toYaml .Values.controlPlane.containerSecurityContext | trim | nindent 12 }} + env: + {{- range $key, $value := $mergedEnv }} + - name: {{ $key }} + value: {{ $value | quote }} + {{- end }} + {{- range $element := .Values.controlPlane.secrets }} + - name: {{ $element.Env }} + valueFrom: + secretKeyRef: + name: {{ $element.Secret }} + key: {{ $element.Key }} + {{- end }} + args: + - migrate + - up + - --log-level=info + - --config-file=/etc/kuma.io/kuma-control-plane/config.yaml + resources: + {{- if .Values.controlPlane.resources }} + {{- .Values.controlPlane.resources | toYaml | nindent 12 }} + {{- end }} + volumeMounts: + {{- if .Values.postgres.tls.caSecretName }} + - name: postgres-tls-cert-ca + subPath: ca.crt + mountPath: /var/run/secrets/kuma.io/postgres-tls-cert/ca.crt + readOnly: true + {{- end }} + {{- if .Values.postgres.tls.secretName }} + - name: postgres-tls-cert + subPath: tls.crt + mountPath: /var/run/secrets/kuma.io/postgres-tls-cert/tls.crt + readOnly: true + - name: postgres-tls-cert + subPath: tls.key + mountPath: /var/run/secrets/kuma.io/postgres-tls-cert/tls.key + readOnly: true + {{- end }} + - name: {{ include "kuma.name" . }}-control-plane-config + mountPath: /etc/kuma.io/kuma-control-plane + readOnly: true + {{- end }} + containers: + - name: control-plane + image: {{ include "kuma.formatImage" (dict "image" .Values.controlPlane.image "root" $) | quote }} + imagePullPolicy: {{ .Values.controlPlane.image.pullPolicy }} + securityContext: + {{- toYaml .Values.controlPlane.containerSecurityContext | trim | nindent 12 }} + env: + {{- if .Values.controlPlane.envVarEntries }} + {{- .Values.controlPlane.envVarEntries | toYaml | nindent 12 }} + {{- end }} + {{- range $key, $value := $mergedEnv }} + - name: {{ $key }} + value: {{ $value | quote }} + {{- end }} + {{- range $element := .Values.controlPlane.secrets }} + - name: {{ $element.Env }} + valueFrom: + secretKeyRef: + name: {{ $element.Secret }} + key: {{ $element.Key }} + {{- end }} + - name: KUMA_INTER_CP_CATALOG_INSTANCE_ADDRESS + valueFrom: + fieldRef: + fieldPath: status.podIP + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + containerName: control-plane + resource: limits.memory + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + containerName: control-plane + resource: limits.cpu + args: + - run + - --log-level={{ .Values.controlPlane.logLevel }} + - --log-output-path={{ .Values.controlPlane.logOutputPath }} + - --config-file=/etc/kuma.io/kuma-control-plane/config.yaml + ports: + - containerPort: 5680 + name: diagnostics + protocol: TCP + - containerPort: 5681 + - containerPort: 5682 + - containerPort: {{ .Values.controlPlane.admissionServerPort | default "5443" }} + {{- if ne .Values.controlPlane.mode "global" }} + - containerPort: 5678 + {{- end }} + livenessProbe: + timeoutSeconds: 10 + httpGet: + path: /healthy + port: 5680 + readinessProbe: + timeoutSeconds: 10 + httpGet: + path: /ready + port: 5680 + resources: + {{- if .Values.controlPlane.resources }} + {{- .Values.controlPlane.resources | toYaml | nindent 12 }} + {{- end }} + {{ with .Values.controlPlane.lifecycle }} + lifecycle: {{ . | toYaml | nindent 14 }} + {{ end }} + volumeMounts: + {{- if eq .Values.controlPlane.environment "kubernetes" }} + {{- if not .Values.controlPlane.automountServiceAccountToken }} + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: serviceaccount-token + readOnly: true + {{- end }} + - name: general-tls-cert + mountPath: /var/run/secrets/kuma.io/tls-cert/tls.crt + subPath: tls.crt + readOnly: true + - name: general-tls-cert + mountPath: /var/run/secrets/kuma.io/tls-cert/tls.key + subPath: tls.key + readOnly: true + - name: general-tls-cert{{- if .Values.controlPlane.tls.general.caSecretName }}-ca{{- end }} + mountPath: /var/run/secrets/kuma.io/tls-cert/ca.crt + subPath: ca.crt + readOnly: true + {{- end }} + {{- if and (eq .Values.controlPlane.environment "universal") (eq .Values.controlPlane.mode "zone") }} + {{- if .Values.controlPlane.tls.general.secretName }} + - name: general-tls-cert + mountPath: /var/run/secrets/kuma.io/tls-cert/tls.crt + subPath: tls.crt + readOnly: true + - name: general-tls-cert + mountPath: /var/run/secrets/kuma.io/tls-cert/tls.key + subPath: tls.key + readOnly: true + - name: general-tls-cert{{- if .Values.controlPlane.tls.general.caSecretName }}-ca{{- end }} + mountPath: /var/run/secrets/kuma.io/tls-cert/ca.crt + subPath: ca.crt + readOnly: true + {{- end }} + {{- end }} + - name: {{ include "kuma.name" . }}-control-plane-config + mountPath: /etc/kuma.io/kuma-control-plane + readOnly: true + {{- if .Values.controlPlane.tls.apiServer.secretName }} + - name: api-server-tls-cert + mountPath: /var/run/secrets/kuma.io/api-server-tls-cert + readOnly: true + {{- end }} + {{- if .Values.postgres.tls.caSecretName }} + - name: postgres-tls-cert-ca + subPath: ca.crt + mountPath: /var/run/secrets/kuma.io/postgres-tls-cert/ca.crt + readOnly: true + {{- end }} + {{- if .Values.postgres.tls.secretName }} + - name: postgres-tls-cert + subPath: tls.crt + mountPath: /var/run/secrets/kuma.io/postgres-tls-cert/tls.crt + readOnly: true + - name: postgres-tls-cert + subPath: tls.key + mountPath: /var/run/secrets/kuma.io/postgres-tls-cert/tls.key + readOnly: true + {{- end }} + {{- if .Values.controlPlane.tls.apiServer.clientCertsSecretName }} + - name: api-server-client-certs + mountPath: /var/run/secrets/kuma.io/api-server-client-certs + readOnly: true + {{- end }} + {{- if $kdsGlobalServerTLSSecretName }} + - name: kds-server-tls-cert + mountPath: /var/run/secrets/kuma.io/kds-server-tls-cert + readOnly: true + {{- end }} + {{- if $kdsZoneClientTLSSecretName }} + - name: kds-client-tls-cert + mountPath: /var/run/secrets/kuma.io/kds-client-tls-cert + readOnly: true + {{- end }} + {{- range $extraConfigMap := .Values.controlPlane.extraConfigMaps }} + - name: {{ $extraConfigMap.name }} + mountPath: {{ $extraConfigMap.mountPath }} + readOnly: {{ $extraConfigMap.readOnly }} + {{- end }} + {{- range $mergedSecret := $mergedSecrets }} + - name: {{ $mergedSecret.name }} + mountPath: {{ $mergedSecret.mountPath }} + subPath: {{ $mergedSecret.subPath }} + readOnly: {{ $mergedSecret.readOnly }} + {{- end }} + - name: tmp + mountPath: /tmp + volumes: + {{- if eq .Values.controlPlane.environment "kubernetes" }} + {{- if not .Values.controlPlane.automountServiceAccountToken }} + - name: serviceaccount-token + projected: + defaultMode: 420 + sources: + - serviceAccountToken: + expirationSeconds: 3600 + path: token + - configMap: + name: kube-root-ca.crt + items: + - key: ca.crt + path: ca.crt + - downwardAPI: + items: + - fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + path: namespace + {{- end }} + {{- if .Values.controlPlane.tls.general.secretName }} + - name: general-tls-cert + secret: + secretName: {{ .Values.controlPlane.tls.general.secretName }} + {{- else }} + - name: general-tls-cert + secret: + secretName: {{ include "kuma.name" . }}-tls-cert + {{- end }} + {{- if .Values.controlPlane.tls.general.caSecretName }} + - name: general-tls-cert-ca + secret: + secretName: {{ .Values.controlPlane.tls.general.caSecretName }} + {{- end }} + {{- end }} + {{- if and (eq .Values.controlPlane.environment "universal") (eq .Values.controlPlane.mode "zone") }} + {{- if .Values.controlPlane.tls.general.secretName }} + - name: general-tls-cert + secret: + secretName: {{ .Values.controlPlane.tls.general.secretName }} + {{- end }} + {{- if .Values.controlPlane.tls.general.caSecretName }} + - name: general-tls-cert-ca + secret: + secretName: {{ .Values.controlPlane.tls.general.caSecretName }} + {{- end }} + {{- end }} + {{- if .Values.controlPlane.tls.apiServer.secretName }} + - name: api-server-tls-cert + secret: + secretName: {{ .Values.controlPlane.tls.apiServer.secretName }} + {{- end }} + {{- if .Values.postgres.tls.caSecretName }} + - name: postgres-tls-cert-ca + secret: + secretName: {{ .Values.postgres.tls.caSecretName }} + {{- end }} + {{- if .Values.postgres.tls.secretName }} + - name: postgres-tls-cert + secret: + secretName: {{ .Values.postgres.tls.secretName }} + {{- end }} + {{- if .Values.controlPlane.tls.apiServer.clientCertsSecretName }} + - name: api-server-client-certs + secret: + secretName: {{ .Values.controlPlane.tls.apiServer.clientCertsSecretName }} + {{- end }} + {{- if $kdsGlobalServerTLSSecretName }} + - name: kds-server-tls-cert + secret: + secretName: {{ $kdsGlobalServerTLSSecretName }} + {{- end }} + {{- if $kdsZoneClientTLSSecretName }} + - name: kds-client-tls-cert + secret: + secretName: {{ $kdsZoneClientTLSSecretName }} + {{- end }} + - name: {{ include "kuma.name" . }}-control-plane-config + configMap: + name: {{ include "kuma.name" . }}-control-plane-config + {{- range $extraConfigMap := .Values.controlPlane.extraConfigMaps }} + - name: {{ $extraConfigMap.name }} + configMap: + name: {{ $extraConfigMap.name }} + {{- end }} + {{- range $mergedSecret := $mergedSecrets }} + - name: {{ $mergedSecret.name }} + secret: + secretName: {{ $mergedSecret.name }} + {{- end }} + - name: tmp + emptyDir: {} diff --git a/charts/kuma/kuma/2.9.1/templates/cp-global-sync-service.yaml b/charts/kuma/kuma/2.9.1/templates/cp-global-sync-service.yaml new file mode 100644 index 000000000..c5b3555a8 --- /dev/null +++ b/charts/kuma/kuma/2.9.1/templates/cp-global-sync-service.yaml @@ -0,0 +1,33 @@ +{{- if and (eq .Values.controlPlane.mode "global") .Values.controlPlane.globalZoneSyncService.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "kuma.controlPlane.globalZoneSync.serviceName" . }} + namespace: {{ .Release.Namespace }} + annotations: + {{- range $key, $value := .Values.controlPlane.globalZoneSyncService.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} + labels: {{ include "kuma.cpLabels" . | nindent 4 }} +spec: + type: {{ .Values.controlPlane.globalZoneSyncService.type }} + {{- if .Values.controlPlane.globalZoneSyncService.loadBalancerIP }} + loadBalancerIP: {{ .Values.controlPlane.globalZoneSyncService.loadBalancerIP }} + {{- end }} + {{- if .Values.controlPlane.globalZoneSyncService.loadBalancerSourceRanges }} + loadBalancerSourceRanges: + {{- range .Values.controlPlane.globalZoneSyncService.loadBalancerSourceRanges }} + - {{.}} + {{- end }} + {{- end }} + ports: + - port: {{ .Values.controlPlane.globalZoneSyncService.port }} + appProtocol: {{ .Values.controlPlane.globalZoneSyncService.protocol }} + {{- if and (eq .Values.controlPlane.globalZoneSyncService.type "NodePort") .Values.controlPlane.globalZoneSyncService.nodePort }} + nodePort: {{ .Values.controlPlane.globalZoneSyncService.nodePort }} + {{- end }} + name: global-zone-sync + selector: + app: {{ include "kuma.name" . }}-control-plane + {{ include "kuma.selectorLabels" . | nindent 4 }} +{{- end }} diff --git a/charts/kuma/kuma/2.9.1/templates/cp-hpa.yaml b/charts/kuma/kuma/2.9.1/templates/cp-hpa.yaml new file mode 100644 index 000000000..dc4981020 --- /dev/null +++ b/charts/kuma/kuma/2.9.1/templates/cp-hpa.yaml @@ -0,0 +1,24 @@ +{{- if .Values.controlPlane.autoscaling.enabled }} +{{ if .Capabilities.APIVersions.Has "autoscaling/v2" }} +apiVersion: "autoscaling/v2" +{{ else }} +apiVersion: "autoscaling/v1" +{{ end }} +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "kuma.name" . }}-control-plane + namespace: {{ .Release.Namespace }} + labels: {{ include "kuma.cpLabels" . | nindent 4 }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "kuma.name" . }}-control-plane + minReplicas: {{ .Values.controlPlane.autoscaling.minReplicas }} + maxReplicas: {{ .Values.controlPlane.autoscaling.maxReplicas }} + {{ if .Capabilities.APIVersions.Has "autoscaling/v2" }} + metrics: {{- toYaml .Values.controlPlane.autoscaling.metrics | nindent 4 }} + {{ else }} + targetCPUUtilizationPercentage: {{ .Values.controlPlane.autoscaling.targetCPUUtilizationPercentage }} + {{- end }} +{{- end }} diff --git a/charts/kuma/kuma/2.9.1/templates/cp-ingress.yaml b/charts/kuma/kuma/2.9.1/templates/cp-ingress.yaml new file mode 100644 index 000000000..8ceae01f8 --- /dev/null +++ b/charts/kuma/kuma/2.9.1/templates/cp-ingress.yaml @@ -0,0 +1,25 @@ +{{- if .Values.controlPlane.ingress.enabled }} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ include "kuma.controlPlane.serviceName" . }} + namespace: {{ .Release.Namespace }} + {{- with .Values.controlPlane.ingress.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} + labels: {{ include "kuma.cpLabels" . | nindent 4 }} +spec: + ingressClassName: {{ .Values.controlPlane.ingress.ingressClassName }} + rules: + - host: {{ .Values.controlPlane.ingress.hostname }} + http: + paths: + - path: {{ .Values.controlPlane.ingress.path }} + pathType: {{ .Values.controlPlane.ingress.pathType }} + backend: + service: + name: {{ include "kuma.controlPlane.serviceName" . }} + port: + number: {{ .Values.controlPlane.ingress.servicePort }} +{{- end }} diff --git a/charts/kuma/kuma/2.9.1/templates/cp-kds-global-server-secret.yaml b/charts/kuma/kuma/2.9.1/templates/cp-kds-global-server-secret.yaml new file mode 100644 index 000000000..5ea3314a3 --- /dev/null +++ b/charts/kuma/kuma/2.9.1/templates/cp-kds-global-server-secret.yaml @@ -0,0 +1,15 @@ +{{ if and (eq .Values.controlPlane.mode "global") .Values.controlPlane.tls.kdsGlobalServer.create }} +apiVersion: v1 +kind: Secret +metadata: +{{ with .Values.controlPlane.tls.kdsGlobalServer.secretName }} + name: {{ . }} +{{ else }} + name: {{ include "kuma.name" . }}-kds-global-server-tls +{{ end }} + labels: {{ include "kuma.cpLabels" . | nindent 4 }} +type: kubernetes.io/tls +stringData: + tls.crt: {{ required "you must provide a kds tls cert" .Values.controlPlane.tls.kdsGlobalServer.cert | quote }} + tls.key: {{ required "you must provide a kds tls key" .Values.controlPlane.tls.kdsGlobalServer.key | quote }} +{{ end }} diff --git a/charts/kuma/kuma/2.9.1/templates/cp-kds-zone-client-tls-secret.yaml b/charts/kuma/kuma/2.9.1/templates/cp-kds-zone-client-tls-secret.yaml new file mode 100644 index 000000000..99b15c5bd --- /dev/null +++ b/charts/kuma/kuma/2.9.1/templates/cp-kds-zone-client-tls-secret.yaml @@ -0,0 +1,13 @@ +{{ if and (eq .Values.controlPlane.mode "zone") .Values.controlPlane.tls.kdsZoneClient.create }} +apiVersion: v1 +kind: Secret +metadata: +{{ with .Values.controlPlane.tls.kdsZoneClient.secretName }} + name: {{ . }} +{{ else }} + name: {{ include "kuma.name" . }}-kds-zone-client-tls +{{ end }} + labels: {{ include "kuma.cpLabels" . | nindent 4 }} +stringData: + ca.crt: {{ required "you must provide a kds cert" .Values.controlPlane.tls.kdsZoneClient.cert | quote }} +{{ end }} diff --git a/charts/kuma/kuma/2.9.1/templates/cp-pdb.yaml b/charts/kuma/kuma/2.9.1/templates/cp-pdb.yaml new file mode 100644 index 000000000..bb29bfd20 --- /dev/null +++ b/charts/kuma/kuma/2.9.1/templates/cp-pdb.yaml @@ -0,0 +1,20 @@ +{{ if $.Values.controlPlane.podDisruptionBudget.enabled }} +{{ if .Capabilities.APIVersions.Has "policy/v1" }} +apiVersion: policy/v1 +{{ else if .Capabilities.APIVersions.Has "policy/v1beta1" }} +apiVersion: policy/v1beta1 +{{ else }} +{{ fail "pod disruption budgets are not supported by this version of kubernetes" }} +{{ end }} +kind: PodDisruptionBudget +metadata: + name: {{ include "kuma.name" . }}-control-plane + namespace: {{ .Release.Namespace }} + labels: {{ include "kuma.cpLabels" . | nindent 4 }} +spec: + maxUnavailable: {{ .Values.controlPlane.podDisruptionBudget.maxUnavailable }} + selector: + matchLabels: + {{- include "kuma.selectorLabels" . | nindent 6 }} + app: {{ include "kuma.name" . }}-control-plane +{{ end }} diff --git a/charts/kuma/kuma/2.9.1/templates/cp-rbac.yaml b/charts/kuma/kuma/2.9.1/templates/cp-rbac.yaml new file mode 100644 index 000000000..52ce1bfa8 --- /dev/null +++ b/charts/kuma/kuma/2.9.1/templates/cp-rbac.yaml @@ -0,0 +1,320 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "kuma.name" . }}-control-plane + namespace: {{ .Release.Namespace }} + labels: {{ include "kuma.cpLabels" . | nindent 4 }} +{{- with .Values.controlPlane.serviceAccountAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} +{{- end }} +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: + {{- range . }} + - name: {{ . | quote }} + {{- end }} +{{- end }} +{{- if (eq .Values.controlPlane.environment "kubernetes") }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "kuma.name" . }}-control-plane + labels: {{ include "kuma.cpLabels" . | nindent 4 }} +rules: + - apiGroups: + - "" + resources: + - namespaces + - pods +{{- if not (and .Values.transparentProxy.configMap.enabled .Values.transparentProxy.configMap.config) }} + - configmaps +{{- end }} + - nodes +{{- if .Values.controlPlane.supportGatewaySecretsInAllNamespaces }} + - secrets +{{- end }} + verbs: + - get + - list + - watch + - apiGroups: + - "" + resources: + - secrets + verbs: + - list + - watch + - apiGroups: + - "discovery.k8s.io" + resources: + - endpointslices + verbs: + - get + - list + - watch + - apiGroups: + - "apps" + resources: + - deployments + - replicasets + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - "batch" + resources: + - jobs + verbs: + - get + - list + - watch + - apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses + - gateways + - referencegrants + - httproutes + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses/status + - gateways/status + - httproutes/status + verbs: + - get + - patch + - update + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + - apiGroups: + - "" + resources: + - services +{{- if and .Values.transparentProxy.configMap.enabled .Values.transparentProxy.configMap.config }} + - configmaps +{{- end }} + verbs: + - get + - delete + - list + - watch + - create + - update + - patch + - apiGroups: + - "discovery.k8s.io" + resources: + - endpointslices + verbs: + - get + - list + - watch + - apiGroups: + - kuma.io + resources: + - dataplanes + - dataplaneinsights + - meshes + - zones + - zoneinsights + - zoneingresses + - zoneingressinsights + - zoneegresses + - zoneegressinsights + - meshinsights + - serviceinsights + - proxytemplates + - ratelimits + - trafficpermissions + - trafficroutes + - timeouts + - retries + - circuitbreakers + - virtualoutbounds + - containerpatches + - externalservices + - faultinjections + - healthchecks + - trafficlogs + - traffictraces + - meshgateways + - meshgatewayroutes + - meshgatewayinstances + - meshgatewayconfigs + {{- range $policy, $v := .Values.plugins.policies }} + {{- if $v }} + - {{ $policy }} + {{- end}} + {{- end}} + {{- range $policy, $v := .Values.plugins.resources }} + {{- if $v }} + - {{ $policy }} + {{- end}} + {{- end}} + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - kuma.io + resources: + - meshgatewayinstances/status + - meshgatewayinstances/finalizers + - meshes/finalizers + - dataplanes/finalizers + verbs: + - get + - patch + - update + - apiGroups: + - "" + resources: + - pods/finalizers + verbs: + - get + - patch + - update + {{- if .Values.cni.enabled }} + - apiGroups: + - k8s.cni.cncf.io + resources: + - network-attachment-definitions + verbs: + - get + - list + - watch + - create + - delete + - apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - get + - list + - watch + - apiGroups: + - "" + resources: + - nodes + verbs: + - update + - apiGroups: + - "pods" + resources: + - pods + verbs: + - list + {{- end }} + # validate k8s token before issuing mTLS cert + - apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "kuma.name" . }}-control-plane + labels: {{ include "kuma.cpLabels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "kuma.name" . }}-control-plane +subjects: + - kind: ServiceAccount + name: {{ include "kuma.name" . }}-control-plane + namespace: {{ .Release.Namespace }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "kuma.name" . }}-control-plane + namespace: {{ .Release.Namespace }} + labels: {{ include "kuma.cpLabels" . | nindent 4 }} +rules: + - apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + # leader-for-life election deletes Pods in some circumstances + - apiGroups: + - "" + resources: + - pods + verbs: + - delete +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ include "kuma.name" . }}-control-plane + namespace: {{ .Release.Namespace }} + labels: {{ include "kuma.cpLabels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ include "kuma.name" . }}-control-plane +subjects: + - kind: ServiceAccount + name: {{ include "kuma.name" . }}-control-plane + namespace: {{ .Release.Namespace }} +{{- end }} diff --git a/charts/kuma/kuma/2.9.1/templates/cp-service.yaml b/charts/kuma/kuma/2.9.1/templates/cp-service.yaml new file mode 100644 index 000000000..3b9c3e31f --- /dev/null +++ b/charts/kuma/kuma/2.9.1/templates/cp-service.yaml @@ -0,0 +1,49 @@ +{{ if .Values.controlPlane.service.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "kuma.controlPlane.serviceName" . }} + namespace: {{ .Release.Namespace }} + labels: {{ include "kuma.cpLabels" . | nindent 4 }} + annotations: + {{- range $key, $value := .Values.controlPlane.service.annotations }} + {{- if $value }} + {{ $key }}: {{ $value | quote }} + {{- end }} + {{- end }} +spec: + type: {{ .Values.controlPlane.service.type }} + ports: + - port: 5680 + name: diagnostics + appProtocol: http + - port: 5681 + name: http-api-server + appProtocol: http + {{- if and (eq .Values.controlPlane.service.type "NodePort") .Values.controlPlane.service.apiServer.http.nodePort }} + nodePort: {{ .Values.controlPlane.service.apiServer.http.nodePort }} + {{- end }} + - port: 5682 + name: https-api-server + appProtocol: https + {{- if and (eq .Values.controlPlane.service.type "NodePort") .Values.controlPlane.service.apiServer.https.nodePort }} + nodePort: {{ .Values.controlPlane.service.apiServer.https.nodePort }} + {{- end }} + {{- if ne .Values.controlPlane.environment "universal" }} + - port: 443 + name: https-admission-server + targetPort: {{ .Values.controlPlane.admissionServerPort | default "5443" }} + appProtocol: https + {{- end }} + {{- if ne .Values.controlPlane.mode "global" }} + - port: 5676 + name: mads-server + appProtocol: https + - port: 5678 + name: dp-server + appProtocol: https + {{- end }} + selector: + app: {{ include "kuma.name" . }}-control-plane + {{- include "kuma.selectorLabels" . | nindent 4 }} +{{ end }} diff --git a/charts/kuma/kuma/2.9.1/templates/cp-webhooks-and-secrets.yaml b/charts/kuma/kuma/2.9.1/templates/cp-webhooks-and-secrets.yaml new file mode 100644 index 000000000..15b38e0fd --- /dev/null +++ b/charts/kuma/kuma/2.9.1/templates/cp-webhooks-and-secrets.yaml @@ -0,0 +1,346 @@ +{{- if not (eq (empty .Values.controlPlane.tls.general.caBundle) (empty .Values.controlPlane.tls.general.secretName)) }} + {{ fail "You need to send both or neither of controlPlane.tls.general.caBundle and controlPlane.tls.general.secretName"}} +{{- end }} +{{- $caBundle := .Values.controlPlane.tls.general.caBundle }} +{{/* +Generate certificates +see: https://masterminds.github.io/sprig/crypto.html +see: https://medium.com/nuvo-group-tech/move-your-certs-to-helm-4f5f61338aca +see: https://github.com/networkservicemesh/networkservicemesh/blob/804ad5026bb5dbd285c220f15395fe25e46f5edb/deployments/helm/nsm/charts/admission-webhook/templates/admission-webhook-secret.tpl + +We only autogenerate certs if user did not chose their own secret. +We only autogenerate certs if the cert is not yet generated. This way we keep the secrets between HELM upgrades. +*/}} + +{{- if eq .Values.controlPlane.tls.general.secretName "" -}} +{{- $cert := "" }} +{{- $key := "" }} +{{- $secretName := print (include "kuma.name" .) "-tls-cert" }} + +{{- $secret := (lookup "v1" "Secret" .Release.Namespace $secretName) -}} +{{- if $secret -}} + {{- $cert = index $secret.data "tls.crt" -}} + {{- $key = index $secret.data "tls.key" -}} + {{- $caBundle = index $secret.data "ca.crt" -}} +{{- else -}} + {{- $commonName := (include "kuma.controlPlane.serviceName" .) -}} + {{- $altNames := list (printf "%s.%s" $commonName .Release.Namespace) (printf "%s.%s.svc" $commonName .Release.Namespace) -}} + {{- $certTTL := 3650 -}} + {{- $ca := genCA "kuma-ca" $certTTL -}} + + {{- $genCert := genSignedCert $commonName nil $altNames $certTTL $ca -}} + {{- $cert = $genCert.Cert | b64enc -}} + {{- $key = $genCert.Key | b64enc -}} + {{ $caBundle = $ca.Cert | b64enc }} +{{- end -}} +--- +apiVersion: v1 +kind: Secret +type: kubernetes.io/tls +metadata: + name: {{ $secretName }} + namespace: {{ .Release.Namespace }} + labels: {{ include "kuma.cpLabels" . | nindent 4 }} +data: + tls.crt: {{ $cert }} + tls.key: {{ $key }} + ca.crt: {{ $caBundle }} +{{- end }} +{{- if (eq .Values.controlPlane.environment "kubernetes") }} +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + name: {{ include "kuma.name" . }}-admission-mutating-webhook-configuration + namespace: {{ .Release.Namespace }} + labels: {{ include "kuma.cpLabels" . | nindent 4 }} +webhooks: + - name: mesh.defaulter.kuma-admission.kuma.io + admissionReviewVersions: ["v1"] + failurePolicy: Fail + namespaceSelector: + matchExpressions: + - key: kubernetes.io/metadata.name + operator: NotIn + values: ["kube-system"] + clientConfig: + caBundle: {{ $caBundle }} + service: + namespace: {{ .Release.Namespace }} + name: {{ include "kuma.controlPlane.serviceName" . }} + path: /default-kuma-io-v1alpha1-mesh + rules: + - apiGroups: + - kuma.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - meshes + - dataplanes + - dataplaneinsights + - meshgateways + - zoneingresses + - zoneingressinsights + - zoneegresses + - zoneegressinsights + - serviceinsights + - zone + - zoneinsights + {{- range $policy, $v := .Values.plugins.policies }} + {{- if $v }} + - {{ $policy }} + {{- end}} + {{- end}} + {{- range $policy, $v := .Values.plugins.resources }} + {{- if $v }} + - {{ $policy }} + {{- end}} + {{- end}} + sideEffects: None + - name: owner-reference.kuma-admission.kuma.io + admissionReviewVersions: ["v1"] + failurePolicy: Fail + namespaceSelector: + matchExpressions: + - key: kubernetes.io/metadata.name + operator: NotIn + values: ["kube-system"] + clientConfig: + caBundle: {{ $caBundle }} + service: + namespace: {{ .Release.Namespace }} + name: {{ include "kuma.controlPlane.serviceName" . }} + path: /owner-reference-kuma-io-v1alpha1 + rules: + - apiGroups: + - kuma.io + apiVersions: + - v1alpha1 + operations: + - CREATE + resources: + - circuitbreakers + - externalservices + - faultinjections + - healthchecks + - meshgateways + - meshgatewayroutes + - proxytemplates + - ratelimits + - retries + - timeouts + - trafficlogs + - trafficpermissions + - trafficroutes + - traffictraces + - virtualoutbounds + {{- range $policy, $v := .Values.plugins.policies }} + {{- if $v }} + - {{ $policy }} + {{- end}} + {{- end}} + {{- range $policy, $v := .Values.plugins.resources }} + {{- if $v }} + - {{ $policy }} + {{- end}} + {{- end}} + {{ .Values.controlPlane.webhooks.ownerReference.additionalRules | nindent 6 }} + sideEffects: None + {{- if ne .Values.controlPlane.mode "global" }} + - name: namespace-kuma-injector.kuma.io + admissionReviewVersions: ["v1"] + failurePolicy: {{ .Values.controlPlane.injectorFailurePolicy }} + namespaceSelector: + matchExpressions: + - key: kubernetes.io/metadata.name + operator: NotIn + values: ["kube-system"] + - key: kuma.io/sidecar-injection + operator: In + values: ["enabled", "true"] + clientConfig: + caBundle: {{ $caBundle }} + service: + namespace: {{ .Release.Namespace }} + name: {{ include "kuma.controlPlane.serviceName" . }} + path: /inject-sidecar + rules: + - apiGroups: + - "" + apiVersions: + - v1 + operations: + - CREATE + resources: + - pods + sideEffects: None + - name: pods-kuma-injector.kuma.io + admissionReviewVersions: ["v1"] + failurePolicy: {{ .Values.controlPlane.injectorFailurePolicy }} + namespaceSelector: + matchExpressions: + - key: kubernetes.io/metadata.name + operator: NotIn + values: ["kube-system"] + objectSelector: + matchLabels: + kuma.io/sidecar-injection: enabled + clientConfig: + caBundle: {{ $caBundle }} + service: + namespace: {{ .Release.Namespace }} + name: {{ include "kuma.controlPlane.serviceName" . }} + path: /inject-sidecar + rules: + - apiGroups: + - "" + apiVersions: + - v1 + operations: + - CREATE + resources: + - pods + sideEffects: None + {{- end }} +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: {{ include "kuma.name" . }}-validating-webhook-configuration + namespace: {{ .Release.Namespace }} + labels: {{ include "kuma.cpLabels" . | nindent 4 }} +webhooks: + - name: validator.kuma-admission.kuma.io + admissionReviewVersions: ["v1"] + failurePolicy: Fail + namespaceSelector: + matchExpressions: + - key: kubernetes.io/metadata.name + operator: NotIn + values: ["kube-system"] + clientConfig: + caBundle: {{ $caBundle }} + service: + namespace: {{ .Release.Namespace }} + name: {{ include "kuma.controlPlane.serviceName" . }} + path: /validate-kuma-io-v1alpha1 + rules: + - apiGroups: + - kuma.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + - DELETE + resources: + - circuitbreakers + - dataplanes + - externalservices + - faultinjections + - meshgatewayinstances + - healthchecks + - meshes + - meshgateways + - meshgatewayroutes + - proxytemplates + - ratelimits + - retries + - trafficlogs + - trafficpermissions + - trafficroutes + - traffictraces + - virtualoutbounds + - zones + - containerpatches + {{- range $policy, $v := .Values.plugins.policies }} + {{- if $v }} + - {{ $policy }} + {{- end}} + {{- end}} + {{- range $policy, $v := .Values.plugins.resources }} + {{- if $v }} + - {{ $policy }} + {{- end}} + {{- end}} + {{ .Values.controlPlane.webhooks.validator.additionalRules | nindent 6 }} + sideEffects: None + {{- if ne .Values.controlPlane.mode "global" }} + - name: service.validator.kuma-admission.kuma.io + admissionReviewVersions: ["v1"] + failurePolicy: Ignore + namespaceSelector: + matchExpressions: + - key: kubernetes.io/metadata.name + operator: NotIn + values: ["kube-system"] + clientConfig: + caBundle: {{ $caBundle }} + service: + namespace: {{ .Release.Namespace }} + name: {{ include "kuma.controlPlane.serviceName" . }} + path: /validate-v1-service + rules: + - apiGroups: + - "" + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - services + sideEffects: None + {{- end }} + - name: secret.validator.kuma-admission.kuma.io + admissionReviewVersions: ["v1"] + namespaceSelector: + matchLabels: + kuma.io/system-namespace: "true" + failurePolicy: Ignore + clientConfig: + caBundle: {{ $caBundle }} + service: + namespace: {{ .Release.Namespace }} + name: {{ include "kuma.controlPlane.serviceName" . }} + path: /validate-v1-secret + rules: + - apiGroups: + - "" + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + - DELETE + resources: + - secrets + sideEffects: None + - name: gateway.validator.kuma-admission.kuma.io + admissionReviewVersions: ["v1"] + failurePolicy: Ignore + namespaceSelector: + matchExpressions: + - key: kubernetes.io/metadata.name + operator: NotIn + values: ["kube-system"] + clientConfig: + caBundle: {{ $caBundle }} + service: + namespace: {{ .Release.Namespace }} + name: {{ include "kuma.controlPlane.serviceName" . }} + path: /validate-gatewayclass + rules: + - apiGroups: + - "gateway.networking.k8s.io" + apiVersions: + - v1beta1 + operations: + - CREATE + resources: + - gatewayclasses + sideEffects: None +{{- end }} diff --git a/charts/kuma/kuma/2.9.1/templates/egress-deployment.yaml b/charts/kuma/kuma/2.9.1/templates/egress-deployment.yaml new file mode 100644 index 000000000..3b6617eee --- /dev/null +++ b/charts/kuma/kuma/2.9.1/templates/egress-deployment.yaml @@ -0,0 +1,138 @@ +{{- if .Values.egress.enabled }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "kuma.name" . }}-egress + namespace: {{ .Release.Namespace }} + labels: {{ include "kuma.egressLabels" . | nindent 4 }} +spec: + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + {{- if not .Values.egress.autoscaling.enabled }} + replicas: {{ .Values.egress.replicas }} + {{- end }} + selector: + matchLabels: + {{- include "kuma.selectorLabels" . | nindent 6 }} + app: {{ include "kuma.name" . }}-egress + template: + metadata: + annotations: + kuma.io/egress: enabled + {{- range $key, $value := merge .Values.egress.podAnnotations .Values.egress.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} + labels: + {{- include "kuma.egressLabels" . | nindent 8 }} + spec: + {{- with .Values.egress.affinity }} + affinity: {{ tpl (toYaml . | nindent 8) $ }} + {{- end }} + {{- with .Values.egress.topologySpreadConstraints }} + topologySpreadConstraints: {{ tpl (toYaml . | nindent 8) $ }} + {{- end }} + securityContext: + {{- toYaml .Values.egress.podSecurityContext | trim | nindent 8 }} + serviceAccountName: {{ include "kuma.name" . }}-egress + automountServiceAccountToken: {{ .Values.egress.automountServiceAccountToken }} + {{- with .Values.egress.nodeSelector }} + nodeSelector: + {{ toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.egress.tolerations }} + tolerations: + {{ toYaml . | nindent 8 }} + {{- end }} + {{ include "kuma.dnsConfig" (dict "dns" .Values.egress.dns) | nindent 6 | trim }} + containers: + - name: egress + image: {{ include "kuma.formatImage" (dict "image" .Values.dataPlane.image "root" $) | quote }} + imagePullPolicy: {{ .Values.dataPlane.image.pullPolicy }} + securityContext: + {{- toYaml .Values.egress.containerSecurityContext | trim | nindent 12 }} + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: KUMA_CONTROL_PLANE_URL + value: "https://{{ include "kuma.controlPlane.serviceName" . }}.{{ .Release.Namespace }}:5678" + - name: KUMA_CONTROL_PLANE_CA_CERT_FILE + value: /var/run/secrets/kuma.io/cp-ca/ca.crt + - name: KUMA_DATAPLANE_DRAIN_TIME + value: {{ .Values.egress.drainTime }} + - name: KUMA_DATAPLANE_RUNTIME_TOKEN_PATH + value: /var/run/secrets/kubernetes.io/serviceaccount/token + - name: KUMA_DATAPLANE_PROXY_TYPE + value: "egress" + args: + - run + - --log-level={{ .Values.egress.logLevel | default "info" }} + ports: + - containerPort: 10002 + livenessProbe: + httpGet: + path: "/ready" + port: 9901 + failureThreshold: 12 + initialDelaySeconds: 60 + periodSeconds: 5 + successThreshold: 1 + timeoutSeconds: 3 + readinessProbe: + httpGet: + path: "/ready" + port: 9901 + failureThreshold: 12 + initialDelaySeconds: 1 + periodSeconds: 5 + successThreshold: 1 + timeoutSeconds: 3 + resources: {{ toYaml .Values.egress.resources | nindent 12 }} + volumeMounts: +{{- if not .Values.egress.automountServiceAccountToken }} + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: serviceaccount-token + readOnly: true +{{- end }} + - name: control-plane-ca + mountPath: /var/run/secrets/kuma.io/cp-ca + readOnly: true + - name: tmp + mountPath: /tmp + volumes: +{{- if not .Values.egress.automountServiceAccountToken }} + - name: serviceaccount-token + projected: + defaultMode: 420 + sources: + - serviceAccountToken: + expirationSeconds: 3600 + path: token + - configMap: + name: kube-root-ca.crt + items: + - key: ca.crt + path: ca.crt + - downwardAPI: + items: + - fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + path: namespace +{{- end }} + - name: control-plane-ca + secret: + secretName: {{ include "kuma.controlPlane.tls.general.caSecretName" . }} + items: + - key: ca.crt + path: ca.crt + - name: tmp + emptyDir: {} + {{- end }} diff --git a/charts/kuma/kuma/2.9.1/templates/egress-hpa.yaml b/charts/kuma/kuma/2.9.1/templates/egress-hpa.yaml new file mode 100644 index 000000000..8d4284f41 --- /dev/null +++ b/charts/kuma/kuma/2.9.1/templates/egress-hpa.yaml @@ -0,0 +1,24 @@ +{{- if .Values.egress.autoscaling.enabled }} +{{ if .Capabilities.APIVersions.Has "autoscaling/v2" }} +apiVersion: "autoscaling/v2" +{{ else }} +apiVersion: "autoscaling/v1" +{{ end }} +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "kuma.name" . }}-egress + namespace: {{ .Release.Namespace }} + labels: {{ include "kuma.egressLabels" . | nindent 4 }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "kuma.name" . }}-egress + minReplicas: {{ .Values.egress.autoscaling.minReplicas }} + maxReplicas: {{ .Values.egress.autoscaling.maxReplicas }} + {{ if .Capabilities.APIVersions.Has "autoscaling/v2" }} + metrics: {{- toYaml .Values.egress.autoscaling.metrics | nindent 4 }} + {{ else }} + targetCPUUtilizationPercentage: {{ .Values.egress.autoscaling.targetCPUUtilizationPercentage }} + {{- end }} +{{- end }} diff --git a/charts/kuma/kuma/2.9.1/templates/egress-pdb.yaml b/charts/kuma/kuma/2.9.1/templates/egress-pdb.yaml new file mode 100644 index 000000000..ee599003b --- /dev/null +++ b/charts/kuma/kuma/2.9.1/templates/egress-pdb.yaml @@ -0,0 +1,20 @@ +{{ if $.Values.egress.podDisruptionBudget.enabled }} +{{ if .Capabilities.APIVersions.Has "policy/v1" }} +apiVersion: policy/v1 +{{ else if .Capabilities.APIVersions.Has "policy/v1beta1" }} +apiVersion: policy/v1beta1 +{{ else }} +{{ fail "pod disruption budgets are not supported by this version of kubernetes" }} +{{ end }} +kind: PodDisruptionBudget +metadata: + name: {{ include "kuma.name" . }}-egress + namespace: {{ .Release.Namespace }} + labels: {{ include "kuma.egressLabels" . | nindent 4 }} +spec: + maxUnavailable: {{ .Values.egress.podDisruptionBudget.maxUnavailable }} + selector: + matchLabels: + {{- include "kuma.selectorLabels" . | nindent 6 }} + app: {{ include "kuma.name" . }}-egress +{{ end }} diff --git a/charts/kuma/kuma/2.9.1/templates/egress-rbac.yaml b/charts/kuma/kuma/2.9.1/templates/egress-rbac.yaml new file mode 100644 index 000000000..1b4326fdb --- /dev/null +++ b/charts/kuma/kuma/2.9.1/templates/egress-rbac.yaml @@ -0,0 +1,18 @@ +{{- if .Values.egress.enabled }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "kuma.name" . }}-egress + namespace: {{ .Release.Namespace }} + labels: {{ include "kuma.egressLabels" . | nindent 4 }} +{{- with .Values.egress.serviceAccountAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} +{{- end }} +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: + {{- range . }} + - name: {{ . | quote }} + {{- end }} +{{- end }} +{{- end }} diff --git a/charts/kuma/kuma/2.9.1/templates/egress-service.yaml b/charts/kuma/kuma/2.9.1/templates/egress-service.yaml new file mode 100644 index 000000000..2127811fe --- /dev/null +++ b/charts/kuma/kuma/2.9.1/templates/egress-service.yaml @@ -0,0 +1,32 @@ +{{- if .Values.egress.enabled }} +{{- if eq .Values.controlPlane.mode "global" }} +{{ fail "You shouldn't run zoneEgress when running the CP in global" }} +{{- end }} +{{- end }} +{{- if and .Values.egress.enabled .Values.egress.service.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "kuma.egress.serviceName" . }} + namespace: {{ .Release.Namespace }} + labels: {{ include "kuma.egressLabels" . | nindent 4 }} + annotations: + {{- range $key, $value := .Values.egress.service.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} +spec: + type: {{ .Values.egress.service.type }} + {{- if .Values.egress.service.loadBalancerIP }} + loadBalancerIP: {{ .Values.egress.service.loadBalancerIP }} + {{- end }} + ports: + - port: {{ .Values.egress.service.port }} + protocol: TCP + targetPort: 10002 + {{- if and (eq .Values.egress.service.type "NodePort") .Values.egress.service.nodePort }} + nodePort: {{ .Values.egress.service.nodePort }} + {{- end }} + selector: + app: {{ include "kuma.name" . }}-egress + {{- include "kuma.selectorLabels" . | nindent 4 }} +{{- end }} diff --git a/charts/kuma/kuma/2.9.1/templates/gateway-class.yaml b/charts/kuma/kuma/2.9.1/templates/gateway-class.yaml new file mode 100644 index 000000000..cf1ae305d --- /dev/null +++ b/charts/kuma/kuma/2.9.1/templates/gateway-class.yaml @@ -0,0 +1,19 @@ +{{- if and (eq .Values.controlPlane.environment "kubernetes") (eq .Values.controlPlane.mode "zone") }} +{{- if .Capabilities.APIVersions.Has "gateway.networking.k8s.io/v1/GatewayClass" }} +--- +apiVersion: gateway.networking.k8s.io/v1 +kind: GatewayClass +metadata: + name: kuma +spec: + controllerName: "gateways.kuma.io/controller" +{{- else if .Capabilities.APIVersions.Has "gateway.networking.k8s.io/v1beta1/GatewayClass" }} +--- +apiVersion: gateway.networking.k8s.io/v1beta1 +kind: GatewayClass +metadata: + name: kuma +spec: + controllerName: "gateways.kuma.io/controller" +{{- end }} +{{- end }} diff --git a/charts/kuma/kuma/2.9.1/templates/ingress-deployment.yaml b/charts/kuma/kuma/2.9.1/templates/ingress-deployment.yaml new file mode 100644 index 000000000..fcefeaac6 --- /dev/null +++ b/charts/kuma/kuma/2.9.1/templates/ingress-deployment.yaml @@ -0,0 +1,142 @@ +{{- if .Values.ingress.enabled }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "kuma.name" . }}-ingress + namespace: {{ .Release.Namespace }} + labels: {{ include "kuma.ingressLabels" . | nindent 4 }} +spec: + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + {{- if not .Values.ingress.autoscaling.enabled }} + replicas: {{ .Values.ingress.replicas }} + {{- end }} + selector: + matchLabels: + {{- include "kuma.selectorLabels" . | nindent 6 }} + app: {{ include "kuma.name" . }}-ingress + template: + metadata: + annotations: + kuma.io/ingress: enabled + {{- range $key, $value := merge .Values.ingress.podAnnotations .Values.ingress.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} + labels: + {{- include "kuma.ingressLabels" . | nindent 8 }} + spec: + {{- with .Values.ingress.affinity }} + affinity: {{ tpl (toYaml . | nindent 8) $ }} + {{- end }} + {{- with .Values.ingress.topologySpreadConstraints }} + topologySpreadConstraints: {{ tpl (toYaml . | nindent 8) $ }} + {{- end }} + securityContext: + {{- toYaml .Values.ingress.podSecurityContext | trim | nindent 8 }} + serviceAccountName: {{ include "kuma.name" . }}-ingress + automountServiceAccountToken: {{ .Values.ingress.automountServiceAccountToken }} + {{- with .Values.ingress.nodeSelector }} + nodeSelector: + {{ toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.ingress.tolerations }} + tolerations: + {{ toYaml . | nindent 8 }} + {{- end }} + terminationGracePeriodSeconds: {{ .Values.ingress.terminationGracePeriodSeconds }} + {{ include "kuma.dnsConfig" (dict "dns" .Values.ingress.dns) | nindent 6 | trim }} + containers: + - name: ingress + image: {{ include "kuma.formatImage" (dict "image" .Values.dataPlane.image "root" $) | quote }} + imagePullPolicy: {{ .Values.dataPlane.image.pullPolicy }} + securityContext: + {{- toYaml .Values.ingress.containerSecurityContext | trim | nindent 12 }} + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: KUMA_CONTROL_PLANE_URL + value: "https://{{ include "kuma.controlPlane.serviceName" . }}.{{ .Release.Namespace }}:5678" + - name: KUMA_CONTROL_PLANE_CA_CERT_FILE + value: /var/run/secrets/kuma.io/cp-ca/ca.crt + - name: KUMA_DATAPLANE_DRAIN_TIME + value: {{ .Values.ingress.drainTime }} + - name: KUMA_DATAPLANE_RUNTIME_TOKEN_PATH + value: /var/run/secrets/kubernetes.io/serviceaccount/token + - name: KUMA_DATAPLANE_PROXY_TYPE + value: "ingress" + args: + - run + - --log-level={{ .Values.ingress.logLevel | default "info" }} + ports: + - containerPort: 10001 + livenessProbe: + httpGet: + path: "/ready" + port: 9901 + failureThreshold: 12 + initialDelaySeconds: 60 + periodSeconds: 5 + successThreshold: 1 + timeoutSeconds: 3 + readinessProbe: + httpGet: + path: "/ready" + port: 9901 + failureThreshold: 12 + initialDelaySeconds: 1 + periodSeconds: 5 + successThreshold: 1 + timeoutSeconds: 3 + resources: {{ toYaml .Values.ingress.resources | nindent 12 }} + {{ with .Values.ingress.lifecycle}} + lifecycle: {{ . | toYaml | nindent 12 }} + {{ end }} + volumeMounts: +{{- if not .Values.ingress.automountServiceAccountToken }} + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: serviceaccount-token + readOnly: true +{{- end }} + - name: control-plane-ca + mountPath: /var/run/secrets/kuma.io/cp-ca + readOnly: true + - name: tmp + mountPath: /tmp + volumes: +{{- if not .Values.ingress.automountServiceAccountToken }} + - name: serviceaccount-token + projected: + defaultMode: 420 + sources: + - serviceAccountToken: + expirationSeconds: 3600 + path: token + - configMap: + name: kube-root-ca.crt + items: + - key: ca.crt + path: ca.crt + - downwardAPI: + items: + - fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + path: namespace +{{- end }} + - name: control-plane-ca + secret: + secretName: {{ include "kuma.controlPlane.tls.general.caSecretName" . }} + items: + - key: ca.crt + path: ca.crt + - name: tmp + emptyDir: {} +{{- end }} diff --git a/charts/kuma/kuma/2.9.1/templates/ingress-hpa.yaml b/charts/kuma/kuma/2.9.1/templates/ingress-hpa.yaml new file mode 100644 index 000000000..4aaeabe67 --- /dev/null +++ b/charts/kuma/kuma/2.9.1/templates/ingress-hpa.yaml @@ -0,0 +1,24 @@ +{{- if .Values.ingress.autoscaling.enabled }} +{{ if .Capabilities.APIVersions.Has "autoscaling/v2" }} +apiVersion: "autoscaling/v2" +{{ else }} +apiVersion: "autoscaling/v1" +{{ end }} +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "kuma.name" . }}-ingress + namespace: {{ .Release.Namespace }} + labels: {{ include "kuma.ingressLabels" . | nindent 4 }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "kuma.name" . }}-ingress + minReplicas: {{ .Values.ingress.autoscaling.minReplicas }} + maxReplicas: {{ .Values.ingress.autoscaling.maxReplicas }} + {{ if .Capabilities.APIVersions.Has "autoscaling/v2" }} + metrics: {{- toYaml .Values.ingress.autoscaling.metrics | nindent 4 }} + {{ else }} + targetCPUUtilizationPercentage: {{ .Values.ingress.autoscaling.targetCPUUtilizationPercentage }} + {{- end }} +{{- end }} diff --git a/charts/kuma/kuma/2.9.1/templates/ingress-pdb.yaml b/charts/kuma/kuma/2.9.1/templates/ingress-pdb.yaml new file mode 100644 index 000000000..639d1b574 --- /dev/null +++ b/charts/kuma/kuma/2.9.1/templates/ingress-pdb.yaml @@ -0,0 +1,20 @@ +{{ if $.Values.ingress.podDisruptionBudget.enabled }} +{{ if .Capabilities.APIVersions.Has "policy/v1" }} +apiVersion: policy/v1 +{{ else if .Capabilities.APIVersions.Has "policy/v1beta1" }} +apiVersion: policy/v1beta1 +{{ else }} +{{ fail "pod disruption budgets are not supported by this version of kubernetes" }} +{{ end }} +kind: PodDisruptionBudget +metadata: + name: {{ include "kuma.name" . }}-ingress + namespace: {{ .Release.Namespace }} + labels: {{ include "kuma.ingressLabels" . | nindent 4 }} +spec: + maxUnavailable: {{ .Values.ingress.podDisruptionBudget.maxUnavailable }} + selector: + matchLabels: + {{- include "kuma.selectorLabels" . | nindent 6 }} + app: {{ include "kuma.name" . }}-ingress +{{ end }} diff --git a/charts/kuma/kuma/2.9.1/templates/ingress-rbac.yaml b/charts/kuma/kuma/2.9.1/templates/ingress-rbac.yaml new file mode 100644 index 000000000..e4e1d61ce --- /dev/null +++ b/charts/kuma/kuma/2.9.1/templates/ingress-rbac.yaml @@ -0,0 +1,18 @@ +{{- if .Values.ingress.enabled }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "kuma.name" . }}-ingress + namespace: {{ .Release.Namespace }} + labels: {{ include "kuma.ingressLabels" . | nindent 4 }} +{{- with .Values.ingress.serviceAccountAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} +{{- end }} +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: + {{- range . }} + - name: {{ . | quote }} + {{- end }} +{{- end }} +{{- end }} diff --git a/charts/kuma/kuma/2.9.1/templates/ingress-service.yaml b/charts/kuma/kuma/2.9.1/templates/ingress-service.yaml new file mode 100644 index 000000000..74a4dde90 --- /dev/null +++ b/charts/kuma/kuma/2.9.1/templates/ingress-service.yaml @@ -0,0 +1,32 @@ +{{- if .Values.ingress.enabled }} +{{- if or (eq .Values.controlPlane.mode "global") (eq .Values.controlPlane.mode "standalone") }} +{{ fail "You shouldn't run zoneIngress when running the CP in global or standalone" }} +{{- end }} +{{- end }} +{{- if and .Values.ingress.enabled .Values.ingress.service.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "kuma.ingress.serviceName" . }} + namespace: {{ .Release.Namespace }} + labels: {{ include "kuma.ingressLabels" . | nindent 4 }} + annotations: + {{- range $key, $value := .Values.ingress.service.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} +spec: + type: {{ .Values.ingress.service.type }} + {{- if .Values.ingress.service.loadBalancerIP }} + loadBalancerIP: {{ .Values.ingress.service.loadBalancerIP }} + {{- end }} + ports: + - port: {{ .Values.ingress.service.port }} + protocol: TCP + targetPort: 10001 + {{- if and (eq .Values.ingress.service.type "NodePort") .Values.ingress.service.nodePort }} + nodePort: {{ .Values.ingress.service.nodePort }} + {{- end }} + selector: + app: {{ include "kuma.name" . }}-ingress + {{- include "kuma.selectorLabels" . | nindent 4 }} +{{- end }} diff --git a/charts/kuma/kuma/2.9.1/templates/post-delete-cleanup-ebpf-job.yaml b/charts/kuma/kuma/2.9.1/templates/post-delete-cleanup-ebpf-job.yaml new file mode 100644 index 000000000..aaa3166ff --- /dev/null +++ b/charts/kuma/kuma/2.9.1/templates/post-delete-cleanup-ebpf-job.yaml @@ -0,0 +1,126 @@ +{{- if and (.Values.experimental.ebpf.enabled) (and (not .Values.cni.enabled) (not .Values.noHelmHooks) (eq .Values.controlPlane.environment "kubernetes")) }} + {{- $serviceAccountName := printf "%s-cleanup-node-ebpf-job" (include "kuma.name" .) }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ $serviceAccountName }} + namespace: {{ .Release.Namespace }} + annotations: + "helm.sh/hook": "post-delete" + "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded,hook-failed" + labels: + {{- include "kuma.labels" . | nindent 4 }} +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: + {{- range . }} + - name: {{ . | quote }} + {{- end }} +{{- end }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "kuma.name" . }}-cleanup-node-ebpf-job + namespace: {{ .Release.Namespace }} + annotations: + "helm.sh/hook": "post-delete" + "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded,hook-failed" + labels: + {{- include "kuma.labels" . | nindent 4 }} +rules: + - apiGroups: [""] + resources: + - nodes + verbs: + - list + - apiGroups: [""] + resources: + - pods + verbs: + - watch + - delete + - deletecollection + - apiGroups: ["batch"] + resources: + - jobs + verbs: + - watch + - create + - delete + - deletecollection +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "kuma.name" . }}-cleanup-node-ebpf-job + namespace: {{ .Release.Namespace }} + annotations: + "helm.sh/hook": "post-delete" + "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded,hook-failed" + labels: + {{- include "kuma.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "kuma.name" . }}-cleanup-node-ebpf-job +subjects: + - kind: ServiceAccount + name: {{ $serviceAccountName }} + namespace: {{ .Release.Namespace }} +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "kuma.name" . }}-cleanup-node-ebpf-job + namespace: {{ .Release.Namespace }} + labels: + {{ include "kuma.labels" . | nindent 4 }} + annotations: + "helm.sh/hook": "post-delete" + {{/* Ensure the job is created after the RBAC resources */}} + "helm.sh/hook-weight": "5" + "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded,hook-failed" +spec: + template: + metadata: + name: {{ template "kuma.name" . }}-cleanup-node-ebpf-job + labels: + {{ include "kuma.labels" . | nindent 8 }} + spec: + serviceAccountName: {{ $serviceAccountName }} + {{- with .Values.hooks.nodeSelector }} + nodeSelector: + {{ toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.hooks.tolerations }} + tolerations: + {{ toYaml . | nindent 8 }} + {{- end }} + restartPolicy: OnFailure + {{- if .Values.hooks.ebpfCleanup.podSecurityContext }} + securityContext: + {{ toYaml .Values.hooks.ebpfCleanup.podSecurityContext | trim | nindent 8 }} + {{- end }} + containers: + - name: post-delete-job + image: {{ include "kuma.formatImage" (dict "image" .Values.dataPlane.initImage "root" $) | quote }} + {{- if .Values.hooks.ebpfCleanup.containerSecurityContext }} + securityContext: + {{ toYaml .Values.hooks.ebpfCleanup.containerSecurityContext | trim | nindent 12 }} + {{- end }} + resources: + requests: + cpu: "20m" + memory: "20Mi" + limits: + cpu: "40m" + memory: "40Mi" + command: + - 'kumactl' + - 'uninstall' + - 'ebpf' + - '--cleanup-image-registry' + - {{ .Values.global.image.registry }} + - '--cleanup-image-repository' + - {{ .Values.dataPlane.initImage.repository }} + {{- end }} diff --git a/charts/kuma/kuma/2.9.1/templates/pre-delete-webhooks.yaml b/charts/kuma/kuma/2.9.1/templates/pre-delete-webhooks.yaml new file mode 100644 index 000000000..e6948af2f --- /dev/null +++ b/charts/kuma/kuma/2.9.1/templates/pre-delete-webhooks.yaml @@ -0,0 +1,109 @@ +{{- if and (eq .Values.controlPlane.environment "kubernetes") (not .Values.noHelmHooks) }} +# HELM first deletes RBAC of Kuma, then it tries to delete Secrets. We've got validating webhook on Secrets. +# But even that the policy of this webhook is Ignore, it fails because Kuma does not have permission to access Secrets anymore. +# Therefore we first need to delete webhook so we can delete the rest of the deployment +{{- $serviceAccountName := printf "%s-pre-delete-job" (include "kuma.name" .) }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ $serviceAccountName }} + namespace: {{ .Release.Namespace }} + annotations: + "helm.sh/hook": "pre-delete" + "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded,hook-failed" + labels: + {{- include "kuma.labels" . | nindent 4 }} +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: + {{- range . }} + - name: {{ . | quote }} + {{- end }} +{{- end }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "kuma.name" . }}-pre-delete-job + annotations: + "helm.sh/hook": "pre-delete" + "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded,hook-failed" + labels: + {{- include "kuma.labels" . | nindent 4 }} +rules: + - apiGroups: + - admissionregistration.k8s.io + resources: + - validatingwebhookconfigurations + resourceNames: + - {{ include "kuma.name" . }}-validating-webhook-configuration + verbs: + - delete +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "kuma.name" . }}-pre-delete-job + annotations: + "helm.sh/hook": "pre-delete" + "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded,hook-failed" + labels: + {{- include "kuma.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "kuma.name" . }}-pre-delete-job +subjects: + - kind: ServiceAccount + name: {{ $serviceAccountName }} + namespace: {{ .Release.Namespace }} +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "kuma.name" . }}-delete-webhook + namespace: {{ .Release.Namespace }} + labels: + {{ include "kuma.labels" . | nindent 4 }} + annotations: + "helm.sh/hook": "pre-delete" + {{/* Ensure the job is created after the RBAC resources */}} + "helm.sh/hook-weight": "5" + "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded,hook-failed" +spec: + template: + metadata: + name: {{ template "kuma.name" . }}-delete-webhook + labels: + {{ include "kuma.labels" . | nindent 8 }} + spec: + serviceAccountName: {{ $serviceAccountName }} + {{- with .Values.hooks.nodeSelector }} + nodeSelector: + {{ toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.hooks.tolerations }} + tolerations: + {{ toYaml . | nindent 8 }} + {{- end }} + restartPolicy: OnFailure + securityContext: + {{- toYaml .Values.hooks.podSecurityContext | trim | nindent 8 }} + containers: + - name: pre-delete-job + image: "{{ .Values.kubectl.image.registry }}/{{ .Values.kubectl.image.repository }}:{{ .Values.kubectl.image.tag }}" + command: + - 'kubectl' + - 'delete' + - 'ValidatingWebhookConfiguration' + - '--ignore-not-found' + - {{ include "kuma.name" . }}-validating-webhook-configuration + securityContext: + {{- toYaml (mergeOverwrite (dict "runAsUser" 65534) .Values.hooks.containerSecurityContext) | trim | nindent 12 }} + resources: + requests: + cpu: "100m" + memory: "256Mi" + limits: + cpu: "100m" + memory: "256Mi" +{{- end }} diff --git a/charts/kuma/kuma/2.9.1/templates/pre-install-patch-namespace-job.yaml b/charts/kuma/kuma/2.9.1/templates/pre-install-patch-namespace-job.yaml new file mode 100644 index 000000000..a84d7accf --- /dev/null +++ b/charts/kuma/kuma/2.9.1/templates/pre-install-patch-namespace-job.yaml @@ -0,0 +1,124 @@ +{{- if and ( .Values.noHelmHooks ) (eq .Values.controlPlane.environment "kubernetes") }} + {{- $errorMessage := ".Values.noHelmHooks is set. You must manually create and label the system namespace with kuma.io/system-namespace: \"true\" before installing or upgrading the chart" }} + {{- $systemNamespace := (lookup "v1" "Namespace" "" .Release.Namespace) }} + {{- if not $systemNamespace }} + {{- fail $errorMessage }} + {{- end }} + {{- $systemNamespaceLabels := ($systemNamespace).metadata.labels }} + {{- if ne (get $systemNamespaceLabels "kuma.io/system-namespace") "true" }} + {{- fail $errorMessage }} + {{- end }} +{{- else}} + {{- if .Values.patchSystemNamespace }} + {{- $serviceAccountName := printf "%s-patch-ns-job" (include "kuma.name" .) }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ $serviceAccountName }} + namespace: {{ .Release.Namespace }} + annotations: + "helm.sh/hook": "pre-install" + "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded,hook-failed" + labels: + {{- include "kuma.labels" . | nindent 4 }} +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: + {{- range . }} + - name: {{ . | quote }} + {{- end }} +{{- end }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "kuma.name" . }}-patch-ns-job + namespace: {{ .Release.Namespace }} + annotations: + "helm.sh/hook": "pre-install" + "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded,hook-failed" + labels: + {{- include "kuma.labels" . | nindent 4 }} +rules: + - apiGroups: + - "" + resources: + - namespaces + resourceNames: + - {{ .Release.Namespace }} + verbs: + - get + - patch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "kuma.name" . }}-patch-ns-job + namespace: {{ .Release.Namespace }} + annotations: + "helm.sh/hook": "pre-install" + "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded,hook-failed" + labels: + {{- include "kuma.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "kuma.name" . }}-patch-ns-job +subjects: + - kind: ServiceAccount + name: {{ $serviceAccountName }} + namespace: {{ .Release.Namespace }} +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "kuma.name" . }}-patch-ns + namespace: {{ .Release.Namespace }} + labels: + {{ include "kuma.labels" . | nindent 4 }} + annotations: + "helm.sh/hook": "pre-install" + {{/* Ensure the job is created after the RBAC resources */}} + "helm.sh/hook-weight": "5" + "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded,hook-failed" +spec: + template: + metadata: + name: {{ template "kuma.name" . }}-patch-ns-script + labels: + {{ include "kuma.labels" . | nindent 8 }} + spec: + serviceAccountName: {{ $serviceAccountName }} + {{- with .Values.hooks.nodeSelector }} + nodeSelector: + {{ toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.hooks.tolerations }} + tolerations: + {{ toYaml . | nindent 8 }} + {{- end }} + restartPolicy: OnFailure + securityContext: + {{- toYaml .Values.hooks.podSecurityContext | trim | nindent 8 }} + containers: + - name: pre-install-job + image: "{{ .Values.kubectl.image.registry }}/{{ .Values.kubectl.image.repository }}:{{ .Values.kubectl.image.tag }}" + securityContext: + {{- toYaml (mergeOverwrite (dict "runAsUser" 65534) .Values.hooks.containerSecurityContext) | trim | nindent 12 }} + resources: + requests: + cpu: "100m" + memory: "256Mi" + limits: + cpu: "100m" + memory: "256Mi" + command: + - 'kubectl' + - 'patch' + - 'namespace' + - {{ .Release.Namespace | quote }} + - '--type' + - 'merge' + - '--patch' + - '{ "metadata": { "labels": { "kuma.io/system-namespace": "true" } } }' + {{- end }} +{{- end }} diff --git a/charts/kuma/kuma/2.9.1/templates/pre-upgrade-install-crds-job.yaml b/charts/kuma/kuma/2.9.1/templates/pre-upgrade-install-crds-job.yaml new file mode 100644 index 000000000..8fadf1722 --- /dev/null +++ b/charts/kuma/kuma/2.9.1/templates/pre-upgrade-install-crds-job.yaml @@ -0,0 +1,171 @@ +{{- if (and .Values.installCrdsOnUpgrade.enabled (and (not .Values.noHelmHooks) (eq .Values.controlPlane.environment "kubernetes"))) }} + {{ $hook := "pre-upgrade,pre-install" }} + {{- $serviceAccountName := printf "%s-install-crds" (include "kuma.name" .) }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ $serviceAccountName }} + namespace: {{ .Release.Namespace }} + annotations: + "helm.sh/hook": "{{ $hook }}" + "helm.sh/hook-weight": "-1" + "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded,hook-failed" + labels: + {{- include "kuma.labels" . | nindent 4 }} +{{- with concat .Values.installCrdsOnUpgrade.imagePullSecrets .Values.global.imagePullSecrets | uniq }} +imagePullSecrets: + {{- range . }} + - name: {{ . | quote }} + {{- end }} +{{- end }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "kuma.name" . }}-install-crds + annotations: + "helm.sh/hook": "{{ $hook }}" + "helm.sh/hook-weight": "-1" + "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded,hook-failed" + labels: + {{- include "kuma.labels" . | nindent 4 }} +rules: + - apiGroups: + - "apiextensions.k8s.io" + resources: + - customresourcedefinitions + verbs: + - create + - patch + - update + - list + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "kuma.name" . }}-install-crds + annotations: + "helm.sh/hook": "{{ $hook }}" + "helm.sh/hook-weight": "-1" + "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded,hook-failed" + labels: + {{- include "kuma.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "kuma.name" . }}-install-crds +subjects: + - kind: ServiceAccount + name: {{ $serviceAccountName }} + namespace: {{ .Release.Namespace }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "kuma.name" . }}-install-crds-scripts + namespace: {{ .Release.Namespace }} + annotations: + "helm.sh/hook": "{{ $hook }}" + "helm.sh/hook-weight": "-1" + "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded" + labels: + {{- include "kuma.labels" . | nindent 4 }} +data: + install_crds.sh: | + #!/usr/bin/env sh + set -e + + if [ -s /kuma/crds/crds.yaml ]; then + echo "/kuma/crds/crds.yaml found and is not empty, adding crds" + kubectl apply -f /kuma/crds/crds.yaml + else + echo "/kuma/crds/crds.yaml not found or empty, it looks like there is no crds to install" + fi + save_crds.sh: | + set -e + + crds="$(kumactl install crds --no-config)" + + if [ -n "${crds}" ]; then + echo "found crds - saving to /kuma/crds/crds.yaml" + echo "${crds}" > /kuma/crds/crds.yaml + fi +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "kuma.name" . }}-install-crds + namespace: {{ .Release.Namespace }} + labels: + {{ include "kuma.labels" . | nindent 4 }} + annotations: + "helm.sh/hook": "{{ $hook }}" + "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded" +spec: + template: + metadata: + name: {{ template "kuma.name" . }}-install-crds-job + labels: + {{ include "kuma.labels" . | nindent 8 }} + spec: + serviceAccountName: {{ $serviceAccountName }} + {{- with .Values.hooks.nodeSelector }} + nodeSelector: + {{ toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.hooks.tolerations }} + tolerations: + {{ toYaml . | nindent 8 }} + {{- end }} + restartPolicy: OnFailure + securityContext: + {{- toYaml .Values.hooks.podSecurityContext | trim | nindent 8 }} + containers: + - name: pre-upgrade-job + image: "{{ .Values.kubectl.image.registry }}/{{ .Values.kubectl.image.repository }}:{{ .Values.kubectl.image.tag }}" + securityContext: + {{- toYaml (mergeOverwrite (dict "runAsUser" 65534) .Values.hooks.containerSecurityContext) | trim | nindent 12 }} + resources: + requests: + cpu: "100m" + memory: "256Mi" + limits: + cpu: "100m" + memory: "256Mi" + command: ["/kuma/scripts/install_crds.sh"] + volumeMounts: + - mountPath: /kuma/crds + name: crds + readOnly: true + - mountPath: /kuma/scripts + name: scripts + readOnly: true + initContainers: + - name: pre-upgrade-job-init + image: {{ include "kuma.formatImage" (dict "image" .Values.kumactl.image "root" $) | quote }} + securityContext: + {{- toYaml .Values.hooks.containerSecurityContext | trim | nindent 12 }} + resources: + requests: + cpu: "100m" + memory: "256Mi" + limits: + cpu: "100m" + memory: "256Mi" + volumeMounts: + - mountPath: /kuma/crds + name: crds + - mountPath: /kuma/scripts + name: scripts + readOnly: true + command: ["sh", "-c"] + args: ["/kuma/scripts/save_crds.sh"] + volumes: + - name: scripts + configMap: + name: {{ include "kuma.name" . }}-install-crds-scripts + defaultMode: 0755 + - name: crds + emptyDir: {} +{{- end }} diff --git a/charts/kuma/kuma/2.9.1/values.yaml b/charts/kuma/kuma/2.9.1/values.yaml new file mode 100644 index 000000000..766792e5b --- /dev/null +++ b/charts/kuma/kuma/2.9.1/values.yaml @@ -0,0 +1,903 @@ +global: + image: + # -- Default registry for all Kuma Images + registry: "docker.io/kumahq" + # -- The default tag for all Kuma images, which itself defaults to .Chart.AppVersion + tag: + # -- Add `imagePullSecrets` to all the service accounts used for Kuma components + imagePullSecrets: [] + +# -- Whether to patch the target namespace with the system label +patchSystemNamespace: true + +installCrdsOnUpgrade: + # -- Whether install new CRDs before upgrade (if any were introduced with the new version of Kuma) + enabled: true + # -- The `imagePullSecrets` to attach to the Service Account running CRD installation. + # This field will be deprecated in a future release, please use .global.imagePullSecrets + imagePullSecrets: [] + +# -- Whether to disable all helm hooks +noHelmHooks: false + +# -- Whether to restart control-plane by calculating a new checksum for the secret +restartOnSecretChange: true + +controlPlane: + # -- Environment that control plane is run in, useful when running universal global control plane on k8s + environment: "kubernetes" + + # -- Labels to add to resources in addition to default labels + extraLabels: {} + + # -- Kuma CP log level: one of off,info,debug + logLevel: "info" + + # -- Kuma CP log output path: Defaults to /dev/stdout + logOutputPath: "" + + # -- Kuma CP modes: one of zone,global + mode: "zone" + + # -- (string) Kuma CP zone, if running multizone + zone: + + # -- Only used in `zone` mode + kdsGlobalAddress: "" + + # -- Number of replicas of the Kuma CP. Ignored when autoscaling is enabled + replicas: 1 + + # -- Minimum number of seconds for which a newly created pod should be ready for it to be considered available. + minReadySeconds: 0 + + # -- Annotations applied only to the `Deployment` resource + deploymentAnnotations: {} + + # -- Annotations applied only to the `Pod` resource + podAnnotations: {} + + # Horizontal Pod Autoscaling configuration + autoscaling: + # -- Whether to enable Horizontal Pod Autoscaling, which requires the [Metrics Server](https://github.com/kubernetes-sigs/metrics-server) in the cluster + enabled: false + + # -- The minimum CP pods to allow + minReplicas: 2 + # -- The max CP pods to scale to + maxReplicas: 5 + + # -- For clusters that don't support autoscaling/v2, autoscaling/v1 is used + targetCPUUtilizationPercentage: 80 + # -- For clusters that do support autoscaling/v2, use metrics + metrics: + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: 80 + + # -- Node selector for the Kuma Control Plane pods + nodeSelector: + kubernetes.io/os: linux + + # -- Tolerations for the Kuma Control Plane pods + tolerations: [] + + podDisruptionBudget: + # -- Whether to create a pod disruption budget + enabled: false + # -- The maximum number of unavailable pods allowed by the budget + maxUnavailable: 1 + + # -- Affinity placement rule for the Kuma Control Plane pods. + # This is rendered as a template, so you can reference other helm variables or includes. + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 100 + podAffinityTerm: + labelSelector: + # These match the selector labels used on the deployment. + matchExpressions: + - key: app.kubernetes.io/name + operator: In + values: + - '{{ include "kuma.name" . }}' + - key: app.kubernetes.io/instance + operator: In + values: + - '{{ .Release.Name }}' + - key: app + operator: In + values: + - '{{ include "kuma.name" . }}-control-plane' + topologyKey: kubernetes.io/hostname + + # -- Topology spread constraints rule for the Kuma Control Plane pods. + # This is rendered as a template, so you can use variables to generate match labels. + topologySpreadConstraints: + + # -- Failure policy of the mutating webhook implemented by the Kuma Injector component + injectorFailurePolicy: Fail + + service: + apiServer: + http: + # -- Port on which Http api server Service is exposed on Node for service of type NodePort + nodePort: 30681 + https: + # -- Port on which Https api server Service is exposed on Node for service of type NodePort + nodePort: 30682 + + # -- Whether to create a service resource. + enabled: true + + # -- (string) Optionally override of the Kuma Control Plane Service's name + name: + + # -- Service type of the Kuma Control Plane + type: ClusterIP + + # -- Annotations to put on the Kuma Control Plane + annotations: + prometheus.io/scrape: "true" + prometheus.io/port: "5680" + + # Kuma API and GUI ingress settings. Useful if you want to expose the + # API and GUI of Kuma outside the k8s cluster. + ingress: + # -- Install K8s Ingress resource that exposes GUI and API + enabled: false + # -- IngressClass defines which controller will implement the resource + ingressClassName: + # -- Ingress hostname + hostname: + # -- Map of ingress annotations. + annotations: {} + # -- Ingress path. + path: / + # -- Each path in an Ingress is required to have a corresponding path type. (ImplementationSpecific/Exact/Prefix) + pathType: ImplementationSpecific + # -- Port from kuma-cp to use to expose API and GUI. Switch to 5682 to expose TLS port + servicePort: 5681 + + globalZoneSyncService: + # -- Whether to create a k8s service for the global zone sync + # service. It will only be created when enabled and deploying the global + # control plane. + enabled: true + # -- Service type of the Global-zone sync + type: LoadBalancer + # -- (string) Optionally specify IP to be used by cloud provider when configuring load balancer + loadBalancerIP: + # -- Optionally specify allowed source ranges that can access the load balancer + loadBalancerSourceRanges: [] + # -- Additional annotations to put on the Global Zone Sync Service + annotations: { } + # -- Port on which Global Zone Sync Service is exposed on Node for service of type NodePort + nodePort: 30685 + # -- Port on which Global Zone Sync Service is exposed + port: 5685 + # -- Protocol of the Global Zone Sync service port + protocol: grpc + + defaults: + # -- Whether to skip creating the default Mesh + skipMeshCreation: false + + # -- Whether to automountServiceAccountToken for cp. Optionally set to false + automountServiceAccountToken: true + + # -- Optionally override the resource spec + resources: + requests: + cpu: 500m + memory: 256Mi + limits: + memory: 256Mi + + # -- Pod lifecycle settings (useful for adding a preStop hook, when + # using AWS ALB or NLB) + lifecycle: {} + + # -- Number of seconds to wait before force killing the pod. Make sure to + # update this if you add a preStop hook. + terminationGracePeriodSeconds: 30 + + # TLS for various servers + tls: + general: + # -- Secret that contains tls.crt, tls.key [and ca.crt when no + # controlPlane.tls.general.caSecretName specified] for protecting + # Kuma in-cluster communication + secretName: "" + # -- Secret that contains ca.crt that was used to sign cert for protecting + # Kuma in-cluster communication (ca.crt present in this secret + # have precedence over the one provided in the controlPlane.tls.general.secretName) + caSecretName: "" + # -- Base64 encoded CA certificate (the same as in controlPlane.tls.general.secret#ca.crt) + caBundle: "" + apiServer: + # -- Secret that contains tls.crt, tls.key for protecting Kuma API on HTTPS + secretName: "" + # -- Secret that contains list of .pem certificates that can access admin endpoints of Kuma API on HTTPS + clientCertsSecretName: "" + # - if not creating the global control plane, then do nothing + # - if secretName is empty and create is false, then do nothing + # - if secretName is non-empty and create is false, then use the secret made outside of helm with the name secretName + # - if secretName is empty and create is true, then create a secret with a default name and use it + # - if secretName is non-empty and create is true, then create the secret using the provided name + kdsGlobalServer: + # -- Name of the K8s TLS Secret resource. If you set this and don't set + # create=true, you have to create the secret manually. + secretName: "" + # -- Whether to create the TLS secret in helm. + create: false + # -- The TLS certificate to offer. + cert: "" + # -- The TLS key to use. + key: "" + # - if not creating the zonal control plane, then do nothing + # - if secretName is empty and create is false, then do nothing + # - if secretName is non-empty and create is false, then use the secret made outside of helm with the name secretName + # - if secretName is empty and create is true, then create a secret with a default name and use it + # - if secretName is non-empty and create is true, then create the secret using the provided name + kdsZoneClient: + # -- Name of the K8s Secret resource that contains ca.crt which was + # used to sign the certificate of KDS Global Server. If you set this + # and don't set create=true, you have to create the secret manually. + secretName: "" + # -- Whether to create the TLS secret in helm. + create: false + # -- CA bundle that was used to sign the certificate of KDS Global Server. + cert: "" + # -- If true, TLS cert of the server is not verified. + skipVerify: false + + # -- Annotations to add for Control Plane's Service Account + serviceAccountAnnotations: { } + + image: + # -- Kuma CP ImagePullPolicy + pullPolicy: IfNotPresent + # -- Kuma CP image repository + repository: "kuma-cp" + # -- Kuma CP Image tag. When not specified, the value is copied from global.tag + tag: + + # -- (object with { Env: string, Secret: string, Key: string }) Secrets to add as environment variables, + # where `Env` is the name of the env variable, + # `Secret` is the name of the Secret, + # and `Key` is the key of the Secret value to use + secrets: + # someSecret: + # Secret: some-secret + # Key: secret_key + # Env: SOME_SECRET + + # -- Additional environment variables that will be passed to the control plane + envVars: { } + + # -- Additional environment variables that will be passed to the control plane. Can be used with Kubernetes downward API + envVarEntries: + # - name: MY_NODE_NAME + # valueFrom: + # fieldRef: + # fieldPath: spec.nodeName + + # -- Additional config maps to mount into the control plane, with optional inline values + extraConfigMaps: [ ] +# - name: extra-config +# mountPath: /etc/extra-config +# readOnly: true +# values: +# extra-config-key: | +# extra-config-value + + # -- (object with { name: string, mountPath: string, readOnly: string }) Additional secrets to mount into the control plane, + # where `Env` is the name of the env variable, + # `Secret` is the name of the Secret, + # and `Key` is the key of the Secret value to use + extraSecrets: + # extraConfig: + # name: extra-config + # mountPath: /etc/extra-config + # readOnly: true + + webhooks: + validator: + # -- Additional rules to apply on Kuma validator webhook. Useful when building custom policy on top of Kuma. + additionalRules: "" + ownerReference: + # -- Additional rules to apply on Kuma owner reference webhook. Useful when building custom policy on top of Kuma. + additionalRules: "" + + # -- Specifies if the deployment should be started in hostNetwork mode. + hostNetwork: false + # -- Define a new server port for the admission controller. Recommended to set in combination with + # hostNetwork to prevent multiple port bindings on the same port (like Calico in AWS EKS). + admissionServerPort: 5443 + + # -- Security context at the pod level for control plane. + podSecurityContext: + runAsNonRoot: true + + # -- Security context at the container level for control plane. + containerSecurityContext: + readOnlyRootFilesystem: true + + # -- If true, then control plane can support TLS secrets for builtin gateway outside of mesh system namespace. + # The downside is that control plane requires permission to read Secrets in all namespaces. + supportGatewaySecretsInAllNamespaces: false + # -- DNS configuration for the control-plane pod. + # This is equivalent to the [Kubernetes DNS policy](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy). + dns: + # -- Defines how DNS resolution is configured for that Pod. + policy: "" + # -- Optional dns configuration, required when policy is 'None' + config: + # -- A list of IP addresses that will be used as DNS servers for the Pod. There can be at most 3 IP addresses specified. + nameservers: [] + # -- A list of DNS search domains for hostname lookup in the Pod. + searches: [] + +cni: + # -- Install Kuma with CNI instead of proxy init container + enabled: false + # -- Install CNI in chained mode + chained: false + # -- Set the CNI install directory + netDir: /etc/cni/multus/net.d + # -- Set the CNI bin directory + binDir: /var/lib/cni/bin + # -- Set the CNI configuration name + confName: kuma-cni.conf + # -- CNI log level: one of off,info,debug + logLevel: info + # -- Node Selector for the CNI pods + nodeSelector: + kubernetes.io/os: linux + # -- Tolerations for the CNI pods + tolerations: [] + # -- Additional pod annotations + podAnnotations: { } + # -- Set the CNI namespace + namespace: kube-system + + image: + # -- CNI image repository + repository: "kuma-cni" + # -- CNI image tag - defaults to .Chart.AppVersion + tag: + # -- CNI image pull policy + imagePullPolicy: IfNotPresent + + # -- it's only useful in tests to trigger a possible race condition + delayStartupSeconds: 0 + + # -- use new CNI (experimental) + experimental: + imageEbpf: + # -- CNI experimental eBPF image registry + registry: "docker.io/kumahq" + # -- CNI experimental eBPF image repository + repository: "merbridge" + # -- CNI experimental eBPF image tag + tag: "0.8.5" + + resources: + requests: + cpu: 100m + memory: 100Mi + limits: + memory: 100Mi + + # -- Security context at the pod level for cni + podSecurityContext: {} + + # -- Security context at the container level for cni + containerSecurityContext: + readOnlyRootFilesystem: true + runAsNonRoot: false + runAsUser: 0 + runAsGroup: 0 + +dataPlane: + # -- If true, then turn on CoreDNS query logging + dnsLogging: false + image: + # -- The Kuma DP image repository + repository: "kuma-dp" + # -- Kuma DP ImagePullPolicy + pullPolicy: IfNotPresent + # -- Kuma DP Image Tag. When not specified, the value is copied from global.tag + tag: + + initImage: + # -- The Kuma DP init image repository + repository: "kuma-init" + # -- Kuma DP init image tag When not specified, the value is copied from global.tag + tag: + +ingress: + # -- If true, it deploys Ingress for cross cluster communication + enabled: false + + # -- Labels to add to resources, in addition to default labels + extraLabels: {} + + # -- Time for which old listener will still be active as draining + drainTime: 30s + + # -- Number of replicas of the Ingress. Ignored when autoscaling is enabled. + replicas: 1 + + # -- Log level for ingress (available values: off|info|debug) + logLevel: info + + # -- Define the resources to allocate to mesh ingress + resources: + requests: + cpu: 50m + memory: 64Mi + limits: + cpu: 1000m + memory: 512Mi + + # -- Pod lifecycle settings (useful for adding a preStop hook, when + # using AWS ALB or NLB) + lifecycle: {} + + # -- Number of seconds to wait before force killing the pod. Make sure to + # update this if you add a preStop hook. + terminationGracePeriodSeconds: 40 + + # Horizontal Pod Autoscaling configuration + autoscaling: + # -- Whether to enable Horizontal Pod Autoscaling, which requires the [Metrics Server](https://github.com/kubernetes-sigs/metrics-server) in the cluster + enabled: false + + # -- The minimum CP pods to allow + minReplicas: 2 + # -- The max CP pods to scale to + maxReplicas: 5 + + # -- For clusters that don't support autoscaling/v2, autoscaling/v1 is used + targetCPUUtilizationPercentage: 80 + # -- For clusters that do support autoscaling/v2, use metrics + metrics: + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: 80 + + service: + # -- Whether to create a Service resource. + enabled: true + # -- Service type of the Ingress + type: LoadBalancer + # -- (string) Optionally specify IP to be used by cloud provider when configuring load balancer + loadBalancerIP: + # -- Additional annotations to put on the Ingress service + annotations: { } + # -- Port on which Ingress is exposed + port: 10001 + # -- Port on which service is exposed on Node for service of type NodePort + nodePort: + # -- Additional pod annotations (deprecated favor `podAnnotations`) + annotations: { } + # -- Additional pod annotations + podAnnotations: { } + # -- Node Selector for the Ingress pods + nodeSelector: + kubernetes.io/os: linux + # -- Tolerations for the Ingress pods + tolerations: [] + podDisruptionBudget: + # -- Whether to create a pod disruption budget + enabled: false + # -- The maximum number of unavailable pods allowed by the budget + maxUnavailable: 1 + + # -- Affinity placement rule for the Kuma Ingress pods + # This is rendered as a template, so you can reference other helm variables + # or includes. + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 100 + podAffinityTerm: + labelSelector: + # These match the selector labels used on the deployment. + matchExpressions: + - key: app.kubernetes.io/name + operator: In + values: + - '{{ include "kuma.name" . }}' + - key: app.kubernetes.io/instance + operator: In + values: + - '{{ .Release.Name }}' + - key: app + operator: In + values: + - kuma-ingress + topologyKey: kubernetes.io/hostname + + # -- Topology spread constraints rule for the Kuma Mesh Ingress pods. + # This is rendered as a template, so you can use variables to generate match labels. + topologySpreadConstraints: + + # -- Security context at the pod level for ingress + podSecurityContext: + runAsNonRoot: true + runAsUser: 5678 + runAsGroup: 5678 + + # -- Security context at the container level for ingress + containerSecurityContext: + readOnlyRootFilesystem: true + + # -- Annotations to add for Control Plane's Service Account + serviceAccountAnnotations: { } + # -- Whether to automountServiceAccountToken for cp. Optionally set to false + automountServiceAccountToken: true + # -- DNS configuration for the ingress pod. + # This is equivalent to the [Kubernetes DNS policy](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy). + dns: + # -- Defines how DNS resolution is configured for that Pod. + policy: "" + # -- Optional dns configuration, required when policy is 'None' + config: + # -- A list of IP addresses that will be used as DNS servers for the Pod. There can be at most 3 IP addresses specified. + nameservers: [] + # -- A list of DNS search domains for hostname lookup in the Pod. + searches: [] + +egress: + # -- If true, it deploys Egress for cross cluster communication + enabled: false + # -- Labels to add to resources, in addition to the default labels. + extraLabels: {} + # -- Time for which old listener will still be active as draining + drainTime: 30s + # -- Number of replicas of the Egress. Ignored when autoscaling is enabled. + replicas: 1 + + # -- Log level for egress (available values: off|info|debug) + logLevel: info + + # Horizontal Pod Autoscaling configuration + autoscaling: + # -- Whether to enable Horizontal Pod Autoscaling, which requires the [Metrics Server](https://github.com/kubernetes-sigs/metrics-server) in the cluster + enabled: false + + # -- The minimum CP pods to allow + minReplicas: 2 + # -- The max CP pods to scale to + maxReplicas: 5 + + # -- For clusters that don't support autoscaling/v2, autoscaling/v1 is used + targetCPUUtilizationPercentage: 80 + # -- For clusters that do support autoscaling/v2, use metrics + metrics: + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: 80 + resources: + requests: + cpu: 50m + memory: 64Mi + limits: + cpu: 1000m + memory: 512Mi + + service: + # -- Whether to create the service object + enabled: true + # -- Service type of the Egress + type: ClusterIP + # -- (string) Optionally specify IP to be used by cloud provider when configuring load balancer + loadBalancerIP: + # -- Additional annotations to put on the Egress service + annotations: { } + # -- Port on which Egress is exposed + port: 10002 + # -- Port on which service is exposed on Node for service of type NodePort + nodePort: + # -- Additional pod annotations (deprecated favor `podAnnotations`) + annotations: { } + # -- Additional pod annotations + podAnnotations: { } + # -- Node Selector for the Egress pods + nodeSelector: + kubernetes.io/os: linux + # -- Tolerations for the Egress pods + tolerations: [] + podDisruptionBudget: + # -- Whether to create a pod disruption budget + enabled: false + # -- The maximum number of unavailable pods allowed by the budget + maxUnavailable: 1 + + # -- Affinity placement rule for the Kuma Egress pods. + # This is rendered as a template, so you can reference other helm variables or includes. + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 100 + podAffinityTerm: + labelSelector: + # These match the selector labels used on the deployment. + matchExpressions: + - key: app.kubernetes.io/name + operator: In + values: + - '{{ include "kuma.name" . }}' + - key: app.kubernetes.io/instance + operator: In + values: + - '{{ .Release.Name }}' + - key: app + operator: In + values: + - kuma-egress + topologyKey: kubernetes.io/hostname + + # -- Topology spread constraints rule for the Kuma Egress pods. + # This is rendered as a template, so you can use variables to generate match labels. + topologySpreadConstraints: + + # -- Security context at the pod level for egress + podSecurityContext: + runAsNonRoot: true + runAsUser: 5678 + runAsGroup: 5678 + + # -- Security context at the container level for egress + containerSecurityContext: + readOnlyRootFilesystem: true + + # -- Annotations to add for Control Plane's Service Account + serviceAccountAnnotations: { } + # -- Whether to automountServiceAccountToken for cp. Optionally set to false + automountServiceAccountToken: true + # -- DNS configuration for the egress pod. + # This is equivalent to the [Kubernetes DNS policy](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy). + dns: + # -- Defines how DNS resolution is configured for that Pod. + policy: "" + # -- Optional dns configuration, required when policy is 'None' + config: + # -- A list of IP addresses that will be used as DNS servers for the Pod. There can be at most 3 IP addresses specified. + nameservers: [] + # -- A list of DNS search domains for hostname lookup in the Pod. + searches: [] + +kumactl: + image: + # -- The kumactl image repository + repository: kumactl + # -- The kumactl image tag. When not specified, the value is copied from global.tag + tag: + +kubectl: + image: + # -- The kubectl image registry + registry: docker.io + # -- The kubectl image repository + repository: bitnami/kubectl + # -- The kubectl image tag + tag: "1.27.5" +hooks: + # -- Node selector for the HELM hooks + nodeSelector: + kubernetes.io/os: linux + # -- Tolerations for the HELM hooks + tolerations: [] + # -- Security context at the pod level for crd/webhook/ns + podSecurityContext: + runAsNonRoot: true + + # -- Security context at the container level for crd/webhook/ns + containerSecurityContext: + readOnlyRootFilesystem: true + + # -- ebpf-cleanup hook needs write access to the root filesystem to clean ebpf programs + # Changing below values will potentially break ebpf cleanup completely, + # so be cautious when doing so. + ebpfCleanup: + # -- Security context at the pod level for crd/webhook/cleanup-ebpf + podSecurityContext: + runAsNonRoot: false + # -- Security context at the container level for crd/webhook/cleanup-ebpf + containerSecurityContext: + readOnlyRootFilesystem: false + +transparentProxy: + configMap: + # -- If true, enables the use of a ConfigMap to manage transparent proxy configuration + # instead of directly configuring it within the Kuma system + enabled: false + # -- The name of the ConfigMap used to store the transparent proxy configuration + name: kuma-transparent-proxy-config + config: + # -- The username or UID of the user that will run kuma-dp. If not provided, the system will + # use the default UID ("5678") or the default username ("kuma-dp") + kumaDPUser: "5678" + # -- The IP family mode used for configuring traffic redirection in the transparent proxy + # Supports "dualstack" (for both IPv4 and IPv6) and "ipv4" modes + ipFamilyMode: dualstack + redirect: + dns: + # -- Enables DNS redirection in the transparent proxy + enabled: true + # -- Redirect all DNS queries + captureAll: true + # -- The port on which the DNS server listens + port: 15053 + # -- Path to the system's resolv.conf file + resolvConfigPath: /etc/resolv.conf + # -- Disables conntrack zone splitting, which can prevent potential DNS issues + skipConntrackZoneSplit: false + inbound: + # -- Enables inbound traffic redirection + enabled: true + # -- Port used for redirecting inbound traffic + port: 15006 + # -- List of ports to exclude from inbound traffic redirection + excludePorts: [] + # -- List of IP addresses to exclude from inbound traffic redirection for specific ports + excludePortsForIPs: [] + # -- List of UIDs to exclude from inbound traffic redirection for specific ports + excludePortsForUIDs: [] + # -- List of ports to include in inbound traffic redirection + includePorts: [] + # -- Inserts the redirection rule at the beginning of the chain instead of appending it + insertRedirectInsteadOfAppend: false + outbound: + # -- Enables outbound traffic redirection + enabled: true + # -- Port used for redirecting outbound traffic + port: 15001 + # -- List of ports to exclude from outbound traffic redirection + excludePorts: [] + # -- List of IP addresses to exclude from outbound traffic redirection for specific ports + excludePortsForIPs: [] + # -- List of UIDs to exclude from outbound traffic redirection for specific ports + excludePortsForUIDs: [] + # -- List of ports to include in outbound traffic redirection + includePorts: [] + # -- Inserts the redirection rule at the beginning of the chain instead of appending it + insertRedirectInsteadOfAppend: false + vnet: + # -- Specifies virtual networks using the format interfaceName:CIDR + # Allows matching traffic on specific network interfaces + # Examples: + # - "docker0:172.17.0.0/16" + # - "br+:172.18.0.0/16" (matches any interface starting with "br") + # - "iface:::1/64" (for IPv6) + networks: [] + ebpf: + # -- Enables eBPF support for handling traffic redirection in the transparent proxy + enabled: false + # -- The path of the BPF filesystem + bpffsPath: /run/kuma/bpf + # -- The path of cgroup2 + cgroupPath: /sys/fs/cgroup + # -- The name of the environment variable containing the IP address of the instance (pod/vm) + # where transparent proxy will be installed + instanceIPEnvVarName: "" + # -- Path where compiled eBPF programs and other necessary files for eBPF mode can be found + programsSourcePath: /tmp/kuma-ebpf + # -- The network interface for TC eBPF programs to bind to. If not provided, it will be + # automatically determined + tcAttachIface: "" + retry: + # -- The maximum number of retry attempts for operations + maxRetries: 4 + # -- The time duration to wait between retry attempts + sleepBetweenRetries: 2s + iptablesExecutables: + # -- Custom path for the iptables executable (IPv4) + iptables: "" + # -- Custom path for the iptables-save executable (IPv4) + iptables-save: "" + # -- Custom path for the iptables-restore executable (IPv4) + iptables-restore: "" + # -- Custom path for the ip6tables executable (IPv6) + ip6tables: "" + # -- Custom path for the ip6tables-save executable (IPv6) + ip6tables-save: "" + # -- Custom path for the ip6tables-restore executable (IPv6) + ip6tables-restore: "" + log: + # -- Enables logging of iptables rules for diagnostics and monitoring + enabled: false + comments: + # -- Disables comments in the generated iptables rules + disabled: false + # -- Time in seconds to wait for acquiring the xtables lock before failing + # Value 0 means wait indefinitely + wait: 5 + # -- Time interval between retries to acquire the xtables lock in seconds + waitInterval: 0 + # -- Drops invalid packets to avoid connection resets in high-throughput scenarios + dropInvalidPackets: false + # -- Enables firewalld support to store iptables rules + storeFirewalld: false + # -- Enables verbose mode with longer argument/flag names and additional comments + verbose: false + +experimental: + # Configuration for the experimental ebpf mode for transparent proxy + ebpf: + # -- If true, ebpf will be used instead of using iptables to install/configure transparent proxy + enabled: false + # -- Name of the environmental variable which will contain the IP address of a pod + instanceIPEnvVarName: INSTANCE_IP + # -- Path where BPF file system should be mounted + bpffsPath: /sys/fs/bpf + # -- Host's cgroup2 path + cgroupPath: /sys/fs/cgroup + # -- Name of the network interface which TC programs should be attached to, we'll try to automatically determine it if empty + tcAttachIface: "" + # -- Path where compiled eBPF programs which will be installed can be found + programsSourcePath: /tmp/kuma-ebpf + # -- If true, enable native Kubernetes sidecars. This requires at least + # Kubernetes v1.29 + sidecarContainers: false + +# Postgres' settings for universal control plane on k8s +postgres: + # -- Postgres port, password should be provided as a secret reference in "controlPlane.secrets" + # with the Env value "KUMA_STORE_POSTGRES_PASSWORD". + # Example: + # controlPlane: + # secrets: + # - Secret: postgres-postgresql + # Key: postgresql-password + # Env: KUMA_STORE_POSTGRES_PASSWORD + port: "5432" + # TLS settings + tls: + # -- Mode of TLS connection. Available values are: "disable", "verifyNone", "verifyCa", "verifyFull" + mode: disable # ENV: KUMA_STORE_POSTGRES_TLS_MODE + # -- Whether to disable SNI the postgres `sslsni` option. + disableSSLSNI: false # ENV: KUMA_STORE_POSTGRES_TLS_DISABLE_SSLSNI + # -- Secret name that contains the ca.crt + caSecretName: + # -- Secret name that contains the client tls.crt, tls.key + secretName: + +# @ignored for helm-docs +plugins: + resources: + hostnamegenerators: true + meshexternalservices: true + meshmultizoneservices: true + meshservices: true + policies: + meshaccesslogs: true + meshcircuitbreakers: true + meshfaultinjections: true + meshhealthchecks: true + meshhttproutes: true + meshloadbalancingstrategies: true + meshmetrics: true + meshpassthroughs: true + meshproxypatches: true + meshratelimits: true + meshretries: true + meshtcproutes: true + meshtimeouts: true + meshtlses: true + meshtraces: true + meshtrafficpermissions: true diff --git a/charts/netscaler/netscaler-cpx-with-ingress-controller/2.2.10/Chart.yaml b/charts/netscaler/netscaler-cpx-with-ingress-controller/2.2.10/Chart.yaml new file mode 100644 index 000000000..341bdd9e5 --- /dev/null +++ b/charts/netscaler/netscaler-cpx-with-ingress-controller/2.2.10/Chart.yaml @@ -0,0 +1,21 @@ +annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: NetScaler CPX with Ingress Controller + catalog.cattle.io/kube-version: '>=v1.16.0-0' + catalog.cattle.io/release-name: netscaler-cpx-with-ingress-controller +apiVersion: v2 +appVersion: 2.2.10 +description: A Helm chart for NetScaler CPX with NetScaler ingress Controller running + as sidecar. +home: https://www.netscaler.com +icon: file://assets/icons/netscaler-cpx-with-ingress-controller.png +kubeVersion: '>=v1.16.0-0' +maintainers: +- email: priyanka.sharma@cloud.com + name: priyankash-citrix +- email: subash.dangol@cloud.com + name: subashd +name: netscaler-cpx-with-ingress-controller +sources: +- https://github.com/netscaler/netscaler-k8s-ingress-controller +version: 2.2.10 diff --git a/charts/netscaler/netscaler-cpx-with-ingress-controller/2.2.10/README.md b/charts/netscaler/netscaler-cpx-with-ingress-controller/2.2.10/README.md new file mode 100644 index 000000000..c3dca3ff0 --- /dev/null +++ b/charts/netscaler/netscaler-cpx-with-ingress-controller/2.2.10/README.md @@ -0,0 +1,747 @@ +# NetScaler CPX with NetScaler Ingress Controller running as sidecar. + +In a [Kubernetes](https://kubernetes.io/) or [OpenShift](https://www.openshift.com) cluster, you can deploy [NetScaler CPX](https://docs.netscaler.com/en-us/citrix-adc-cpx/cpx/) with NetScaler ingress controller as a [sidecar](https://kubernetes.io/docs/concepts/workloads/pods/pod-overview/). The NetScaler CPX instance is used for load balancing the North-South traffic to the microservices in your cluster. And, the sidecar NetScaler ingress controller configures the NetScaler CPX. + +## TL;DR; + +### For Kubernetes + ``` + helm repo add netscaler https://netscaler.github.io/netscaler-helm-charts/ + + helm install netscaler-cpx-with-ingress-controller netscaler/netscaler-cpx-with-ingress-controller --set license.accept=yes + ``` + +### For OpenShift + + ``` + helm repo add netscaler https://netscaler.github.io/netscaler-helm-charts/ + + helm install netscaler-cpx-with-ingress-controller netscaler/netscaler-cpx-with-ingress-controller --set license.accept=yes,openshift=true + ``` + +> **Important:** +> +> The "license.accept" is a mandatory argument and should be set to "yes" to accept the terms of the NetScaler license. + +> **NOTE:** +> +> The CRDs supported by NetScaler will be installed automatically with the installation of the Helm Charts if CRDs are not already available in the cluster. + +## Introduction +This Helm chart deploys a NetScaler CPX with NetScaler ingress controller as a sidecar in the [Kubernetes](https://kubernetes.io/) or in the [Openshift](https://www.openshift.com) cluster using the [Helm](https://helm.sh/) package manager. + +### Prerequisites + +- The [Kubernetes](https://kubernetes.io/) version should be 1.16 and above if using Kubernetes environment. +- The [Openshift](https://www.openshift.com) version 4.8 or later if using OpenShift platform. +- The [Helm](https://helm.sh/) version 3.x or later. You can follow instruction given [here](https://github.com/netscaler/netscaler-helm-charts/blob/master/Helm_Installation_version_3.md) to install the same. +- You have installed [Prometheus Operator](https://github.com/coreos/prometheus-operator), if you want to view the metrics of the NetScaler CPX collected by the [metrics exporter](https://github.com/netscaler/netscaler-k8s-ingress-controller/tree/master/metrics-visualizer#visualization-of-metrics). +- Registration of NetScaler CPX in ADM: You may want to register your CPX in ADM for licensing or to obtain [servicegraph](https://docs.netscaler.com/en-us/citrix-application-delivery-management-service/application-analytics-and-management/service-graph.html). For this you will have to create a Kubernetes secret using ADM credentials and provide it while install the chart. Create a Kubernetes secret for the user name and password using the following command: + + ``` + kubectl create secret generic admlogin --from-literal=username= --from-literal=password= + ``` + +## Installing the Chart +Add the NetScaler Ingress Controller helm chart repository using command: + + ``` + helm repo add netscaler https://netscaler.github.io/netscaler-helm-charts/ + ``` + +### For Kubernetes: +#### 1. NetScaler CPX with NetScaler Ingress Controller running as side car. +To install the chart with the release name ``` my-release```: + + ``` + helm install my-release netscaler/netscaler-cpx-with-ingress-controller --set license.accept=yes,ingressClass[0]= + ``` + +> **Note:** +> +> By default the chart installs the recommended [RBAC](https://kubernetes.io/docs/admin/authorization/rbac/) roles and role bindings. + +The command deploys NetScaler CPX with NetScaler ingress controller as a sidecar on the Kubernetes cluster with the default configuration. The [configuration](#configuration) section lists the mandatory and optional parameters that you can configure during installation. + +#### 2. NetScaler CPX with NetScaler Ingress Controller and Exporter running as side car. +[Metrics exporter](https://github.com/netscaler/netscaler-k8s-ingress-controller/tree/master/metrics-visualizer#visualization-of-metrics) can be deployed as sidecar to the NetScaler CPX and collects metrics from the NetScaler CPX instance. You can then [visualize these metrics](https://docs.netscaler.com/en-us/citrix-k8s-ingress-controller/metrics/promotheus-grafana.html) using Prometheus Operator and Grafana. +> **Note:** +> +> Ensure that you have installed [Prometheus Operator](https://github.com/coreos/prometheus-operator). + +Use the following command for this: + ``` + helm install my-release netscaler/netscaler-cpx-with-ingress-controller --set license.accept=yes,ingressClass[0]=,exporter.required=true + ``` + +### For OpenShift: +Add the name of the service account created when the chart is deployed to the privileged Security Context Constraints of OpenShift: + + ``` + oc adm policy add-scc-to-user privileged system:serviceaccount:: + ``` + +#### 1. NetScaler CPX with NetScaler Ingress Controller running as side car. +To install the chart with the release name, `my-release`, use the following command: + ``` + helm install my-release netscaler/netscaler-cpx-with-ingress-controller --set license.accept=yes,openshift=true + ``` + +#### 2. NetScaler CPX with NetScaler Ingress Controller and Exporter running as side car. +[Metrics exporter](https://github.com/netscaler/netscaler-k8s-ingress-controller/tree/master/metrics-visualizer#visualization-of-metrics) can be deployed as sidecar to the NetScaler CPX and collects metrics from the NetScaler CPX instance. You can then [visualize these metrics](https://docs.netscaler.com/en-us/citrix-k8s-ingress-controller/metrics/promotheus-grafana.html) using Prometheus Operator and Grafana. +> **Note:** +> +> Ensure that you have installed [Prometheus Operator](https://github.com/coreos/prometheus-operator). + +Use the following command for this: + ``` + helm install my-release netscaler/netscaler-cpx-with-ingress-controller --set license.accept=yes,openshift=true,exporter.required=true + ``` + +### Installed components + +The following components are installed: + +- [NetScaler CPX](https://docs.netscaler.com/en-us/citrix-adc-cpx/current-release/about) +- [NetScaler ingress controller](https://github.com/netscaler/netscaler-k8s-ingress-controller) (if enabled) +- [Exporter](https://github.com/netscaler/netscaler-adc-metrics-exporter) (if enabled) + + +### NetScaler CPX Service Annotations: + + The parameter `serviceAnnotations` can be used to annotate CPX service while installing NetScaler CPX using this helm chart. + For example, if CPX is getting deployed in Azure and an Azure Internal Load Balancer is required before CPX then the annotation `service.beta.kubernetes.io/azure-load-balancer-internal:True` can be set in CPX service using Helm command: + + ``` + helm install my-release netscaler/netscaler-cpx-with-ingress-controller --set license.accept=yes,serviceAnnotations.service\\.beta\\.kubernetes\\.io/azure-load-balancer-internal=True + ``` + + or the same can be provided in [values.yaml](https://github.com/netscaler/netscaler-helm-charts/blob/master/netscaler-cpx-with-ingress-controller/values.yaml): + + ``` + license: + accept: yes + serviceAnnotations: + service.beta.kubernetes.io/azure-load-balancer-internal: True + ``` + + which can be used to install NetScaler CPX using Helm command: + + ``` + helm install my-release netscaler/netscaler-cpx-with-ingress-controller -f values.yaml + ``` + + To know more about service annotations supported by Kubernetes on various platforms please see [this](https://kubernetes.io/docs/concepts/services-networking/service/). + +### NetScaler CPX Service Ports: + + By default, port 80 and 443 of CPX service will exposed when CPX is installed using this helm chart. If it is required to expose any other ports in CPX service then the parameter `servicePorts` can be used for it. + For example, if port 9999 is required to be exposed then below helm command can be used for installing NetScaler CPX: + + ``` + helm install my-release netscaler/netscaler-cpx-with-ingress-controller --set license.accept=yes,servicePorts[0].port=9999,servicePorts[0].protocol=TCP,servicePorts[0].name=https + ``` + + or the same can be provided in [values.yaml](https://github.com/netscaler/netscaler-helm-charts/blob/master/netscaler-cpx-with-ingress-controller/values.yaml): + + ``` + license: + accept: yes + servicePorts: + - port: 9090 + protocol: TCP + name: https + ``` + + which can be used to install NetScaler using Helm command: + + ``` + helm install my-release netscaler/netscaler-cpx-with-ingress-controller -f values.yaml + ``` + +> **Note:** If `servicePorts` parameters is used, only ports provided in this parameter will be exposed in CPX service. +> If you want to expose default ports 80 or 443, then you will need to explicity mention these also in this parameter. + +### Configuration for ServiceGraph: + If NetScaler CPX need to send data to the NetScaler ADM to bring up the servicegraph, then the below steps can be followed to install NetScaler CPX with ingress controller. NetScaler ingress controller configures NetScaler CPX with the configuration required for servicegraph. + + 1. Create secret using NetScaler Agent credentials, which will be used by NetScaler CPX to communicate with NetScaler ADM Agent: + + kubectl create secret generic admlogin --from-literal=username= --from-literal=password= + + 2. Deploy NetScaler CPX with NetScaler ingress controller using helm command: + + helm install my-release netscaler/netscaler-cpx-with-ingress-controller --set license.accept=yes,analyticsConfig.required=true,analyticsConfig.timeseries.metrics.enable=true,analyticsConfig.distributedTracing.enable=true,analyticsConfig.endpoint.metrics.service=,ADMSettings.ADMIP=,ADMSettings.loginSecret= + +> **Note:** +> If container agent is being used here for NetScaler ADM, please provide `svcIP` of container agent in the `analyticsConfig.endpoint.metrics.service` parameter. + +## NetScaler CPX DaemonSet with NetScaler Ingress Controller as sidecar for BGP Advertisement + + The previous section of deploying CPX as a Deployment requires a Tier-1 Loadbalancer such as NetScaler VPX or cloud loadbalancers to route the traffic to CPX instances running in Kubernetes cluster, but you can also leverage BGP network fabric in your on-prem environemnt to route the traffic to CPX instances in a Kubernetes or Openshift cluster. you need to deploy CPX with NetScaler Ingress Controller as Daemonset to advertise the ExternalIPs of the K8s services of type LoadBalancer to your BGP Fabric. NetScaler CPX establishes a BGP peering session with your network routers, and uses that peering session to advertise the IP addresses of external cluster services. If your routers have ECMP capability, the traffic is load-balanced to multiple CPX instances by the upstream router, which in turn load-balances to actual application pods. When you deploy the NetScaler CPX with this mode, NetScaler CPX adds iptables rules for each service of type LoadBalancer on Kubernetes nodes. The traffic destined to the external IP address is routed to NetScaler CPX pods. You can also set the 'ingressIP' variable to an IP Address to advertise the External IP address for Ingress resources. Refer [documentation](https://github.com/netscaler/netscaler-k8s-ingress-controller/blob/master/docs/network/bgp-enhancement.md) for complete details about BGP advertisement with CPX. + +### Download the chart +You can download the chart usimg `helm pull` command. +``` +helm repo add netscaler https://netscaler.github.io/netscaler-helm-charts/ +helm pull netscaler/netscaler-cpx-with-ingress-controller +tar -zxvf netscaler-cpx-with-ingress-controller-x.y.z.tgz +``` + +### Edit the BGP configuration in values.yaml +BGP configurations enables CPX to peer with neighbor routers for advertisting the routes for Service of Type LoadBalancer. NetScaler Ingress Controllers uses static IPs given in Service YAML or using an IPAM controller to allocate an External IP address, and same is advertisted to the neighbour router with the Gateway as Node IP. An example BGP configurations is given below. + +``` +# BGP configurations: local AS, remote AS and remote address is mandatory to provide. +bgpSettings: + required: true + bgpConfig: + - bgpRouter: + # Local AS number for BGP advertisement + localAS: + neighbor: + # Address of the nighbor router for BGP advertisement + - address: xx.xx.xx.xx + # Remote AS number + remoteAS: + advertisementInterval: 10 + ASOriginationInterval: 10 +``` +If the cluster spawns across multiple networks, you can also specify the NodeSelector to give different neighbors for different Cluster Nodes as shown below. + +``` +bgpSettings: + required: true + bgpConfig: + - nodeSelector: datacenter=ds1 + bgpRouter: + localAS: + neighbor: + - address: xx.xx.xx.xx + remoteAS: + advertisementInterval: 10 + ASOriginationInterval: 10 + - nodeSelector: datacenter=ds2 + bgpRouter: + localAS: + neighbor: + - address: yy.yy.yy.yy + remoteAS: + advertisementInterval: 10 + ASOriginationInterval: 10 +``` + +### Deploy the chart +#### For Kubernetes: +#### 1. NetScaler CPX DaemonSet with NetScaler Ingress Controller running as side car for BGP Advertisement. + + +To install the chart with the release name ``` my-release```: + + ``` + helm install my-release ./netscaler-cpx-with-ingress-controller --set license.accept=yes,cpxBgpRouter=true + ``` +If you are running NetScaler IPAM for auto allocation of IPs for Service of type LoadBalancer, you must enable the IPAM configurations in NetScaler Ingress Controller as show below: + + ``` + helm install my-release ./netscaler-cpx-with-ingress-controller --set license.accept=yes,cpxBgpRouter=true,ipam=true + ``` +If you are using ingress resources, you must set the `ingressIP` to a valid IP Address which will enable the BGP route advertisement for this IP when ingress resource is deployed. + + ``` + helm install my-release ./netscaler-cpx-with-ingress-controller --set license.accept=yes,cpxBgpRouter=true,ingressIP= + ``` + +> **Note:** +> +> By default the chart installs the recommended [RBAC](https://kubernetes.io/docs/admin/authorization/rbac/) roles and role bindings. + +The command deploys NetScaler CPX Daemonset with NetScaler ingress controller as a sidecar on the Kubernetes cluster with the default configuration. The [configuration](#configuration) section lists the mandatory and optional parameters that you can configure during installation. + +#### 2. NetScaler CPX with NetScaler Ingress Controller and Exporter running as side car for BGP Advertisement. +[Metrics exporter](https://github.com/netscaler/netscaler-k8s-ingress-controller/tree/master/metrics-visualizer#visualization-of-metrics) can be deployed as sidecar to the NetScaler CPX and collects metrics from the NetScaler CPX instance. You can then [visualize these metrics](https://docs.netscaler.com/en-us/citrix-k8s-ingress-controller/metrics/promotheus-grafana.html) using Prometheus Operator and Grafana. +> **Note:** +> +> Ensure that you have installed [Prometheus Operator](https://github.com/coreos/prometheus-operator). + +Use the following command for this: + ``` + helm install my-release ./netscaler-cpx-with-ingress-controller --set license.accept=yes,cpxBgpRouter=true,exporter.required=true + ``` +If you are running NetScaler IPAM controller for auto allocation of IPs for Service of type LoadBalancer, you must enable the IPAM configurations in NetScaler Ingress Controller as show below: + + ``` + helm install my-release ./netscaler-cpx-with-ingress-controller --set license.accept=yes,cpxBgpRouter=true,ipam=true,exporter.required=true + ``` +If you are using ingress resources, you must set the `ingressIP` to a valid IP Address which will enable the BGP route advertisement for this IP when ingress resource is deployed. + + ``` + helm install my-release ./netscaler-cpx-with-ingress-controller --set license.accept=yes,cpxBgpRouter=true,ingressIP=, exporter.required=true + ``` + +#### For OpenShift: +Add the name of the service account created when the chart is deployed to the privileged Security Context Constraints of OpenShift: + + ``` + oc adm policy add-scc-to-user privileged system:serviceaccount:: + ``` + +#### 1. NetScaler CPX DaemonSet with NetScaler Ingress Controller running as side car for BGP Advertisement. +To install the chart with the release name, `my-release`, use the following command: + ``` + helm install my-release ./netscaler-cpx-with-ingress-controller --set license.accept=yes,cpxBgpRouter=true,openshift=true + ``` +If you are running NetScaler IPAM controller for auto allocation of IPs for Service of type LoadBalancer, you must enable the IPAM configurations in NetScaler Ingress Controller as show below: + + ``` + helm install my-release ./netscaler-cpx-with-ingress-controller --set license.accept=yes,cpxBgpRouter=true,ipam=true,openshift=true + ``` + + If you are using ingress or Route resources, you must set the `ingressIP` to a valid IP Address which will enable the BGP route advertisement for this IP when ingress resource is deployed. + + ``` + helm install my-release ./netscaler-cpx-with-ingress-controller --set license.accept=yes,cpxBgpRouter=true,ingressIP=,openshift=true + ``` + +#### 2. NetScaler CPX with NetScaler Ingress Controller and Exporter running as side car for BGP Advertisement. +[Metrics exporter](https://github.com/netscaler/netscaler-k8s-ingress-controller/tree/master/metrics-visualizer#visualization-of-metrics) can be deployed as sidecar to the NetScaler CPX and collects metrics from the NetScaler CPX instance. You can then [visualize these metrics](https://docs.netscaler.com/en-us/citrix-k8s-ingress-controller/metrics/promotheus-grafana.html) using Prometheus Operator and Grafana. +> **Note:** +> +> Ensure that you have installed [Prometheus Operator](https://github.com/coreos/prometheus-operator). + +Use the following command for this: + ``` + helm install my-release ./netscaler-cpx-with-ingress-controller --set license.accept=yes,openshift=true,openshift=true,exporter.required=true + ``` +If you are running NetScaler IPAM controller for auto allocation of IPs for Service of type LoadBalancer, you must enable the IPAM configurations in NetScaler Ingress Controller as show below: + + ``` + helm install my-release ./netscaler-cpx-with-ingress-controller --set license.accept=yes,cpxBgpRouter=true,ipam=true,openshift=true,exporter.required=true + ``` + +If you are using ingress or Route resources, you must set the `ingressIP` to a valid IP Address which will enable the BGP route advertisement for this IP when ingress resource is deployed. + + ``` + helm install my-release ./netscaler-cpx-with-ingress-controller --set license.accept=yes,cpxBgpRouter=true,ingressIP=,openshift=true,exporter.required=true + ``` + +## CRDs configuration + +CRDs will be installed when we install NetScaler ingress controller via Helm automatically if CRDs are not installed in cluster already. If you wish to skip the CRD installation step, you can pass the --skip-crds flag. For more information about this option in Helm please see [this](https://helm.sh/docs/chart_best_practices/custom_resource_definitions/). + +There are a few examples of how to use these CRDs, which are placed in the folder: [Example-CRDs](https://github.com/netscaler/netscaler-helm-charts/tree/master/example-crds). Refer to them and install as needed, using the following command: +```kubectl create -f ``` + +### Details of the supported CRDs: + +#### authpolicies CRD: + +Authentication policies are used to enforce access restrictions to resources hosted by an application or an API server. + +NetScaler provides a Kubernetes CustomResourceDefinitions (CRDs) called the [Auth CRD](https://github.com/netscaler/netscaler-k8s-ingress-controller/tree/master/crd/auth) that you can use with the NetScaler ingress controller to define authentication policies on the ingress NetScaler. + +Example file: [auth_example.yaml](https://github.com/netscaler/netscaler-helm-charts/tree/master/example-crds/auth_example.yaml) + +#### continuousdeployments CRD for canary: + +Canary release is a technique to reduce the risk of introducing a new software version in production by first rolling out the change to a small subset of users. After user validation, the application is rolled out to the larger set of users. NetScaler-Integrated [Canary Deployment solution](https://github.com/netscaler/netscaler-k8s-ingress-controller/tree/master/crd/canary) stitches together all components of continuous delivery (CD) and makes canary deployment easier for the application developers. + +#### httproutes and listeners CRDs for contentrouting: + +[Content Routing (CR)](https://github.com/netscaler/netscaler-k8s-ingress-controller/tree/master/crd/contentrouting) is the execution of defined rules that determine the placement and configuration of network traffic between users and web applications, based on the content being sent. For example, a pattern in the URL or header fields of the request. + +Example files: [HTTPRoute_crd.yaml](https://github.com/netscaler/netscaler-helm-charts/tree/master/example-crds/HTTPRoute_crd.yaml), [Listener_crd.yaml](https://github.com/netscaler/netscaler-helm-charts/tree/master/example-crds/Listener_crd.yaml) + +#### ratelimits CRD: + +In a Kubernetes deployment, you can [rate limit the requests](https://github.com/netscaler/netscaler-k8s-ingress-controller/tree/master/crd/ratelimit) to the resources on the back end server or services using rate limiting feature provided by the ingress NetScaler. + +Example files: [ratelimit-example1.yaml](https://github.com/netscaler/netscaler-helm-charts/tree/master/example-crds/ratelimit-example1.yaml), [ratelimit-example2.yaml](https://github.com/netscaler/netscaler-helm-charts/tree/master/example-crds/ratelimit-example2.yaml) + +#### vips CRD: + +NetScaler provides a CustomResourceDefinitions (CRD) called [VIP](https://github.com/netscaler/netscaler-k8s-ingress-controller/tree/master/crd/vip) for asynchronous communication between the IPAM controller and NetScaler ingress controller. + +The IPAM controller is provided by NetScaler for IP address management. It allocates IP address to the service from a defined IP address range. The NetScaler ingress controller configures the IP address allocated to the service as virtual IP (VIP) in NetScaler VPX. And, the service is exposed using the IP address. + +When a new service is created, the NetScaler ingress controller creates a CRD object for the service with an empty IP address field. The IPAM Controller listens to addition, deletion, or modification of the CRD and updates it with an IP address to the CRD. Once the CRD object is updated, the NetScaler ingress controller automatically configures NetScaler-specfic configuration in the tier-1 NetScaler VPX. + +#### rewritepolicies CRD: + +In kubernetes environment, to deploy specific layer 7 policies to handle scenarios such as, redirecting HTTP traffic to a specific URL, blocking a set of IP addresses to mitigate DDoS attacks, imposing HTTP to HTTPS and so on, requires you to add appropriate libraries within the microservices and manually configure the policies. Instead, you can use the [Rewrite and Responder features](https://github.com/netscaler/netscaler-k8s-ingress-controller/blob/master/crd/rewrite-policy/rewrite-responder-policies-deployment.yaml) provided by the Ingress NetScaler device to deploy these policies. + +Example files: [target-url-rewrite.yaml](https://github.com/netscaler/netscaler-k8s-ingress-controller/blob/master/simplified-deployment-usecases/CRDs/rewrite.md#url-manipulation) + +#### wafs CRD: + +[WAF CRD](https://github.com/netscaler/netscaler-k8s-ingress-controller/blob/master/docs/crds/waf.md) can be used to configure the web application firewall policies with the NetScaler ingress controller on the NetScaler VPX, MPX, SDX, and CPX. The WAF CRD enables communication between the NetScaler ingress controller and NetScaler for enforcing web application firewall policies. + +In a Kubernetes deployment, you can enforce a web application firewall policy to protect the server using the WAF CRD. For more information about web application firewall, see [Web application security](https://docs.netscaler.com/en-us/citrix-adc/current-release/application-firewall/introduction-to-citrix-web-app-firewall.html). + +Example files: [wafhtmlxsssql.yaml](https://github.com/netscaler/netscaler-helm-charts/tree/master/example-crds/wafhtmlxsssql.yaml) + +#### CORS CRD: + +[CORS CRD](https://github.com/netscaler/netscaler-k8s-ingress-controller/blob/master/docs/crds/cors.md) Cross-origin resource sharing (CORS) is a mechanism allows a web application running under one domain to securely access resources in another domain. You can configure CORS policies on NetScaler using NetScaler ingress controller to allow one domain (the origin domain) to call APIs in another domain. For more information, see the [cross-origin resource sharing CRD](https://github.com/netscaler/netscaler-k8s-ingress-controller/blob/master/docs/crds/cors.md) documentation. + +Example files: [cors-crd.yaml](https://github.com/netscaler/netscaler-helm-charts/tree/master/example-crds/corspolicy-example.yaml) + +#### APPQOE CRD: + +[APPQOE CRD](https://github.com/netscaler/netscaler-k8s-ingress-controller/blob/master/docs/crds/appqoe.md) When a NetScaler appliance receives an HTTP request and forwards it to a back-end server, sometimes there may be connection failures with the back-end server. You can configure the request-retry feature on NetScaler to forward the request to the next available server, instead of sending the reset to the client. Hence, the client saves round trip time when NetScaler initiates the same request to the next available service. +For more information, see the AppQoE support documentation. [Appqoe resource sharing CRD](https://github.com/netscaler/netscaler-k8s-ingress-controller/blob/master/docs/crds/appqoe.md) documentation. + +Example files: [appqoe-crd.yaml](https://github.com/netscaler/netscaler-helm-charts/tree/master/example-crds/appqoe_example.yaml) + +#### WILDCARDDNS CRD: + +[WILDCARDDNS CRD](https://github.com/netscaler/netscaler-k8s-ingress-controller/blob/master/docs/crds/wildcarddns.md) Wildcard DNS domains are used to handle requests for nonexistent domains and subdomains. In a zone, use wildcard domains to redirect queries for all nonexistent domains or subdomains to a particular server, instead of creating a separate Resource Record (RR) for each domain. The most common use of a wildcard DNS domain is to create a zone that can be used to forward mail from the internet to some other mail system. +For more information, see the Wild card DNS domains support documentation. [Wildcard DNS Entry CRD](https://github.com/netscaler/netscaler-k8s-ingress-controller/blob/master/docs/crds/wildcarddns.md) documentation. + +Example files: [wildcarddns-crd.yaml](https://github.com/netscaler/netscaler-helm-charts/tree/master/example-crds/wildcarddns-example.yaml) + +## NetScaler CPX servicetype LoadBalancer +NetScaler CPX can be installed with service having servicetype LoadBalancer. Following arguments can be used in the `helm install` command for the same: + +``` +helm install netscaler-cpx-with-ingress-controller netscaler/netscaler-cpx-with-ingress-controller --set license.accept=yes,serviceType.loadBalancer.enabled=True +``` + +## NetScaler CPX servicetype NodePort +NetScaler CPX can be installed with service having servicetype Nodeport. Following arguments can be used in the `helm install` command for the same: + +``` +helm install netscaler-cpx-with-ingress-controller netscaler/netscaler-cpx-with-ingress-controller --set license.accept=yes,serviceType.nodePort.enabled=True +``` + +Additionally, `serviceType.nodePort.httpPort` and `serviceType.nodePort.httpsPort` arguments can be used to select the nodePort for the CPX service for HTTP and HTTPS ports. + +### Tolerations + +Taints are applied on cluster nodes whereas tolerations are applied on pods. Tolerations enable pods to be scheduled on node with matching taints. For more information see [Taints and Tolerations in Kubernetes](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/). + +Toleration can be applied to pod running NetScaler CPX and ingress controller containers using `tolerations` argument while deploying CPX+NSIC using helm chart. This argument takes list of tolerations that user need to apply on the CPX+NSIC pods. + +For example, following command can be used to apply toleration on the CPX+NSIC pod: + +``` +helm install my-release netscaler/netscaler-cpx-with-ingress-controller --set license.accept=yes,tolerations[0].key=,tolerations[0].value=,tolerations[0].operator=,tolerations[0].effect= +``` + +Here tolerations[0].key, tolerations[0].value and tolerations[0].effect are the key, value and effect that was used while tainting the node. +Effect represents what should happen to the pod if the pod don't have any matching toleration. It can have values `NoSchedule`, `NoExecute` and `PreferNoSchedule`. +Operator represents the operation to be used for key and value comparison between taint and tolerations. It can have values `Exists` and `Equal`. The default value for operator is `Equal`. + +### Resource Quotas +There are various use-cases when resource quotas are configured on the Kubernetes cluster. If quota is enabled in a namespace for compute resources like cpu and memory, users must specify requests or limits for those values; otherwise, the quota system may reject pod creation. The resource quotas for the NSIC and CPX containers can be provided explicitly in the helm chart. + +To set requests and limits for the NSIC container, use the variables `nsic.resources.requests` and `nsic.resources.limits` respectively. +Similarly, to set requests and limits for the CPX container, use the variable `resources.requests` and `resources.limits` respectively. + +Below is an example of the helm command that configures + +A) For NSIC container: + + CPU request for 500milli CPUs + + CPU limit at 1000m + + Memory request for 512M + + Memory limit at 1000M + +B) For CPX container: + + CPU request for 250milli CPUs + + CPU limit at 500m + + Memory request for 256M + + Memory limit at 512M + +``` +helm install my-release netscaler/netscaler-cpx-with-ingress-controller --set license.accept=yes --set nsic.resources.requests.cpu=500m,nsic.resources.requests.memory=512Mi,nsic.resources.limits.cpu=1000m,nsic.resources.limits.memory=1000Mi --set resources.limits.cpu=500m,resources.limits.memory=512Mi,resources.requests.cpu=250m,resources.requests.memory=256Mi +``` + +### Analytics Configuration +#### Analytics Configuration required for ADM + +If NetScaler CPX needs to send data to the ADM for analytics purpose, then the below steps can be followed to install NetScaler CPX with ingress controller. NSIC configures the NetScaler CPX with the configuration required for analytics. + +1. Create secret using ADM Agent credentials, which will be used by NetScaler CPX to communicate with ADM Agent: + +``` +kubectl create secret generic admlogin --from-literal=username= --from-literal=password= +``` + +|Note: If you have installed container based `adm-agent` using [this](https://github.com/netscaler/netscaler-helm-charts/tree/master/adm-agent) helm chart, above step is not required, you just need to tag the namespace where the CPX is being deployed with `citrix-cpx=enabled`. + +2. Deploy NetScaler CPX with NSIC using helm command: + +``` +helm repo add netscaler https://netscaler.github.io/netscaler-helm-charts/ + +helm install my-release netscaler/netscaler-cpx-with-ingress-controller --set license.accept=yes,analyticsConfig.required=true,analyticsConfig.distributedTracing.enable=true,analyticsConfig.endpoint.transactions.service=,ADMSettings.ADMIP=,ADMSettings.loginSecret=,analyticsConfig.transactions.enable=true,analyticsConfig.transactions.port=5557 +``` +|Note: For container based ADM agent, please provide the logstream service FQDN in `analyticsConfig.endpoint.transactions.service`. The `logstream` service will be running on port `5557`. + +#### Analytics Configuration required for NSOE + +If NetScaler CPX needs to send data to the NSOE for observability, then the below steps can be followed to install NetScaler CPX with ingress controller. NSIC configures NetScaler CPX with the configuration required. + +Deploy NetScaler CPX with NSIC using helm command: + +``` +helm repo add netscaler https://netscaler.github.io/netscaler-helm-charts/ + +helm install my-release netscaler/netscaler-cpx-with-ingress-controller --set license.accept=yes,analyticsConfig.required=true,analyticsConfig.timeseries.metrics.enable=true,analyticsConfig.timeseries.port=5563,analyticsConfig.timeseries.metrics.mode=prometheus,analyticsConfig.transactions.enable=true,analyticsConfig.transactions.port=5557,analyticsConfig.distributedTracing.enable=true,analyticsConfig.endpoint.metrics.service=,analyticsConfig.endpoint.transactions.service= +``` + +#### Analytics Configuration required for export of metrics to Prometheus + +If NetScaler CPX needs to send data to Prometheus directly without an exporter resource in between, then the below steps can be followed to install NetScaler CPX with ingress controller. NSIC configures NetScaler CPX with the configuration required. + +1. Create secret to enable read-only access for a user, which will be required by NetScaler CPX to export metrics to Prometheus. + +``` +kubectl create secret generic prom-user --from-literal=username= --from-literal=password= +``` + +2. Deploy NetScaler CPX with NSIC using helm command: + +``` +helm repo add netscaler https://netscaler.github.io/netscaler-helm-charts/ + +helm install my-release netscaler/netscaler-cpx-with-ingress-controller --set license.accept=yes,nsic.prometheusCredentialSecret=,analyticsConfig.required=true,analyticsConfig.timeseries.metrics.enable=true,analyticsConfig.timeseries.port=5563,analyticsConfig.timeseries.metrics.mode=prometheus,analyticsConfig.timeseries.metrics.enableNativeScrape=true +``` + +3. To setup Prometheus in order to scrape natively from NetScaler CPX pod, a new scrape job is required to be added under scrape_configs in the Prometheus [configuration](https://prometheus.io/docs/prometheus/latest/configuration/configuration/). For more details, check kubernetes_sd_config [here](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#kubernetes_sd_config). A sample of the Prometheus job is given below - + +``` + - job_name: 'kubernetes-cpx' + scheme: http + metrics_path: /nitro/v1/config/systemfile + params: + args: ['filename:metrics_prom_ns_analytics_time_series_profile.log,filelocation:/var/nslog'] + format: ['prometheus'] + basic_auth: + username: # Prometheus username set in nsic.prometheusCredentialSecret + password: # Prometheus password set in nsic.prometheusCredentialSecret + scrape_interval: 30s + kubernetes_sd_configs: + - role: pod + relabel_configs: + - source_labels: [__meta_kubernetes_pod_annotation_netscaler_prometheus_scrape] + action: keep + regex: true + - source_labels: [__address__, __meta_kubernetes_pod_annotation_netscaler_prometheus_port] + action: replace + regex: ([^:]+)(?::\d+)?;(\d+) + replacement: $1:$2 + target_label: __address__ + - source_labels: [__meta_kubernetes_namespace] + action: replace + target_label: kubernetes_namespace + - source_labels: [__meta_kubernetes_pod_name] + action: replace + target_label: kubernetes_pod_name +``` + +> **Note:** +> +> For more details on Prometheus integration, please refer to [this](https://docs.netscaler.com/en-us/citrix-adc/current-release/observability/prometheus-integration) + +### NetScaler CPX License Provisioning +#### Bandwidth based licensing + +By default, CPX runs with 20 Mbps bandwidth called as [CPX Express](https://www.netscaler.com/platform/cpx-container). However, for better performance and production deployments, customer needs licensed CPX instances. [NetScaler ADM](https://docs.netscaler.com/en-us/citrix-application-delivery-management-service/) is used to check out licenses for NetScaler CPX. For more detail on CPX licensing please refer [this](https://docs.netscaler.com/en-us/citrix-adc-cpx/current-release/cpx-licensing.html). + +For provisioning licensing on NetScaler CPX, it is mandatory to provide License Server information to CPX. This can be done by setting **ADMSettings.licenseServerIP** as License Server IP. In addition to this, **ADMSettings.bandWidthLicense** needs to be set true and desired bandwidth capacity in Mbps should be set **ADMSettings.bandWidth**. +For example, to set 2Gbps as bandwidth capacity, below command can be used. + + ``` +helm repo add netscaler https://netscaler.github.io/netscaler-helm-charts/ + +helm install my-release netscaler/netscaler-cpx-with-ingress-controller --set license.accept=yes --set ADMSettings.licenseServerIP=,ADMSettings.bandWidthLicense=True --set ADMSettings.bandWidth=2000,ADMSettings.licenseEdition="ENTERPRISE" +``` + +#### vCPU based licensing + +For vCPU based licensing on NetScaler CPX, set `ADMSettings.vCPULicense` as True and `ADMSettings.cpxCores` with the number of cores that can be allocated for the CPX. + +``` +helm repo add netscaler https://netscaler.github.io/netscaler-helm-charts/ + +helm install my-release netscaler/netscaler-cpx-with-ingress-controller --set license.accept=yes --set ADMSettings.licenseServerIP=,ADMSettings.vCPULicense=True --set ADMSettings.cpxCores=4,ADMSettings.licenseEdition="ENTERPRISE" +``` + +### Bootup Configuration for NetScaler CPX +To add bootup config on NetScaler CPX, add commands below `cpxCommands` and `cpxShellCommands` in the values.yaml file. The commands will be executed in order. + +For e.g. to add `X-FORWARDED-PROTO` header in all request packets processed by the CPX, add below commands under `cpxCommands` in the `values.yaml` file. + +``` +cpxCommands: | + add rewrite action rw_act_x_forwarded_proto insert_http_header X-Forwarded-Proto "\"https\"" + add rewrite policy rw_pol_x_forwarded_proto CLIENT.SSL.IS_SSL rw_act_x_forwarded_proto + bind rewrite global rw_pol_x_forwarded_proto 10 -type REQ_OVERRIDE +``` + +Commands that needs to be executed in shell of CPX should be kept under `cpxShellCommands` in the `values.yaml` file. + +``` +cpxShellCommands: | + touch /etc/a.txt + echo "this is a" > /etc/a.txt + echo "this is the file" >> /etc/a.txt + ls >> /etc/a.txt +``` + +## Configuration +The following table lists the configurable parameters of the NetScaler CPX with NetScaler ingress controller as side car chart and their default values. + +| Parameters | Mandatory or Optional | Default value | Description | +| ---------- | --------------------- | ------------- | ----------- | +| license.accept | Mandatory | no | Set `yes` to accept the NetScaler ingress controller end user license agreement. | +| imageRegistry | Mandatory | `quay.io` | The NetScaler CPX image registry | +| imageRepository | Mandatory | `netscaler/netscaler-cpx` | The NetScaler CPX image repository | +| imageTag | Mandatory | `14.1-25.111` | The NetScaler CPX image tag | +| pullPolicy | Mandatory | IfNotPresent | The NetScaler CPX image pull policy. | +| daemonSet | Optional | False | Set this to true if NetScaler CPX needs to be deployed as DaemonSet. | +| hostName | Optional | N/A | This entity will be used to set Hostname of the CPX | +| nsic.imageRegistry | Mandatory | `quay.io` | The NetScaler ingress controller image registry | +| nsic.imageRepository | Mandatory | `netscaler/netscaler-k8s-ingress-controller` | The NetScaler ingress controller image repository | +| nsic.imageTag | Mandatory | `2.2.10` | The NetScaler ingress controller image tag | +| nsic.pullPolicy | Mandatory | IfNotPresent | The NetScaler ingress controller image pull policy. | +| nsic.required | Mandatory | true | NSIC to be run as sidecar with NetScaler CPX | +| nsic.enableLivenessProbe| Optional | True | Enable liveness probe settings for NetScaler Ingress Controller | +| nsic.enableReadinessProbe| Optional | True | Enable Readineess probe settings for NetScaler Ingress Controller | +| nsic.livenessProbe | Optional | N/A | Set livenessProbe settings for NSIC | +| nsic.readinessProbe | Optional | N/A | Set readinessProbe settings| +| nsic.resources | Optional | {} | CPU/Memory resource requests/limits for NetScaler Ingress Controller container | +| nsic.rbacRole | Optional | false | To deploy NSIC with RBAC Role set rbacRole=true; by default NSIC gets installed with RBAC ClusterRole(rbacRole=false)) | +| nsic.prometheusCredentialSecret | Optional | N/A | The secret key required to create read only user for native export of metrics using Prometheus. | +| imagePullSecrets | Optional | N/A | Provide list of Kubernetes secrets to be used for pulling the images from a private Docker registry or repository. For more information on how to create this secret please see [Pull an Image from a Private Registry](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/). | +| nameOverride | Optional | N/A | String to partially override deployment fullname template with a string (will prepend the release name) | +| fullNameOverride | Optional | N/A | String to fully override deployment fullname template with a string | +| resources | Optional | {} | CPU/Memory resource requests/limits for NetScaler CPX container | +| nitroReadTimeout | Optional | 20 | The nitro Read timeout in seconds, defaults to 20 | +| logLevel | Optional | INFO | The loglevel to control the logs generated by NSIC. The supported loglevels are: CRITICAL, ERROR, WARNING, INFO, DEBUG, TRACE and NONE. For more information, see [Logging](https://github.com/netscaler/netscaler-k8s-ingress-controller/blob/master/docs/configure/log-levels.md).| +| jsonLog | Optional | false | Set this argument to true if log messages are required in JSON format | +| nsConfigDnsRec | Optional | false | To enable/disable DNS address Record addition in NetScaler through Ingress | +| nsSvcLbDnsRec | Optional | false | To enable/disable DNS address Record addition in NetScaler through Type Load Balancer Service | +| nsDnsNameserver | Optional | N/A | To add DNS Nameservers in NetScaler | +| optimizeEndpointBinding | Optional | false | To enable/disable binding of backend endpoints to servicegroup in a single API-call. Recommended when endpoints(pods) per application are large in number. Applicable only for NetScaler Version >=13.0-45.7 | +| defaultSSLCertSecret | Optional | N/A | Provide Kubernetes secret name that needs to be used as a default non-SNI certificate in NetScaler. | +| defaultSSLSNICertSecret | Optional | N/A | Provide Kubernetes secret name that needs to be used as a default SNI certificate in NetScaler. | +| nsHTTP2ServerSide | Optional | OFF | Set this argument to `ON` for enabling HTTP2 for NetScaler service group configurations. | +| cpxLicenseAggregator | Optional | N/A | IP/FQDN of the CPX License Aggregator if it is being used to license the CPX. | +| nsCookieVersion | Optional | 0 | Specify the persistence cookie version (0 or 1). | +| profileSslFrontend | Optional | N/A | Specify the frontend SSL profile. For Details see [Configuration using FRONTEND_SSL_PROFILE](https://docs.netscaler.com/en-us/citrix-k8s-ingress-controller/configure/profiles.html#global-front-end-profile-configuration-using-configmap-variables) | +| profileTcpFrontend | Optional | N/A | Specify the frontend TCP profile. For Details see [Configuration using FRONTEND_TCP_PROFILE](https://docs.netscaler.com/en-us/citrix-k8s-ingress-controller/configure/profiles.html#global-front-end-profile-configuration-using-configmap-variables) | +| profileHttpFrontend | Optional | N/A | Specify the frontend HTTP profile. For Details see [Configuration using FRONTEND_HTTP_PROFILE](https://docs.netscaler.com/en-us/citrix-k8s-ingress-controller/configure/profiles.html#global-front-end-profile-configuration-using-configmap-variables) | +| logProxy | Optional | N/A | Provide Elasticsearch or Kafka or Zipkin endpoint for NetScaler observability exporter. | +| nsProtocol | Optional | http | Protocol http or https used for the communication between NetScaler Ingress Controller and CPX | +| nsEnableLabel | Optional | True | Set to true for plotting Servicegraph. Ensure `analyticsConfig` are set. | +| cpxBgpRouter | Optional | false| If set to true, this CPX is deployed as daemonset in BGP controller mode wherein BGP advertisements are done for attracting external traffic to Kubernetes clusters | +| replicaCount | Optional | 1 | Number of CPX-NSIC pods to be deployed. With `cpxBgpRouter : true`, replicaCount is 1 since CPX will be deployed as DaemonSet | +| nsIP | Optional | 192.168.1.2 | NSIP used by CPX for internal communication when run in Host mode, i.e when cpxBgpRouter is set to true. A /24 internal network is created in this IP range which is used for internal communications withing the network namespace. | +| nsGateway | Optional | 192.168.1.1 | Gateway used by CPX for internal communication when run in Host mode, i.e when cpxBgpRouter is set to true. If not specified, first IP in the nsIP network is used as gateway. It must be in same network as nsIP | +| bgpPort | Optional | 179 | BGP port used by CPX for BGP advertisement if cpxBgpRouter is set to true| +| ingressIP | Optional | N/A | External IP address to be used by ingress resources if not overriden by ingress.com/frontend-ip annotation in Ingress resources. This is also advertised to external routers when pxBgpRouter is set to true| +| entityPrefix | Optional | k8s | The prefix for the resources on the NetScaler CPX. | +| ingressClass | Optional | N/A | If multiple ingress load balancers are used to load balance different ingress resources. You can use this parameter to specify NetScaler ingress controller to configure NetScaler associated with specific ingress class. For more information on Ingress class, see [Ingress class support](https://docs.netscaler.com/en-us/citrix-k8s-ingress-controller/configure/ingress-classes/). For Kubernetes version >= 1.19, this will create an IngressClass object with the name specified here | +| setAsDefaultIngressClass | Optional | False | Set the IngressClass object as default. New Ingresses without an "ingressClassName" field specified will be assigned the class specified in ingressClass. Applicable only for kubernetes versions >= 1.19 | +| updateIngressStatus | Optional | False | Set this argument if you want to update ingress status of the ingress resources exposed via CPX. | +| disableAPIServerCertVerify | Optional | False | Set this parameter to True for disabling API Server certificate verification. | +| openshift | Optional | false | Set this argument if OpenShift environment is being used. | +| disableOpenshiftRoutes | false | By default Openshift routes are processed in openshift environment, this variable can be used to disable Ingress controller processing the openshift routes. | +| routeLabels | Optional | proxy in () | You can use this parameter to provide the route labels selectors to be used by NetScaler Ingress Controller for routeSharding in OpenShift cluster. | +| namespaceLabels | Optional | N/A | You can use this parameter to provide the namespace labels selectors to be used by NetScaler Ingress Controller for routeSharding in OpenShift cluster. | +| sslCertManagedByAWS | Optional | False | Set this argument if SSL certs used is managed by AWS while deploying NetScaler CPX in AWS. | +| nodeSelector.key | Optional | N/A | Node label key to be used for nodeSelector option for CPX-NSIC deployment. | +| nodeSelector.value | Optional | N/A | Node label value to be used for nodeSelector option in CPX-NSIC deployment. | +| podAnnotations | Optional | N/A | Map of annotations to add to the pods. | +| affinity | Optional | N/A | Affinity labels for pod assignment. | +| tolerations | Optional | N/A | Specify the tolerations for the CPX-NSIC deployment. | +| serviceType.loadBalancer.enabled | Optional | False | Set this argument if you want servicetype of CPX service to be LoadBalancer. | +| serviceType.nodePort.enabled | Optional | False | Set this argument if you want servicetype of CPX service to be NodePort. | +| serviceType.nodePort.httpPort | Optional | N/A | Specify the HTTP nodeport to be used for NodePort CPX service. | +| serviceType.nodePort.httpsPort | Optional | N/A | Specify the HTTPS nodeport to be used for NodePort CPX service. | +| serviceAnnotations | Optional | N/A | Dictionary of annotations to be used in CPX service. Key in this dictionary is the name of the annotation and Value is the required value of that annotation. For example, [see this](#netscaler-adc-cpx-service-annotations). | +| serviceSpec.externalTrafficPolicy | Optional | Cluster | Use this parameter to provide externalTrafficPolicy for CPX service of type LoadBalancer or NodePort. `serviceType.loadBalancer.enabled` or `serviceType.nodePort.enabled` should be set to `true` according to your use case for using this parameter. | +| serviceSpec.loadBalancerIP | Optional | N/A | Use this parameter to provide LoadBalancer IP to CPX service of type LoadBalancer. `serviceType.loadBalancer.enabled` should be set to `true` for using this parameter. | +| serviceSpec.loadBalancerSourceRanges | Optional | N/A | Provide the list of IP Address or range which should be allowed to access the Network Load Balancer. `serviceType.loadBalancer.enabled` should be set to `true` for using this parameter. For details, see [Network Load Balancer support on AWS](https://kubernetes.io/docs/concepts/services-networking/service/#aws-nlb-support). | +| servicePorts | Optional | N/A | List of port. Each element in this list is a dictionary that contains information about the port. For example, [see this](#netscaler-adc-cpx-service-ports). | +| ADMSettings.licenseServerIP | Optional | N/A | Provide the NetScaler Application Delivery Management (ADM) IP address to license NetScaler CPX. For more information, see [Licensing]( https://docs.netscaler.com/en-us/citrix-k8s-ingress-controller/licensing/). | +| ADMSettings.licenseServerPort | Optional | 27000 | NetScaler ADM port if non-default port is used. | +| ADMSettings.ADMIP | Optional | N/A | NetScaler Application Delivery Management (ADM) IP address. | +| ADMSettings.loginSecret | Optional | N/A | The secret key to login to the ADM. For information on how to create the secret keys, see [Prerequisites](#prerequistes). | +| ADMSettings.bandWidthLicense | Optional | False | Set to true if you want to use bandwidth based licensing for NetScaler CPX. | +| ADMSettings.bandWidth | Optional | 1000 | Desired bandwidth capacity to be set for NetScaler CPX in Mbps. | +| ADMSettings.vCPULicense | Optional | N/A | Set to true if you want to use vCPU based licensing for NetScaler CPX. | +| ADMSettings.licenseEdition| Optional | PLATINUM | License edition that can be Standard, Platinum and Enterprise . By default, Platinum is selected.| +| ADMSettings.cpxCores | Optional | 1 | Desired number of vCPU to be set for NetScaler CPX. | +| exporter.required | Optional | false | Use the argument if you want to run the [Exporter for NetScaler Stats](https://github.com/netscaler/netscaler-adc-metrics-exporter) along with NetScaler ingress controller to pull metrics for the NetScaler CPX| +| exporter.imageRegistry | Optional | `quay.io` | The Exporter for NetScaler Stats image registry | +| exporter.imageRepository | Optional | `netscaler/netscaler-adc-metrics-exporter` | The Exporter for NetScaler Stats image repository | +| exporter.imageTag | Optional | `1.4.9` | The Exporter for NetScaler Stats image tag | +| exporter.pullPolicy | Optional | IfNotPresent | The Exporter for NetScaler Stats image pull policy. | +| exporter.resources | Optional | {} | CPU/Memory resource requests/limits for Metrics exporter container | +| exporter.ports.containerPort | Optional | 8888 | The Exporter for NetScaler Stats container port. | +| exporter.serviceMonitorExtraLabels | Optional | | Extra labels for service monitor whem NetScaler-adc-metrics-exporter is enabled. | + analyticsConfig.required | Mandatory | false | Set this to true if you want to configure NetScaler to send metrics and transaction records to analytics service. | +| analyticsConfig.distributedTracing.enable | Optional | false | Set this value to true to enable OpenTracing in NetScaler. | +| analyticsConfig.distributedTracing.samplingrate | Optional | 100 | Specifies the OpenTracing sampling rate in percentage. | +| analyticsConfig.endpoint.metrics.service | Optional | N/A | Set this value as the IP address or DNS address of the analytics server. Format: servicename.namespace, servicename.namespace.svc.cluster.local, namespace/servicename *** This value replaces the analyticsConfig.endpoint.server value used earlier. *** | +| analyticsConfig.endpoint.transactions.service | Optional | N/A | Set this value as the IP address or service name with namespace of the analytics service deployed in k8s environment. Format: namespace/servicename *** This value replaces the analyticsConfig.endpoint.service value used earlier. *** | +| analyticsConfig.timeseries.port | Optional | 5563 | Specify the port used to expose analytics service for timeseries endpoint. | +| analyticsConfig.timeseries.metrics.enable | Optional | Set this value to true to enable sending metrics from NetScaler. | +| analyticsConfig.timeseries.metrics.mode | Optional | avro | Specifies the mode of metric endpoint. | +| analyticsConfig.timeseries.metrics.exportFrequency | Optional | 30 | Specifies the time interval for exporting time-series data. Possible values range from 30 to 300 seconds. | +| analyticsConfig.timeseries.metrics.schemaFile | Optional | schema.json | Specifies the name of a schema file with the required Netscaler counters to be added and configured for metricscollector to export. A reference schema file reference_schema.json with all the supported counters is also available under the path /var/metrics_conf/. This schema file can be used as a reference to build a custom list of counters. | +| analyticsConfig.timeseries.metrics.enableNativeScrape | Optional | false | Set this value to true for native export of metrics. | +| analyticsConfig.timeseries.auditlogs.enable | Optional | false | Set this value to true to export audit log data from NetScaler. | +| analyticsConfig.timeseries.events.enable | Optional | false | Set this value to true to export events from the NetScaler. | +| analyticsConfig.transactions.enable | Optional | false | Set this value to true to export transactions from NetScaler. | +| analyticsConfig.transactions.port | Optional | 5557 | Specify the port used to expose analytics service for transaction endpoint. | +| bgpSettings.required | Optional | false | Set this argument if you want to enable BGP configurations for exposing service of Type Loadbalancer through BGP fabric| +| bgpSettings.bgpConfig | Optional| N/A| This represents BGP configurations in YAML format. For the description about individual fields, please refer the [documentation](https://github.com/netscaler/netscaler-k8s-ingress-controller/blob/master/docs/network/bgp-enhancement.md) | +| nsLbHashAlgo.required | Optional | false | Set this value to set the LB consistent hashing Algorithm | +| nsLbHashAlgo.hashFingers | Optional |256 | Specifies the number of fingers to be used for hashing algorithm. Possible values are from 1 to 1024, Default value is 256 | +| nsLbHashAlgo.hashAlgorithm | Optional | 'default' | Specifies the supported algorithm. Supported algorithms are "default", "jarh", "prac", Default value is 'default' | +| cpxCommands| Optional | N/A | This argument accepts user-provided NetScaler bootup config that is applied as soon as the CPX is instantiated. Please note that this is not a dynamic config, and any subsequent changes to the configmap don't reflect in the CPX config unless the pod is restarted. For more info, please refer the [documentation](https://docs.netscaler.com/en-us/citrix-adc-cpx/current-release/configure-cpx-kubernetes-using-configmaps.html). | +| cpxShellCommands| Optional | N/A | This argument accepts user-provided bootup config that is applied as soon as the CPX is instantiated. Please note that this is not a dynamic config, and any subsequent changes to the configmap don't reflect in the CPX config unless the pod is restarted. For more info, please refer the [documentation](https://docs.netscaler.com/en-us/citrix-adc-cpx/current-release/configure-cpx-kubernetes-using-configmaps.html). | +| enableStartupProbe | Optional | True | Enable startupProbe settings for CPX | +| enableLivenessProbe | Optional | True | Enable livenessProbe settings for CPX | +| startupProbe | Optional | N/A | Set startupProbe settings for CPX | +| livenessProbe | Optional | N/A | Set livenessProbe settings for CPX | + +> **Note:** +> +> If NetScaler ADM related information is not provided during installation, NetScaler CPX will come up with the default license. + +Alternatively, you can define a YAML file with the values for the parameters and pass the values while installing the chart. + +For example: + ``` + helm install netscaler-cpx-with-ingress-controller netscaler/netscaler-cpx-with-ingress-controller -f values.yaml + ``` + +> **Tip:** +> +> The [values.yaml](https://github.com/netscaler/netscaler-helm-charts/blob/master/netscaler-cpx-with-ingress-controller/values.yaml) contains the default values of the parameters. + +## Uninstalling the Chart +To uninstall/delete the ```my-release``` deployment: + ``` + helm delete my-release + ``` + +## Related documentation + +- [NetScaler CPX Documentation](https://docs.netscaler.com/en-us/citrix-adc-cpx/current-release/cpx-architecture-and-traffic-flow) +- [NetScaler ingress controller Documentation](https://docs.netscaler.com/en-us/citrix-k8s-ingress-controller/) +- [NetScaler ingress controller GitHub](https://github.com/netscaler/netscaler-k8s-ingress-controller) +- [BGP advertisement for External IPs with CPX](https://github.com/netscaler/netscaler-k8s-ingress-controller/blob/master/docs/network/bgp-enhancement.md) diff --git a/charts/netscaler/netscaler-cpx-with-ingress-controller/2.2.10/app-readme.md b/charts/netscaler/netscaler-cpx-with-ingress-controller/2.2.10/app-readme.md new file mode 100644 index 000000000..6039d0e0c --- /dev/null +++ b/charts/netscaler/netscaler-cpx-with-ingress-controller/2.2.10/app-readme.md @@ -0,0 +1,5 @@ +# NetScaler CPX with NetScaler Ingress Controller Running as Sidecar + +In a [Kubernetes](https://kubernetes.io/) or [OpenShift](https://www.openshift.com) cluster, you can deploy [NetScaler CPX](https://docs.netscaler.com/en-us/cpx.html) with NetScaler ingress controller as a [sidecar](https://kubernetes.io/docs/concepts/workloads/pods/sidecar-containers/). The NetScaler CPX instance is used for load balancing the North-South traffic to the microservices in your cluster. And, the sidecar NetScaler ingress controller configures the NetScaler CPX. + +This chart bootstraps deployment of NetScaler CPX with NetScaler Ingress Controller as sidecar. diff --git a/charts/netscaler/netscaler-cpx-with-ingress-controller/2.2.10/crds/crds.yaml b/charts/netscaler/netscaler-cpx-with-ingress-controller/2.2.10/crds/crds.yaml new file mode 100644 index 000000000..9db6a9972 --- /dev/null +++ b/charts/netscaler/netscaler-cpx-with-ingress-controller/2.2.10/crds/crds.yaml @@ -0,0 +1,2706 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: rewritepolicies.citrix.com +spec: + group: citrix.com + names: + kind: rewritepolicy + plural: rewritepolicies + singular: rewritepolicy + scope: Namespaced + versions: + - name: v1 + served: true + storage: true + subresources: + status: {} + additionalPrinterColumns: + - name: Status + type: string + description: "Current Status of the CRD" + jsonPath: .status.state + - name: Message + type: string + description: "Status Message" + jsonPath: .status.status_message + schema: + openAPIV3Schema: + type: object + properties: + status: + type: object + properties: + state: + type: string + status_message: + type: string + spec: + type: object + properties: + ingressclass: + type: string + description: "Ingress class, if not specified then all NetScaler Ingress Controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" + rewrite-policies: + type: array + items: + type: object + properties: + servicenames: + description: 'Name of the services that needs to be binded to rewrite policy.' + type: array + items: + type: string + maxLength: 127 + goto-priority-expression: + description: 'Expression or other value specifying the next policy to be + evaluated if the current policy evaluates to TRUE. + Specify one of the following values: + * NEXT - Evaluate the policy with the next higher priority number. + * END - End policy evaluation. + Default value of goto-priority-expression: END' + type: string + maxLength: 1499 + logpackets: + type: object + description: 'Adds an audit message action. + The action specifies whether to log the message, and to which log.' + properties: + logexpression: + description: 'Default-syntax expression that defines the format and content of the log message.' + type: string + maxLength: 7991 + loglevel: + description: 'Audit log level, which specifies the severity level of the log message being generated.' + type: string + enum: ["EMERGENCY", "ALERT", "CRITICAL", "ERROR", "WARNING", "NOTICE", "INFORMATIONAL", "DEBUG"] + required: [logexpression, loglevel] + rewrite-policy: + type: object + properties: + rewrite-criteria: + description: 'Expression against which traffic is evaluated.' + type: string + maxLength: 1299 + default-action: + description: 'Action to perform if the result of policy evaluation is undefined (UNDEF). + An UNDEF event indicates an internal error condition.' + type: string + maxLength: 77 + enum: ['NOREWRITE', 'RESET', 'DROP'] + operation: + description: 'Type of user-defined rewrite action.' + type: string + enum: ["noop", "delete", "insert_http_header", "delete_http_header", + "corrupt_http_header", "insert_before", "insert_after", "replace", + "replace_http_res", "delete_all", "replace_all", "insert_before_all", + "insert_after_all", "clientless_vpn_encode", "clientless_vpn_encode_all", + "clientless_vpn_decode", "clientless_vpn_decode_all", "insert_sip_header", + "delete_sip_header", "corrupt_sip_header", "replace_sip_res", "replace_diameter_header_field", + "replace_dns_header_field", "replace_dns_answer_section"] + target: + description: 'Default syntax expression that specifies which part of the request or response to rewrite.' + type: string + maxLength: 1229 + modify-expression: + description: 'Default syntax expression that specifies the content to insert into the request + or response at the specified location, or that replaces the specified string.' + type: string + maxLength: 7991 + multiple-occurence-modify: + description: 'Search facility that is used to match multiple strings in the request or response.' + type: string + maxLength: 171 + additional-multiple-occurence-modify: + description: 'Specify additional criteria to refine the results of the search. + Always starts with the "extend(m,n)" operation, where "m" specifies number of bytes to the left of selected data + and "n" specifies number of bytes to the right of selected data. + You can use refineSearch only on body expressions, and only when rewrite-criteria is any one of this: + INSERT_BEFORE_ALL, INSERT_AFTER_ALL, REPLACE_ALL, and DELETE_ALL.' + type: string + maxLength: 1299 + direction: + description: 'Bind point to which to bind the policy.' + type: string + enum: ["REQUEST","RESPONSE"] + comment: + description: 'Any comments to preserve information about this rewrite policy.' + type: string + maxLength: 255 + required: [rewrite-criteria, operation, target, direction] + required: [rewrite-policy] + + responder-policies: + type: array + items: + type: object + properties: + servicenames: + description: 'Name of the services that needs to be binded to responder policy.' + type: array + items: + type: string + maxLength: 127 + goto-priority-expression: + description: 'Expression or other value specifying the next policy to be + evaluated if the current policy evaluates to TRUE. + Specify one of the following values: + * NEXT - Evaluate the policy with the next higher priority number. + * END - End policy evaluation. + Default value of goto-priority-expression: END' + type: string + maxLength: 1499 + logpackets: + type: object + description: 'Adds an audit message action. + The action specifies whether to log the message, and to which log.' + properties: + logexpression: + description: 'Default-syntax expression that defines the format and content of the log message.' + type: string + maxLength: 7991 + loglevel: + description: 'Audit log level, which specifies the severity level of the log message being generated.' + type: string + enum: ["EMERGENCY", "ALERT", "CRITICAL", "ERROR", "WARNING", + "NOTICE", "INFORMATIONAL", "DEBUG"] + required: [logexpression, loglevel] + responder-policy: + type: object + properties: + redirect: + type: object + description: 'Use this option when you want to Redirect the request when request matches to policy.' + properties: + url: + description: 'URL on which you want to redirect the request.' + type: string + maxLength: 7991 + redirect-status-code: + description: 'HTTP response status code, for example 200, 302, 404, etc.' + type: integer + minimum: 100 + maximum: 599 + redirect-reason: + description: 'Expression specifying the reason for redirecting the request.' + type: string + maxLength: 7991 + required: [url] + respondwith: + type: object + description: 'Use this parameter when you want to respond to the request when request matches to policy.' + properties: + http-payload-string: + description: 'Expression that you want to sent as response to the request.' + type: string + maxLength: 7991 + required: [http-payload-string] + noop: + type: string + description: 'Use this option when you want to send the request to the protected server instead of + responding to it when request matches to policy.' + properties: + target: + description: 'Default syntax expression that specifies to perform noop operation on' + type: string + maxLength: 1229 + reset: + type: string + description: 'Use this option when you want to Reset the client connection by closing it when request matches to policy.' + properties: + drop: + type: string + description: 'Use this option when you want to drop the request without sending a response to the user when request matches to policy.' + properties: + respond-criteria: + description: 'Default syntax expression that the policy uses to determine whether to respond to the specified request.' + type: string + maxLength: 1299 + default-action: + description: 'Action to perform if the result of policy evaluation is undefined (UNDEF). + An UNDEF event indicates an internal error condition.' + type: string + maxLength: 77 + enum: ['NOOP', 'RESET', 'DROP'] + comment: + description: 'Any comments to preserve information about this responder policy.' + type: string + maxLength: 255 + required: [respond-criteria] + oneOf: [required: [redirect], required: [respondwith], required: [noop], required: [reset], required: [drop]] + required: [responder-policy] + + dataset: + type: array + items: + type: object + properties: + name: + description: 'Name of the dataset.' + type: string + maxLength: 32 + type: + description: 'Type of value to bind to the dataset.' + type: string + enum: ["ipv4", "number", "ipv6", "ulong", "double", "mac"] + comment: + description: 'Any comments to preserve information about this dataset.' + type: string + maxLength: 255 + values: + description: 'Value of the specified type that is associated with this dataset.' + type: array + items: + type: string + required: [name, type, values] + + patset: + type: array + items: + type: object + properties: + name: + description: 'Name of the Patset.' + type: string + maxLength: 32 + comment: + description: 'Any comments to preserve information about this patset.' + type: string + maxLength: 255 + values: + description: 'String of characters that constitutes a pattern and is associated with this patset.' + type: array + items: + type: string + required: [name, values] + + stringmap: + type: array + items: + type: object + properties: + name: + description: 'Name of the Stringmap.' + type: string + maxLength: 32 + comment: + description: 'Any comments to preserve information about this stringmap.' + type: string + maxLength: 255 + values: + description: 'List of (key,value) pairs to be bound to this string map.' + type: array + items: + type: object + properties: + key: + description: 'Character string constituting the key to be bound to this string map.' + type: string + maxLength: 2047 + value: + description: 'Character string constituting the value associated with the key.' + type: string + maxLength: 2047 + required: [name, values] + + httpcallout_policy: + type: array + items: + type: object + properties: + name: + description: 'httpcallout name' + type: string + maxLength: 32 + server_ip: + description: 'IP Address of the server(callout agent) to which the callout is sent.' + type: string + server_port: + description: 'Port of the server(callout agent) to which the callout is sent.' + type: integer + minimum: 1 + maximum: 65535 + http_method: + description: |+ + 'Method used in the HTTP request that this callout sends. + Default http method is GET' + type: string + enum: ['GET', 'POST'] + host_expr: + description: |+ + 'String expression to configure the Host header. Can contain a literal value + (for example, 10.101.10.11) or a derived value (for example, http.req.header("Host")). + The literal value can be an IP address or a fully qualified domain name. Mutually + exclusive with the full HTTP request expression.' + type: string + maxLength: 255 + url_stem_expr: + description: |+ + 'String expression for generating the URL stem. Can contain a literal string + (for example, "/mysite/index.html") or an expression that derives the value + (for example, http.req.url).' + type: string + maxLength: 8191 + headers: + type: array + description: |+ + 'One or more headers to insert into the HTTP request. Each header is represented by + name and expr, where expr is an expression that is evaluated at runtime to provide + the value for the named header. You can configure a maximum of eight headers for + an HTTP callout.' + items: + type: object + properties: + name: + description: 'header name' + type: string + expr: + description: 'header expression' + type: string + parameters: + type: array + description: |+ + 'One or more query parameters to insert into the HTTP request URL (for a GET request) + or into the request body (for a POST request). Each parameter is represented by + name and expr, where expr is an expression that is evaluated at run time to provide + the value for the named parameter (name=value). The parameter values are URL encoded.' + items: + type: object + properties: + name: + description: 'parameter name' + type: string + expr: + description: 'parameter expression' + type: string + body_expr: + description: |+ + 'An advanced string expression for generating the body of the request. + The expression can contain a literal string or an expression that derives + the value (for example, client.ip.src).' + type: string + full_req_expr: + description: |+ + 'Exact HTTP request, in the form of an expression, which the NetScaler sends + to the callout agent. The request expression is constrained by the feature + for which the callout is used. For example, an HTTP.RES expression cannot be + used in a request-time policy bank or in a TCP content switching policy bank.' + type: string + scheme: + description: |+ + 'Type of scheme for the callout server. + Default scheme is HTTP' + type: string + enum: ['HTTP', 'HTTPS'] + cache_for_secs: + description: |+ + 'Duration, in seconds, for which the callout response is cached. + The cached responses are stored in an integrated caching content + group named "calloutContentGroup". If no duration is configured, + the callout responses will not be cached unless normal caching + configuration is used to cache them. This parameter takes precedence over any + normal caching configuration that would otherwise apply to these responses.' + type: integer + minimum: 1 + maximum: 31536000 + return_type: + description: |+ + 'Type of data that the target callout agent returns in response to the callout + Available settings function as follows: + * TEXT - Treat the returned value as a text string. + * NUM - Treat the returned value as a number. + * BOOL - Treat the returned value as a Boolean value.' + type: string + enum: ['TEXT', 'NUM', 'BOOL'] + result_expr: + description: |+ + 'Expression that extracts the callout results from the response sent by the HTTP callout + agent. Must be a response based expression, that is, it must begin with HTTP.RES. The + operations in this expression must match the return type. For example, if you configure + a return type of TEXT, the result expression must be a text based expression. If the + return type is NUM, the result expression (resultExpr) must return a numeric value, + as in the following example: http.res.body(10000).length.' + type: string + maxLength: 8191 + comment: + description: 'Any comments to preserve information about this HTTP callout.' + type: string + maxLength: 255 + allOf: + - properties: + required: [name, server_ip, server_port] + - properties: + oneOf: + - properties: + required: [full_req_expr] + - properties: + anyOf: + - properties: + required: [http_method] + - properties: + required: [host_expr] + - properties: + required: [url_stem_expr] + - properties: + required: [headers] + - properties: + required: [parameters] + - properties: + required: [body_expr] + anyOf: [required: [rewrite-policies], required: [responder-policies]] +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: ratelimits.citrix.com +spec: + group: citrix.com + names: + kind: ratelimit + plural: ratelimits + singular: ratelimit + scope: Namespaced + versions: + - name: v1beta1 + served: true + storage: true + subresources: + status: {} + additionalPrinterColumns: + - name: Status + type: string + description: "Current Status of the CRD" + jsonPath: .status.state + - name: Message + type: string + description: "Status Message" + jsonPath: .status.status_message + schema: + openAPIV3Schema: + type: object + properties: + status: + type: object + properties: + state: + type: string + status_message: + type: string + spec: + type: object + properties: + ingressclass: + type: string + description: "Ingress class, if not specified then all NetScaler Ingress Controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" + servicenames: + description: 'Name of the services to which the ratelimit policies are applied.' + type: array + items: + type: string + maxLength: 127 + selector_keys: + type: object + description: 'Traffic match criteria to which apply above rate-limit/throttling. All keys are applied as AND condition. If no keys are specified, rate-limit applies at service level' + properties: + basic: + type: object + description: "Basic traffic stream selection criteria to which to apply the ratelimit" + properties: + path: + type: array + description: "api resource path prefix match. e.g. /api/v1/products" + items: + type: string + method: + type: array + items: + type: string + enum: ['GET', 'PUT', 'POST', 'DELETE', 'HEAD', 'OPTIONS', 'TRACE', 'CONNECT','PATCH', 'UNKNOWN_METHOD'] + header_name: + description: "HTTP header that identifies the unique API client for e.g. X-apikey" + type: string + per_client_ip: + description: "Setting this applies the throttling limit to each unique Client IP address accessing the API resource" + type: boolean + req_threshold: + description: 'Max requests per timeslice units to be allowed' + type: integer + timeslice: + description: 'Timeslice in miliseconds in multiple of 10. Defaults to 1000 miliseconds' + type: integer + limittype: + description: "Burst mode or smooth. Defaults to smooth limittype if not specified" + type: string + enum: ['BURSTY','SMOOTH'] + throttle_action: + type: string + enum: ['DROP', 'RESET','REDIRECT', 'RESPOND'] + description: "Drop will drop the requests exceeding limits, RESET will reset the client connection, Redirect will redirect to specified URL, respond will respond with 429 'Exceeded allowed rate of requests'" + redirect_url: + type: string + description: "Redirect-URL" + logpackets: + type: object + description: 'Adds an audit message action. The action specifies whether to log the message, and to which log.' + properties: + logexpression: + description: 'Default-syntax expression that defines the format and content of the log message.' + type: string + maxLength: 7991 + loglevel: + description: 'Audit log level, which specifies the severity level of the log message being generated.' + type: string + enum: ["EMERGENCY", "ALERT", "CRITICAL", "ERROR", "WARNING", "NOTICE", "INFORMATIONAL", "DEBUG"] + required: [logexpression, loglevel] + required: [req_threshold] +--- +#Sample CRD instance + +#apiVersion: citrix.com/v1 +#description: VIP for apache service +#kind: vip +#metadata: +# name: service-apache +# namespace: default +#spec: +# description: VIP for the apache Service +# ipaddress: 10.99.98.90 +# kind: service +# name: apache + +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: vips.citrix.com +spec: + group: citrix.com + names: + kind: vip + plural: vips + singular: vip + scope: Namespaced + versions: + - name: v1 + served: true + storage: true + additionalPrinterColumns: + - jsonPath: .spec.ipaddress + name: VIP + type: string + - name: Age + type: date + jsonPath: .metadata.creationTimestamp + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + ipaddress: + type: string + name: + type: string + kind: + type: string + enum: ["service", "ingress", "listener"] + description: + type: string + range-name: + type: string + multicluster: + description: "The setting of this indicates that the VIP/csvserver IP address is shared by multiple netscaler ingress controllers on the VPX/MPX. For CPX, this field is not applicable" + type: boolean +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: authpolicies.citrix.com +spec: + group: citrix.com + names: + kind: authpolicy + plural: authpolicies + singular: authpolicy + scope: Namespaced + versions: + - name: v1beta1 + served: true + storage: true + subresources: + status: {} + additionalPrinterColumns: + - name: Status + type: string + description: 'Current Status of the CRD' + jsonPath: .status.state + - name: Message + type: string + description: 'Status Message' + jsonPath: .status.status_message + schema: + openAPIV3Schema: + type: object + properties: + status: + type: object + properties: + state: + type: string + status_message: + type: string + spec: + type: object + properties: + ingressclass: + type: string + description: "Ingress class, if not specified then all NetScaler Ingress Controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" + servicenames: + description: |+ + 'Name of the services for which the policies applied' + type: array + items: + type: string + maxLength: 63 + authentication_mechanism: + type: object + description: |+ + 'Authentication mechanism. Options: using forms or using request header. + Default is Authentication using request header, when no option is specified' + properties: + using_request_header: + description: |+ + 'Enable user authentication using request header. Use when the credentials + or api keys are passed in a header. For example, when using Basic, Digest, + Bearer authentication or api keys. + When authentication using forms is provided, this is set to OFF' + + type: string + using_forms: + type: object + description: 'Enables authentication using forms. Use with user/web authentication.' + properties: + authentication_host: + description: |+ + 'Fully qualified domain name (FQDN) for authentication. + This FQDN should be unique and should resolve to frontend IP of + NetScaler with Ingress/service type LoadBalancer (or) vip of Listener CRD' + type: string + maxLength: 255 + authentication_host_cert: + description: |+ + 'Name of the SSL certificate to be used with authentication_host. + This certificate is mandatory while using_forms' + type: object + properties: + tls_secret: + type: string + description: 'Name of the Kubernetes Secret of type tls referring to Certificate' + pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' + preconfigured: + type: string + maxLength: 63 + description: |+ + 'Preconfigured SSL certkey name on NetScaler with the + certificate and key already added on NetScaler' + oneOf: + - properties: + required: [tls_secret] + - properties: + required: [preconfigured] + ingress_name: + description: |+ + 'Ingress name for which the authentication using forms + is applicable.' + type: string + maxLength: 63 + lb_service_name: + description: |+ + 'Service of type LoadBalancer for which the authentication using forms + is applicable.' + type: string + maxLength: 63 + listener_name: + description: |+ + 'Listener CRD name for which the authentication using forms is applicable.' + type: string + maxLength: 63 + vip: + description: |+ + 'Frontend IP of ingress for which the authentication + using forms is applicable. This refers to frontend-ip provided + with Ingress. It is suggested to use vip, if more than one Ingress + resource use the same frontend-ip' + type: string + required: [authentication_host, authentication_host_cert] + oneOf: + - properties: + required: [ingress_name] + - properties: + required: [lb_service_name] + - properties: + required: [listener_name] + - properties: + required: [vip] + oneOf: + - properties: + using_request_header: + enum: ['ON'] + required: [using_request_header] + - properties: + required: [using_forms] + + authentication_providers: + description: |+ + 'Authentication Configuration for required authentication providers/schemes. + One or more of these can be created' + type: array + items: + description: 'Create config for a single authentication provider of a particular type' + type: object + properties: + name: + description: 'Name for this provider, has to be unique, referenced by authentication policies' + type: string + maxLength: 127 + + oauth: + description: 'Authentication provided by external oAuth provider' + type: object + properties: + issuer: + description: 'Identity of the server whose tokens are to be accepted' + type: string + maxLength: 127 + audience: + description: 'Audience for which token sent by Authorization server is applicable' + type: array + items: + type: string + maxLength: 127 + jwks_uri: + description: |+ + 'URL of the endpoint that contains JWKs (Json Web Key) for + JWT (Json Web Token) verification' + type: string + maxLength: 127 + introspect_url: + description: ' URL of the introspection server' + type: string + maxLength: 127 + client_credentials: + description: |+ + 'secrets object that contains Client Id and secret as known + to Introspection server' + type: string + maxLength: 253 + token_in_hdr: + description: |+ + 'custom header name where token is present, + default is Authorization header' + type: array + items: + type: string + maxLength: 127 + maxItems: 2 + token_in_param: + description: 'query parameter name where token is present' + type: array + items: + type: string + maxLength: 127 + maxItems: 2 + signature_algorithms: + description: 'list of allowed signature algorithms, by default HS256, RS256, RS512 are allowed' + type: array + items: + type: string + enum: ['HS256', 'RS256', 'RS512'] + claims_to_save: + description: 'list of claims to be saved, used to create authorization policies' + type: array + items: + type: string + maxLength: 127 + metadata_url: + description: 'URL used to get OAUTH/OIDC provider metadata' + type: string + maxLength: 255 + user_field: + description: |+ + 'Attribute in the token from which username should be extracted. + by default, NetScaler looks at email attribute for user id' + type: string + maxLength: 127 + default_group: + description: |+ + 'group assigned to the request if authentication succeeds, + this is in addition to any extracted groups from token' + type: string + maxLength: 63 + grant_type: + description: 'used to specify the type of flow to the token end point, defaults to CODE' + type: array + items: + type: string + enum: ['CODE','PASSWORD'] + pkce: + description: 'specify whether to enable Proof Key Code Exchange, defaults to ENABLED' + type: string + enum: ['ENABLED', 'DISABLED'] + token_ep_auth_method: + description: |+ + 'authentication method to be used with token end point, + defaults to client_secret_post' + type: string + enum: ['client_secret_post', 'client_secret_jwt'] + + anyOf: + - properties: + required : [jwks_uri] + - properties: + required : [introspect_url, client_credentials] + - properties: + required : [metadata_url] + + ldap: + description: 'LDAP authentication provider' + type: object + properties: + server_ip: + description: 'IP address assigned to the LDAP server' + type: string + server_name: + description: 'LDAP server name as a FQDN' + type: string + maxLength: 127 + server_port: + description: 'Port on which the LDAP server accepts connections. Default is 389' + type: integer + minimum: 1 + maximum: 65535 + base: + description: |+ + 'Base (node) from which to start LDAP searches. If the LDAP server is + running locally, the default value of base is dc=netscaler, dc=com' + type: string + maxLength: 127 + server_login_credentials: + description: |+ + 'Kubernetes secret object providing credentials to login to LDAP server, + The secret data should have username and password' + type: string + login_name: + description: |+ + 'LDAP login name attribute. The NetScaler uses the LDAP login name + to query external LDAP servers or Active Directories' + type: string + maxLength: 127 + security_type: + description: |+ + 'Type of security used for communications between the NetScaler + and the LDAP server. Default is TLS' + type: string + enum: ['PLAINTEXT', 'TLS', 'SSL'] + validate_server_cert: + description: 'Validate LDAP Server certs. Default is NO' + type: string + enum: ['YES', 'NO'] + hostname: + description: |+ + 'Hostname for the LDAP server. If validate_server_cert is ON, + this must be the host name on the certificate from the LDAP + A hostname mismatch will cause a connection failure' + type: string + maxLength: 127 + sub_attribute_name: + description: 'LDAP group sub-attribute name. Used for group extraction from the LDAP server.' + type: string + maxLength: 31 + group_attribute_name: + description: 'LDAP group attribute name. Used for group extraction on the LDAP server.' + type: string + maxLength: 31 + search_filter: + description: |+ + 'String to be combined with the default LDAP user search string to form the + search value. For example, if the search filter "vpnallowed=true" is combined + with the LDAP login name "samaccount" and the user-supplied username is "bob", + the result is the LDAP search string ""(&(vpnallowed=true)(samaccount=bob)"" + (Be sure to enclose the search string in two sets of double quotation marks)' + type: string + maxLength: 255 + auth_timeout: + description: |+ + 'Number of seconds the NetScaler waits for a response from the server + Default is 3' + type: integer + minimum: 1 + maximum: 4294967295 + password_change: + description: 'Allow password change requests. Default is DISABLED' + type: string + enum: ['ENABLED', 'DISABLED'] + attributes_to_save: + description: |+ + 'List of attribute names separated by comma which needs to be fetched + from LDAP server and stored as key-value pair for the session on NetScaler' + type: string + maxLength: 2047 + oneOf: + - properties: + required: [server_ip] + - properties: + required: [server_name] + + saml: + description: |+ + 'SAML authentication provider. + Currently SAML is supported only with authentication mechanism using forms' + type: object + properties: + metadata_url: + description: 'URL is used for obtaining saml metadata.' + type: string + maxLength: 255 + metadata_refresh_interval: + description: |+ + 'Interval in minutes for fetching metadata from specified metadata URL. + Default is 36000' + type: integer + minimum: 1 + maximum: 4294967295 + signing_cert: + description: 'SSL certificate to sign requests from SP to IDP' + type: object + properties: + tls_secret: + type: string + description: 'Name of the Kubernetes Secret of type tls referring to Certificate' + pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' + preconfigured: + type: string + maxLength: 63 + description: |+ + 'Preconfigured SSL certkey name on NetScaler with the + certificate and key already added on NetScaler' + oneOf: + - properties: + required: [tls_secret] + - properties: + required: [preconfigured] + audience: + description: 'Audience for which assertion sent by IdP is applicable' + type: string + maxLength: 127 + issuer_name: + description: 'The name to be used in requests sent from SP to IDP to identify NetScaler' + type: string + maxLength: 63 + binding: + description: 'Specifies the transport mechanism of saml message. Default is POST' + type: string + enum: ['REDIRECT', 'POST', 'ARTIFACT'] + artifact_resolution_service_url: + description: 'URL of the Artifact Resolution Service on IdP' + type: string + maxLength: 255 + logout_binding: + description: 'Specifies the transport mechanism of saml logout. Default is POST' + type: string + enum: ['REDIRECT', 'POST'] + reject_unsigned_assertion: + description: |+ + 'Reject unsigned SAML assertions. ON, rejects assertion without signature. + STRICT ensure that both Response and Assertion are signed. Default is ON' + type: string + enum: ['ON', 'OFF', 'STRICT'] + user_field: + description: 'SAML user ID, as given in the SAML assertion' + type: string + maxLength: 63 + default_authentication_group: + description: |+ + 'This is the default group that is chosen when the authentication + succeeds in addition to extracted groups' + type: string + maxLength: 63 + skew_time: + description: |+ + 'Allowed clock skew in number of minutes on an incoming assertion. + Default is 5' + type: integer + minimum: 1 + attributes_to_save: + description: |+ + 'List of attribute names separated by comma which needs to be extracted + and stored as key-value pair for the session on NetScaler' + type: string + maxLength: 2047 + required: + - metadata_url + + basic_local_db: + type: object + description: |+ + 'Basic HTTP authentication supported by NetScaler, user data in local DB of NetScaler. + Users needs to be added on NetScaler' + properties: + use_local_auth: + description: 'Use NetScaler authentication' + type: string + enum: ['YES'] + + required: + - name + + authentication_policies: + description: 'Authentication policies' + type: array + items: + type: object + description: 'Authentication policy' + properties: + resource: + type: object + description: 'endpoint/resource selection criteria' + properties: + path: + description: 'api resource path e.g. /products. ' + type: array + items: + type: string + maxLength: 511 + method: + type: array + items: + type: string + enum: ['GET', 'PUT', 'POST', 'DELETE', 'HEAD', 'OPTIONS', 'TRACE', 'CONNECT','PATCH', 'UNKNOWN_METHOD'] + required: + - path + expression: + description: 'NetScaler syntax expression for authentication' + type: string + maxLength: 1229 + provider: + description: 'name of the authentication provider for the policy, empty if no authentication required' + type: array + items: + type: string + maxLength: 127 + maxItems: 1 + oneOf: + - required: [resource, provider] + - required: [expression, provider] + + authorization_policies: + description: 'Authorization policies' + type: array + items: + type: object + description: 'Authorization policy' + properties: + resource: + type: object + description: 'endpoint/resource selection criteria' + properties: + path: + description: 'api resource path e.g. /products. ' + type: array + items: + type: string + maxLength: 511 + method: + description: ' http method' + type: array + items: + type: string + enum: ['GET', 'PUT', 'POST', 'DELETE', 'HEAD', 'OPTIONS', 'TRACE', 'CONNECT','PATCH', 'UNKNOWN_METHOD'] + claims: + description: 'authorization scopes required for selected resource saved as claims or attributes' + type: array + items: + type: object + properties: + name: + description: 'name of the claim/attribute to check' + type: string + maxLength: 127 + values: + description: 'list of claim values required for the request' + type: array + items: + type: string + maxLength: 127 + minItems: 1 + required: + - name + - values + required: + - claims + expression: + description: 'NetScaler syntax expression for authorization' + type: string + maxLength: 1229 + oneOf: + - required: [resource] + - required: [expression] +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: listeners.citrix.com +spec: + group: citrix.com + names: + kind: Listener + plural: listeners + singular: listener + scope: Namespaced + versions: + - name: v1 + served: true + storage: true + schema: + openAPIV3Schema: + required: [spec] + type: object + properties: + status: + type: object + properties: + state: + type: string + status_message: + type: string + spec: + type: object + required: [protocol] + properties: + ingressclass: + type: string + description: "Ingress class, if not specified then all NetScaler Ingress Controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" + multicluster: + description: "The setting of this indicates that the VIP/csvserver IP address is shared by multiple netscaler ingress controllers on the VPX/MPX. For CPX, this field is not applicable" + type: boolean + protocol: + type: string + enum: ["udp", "tcp", "https", "http"] + description: "Protocol for this listener" + vip: + type: string + description: "VIP address, Optional for CPX, required for Tier-1 deployments" + secondaryVips: + type: array + description: "An array of Secondary VIPs. All the VIPs will be part of an ipset" + minItems: 1 + items: + type: string + redirectPort: + type: integer + minimum: 1 + maximum: 65535 + description: "Port from which http traffic should be redirected to https" + port: + type: integer + minimum: 1 + maximum: 65535 + certificates: + type: array + description: "certificates attached to the endpoints - Not applicable for HTTP" + minItems: 1 + items: + type: object + properties: + preconfigured: + type: string + description: "Preconfigured Certificate name on NetScaler " + secret: + type: object + description: "Kuberentes secret object" + required: [name] + properties: + name: + type: string + description: "name of the Kubernetes Secret object where Cert is located" + pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' + namespace: + type: string + description: "Namespace of the kubernetes secret object; Default is same namespace where the Listener object is located" + pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' + default: + type: boolean + description: "Only one of the certificate can be marked as default which will be presented if none of the cert matches with the hostname" + oneOf: + - required: ["preconfigured"] + - required: ["secret"] + policies: + type: object + description: "Policies attached to the Listener" + properties: + httpprofile: + type: object + description: "HTTP profile configurations for the Listener, HTTP level configurations" + properties: + preconfigured: + type: string + description: "Preconfigured or Built-in HTTP profile name" + config: + type: object + description: "HTTP profile configuration for the listener. For individual fields, refer: https://developer-docs.netscaler.com/en-us/adc-nitro-api/current-release/configuration/ns/nshttpprofile Name field is auto populated" + additionalProperties: + type: string + oneOf: + - required: ["preconfigured"] + - required: ["config"] + tcpprofile: + type: object + description: "TCP level configurations, uses ns tcpprofile of NetScaler" + properties: + preconfigured: + description: "Preconfigured or Built-in TCP profile name" + type: string + config: + type: object + description: "TCPprofile configurations for the listener. For individual fields refer: https://developer-docs.netscaler.com/en-us/adc-nitro-api/current-release/configuration/ns/nstcpprofile ; Name field is auto populated" + additionalProperties: + type: string + oneOf: + - required: ["preconfigured"] + - required: ["config"] + csvserverConfig: + type: object + description: "CS Vserver configuration for the listener" + additionalProperties: + type: string + sslprofile: + type: object + description: "SSL profile configuration" + properties: + preconfigured: + type: string + description: "SSL profile which is preconfigured in NetScaler. Ciphers bound to the profile is not overriden" + config: + description: "NetScaler frontend SSL profile configurations. Refer: https://developer-docs.netscaler.com/en-us/adc-nitro-api/current-release/configuration/ssl/sslprofile.html for all configurations; Name field is auto generated" + type: object + additionalProperties: + type: string + oneOf: + - required: ["preconfigured"] + - required: ["config"] + sslciphers: + type: array + description: "List of ciphers to be bound to the ssl profile for the listener. Priority is as per the order in the list. A cipher suite, predefined cipher group or User created cipher group can be mentioned" + minItems: 1 + items: + type: string + description: "Cipher suite, cipher group name" + analyticsprofile: + type: object + description: "Analytics profile configuration" + properties: + preconfigured: + type: array + description: "Preconfigured Analytics profile that needs to be bound to the vserver" + minItems: 1 + items: + type: string + description: "Name of the analytics profile preconfigured that will be bound to the Vserver" + config: + type: array + description: "An array of analytics to be enabled" + minItems: 1 + items: + type: object + description: "Anlytics to be enabled" + required: ['type'] + properties: + type: + description: "Analytics profile to be enabled, you can enable one or more of the webinsight, tcpinsight, securityinsight, videoinsight, hdxinsight, gatewayinsight, timeseries, lsninsight, botinsight " + type: string + enum: ["webinsight", "tcpinsight", "securityinsight", "videoinsight", "hdxinsight", "gatewayinsight", "timeseries", "lsninsight", "botinsight"] + parameters: + type: object + description: "Additional parameters for analytics profile. Please refer: https://developer-docs.netscaler.com/en-us/adc-nitro-api/current-release/configuration/analytics/analyticsprofile/" + additionalProperties: + type: string + oneOf: + - required: ["preconfigured"] + - required: ["config"] + routes: + type: array + description: "List of route objects attached to the listener" + minItems: 1 + items: + type: object + properties: + name: + type: string + description: "Name of the HTTPRoute object" + pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' + namespace: + type: string + description: "Namespace of the HTTPRoute object" + pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' + labelSelector: + description: "Labels key value pair, if the route carries the same labels, it is automatically attached" + type: object + additionalProperties: + type: string + oneOf: + - required: [name, namespace] + - required: [labelSelector] + defaultAction: + type: object + description: "Default action for the listener: One of Backend or Redirect" + properties: + backend: + type: object + oneOf: + - required: [kube] + properties: + kube: + type: object + required: [service, port] + properties: + service: + description: "Name of the backend service" + type: string + pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' + port: + description: "Service port" + type: integer + minimum: 1 + maximum: 65535 + namespace: + description: "Service namespace" + type: string + pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' + backendConfig: + description: "General backend service options" + type: object + properties: + secure_backend: + description: "Use Secure communications to the backends" + type: boolean + lbConfig: + description: "NetScaler LB vserver configurations for the backend. Refer: https://developer-docs.netscaler.com/en-us/adc-nitro-api/current-release/configuration/lb/lbvserver.html for all configurations" + type: object + additionalProperties: + type: string + servicegroupConfig: + description: "NetScaler service group configurations for the backend; Refer: https://developer-docs.netscaler.com/en-us/adc-nitro-api/current-release/configuration/basic/servicegroup.html for all configurations" + type: object + additionalProperties: + type: string + redirect: + type: object + oneOf: + - required: [targetExpression] + - required: [hostRedirect] + - required: [httpsRedirect] + properties: + httpsRedirect: + description: "Change the scheme from http to https keeping URL intact" + type: boolean + hostRedirect: + description: "Host name specified is used for redirection with URL intact" + type: string + targetExpression: + description: "A target can be specified using NetScaler policy expression" + type: string + responseCode: + description: "Default response code is 302, which can be customised using this attribute" + type: integer + minimum: 100 + maximum: 599 + oneOf: + - required: ["backend"] + - required: ["redirect"] + subresources: + # status enables the status subresource. + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: httproutes.citrix.com +spec: + group: citrix.com + names: + kind: HTTPRoute + plural: httproutes + singular: httproute + scope: Namespaced + versions: + - name: v1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + required: [spec] + properties: + status: + type: object + properties: + state: + type: string + status_message: + type: string + spec: + type: object + required: [rules] + properties: + ingressclass: + type: string + description: "Ingress class, if not specified then all NetScaler Ingress Controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" + hostname: + type: array + description: "List of domain names that share the same route, default is '*'" + minItems: 1 + items: + type: string + description: "Domain name" + rules: + type: array + description: "List Content routing rules with an action defined" + minItems: 1 + items: + type: object + required: [name, action] + properties: + name: + type: string + description: "A name to represent the rule, this is used as an identifier in content routing policy name in NetScaler" + minLength: 1 + maxLength: 20 + pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' + match: + type: array + description: "List of rules with same action" + minItems: 1 + items: + type: object + anyOf: + - required: [path] + - required: [headers] + - required: [cookies] + - required: [queryParams] + - required: [method] + - required: [policyExpression] + properties: + path: + type: object + description: "URL Path based content routing" + properties: + prefix: + type: string + description: "URL path matches the prefix expression" + exact: + type: string + description: "URL Path must match exact path" + regex: + type: string + description: "PCRE based regex expression for path matching" + headers: + type: array + description: "List of header for content routing - Must match all the rules- Treated as AND condition if more than 1 rule" + minItems: 1 + items: + type: object + description: "Header details for content routing, Check for existence of a header or header name-value match" + properties: + headerName: + type: object + description: "Header name based content routing, Here existence of header is used for routing" + properties: + exact: + type: string + description: "Header Name - treated as exact must exist" + contains: + type: string + description: "Header Name - A header must exist that contain the string the name" + regex: + type: string + description: "header Name - treated as PCRE regex expression" + not: + type: boolean + description: "Default False, if present, rules are inverted. I.e header name must not exist" + oneOf: + - required: [exact] + - required: [contains] + - required: [regex] + headerValue: + type: object + description: "Header Name and Value based match" + properties: + name: + type: string + description: "Header name that must match the value" + exact: + type: string + description: "Header value - treated as exact" + contains: + type: string + description: "Header value - treated as contains" + regex: + type: string + description: "header value - treated as PCRE regex expression" + not: + type: boolean + description: "Default False, if present, rules are inverted. I.e header if present must not match the value" + oneOf: + - required: [name, exact] + - required: [name, contains] + - required: [name, regex] + queryParams: + type: array + description: "List of Query parameters for content routing - Must match all the rules- Treated as AND condition if more than 1 rule" + minItems: 1 + items: + type: object + description: "Query parameters Name and Value based match" + properties: + name: + type: string + description: "Query name that must match the value. If no value is specified, matches with any value" + exact: + type: string + description: "Query value - Exact match" + contains: + type: string + description: "Query value - value must have the string(substring)" + regex: + type: string + description: "Query value - Value must match this regex patterm" + not: + type: boolean + description: "Default False, if present, rules are inverted. I.e query if present must not match the value" + anyOf: + - required: [name] + - oneOf: + - required: [name, exact] + - required: [name, contains] + - required: [name, regex] + cookies: + type: array + description: "List of Cookie params for content routing - Must match all the rules- Treated as AND condition if more than 1 rule" + minItems: 1 + items: + type: object + description: "Cookie based routing" + properties: + name: + type: string + description: "cookie name that must match the value. If no value specified, it matches with any value" + exact: + type: string + description: "cookie value - treated as exact" + contains: + type: string + description: "cookie value - treated as substring" + regex: + type: string + description: "cookie value - treated as PCRE regex expression" + not: + type: boolean + description: "Default False, if present, rules are inverted. I.e cookie if present must not match the value" + anyOf: + - required: [name] + - oneOf: + - required: [name, exact] + - required: [name, contains] + - required: [name, regex] + method: + type: string + description: "HTTP method for content routing eg: POST, PUT, DELETE etc" + policyExpression: + type: string + description: "NetScaler policy expressions; refer: https://developer-docs.netscaler.com/en-us/adc-nitro-api/current-release/configuration/policy/policyexpression.html" + action: + type: object + description: "Action for the matched rule" + properties: + backend: + type: object + oneOf: + - required: [kube] + properties: + kube: + type: object + required: [service, port] + properties: + service: + description: "Name of the backend service" + type: string + pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' + port: + description: "Service port" + type: integer + minimum: 1 + maximum: 65535 + backendConfig: + type: object + description: "General backend service options" + properties: + secureBackend: + description: "Use Secure communications to the backends" + type: boolean + lbConfig: + description: "NetScaler LB vserver configurations for the backend. Refer: https://developer-docs.netscaler.com/en-us/adc-nitro-api/current-release/configuration/lb/lbvserver.html for all configurations" + type: object + additionalProperties: + type: string + servicegroupConfig: + description: "NetScaler service group configurations for the backend; Refer: https://developer-docs.netscaler.com/en-us/adc-nitro-api/current-release/configuration/basic/servicegroup.html for all configurations" + type: object + additionalProperties: + type: string + redirect: + type: object + oneOf: + - required: [targetExpression] + - required: [hostRedirect] + - required: [httpsRedirect] + properties: + httpsRedirect: + description: "Change the scheme from http to https keeping URL intact" + type: boolean + hostRedirect: + description: "Host name specified is used for redirection with URL intact" + type: string + targetExpression: + description: "A target can be specified using NetScaler policy expression" + type: string + responseCode: + description: "Default response code is 302, which can be customised using this attribute" + type: integer + minimum: 100 + maximum: 599 + oneOf: + - required: ["backend"] + - required: ["redirect"] + subresources: + # status enables the status subresource. + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + # name must match the spec fields below, and be in the form: . + name: continuousdeployments.citrix.com +spec: + group: citrix.com + names: + kind: continuousdeployment + plural: continuousdeployments + singular: continuousdeployment + scope: Namespaced + versions: + - name: v1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + x-kubernetes-preserve-unknown-fields: true + properties: + cronSpec: + type: integer + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: wafs.citrix.com +spec: + group: citrix.com + names: + kind: waf + plural: wafs + singular: waf + scope: Namespaced + versions: + - name: v1 + served: true + storage: true + subresources: + status: {} + additionalPrinterColumns: + - name: Status + type: string + description: "Current Status of the CRD" + jsonPath: .status.state + - name: Message + type: string + description: "Status Message" + jsonPath: .status.status_message + schema: + openAPIV3Schema: + type: object + required: [spec] + properties: + status: + type: object + properties: + state: + type: string + status_message: + type: string + spec: + type: object + properties: + ingressclass: + type: string + description: "Ingress class, if not specified then all NetScaler Ingress Controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" + servicenames: + description: 'Name of the services to which the waf policies are applied.' + type: array + items: + type: string + maxLength: 127 + application_type: + description: 'Type of applications to protect' + type: array + items: + type: string + enum: ['HTML', 'JSON', 'XML'] + signatures: + description: 'Location of external signature file' + type: string + redirect_url: + description: 'When a URL is blocked/down, redirect_url represents the alternate URL where the client requests should be sent.' + type: string + html_error_object: + description: 'Location of customized error page to respond when html or common violation are hit' + type: string + xml_error_object: + description: 'Location of customized error page to respond when xml violations are hit' + type: string + json_error_object: + description: 'Location of customized error page to respond when json violations are hit' + type: string + ip_reputation: + type: object + x-kubernetes-preserve-unknown-fields: true + description: 'Enabling IP reputation feature' + target: + description: 'To control what traffic to be inspected by Web Application Firewall. If you do not provide the target, everything will be inspected by default' + type: object + properties: + path: + type: array + description: "List of http urls to inspect" + items: + type: string + description: "URL path" + method: + type: array + description: "List of http methods to inspect" + items: + type: string + enum: ['GET', 'PUT', 'POST', 'DELETE', 'HEAD', 'OPTIONS', 'TRACE', 'CONNECT','PATCH', 'UNKNOWN_METHOD'] + header: + type: array + description: "List of http headers to inspect" + items: + type: string + description: "header name" + security_checks: + description: 'To enable/disable application firewall security checks' + type: object + properties: + common: + type: object + x-kubernetes-preserve-unknown-fields: true + html: + type: object + x-kubernetes-preserve-unknown-fields: true + json: + type: object + x-kubernetes-preserve-unknown-fields: true + xml: + type: object + x-kubernetes-preserve-unknown-fields: true + settings: + description: 'To fine tune application firewall security checks default settings' + type: object + properties: + common: + type: object + x-kubernetes-preserve-unknown-fields: true + html: + type: object + x-kubernetes-preserve-unknown-fields: true + json: + type: object + x-kubernetes-preserve-unknown-fields: true + xml: + type: object + x-kubernetes-preserve-unknown-fields: true + relaxations: + description: 'Section which contains relaxation rules for known traffic and false positives' + type: object + properties: + common: + type: object + x-kubernetes-preserve-unknown-fields: true + html: + type: object + x-kubernetes-preserve-unknown-fields: true + json: + type: object + x-kubernetes-preserve-unknown-fields: true + xml: + type: object + x-kubernetes-preserve-unknown-fields: true + enforcements: + description: 'Section which contains enforcement or restriction rules' + type: object + properties: + common: + type: object + x-kubernetes-preserve-unknown-fields: true + html: + type: object + x-kubernetes-preserve-unknown-fields: true + json: + type: object + x-kubernetes-preserve-unknown-fields: true + xml: + type: object + x-kubernetes-preserve-unknown-fields: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: bots.citrix.com +spec: + group: citrix.com + names: + kind: bot + plural: bots + singular: bot + scope: Namespaced + versions: + - name: v1 + served: true + storage: true + subresources: + status: {} + additionalPrinterColumns: + - name: Status + type: string + description: "Current Status of the CRD" + jsonPath: .status.state + - name: Message + type: string + description: "Status Message" + jsonPath: .status.status_message + schema: + openAPIV3Schema: + type: object + required: [spec] + properties: + status: + type: object + properties: + state: + type: string + status_message: + type: string + spec: + type: object + properties: + ingressclass: + type: string + description: "Ingress class, if not specified then all NetScaler Ingress Controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" + servicenames: + description: 'Name of the services to which the bot policies are applied.' + type: array + items: + type: string + maxLength: 127 + signatures: + description: 'Location of external bot signature file' + type: string + redirect_url: + description: 'url to redirect when bot violation is hit' + type: string + target: + description: 'To control what traffic to be inspected by BOT. If you do not provide the target, everything will be inspected by default' + type: object + properties: + path: + type: array + description: "List of http urls to inspect" + items: + type: string + description: "URL path" + method: + type: array + description: "List of http methods to inspect" + items: + type: string + enum: ['GET', 'PUT', 'POST', 'DELETE', 'HEAD', 'OPTIONS', 'TRACE', 'CONNECT','PATCH', 'UNKNOWN_METHOD'] + header: + type: array + description: "List of http headers to inspect" + items: + type: string + description: "header name" + security_checks: + description: 'To enable/disable bot ecurity checks' + type: object + properties: + allow_list: + type: string + enum: ['ON', 'OFF'] + block_list: + type: string + enum: ['ON', 'OFF'] + device_fingerprint: + type: string + enum: ['ON', 'OFF'] + device_fingerprint_action: + type: object + x-kubernetes-preserve-unknown-fields: true + headless_browser: + type: string + enum: ['ON','OFF'] + reputation: + type: string + enum: ['ON', 'OFF'] + ratelimit: + type: string + enum: ['ON', 'OFF'] + tps: + type: string + enum: ['ON', 'OFF'] + trap: + type: object + x-kubernetes-preserve-unknown-fields: true + bindings: + description: 'Section which contains binding rules for bot security checks' + type: object + properties: + allow_list: + type: array + items: + type: object + properties: + subnet: + type: object + x-kubernetes-preserve-unknown-fields: true + ip: + type: object + x-kubernetes-preserve-unknown-fields: true + ipv6: + type: object + x-kubernetes-preserve-unknown-fields: true + ipv6_subnet: + type: object + x-kubernetes-preserve-unknown-fields: true + expression: + type: object + x-kubernetes-preserve-unknown-fields: true + + block_list: + type: array + items: + type: object + properties: + subnet: + type: object + x-kubernetes-preserve-unknown-fields: true + ip: + type: object + x-kubernetes-preserve-unknown-fields: true + ipv6: + type: object + x-kubernetes-preserve-unknown-fields: true + ipv6_subnet: + type: object + x-kubernetes-preserve-unknown-fields: true + expression: + type: object + x-kubernetes-preserve-unknown-fields: true + ratelimit: + type: array + items: + type: object + properties: + url: + type: object + x-kubernetes-preserve-unknown-fields: true + ip: + type: object + x-kubernetes-preserve-unknown-fields: true + cookie: + type: object + x-kubernetes-preserve-unknown-fields: true + geolocation: + type: object + x-kubernetes-preserve-unknown-fields: true + reputation: + type: object + x-kubernetes-preserve-unknown-fields: true + captcha: + type: array + items: + type: object + x-kubernetes-preserve-unknown-fields: true + properties: + logexp: + type: array + items: + type: object + x-kubernetes-preserve-unknown-fields: true + properties: + kbmexpr: + type: array + items: + type: object + x-kubernetes-preserve-unknown-fields: true + properties: + tps: + type: object + properties: + geolocation: + type: object + x-kubernetes-preserve-unknown-fields: true + host: + type: object + x-kubernetes-preserve-unknown-fields: true + ip: + type: object + x-kubernetes-preserve-unknown-fields: true + url: + type: object + x-kubernetes-preserve-unknown-fields: true + trapinsertion: + type: object + x-kubernetes-preserve-unknown-fields: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: apigatewaypolicies.citrix.com +spec: + group: citrix.com + names: + kind: apigatewaypolicy + plural: apigatewaypolicies + singular: apigatewaypolicy + scope: Namespaced + versions: + - name: v1beta1 + served: true + storage: true + additionalPrinterColumns: + - name: Status + type: string + description: "Current Status of the CRD" + jsonPath: .status.state + - name: Message + type: string + description: "Status Message" + jsonPath: .status.status_message + subresources: + status: {} + schema: + openAPIV3Schema: + type: object + required: [spec] + properties: + status: + type: object + properties: + state: + type: string + status_message: + type: string + spec: + type: object + properties: + api_definition: + type: object + properties: + repository: + type: string + branch: + type: string + oas_secret_ref: + type: string + files: + type: array + items: + type: string + maxLength: 127 + api_proxy: + type: object + properties: + ipaddress: + type: string + port: + type: integer + protocol: + type: string + secret: + type: string + policies: + type: array + items: + type: object + properties: + name: + type: string + selector: + type: array + items: + type: object + properties: + tags: + type: array + items: + type: string + api: + type: string + method: + type: array + items: + type: string + maxLength: 127 + upstream: + type: object + properties: + service: + type: string + port: + type: integer + policy_bindings: + type: object + properties: + ratelimit: + type: object + properties: + name: + type: string + waf: + type: object + properties: + name: + type: string + rewritepolicy: + type: object + properties: + name: + type: string + bot: + type: object + properties: + name: + type: string + aaa: + type: array + items: + type: object + properties: + crd_name: + type: string + mappings: + type: array + items: + type: object + properties: + petstore_auth: + type: string + api_key: + type: string +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: corspolicies.citrix.com +spec: + group: citrix.com + names: + kind: corspolicy + plural: corspolicies + singular: corspolicy + shortNames: + - cp + scope: Namespaced + versions: + - name: v1beta1 + served: true + storage: true + subresources: + status: {} + additionalPrinterColumns: + - name: Status + type: string + description: 'Current Status of the CRD' + jsonPath: .status.state + - name: Message + type: string + description: 'Status Message' + jsonPath: .status.status_message + schema: + openAPIV3Schema: + type: object + properties: + status: + type: object + properties: + state: + type: string + status_message: + type: string + spec: + type: object + properties: + ingressclass: + type: string + description: "Ingress class, if not specified then all NetScaler Ingress Controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" + servicenames: + description: 'The list of Kubernetes services to which you want to apply the cors policies.' + type: array + items: + type: string + maxLength: 63 + allow_origin: + description: 'Represents list of allowed origins, it is used to screen the “origin” in the cors pre flight request' + type: array + items: + type: string + maxLength: 2083 + allow_methods: + description: 'Indicates which methods are supported by the response’s URL for the purposes of the CORS protocol. This variable will be used to set Access-Control-Allow-Methods in the pre-flight cors response.' + type: array + items: + type: string + maxLength: 127 + allow_headers: + description: 'Indicates which headers are supported by the response’s URL for the purposes of the CORS protocol. This variable will be used to set Access-Control-Allow-Headers in the pre-flight cors response.' + type: array + items: + type: string + maxLength: 127 + max_age: + description: 'Indicates the number of seconds (5 by default) the information provided by the `Access-Control-Allow-Methods` and `Access-Control-Allow-Headers` headers can be cached. This variable will be used to set Access-Control-Max-Age in the pre-flight cors response.' + type: integer + allow_credentials: + description: 'Indicates whether the response can be shared when the request’s credentials mode is "include". This variable will be set to Access-Control-Allow-Credentials in the rewrite action.' + type: boolean + required: [servicenames, allow_origin, allow_methods, allow_headers] +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: appqoepolicies.citrix.com +spec: + group: citrix.com + names: + kind: appqoepolicy + plural: appqoepolicies + singular: appqoepolicy + scope: Namespaced + versions: + - name: v1 + served: true + storage: true + subresources: + status: {} + additionalPrinterColumns: + - name: Status + type: string + description: "Current Status of the CRD" + jsonPath: .status.state + - name: Message + type: string + description: "Status Message" + jsonPath: .status.status_message + schema: + openAPIV3Schema: + type: object + properties: + status: + type: object + properties: + state: + type: string + status_message: + type: string + spec: + type: object + properties: + appqoe-policies: + type: array + items: + type: object + properties: + servicenames: + description: 'Name of the services that needs to be binded to appqoe policy.' + type: array + items: + type: string + maxLength: 127 + appqoe-policy: + type: object + properties: + operation-retry: + type: object + properties: + on-reset: + description: "To set Retry on Connection Reset or Not" + type: string + enum: ['YES','NO'] + on-timeout: + description: "Time in milliseconds for retry" + type: integer + minimum: 30 + maximum: 2000 + number-of-retries: + description: "To set number of retries" + type: integer + minimum: 1 + maximum: 7 + required: [operation-retry] + appqoe-criteria: + description: 'Expression against which traffic is evaluated.' + type: string + maxLength: 1299 + direction: + description: 'Bind point to which to bind the policy.' + type: string + enum: ["REQUEST","RESPONSE"] + required: [appqoe-criteria, operation-retry] + required: [appqoe-policy] +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: wildcarddnsentries.citrix.com +spec: + group: citrix.com + names: + kind: wildcarddnsentry + plural: wildcarddnsentries + singular: wildcarddnsentry + scope: Namespaced + versions: + - name: v1 + served: true + storage: true + subresources: + status: {} + additionalPrinterColumns: + - name: Status + type: string + description: Current Status of the CRD + jsonPath: .status.state + - name: Message + type: string + description: Status Message + jsonPath: .status.status_message + schema: + openAPIV3Schema: + type: object + properties: + status: + type: object + properties: + state: + type: string + status_message: + type: string + spec: + type: object + properties: + zone: + type: object + description: DNS configuration for a zone + properties: + domain: + type: string + description: Domain name + dnsaddrec: + type: object + description: DNS Address record + properties: + domain-ip: + type: string + description: IPv4 addresses to assign to the domain name + ttl: + type: integer + description: >- + TTL is the time for which the record must be cached + by DNS proxies + dnsaaaarec: + type: object + description: DNS AAAA record + properties: + domain-ip: + type: string + description: IPv6 addresses to assign to the domain name + ttl: + type: integer + description: >- + TTL is the time for which the record must be cached + by DNS proxies + soarec: + type: object + description: SOA record + properties: + origin-server: + type: string + description: Origin server domain + contact: + type: string + description: Admin contact + serial: + type: integer + description: >- + The secondary server uses this parameter to + determine whether it requires a zone transfer from + the primary server. + refresh: + type: integer + description: >- + Time, in seconds, for which a secondary server must + wait between successive checks on the value of the + serial number. + retry: + type: integer + description: >- + Time, in seconds, between retries if a secondary server's + attempt to contact the primary server for a zone refresh fails. + expire: + type: integer + description: >- + Time, in seconds, after which the zone data on a secondary + nameserver can no longer be considered authoritative because + all refresh and retry attempts made during the period have failed." + nsrec: + type: object + description: Name server record + properties: + nameserver: + type: string + description: Host name of the name server to add to the domain. + ttl: + type: integer + description: >- + Time to Live (TTL), in seconds, for the record. TTL + is the time for which the record must be cached by + DNS proxies. The specified TTL is applied to all the + resource records that are of the same record type + and belong to the specified domain name +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: icappolicies.citrix.com +spec: + group: citrix.com + names: + kind: icappolicy + plural: icappolicies + singular: icappolicy + scope: Namespaced + versions: + - name: v1beta1 + served: true + storage: true + subresources: + status: {} + additionalPrinterColumns: + - name: Status + type: string + description: "Current Status of the CRD" + jsonPath: .status.state + - name: Message + type: string + description: "Status Message" + jsonPath: .status.status_message + schema: + openAPIV3Schema: + type: object + properties: + status: + type: object + properties: + state: + type: string + status_message: + type: string + spec: + type: object + properties: + ingressclass: + description: "Ingress class, if not specified then all NetScaler ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" + type: string + maxLength: 127 + services: + type: array + description: 'Name of the services for which the icap policy needs to be bound' + items: + type: string + icap-servers: + type: object + description: "ICAP service for the ICAP server that will be part of the load balancing setup. The service that you add provides the ICAP connection between the NetScaler appliance and load balancing virtual servers." + properties: + servers: + type: array + items: + type: object + properties: + ip: + type: string + description: 'IP of the ICAP Server' + format: ipv4 + port: + type: integer + description: 'Port number of the ICAP Server.' + minimum: 1 + maximum: 65535 + required: + - ip + - port + server-type: + type: string + description: 'Type of ICAP Server.' + enum: ['TCP', 'SSL_TCP'] + default: 'SSL_TCP' + server_host_cert: + description: |+ + 'Name of the SSL certificate to be used with ICAP server. + This certificate is mandatory for server-type SSL_TCP' + type: object + properties: + tls_secret: + type: string + description: 'Name of the Kubernetes Secret of type tls referring to Certificate' + pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' + preconfigured: + type: string + maxLength: 63 + description: |+ + 'Preconfigured SSL certkey name on NetScaler with the + certificate and key already added on NetScaler' + oneOf: + - required: [tls_secret] + - required: [preconfigured] + required: + - servers + icap: + type: array + items: + type: object + properties: + preconfigured-profile: + description: 'Names of the preconfigured ICAP profile.' + type: string + maxLength: 127 + direction: + description: 'ICAP Mode of operation. It is a mandatory argument while creating an icapprofile.' + type: string + enum: ['REQUEST','RESPONSE'] + profile: + type: object + description: 'ICAP profile(s) of the NetScaler.' + properties: + preview: + description: 'Enable or Disable preview header with ICAP request. This feature allows an ICAP server to see the beginning of a transaction, then decide if it wants to opt-out of the transaction early instead of receiving the remainder of the request message.' + type: string + enum: ["ENABLED", "DISABLED"] + preview-length: + description: 'Value of Preview Header field. NetScaler uses the minimum of this set value and the preview size received on OPTIONS' + type: integer + minimum: 0 + maximum: 4294967294 + uri: + description: 'URI representing icap service. It is a mandatory argument while creating an icapprofile.' + type: string + maxLength: 511 + host-header: + description: 'ICAP Host Header.' + type: string + maxLength: 255 + user-agent-header: + description: 'ICAP User Agent Header' + type: string + maxLength: 255 + query-params: + description: 'Query parameters to be included with ICAP request URI. Entered values should be in arg=value format. For more than one parameters, add & separated values. e.g.: arg1=val1&arg2=val2' + type: string + maxLength: 511 + connection-keep-alive: + description: 'Enable or Disable sending Allow: 204 header in ICAP request.' + type: string + enum: ["ENABLED", "DISABLED"] + insert-icap-headers: + description: 'Insert custom ICAP headers in the ICAP request to send to ICAP server. The headers can be static or can be dynamically constructed using PI Policy Expression. For example, to send static user agent and Client''s IP address, the expression can be specified as "User-Agent: NS-ICAP-Client/V1.0r0-Client-IP: "+CLIENT.IP.SRC+"r0. The NetScaler does not check the validity of the specified header name-value. You must manually validate the specified header syntax.' + type: string + maxLength: 8191 + insert-http-request: + description: 'Exact HTTP request, in the form of an expression, which the NetScaler encapsulates and sends to the ICAP server. If you set this parameter, the ICAP request is sent using only this header. This can be used when the HTTP header is not available to send or ICAP server only needs part of the incoming HTTP request. The request expression is constrained by the feature for which it is used. The NetScaler does not check the validity of this request. You must manually validate the request.' + type: string + maxLength: 8191 + req-timeout: + description: 'Time, in seconds, within which the remote server should respond to the ICAP-request. If the Netscaler does not receive full response with this time, the specified request timeout action is performed. Zero value disables this timeout functionality.' + type: integer + minimum: 0 + maximum: 86400 + req-timeout-action: + description: 'Name of the action to perform if the Vserver/Server representing the remote service does not respond with any response within the timeout value configured. The Supported actions are * BYPASS - This Ignores the remote server response and sends the request/response to Client/Server. * If the ICAP response with Encapsulated headers is not received within the request-timeout value configured, this Ignores the remote ICAP server response and sends the Full request/response to Server/Client' + type: string + enum: ['BYPASS', 'DROP', 'RESET'] + log-action: + description: 'Name of the audit message action which would be evaluated on receiving the ICAP response to emit the logs' + type: string + maxLength: 127 + required: + - uri + content-inspection-criteria: + description: 'Expression that the policy uses to determine whether to execute the specified action.' + type: string + maxLength: 1499 + default-action: + description: 'Action to perform if the result of policy evaluation is undefined (UNDEF). An UNDEF event indicates an internal error condition. Only the above built-in actions can be used' + type: string + maxLength: 127 + log-action: + description: 'Name of the messagelog action to use for requests that match this policy.' + type: string + maxLength: 127 + goto-priority-expression: + description: 'Expression or other value specifying the next policy to be evaluated if the current policy evaluates to TRUE.Specify one of the following values:* NEXT - Evaluate the policy with the next higher priority number.* END - End policy evaluation.Default value of goto-priority-expression: END' + type: string + operation: + description: 'Type of operation this action is going to perform. following actions are available to configure: * ICAP - forward the incoming request or response to an ICAP server for modification. * INLINEINSPECTION - forward the incoming or outgoing packets to IPS server for Intrusion Prevention. * MIRROR - Forwards cloned packets for Intrusion Detection. * NOINSPECTION - This does not forward incoming and outgoing packets to the Inspection device. * NSTRACE - capture current and further incoming packets on this transaction.' + type: string + enum: ['ICAP', 'INLINEINSPECTION', 'MIRROR', 'NOINSPECTION'] + server-failure-action: + description: 'Name of the action to perform if the Vserver representing the remote service is not UP. This is not supported for NOINSPECTION Type. The Supported actions are: * RESET - Reset the client connection by closing it. The client program, such as a browser, will handle this and may inform the user. The client may then resend the request if desired. * DROP - Drop the request without sending a response to the user. * CONTINUE - It bypasses the ContentIsnpection and Continues/resumes the Traffic-Flow to Client/Server.' + type: string + enum: ['CONTINUE', 'DROP', 'RESET'] + oneOf: + - required: [preconfigured-profile] + - required: [profile] + required: + - direction + - content-inspection-criteria + - operation + required: + - ingressclass + - services + - icap-servers + - icap +--- diff --git a/charts/netscaler/netscaler-cpx-with-ingress-controller/2.2.10/templates/NOTES.txt b/charts/netscaler/netscaler-cpx-with-ingress-controller/2.2.10/templates/NOTES.txt new file mode 100644 index 000000000..3b390d5af --- /dev/null +++ b/charts/netscaler/netscaler-cpx-with-ingress-controller/2.2.10/templates/NOTES.txt @@ -0,0 +1,14 @@ +Thank you for installing {{ .Chart.Name }}. + +Your release is named {{ .Release.Name }}. + + +To learn more about the release, try: + + $ helm status {{ .Release.Name }} + $ helm get {{ .Release.Name }} + + +To delete : + helm delete {{ .Release.Name }} + diff --git a/charts/netscaler/netscaler-cpx-with-ingress-controller/2.2.10/templates/_helpers.tpl b/charts/netscaler/netscaler-cpx-with-ingress-controller/2.2.10/templates/_helpers.tpl new file mode 100644 index 000000000..4cb1cc8f2 --- /dev/null +++ b/charts/netscaler/netscaler-cpx-with-ingress-controller/2.2.10/templates/_helpers.tpl @@ -0,0 +1,93 @@ +{{- define "netscaler-cpx-ingress-controller.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "netscaler-cpx-ingress-controller.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{- define "cpxservice.fullname" -}} +{{- $name := default .Chart.Name "cpx-service" .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} + +{{- define "cpxexporter.fullname" -}} +{{- $name := default .Chart.Name "exporter" .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} + +{{- define "cpxservicemonitor.fullname" -}} +{{- $name := default .Chart.Name "netscaler-adc-cpx-servicemonitor" .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} + +{{- define "cpxservicemonitorlabel" -}} +{{- $name := default .Chart.Name "netscaler-adc-cpx-svcmon" .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} + +{{- define "cpxconfigmap.fullname" -}} +{{- $name := default .Chart.Name "cpx-nsic-configmap" .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} + +{{- define "bootupconfigmap.fullname" -}} +{{- $name := default .Chart.Name "cpx-bootup-configmap" .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "netscaler-cpx-ingress-controller.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create the name of the service account to use +*/}} +{{- define "netscaler-cpx-ingress-controller.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} + {{ default (include "netscaler-cpx-ingress-controller.fullname" .) .Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} \ No newline at end of file diff --git a/charts/netscaler/netscaler-cpx-with-ingress-controller/2.2.10/templates/configmap.yaml b/charts/netscaler/netscaler-cpx-with-ingress-controller/2.2.10/templates/configmap.yaml new file mode 100644 index 000000000..93f29f9e3 --- /dev/null +++ b/charts/netscaler/netscaler-cpx-with-ingress-controller/2.2.10/templates/configmap.yaml @@ -0,0 +1,110 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "cpxconfigmap.fullname" . }} + namespace: {{ .Release.Namespace }} +data: + LOGLEVEL: {{ .Values.logLevel | quote | lower }} + JSONLOG: {{ .Values.jsonLog | quote | lower }} +{{- if eq (upper .Values.nsProtocol) "HTTPS" }} + NS_PROTOCOL: "https" +{{- if .Values.cpxBgpRouter }} + NS_PORT: "9443" +{{- else }} + NS_PORT: "443" +{{- end }} +{{- else }} + NS_PROTOCOL: "http" +{{- if .Values.cpxBgpRouter }} + NS_PORT: "9080" +{{- else }} + NS_PORT: "80" +{{- end }} +{{- end }} +{{- if .Values.analyticsConfig.required }} + NS_ENABLE_LABELS: {{ .Values.nsEnableLabel | quote }} +{{- end }} +{{- if ne (upper .Values.nsHTTP2ServerSide) "OFF" }} + NS_HTTP2_SERVER_SIDE: {{ .Values.nsHTTP2ServerSide | quote }} +{{- end }} +{{- if ne (toString .Values.nsCookieVersion) "0" }} + NS_COOKIE_VERSION: {{ .Values.nsCookieVersion | quote }} +{{- end }} +{{- if .Values.nsDnsNameserver }} + NS_DNS_NAMESERVER: {{ .Values.nsDnsNameserver }} +{{- end }} + +{{- if .Values.analyticsConfig.required }} + NS_ANALYTICS_CONFIG: | + distributed_tracing: + enable: {{ .Values.analyticsConfig.distributedTracing.enable | quote }} + samplingrate: {{ .Values.analyticsConfig.distributedTracing.samplingrate }} + endpoint: + {{- if not .Values.analyticsConfig.timeseries.metrics.enableNativeScrape }} + metrics: + service: {{ .Values.analyticsConfig.endpoint.metrics.service | quote }} + {{- end }} + transactions: + service: {{ .Values.analyticsConfig.endpoint.transactions.service | quote }} + timeseries: + port: {{ .Values.analyticsConfig.timeseries.port }} + metrics: + enable: {{ .Values.analyticsConfig.timeseries.metrics.enable | quote }} + mode: {{ .Values.analyticsConfig.timeseries.metrics.mode | quote }} + export_frequency: {{ .Values.analyticsConfig.timeseries.metrics.exportFrequency }} + schema_file: {{ .Values.analyticsConfig.timeseries.metrics.schemaFile | quote }} + enable_native_scrape: {{ .Values.analyticsConfig.timeseries.metrics.enableNativeScrape | quote }} + auditlogs: + enable: {{ .Values.analyticsConfig.timeseries.auditlogs.enable | quote }} + events: + enable: {{ .Values.analyticsConfig.timeseries.events.enable | quote }} + transactions: + enable: {{ .Values.analyticsConfig.transactions.enable | quote }} + port: {{ .Values.analyticsConfig.transactions.port }} +{{- end }} + +{{- if .Values.cpxBgpRouter }} +{{- if .Values.bgpSettings.required }} + NS_BGP_CONFIG: | +{{- with .Values.bgpSettings.bgpConfig }} + bgpConfig: +{{ toYaml . | indent 4 }} +{{- end }} +{{- end }} +{{- end }} + +{{- if .Values.nsLbHashAlgo.required }} + NS_LB_HASH_ALGO: | + hashFingers: {{ .Values.nsLbHashAlgo.hashFingers }} + hashAlgorithm: {{ .Values.nsLbHashAlgo.hashAlgorithm | quote }} +{{- end }} + +{{- if .Values.profileSslFrontend }} + FRONTEND_SSL_PROFILE: | + {{- toYaml .Values.profileSslFrontend | nindent 4 }} +{{- end }} + +{{- if .Values.profileTcpFrontend }} + FRONTEND_TCP_PROFILE: | + {{- toYaml .Values.profileTcpFrontend | nindent 4 }} +{{- end }} + +{{- if .Values.profileHttpFrontend }} + FRONTEND_HTTP_PROFILE: | + {{- toYaml .Values.profileHttpFrontend | nindent 4 }} +{{- end }} + +--- + +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "bootupconfigmap.fullname" . }} + namespace: {{ .Release.Namespace }} +data: + cpx.conf: | + #NetScaler commands + {{- .Values.cpxCommands | nindent 6 -}} + #Shell commands + {{- .Values.cpxShellCommands | nindent 6 -}} + # end of file diff --git a/charts/netscaler/netscaler-cpx-with-ingress-controller/2.2.10/templates/deployment.yaml b/charts/netscaler/netscaler-cpx-with-ingress-controller/2.2.10/templates/deployment.yaml new file mode 100644 index 000000000..402d43211 --- /dev/null +++ b/charts/netscaler/netscaler-cpx-with-ingress-controller/2.2.10/templates/deployment.yaml @@ -0,0 +1,479 @@ +apiVersion: apps/v1 +{{- if or .Values.cpxBgpRouter .Values.daemonSet }} +kind: DaemonSet +{{- else }} +kind: Deployment +{{- end }} +metadata: + name: {{ include "netscaler-cpx-ingress-controller.fullname" . }} + namespace: {{ .Release.Namespace }} +spec: + selector: + matchLabels: + app: {{ include "netscaler-cpx-ingress-controller.fullname" . }} +{{- if not ( or .Values.cpxBgpRouter .Values.daemonSet ) }} + replicas: {{ .Values.replicaCount }} +{{- end }} + template: + metadata: + name: {{ include "netscaler-cpx-ingress-controller.fullname" . }} + labels: + app: {{ include "netscaler-cpx-ingress-controller.fullname" . }} + adc: "citrix" + annotations: +{{- if .Values.analyticsConfig.timeseries.metrics.enableNativeScrape }} + netscaler.prometheus/scrape: "true" + netscaler.prometheus/port: {{ .Values.mgmtHttpPort | quote }} +{{- end }} +{{- with .Values.podAnnotations }} + {{- toYaml . | nindent 8 }} +{{- end }} + spec: + serviceAccountName: {{ include "netscaler-cpx-ingress-controller.serviceAccountName" . }} +{{- if .Values.cpxBgpRouter }} + hostNetwork: true +{{- end }} +{{- if .Values.hostName }} + hostname: {{ .Values.hostName }}-{{ .Release.Namespace }} +{{- end }} + containers: + - name: cpx-ingress + image: "{{ tpl .Values.image . }}" + imagePullPolicy: {{ .Values.pullPolicy }} + tty: true + securityContext: + privileged: true + env: + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace +{{- if .Values.cpxLicenseAggregator }} + - name: "CLA" + value: {{ .Values.cpxLicenseAggregator | quote }} +{{- else if .Values.ADMSettings.licenseServerIP }} + - name: "LS_IP" + value: {{ .Values.ADMSettings.licenseServerIP | quote }} + - name: "LS_PORT" + value: {{ .Values.ADMSettings.licenseServerPort | quote }} +{{- end }} + - name: "EULA" + value: "{{ .Values.license.accept }}" + - name: "KUBERNETES_TASK_ID" + value: "" +{{- if not .Values.cpxBgpRouter }} + - name: "MGMT_HTTP_PORT" + value: {{ .Values.mgmtHttpPort | quote }} + - name: "MGMT_HTTPS_PORT" + value: {{ .Values.mgmtHttpsPort | quote }} +{{- end }} +{{- if .Values.cpxBgpRouter }} + - name: NS_NETMODE + value: HOST +{{- if .Values.nsIP }} + - name: "NS_IP" + value: "{{ .Values.nsIP }}" +{{- end }} +{{- if .Values.nsGateway }} + - name: "NS_GATEWAY" + value: "{{ .Values.nsGateway }}" +{{- end }} +{{- end }} +{{- if .Values.ADMSettings.ADMIP }} + - name: "NS_MGMT_SERVER" + value: {{ .Values.ADMSettings.ADMIP | quote }} + - name: "NS_HTTP_PORT" + value: {{ .Values.mgmtHttpPort | quote }} + - name: "NS_HTTPS_PORT" + value: {{ .Values.mgmtHttpsPort | quote }} +{{- end }} +##Need to set env var BANDWIDTH in order to provide Bandwidth license to NetScaler CPX from ADM or CPX License Aggregator +{{- if or .Values.ADMSettings.licenseServerIP .Values.cpxLicenseAggregator }} +{{- if .Values.ADMSettings.bandWidthLicense }} + - name: "BANDWIDTH" + value: {{ .Values.ADMSettings.bandWidth | quote }} +{{- end }} +##for multiple-PE support, need to set CPX_CORES +{{- if or .Values.ADMSettings.vCPULicense .Values.ADMSettings.bandWidthLicense }} + - name: "CPX_CORES" + value: {{ .Values.ADMSettings.cpxCores | default 1 | quote }} + - name: "EDITION" + value: {{ .Values.ADMSettings.licenseEdition }} +{{- end }} +{{- if .Values.ADMSettings.platform }} + - name: "CPX_CORES" + value: {{ .Values.ADMSettings.cpxCores | default 1 | quote }} + - name: "PLATFORM" + value: "CP1000" +{{- end }} +{{- end }} +{{- if or (.Values.ADMSettings.ADMIP) (.Values.ADMSettings.licenseServerIP) }} + - name: NS_MGMT_USER + valueFrom: + secretKeyRef: + name: {{ required "Provide Secret for ADM/LicenseServer credentials" .Values.ADMSettings.loginSecret }} + key: username + - name: NS_MGMT_PASS + valueFrom: + secretKeyRef: + name: {{ required "Provide Secret for ADM/LicenseServer credentials" .Values.ADMSettings.loginSecret }} + key: password +{{- end }} +{{- if .Values.exporter.required }} + - name: "METRICS_EXPORTER_PORT" + value: {{ .Values.exporter.ports.containerPort | quote }} +{{- end }} + resources: + {{- toYaml .Values.resources | nindent 12 }} + volumeMounts: + - mountPath: /var/deviceinfo + name: shared-data + - mountPath: /cpx/ + name: cpx-volume + - mountPath: /cpx/conf + name: cpx-volume-conf + - mountPath: /cpx/bootup_conf + name: bootupconfig-volume +{{- if .Values.enableStartupProbe }} + startupProbe: + {{- toYaml .Values.startupProbe | nindent 12 }} +{{- end }} +{{- if .Values.enableLivenessProbe }} + livenessProbe: + {{- toYaml .Values.livenessProbe | nindent 12 }} +{{- end }} +{{- if .Values.nsic.required }} + # Add nsic as a sidecar + - name: nsic + image: "{{ tpl .Values.nsic.image . }}" + imagePullPolicy: {{ .Values.nsic.pullPolicy }} + env: +{{- if .Values.nsic.enableLivenessProbe }} + - name: "LIVENESS_FILE_PATH" + value: '/tmp/liveness_path.log' +{{- end }} + - name: "ENABLE_LIVENESS_PROBE" + value: {{ .Values.nsic.enableLivenessProbe | quote }} +{{- if .Values.analyticsConfig.timeseries.metrics.enableNativeScrape }} + - name: "PROM_USER" + valueFrom: + secretKeyRef: + name: {{ required "Provide Secret for read only user for native Prometheus mode" .Values.nsic.prometheusCredentialSecret }} + key: username + - name: "PROM_PASSWORD" + valueFrom: + secretKeyRef: + name: {{ required "Provide Secret for read only user for native Prometheus mode" .Values.nsic.prometheusCredentialSecret }} + key: password +{{- end }} + - name: "EULA" + value: "{{ .Values.license.accept }}" +{{- if .Values.cpxBgpRouter }} + - name: "NS_IP" + value: {{ .Values.nsIP | default "192.168.1.2" | quote }} +{{- else }} + - name: "NS_IP" + value: "127.0.0.1" +{{- end }} +{{- if .Values.rbacRole }} + - name: "SCOPE" + value: "local" +{{- end }} + - name: "NS_APPS_NAME_PREFIX" + value: {{ .Values.entityPrefix | default "k8s"| quote }} + - name: "NS_DEPLOYMENT_MODE" + value: "SIDECAR" +{{- if and .Values.openshift .Values.routeLabels }} + - name: "ROUTE_LABELS" + value: {{ .Values.routeLabels | quote}} +{{- end }} +{{- if and .Values.openshift .Values.namespaceLabels }} + - name: "NAMESPACE_LABELS" + value: {{ .Values.namespaceLabels | quote }} +{{- end }} +{{- if .Values.openshift }} + - name: "PLATFORM" + value: "OPENSHIFT" +{{- else }} + - name: "PLATFORM" + value: "KUBERNETES" +{{- end }} +{{- if .Values.cpxBgpRouter }} +{{- if eq (upper .Values.nsProtocol) "HTTPS" }} + - name: NS_PROTOCOL + value: HTTPS + - name: NS_PORT + value: "9443" +{{- else }} + - name: NS_PROTOCOL + value: HTTP + - name: NS_PORT + value: "9080" +{{- end }} +{{- if .Values.bgpPort }} + - name: "BGP_PORT" + value: {{ .Values.bgpPort | quote }} +{{- end }} +{{- end }} + - name: "NS_ENABLE_MONITORING" + value: "YES" +{{- if .Values.logProxy }} + - name: "NS_LOGPROXY" + value: {{ .Values.logProxy | quote }} +{{- end }} +{{- if .Values.ingressIP }} + - name: "NS_VIP" + value: {{ .Values.ingressIP | quote }} +{{- end }} +{{- if .Values.nitroReadTimeout }} + - name: "NS_NITRO_READ_TIMEOUT" + value: "{{ .Values.nitroReadTimeout }}" +{{- end }} + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName +{{- if .Values.kubernetesURL }} + - name: "kubernetes_url" + value: "{{ .Values.kubernetesURL }}" +{{- end }} +{{- if .Values.disableOpenshiftRoutes }} + - name: "DISABLE_OPENSHIFT_ROUTES" + value: "{{ .Values.disableOpenshiftRoutes }}" +{{- end }} +{{- if .Values.nsConfigDnsRec }} + - name: "NS_CONFIG_DNS_REC" + value: "{{ .Values.nsConfigDnsRec }}" +{{- end }} +{{- if .Values.nsSvcLbDnsRec }} + - name: "NS_SVC_LB_DNS_REC" + value: "{{ .Values.nsSvcLbDnsRec }}" +{{- end }} +{{- if .Values.optimizeEndpointBinding }} + - name: "OPTIMIZE_ENDPOINT_BINDING" + value: "{{ .Values.optimizeEndpointBinding }}" +{{- end }} +{{- if .Values.cpxBgpRouter }} + securityContext: + runAsUser: 0 + capabilities: + add: + - NET_ADMIN +{{- end }} + args: + - --configmap + {{ .Release.Namespace }}/{{ include "cpxconfigmap.fullname" . }} +{{- if .Values.ipam }} + - --ipam + citrix-ipam-controller +{{- end }} +{{- if .Values.disableAPIServerCertVerify }} + - --disable-apiserver-cert-verify + {{ .Values.disableAPIServerCertVerify }} +{{- end }} +{{- if .Values.cpxBgpRouter }} + - --deployment-type + kube-bgp-router +{{- end }} +{{- if .Values.ingressClass }} + - --ingress-classes +{{- range .Values.ingressClass}} + {{.}} +{{- end }} +{{- end }} +{{- if .Values.defaultSSLCertSecret }} + - --default-ssl-certificate + {{ .Release.Namespace }}/{{ .Values.defaultSSLCertSecret }} +{{- end }} +{{- if .Values.defaultSSLSNICertSecret }} + - --default-ssl-sni-certificate + {{ .Release.Namespace }}/{{ .Values.defaultSSLSNICertSecret }} +{{- end }} +{{- if .Values.updateIngressStatus }} + - --update-ingress-status + yes +{{- end }} + volumeMounts: + - mountPath: /var/deviceinfo + name: shared-data +{{- if .Values.nsic.enableReadinessProbe }} + readinessProbe: + {{- toYaml .Values.nsic.readinessProbe | nindent 12 }} +{{- end }} +{{- if .Values.nsic.enableLivenessProbe }} + livenessProbe: + {{- toYaml .Values.nsic.livenessProbe | nindent 12 }} +{{- end }} + resources: + {{- toYaml .Values.nsic.resources | nindent 12 }} +{{- end }} +{{- if .Values.exporter.required }} + - name: exporter + image: "{{ tpl .Values.exporter.image . }}" + imagePullPolicy: {{ .Values.exporter.pullPolicy }} + args: + - "--secure=no" +{{- if .Values.cpxBgpRouter }} + - --target-nsip={{ .Values.nsIP | default "192.168.1.2" }}:9080 +{{- else }} + - "--target-nsip=127.0.0.1" +{{- end }} + - "--port={{ .Values.exporter.ports.containerPort }}" + env: + - name: "NS_DEPLOYMENT_MODE" + value: "SIDECAR" + securityContext: + readOnlyRootFilesystem: true + volumeMounts: + - mountPath: /var/deviceinfo + name: shared-data + resources: + {{- toYaml .Values.exporter.resources | nindent 12 }} +{{- end }} + volumes: + - name: shared-data + emptyDir: {} + - name: cpx-volume + emptyDir: {} + - name: cpx-volume-conf + emptyDir: {} + - name: bootupconfig-volume + configMap: + name: {{ include "bootupconfigmap.fullname" . }} +{{- if and .Values.nodeSelector.key .Values.nodeSelector.value }} + nodeSelector: + {{ .Values.nodeSelector.key }}: {{ .Values.nodeSelector.value }} +{{- end }} +{{- if .Values.tolerations }} + tolerations: {{ .Values.tolerations | toYaml | nindent 8 }} +{{- end }} +{{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} +{{- end }} + +--- +{{- if .Values.cpxBgpRouter }} +{{- if .Values.exporter.required }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "cpxexporter.fullname" . }} + labels: + app: {{ include "cpxexporter.fullname" . }} + service-type: {{ include "cpxservicemonitorlabel" . }} +spec: + type: ClusterIP + ports: + - port: {{ .Values.exporter.ports.containerPort }} + targetPort: {{ .Values.exporter.ports.containerPort }} + name: exporter-port + selector: + app: {{ include "netscaler-cpx-ingress-controller.fullname" . }} +{{- end }} +{{- else }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "cpxservice.fullname" . }} + labels: + app: cpx-service + service-type: {{ include "cpxservicemonitorlabel" . }} + cpx: {{ include "netscaler-cpx-ingress-controller.fullname" . }} +{{- if .Values.serviceAnnotations }} + annotations: +{{- with .Values.serviceAnnotations }} +{{ toYaml . | indent 4 }} +{{- end }} +{{- end }} +spec: +{{- if or .Values.serviceType.loadBalancer.enabled .Values.serviceType.nodePort.enabled }} + externalTrafficPolicy: {{ .Values.serviceSpec.externalTrafficPolicy }} +{{- end }} +{{- if .Values.serviceType.loadBalancer.enabled }} + type: LoadBalancer +{{- if .Values.serviceSpec.loadBalancerIP }} + loadBalancerIP: {{ .Values.serviceSpec.loadBalancerIP }} +{{- end }} +{{- else if .Values.serviceType.nodePort.enabled }} + type: NodePort +{{- end }} +{{- if and .Values.serviceType.loadBalancer.enabled .Values.serviceSpec.loadBalancerSourceRanges }} + loadBalancerSourceRanges: +{{- range .Values.serviceSpec.loadBalancerSourceRanges}} + - {{.}} +{{- end }} +{{- end }} + ports: +{{- if .Values.servicePorts }} +{{- with .Values.servicePorts }} +{{ toYaml . | indent 2 }} +{{- end }} +{{- else }} + - port: 80 + protocol: TCP + name: http +{{- if and .Values.serviceType.nodePort.enabled .Values.serviceType.nodePort.httpPort }} + nodePort: {{ .Values.serviceType.nodePort.httpPort }} +{{- end }} + - port: 443 + protocol: TCP + name: https +{{- if and .Values.serviceType.nodePort.enabled .Values.serviceType.nodePort.httpsPort }} + nodePort: {{ .Values.serviceType.nodePort.httpsPort}} +{{- end }} +{{- end }} +{{- if .Values.exporter.required }} + - port: {{ .Values.exporter.ports.containerPort }} + targetPort: {{ .Values.exporter.ports.containerPort }} + name: exporter-port +{{- end }} + selector: + app: {{ include "netscaler-cpx-ingress-controller.fullname" . }} +{{- end }} + +--- + +{{- if .Values.exporter.required }} + +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ include "cpxservicemonitor.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + servicemonitor: netscaler-cpx + {{- with .Values.exporter.serviceMonitorExtraLabels }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + endpoints: + - interval: 30s + port: exporter-port + selector: + matchLabels: + service-type: {{ include "cpxservicemonitorlabel" . }} + namespaceSelector: + matchNames: + - monitoring + - default + - {{ .Release.Namespace }} + +{{- end }} diff --git a/charts/netscaler/netscaler-cpx-with-ingress-controller/2.2.10/templates/ingressclass.yaml b/charts/netscaler/netscaler-cpx-with-ingress-controller/2.2.10/templates/ingressclass.yaml new file mode 100644 index 000000000..da86715cc --- /dev/null +++ b/charts/netscaler/netscaler-cpx-with-ingress-controller/2.2.10/templates/ingressclass.yaml @@ -0,0 +1,18 @@ +{{- $default := .Values.setAsDefaultIngressClass -}} +{{- if semverCompare ">=1.19.0-0" .Capabilities.KubeVersion.GitVersion }} +{{- if .Values.ingressClass }} +{{- range .Values.ingressClass }} +apiVersion: networking.k8s.io/v1 +kind: IngressClass +metadata: + name: {{ . | quote }} +{{- if $default }} + annotations: + ingressclass.kubernetes.io/is-default-class: "true" +{{- end }} +spec: + controller: citrix.com/ingress-controller +--- +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/netscaler/netscaler-cpx-with-ingress-controller/2.2.10/templates/rbac.yaml b/charts/netscaler/netscaler-cpx-with-ingress-controller/2.2.10/templates/rbac.yaml new file mode 100644 index 000000000..103d8e168 --- /dev/null +++ b/charts/netscaler/netscaler-cpx-with-ingress-controller/2.2.10/templates/rbac.yaml @@ -0,0 +1,106 @@ +{{- if not .Values.rbacRole }} +kind: ClusterRole +{{- else }} +kind: Role +{{- end }} +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ include "netscaler-cpx-ingress-controller.serviceAccountName" . }} +{{- if .Values.rbacRole }} + namespace: {{ .Release.Namespace }} +{{- end }} +rules: + - apiGroups: [""] +{{- if .Values.openshift }} + resources: ["endpoints", "pods", "secrets", "routes", "tokenreviews", "subjectaccessreviews", "nodes", "namespaces", "configmaps", "services"] +{{- else }} + resources: ["endpoints", "pods", "secrets", "routes", "nodes", "namespaces", "configmaps", "services"] +{{- end }} + verbs: ["get", "list", "watch"] + # services/status is needed to update the loadbalancer IP in service status for integrating + # service of type LoadBalancer with external-dns + - apiGroups: [""] + resources: ["services/status"] + verbs: ["patch"] + - apiGroups: [""] + resources: ["events"] + verbs: ["create"] + - apiGroups: ["extensions", "networking.k8s.io"] + resources: ["ingresses"] + verbs: ["get", "list", "watch"] + - apiGroups: ["extensions","networking.k8s.io"] + resources: ["ingresses/status"] + verbs: ["patch"] + - apiGroups: ["networking.k8s.io"] + resources: ["ingressclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["get", "list", "watch"] + - apiGroups: ["apps"] + resources: ["deployments"] + verbs: ["get", "list", "watch"] + - apiGroups: ["citrix.com"] + resources: ["rewritepolicies", "icappolicies", "continuousdeployments", "authpolicies", "ratelimits", "listeners", "httproutes", "wafs", "apigatewaypolicies", "bots", "corspolicies", "appqoepolicies", "wildcarddnsentries"] + verbs: ["get", "list", "watch", "create", "delete", "patch"] + - apiGroups: ["citrix.com"] + resources: ["rewritepolicies/status", "icappolicies/status", "continuousdeployments/status", "authpolicies/status", "ratelimits/status", "listeners/status", "httproutes/status", "wafs/status", "apigatewaypolicies/status", "bots/status", "corspolicies/status", "appqoepolicies/status", "wildcarddnsentries/status"] + verbs: ["patch"] + - apiGroups: ["citrix.com"] + resources: ["vips"] + verbs: ["get", "list", "watch", "create", "delete"] + - apiGroups: ["crd.projectcalico.org"] + resources: ["ipamblocks"] + verbs: ["get", "list", "watch"] +{{- if .Values.openshift }} + - apiGroups: ["route.openshift.io"] + resources: ["routes"] + verbs: ["get", "list", "watch"] + - apiGroups: ["network.openshift.io"] + resources: ["hostsubnets"] + verbs: ["get", "list", "watch"] + - apiGroups: ["config.openshift.io"] + resources: ["networks"] + verbs: ["get", "list"] +{{- end }} + +--- + +{{- if not .Values.rbacRole }} +kind: ClusterRoleBinding +{{- else }} +kind: RoleBinding +{{- end }} +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ include "netscaler-cpx-ingress-controller.serviceAccountName" . }} +{{- if .Values.rbacRole }} + namespace: {{ .Release.Namespace }} +{{- end }} +roleRef: + apiGroup: rbac.authorization.k8s.io +{{- if not .Values.rbacRole }} + kind: ClusterRole +{{- else }} + kind: Role +{{- end }} + name: {{ include "netscaler-cpx-ingress-controller.serviceAccountName" . }} +subjects: +- kind: ServiceAccount + name: {{ include "netscaler-cpx-ingress-controller.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} + +--- + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "netscaler-cpx-ingress-controller.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +{{- if .Values.imagePullSecrets }} +imagePullSecrets: +{{- range .Values.imagePullSecrets }} +- name: {{.}} +{{- end }} +{{- end }} + diff --git a/charts/netscaler/netscaler-cpx-with-ingress-controller/2.2.10/values.yaml b/charts/netscaler/netscaler-cpx-with-ingress-controller/2.2.10/values.yaml new file mode 100644 index 000000000..16cf34e48 --- /dev/null +++ b/charts/netscaler/netscaler-cpx-with-ingress-controller/2.2.10/values.yaml @@ -0,0 +1,306 @@ +# Default values for netscaler-cpx-with-ingress-controller. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +# NetScaler CPX config details +imageRegistry: quay.io +imageRepository: netscaler/netscaler-cpx +imageTag: 14.1-25.111 +image: "{{ .Values.imageRegistry }}/{{ .Values.imageRepository }}:{{ .Values.imageTag }}" +pullPolicy: IfNotPresent +imagePullSecrets: [] +daemonSet: False +nameOverride: "" +replicaCount: 1 +fullnameOverride: "" +mgmtHttpPort: 9080 +mgmtHttpsPort: 9443 +openshift: false +nsHTTP2ServerSide: "OFF" +nsCookieVersion: "0" +nsConfigDnsRec: false +nsSvcLbDnsRec: false +nsDnsNameserver: "" +nsEnableLabel: true +optimizeEndpointBinding: false +routeLabels: "" +namespaceLabels: "" +hostName: "" + +# Service Type LoadBalancer and ingress support with CPX through BGP advertisement +# If you enable this, CPX is run as DaemonSet. Please edit the bgpSettings for configuring +# BGP neighbors for propgation of external IPs. +cpxBgpRouter: false + +# If cpxBgpRouter is true, then this is the NSIP used by CPX for internal communication +nsIP: 192.168.1.2 + +# If cpxBgpRouter is true, then this is the Gateway used by CPX for internal communication +nsGateway: 192.168.1.1 + +# Protocol used for communication between NetScaler Ingress Controller sidecar and NetScaler CPX +nsProtocol: http + +# External IP for ingress resource when bgpRouter is set to True +ingressIP: "" + +# If IPAM controller is used for auto allocation of the external IP for service of type LoadBalancer, set this option to true +ipam: False + +# Enable RBAC role (so called local role), by default NSIC deployed with ClusterRole. +# below variable to deploy NSIC with RBAC role, only ingress service supported with this config +rbacRole: False + +# API server Cert verification can be disabled, while communicating with API Server, if disableAPIServerCertVerify set to True +disableAPIServerCertVerify: False + +cpxLicenseAggregator: "" + +nodeSelector: + key: "" + value: "" +tolerations: [] + +serviceType: + loadBalancer: + enabled: False + nodePort: + enabled: False + httpPort: "" + httpsPort: "" + +serviceAnnotations: {} + +serviceSpec: + externalTrafficPolicy: "Cluster" + loadBalancerIP: "" + loadBalancerSourceRanges: [] + +servicePorts: [] + +# NetScaler Ingress Controller config details +nsic: + imageRegistry: quay.io + imageRepository: netscaler/netscaler-k8s-ingress-controller + imageTag: 2.2.10 + image: "{{ .Values.nsic.imageRegistry }}/{{ .Values.nsic.imageRepository }}:{{ .Values.nsic.imageTag }}" + pullPolicy: IfNotPresent + required: true + resources: + requests: + cpu: 32m + memory: 128Mi + # Following values depends on no of ingresses configured by Ingress Controllers, so it is + # advised to test with maximum no of ingresses to set these values. + # limits: + # cpu: 1000m + # memory: 1000Mi + limits: {} + # Following values depends on no of ingresses configured by Ingress Controllers, so it is + # advised to test with maximum no of ingresses to set these values. + # limits: + # cpu: 1000m + # memory: 1000Mi + prometheusCredentialSecret: "" # K8s Secret Name for read only user creation for native Prometheus support + enableLivenessProbe: True + livenessProbe: + exec: + command: + - /bin/sh + - -c + - | + FILE_PATH="$LIVENESS_FILE_PATH" + [ -f "$FILE_PATH" ] && [ $(( $(date +%s) - $(stat -c %Y "$FILE_PATH") )) -lt 60 ] && exit 0 || exit 1 + initialDelaySeconds: 30 + periodSeconds: 60 + + enableReadinessProbe: True + readinessProbe: + exec: + command: + - cat + - /tmp/readiness + initialDelaySeconds: 50 + periodSeconds: 60 + failureThreshold: 3 + successThreshold: 1 + +entityPrefix: '' +license: + accept: no +ingressClass: [] +setAsDefaultIngressClass: False +# nitroReadTimeout is timeout value in seconds for nitro api read timeout(default is 20) +nitroReadTimeout: 20 +logLevel: INFO +jsonLog: false +defaultSSLCertSecret: "" +defaultSSLSNICertSecret: "" +updateIngressStatus: False +logProxy: "" +kubernetesURL: "" +disableOpenshiftRoutes: false +profileSslFrontend: {} + # preconfigured: my_ssl_profile + # OR + # config: + # tls13: 'ENABLED' + # hsts: 'ENABLED' +profileHttpFrontend: {} + # preconfigured: my_http_profile + # OR + # config: + # dropinvalreqs: 'ENABLED' + # websocket: 'ENABLED' +profileTcpFrontend: {} + # preconfigured: my_tcp_profile + # OR + # config: + # sack: 'ENABLED' + # nagle: 'ENABLED' + + +# NetScaler ADM/License Server config details +ADMSettings: + licenseServerIP: + licenseServerPort: 27000 + ADMIP: "" + loginSecret: "" + bandWidthLicense: false + bandWidth: 1000 #bandwidth value shoule be in Mbps + vCPULicense: false + cpxCores: 1 + platform: false + licenseEdition: PLATINUM + +# Exporter config details +exporter: + required: false + imageRegistry: quay.io + imageRepository: netscaler/netscaler-adc-metrics-exporter + imageTag: 1.4.9 + image: "{{ .Values.exporter.imageRegistry }}/{{ .Values.exporter.imageRepository }}:{{ .Values.exporter.imageTag }}" + pullPolicy: IfNotPresent + ports: + containerPort: 8888 + resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + serviceMonitorExtraLabels: {} + +# Config required to be done by NetScaler Ingress Controller for sending metrics to NetScaler Observability Exporter +analyticsConfig: + required: false + distributedTracing: + enable: false + samplingrate: 100 + endpoint: + metrics: + service: "" + transactions: + service: "" + timeseries: + port: 5563 + metrics: + enable: false + mode: 'avro' + exportFrequency: 30 + schemaFile: schema.json + enableNativeScrape: false + auditlogs: + enable: false + events: + enable: false + transactions: + enable: false + port: 5557 + +# BGP configurations: local AS, remote AS and remote address is mandatory to provide. Please do the approrpiate changes with respect to your environment +bgpSettings: + # When bgpConfig is configured correctly, set the required to true for the configuration to be applied. + required: false + bgpConfig: + - bgpRouter: + # Local AS number for BGP advertisement + localAS: 100 + neighbor: + # Address of the nighbor router for BGP advertisement + - address: "" + # Remote AS number + remoteAS: 100 + advertisementInterval: 10 + ASOriginationInterval: 10 + +bgpPort: 179 + +nsLbHashAlgo: + required: false + hashFingers: 256 + hashAlgorithm: 'DEFAULT' + +# Specifies whether a ServiceAccount should be created +serviceAccount: + create: true + # The name of the ServiceAccount to use. + # If not set and `create` is true, a name is generated using the fullname template + # name: + +podAnnotations: {} + +# This is the resource for CPX container. +resources: + requests: + cpu: 128m + memory: 500Mi + limits: {} + # limits: + # cpu: 500m + # memory: 512Mi + +affinity: {} + +enableStartupProbe: True +startupProbe: + initialDelaySeconds: 30 + periodSeconds: 5 + failureThreshold: 20 + successThreshold: 1 + exec: + command: + - /bin/ping + - -c 1 + - 192.0.0.1 + +enableLivenessProbe: True +livenessProbe: + exec: + command: + - ls + - /tmp/cpx_started + periodSeconds: 5 + failureThreshold: 3 + successThreshold: 1 + + + +# cpxCommands: to provide global config to be applied in CPX. The commands will be executed in order. For e.g. +# add rewrite action rw_act_x_forwarded_proto insert_http_header X-Forwarded-Proto "\"https\"" +# add rewrite policy rw_pol_x_forwarded_proto CLIENT.SSL.IS_SSL rw_act_x_forwarded_proto +# bind rewrite global rw_pol_x_forwarded_proto 10 -type REQ_OVERRIDE +cpxCommands: | + + +# cpxShellCommands: to provide commands that need to be executed in shell of CPX. For e.g. +# touch /etc/a.txt +# echo "this is a" > /etc/a.txt +# echo "this is the file" >> /etc/a.txt +# ls >> /etc/a.txt +cpxShellCommands: | diff --git a/charts/netscaler/netscaler-ingress-controller/2.2.10/Chart.yaml b/charts/netscaler/netscaler-ingress-controller/2.2.10/Chart.yaml new file mode 100644 index 000000000..d92ddf3fd --- /dev/null +++ b/charts/netscaler/netscaler-ingress-controller/2.2.10/Chart.yaml @@ -0,0 +1,20 @@ +annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: NetScaler Ingress Controller + catalog.cattle.io/kube-version: '>=v1.16.0-0' + catalog.cattle.io/release-name: netscaler-ingress-controller +apiVersion: v2 +appVersion: 2.2.10 +description: A Helm chart for NetScaler Ingress Controller configuring MPX/VPX. +home: https://www.netscaler.com +icon: file://assets/icons/netscaler-ingress-controller.png +kubeVersion: '>=v1.16.0-0' +maintainers: +- email: priyanka.sharma@cloud.com + name: priyankash-citrix +- email: subash.dangol@cloud.com + name: subashd +name: netscaler-ingress-controller +sources: +- https://github.com/netscaler/netscaler-k8s-ingress-controller +version: 2.2.10 diff --git a/charts/netscaler/netscaler-ingress-controller/2.2.10/README.md b/charts/netscaler/netscaler-ingress-controller/2.2.10/README.md new file mode 100644 index 000000000..6454196db --- /dev/null +++ b/charts/netscaler/netscaler-ingress-controller/2.2.10/README.md @@ -0,0 +1,533 @@ +# NetScaler Ingress Controller + +[NetScaler](https://www.netscaler.com/) provides an Ingress Controller for NetScaler MPX (hardware), NetScaler VPX (virtualized), and [NetScaler CPX](https://docs.netscaler.com/en-us/citrix-adc-cpx//13/about.html) (containerized) for [bare metal](https://github.com/netscaler/netscaler-k8s-ingress-controller/tree/master/deployment/baremetal) and [cloud](https://github.com/netscaler/netscaler-k8s-ingress-controller/tree/master/deployment) deployments. It configures one (or more) NetScaler based on the Ingress resource configuration in [Kubernetes](https://kubernetes.io/) or in [OpenShift](https://www.openshift.com) cluster. + +## TL;DR; + +### For Kubernetes + ``` + helm repo add netscaler https://netscaler.github.io/netscaler-helm-charts/ + + helm install nsic netscaler/netscaler-ingress-controller --set nsIP=,license.accept=yes,adcCredentialSecret= + ``` + +### For OpenShift + + ``` + helm repo add netscaler https://netscaler.github.io/netscaler-helm-charts/ + + helm install nsic netscaler/netscaler-ingress-controller --set nsIP=,license.accept=yes,adcCredentialSecret=,openshift=true + ``` + +> **Important:** +> +> The `license.accept` argument is mandatory. Ensure that you set the value as `yes` to accept the terms and conditions of the NetScaler license. + +> **NOTE:** +> +> The CRDs supported by NetScaler will be installed automatically with the installation of the Helm Charts if CRDs are not already available in the cluster. + +## Introduction +This Helm chart deploys NetScaler ingress controller in the [Kubernetes](https://kubernetes.io) or in the [Openshift](https://www.openshift.com) cluster using [Helm](https://helm.sh) package manager. + +### Prerequisites + +- The [Kubernetes](https://kubernetes.io/) version should be 1.16 and above if using Kubernetes environment. +- The [Openshift](https://www.openshift.com) version 4.8 or later if using OpenShift platform. +- The [Helm](https://helm.sh/) version 3.x or later. You can follow instruction given [here](https://github.com/netscaler/netscaler-helm-charts/blob/master/Helm_Installation_version_3.md) to install the same. +- You determine the NS_IP IP address needed by the controller to communicate with NetScaler. The IP address might be anyone of the following depending on the type of NetScaler deployment: + + - (Standalone appliances) NSIP - The management IP address of a standalone NetScaler appliance. For more information, see [IP Addressing in NetScaler](https://docs.netscaler.com/en-us/citrix-adc/current-release/networking/ip-addressing.html). + + - (Appliances in High Availability mode) SNIP - The subnet IP address. For more information, see [IP Addressing in NetScaler](https://docs.netscaler.com/en-us/citrix-adc/current-release/networking/ip-addressing.html). + + - (Appliances in Clustered mode) CLIP - The cluster management IP (CLIP) address for a clustered NetScaler deployment. For more information, see [IP addressing for a cluster](https://docs.netscaler.com/en-us/citrix-adc/current-release/clustering/cluster-overview/ip-addressing.html). + +- You have installed [Prometheus Operator](https://github.com/coreos/prometheus-operator), if you want to view the metrics of the NetScaler CPX collected by the [metrics exporter](https://github.com/netscaler/netscaler-k8s-ingress-controller/tree/master/metrics-visualizer#visualization-of-metrics). + +- The user name and password of the NetScaler VPX or MPX appliance used as the ingress device. The NetScaler appliance needs to have system user account (non-default) with certain privileges so that NetScaler ingress controller can configure the NetScaler VPX or MPX appliance. For instructions to create the system user account on NetScaler, see [Create System User Account for NSIC in NetScaler](#create-system-user-account-for-nsic-in-citrix-adc). + + You can pass user name and password using Kubernetes secrets. Create a Kubernetes secret for the user name and password using the following command: + + ``` + kubectl create secret generic nslogin --from-literal=username='nsic' --from-literal=password='mypassword' + ``` + +#### Create system User account for NetScaler ingress controller in NetScaler + +NetScaler ingress controller configures the NetScaler using a system user account of the NetScaler. The system user account should have certain privileges so that the NSIC has permission configure the following on the NetScaler: + +- Add, Delete, or View Content Switching (CS) virtual server +- Configure CS policies and actions +- Configure Load Balancing (LB) virtual server +- Configure Service groups +- Cofigure SSl certkeys +- Configure routes +- Configure user monitors +- Add system file (for uploading SSL certkeys from Kubernetes) +- Configure Virtual IP address (VIP) +- Check the status of the NetScaler appliance + +> **Note:** +> +> The system user account would have privileges based on the command policy that you define. + +To create the system user account, do the following: + +1. Log on to the NetScaler appliance. Perform the following: + 1. Use an SSH client, such as PuTTy, to open an SSH connection to the NetScaler appliance. + + 2. Log on to the appliance by using the administrator credentials. + +2. Create the system user account using the following command: + + ``` + add system user + ``` + + For example: + + ``` + add system user nsic mypassword + ``` + +3. Create a policy to provide required permissions to the system user account. Use the following command: + + ``` + add cmdpolicy nsic-policy ALLOW '^(\?!shell)(\?!sftp)(\?!scp)(\?!batch)(\?!source)(\?!.*superuser)(\?!.*nsroot)(\?!install)(\?!show\s+system\s+(user|cmdPolicy|file))(\?!(set|add|rm|create|export|kill)\s+system)(\?!(unbind|bind)\s+system\s+(user|group))(\?!diff\s+ns\s+config)(\?!(set|unset|add|rm|bind|unbind|switch)\s+ns\s+partition).*|(^install\s*(wi|wf))|(^\S+\s+system\s+file)^(\?!shell)(\?!sftp)(\?!scp)(\?!batch)(\?!source)(\?!.*superuser)(\?!.*nsroot)(\?!install)(\?!show\s+system\s+(user|cmdPolicy|file))(\?!(set|add|rm|create|export|kill)\s+system)(\?!(unbind|bind)\s+system\s+(user|group))(\?!diff\s+ns\s+config)(\?!(set|unset|add|rm|bind|unbind|switch)\s+ns\s+partition).*|(^install\s*(wi|wf))|(^\S+\s+system\s+file)' + ``` + + **Note**: The system user account would have privileges based on the command policy that you define. + The command policy mentioned in ***step 3*** is similar to the built-in `sysAdmin` command policy with another permission to upload files. + + The command policy spec provided above have already escaped special characters for easier copy pasting into the NetScaler command line. + + For configuring the command policy from NetScaler Configuration Wizard (GUI), use the below command policy spec. + + ``` + ^(?!shell)(?!sftp)(?!scp)(?!batch)(?!source)(?!.*superuser)(?!.*nsroot)(?!install)(?!show\s+system\s+(user|cmdPolicy|file))(?!(set|add|rm|create|export|kill)\s+system)(?!(unbind|bind)\s+system\s+(user|group))(?!diff\s+ns\s+config)(?!(set|unset|add|rm|bind|unbind|switch)\s+ns\s+partition).*|(^install\s*(wi|wf))|(^\S+\s+system\s+file)^(?!shell)(?!sftp)(?!scp)(?!batch)(?!source)(?!.*superuser)(?!.*nsroot)(?!install)(?!show\s+system\s+(user|cmdPolicy|file))(?!(set|add|rm|create|export|kill)\s+system)(?!(unbind|bind)\s+system\s+(user|group))(?!diff\s+ns\s+config)(?!(set|unset|add|rm|bind|unbind|switch)\s+ns\s+partition).*|(^install\s*(wi|wf))|(^\S+\s+system\s+file) + ``` + +4. Bind the policy to the system user account using the following command: + + ``` + bind system user nsic nsic-policy 0 + ``` + +## Installing the Chart +Add the NetScaler Ingress Controller helm chart repository using command: + +``` + helm repo add netscaler https://netscaler.github.io/netscaler-helm-charts/ +``` + +### For Kubernetes: +#### 1. NetScaler Ingress Controller +To install the chart with the release name, `my-release`, use the following command: + ``` + helm install my-release netscaler/netscaler-ingress-controller --set nsIP=,license.accept=yes,adcCredentialSecret=,ingressClass[0]= + ``` + +> **Note:** +> +> By default the chart installs the recommended [RBAC](https://kubernetes.io/docs/admin/authorization/rbac/) roles and role bindings. + +The command deploys NetScaler ingress controller on Kubernetes cluster with the default configuration. The [configuration](#configuration) section lists the mandatory and optional parameters that you can configure during installation. + +#### 2. NetScaler Ingress Controller with Exporter +[Metrics exporter](https://github.com/netscaler/netscaler-k8s-ingress-controller/tree/master/metrics-visualizer#visualization-of-metrics) can be deployed along with NetScaler ingress controller and collects metrics from the NetScaler instances. You can then [visualize these metrics](https://docs.netscaler.com/en-us/citrix-k8s-ingress-controller/metrics/promotheus-grafana.html) using Prometheus Operator and Grafana. + +> **Note:** +> Ensure that you have installed [Prometheus Operator](https://github.com/coreos/prometheus-operator). + +Use the following command for this: + ``` + helm install my-release netscaler/netscaler-ingress-controller --set nsIP=,license.accept=yes,adcCredentialSecret=,ingressClass[0]=,exporter.required=true + ``` + +### For Openshift: +Add the name of the service account created when the chart is deployed to the privileged Security Context Constraints of OpenShift: + + ``` + oc adm policy add-scc-to-user privileged system:serviceaccount:: + ``` + +#### 1. NetScaler Ingress Controller +To install the chart with the release name, `my-release`, use the following command: + ``` + helm install my-release netscaler/netscaler-ingress-controller --set nsIP=,license.accept=yes,adcCredentialSecret=,openshift=true + ``` + +The command deploys NetScaler ingress controller on your Openshift cluster in the default configuration. The [configuration](#configuration) section lists the mandatory and optional parameters that you can configure during installation. + +#### 2. NetScaler Ingress Controller with Exporter +[Metrics exporter](https://github.com/netscaler/netscaler-k8s-ingress-controller/tree/master/metrics-visualizer#visualization-of-metrics) can be deployed along with NetScaler ingress controller and collects metrics from the NetScaler instances. You can then [visualize these metrics](https://docs.netscaler.com/en-us/citrix-k8s-ingress-controller/metrics/promotheus-grafana.html) using Prometheus Operator and Grafana. + +> **Note:** +> Ensure that you have installed [Prometheus Operator](https://github.com/coreos/prometheus-operator) + +Use the following command for this: + ``` + helm install my-release netscaler/netscaler-ingress-controller --set nsIP=,license.accept=yes,adcCredentialSecret=,openshift=true,exporter.required=true + ``` + +### Installed components + +The following components are installed: + +- [NetScaler ingress controller](https://github.com/netscaler/netscaler-k8s-ingress-controller) +- [Exporter](https://github.com/netscaler/netscaler-adc-metrics-exporter) (if enabled) + +## Configuration for ServiceGraph: + If NetScaler VPX/MPX need to send data to the NetScaler ADM to bring up the servicegraph, then the below steps can be followed to install NetScaler ingress controller for NetScaler VPX/MPX. NetScaler ingress controller configures NetScaler VPX/MPX with the configuration required for servicegraph. + + 1. Create secret using NetScaler VPX credentials, which will be used by NetScaler ingress controller for configuring NetScaler VPX/MPX: + + kubectl create secret generic nslogin --from-literal=username='nsic' --from-literal=password='mypassword' + + 2. Deploy NetScaler ingress controller using helm command: + + helm install my-release netscaler/netscaler-ingress-controller --set nsIP=,nsVIP=,license.accept=yes,adcCredentialSecret=,analyticsConfig.required=true,analyticsConfig.timeseries.metrics.enable=true,analyticsConfig.timeseries.port=5563,analyticsConfig.distributedTracing.enable=true,analyticsConfig.transactions.enable=true,analyticsConfig.transactions.port=5557,analyticsConfig.endpoint.metrics.service= + +> **Note:** +> If container agent is being used here for NetScaler ADM, please provide `podIP` of container agent in the `analyticsConfig.endpoint.metrics.service` parameter. + +## CRDs configuration + +CRDs will be installed when we install NetScaler ingress controller via Helm automatically if CRDs are not installed in cluster already. If you wish to skip the CRD installation step, you can pass the --skip-crds flag. For more information about this option in Helm please see [this](https://helm.sh/docs/chart_best_practices/custom_resource_definitions/). + +There are a few examples of how to use these CRDs, which are placed in the folder: [Example-CRDs](https://github.com/netscaler/netscaler-helm-charts/tree/master/example-crds). Refer to them and install as needed, using the following command: +```kubectl create -f ``` + +### Details of the supported CRDs: + +#### authpolicies CRD: + +Authentication policies are used to enforce access restrictions to resources hosted by an application or an API server. + +NetScaler provides a Kubernetes CustomResourceDefinitions (CRDs) called the [Auth CRD](https://github.com/netscaler/netscaler-k8s-ingress-controller/tree/master/crd/auth) that you can use with the NetScaler ingress controller to define authentication policies on the ingress NetScaler. + +Example file: [auth_example.yaml](https://github.com/netscaler/netscaler-helm-charts/tree/master/example-crds/auth_example.yaml) + +#### continuousdeployments CRD for canary: + +Canary release is a technique to reduce the risk of introducing a new software version in production by first rolling out the change to a small subset of users. After user validation, the application is rolled out to the larger set of users. NetScaler-Integrated [Canary Deployment solution](https://github.com/netscaler/netscaler-k8s-ingress-controller/tree/master/crd/canary) stitches together all components of continuous delivery (CD) and makes canary deployment easier for the application developers. + +#### httproutes and listeners CRDs for contentrouting: + +[Content Routing (CR)](https://github.com/netscaler/netscaler-k8s-ingress-controller/tree/master/crd/contentrouting) is the execution of defined rules that determine the placement and configuration of network traffic between users and web applications, based on the content being sent. For example, a pattern in the URL or header fields of the request. + +Example files: [HTTPRoute_crd.yaml](https://github.com/netscaler/netscaler-helm-charts/tree/master/example-crds/HTTPRoute_crd.yaml), [Listener_crd.yaml](https://github.com/netscaler/netscaler-helm-charts/tree/master/example-crds/Listener_crd.yaml) + +#### ratelimits CRD: + +In a Kubernetes deployment, you can [rate limit the requests](https://github.com/netscaler/netscaler-k8s-ingress-controller/tree/master/crd/ratelimit) to the resources on the back end server or services using rate limiting feature provided by the ingress NetScaler. + +Example files: [ratelimit-example1.yaml](https://github.com/netscaler/netscaler-helm-charts/tree/master/example-crds/ratelimit-example1.yaml), [ratelimit-example2.yaml](https://github.com/netscaler/netscaler-helm-charts/tree/master/example-crds/ratelimit-example2.yaml) + +#### vips CRD: + +NetScaler provides a CustomResourceDefinitions (CRD) called [VIP](https://github.com/netscaler/netscaler-k8s-ingress-controller/tree/master/crd/vip) for asynchronous communication between the IPAM controller and NetScaler ingress controller. + +The IPAM controller is provided by NetScaler for IP address management. It allocates IP address to the service from a defined IP address range. The NetScaler ingress controller configures the IP address allocated to the service as virtual IP (VIP) in NetScaler ADX VPX. And, the service is exposed using the IP address. + +When a new service is created, the NetScaler ingress controller creates a CRD object for the service with an empty IP address field. The IPAM Controller listens to addition, deletion, or modification of the CRD and updates it with an IP address to the CRD. Once the CRD object is updated, the NetScaler ingress controller automatically configures NetScaler-specfic configuration in the tier-1 NetScaler VPX. + +#### rewritepolicies CRD: + +In kubernetes environment, to deploy specific layer 7 policies to handle scenarios such as, redirecting HTTP traffic to a specific URL, blocking a set of IP addresses to mitigate DDoS attacks, imposing HTTP to HTTPS and so on, requires you to add appropriate libraries within the microservices and manually configure the policies. Instead, you can use the [Rewrite and Responder features](https://github.com/netscaler/netscaler-k8s-ingress-controller/blob/master/crd/rewrite-policy/rewrite-responder-policies-deployment.yaml) provided by the Ingress NetScaler device to deploy these policies. + +Example files: [target-url-rewrite.yaml](https://github.com/netscaler/netscaler-k8s-ingress-controller/blob/master/simplified-deployment-usecases/CRDs/rewrite.md#url-manipulation) + +#### wafs CRD: + +[WAF CRD](https://github.com/netscaler/netscaler-k8s-ingress-controller/blob/master/docs/crds/waf.md) can be used to configure the web application firewall policies with the NetScaler ingress controller on the NetScaler VPX, MPX, SDX, and CPX. The WAF CRD enables communication between the NetScaler ingress controller and NetScaler for enforcing web application firewall policies. + +In a Kubernetes deployment, you can enforce a web application firewall policy to protect the server using the WAF CRD. For more information about web application firewall, see [Web application security](https://docs.netscaler.com/en-us/citrix-adc/current-release/application-firewall/introduction-to-citrix-web-app-firewall.html). + +Example files: [wafhtmlxsssql.yaml](https://github.com/netscaler/netscaler-helm-charts/tree/master/example-crds/wafhtmlxsssql.yaml) + +#### apigateway CRD: + +API Gateway CRD is used to configure gitops framework on NetScaler API gateway. This solution enables NetScaler ingress controller to generate API gateway configurations out of Open API Specification documents checked in to git repository by API developers and designers. + +Example files: [api-gateway-crd-instance.yaml](https://github.com/netscaler/netscaler-helm-charts/tree/master/example-crds/api-gateway-crd-instance.yaml) +#### bots CRD: + +[BOT CRD](https://github.com/netscaler/netscaler-k8s-ingress-controller/blob/master/docs/crds/bot.md) You can use Bot CRDs to configure the bot management policies with the NetScaler ingress controller on the NetScaler VPX. The Bot custom resource definition enables communication between the NetScaler ingress controller and NetScaler for enforcing bot management policies. + +In a Kubernetes deployment, you can enforce bot management policy on therequests and responses from and to the server using the Bot CRDs. For more information on security vulnerabilities, see [Bot Detection](https://docs.netscaler.com/en-us/citrix-adc/current-release/bot-management/bot-detection.html). + +Example files: [botallowlist.yaml](https://github.com/netscaler/netscaler-helm-charts/tree/master/example-crds/botallowlist.yaml) + +#### CORS CRD: + +[CORS CRD](https://github.com/netscaler/netscaler-k8s-ingress-controller/blob/master/docs/crds/cors.md) Cross-origin resource sharing (CORS) is a mechanism allows a web application running under one domain to securely access resources in another domain. You can configure CORS policies on NetScaler using NetScaler ingress controller to allow one domain (the origin domain) to call APIs in another domain. For more information, see the [cross-origin resource sharing CRD](https://github.com/netscaler/netscaler-k8s-ingress-controller/blob/master/docs/crds/cors.md) documentation. + +Example files: [cors-crd.yaml](https://github.com/netscaler/netscaler-helm-charts/tree/master/example-crds/corspolicy-example.yaml) + +#### APPQOE CRD: + +[APPQOE CRD](https://github.com/netscaler/netscaler-k8s-ingress-controller/blob/master/docs/crds/appqoe.md) When a NetScaler appliance receives an HTTP request and forwards it to a back-end server, sometimes there may be connection failures with the back-end server. You can configure the request-retry feature on NetScaler to forward the request to the next available server, instead of sending the reset to the client. Hence, the client saves round trip time when NetScaler initiates the same request to the next available service. +For more information, see the AppQoE support documentation. [Appqoe resource sharing CRD](https://github.com/netscaler/netscaler-k8s-ingress-controller/blob/master/docs/crds/appqoe.md) documentation. + +Example files: [appqoe-crd.yaml](https://github.com/netscaler/netscaler-helm-charts/tree/master/example-crds/appqoe_example.yaml) + +#### WILDCARDDNS CRD: + +[WILDCARDDNS CRD](https://github.com/netscaler/netscaler-k8s-ingress-controller/blob/master/docs/crds/wildcarddns.md) Wildcard DNS domains are used to handle requests for nonexistent domains and subdomains. In a zone, use wildcard domains to redirect queries for all nonexistent domains or subdomains to a particular server, instead of creating a separate Resource Record (RR) for each domain. The most common use of a wildcard DNS domain is to create a zone that can be used to forward mail from the internet to some other mail system. +For more information, see the Wild card DNS domains support documentation. [Wildcard DNS Entry CRD](https://github.com/netscaler/netscaler-k8s-ingress-controller/blob/master/docs/crds/wildcarddns.md) documentation. + +Example files: [wildcarddns-crd.yaml](https://github.com/netscaler/netscaler-helm-charts/tree/master/example-crds/wildcarddns-example.yaml) + +### Tolerations + +Taints are applied on cluster nodes whereas tolerations are applied on pods. Tolerations enable pods to be scheduled on node with matching taints. For more information see [Taints and Tolerations in Kubernetes](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/). + +Toleration can be applied to NetScaler ingress controller pod using `tolerations` argument while deploying NSIC using helm chart. This argument takes list of tolerations that user need to apply on the NSIC pods. + +For example, following command can be used to apply toleration on the NSIC pod: + +``` +helm install my-release netscaler/netscaler-ingress-controller --set nsIP=,license.accept=yes,adcCredentialSecret=,tolerations[0].key=,tolerations[0].value=,tolerations[0].operator=,tolerations[0].effect= +``` + +Here tolerations[0].key, tolerations[0].value and tolerations[0].effect are the key, value and effect that was used while tainting the node. +Effect represents what should happen to the pod if the pod don't have any matching toleration. It can have values `NoSchedule`, `NoExecute` and `PreferNoSchedule`. +Operator represents the operation to be used for key and value comparison between taint and tolerations. It can have values `Exists` and `Equal`. The default value for operator is `Equal`. + +### Resource Quotas +There are various use-cases when resource quotas are configured on the Kubernetes cluster. If quota is enabled in a namespace for compute resources like cpu and memory, users must specify requests or limits for those values; otherwise, the quota system may reject pod creation. The resource quotas for the NSIC containers can be provided explicitly in the helm chart. + +To set requests and limits for the NSIC container, use the variables `resources.requests` and `resources.limits` respectively. + +Below is an example of the helm command that configures +- For NSIC container: +``` + CPU request for 500milli CPUs + CPU limit at 1000m + Memory request for 512M + Memory limit at 1000M +``` +``` +helm install my-release netscaler/netscaler-ingress-controller --set nsIP=,nsVIP=,license.accept=yes,adcCredentialSecret=,resources.requests.cpu=500m,resources.requests.memory=512Mi --set resources.limits.cpu=1000m,resources.limits.memory=1000Mi +``` + +#### Analytics Configuration required for export of metrics to Prometheus + +If NetScaler VPX needs to send data to Prometheus directly without an exporter resource in between, then the below steps can be followed to install NetScaler ingress controller for NetScaler VPX. NSIC configures NetScaler VPX with the configuration required. + +1. Deploy NetScaler ingress controller using helm command: + +``` +helm repo add netscaler https://netscaler.github.io/netscaler-helm-charts/ + +helm install my-release netscaler/netscaler-ingress-controller --set nsIP=,license.accept=yes,adcCredentialSecret=,analyticsConfig.required=true,analyticsConfig.timeseries.metrics.enable=true,analyticsConfig.timeseries.port=5563,analyticsConfig.timeseries.metrics.mode=prometheus,analyticsConfig.timeseries.metrics.enableNativeScrape=true +``` + +2. For the NetScaler VPX to scrape using Prometheus, we need to create a system user with read only access. For more details on the user creation, refer [here](https://docs.netscaler.com/en-us/citrix-adc/current-release/observability/prometheus-integration#configure-read-only-prometheus-access-for-a-non-super-user) + +3. To setup Prometheus in order to scrape natively from NetScaler VPX, a new scrape job is required to be added under scrape_configs in the prometheus [configuration](https://prometheus.io/docs/prometheus/latest/configuration/configuration/). A sample of the Prometheus job is given [here](https://docs.netscaler.com/en-us/citrix-adc/current-release/observability/prometheus-integration#prometheus-configuration) + +> **Note:** +> +> For more details on Prometheus integration, please refer to [this](https://docs.netscaler.com/en-us/citrix-adc/current-release/observability/prometheus-integration) + +### Configuration + +The following table lists the mandatory and optional parameters that you can configure during installation: + +| Parameters | Mandatory or Optional | Default value | Description | +| --------- | --------------------- | ------------- | ----------- | +| license.accept | Mandatory | no | Set `yes` to accept the NSIC end user license agreement. | +| imageRegistry | Mandatory | `quay.io` | The NetScaler ingress controller image registry | +| imageRepository | Mandatory | `netscaler/netscaler-k8s-ingress-controller` | The NetScaler ingress controller image repository | +| imageTag | Mandatory | `2.2.10` | The NetScaler ingress controller image tag | +| pullPolicy | Mandatory | IfNotPresent | The NSIC image pull policy. | +| imagePullSecrets | Optional | N/A | Provide list of Kubernetes secrets to be used for pulling the images from a private Docker registry or repository. For more information on how to create this secret please see [Pull an Image from a Private Registry](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/). | +| nameOverride | Optional | N/A | String to partially override deployment fullname template with a string (will prepend the release name) | +| fullNameOverride | Optional | N/A | String to fully override deployment fullname template with a string | +| resources | Optional | {} | CPU/Memory resource requests/limits for NetScaler Ingress Controller container | +| adcCredentialSecret | Mandatory | N/A | The secret key to log on to the NetScaler VPX or MPX. For information on how to create the secret keys, see [Prerequisites](#prerequistes). | +| secretStore.enabled | Optional | False | Set to "True" for deploying other Secret Provider classes | +| secretStore.username | Optional | N/A | if `secretStore.enabled`, `username` of NetScaler will be fetched from the Secret Provider | +| secretStore.password | Optional | N/A | if `secretStore.enabled`, `password` of NetScaler will be fetched from the Secret Provider | +| nsIP | Mandatory | N/A | The IP address of the NetScaler device. For details, see [Prerequisites](#prerequistes). | +| nsVIP | Optional | N/A | The Virtual IP address on the NetScaler device. | +| nsSNIPS | Optional | N/A | The list of subnet IPAddresses on the NetScaler device, which will be used to create PBR Routes instead of Static Routes [PBR support](https://github.com/netscaler/netscaler-k8s-ingress-controller/tree/master/docs/how-to/pbr.md) | +| nsPort | Optional | 443 | The port used by NSIC to communicate with NetScaler. You can use port 80 for HTTP. | +| nsProtocol | Optional | HTTPS | The protocol used by NSIC to communicate with NetScaler. You can also use HTTP on port 80. | +| nsEnableLabel | Optional | True | Set to true for plotting Servicegraph. Ensure `analyticsConfig` are set. | +| nitroReadTimeout | Optional | 20 | The nitro Read timeout in seconds, defaults to 20 | +| logLevel | Optional | INFO | The loglevel to control the logs generated by NSIC. The supported loglevels are: CRITICAL, ERROR, WARNING, INFO, DEBUG, TRACE and NONE. For more information, see [Logging](https://github.com/netscaler/netscaler-k8s-ingress-controller/blob/master/docs/configure/log-levels.md).| +| jsonLog | Optional | false | Set this argument to true if log messages are required in JSON format | +| nsConfigDnsRec | Optional | false | To enable/disable DNS address Record addition in NetScaler through Ingress | +| nsSvcLbDnsRec | Optional | false | To enable/disable DNS address Record addition in NetScaler through Type Load Balancer Service | +| nsDnsNameserver | Optional | N/A | To add DNS Nameservers in NetScaler | +| optimizeEndpointBinding | Optional | false | To enable/disable binding of backend endpoints to servicegroup in a single API-call. Recommended when endpoints(pods) per application are large in number. Applicable only for NetScaler Version >=13.0-45.7 | +| kubernetesURL | Optional | N/A | The kube-apiserver url that NSIC uses to register the events. If the value is not specified, NSIC uses the [internal kube-apiserver IP address](https://kubernetes.io/docs/tasks/access-application-cluster/access-cluster/#accessing-the-api-from-a-pod). | +| clusterName | Optional | N/A | The unique identifier of the kubernetes cluster on which the NSIC is deployed. Used in GSLB deployments. | +| ingressClass | Optional | N/A | If multiple ingress load balancers are used to load balance different ingress resources. You can use this parameter to specify NSIC to configure NetScaler associated with specific ingress class. For more information on Ingress class, see [Ingress class support](https://docs.netscaler.com/en-us/citrix-k8s-ingress-controller/configure/ingress-classes/). For Kubernetes version >= 1.19, this will create an IngressClass object with the name specified here | +| setAsDefaultIngressClass | Optional | False | Set the IngressClass object as default ingress class. New Ingresses without an "ingressClassName" field specified will be assigned the class specified in ingressClass. Applicable only for kubernetes versions >= 1.19 | +| serviceClass | Optional | N/A | By Default ingress controller configures all TypeLB Service on the NetScaler. You can use this parameter to finetune this behavior by specifing NSIC to only configure TypeLB Service with specific service class. For more information on Service class, see [Service class support]( https://docs.netscaler.com/en-us/citrix-k8s-ingress-controller/configure/service-classes/). | +| nodeWatch | Optional | false | Use the argument if you want to automatically configure network route from the Ingress NetScaler VPX or MPX to the pods in the Kubernetes cluster. For more information, see [Automatically configure route on the NetScaler instance](https://docs.netscaler.com/en-us/citrix-k8s-ingress-controller/network/staticrouting/#automatically-configure-route-on-the-citrix-adc-instance). | +| nsncPbr | Optional | False | Use this argument to inform NSIC that NetScaler Node Controller(NSNC) is configuring Policy Based Routes(PBR) on the NetScaler. For more information, see [NSNC-PBR-SUPPORT](https://github.com/netscaler/netscaler-k8s-ingress-controller/blob/master/docs/network/pbr.md#configure-pbr-using-the-citrix-node-controller) | +| defaultSSLCertSecret | Optional | N/A | Provide Kubernetes secret name that needs to be used as a default non-SNI certificate in NetScaler. | +| defaultSSLSNICertSecret | Optional | N/A | Provide Kubernetes secret name that needs to be used as a default SNI certificate in NetScaler. | +| podIPsforServiceGroupMembers | Optional | False | By default NetScaler Ingress Controller will add NodeIP and NodePort as service group members while configuring type LoadBalancer Services and NodePort services. This variable if set to `True` will change the behaviour to add pod IP and Pod port instead of nodeIP and nodePort. Users can set this to `True` if there is a route between NetScaler and K8s clusters internal pods either using feature-node-watch argument or using NetScaler Node Controller. | +| ignoreNodeExternalIP | Optional | False | While adding NodeIP, as Service group members for type LoadBalancer services or NodePort services, NetScaler Ingress Controller has a selection criteria whereas it choose Node ExternalIP if available and Node InternalIP, if Node ExternalIP is not present. But some users may want to use Node InternalIP over Node ExternalIP even if Node ExternalIP is present. If this variable is set to `True`, then it prioritises the Node Internal IP to be used for service group members even if node ExternalIP is present | +| nsHTTP2ServerSide | Optional | OFF | Set this argument to `ON` for enabling HTTP2 for NetScaler service group configurations. | +| nsCookieVersion | Optional | 0 | Specify the persistence cookie version (0 or 1). | +| profileSslFrontend | Optional | N/A | Specify the frontend SSL profile. For Details see [Configuration using FRONTEND_SSL_PROFILE](https://docs.netscaler.com/en-us/citrix-k8s-ingress-controller/configure/profiles.html#global-front-end-profile-configuration-using-configmap-variables) | +| profileTcpFrontend | Optional | N/A | Specify the frontend TCP profile. For Details see [Configuration using FRONTEND_TCP_PROFILE](https://docs.netscaler.com/en-us/citrix-k8s-ingress-controller/configure/profiles.html#global-front-end-profile-configuration-using-configmap-variables) | +| profileHttpFrontend | Optional | N/A | Specify the frontend HTTP profile. For Details see [Configuration using FRONTEND_HTTP_PROFILE](https://docs.netscaler.com/en-us/citrix-k8s-ingress-controller/configure/profiles.html#global-front-end-profile-configuration-using-configmap-variables) | +| ipam | Optional | False | Set this argument if you want to use the IPAM controller to automatically allocate an IP address to the service of type LoadBalancer. | +| disableAPIServerCertVerify | Optional | False | Set this parameter to True for disabling API Server certificate verification. | +| logProxy | Optional | N/A | Provide Elasticsearch or Kafka or Zipkin endpoint for NetScaler observability exporter. | +| entityPrefix | Optional | k8s | The prefix for the resources on the NetScaler VPX/MPX. | +| multiClusterPrefix | Optional | mc | The prefix for the shared resources on the NetScaler VPX/MPX for multicluster ingress feature. Ingress Controllers that are collaboratively sharing the csvserver IP should be configured with same value for multiclusterPrefix. For more information see [this](https://docs.netscaler.com/en-us/netscaler-k8s-ingress-controller/deploy/multicluster-ingress) | +| updateIngressStatus | Optional | True | Set this argurment if `Status.LoadBalancer.Ingress` field of the Ingress resources managed by the NetScaler ingress controller needs to be updated with allocated IP addresses. For more information see [this](https://github.com/netscaler/netscaler-k8s-ingress-controller/blob/master/docs/configure/ingress-classes.md#updating-the-ingress-status-for-the-ingress-resources-with-the-specified-ip-address). | +| routeLabels | Optional | proxy in () | You can use this parameter to provide the route labels selectors to be used by NetScaler Ingress Controller for routeSharding in OpenShift cluster. | +| namespaceLabels | Optional | N/A | You can use this parameter to provide the namespace labels selectors to be used by NetScaler Ingress Controller for routeSharding in OpenShift cluster. | +| podAnnotations | Optional | N/A | Map of annotations to add to the pods. | +| affinity | Optional | N/A | Affinity labels for pod assignment. | +| exporter.required | Optional | false | Use the argument, if you want to run the [Exporter for NetScaler Stats](https://github.com/netscaler/netscaler-adc-metrics-exporter) along with NSIC to pull metrics for the NetScaler VPX or MPX| +| exporter.imageRegistry | Optional | `quay.io` | The Exporter for NetScaler Stats image registry | +| exporter.imageRepository | Optional | `netscaler/netscaler-adc-metrics-exporter` | The Exporter for NetScaler Stats image repository | +| exporter.imageTag | Optional | `1.4.9` | The Exporter for NetScaler Stats image tag | +| exporter.pullPolicy | Optional | IfNotPresent | The Exporter image pull policy. | +| exporter.ports.containerPort | Optional | 8888 | The Exporter container port. | +| exporter.resources | Optional | {} | CPU/Memory resource requests/limits for Metrics exporter container | +| exporter.extraVolumeMounts | Optional | [] | Specify the Additional VolumeMounts to be mounted in Exporter container. Specify the volumes in `extraVolumes` | +| exporter.serviceMonitorExtraLabels | Optional | | Extra labels for service monitor whem NetScaler-adc-metrics-exporter is enabled. | +| openshift | Optional | false | Set this argument if OpenShift environment is being used. | +| disableOpenshiftRoutes | Optional | false | By default Openshift routes are processed in openshift environment, this variable can be used to disable Ingress controller processing the openshift routes. | +| nodeSelector.key | Optional | N/A | Node label key to be used for nodeSelector option in NSIC deployment. | +| nodeSelector.value | Optional | N/A | Node label value to be used for nodeSelector option in NSIC deployment. | +| tolerations | Optional | N/A | Specify the tolerations for the NSIC deployment. | +| analyticsConfig.required | Mandatory | false | Set this to true if you want to configure NetScaler to send metrics and transaction records to analytics . | +| analyticsConfig.distributedTracing.enable | Optional | false | Set this value to true to enable OpenTracing in NetScaler. | +| analyticsConfig.distributedTracing.samplingrate | Optional | 100 | Specifies the OpenTracing sampling rate in percentage. | +| analyticsConfig.endpoint.metrics.service | Optional | N/A | Set this value as the IP address or DNS address of the analytics server. Format: servicename.namespace, servicename.namespace.svc.cluster.local, namespace/servicename *** This value replaces the analyticsConfig.endpoint.server value used earlier. *** | +| analyticsConfig.endpoint.transactions.service | Optional | N/A | Set this value as the IP address or service name with namespace of the analytics service deployed in k8s environment. Format: namespace/servicename *** This value replaces the analyticsConfig.endpoint.service value used earlier. *** | +| analyticsConfig.timeseries.port | Optional | 30002 | Specify the port used to expose analytics service outside cluster for timeseries endpoint. | +| analyticsConfig.timeseries.metrics.enable | Optional | False | Set this value to true to enable sending metrics from NetScaler. | +| analyticsConfig.timeseries.metrics.mode | Optional | avro | Specifies the mode of metric endpoint. | +| analyticsConfig.timeseries.metrics.exportFrequency | Optional | 30 | Specifies the time interval for exporting time-series data. Possible values range from 30 to 300 seconds. | +| analyticsConfig.timeseries.metrics.schemaFile | Optional | schema.json | Specifies the name of a schema file with the required Netscaler counters to be added and configured for metricscollector to export. A reference schema file reference_schema.json with all the supported counters is also available under the path /var/metrics_conf/. This schema file can be used as a reference to build a custom list of counters. | +| analyticsConfig.timeseries.metrics.enableNativeScrape | Optional | false | Set this value to true for native export of metrics. | +| analyticsConfig.timeseries.auditlogs.enable | Optional | false | Set this value to true to export audit log data from NetScaler. | +| analyticsConfig.timeseries.events.enable | Optional | false | Set this value to true to export events from the NetScaler. | +| analyticsConfig.transactions.enable | Optional | false | Set this value to true to export transactions from NetScaler. | +| analyticsConfig.transactions.port | Optional | 30001 | Specify the port used to expose analytics service outside cluster for transaction endpoint. | +| nsLbHashAlgo.required | Optional | false | Set this value to set the LB consistent hashing Algorithm | +| nsLbHashAlgo.hashFingers | Optional | 256 | Specifies the number of fingers to be used for hashing algorithm. Possible values are from 1 to 1024, Default value is 256 | +| nsLbHashAlgo.hashAlgorithm | Optional | 'default' | Specifies the supported algorithm. Supported algorithms are "default", "jarh", "prac", Default value is 'default' | +| extraVolumeMounts | Optional | [] | Specify the Additional VolumeMounts to be mounted in NSIC container | +| extraVolumes | Optional | [] | Specify the Additional Volumes for additional volumeMounts | +| rbacRole | Optional | false | To deploy NSIC with RBAC Role set rbacRole=true; by default NSIC gets installed with RBAC ClusterRole(rbacRole=false)) | +| nodeLabels | Optional | "" | If there are pods on nodes in the nodes with this nodeLabels, NSIC will configure NetScaler to advertises the VIP using BGP | +| bgpAdvertisement | Optional | False | To advertise VIP using BGP from NetScaler | +| enableLivenessProbe | Optional | True | Enable LivenessProbes settings for NetScaler Ingress Controller | +| enableReadinessProbe | Optional | True | Enable LivenessProbes settings for NetScaler Ingress Controller | +| readinessProbe | Optional | N/A | Set readinessProbe settings NetScaler Ingress Controller | +| livenessProbe| Optional | N/A | Set livenessPorbe settings for NetScaler Ingress Controller | + + +Alternatively, you can define a YAML file with the values for the parameters and pass the values while installing the chart. + +For example: + ``` + helm install my-release netscaler/netscaler-ingress-controller -f values.yaml + ``` + +> **Tip:** +> +> The [values.yaml](https://github.com/netscaler/netscaler-helm-charts/blob/master/netscaler-ingress-controller/values.yaml) contains the default values of the parameters. + +> **Note:** +> +> Please provide frontend-ip (VIP) in your application ingress yaml file. For more info refer [this](https://github.com/netscaler/netscaler-k8s-ingress-controller/blob/master/docs/configure/annotations.md). + +## Route Addition in MPX/VPX +For seamless functioning of services deployed in the Kubernetes cluster, it is essential that Ingress NetScaler device should be able to reach the underlying overlay network over which Pods are running. +`feature-node-watch` knob of NetScaler Ingress Controller can be used for automatic route configuration on NetScaler towards the pod network. Refer [Static Route Configuration](https://github.com/netscaler/netscaler-k8s-ingress-controller/blob/master/docs/network/staticrouting.md) for further details regarding the same. +By default, `feature-node-watch` is false. It needs to be explicitly set to true if auto route configuration is required. + +This can also be achieved by deploying [NetScaler Node Controller](https://github.com/netscaler/netscaler-k8s-node-controller). + +If your deployment uses one single NetScaler Device to loadbalance between multiple k8s clusters, there is a possibilty of CNI subnets to overlap, causing the above mentioned static routing to fail due to route conflicts. In such deployments [Policy Based Routing(PBR)] ( https://docs.netscaler.com/en-us/citrix-adc/current-release/networking/ip-routing/configuring-policy-based-routes/configuring-policy-based-routes-pbrs-for-ipv4-traffic.html) can be used instead. This would require you to provide one or more subnet IP Addresses unique for each kubernetes cluster either via Environment variable or Configmap, see [PBR Support](https://github.com/netscaler/netscaler-k8s-ingress-controller/tree/master/docs/how-to/pbr.md) + + Use the following command to provide subnet IPAddresses(SNIPs) to configure Policy Based Routes(PBR) on the NetScaler + + ``` + helm install my-release netscaler/netscaler-ingress-controller --set nsIP=,license.accept=yes,adcCredentialSecret=,nsSNIPS='[\, \, ...]' + ``` + + [NetScaler Node Controller](https://github.com/netscaler/netscaler-k8s-node-controller) by default also adds static routes while creating the VXLAN tunnel. To use [Policy Based Routing(PBR)] ( https://docs.netscaler.com/en-us/citrix-adc/current-release/networking/ip-routing/configuring-policy-based-routes/configuring-policy-based-routes-pbrs-for-ipv4-traffic.html) to avoid static route clash, both NetScaler Node Controller and NetScaler Ingress Controller has to work in conjunction and has to be started with specific arguments. For more details refer [NSNC-PBR-SUPPORT](https://github.com/netscaler/netscaler-k8s-ingress-controller/blob/master/docs/network/pbr.md#configure-pbr-using-the-citrix-node-controller). + + Use the following command to inform NetScaler Ingress Controller that NetScaler Node Controller is configuring Policy Based Routes(PBR) on the NetScaler + + ``` + helm install my-release netscaler/netscaler-ingress-controller --set nsIP=,license.accept=yes,adcCredentialSecret=,clusterName=,nsncPbr= + ``` + +For configuring static routes manually on NetScaler VPX or MPX to reach the pods inside the cluster follow: +### For Kubernetes: +1. Obtain podCIDR using below options: + ``` + kubectl get nodes -o yaml | grep podCIDR + ``` + * podCIDR: 10.244.0.0/24 + * podCIDR: 10.244.1.0/24 + * podCIDR: 10.244.2.0/24 + +2. Log on to the NetScaler instance. + +3. Add Route in Netscaler VPX/MPX + ``` + add route + ``` +4. Ensure that Ingress MPX/VPX has a SNIP present in the host-network (i.e. network over which K8S nodes communicate with each other. Usually eth0 IP is from this network). + + Example: + * Node1 IP = 192.0.2.1 + * podCIDR = 10.244.1.0/24 + * add route 10.244.1.0 255.255.255.0 192.0.2.1 + +### For OpenShift: +1. Use the following command to get the information about host names, host IP addresses, and subnets for static route configuration. + ``` + oc get hostsubnet + ``` + +2. Log on to the NetScaler instance. + +3. Add the route on the NetScaler instance using the following command. + ```add route ``` + +4. Ensure that Ingress MPX/VPX has a SNIP present in the host-network (i.e. network over which OpenShift nodes communicate with each other. Usually eth0 IP is from this network). + + For example, if the output of the `oc get hostsubnet` is as follows: + * oc get hostsubnet + + NAME HOST HOST IP SUBNET + os.example.com os.example.com 192.0.2.1 10.1.1.0/24 + + * The required static route is as follows: + + add route 10.1.1.0 255.255.255.0 192.0.2.1 + +## Uninstalling the Chart +To uninstall/delete the ```my-release``` deployment: + + ``` + helm delete my-release + ``` + +The command removes all the Kubernetes components associated with the chart and deletes the release. + +## Related documentation + +- [NetScaler ingress controller Documentation](https://docs.netscaler.com/en-us/citrix-k8s-ingress-controller/) +- [NetScaler ingress controller GitHub](https://github.com/netscaler/netscaler-k8s-ingress-controller) diff --git a/charts/netscaler/netscaler-ingress-controller/2.2.10/app-readme.md b/charts/netscaler/netscaler-ingress-controller/2.2.10/app-readme.md new file mode 100644 index 000000000..07cb91739 --- /dev/null +++ b/charts/netscaler/netscaler-ingress-controller/2.2.10/app-readme.md @@ -0,0 +1,5 @@ +# NetScaler Ingress Controller + +[NetScaler Ingress Controller](https://github.com/netscaler/netscaler-k8s-ingress-controller) is an ingress controller for NetScaler MPX (hardware), NetScaler VPX (virtualized), and NetScaler CPX (containerized) for bare metal and cloud deployments. It is built around Kubernetes Ingress and automatically configures NetScaler based on the Ingress resource configuration. + +This chart bootstraps standalone NetScaler Ingress Controller which can be used to configure NetScaler MPX or VPX. diff --git a/charts/netscaler/netscaler-ingress-controller/2.2.10/crds/crds.yaml b/charts/netscaler/netscaler-ingress-controller/2.2.10/crds/crds.yaml new file mode 100644 index 000000000..9db6a9972 --- /dev/null +++ b/charts/netscaler/netscaler-ingress-controller/2.2.10/crds/crds.yaml @@ -0,0 +1,2706 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: rewritepolicies.citrix.com +spec: + group: citrix.com + names: + kind: rewritepolicy + plural: rewritepolicies + singular: rewritepolicy + scope: Namespaced + versions: + - name: v1 + served: true + storage: true + subresources: + status: {} + additionalPrinterColumns: + - name: Status + type: string + description: "Current Status of the CRD" + jsonPath: .status.state + - name: Message + type: string + description: "Status Message" + jsonPath: .status.status_message + schema: + openAPIV3Schema: + type: object + properties: + status: + type: object + properties: + state: + type: string + status_message: + type: string + spec: + type: object + properties: + ingressclass: + type: string + description: "Ingress class, if not specified then all NetScaler Ingress Controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" + rewrite-policies: + type: array + items: + type: object + properties: + servicenames: + description: 'Name of the services that needs to be binded to rewrite policy.' + type: array + items: + type: string + maxLength: 127 + goto-priority-expression: + description: 'Expression or other value specifying the next policy to be + evaluated if the current policy evaluates to TRUE. + Specify one of the following values: + * NEXT - Evaluate the policy with the next higher priority number. + * END - End policy evaluation. + Default value of goto-priority-expression: END' + type: string + maxLength: 1499 + logpackets: + type: object + description: 'Adds an audit message action. + The action specifies whether to log the message, and to which log.' + properties: + logexpression: + description: 'Default-syntax expression that defines the format and content of the log message.' + type: string + maxLength: 7991 + loglevel: + description: 'Audit log level, which specifies the severity level of the log message being generated.' + type: string + enum: ["EMERGENCY", "ALERT", "CRITICAL", "ERROR", "WARNING", "NOTICE", "INFORMATIONAL", "DEBUG"] + required: [logexpression, loglevel] + rewrite-policy: + type: object + properties: + rewrite-criteria: + description: 'Expression against which traffic is evaluated.' + type: string + maxLength: 1299 + default-action: + description: 'Action to perform if the result of policy evaluation is undefined (UNDEF). + An UNDEF event indicates an internal error condition.' + type: string + maxLength: 77 + enum: ['NOREWRITE', 'RESET', 'DROP'] + operation: + description: 'Type of user-defined rewrite action.' + type: string + enum: ["noop", "delete", "insert_http_header", "delete_http_header", + "corrupt_http_header", "insert_before", "insert_after", "replace", + "replace_http_res", "delete_all", "replace_all", "insert_before_all", + "insert_after_all", "clientless_vpn_encode", "clientless_vpn_encode_all", + "clientless_vpn_decode", "clientless_vpn_decode_all", "insert_sip_header", + "delete_sip_header", "corrupt_sip_header", "replace_sip_res", "replace_diameter_header_field", + "replace_dns_header_field", "replace_dns_answer_section"] + target: + description: 'Default syntax expression that specifies which part of the request or response to rewrite.' + type: string + maxLength: 1229 + modify-expression: + description: 'Default syntax expression that specifies the content to insert into the request + or response at the specified location, or that replaces the specified string.' + type: string + maxLength: 7991 + multiple-occurence-modify: + description: 'Search facility that is used to match multiple strings in the request or response.' + type: string + maxLength: 171 + additional-multiple-occurence-modify: + description: 'Specify additional criteria to refine the results of the search. + Always starts with the "extend(m,n)" operation, where "m" specifies number of bytes to the left of selected data + and "n" specifies number of bytes to the right of selected data. + You can use refineSearch only on body expressions, and only when rewrite-criteria is any one of this: + INSERT_BEFORE_ALL, INSERT_AFTER_ALL, REPLACE_ALL, and DELETE_ALL.' + type: string + maxLength: 1299 + direction: + description: 'Bind point to which to bind the policy.' + type: string + enum: ["REQUEST","RESPONSE"] + comment: + description: 'Any comments to preserve information about this rewrite policy.' + type: string + maxLength: 255 + required: [rewrite-criteria, operation, target, direction] + required: [rewrite-policy] + + responder-policies: + type: array + items: + type: object + properties: + servicenames: + description: 'Name of the services that needs to be binded to responder policy.' + type: array + items: + type: string + maxLength: 127 + goto-priority-expression: + description: 'Expression or other value specifying the next policy to be + evaluated if the current policy evaluates to TRUE. + Specify one of the following values: + * NEXT - Evaluate the policy with the next higher priority number. + * END - End policy evaluation. + Default value of goto-priority-expression: END' + type: string + maxLength: 1499 + logpackets: + type: object + description: 'Adds an audit message action. + The action specifies whether to log the message, and to which log.' + properties: + logexpression: + description: 'Default-syntax expression that defines the format and content of the log message.' + type: string + maxLength: 7991 + loglevel: + description: 'Audit log level, which specifies the severity level of the log message being generated.' + type: string + enum: ["EMERGENCY", "ALERT", "CRITICAL", "ERROR", "WARNING", + "NOTICE", "INFORMATIONAL", "DEBUG"] + required: [logexpression, loglevel] + responder-policy: + type: object + properties: + redirect: + type: object + description: 'Use this option when you want to Redirect the request when request matches to policy.' + properties: + url: + description: 'URL on which you want to redirect the request.' + type: string + maxLength: 7991 + redirect-status-code: + description: 'HTTP response status code, for example 200, 302, 404, etc.' + type: integer + minimum: 100 + maximum: 599 + redirect-reason: + description: 'Expression specifying the reason for redirecting the request.' + type: string + maxLength: 7991 + required: [url] + respondwith: + type: object + description: 'Use this parameter when you want to respond to the request when request matches to policy.' + properties: + http-payload-string: + description: 'Expression that you want to sent as response to the request.' + type: string + maxLength: 7991 + required: [http-payload-string] + noop: + type: string + description: 'Use this option when you want to send the request to the protected server instead of + responding to it when request matches to policy.' + properties: + target: + description: 'Default syntax expression that specifies to perform noop operation on' + type: string + maxLength: 1229 + reset: + type: string + description: 'Use this option when you want to Reset the client connection by closing it when request matches to policy.' + properties: + drop: + type: string + description: 'Use this option when you want to drop the request without sending a response to the user when request matches to policy.' + properties: + respond-criteria: + description: 'Default syntax expression that the policy uses to determine whether to respond to the specified request.' + type: string + maxLength: 1299 + default-action: + description: 'Action to perform if the result of policy evaluation is undefined (UNDEF). + An UNDEF event indicates an internal error condition.' + type: string + maxLength: 77 + enum: ['NOOP', 'RESET', 'DROP'] + comment: + description: 'Any comments to preserve information about this responder policy.' + type: string + maxLength: 255 + required: [respond-criteria] + oneOf: [required: [redirect], required: [respondwith], required: [noop], required: [reset], required: [drop]] + required: [responder-policy] + + dataset: + type: array + items: + type: object + properties: + name: + description: 'Name of the dataset.' + type: string + maxLength: 32 + type: + description: 'Type of value to bind to the dataset.' + type: string + enum: ["ipv4", "number", "ipv6", "ulong", "double", "mac"] + comment: + description: 'Any comments to preserve information about this dataset.' + type: string + maxLength: 255 + values: + description: 'Value of the specified type that is associated with this dataset.' + type: array + items: + type: string + required: [name, type, values] + + patset: + type: array + items: + type: object + properties: + name: + description: 'Name of the Patset.' + type: string + maxLength: 32 + comment: + description: 'Any comments to preserve information about this patset.' + type: string + maxLength: 255 + values: + description: 'String of characters that constitutes a pattern and is associated with this patset.' + type: array + items: + type: string + required: [name, values] + + stringmap: + type: array + items: + type: object + properties: + name: + description: 'Name of the Stringmap.' + type: string + maxLength: 32 + comment: + description: 'Any comments to preserve information about this stringmap.' + type: string + maxLength: 255 + values: + description: 'List of (key,value) pairs to be bound to this string map.' + type: array + items: + type: object + properties: + key: + description: 'Character string constituting the key to be bound to this string map.' + type: string + maxLength: 2047 + value: + description: 'Character string constituting the value associated with the key.' + type: string + maxLength: 2047 + required: [name, values] + + httpcallout_policy: + type: array + items: + type: object + properties: + name: + description: 'httpcallout name' + type: string + maxLength: 32 + server_ip: + description: 'IP Address of the server(callout agent) to which the callout is sent.' + type: string + server_port: + description: 'Port of the server(callout agent) to which the callout is sent.' + type: integer + minimum: 1 + maximum: 65535 + http_method: + description: |+ + 'Method used in the HTTP request that this callout sends. + Default http method is GET' + type: string + enum: ['GET', 'POST'] + host_expr: + description: |+ + 'String expression to configure the Host header. Can contain a literal value + (for example, 10.101.10.11) or a derived value (for example, http.req.header("Host")). + The literal value can be an IP address or a fully qualified domain name. Mutually + exclusive with the full HTTP request expression.' + type: string + maxLength: 255 + url_stem_expr: + description: |+ + 'String expression for generating the URL stem. Can contain a literal string + (for example, "/mysite/index.html") or an expression that derives the value + (for example, http.req.url).' + type: string + maxLength: 8191 + headers: + type: array + description: |+ + 'One or more headers to insert into the HTTP request. Each header is represented by + name and expr, where expr is an expression that is evaluated at runtime to provide + the value for the named header. You can configure a maximum of eight headers for + an HTTP callout.' + items: + type: object + properties: + name: + description: 'header name' + type: string + expr: + description: 'header expression' + type: string + parameters: + type: array + description: |+ + 'One or more query parameters to insert into the HTTP request URL (for a GET request) + or into the request body (for a POST request). Each parameter is represented by + name and expr, where expr is an expression that is evaluated at run time to provide + the value for the named parameter (name=value). The parameter values are URL encoded.' + items: + type: object + properties: + name: + description: 'parameter name' + type: string + expr: + description: 'parameter expression' + type: string + body_expr: + description: |+ + 'An advanced string expression for generating the body of the request. + The expression can contain a literal string or an expression that derives + the value (for example, client.ip.src).' + type: string + full_req_expr: + description: |+ + 'Exact HTTP request, in the form of an expression, which the NetScaler sends + to the callout agent. The request expression is constrained by the feature + for which the callout is used. For example, an HTTP.RES expression cannot be + used in a request-time policy bank or in a TCP content switching policy bank.' + type: string + scheme: + description: |+ + 'Type of scheme for the callout server. + Default scheme is HTTP' + type: string + enum: ['HTTP', 'HTTPS'] + cache_for_secs: + description: |+ + 'Duration, in seconds, for which the callout response is cached. + The cached responses are stored in an integrated caching content + group named "calloutContentGroup". If no duration is configured, + the callout responses will not be cached unless normal caching + configuration is used to cache them. This parameter takes precedence over any + normal caching configuration that would otherwise apply to these responses.' + type: integer + minimum: 1 + maximum: 31536000 + return_type: + description: |+ + 'Type of data that the target callout agent returns in response to the callout + Available settings function as follows: + * TEXT - Treat the returned value as a text string. + * NUM - Treat the returned value as a number. + * BOOL - Treat the returned value as a Boolean value.' + type: string + enum: ['TEXT', 'NUM', 'BOOL'] + result_expr: + description: |+ + 'Expression that extracts the callout results from the response sent by the HTTP callout + agent. Must be a response based expression, that is, it must begin with HTTP.RES. The + operations in this expression must match the return type. For example, if you configure + a return type of TEXT, the result expression must be a text based expression. If the + return type is NUM, the result expression (resultExpr) must return a numeric value, + as in the following example: http.res.body(10000).length.' + type: string + maxLength: 8191 + comment: + description: 'Any comments to preserve information about this HTTP callout.' + type: string + maxLength: 255 + allOf: + - properties: + required: [name, server_ip, server_port] + - properties: + oneOf: + - properties: + required: [full_req_expr] + - properties: + anyOf: + - properties: + required: [http_method] + - properties: + required: [host_expr] + - properties: + required: [url_stem_expr] + - properties: + required: [headers] + - properties: + required: [parameters] + - properties: + required: [body_expr] + anyOf: [required: [rewrite-policies], required: [responder-policies]] +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: ratelimits.citrix.com +spec: + group: citrix.com + names: + kind: ratelimit + plural: ratelimits + singular: ratelimit + scope: Namespaced + versions: + - name: v1beta1 + served: true + storage: true + subresources: + status: {} + additionalPrinterColumns: + - name: Status + type: string + description: "Current Status of the CRD" + jsonPath: .status.state + - name: Message + type: string + description: "Status Message" + jsonPath: .status.status_message + schema: + openAPIV3Schema: + type: object + properties: + status: + type: object + properties: + state: + type: string + status_message: + type: string + spec: + type: object + properties: + ingressclass: + type: string + description: "Ingress class, if not specified then all NetScaler Ingress Controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" + servicenames: + description: 'Name of the services to which the ratelimit policies are applied.' + type: array + items: + type: string + maxLength: 127 + selector_keys: + type: object + description: 'Traffic match criteria to which apply above rate-limit/throttling. All keys are applied as AND condition. If no keys are specified, rate-limit applies at service level' + properties: + basic: + type: object + description: "Basic traffic stream selection criteria to which to apply the ratelimit" + properties: + path: + type: array + description: "api resource path prefix match. e.g. /api/v1/products" + items: + type: string + method: + type: array + items: + type: string + enum: ['GET', 'PUT', 'POST', 'DELETE', 'HEAD', 'OPTIONS', 'TRACE', 'CONNECT','PATCH', 'UNKNOWN_METHOD'] + header_name: + description: "HTTP header that identifies the unique API client for e.g. X-apikey" + type: string + per_client_ip: + description: "Setting this applies the throttling limit to each unique Client IP address accessing the API resource" + type: boolean + req_threshold: + description: 'Max requests per timeslice units to be allowed' + type: integer + timeslice: + description: 'Timeslice in miliseconds in multiple of 10. Defaults to 1000 miliseconds' + type: integer + limittype: + description: "Burst mode or smooth. Defaults to smooth limittype if not specified" + type: string + enum: ['BURSTY','SMOOTH'] + throttle_action: + type: string + enum: ['DROP', 'RESET','REDIRECT', 'RESPOND'] + description: "Drop will drop the requests exceeding limits, RESET will reset the client connection, Redirect will redirect to specified URL, respond will respond with 429 'Exceeded allowed rate of requests'" + redirect_url: + type: string + description: "Redirect-URL" + logpackets: + type: object + description: 'Adds an audit message action. The action specifies whether to log the message, and to which log.' + properties: + logexpression: + description: 'Default-syntax expression that defines the format and content of the log message.' + type: string + maxLength: 7991 + loglevel: + description: 'Audit log level, which specifies the severity level of the log message being generated.' + type: string + enum: ["EMERGENCY", "ALERT", "CRITICAL", "ERROR", "WARNING", "NOTICE", "INFORMATIONAL", "DEBUG"] + required: [logexpression, loglevel] + required: [req_threshold] +--- +#Sample CRD instance + +#apiVersion: citrix.com/v1 +#description: VIP for apache service +#kind: vip +#metadata: +# name: service-apache +# namespace: default +#spec: +# description: VIP for the apache Service +# ipaddress: 10.99.98.90 +# kind: service +# name: apache + +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: vips.citrix.com +spec: + group: citrix.com + names: + kind: vip + plural: vips + singular: vip + scope: Namespaced + versions: + - name: v1 + served: true + storage: true + additionalPrinterColumns: + - jsonPath: .spec.ipaddress + name: VIP + type: string + - name: Age + type: date + jsonPath: .metadata.creationTimestamp + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + properties: + ipaddress: + type: string + name: + type: string + kind: + type: string + enum: ["service", "ingress", "listener"] + description: + type: string + range-name: + type: string + multicluster: + description: "The setting of this indicates that the VIP/csvserver IP address is shared by multiple netscaler ingress controllers on the VPX/MPX. For CPX, this field is not applicable" + type: boolean +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: authpolicies.citrix.com +spec: + group: citrix.com + names: + kind: authpolicy + plural: authpolicies + singular: authpolicy + scope: Namespaced + versions: + - name: v1beta1 + served: true + storage: true + subresources: + status: {} + additionalPrinterColumns: + - name: Status + type: string + description: 'Current Status of the CRD' + jsonPath: .status.state + - name: Message + type: string + description: 'Status Message' + jsonPath: .status.status_message + schema: + openAPIV3Schema: + type: object + properties: + status: + type: object + properties: + state: + type: string + status_message: + type: string + spec: + type: object + properties: + ingressclass: + type: string + description: "Ingress class, if not specified then all NetScaler Ingress Controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" + servicenames: + description: |+ + 'Name of the services for which the policies applied' + type: array + items: + type: string + maxLength: 63 + authentication_mechanism: + type: object + description: |+ + 'Authentication mechanism. Options: using forms or using request header. + Default is Authentication using request header, when no option is specified' + properties: + using_request_header: + description: |+ + 'Enable user authentication using request header. Use when the credentials + or api keys are passed in a header. For example, when using Basic, Digest, + Bearer authentication or api keys. + When authentication using forms is provided, this is set to OFF' + + type: string + using_forms: + type: object + description: 'Enables authentication using forms. Use with user/web authentication.' + properties: + authentication_host: + description: |+ + 'Fully qualified domain name (FQDN) for authentication. + This FQDN should be unique and should resolve to frontend IP of + NetScaler with Ingress/service type LoadBalancer (or) vip of Listener CRD' + type: string + maxLength: 255 + authentication_host_cert: + description: |+ + 'Name of the SSL certificate to be used with authentication_host. + This certificate is mandatory while using_forms' + type: object + properties: + tls_secret: + type: string + description: 'Name of the Kubernetes Secret of type tls referring to Certificate' + pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' + preconfigured: + type: string + maxLength: 63 + description: |+ + 'Preconfigured SSL certkey name on NetScaler with the + certificate and key already added on NetScaler' + oneOf: + - properties: + required: [tls_secret] + - properties: + required: [preconfigured] + ingress_name: + description: |+ + 'Ingress name for which the authentication using forms + is applicable.' + type: string + maxLength: 63 + lb_service_name: + description: |+ + 'Service of type LoadBalancer for which the authentication using forms + is applicable.' + type: string + maxLength: 63 + listener_name: + description: |+ + 'Listener CRD name for which the authentication using forms is applicable.' + type: string + maxLength: 63 + vip: + description: |+ + 'Frontend IP of ingress for which the authentication + using forms is applicable. This refers to frontend-ip provided + with Ingress. It is suggested to use vip, if more than one Ingress + resource use the same frontend-ip' + type: string + required: [authentication_host, authentication_host_cert] + oneOf: + - properties: + required: [ingress_name] + - properties: + required: [lb_service_name] + - properties: + required: [listener_name] + - properties: + required: [vip] + oneOf: + - properties: + using_request_header: + enum: ['ON'] + required: [using_request_header] + - properties: + required: [using_forms] + + authentication_providers: + description: |+ + 'Authentication Configuration for required authentication providers/schemes. + One or more of these can be created' + type: array + items: + description: 'Create config for a single authentication provider of a particular type' + type: object + properties: + name: + description: 'Name for this provider, has to be unique, referenced by authentication policies' + type: string + maxLength: 127 + + oauth: + description: 'Authentication provided by external oAuth provider' + type: object + properties: + issuer: + description: 'Identity of the server whose tokens are to be accepted' + type: string + maxLength: 127 + audience: + description: 'Audience for which token sent by Authorization server is applicable' + type: array + items: + type: string + maxLength: 127 + jwks_uri: + description: |+ + 'URL of the endpoint that contains JWKs (Json Web Key) for + JWT (Json Web Token) verification' + type: string + maxLength: 127 + introspect_url: + description: ' URL of the introspection server' + type: string + maxLength: 127 + client_credentials: + description: |+ + 'secrets object that contains Client Id and secret as known + to Introspection server' + type: string + maxLength: 253 + token_in_hdr: + description: |+ + 'custom header name where token is present, + default is Authorization header' + type: array + items: + type: string + maxLength: 127 + maxItems: 2 + token_in_param: + description: 'query parameter name where token is present' + type: array + items: + type: string + maxLength: 127 + maxItems: 2 + signature_algorithms: + description: 'list of allowed signature algorithms, by default HS256, RS256, RS512 are allowed' + type: array + items: + type: string + enum: ['HS256', 'RS256', 'RS512'] + claims_to_save: + description: 'list of claims to be saved, used to create authorization policies' + type: array + items: + type: string + maxLength: 127 + metadata_url: + description: 'URL used to get OAUTH/OIDC provider metadata' + type: string + maxLength: 255 + user_field: + description: |+ + 'Attribute in the token from which username should be extracted. + by default, NetScaler looks at email attribute for user id' + type: string + maxLength: 127 + default_group: + description: |+ + 'group assigned to the request if authentication succeeds, + this is in addition to any extracted groups from token' + type: string + maxLength: 63 + grant_type: + description: 'used to specify the type of flow to the token end point, defaults to CODE' + type: array + items: + type: string + enum: ['CODE','PASSWORD'] + pkce: + description: 'specify whether to enable Proof Key Code Exchange, defaults to ENABLED' + type: string + enum: ['ENABLED', 'DISABLED'] + token_ep_auth_method: + description: |+ + 'authentication method to be used with token end point, + defaults to client_secret_post' + type: string + enum: ['client_secret_post', 'client_secret_jwt'] + + anyOf: + - properties: + required : [jwks_uri] + - properties: + required : [introspect_url, client_credentials] + - properties: + required : [metadata_url] + + ldap: + description: 'LDAP authentication provider' + type: object + properties: + server_ip: + description: 'IP address assigned to the LDAP server' + type: string + server_name: + description: 'LDAP server name as a FQDN' + type: string + maxLength: 127 + server_port: + description: 'Port on which the LDAP server accepts connections. Default is 389' + type: integer + minimum: 1 + maximum: 65535 + base: + description: |+ + 'Base (node) from which to start LDAP searches. If the LDAP server is + running locally, the default value of base is dc=netscaler, dc=com' + type: string + maxLength: 127 + server_login_credentials: + description: |+ + 'Kubernetes secret object providing credentials to login to LDAP server, + The secret data should have username and password' + type: string + login_name: + description: |+ + 'LDAP login name attribute. The NetScaler uses the LDAP login name + to query external LDAP servers or Active Directories' + type: string + maxLength: 127 + security_type: + description: |+ + 'Type of security used for communications between the NetScaler + and the LDAP server. Default is TLS' + type: string + enum: ['PLAINTEXT', 'TLS', 'SSL'] + validate_server_cert: + description: 'Validate LDAP Server certs. Default is NO' + type: string + enum: ['YES', 'NO'] + hostname: + description: |+ + 'Hostname for the LDAP server. If validate_server_cert is ON, + this must be the host name on the certificate from the LDAP + A hostname mismatch will cause a connection failure' + type: string + maxLength: 127 + sub_attribute_name: + description: 'LDAP group sub-attribute name. Used for group extraction from the LDAP server.' + type: string + maxLength: 31 + group_attribute_name: + description: 'LDAP group attribute name. Used for group extraction on the LDAP server.' + type: string + maxLength: 31 + search_filter: + description: |+ + 'String to be combined with the default LDAP user search string to form the + search value. For example, if the search filter "vpnallowed=true" is combined + with the LDAP login name "samaccount" and the user-supplied username is "bob", + the result is the LDAP search string ""(&(vpnallowed=true)(samaccount=bob)"" + (Be sure to enclose the search string in two sets of double quotation marks)' + type: string + maxLength: 255 + auth_timeout: + description: |+ + 'Number of seconds the NetScaler waits for a response from the server + Default is 3' + type: integer + minimum: 1 + maximum: 4294967295 + password_change: + description: 'Allow password change requests. Default is DISABLED' + type: string + enum: ['ENABLED', 'DISABLED'] + attributes_to_save: + description: |+ + 'List of attribute names separated by comma which needs to be fetched + from LDAP server and stored as key-value pair for the session on NetScaler' + type: string + maxLength: 2047 + oneOf: + - properties: + required: [server_ip] + - properties: + required: [server_name] + + saml: + description: |+ + 'SAML authentication provider. + Currently SAML is supported only with authentication mechanism using forms' + type: object + properties: + metadata_url: + description: 'URL is used for obtaining saml metadata.' + type: string + maxLength: 255 + metadata_refresh_interval: + description: |+ + 'Interval in minutes for fetching metadata from specified metadata URL. + Default is 36000' + type: integer + minimum: 1 + maximum: 4294967295 + signing_cert: + description: 'SSL certificate to sign requests from SP to IDP' + type: object + properties: + tls_secret: + type: string + description: 'Name of the Kubernetes Secret of type tls referring to Certificate' + pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' + preconfigured: + type: string + maxLength: 63 + description: |+ + 'Preconfigured SSL certkey name on NetScaler with the + certificate and key already added on NetScaler' + oneOf: + - properties: + required: [tls_secret] + - properties: + required: [preconfigured] + audience: + description: 'Audience for which assertion sent by IdP is applicable' + type: string + maxLength: 127 + issuer_name: + description: 'The name to be used in requests sent from SP to IDP to identify NetScaler' + type: string + maxLength: 63 + binding: + description: 'Specifies the transport mechanism of saml message. Default is POST' + type: string + enum: ['REDIRECT', 'POST', 'ARTIFACT'] + artifact_resolution_service_url: + description: 'URL of the Artifact Resolution Service on IdP' + type: string + maxLength: 255 + logout_binding: + description: 'Specifies the transport mechanism of saml logout. Default is POST' + type: string + enum: ['REDIRECT', 'POST'] + reject_unsigned_assertion: + description: |+ + 'Reject unsigned SAML assertions. ON, rejects assertion without signature. + STRICT ensure that both Response and Assertion are signed. Default is ON' + type: string + enum: ['ON', 'OFF', 'STRICT'] + user_field: + description: 'SAML user ID, as given in the SAML assertion' + type: string + maxLength: 63 + default_authentication_group: + description: |+ + 'This is the default group that is chosen when the authentication + succeeds in addition to extracted groups' + type: string + maxLength: 63 + skew_time: + description: |+ + 'Allowed clock skew in number of minutes on an incoming assertion. + Default is 5' + type: integer + minimum: 1 + attributes_to_save: + description: |+ + 'List of attribute names separated by comma which needs to be extracted + and stored as key-value pair for the session on NetScaler' + type: string + maxLength: 2047 + required: + - metadata_url + + basic_local_db: + type: object + description: |+ + 'Basic HTTP authentication supported by NetScaler, user data in local DB of NetScaler. + Users needs to be added on NetScaler' + properties: + use_local_auth: + description: 'Use NetScaler authentication' + type: string + enum: ['YES'] + + required: + - name + + authentication_policies: + description: 'Authentication policies' + type: array + items: + type: object + description: 'Authentication policy' + properties: + resource: + type: object + description: 'endpoint/resource selection criteria' + properties: + path: + description: 'api resource path e.g. /products. ' + type: array + items: + type: string + maxLength: 511 + method: + type: array + items: + type: string + enum: ['GET', 'PUT', 'POST', 'DELETE', 'HEAD', 'OPTIONS', 'TRACE', 'CONNECT','PATCH', 'UNKNOWN_METHOD'] + required: + - path + expression: + description: 'NetScaler syntax expression for authentication' + type: string + maxLength: 1229 + provider: + description: 'name of the authentication provider for the policy, empty if no authentication required' + type: array + items: + type: string + maxLength: 127 + maxItems: 1 + oneOf: + - required: [resource, provider] + - required: [expression, provider] + + authorization_policies: + description: 'Authorization policies' + type: array + items: + type: object + description: 'Authorization policy' + properties: + resource: + type: object + description: 'endpoint/resource selection criteria' + properties: + path: + description: 'api resource path e.g. /products. ' + type: array + items: + type: string + maxLength: 511 + method: + description: ' http method' + type: array + items: + type: string + enum: ['GET', 'PUT', 'POST', 'DELETE', 'HEAD', 'OPTIONS', 'TRACE', 'CONNECT','PATCH', 'UNKNOWN_METHOD'] + claims: + description: 'authorization scopes required for selected resource saved as claims or attributes' + type: array + items: + type: object + properties: + name: + description: 'name of the claim/attribute to check' + type: string + maxLength: 127 + values: + description: 'list of claim values required for the request' + type: array + items: + type: string + maxLength: 127 + minItems: 1 + required: + - name + - values + required: + - claims + expression: + description: 'NetScaler syntax expression for authorization' + type: string + maxLength: 1229 + oneOf: + - required: [resource] + - required: [expression] +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: listeners.citrix.com +spec: + group: citrix.com + names: + kind: Listener + plural: listeners + singular: listener + scope: Namespaced + versions: + - name: v1 + served: true + storage: true + schema: + openAPIV3Schema: + required: [spec] + type: object + properties: + status: + type: object + properties: + state: + type: string + status_message: + type: string + spec: + type: object + required: [protocol] + properties: + ingressclass: + type: string + description: "Ingress class, if not specified then all NetScaler Ingress Controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" + multicluster: + description: "The setting of this indicates that the VIP/csvserver IP address is shared by multiple netscaler ingress controllers on the VPX/MPX. For CPX, this field is not applicable" + type: boolean + protocol: + type: string + enum: ["udp", "tcp", "https", "http"] + description: "Protocol for this listener" + vip: + type: string + description: "VIP address, Optional for CPX, required for Tier-1 deployments" + secondaryVips: + type: array + description: "An array of Secondary VIPs. All the VIPs will be part of an ipset" + minItems: 1 + items: + type: string + redirectPort: + type: integer + minimum: 1 + maximum: 65535 + description: "Port from which http traffic should be redirected to https" + port: + type: integer + minimum: 1 + maximum: 65535 + certificates: + type: array + description: "certificates attached to the endpoints - Not applicable for HTTP" + minItems: 1 + items: + type: object + properties: + preconfigured: + type: string + description: "Preconfigured Certificate name on NetScaler " + secret: + type: object + description: "Kuberentes secret object" + required: [name] + properties: + name: + type: string + description: "name of the Kubernetes Secret object where Cert is located" + pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' + namespace: + type: string + description: "Namespace of the kubernetes secret object; Default is same namespace where the Listener object is located" + pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' + default: + type: boolean + description: "Only one of the certificate can be marked as default which will be presented if none of the cert matches with the hostname" + oneOf: + - required: ["preconfigured"] + - required: ["secret"] + policies: + type: object + description: "Policies attached to the Listener" + properties: + httpprofile: + type: object + description: "HTTP profile configurations for the Listener, HTTP level configurations" + properties: + preconfigured: + type: string + description: "Preconfigured or Built-in HTTP profile name" + config: + type: object + description: "HTTP profile configuration for the listener. For individual fields, refer: https://developer-docs.netscaler.com/en-us/adc-nitro-api/current-release/configuration/ns/nshttpprofile Name field is auto populated" + additionalProperties: + type: string + oneOf: + - required: ["preconfigured"] + - required: ["config"] + tcpprofile: + type: object + description: "TCP level configurations, uses ns tcpprofile of NetScaler" + properties: + preconfigured: + description: "Preconfigured or Built-in TCP profile name" + type: string + config: + type: object + description: "TCPprofile configurations for the listener. For individual fields refer: https://developer-docs.netscaler.com/en-us/adc-nitro-api/current-release/configuration/ns/nstcpprofile ; Name field is auto populated" + additionalProperties: + type: string + oneOf: + - required: ["preconfigured"] + - required: ["config"] + csvserverConfig: + type: object + description: "CS Vserver configuration for the listener" + additionalProperties: + type: string + sslprofile: + type: object + description: "SSL profile configuration" + properties: + preconfigured: + type: string + description: "SSL profile which is preconfigured in NetScaler. Ciphers bound to the profile is not overriden" + config: + description: "NetScaler frontend SSL profile configurations. Refer: https://developer-docs.netscaler.com/en-us/adc-nitro-api/current-release/configuration/ssl/sslprofile.html for all configurations; Name field is auto generated" + type: object + additionalProperties: + type: string + oneOf: + - required: ["preconfigured"] + - required: ["config"] + sslciphers: + type: array + description: "List of ciphers to be bound to the ssl profile for the listener. Priority is as per the order in the list. A cipher suite, predefined cipher group or User created cipher group can be mentioned" + minItems: 1 + items: + type: string + description: "Cipher suite, cipher group name" + analyticsprofile: + type: object + description: "Analytics profile configuration" + properties: + preconfigured: + type: array + description: "Preconfigured Analytics profile that needs to be bound to the vserver" + minItems: 1 + items: + type: string + description: "Name of the analytics profile preconfigured that will be bound to the Vserver" + config: + type: array + description: "An array of analytics to be enabled" + minItems: 1 + items: + type: object + description: "Anlytics to be enabled" + required: ['type'] + properties: + type: + description: "Analytics profile to be enabled, you can enable one or more of the webinsight, tcpinsight, securityinsight, videoinsight, hdxinsight, gatewayinsight, timeseries, lsninsight, botinsight " + type: string + enum: ["webinsight", "tcpinsight", "securityinsight", "videoinsight", "hdxinsight", "gatewayinsight", "timeseries", "lsninsight", "botinsight"] + parameters: + type: object + description: "Additional parameters for analytics profile. Please refer: https://developer-docs.netscaler.com/en-us/adc-nitro-api/current-release/configuration/analytics/analyticsprofile/" + additionalProperties: + type: string + oneOf: + - required: ["preconfigured"] + - required: ["config"] + routes: + type: array + description: "List of route objects attached to the listener" + minItems: 1 + items: + type: object + properties: + name: + type: string + description: "Name of the HTTPRoute object" + pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' + namespace: + type: string + description: "Namespace of the HTTPRoute object" + pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' + labelSelector: + description: "Labels key value pair, if the route carries the same labels, it is automatically attached" + type: object + additionalProperties: + type: string + oneOf: + - required: [name, namespace] + - required: [labelSelector] + defaultAction: + type: object + description: "Default action for the listener: One of Backend or Redirect" + properties: + backend: + type: object + oneOf: + - required: [kube] + properties: + kube: + type: object + required: [service, port] + properties: + service: + description: "Name of the backend service" + type: string + pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' + port: + description: "Service port" + type: integer + minimum: 1 + maximum: 65535 + namespace: + description: "Service namespace" + type: string + pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' + backendConfig: + description: "General backend service options" + type: object + properties: + secure_backend: + description: "Use Secure communications to the backends" + type: boolean + lbConfig: + description: "NetScaler LB vserver configurations for the backend. Refer: https://developer-docs.netscaler.com/en-us/adc-nitro-api/current-release/configuration/lb/lbvserver.html for all configurations" + type: object + additionalProperties: + type: string + servicegroupConfig: + description: "NetScaler service group configurations for the backend; Refer: https://developer-docs.netscaler.com/en-us/adc-nitro-api/current-release/configuration/basic/servicegroup.html for all configurations" + type: object + additionalProperties: + type: string + redirect: + type: object + oneOf: + - required: [targetExpression] + - required: [hostRedirect] + - required: [httpsRedirect] + properties: + httpsRedirect: + description: "Change the scheme from http to https keeping URL intact" + type: boolean + hostRedirect: + description: "Host name specified is used for redirection with URL intact" + type: string + targetExpression: + description: "A target can be specified using NetScaler policy expression" + type: string + responseCode: + description: "Default response code is 302, which can be customised using this attribute" + type: integer + minimum: 100 + maximum: 599 + oneOf: + - required: ["backend"] + - required: ["redirect"] + subresources: + # status enables the status subresource. + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: httproutes.citrix.com +spec: + group: citrix.com + names: + kind: HTTPRoute + plural: httproutes + singular: httproute + scope: Namespaced + versions: + - name: v1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + required: [spec] + properties: + status: + type: object + properties: + state: + type: string + status_message: + type: string + spec: + type: object + required: [rules] + properties: + ingressclass: + type: string + description: "Ingress class, if not specified then all NetScaler Ingress Controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" + hostname: + type: array + description: "List of domain names that share the same route, default is '*'" + minItems: 1 + items: + type: string + description: "Domain name" + rules: + type: array + description: "List Content routing rules with an action defined" + minItems: 1 + items: + type: object + required: [name, action] + properties: + name: + type: string + description: "A name to represent the rule, this is used as an identifier in content routing policy name in NetScaler" + minLength: 1 + maxLength: 20 + pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' + match: + type: array + description: "List of rules with same action" + minItems: 1 + items: + type: object + anyOf: + - required: [path] + - required: [headers] + - required: [cookies] + - required: [queryParams] + - required: [method] + - required: [policyExpression] + properties: + path: + type: object + description: "URL Path based content routing" + properties: + prefix: + type: string + description: "URL path matches the prefix expression" + exact: + type: string + description: "URL Path must match exact path" + regex: + type: string + description: "PCRE based regex expression for path matching" + headers: + type: array + description: "List of header for content routing - Must match all the rules- Treated as AND condition if more than 1 rule" + minItems: 1 + items: + type: object + description: "Header details for content routing, Check for existence of a header or header name-value match" + properties: + headerName: + type: object + description: "Header name based content routing, Here existence of header is used for routing" + properties: + exact: + type: string + description: "Header Name - treated as exact must exist" + contains: + type: string + description: "Header Name - A header must exist that contain the string the name" + regex: + type: string + description: "header Name - treated as PCRE regex expression" + not: + type: boolean + description: "Default False, if present, rules are inverted. I.e header name must not exist" + oneOf: + - required: [exact] + - required: [contains] + - required: [regex] + headerValue: + type: object + description: "Header Name and Value based match" + properties: + name: + type: string + description: "Header name that must match the value" + exact: + type: string + description: "Header value - treated as exact" + contains: + type: string + description: "Header value - treated as contains" + regex: + type: string + description: "header value - treated as PCRE regex expression" + not: + type: boolean + description: "Default False, if present, rules are inverted. I.e header if present must not match the value" + oneOf: + - required: [name, exact] + - required: [name, contains] + - required: [name, regex] + queryParams: + type: array + description: "List of Query parameters for content routing - Must match all the rules- Treated as AND condition if more than 1 rule" + minItems: 1 + items: + type: object + description: "Query parameters Name and Value based match" + properties: + name: + type: string + description: "Query name that must match the value. If no value is specified, matches with any value" + exact: + type: string + description: "Query value - Exact match" + contains: + type: string + description: "Query value - value must have the string(substring)" + regex: + type: string + description: "Query value - Value must match this regex patterm" + not: + type: boolean + description: "Default False, if present, rules are inverted. I.e query if present must not match the value" + anyOf: + - required: [name] + - oneOf: + - required: [name, exact] + - required: [name, contains] + - required: [name, regex] + cookies: + type: array + description: "List of Cookie params for content routing - Must match all the rules- Treated as AND condition if more than 1 rule" + minItems: 1 + items: + type: object + description: "Cookie based routing" + properties: + name: + type: string + description: "cookie name that must match the value. If no value specified, it matches with any value" + exact: + type: string + description: "cookie value - treated as exact" + contains: + type: string + description: "cookie value - treated as substring" + regex: + type: string + description: "cookie value - treated as PCRE regex expression" + not: + type: boolean + description: "Default False, if present, rules are inverted. I.e cookie if present must not match the value" + anyOf: + - required: [name] + - oneOf: + - required: [name, exact] + - required: [name, contains] + - required: [name, regex] + method: + type: string + description: "HTTP method for content routing eg: POST, PUT, DELETE etc" + policyExpression: + type: string + description: "NetScaler policy expressions; refer: https://developer-docs.netscaler.com/en-us/adc-nitro-api/current-release/configuration/policy/policyexpression.html" + action: + type: object + description: "Action for the matched rule" + properties: + backend: + type: object + oneOf: + - required: [kube] + properties: + kube: + type: object + required: [service, port] + properties: + service: + description: "Name of the backend service" + type: string + pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' + port: + description: "Service port" + type: integer + minimum: 1 + maximum: 65535 + backendConfig: + type: object + description: "General backend service options" + properties: + secureBackend: + description: "Use Secure communications to the backends" + type: boolean + lbConfig: + description: "NetScaler LB vserver configurations for the backend. Refer: https://developer-docs.netscaler.com/en-us/adc-nitro-api/current-release/configuration/lb/lbvserver.html for all configurations" + type: object + additionalProperties: + type: string + servicegroupConfig: + description: "NetScaler service group configurations for the backend; Refer: https://developer-docs.netscaler.com/en-us/adc-nitro-api/current-release/configuration/basic/servicegroup.html for all configurations" + type: object + additionalProperties: + type: string + redirect: + type: object + oneOf: + - required: [targetExpression] + - required: [hostRedirect] + - required: [httpsRedirect] + properties: + httpsRedirect: + description: "Change the scheme from http to https keeping URL intact" + type: boolean + hostRedirect: + description: "Host name specified is used for redirection with URL intact" + type: string + targetExpression: + description: "A target can be specified using NetScaler policy expression" + type: string + responseCode: + description: "Default response code is 302, which can be customised using this attribute" + type: integer + minimum: 100 + maximum: 599 + oneOf: + - required: ["backend"] + - required: ["redirect"] + subresources: + # status enables the status subresource. + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + # name must match the spec fields below, and be in the form: . + name: continuousdeployments.citrix.com +spec: + group: citrix.com + names: + kind: continuousdeployment + plural: continuousdeployments + singular: continuousdeployment + scope: Namespaced + versions: + - name: v1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + x-kubernetes-preserve-unknown-fields: true + properties: + cronSpec: + type: integer + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: wafs.citrix.com +spec: + group: citrix.com + names: + kind: waf + plural: wafs + singular: waf + scope: Namespaced + versions: + - name: v1 + served: true + storage: true + subresources: + status: {} + additionalPrinterColumns: + - name: Status + type: string + description: "Current Status of the CRD" + jsonPath: .status.state + - name: Message + type: string + description: "Status Message" + jsonPath: .status.status_message + schema: + openAPIV3Schema: + type: object + required: [spec] + properties: + status: + type: object + properties: + state: + type: string + status_message: + type: string + spec: + type: object + properties: + ingressclass: + type: string + description: "Ingress class, if not specified then all NetScaler Ingress Controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" + servicenames: + description: 'Name of the services to which the waf policies are applied.' + type: array + items: + type: string + maxLength: 127 + application_type: + description: 'Type of applications to protect' + type: array + items: + type: string + enum: ['HTML', 'JSON', 'XML'] + signatures: + description: 'Location of external signature file' + type: string + redirect_url: + description: 'When a URL is blocked/down, redirect_url represents the alternate URL where the client requests should be sent.' + type: string + html_error_object: + description: 'Location of customized error page to respond when html or common violation are hit' + type: string + xml_error_object: + description: 'Location of customized error page to respond when xml violations are hit' + type: string + json_error_object: + description: 'Location of customized error page to respond when json violations are hit' + type: string + ip_reputation: + type: object + x-kubernetes-preserve-unknown-fields: true + description: 'Enabling IP reputation feature' + target: + description: 'To control what traffic to be inspected by Web Application Firewall. If you do not provide the target, everything will be inspected by default' + type: object + properties: + path: + type: array + description: "List of http urls to inspect" + items: + type: string + description: "URL path" + method: + type: array + description: "List of http methods to inspect" + items: + type: string + enum: ['GET', 'PUT', 'POST', 'DELETE', 'HEAD', 'OPTIONS', 'TRACE', 'CONNECT','PATCH', 'UNKNOWN_METHOD'] + header: + type: array + description: "List of http headers to inspect" + items: + type: string + description: "header name" + security_checks: + description: 'To enable/disable application firewall security checks' + type: object + properties: + common: + type: object + x-kubernetes-preserve-unknown-fields: true + html: + type: object + x-kubernetes-preserve-unknown-fields: true + json: + type: object + x-kubernetes-preserve-unknown-fields: true + xml: + type: object + x-kubernetes-preserve-unknown-fields: true + settings: + description: 'To fine tune application firewall security checks default settings' + type: object + properties: + common: + type: object + x-kubernetes-preserve-unknown-fields: true + html: + type: object + x-kubernetes-preserve-unknown-fields: true + json: + type: object + x-kubernetes-preserve-unknown-fields: true + xml: + type: object + x-kubernetes-preserve-unknown-fields: true + relaxations: + description: 'Section which contains relaxation rules for known traffic and false positives' + type: object + properties: + common: + type: object + x-kubernetes-preserve-unknown-fields: true + html: + type: object + x-kubernetes-preserve-unknown-fields: true + json: + type: object + x-kubernetes-preserve-unknown-fields: true + xml: + type: object + x-kubernetes-preserve-unknown-fields: true + enforcements: + description: 'Section which contains enforcement or restriction rules' + type: object + properties: + common: + type: object + x-kubernetes-preserve-unknown-fields: true + html: + type: object + x-kubernetes-preserve-unknown-fields: true + json: + type: object + x-kubernetes-preserve-unknown-fields: true + xml: + type: object + x-kubernetes-preserve-unknown-fields: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: bots.citrix.com +spec: + group: citrix.com + names: + kind: bot + plural: bots + singular: bot + scope: Namespaced + versions: + - name: v1 + served: true + storage: true + subresources: + status: {} + additionalPrinterColumns: + - name: Status + type: string + description: "Current Status of the CRD" + jsonPath: .status.state + - name: Message + type: string + description: "Status Message" + jsonPath: .status.status_message + schema: + openAPIV3Schema: + type: object + required: [spec] + properties: + status: + type: object + properties: + state: + type: string + status_message: + type: string + spec: + type: object + properties: + ingressclass: + type: string + description: "Ingress class, if not specified then all NetScaler Ingress Controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" + servicenames: + description: 'Name of the services to which the bot policies are applied.' + type: array + items: + type: string + maxLength: 127 + signatures: + description: 'Location of external bot signature file' + type: string + redirect_url: + description: 'url to redirect when bot violation is hit' + type: string + target: + description: 'To control what traffic to be inspected by BOT. If you do not provide the target, everything will be inspected by default' + type: object + properties: + path: + type: array + description: "List of http urls to inspect" + items: + type: string + description: "URL path" + method: + type: array + description: "List of http methods to inspect" + items: + type: string + enum: ['GET', 'PUT', 'POST', 'DELETE', 'HEAD', 'OPTIONS', 'TRACE', 'CONNECT','PATCH', 'UNKNOWN_METHOD'] + header: + type: array + description: "List of http headers to inspect" + items: + type: string + description: "header name" + security_checks: + description: 'To enable/disable bot ecurity checks' + type: object + properties: + allow_list: + type: string + enum: ['ON', 'OFF'] + block_list: + type: string + enum: ['ON', 'OFF'] + device_fingerprint: + type: string + enum: ['ON', 'OFF'] + device_fingerprint_action: + type: object + x-kubernetes-preserve-unknown-fields: true + headless_browser: + type: string + enum: ['ON','OFF'] + reputation: + type: string + enum: ['ON', 'OFF'] + ratelimit: + type: string + enum: ['ON', 'OFF'] + tps: + type: string + enum: ['ON', 'OFF'] + trap: + type: object + x-kubernetes-preserve-unknown-fields: true + bindings: + description: 'Section which contains binding rules for bot security checks' + type: object + properties: + allow_list: + type: array + items: + type: object + properties: + subnet: + type: object + x-kubernetes-preserve-unknown-fields: true + ip: + type: object + x-kubernetes-preserve-unknown-fields: true + ipv6: + type: object + x-kubernetes-preserve-unknown-fields: true + ipv6_subnet: + type: object + x-kubernetes-preserve-unknown-fields: true + expression: + type: object + x-kubernetes-preserve-unknown-fields: true + + block_list: + type: array + items: + type: object + properties: + subnet: + type: object + x-kubernetes-preserve-unknown-fields: true + ip: + type: object + x-kubernetes-preserve-unknown-fields: true + ipv6: + type: object + x-kubernetes-preserve-unknown-fields: true + ipv6_subnet: + type: object + x-kubernetes-preserve-unknown-fields: true + expression: + type: object + x-kubernetes-preserve-unknown-fields: true + ratelimit: + type: array + items: + type: object + properties: + url: + type: object + x-kubernetes-preserve-unknown-fields: true + ip: + type: object + x-kubernetes-preserve-unknown-fields: true + cookie: + type: object + x-kubernetes-preserve-unknown-fields: true + geolocation: + type: object + x-kubernetes-preserve-unknown-fields: true + reputation: + type: object + x-kubernetes-preserve-unknown-fields: true + captcha: + type: array + items: + type: object + x-kubernetes-preserve-unknown-fields: true + properties: + logexp: + type: array + items: + type: object + x-kubernetes-preserve-unknown-fields: true + properties: + kbmexpr: + type: array + items: + type: object + x-kubernetes-preserve-unknown-fields: true + properties: + tps: + type: object + properties: + geolocation: + type: object + x-kubernetes-preserve-unknown-fields: true + host: + type: object + x-kubernetes-preserve-unknown-fields: true + ip: + type: object + x-kubernetes-preserve-unknown-fields: true + url: + type: object + x-kubernetes-preserve-unknown-fields: true + trapinsertion: + type: object + x-kubernetes-preserve-unknown-fields: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: apigatewaypolicies.citrix.com +spec: + group: citrix.com + names: + kind: apigatewaypolicy + plural: apigatewaypolicies + singular: apigatewaypolicy + scope: Namespaced + versions: + - name: v1beta1 + served: true + storage: true + additionalPrinterColumns: + - name: Status + type: string + description: "Current Status of the CRD" + jsonPath: .status.state + - name: Message + type: string + description: "Status Message" + jsonPath: .status.status_message + subresources: + status: {} + schema: + openAPIV3Schema: + type: object + required: [spec] + properties: + status: + type: object + properties: + state: + type: string + status_message: + type: string + spec: + type: object + properties: + api_definition: + type: object + properties: + repository: + type: string + branch: + type: string + oas_secret_ref: + type: string + files: + type: array + items: + type: string + maxLength: 127 + api_proxy: + type: object + properties: + ipaddress: + type: string + port: + type: integer + protocol: + type: string + secret: + type: string + policies: + type: array + items: + type: object + properties: + name: + type: string + selector: + type: array + items: + type: object + properties: + tags: + type: array + items: + type: string + api: + type: string + method: + type: array + items: + type: string + maxLength: 127 + upstream: + type: object + properties: + service: + type: string + port: + type: integer + policy_bindings: + type: object + properties: + ratelimit: + type: object + properties: + name: + type: string + waf: + type: object + properties: + name: + type: string + rewritepolicy: + type: object + properties: + name: + type: string + bot: + type: object + properties: + name: + type: string + aaa: + type: array + items: + type: object + properties: + crd_name: + type: string + mappings: + type: array + items: + type: object + properties: + petstore_auth: + type: string + api_key: + type: string +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: corspolicies.citrix.com +spec: + group: citrix.com + names: + kind: corspolicy + plural: corspolicies + singular: corspolicy + shortNames: + - cp + scope: Namespaced + versions: + - name: v1beta1 + served: true + storage: true + subresources: + status: {} + additionalPrinterColumns: + - name: Status + type: string + description: 'Current Status of the CRD' + jsonPath: .status.state + - name: Message + type: string + description: 'Status Message' + jsonPath: .status.status_message + schema: + openAPIV3Schema: + type: object + properties: + status: + type: object + properties: + state: + type: string + status_message: + type: string + spec: + type: object + properties: + ingressclass: + type: string + description: "Ingress class, if not specified then all NetScaler Ingress Controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" + servicenames: + description: 'The list of Kubernetes services to which you want to apply the cors policies.' + type: array + items: + type: string + maxLength: 63 + allow_origin: + description: 'Represents list of allowed origins, it is used to screen the “origin” in the cors pre flight request' + type: array + items: + type: string + maxLength: 2083 + allow_methods: + description: 'Indicates which methods are supported by the response’s URL for the purposes of the CORS protocol. This variable will be used to set Access-Control-Allow-Methods in the pre-flight cors response.' + type: array + items: + type: string + maxLength: 127 + allow_headers: + description: 'Indicates which headers are supported by the response’s URL for the purposes of the CORS protocol. This variable will be used to set Access-Control-Allow-Headers in the pre-flight cors response.' + type: array + items: + type: string + maxLength: 127 + max_age: + description: 'Indicates the number of seconds (5 by default) the information provided by the `Access-Control-Allow-Methods` and `Access-Control-Allow-Headers` headers can be cached. This variable will be used to set Access-Control-Max-Age in the pre-flight cors response.' + type: integer + allow_credentials: + description: 'Indicates whether the response can be shared when the request’s credentials mode is "include". This variable will be set to Access-Control-Allow-Credentials in the rewrite action.' + type: boolean + required: [servicenames, allow_origin, allow_methods, allow_headers] +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: appqoepolicies.citrix.com +spec: + group: citrix.com + names: + kind: appqoepolicy + plural: appqoepolicies + singular: appqoepolicy + scope: Namespaced + versions: + - name: v1 + served: true + storage: true + subresources: + status: {} + additionalPrinterColumns: + - name: Status + type: string + description: "Current Status of the CRD" + jsonPath: .status.state + - name: Message + type: string + description: "Status Message" + jsonPath: .status.status_message + schema: + openAPIV3Schema: + type: object + properties: + status: + type: object + properties: + state: + type: string + status_message: + type: string + spec: + type: object + properties: + appqoe-policies: + type: array + items: + type: object + properties: + servicenames: + description: 'Name of the services that needs to be binded to appqoe policy.' + type: array + items: + type: string + maxLength: 127 + appqoe-policy: + type: object + properties: + operation-retry: + type: object + properties: + on-reset: + description: "To set Retry on Connection Reset or Not" + type: string + enum: ['YES','NO'] + on-timeout: + description: "Time in milliseconds for retry" + type: integer + minimum: 30 + maximum: 2000 + number-of-retries: + description: "To set number of retries" + type: integer + minimum: 1 + maximum: 7 + required: [operation-retry] + appqoe-criteria: + description: 'Expression against which traffic is evaluated.' + type: string + maxLength: 1299 + direction: + description: 'Bind point to which to bind the policy.' + type: string + enum: ["REQUEST","RESPONSE"] + required: [appqoe-criteria, operation-retry] + required: [appqoe-policy] +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: wildcarddnsentries.citrix.com +spec: + group: citrix.com + names: + kind: wildcarddnsentry + plural: wildcarddnsentries + singular: wildcarddnsentry + scope: Namespaced + versions: + - name: v1 + served: true + storage: true + subresources: + status: {} + additionalPrinterColumns: + - name: Status + type: string + description: Current Status of the CRD + jsonPath: .status.state + - name: Message + type: string + description: Status Message + jsonPath: .status.status_message + schema: + openAPIV3Schema: + type: object + properties: + status: + type: object + properties: + state: + type: string + status_message: + type: string + spec: + type: object + properties: + zone: + type: object + description: DNS configuration for a zone + properties: + domain: + type: string + description: Domain name + dnsaddrec: + type: object + description: DNS Address record + properties: + domain-ip: + type: string + description: IPv4 addresses to assign to the domain name + ttl: + type: integer + description: >- + TTL is the time for which the record must be cached + by DNS proxies + dnsaaaarec: + type: object + description: DNS AAAA record + properties: + domain-ip: + type: string + description: IPv6 addresses to assign to the domain name + ttl: + type: integer + description: >- + TTL is the time for which the record must be cached + by DNS proxies + soarec: + type: object + description: SOA record + properties: + origin-server: + type: string + description: Origin server domain + contact: + type: string + description: Admin contact + serial: + type: integer + description: >- + The secondary server uses this parameter to + determine whether it requires a zone transfer from + the primary server. + refresh: + type: integer + description: >- + Time, in seconds, for which a secondary server must + wait between successive checks on the value of the + serial number. + retry: + type: integer + description: >- + Time, in seconds, between retries if a secondary server's + attempt to contact the primary server for a zone refresh fails. + expire: + type: integer + description: >- + Time, in seconds, after which the zone data on a secondary + nameserver can no longer be considered authoritative because + all refresh and retry attempts made during the period have failed." + nsrec: + type: object + description: Name server record + properties: + nameserver: + type: string + description: Host name of the name server to add to the domain. + ttl: + type: integer + description: >- + Time to Live (TTL), in seconds, for the record. TTL + is the time for which the record must be cached by + DNS proxies. The specified TTL is applied to all the + resource records that are of the same record type + and belong to the specified domain name +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: icappolicies.citrix.com +spec: + group: citrix.com + names: + kind: icappolicy + plural: icappolicies + singular: icappolicy + scope: Namespaced + versions: + - name: v1beta1 + served: true + storage: true + subresources: + status: {} + additionalPrinterColumns: + - name: Status + type: string + description: "Current Status of the CRD" + jsonPath: .status.state + - name: Message + type: string + description: "Status Message" + jsonPath: .status.status_message + schema: + openAPIV3Schema: + type: object + properties: + status: + type: object + properties: + state: + type: string + status_message: + type: string + spec: + type: object + properties: + ingressclass: + description: "Ingress class, if not specified then all NetScaler ingress controllers in the cluster will process the resource otherwise only the controller with that ingress class will process this resource" + type: string + maxLength: 127 + services: + type: array + description: 'Name of the services for which the icap policy needs to be bound' + items: + type: string + icap-servers: + type: object + description: "ICAP service for the ICAP server that will be part of the load balancing setup. The service that you add provides the ICAP connection between the NetScaler appliance and load balancing virtual servers." + properties: + servers: + type: array + items: + type: object + properties: + ip: + type: string + description: 'IP of the ICAP Server' + format: ipv4 + port: + type: integer + description: 'Port number of the ICAP Server.' + minimum: 1 + maximum: 65535 + required: + - ip + - port + server-type: + type: string + description: 'Type of ICAP Server.' + enum: ['TCP', 'SSL_TCP'] + default: 'SSL_TCP' + server_host_cert: + description: |+ + 'Name of the SSL certificate to be used with ICAP server. + This certificate is mandatory for server-type SSL_TCP' + type: object + properties: + tls_secret: + type: string + description: 'Name of the Kubernetes Secret of type tls referring to Certificate' + pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' + preconfigured: + type: string + maxLength: 63 + description: |+ + 'Preconfigured SSL certkey name on NetScaler with the + certificate and key already added on NetScaler' + oneOf: + - required: [tls_secret] + - required: [preconfigured] + required: + - servers + icap: + type: array + items: + type: object + properties: + preconfigured-profile: + description: 'Names of the preconfigured ICAP profile.' + type: string + maxLength: 127 + direction: + description: 'ICAP Mode of operation. It is a mandatory argument while creating an icapprofile.' + type: string + enum: ['REQUEST','RESPONSE'] + profile: + type: object + description: 'ICAP profile(s) of the NetScaler.' + properties: + preview: + description: 'Enable or Disable preview header with ICAP request. This feature allows an ICAP server to see the beginning of a transaction, then decide if it wants to opt-out of the transaction early instead of receiving the remainder of the request message.' + type: string + enum: ["ENABLED", "DISABLED"] + preview-length: + description: 'Value of Preview Header field. NetScaler uses the minimum of this set value and the preview size received on OPTIONS' + type: integer + minimum: 0 + maximum: 4294967294 + uri: + description: 'URI representing icap service. It is a mandatory argument while creating an icapprofile.' + type: string + maxLength: 511 + host-header: + description: 'ICAP Host Header.' + type: string + maxLength: 255 + user-agent-header: + description: 'ICAP User Agent Header' + type: string + maxLength: 255 + query-params: + description: 'Query parameters to be included with ICAP request URI. Entered values should be in arg=value format. For more than one parameters, add & separated values. e.g.: arg1=val1&arg2=val2' + type: string + maxLength: 511 + connection-keep-alive: + description: 'Enable or Disable sending Allow: 204 header in ICAP request.' + type: string + enum: ["ENABLED", "DISABLED"] + insert-icap-headers: + description: 'Insert custom ICAP headers in the ICAP request to send to ICAP server. The headers can be static or can be dynamically constructed using PI Policy Expression. For example, to send static user agent and Client''s IP address, the expression can be specified as "User-Agent: NS-ICAP-Client/V1.0r0-Client-IP: "+CLIENT.IP.SRC+"r0. The NetScaler does not check the validity of the specified header name-value. You must manually validate the specified header syntax.' + type: string + maxLength: 8191 + insert-http-request: + description: 'Exact HTTP request, in the form of an expression, which the NetScaler encapsulates and sends to the ICAP server. If you set this parameter, the ICAP request is sent using only this header. This can be used when the HTTP header is not available to send or ICAP server only needs part of the incoming HTTP request. The request expression is constrained by the feature for which it is used. The NetScaler does not check the validity of this request. You must manually validate the request.' + type: string + maxLength: 8191 + req-timeout: + description: 'Time, in seconds, within which the remote server should respond to the ICAP-request. If the Netscaler does not receive full response with this time, the specified request timeout action is performed. Zero value disables this timeout functionality.' + type: integer + minimum: 0 + maximum: 86400 + req-timeout-action: + description: 'Name of the action to perform if the Vserver/Server representing the remote service does not respond with any response within the timeout value configured. The Supported actions are * BYPASS - This Ignores the remote server response and sends the request/response to Client/Server. * If the ICAP response with Encapsulated headers is not received within the request-timeout value configured, this Ignores the remote ICAP server response and sends the Full request/response to Server/Client' + type: string + enum: ['BYPASS', 'DROP', 'RESET'] + log-action: + description: 'Name of the audit message action which would be evaluated on receiving the ICAP response to emit the logs' + type: string + maxLength: 127 + required: + - uri + content-inspection-criteria: + description: 'Expression that the policy uses to determine whether to execute the specified action.' + type: string + maxLength: 1499 + default-action: + description: 'Action to perform if the result of policy evaluation is undefined (UNDEF). An UNDEF event indicates an internal error condition. Only the above built-in actions can be used' + type: string + maxLength: 127 + log-action: + description: 'Name of the messagelog action to use for requests that match this policy.' + type: string + maxLength: 127 + goto-priority-expression: + description: 'Expression or other value specifying the next policy to be evaluated if the current policy evaluates to TRUE.Specify one of the following values:* NEXT - Evaluate the policy with the next higher priority number.* END - End policy evaluation.Default value of goto-priority-expression: END' + type: string + operation: + description: 'Type of operation this action is going to perform. following actions are available to configure: * ICAP - forward the incoming request or response to an ICAP server for modification. * INLINEINSPECTION - forward the incoming or outgoing packets to IPS server for Intrusion Prevention. * MIRROR - Forwards cloned packets for Intrusion Detection. * NOINSPECTION - This does not forward incoming and outgoing packets to the Inspection device. * NSTRACE - capture current and further incoming packets on this transaction.' + type: string + enum: ['ICAP', 'INLINEINSPECTION', 'MIRROR', 'NOINSPECTION'] + server-failure-action: + description: 'Name of the action to perform if the Vserver representing the remote service is not UP. This is not supported for NOINSPECTION Type. The Supported actions are: * RESET - Reset the client connection by closing it. The client program, such as a browser, will handle this and may inform the user. The client may then resend the request if desired. * DROP - Drop the request without sending a response to the user. * CONTINUE - It bypasses the ContentIsnpection and Continues/resumes the Traffic-Flow to Client/Server.' + type: string + enum: ['CONTINUE', 'DROP', 'RESET'] + oneOf: + - required: [preconfigured-profile] + - required: [profile] + required: + - direction + - content-inspection-criteria + - operation + required: + - ingressclass + - services + - icap-servers + - icap +--- diff --git a/charts/netscaler/netscaler-ingress-controller/2.2.10/templates/NOTES.txt b/charts/netscaler/netscaler-ingress-controller/2.2.10/templates/NOTES.txt new file mode 100644 index 000000000..1bab5db5c --- /dev/null +++ b/charts/netscaler/netscaler-ingress-controller/2.2.10/templates/NOTES.txt @@ -0,0 +1,15 @@ +Thank you for installing {{ .Chart.Name }}. + +Your release is named {{ .Release.Name }}. + + +To learn more about the release, try: + + $ helm status {{ .Release.Name }} + $ helm get {{ .Release.Name }} + + +To delete : + helm delete {{ .Release.Name }} + + diff --git a/charts/netscaler/netscaler-ingress-controller/2.2.10/templates/_helpers.tpl b/charts/netscaler/netscaler-ingress-controller/2.2.10/templates/_helpers.tpl new file mode 100644 index 000000000..4f3942e48 --- /dev/null +++ b/charts/netscaler/netscaler-ingress-controller/2.2.10/templates/_helpers.tpl @@ -0,0 +1,79 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "netscaler-ingress-controller.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "netscaler-ingress-controller.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{- define "exporter.fullname" -}} +{{- $name := default .Chart.Name "exporter" .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} + +{{- define "servicemonitor.fullname" -}} +{{- $name := default .Chart.Name "netscaler-adc-servicemonitor" .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} + +{{- define "servicemonitorlabel" -}} +{{- $name := default .Chart.Name "netscaler-adc-svcmon" .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} + +{{- define "nsicconfigmap.fullname" -}} +{{- $name := default .Chart.Name "nsic-configmap" .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "netscaler-ingress-controller.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create the name of the service account to use +*/}} +{{- define "netscaler-ingress-controller.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} + {{ default (include "netscaler-ingress-controller.fullname" .) .Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} diff --git a/charts/netscaler/netscaler-ingress-controller/2.2.10/templates/configmap.yaml b/charts/netscaler/netscaler-ingress-controller/2.2.10/templates/configmap.yaml new file mode 100644 index 000000000..0a721801b --- /dev/null +++ b/charts/netscaler/netscaler-ingress-controller/2.2.10/templates/configmap.yaml @@ -0,0 +1,82 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "nsicconfigmap.fullname" . }} + namespace: {{ .Release.Namespace }} +data: + LOGLEVEL: {{ .Values.logLevel | quote | lower }} + JSONLOG: {{ .Values.jsonLog | quote | lower }} + NS_PROTOCOL: {{ .Values.nsProtocol | quote | lower }} + NS_PORT: {{ .Values.nsPort | quote }} +{{- if .Values.nsSNIPS }} + NS_SNIPS: {{ .Values.nsSNIPS | toJson}} +{{- end }} +{{- if and .Values.analyticsConfig.required .Values.nsEnableLabel }} + NS_ENABLE_LABELS: {{ .Values.nsEnableLabel | quote}} +{{- end }} +{{- if .Values.podIPsforServiceGroupMembers }} + POD_IPS_FOR_SERVICEGROUP_MEMBERS: {{ .Values.podIPsforServiceGroupMembers | quote }} +{{- end }} +{{- if .Values.ignoreNodeExternalIP }} + IGNORE_NODE_EXTERNAL_IP: {{ .Values.ignoreNodeExternalIP | quote }} +{{- end }} + +{{- if ne (upper .Values.nsHTTP2ServerSide) "OFF" }} + NS_HTTP2_SERVER_SIDE: {{ .Values.nsHTTP2ServerSide | quote }} +{{- end }} +{{- if ne (toString .Values.nsCookieVersion) "0" }} + NS_COOKIE_VERSION: {{ .Values.nsCookieVersion | quote }} +{{- end }} +{{- if .Values.nsDnsNameserver }} + NS_DNS_NAMESERVER: {{ .Values.nsDnsNameserver }} +{{- end }} + +{{- if .Values.analyticsConfig.required }} + NS_ANALYTICS_CONFIG: | + distributed_tracing: + enable: {{ .Values.analyticsConfig.distributedTracing.enable | quote }} + samplingrate: {{ .Values.analyticsConfig.distributedTracing.samplingrate }} + endpoint: + {{- if not .Values.analyticsConfig.timeseries.metrics.enableNativeScrape }} + metrics: + service: {{ .Values.analyticsConfig.endpoint.metrics.service | quote }} + {{- end }} + transactions: + service: {{ .Values.analyticsConfig.endpoint.transactions.service | quote }} + timeseries: + port: {{ .Values.analyticsConfig.timeseries.port }} + metrics: + enable: {{ .Values.analyticsConfig.timeseries.metrics.enable | quote }} + mode: {{ .Values.analyticsConfig.timeseries.metrics.mode | quote }} + export_frequency: {{ .Values.analyticsConfig.timeseries.metrics.exportFrequency }} + schema_file: {{ .Values.analyticsConfig.timeseries.metrics.schemaFile | quote }} + enable_native_scrape: {{ .Values.analyticsConfig.timeseries.metrics.enableNativeScrape | quote }} + auditlogs: + enable: {{ .Values.analyticsConfig.timeseries.auditlogs.enable | quote }} + events: + enable: {{ .Values.analyticsConfig.timeseries.events.enable | quote }} + transactions: + enable: {{ .Values.analyticsConfig.transactions.enable | quote }} + port: {{ .Values.analyticsConfig.transactions.port }} +{{- end }} + +{{- if .Values.nsLbHashAlgo.required }} + NS_LB_HASH_ALGO: | + hashFingers: {{ .Values.nsLbHashAlgo.hashFingers }} + hashAlgorithm: {{ .Values.nsLbHashAlgo.hashAlgorithm | quote }} +{{- end }} + +{{- if .Values.profileSslFrontend }} + FRONTEND_SSL_PROFILE: | + {{- toYaml .Values.profileSslFrontend | nindent 4 }} +{{- end }} + +{{- if .Values.profileTcpFrontend }} + FRONTEND_TCP_PROFILE: | + {{- toYaml .Values.profileTcpFrontend | nindent 4 }} +{{- end }} + +{{- if .Values.profileHttpFrontend }} + FRONTEND_HTTP_PROFILE: | + {{- toYaml .Values.profileHttpFrontend | nindent 4 }} +{{- end }} diff --git a/charts/netscaler/netscaler-ingress-controller/2.2.10/templates/deployment.yaml b/charts/netscaler/netscaler-ingress-controller/2.2.10/templates/deployment.yaml new file mode 100644 index 000000000..68513bbbd --- /dev/null +++ b/charts/netscaler/netscaler-ingress-controller/2.2.10/templates/deployment.yaml @@ -0,0 +1,282 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "netscaler-ingress-controller.fullname" . }} + namespace: {{ .Release.Namespace }} +spec: + selector: + matchLabels: +{{- if .Values.openshift }} + router: {{ include "netscaler-ingress-controller.fullname" . }} +{{- else }} + app: {{ include "netscaler-ingress-controller.fullname" . }} +{{- end }} + replicas: 1 + template: + metadata: + name: nsic + labels: +{{- if .Values.openshift }} + router: {{ include "netscaler-ingress-controller.fullname" . }} +{{- else }} + app: {{ include "netscaler-ingress-controller.fullname" . }} +{{- end }} + annotations: +{{- with .Values.podAnnotations }} + {{- toYaml . | nindent 8 }} +{{- end }} + spec: + serviceAccountName: {{ include "netscaler-ingress-controller.serviceAccountName" . }} + containers: + - name: nsic + image: "{{ tpl .Values.image . }}" + imagePullPolicy: {{ .Values.pullPolicy }} +{{- if .Values.enableReadinessProbe }} + readinessProbe: + {{- toYaml .Values.readinessProbe | nindent 10 }} +{{- end }} +{{- if .Values.enableLivenessProbe }} + livenessProbe: + {{- toYaml .Values.livenessProbe | nindent 10 }} +{{- end }} + args: + - --configmap + {{ .Release.Namespace }}/{{ include "nsicconfigmap.fullname" . }} +{{- if .Values.defaultSSLCertSecret }} + - --default-ssl-certificate + {{ .Release.Namespace }}/{{ .Values.defaultSSLCertSecret }} +{{- end }} +{{- if .Values.defaultSSLSNICertSecret }} + - --default-ssl-sni-certificate + {{ .Release.Namespace }}/{{ .Values.defaultSSLSNICertSecret }} +{{- end }} +{{- if .Values.ingressClass }} + - --ingress-classes +{{- range .Values.ingressClass}} + {{.}} +{{- end }} +{{- end }} +{{- if .Values.serviceClass }} + - --service-classes +{{- range .Values.serviceClass}} + {{.}} +{{- end }} +{{- end }} + - --feature-node-watch + {{ .Values.nodeWatch }} + - --enable-cnc-pbr + {{ .Values.nsncPbr }} +{{- if .Values.ipam }} + - --ipam + citrix-ipam-controller +{{- end }} +{{- if .Values.disableAPIServerCertVerify }} + - --disable-apiserver-cert-verify + {{ .Values.disableAPIServerCertVerify }} +{{- end }} +{{- if .Values.updateIngressStatus }} + - --update-ingress-status + yes +{{- end }} + env: + - name: "NS_IP" + value: "{{ .Values.nsIP }}" +{{- if .Values.nsVIP }} + - name: "NS_VIP" + value: "{{ .Values.nsVIP }}" +{{- end }} +{{- if .Values.rbacRole }} + - name: "SCOPE" + value: "local" +{{- end }} +{{- if .Values.nitroReadTimeout }} + - name: "NS_NITRO_READ_TIMEOUT" + value: "{{ .Values.nitroReadTimeout }}" +{{- end }} +{{- if .Values.enableLivenessProbe }} + - name: "LIVENESS_FILE_PATH" + value: '/tmp/liveness_path.log' +{{- end }} + - name: "ENABLE_LIVENESS_PROBE" + value: {{ .Values.enableLivenessProbe | quote }} + - name: "NS_USER" + {{- if and .Values.secretStore.enabled .Values.secretStore.username}} + {{- toYaml .Values.secretStore.username | nindent 10 }} + {{- else }} + valueFrom: + secretKeyRef: + name: {{ .Values.adcCredentialSecret }} + key: username + {{- end }} + - name: "NS_PASSWORD" + {{- if and .Values.secretStore.enabled .Values.secretStore.password}} + {{- toYaml .Values.secretStore.password | nindent 10 }} + {{- else }} + valueFrom: + secretKeyRef: + name: {{ .Values.adcCredentialSecret }} + key: password + {{- end }} + - name: "EULA" + value: "{{ .Values.license.accept }}" +{{- if and .Values.openshift .Values.routeLabels }} + - name: "ROUTE_LABELS" + value: {{ .Values.routeLabels | quote}} +{{- end }} +{{- if and .Values.openshift .Values.namespaceLabels }} + - name: "NAMESPACE_LABELS" + value: {{ .Values.namespaceLabels | quote }} +{{- end }} + - name: "NS_APPS_NAME_PREFIX" + value: {{ .Values.entityPrefix | default "k8s"| quote }} + - name: "NS_MC_PREFIX" + value: {{ .Values.multiClusterPrefix | default "mc"| quote }} +{{- if .Values.kubernetesURL }} + - name: "kubernetes_url" + value: "{{ .Values.kubernetesURL }}" +{{- end }} +{{- if .Values.clusterName }} + - name: "CLUSTER_NAME" + value: "{{ .Values.clusterName }}" +{{- end }} +{{- if .Values.logProxy }} + - name: "NS_LOGPROXY" + value: "{{ .Values.logProxy }}" +{{- end }} +{{- if .Values.disableOpenshiftRoutes }} + - name: "DISABLE_OPENSHIFT_ROUTES" + value: "{{ .Values.disableOpenshiftRoutes }}" +{{- end }} +{{- if .Values.nsConfigDnsRec }} + - name: "NS_CONFIG_DNS_REC" + value: "{{ .Values.nsConfigDnsRec }}" +{{- end }} +{{- if .Values.nsSvcLbDnsRec }} + - name: "NS_SVC_LB_DNS_REC" + value: "{{ .Values.nsSvcLbDnsRec }}" +{{- end }} +{{- if .Values.optimizeEndpointBinding }} + - name: "OPTIMIZE_ENDPOINT_BINDING" + value: "{{ .Values.optimizeEndpointBinding }}" +{{- end }} +{{- if .Values.nodeLabels }} + - name: "NODE_LABELS" + value: "{{ .Values.nodeLabels }}" +{{- end }} +{{- if .Values.openshift }} + - name: "PLATFORM" + value: "OPENSHIFT" +{{- else }} + - name: "PLATFORM" + value: "KUBERNETES" +{{- end }} + - name: "BGP_ADVERTISEMENT" + value: {{ .Values.bgpAdvertisement | quote }} + resources: + {{- toYaml .Values.resources | nindent 12 }} + {{- if ne (len .Values.extraVolumeMounts) 0 }} + volumeMounts: +{{- toYaml .Values.extraVolumeMounts | nindent 8 }} + {{- end }} +{{- if .Values.exporter.required }} + - name: exporter + image: "{{ tpl .Values.exporter.image . }}" + imagePullPolicy: {{ .Values.exporter.pullPolicy }} + args: + - "--target-nsip={{ .Values.nsIP }}" + - "--port={{ .Values.exporter.ports.containerPort }}" + env: + - name: "NS_USER" + {{- if and .Values.secretStore.enabled .Values.secretStore.username}} + {{- toYaml .Values.secretStore.username | nindent 10 }} + {{- else }} + valueFrom: + secretKeyRef: + name: {{ .Values.adcCredentialSecret }} + key: username + {{- end }} + - name: "NS_PASSWORD" + {{- if and .Values.secretStore.enabled .Values.secretStore.password}} + {{- toYaml .Values.secretStore.password | nindent 10 }} + {{- else }} + valueFrom: + secretKeyRef: + name: {{ .Values.adcCredentialSecret }} + key: password + {{- end }} + {{- if ne (len .Values.exporter.extraVolumeMounts) 0 }} + volumeMounts: + {{- toYaml .Values.exporter.extraVolumeMounts | nindent 8 }} + {{- end }} + resources: +{{- toYaml .Values.exporter.resources | nindent 12 }} +{{- end }} +{{- if or (and .Values.extraVolumeMounts .Values.extraVolumes) (and .Values.exporter.extraVolumeMounts .Values.extraVolumes) }} + volumes: +{{- end }} +{{- if ne (len .Values.extraVolumes) 0 }} +{{ toYaml .Values.extraVolumes | indent 6 }} +{{- end }} +{{- if and .Values.nodeSelector.key .Values.nodeSelector.value }} + nodeSelector: + {{ .Values.nodeSelector.key }}: {{ .Values.nodeSelector.value }} +{{- end }} +{{- if .Values.tolerations }} + tolerations: {{ .Values.tolerations | toYaml | nindent 8 }} +{{- end }} +{{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} +{{- end }} + +--- + +{{- if .Values.exporter.required }} + + +apiVersion: v1 +kind: Service +metadata: + name: {{ include "exporter.fullname" . }} + labels: + app: {{ include "exporter.fullname" . }} + service-type: {{ include "servicemonitorlabel" . }} +spec: + type: ClusterIP + ports: + - port: {{ .Values.exporter.ports.containerPort }} + targetPort: {{ .Values.exporter.ports.containerPort }} + name: exporter-port + selector: +{{- if .Values.openshift }} + router: {{ include "netscaler-ingress-controller.fullname" . }} +{{- else }} + app: {{ include "netscaler-ingress-controller.fullname" . }} +{{- end }} + +--- + +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ include "servicemonitor.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + servicemonitor: netscaler + {{- with .Values.exporter.serviceMonitorExtraLabels }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + endpoints: + - interval: 30s + port: exporter-port + selector: + matchLabels: + service-type: {{ include "servicemonitorlabel" . }} + namespaceSelector: + matchNames: + - monitoring + - default + - {{ .Release.Namespace }} + +{{- end }} diff --git a/charts/netscaler/netscaler-ingress-controller/2.2.10/templates/ingressclass.yaml b/charts/netscaler/netscaler-ingress-controller/2.2.10/templates/ingressclass.yaml new file mode 100644 index 000000000..da86715cc --- /dev/null +++ b/charts/netscaler/netscaler-ingress-controller/2.2.10/templates/ingressclass.yaml @@ -0,0 +1,18 @@ +{{- $default := .Values.setAsDefaultIngressClass -}} +{{- if semverCompare ">=1.19.0-0" .Capabilities.KubeVersion.GitVersion }} +{{- if .Values.ingressClass }} +{{- range .Values.ingressClass }} +apiVersion: networking.k8s.io/v1 +kind: IngressClass +metadata: + name: {{ . | quote }} +{{- if $default }} + annotations: + ingressclass.kubernetes.io/is-default-class: "true" +{{- end }} +spec: + controller: citrix.com/ingress-controller +--- +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/netscaler/netscaler-ingress-controller/2.2.10/templates/rbac.yaml b/charts/netscaler/netscaler-ingress-controller/2.2.10/templates/rbac.yaml new file mode 100644 index 000000000..42dd7e9d7 --- /dev/null +++ b/charts/netscaler/netscaler-ingress-controller/2.2.10/templates/rbac.yaml @@ -0,0 +1,106 @@ +{{- if not .Values.rbacRole }} +kind: ClusterRole +{{- else }} +kind: Role +{{- end }} +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ include "netscaler-ingress-controller.serviceAccountName" . }} +{{- if .Values.rbacRole }} + namespace: {{ .Release.Namespace }} +{{- end }} +rules: + - apiGroups: [""] +{{- if .Values.openshift }} + resources: ["endpoints", "pods", "secrets", "routes", "tokenreviews", "subjectaccessreviews", "nodes", "namespaces", "configmaps", "services"] +{{- else }} + resources: ["endpoints", "pods", "secrets", "routes", "nodes", "namespaces", "configmaps", "services"] +{{- end }} + verbs: ["get", "list", "watch"] + # services/status is needed to update the loadbalancer IP in service status for integrating + # service of type LoadBalancer with external-dns + - apiGroups: [""] + resources: ["services/status"] + verbs: ["patch"] + - apiGroups: [""] + resources: ["events"] + verbs: ["create"] + - apiGroups: ["extensions", "networking.k8s.io"] + resources: ["ingresses"] + verbs: ["get", "list", "watch"] + - apiGroups: ["extensions","networking.k8s.io"] + resources: ["ingresses/status"] + verbs: ["patch"] + - apiGroups: ["networking.k8s.io"] + resources: ["ingressclasses"] + verbs: ["get", "list", "watch"] + - apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["get", "list", "watch"] + - apiGroups: ["apps"] + resources: ["deployments"] + verbs: ["get", "list", "watch"] + - apiGroups: ["citrix.com"] + resources: ["rewritepolicies", "icappolicies", "continuousdeployments", "authpolicies", "ratelimits", "listeners", "httproutes", "wafs", "apigatewaypolicies", "bots", "corspolicies", "appqoepolicies", "wildcarddnsentries"] + verbs: ["get", "list", "watch", "create", "delete", "patch"] + - apiGroups: ["citrix.com"] + resources: ["rewritepolicies/status", "icappolicies/status", "continuousdeployments/status", "authpolicies/status", "ratelimits/status", "listeners/status", "httproutes/status", "wafs/status", "apigatewaypolicies/status", "bots/status", "corspolicies/status", "appqoepolicies/status", "wildcarddnsentries/status"] + verbs: ["patch"] + - apiGroups: ["citrix.com"] + resources: ["vips"] + verbs: ["get", "list", "watch", "create", "delete"] + - apiGroups: ["crd.projectcalico.org"] + resources: ["ipamblocks"] + verbs: ["get", "list", "watch"] +{{- if .Values.openshift }} + - apiGroups: ["route.openshift.io"] + resources: ["routes"] + verbs: ["get", "list", "watch"] + - apiGroups: ["network.openshift.io"] + resources: ["hostsubnets"] + verbs: ["get", "list", "watch"] + - apiGroups: ["config.openshift.io"] + resources: ["networks"] + verbs: ["get", "list"] +{{- end }} + +--- + +{{- if not .Values.rbacRole }} +kind: ClusterRoleBinding +{{- else }} +kind: RoleBinding +{{- end }} +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ include "netscaler-ingress-controller.serviceAccountName" . }} +{{- if .Values.rbacRole }} + namespace: {{ .Release.Namespace }} +{{- end }} +roleRef: + apiGroup: rbac.authorization.k8s.io +{{- if not .Values.rbacRole }} + kind: ClusterRole +{{- else }} + kind: Role +{{- end }} + name: {{ include "netscaler-ingress-controller.serviceAccountName" . }} +subjects: +- kind: ServiceAccount + name: {{ include "netscaler-ingress-controller.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} + +--- + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "netscaler-ingress-controller.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +{{- if .Values.imagePullSecrets }} +imagePullSecrets: +{{- range .Values.imagePullSecrets }} +- name: {{.}} +{{- end }} +{{- end }} + diff --git a/charts/netscaler/netscaler-ingress-controller/2.2.10/values.yaml b/charts/netscaler/netscaler-ingress-controller/2.2.10/values.yaml new file mode 100644 index 000000000..4f6c0f59e --- /dev/null +++ b/charts/netscaler/netscaler-ingress-controller/2.2.10/values.yaml @@ -0,0 +1,230 @@ +# Default values for netscaler-ingress-controller. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +# NetScaler Ingress Controller config details +imageRegistry: quay.io +imageRepository: netscaler/netscaler-k8s-ingress-controller +imageTag: 2.2.10 +image: "{{ .Values.imageRegistry }}/{{ .Values.imageRepository }}:{{ .Values.imageTag }}" +pullPolicy: IfNotPresent +imagePullSecrets: [] +nameOverride: "" +fullnameOverride: "" +openshift: false +adcCredentialSecret: "" # K8s Secret Name +# Enable secretStore to implement CSI Secret Provider classes for holding the nslogin credentials +secretStore: + enabled: false + username: {} + #valueFrom: + # configMapKeyRef: + # name: test1 + # key: username + password: {} + #valueFrom: + # configMapKeyRef: + # name: test1 + # key: password +nsIP: "" +nsVIP: "" +nsSNIPS: [] +license: + accept: no +nsPort: 443 +nsProtocol: HTTPS +nsEnableLabel: true +# nitroReadTimeout is timeout value in seconds for nitro api read timeout(default is 20) +nitroReadTimeout: 20 +logLevel: INFO +jsonLog: false +multiClusterPrefix: +entityPrefix: "" +kubernetesURL: "" +clusterName: "" +ingressClass: [] +setAsDefaultIngressClass: False +serviceClass: [] +defaultSSLCertSecret: "" +defaultSSLSNICertSecret: "" +podIPsforServiceGroupMembers: False +ignoreNodeExternalIP: False +ipam: False +# API server Cert verification can be disabled, while communicating with API Server, if disableAPIServerCertVerify set to True +disableAPIServerCertVerify: False +logProxy: "" +nodeWatch: false +nsncPbr: False +nodeSelector: + key: "" + value: "" +tolerations: [] +updateIngressStatus: True +nsHTTP2ServerSide: "OFF" +nsCookieVersion: "0" +nsConfigDnsRec: False +nsSvcLbDnsRec: False +nsDnsNameserver: "" +optimizeEndpointBinding: False +routeLabels: "" +namespaceLabels: "" +disableOpenshiftRoutes: False +profileSslFrontend: {} + # preconfigured: my_ssl_profile + # OR + # config: + # tls13: 'ENABLED' + # hsts: 'ENABLED' +profileHttpFrontend: {} + # preconfigured: my_http_profile + # OR + # config: + # dropinvalreqs: 'ENABLED' + # websocket: 'ENABLED' +profileTcpFrontend: {} + # preconfigured: my_tcp_profile + # OR + # config: + # sack: 'ENABLED' + # nagle: 'ENABLED' + +# Exporter config details +exporter: + required: false + imageRegistry: quay.io + imageRepository: netscaler/netscaler-adc-metrics-exporter + imageTag: 1.4.9 + image: "{{ .Values.exporter.imageRegistry }}/{{ .Values.exporter.imageRepository }}:{{ .Values.exporter.imageTag }}" + pullPolicy: IfNotPresent + ports: + containerPort: 8888 + resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + extraVolumeMounts: [] + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. + #- name: github-key + # mountPath: /etc/config/keys/ + # readOnly: true + #- name: agent-init-scripts + # mountPath: /docker-entrypoint.d/ + + serviceMonitorExtraLabels: {} + +# Enable RBAC role (so called local role), by default NSIC deployed with ClusterRole. +# below variable to deploy NSIC with RBAC role, only ingress service supported with this config +rbacRole: False + +# Config required to be done by NetScaler Ingress Controller for sending metrics to NetScaler Observability Exporter +analyticsConfig: + required: false + distributedTracing: + enable: false + samplingrate: 100 + endpoint: + metrics: + service: "" + transactions: + service: "" + timeseries: + port: 30002 + metrics: + enable: false + mode: 'avro' + exportFrequency: 30 + schemaFile: schema.json + enableNativeScrape: false + auditlogs: + enable: false + events: + enable: false + transactions: + enable: false + port: 30001 + +nsLbHashAlgo: + required: false + hashFingers: 256 + hashAlgorithm: 'DEFAULT' + +# Specifies whether a ServiceAccount should be created +serviceAccount: + create: true + # The name of the ServiceAccount to use. + # If not set and `create` is true, a name is generated using the fullname template + # name: + +podAnnotations: {} + +resources: + requests: + cpu: 32m + memory: 128Mi + # Following values depends on no of ingresses configured by Ingress Controllers, so it is + # advised to test with maximum no of ingresses to set these values. + # limits: + # cpu: 1000m + # memory: 1000Mi + limits: {} + # Following values depends on no of ingresses configured by Ingress Controllers, so it is + # advised to test with maximum no of ingresses to set these values. + # limits: + # cpu: 1000m + # memory: 1000Mi + +affinity: {} + +bgpAdvertisement: False +nodeLabels: "" +enableReadinessProbe: True +readinessProbe: + exec: + command: + - cat + - /tmp/readiness + initialDelaySeconds: 10 + periodSeconds: 60 + failureThreshold: 3 + successThreshold: 1 + +enableLivenessProbe: True +livenessProbe: + exec: + command: + - /bin/sh + - -c + - | + FILE_PATH="$LIVENESS_FILE_PATH" + [ -f "$FILE_PATH" ] && [ $(( $(date +%s) - $(stat -c %Y "$FILE_PATH") )) -lt 60 ] && exit 0 || exit 1 + initialDelaySeconds: 30 + periodSeconds: 60 + +extraVolumeMounts: [] + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. + #- name: github-key + # mountPath: /etc/config/keys/ + # readOnly: true + #- name: agent-init-scripts + # mountPath: /docker-entrypoint.d/ + +extraVolumes: [] + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. + #- name: agent-init-scripts + # configMap: + # name: agent-init-scripts + # defaultMode: 0755 + #- name: github-key + # secret: + # secretName: github-key + # defaultMode: 0744 diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/.helmignore b/charts/trilio/k8s-triliovault-operator/5.0.0/.helmignore new file mode 100644 index 000000000..be86b789d --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +# Helm files +OWNERS diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/BUILD.bazel b/charts/trilio/k8s-triliovault-operator/5.0.0/BUILD.bazel new file mode 100644 index 000000000..c578eb034 --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/BUILD.bazel @@ -0,0 +1,9 @@ +load("@bazel_tools//tools/build_defs/pkg:pkg.bzl", "pkg_tar") + +pkg_tar( + name = "helm-tar", + files = glob(["**"]), + package_dir = "/opt/tvk/k8s-triliovault-operator/", + strip_prefix = "./", + visibility = ["//visibility:public"], +) diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/Chart.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/Chart.yaml new file mode 100644 index 000000000..99ed11c1f --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/Chart.yaml @@ -0,0 +1,24 @@ +annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: TrilioVault for Kubernetes Operator + catalog.cattle.io/kube-version: '>=1.19.0-0' + catalog.cattle.io/release-name: k8s-triliovault-operator +apiVersion: v2 +appVersion: 5.0.0 +dependencies: +- condition: observability.enabled + name: observability + repository: file://charts/observability + version: ^0.1.0 +description: K8s-TrilioVault-Operator is an operator designed to manage the K8s-TrilioVault + Application Lifecycle. +home: https://github.com/trilioData/k8s-triliovault-operator +icon: file://assets/icons/k8s-triliovault-operator.png +kubeVersion: '>=1.19.0-0' +maintainers: +- email: prafull.ladha@trilio.io + name: prafull11 +name: k8s-triliovault-operator +sources: +- https://github.com/trilioData/k8s-triliovault-operator +version: 5.0.0 diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/LICENSE b/charts/trilio/k8s-triliovault-operator/5.0.0/LICENSE new file mode 100644 index 000000000..76b559d3b --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/LICENSE @@ -0,0 +1 @@ +# Placeholder for the License if we decide to provide one diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/README.md b/charts/trilio/k8s-triliovault-operator/5.0.0/README.md new file mode 100644 index 000000000..1c8cb3841 --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/README.md @@ -0,0 +1,206 @@ +# K8s-TrilioVault-Operator +This operator is to manage the lifecycle of TrilioVault Backup/Recovery solution. This operator install, updates and manage the TrilioVault application. + +## Introduction + +## Prerequisites + +- Kubernetes 1.19+ +- PV provisioner support +- CSI driver should be installed + +### One Click Installation + +In one click install for upstream operator, a cluster scope TVM custom resource `triliovault-manager` is created. + +```shell script +helm repo add trilio-vault-operator https://charts.k8strilio.net/trilio-stable/k8s-triliovault-operator +helm install tvm trilio-vault-operator/k8s-triliovault-operator +``` + +#### One click install with preflight Configuration + +The following table lists the configuration parameter of the upstream operator one click install feature as well as preflight check flags, their default values and usage. + +| Parameter | Description | Default | Example | +|--------------------------------------------------------------------|---------------------------------------------------------------------------------------------------|------------|-------------------------| +| `installTVK.enabled` | 1 click install feature is enabled | true | | +| `installTVK.applicationScope` | scope of TVK application created | Cluster | | +| `installTVK.tvkInstanceName` | tvk instance name | "" | "tvk-instance" | +| `installTVK.ingressConfig.host` | host of the ingress resource created | "" | | +| `installTVK.ingressConfig.tlsSecretName` | tls secret name which contains ingress certs | "" | | +| `installTVK.ingressConfig.annotations` | annotations to be added on ingress resource | "" | | +| `installTVK.ingressConfig.ingressClass` | ingress class name for the ingress resource | "" | | +| `installTVK.ComponentConfiguration.ingressController.enabled` | TVK ingress controller should be deployed | true | | +| `installTVK.ComponentConfiguration.ingressController.service.type` | TVK ingress controller service type | "NodePort" | | +| `preflight.enabled` | enables preflight check for tvk | false | | +| `preflight.storageClass` | Name of storage class to use for preflight checks (Required) | "" | | +| `preflight.cleanupOnFailure` | Cleanup the resources on cluster if preflight checks fail (Optional) | false | | +| `preflight.imagePullSecret` | Name of the secret for authentication while pulling the images from the local registry (Optional) | "" | | +| `preflight.limits` | Pod memory and cpu resource limits for DNS and volume snapshot preflight check (Optional) | "" | "cpu=600m,memory=256Mi" | +| `preflight.localRegistry` | Name of the local registry from where the images will be pulled (Optional) | "" | | +| `preflight.nodeSelector` | Node selector labels for pods to schedule on a specific nodes of cluster (Optional) | "" | "key=value" | +| `preflight.pvcStorageRequest` | PVC storage request for volume snapshot preflight check (Optional) | "" | "2Gi" | +| `preflight.requests` | Pod memory and cpu resource requests for DNS and volume snapshot preflight check (Optional) | "" | "cpu=300m,memory=128Mi" | +| `preflight.volumeSnapshotClass` | Name of volume snapshot class to use for preflight checks (Optional) | "" | | +| `preflight.logLevel` | Log Level for the preflight run (Default: "INFO") | "" | | +| `preflight.imageTag` | Image tag to use for the preflight image (Default: latest) | "" | | +| `nodeSelector` | Node selection constraints for scheduling Pods of this application. | {} | | +| `affinity` | Affinity rules for scheduling the Pod of this application. | {} | | +| `tolerations` | Taints to be tolerated by Pods of this application. | [] | | + + +Check the TVM CR configuration by running following command: + +``` +kubectl get triliovaultmanagers.triliovault.trilio.io triliovault-manager -o yaml +``` + +Once the operator pod is in running state, the TVK pods getting spawned. Confirm the [TVK pods are up](#Check-TVK-Install). + +#### Note: + +If preflight check is enabled and helm install fails, check pre-install helm hook pod logs for any failure in preflight check. Do the following steps: + +First, run this command: +``` +kubectl get pods -n +``` + +The pod name should start with `-preflight-job-preinstall-hook`. Check the logs of the pod by the following command: +``` +kubectl logs -f -n +``` + +#### The failed preflight job is not cleaned up automatically right after failure. If the user cluster version is 1.21 and above, the job will be cleaned up after 1 hour so user should collect any failure logs within 1 hr of job failure. For cluster version below 1.21, user has to clean up failed preflight job manually. + +To delete the job manually, run the following command: +``` +kubectl delete job -f -n +``` + +where job name should also start with `-preflight-job-preinstall-hook` + +Also, due to a bug at helm side where auto deletion of resources upon failure doesn't work, user needs to clean the following resources left behind to be able to run preflight again, until the bug is fixed from their side, after which this step will be handled automatically. Run the following command to clean up the temporary resources: + +1. Cleanup Service Account: + ``` + kubectl delete sa -preflight-service-account -n + ``` +2. Cleanup Cluster Role Binding: + ``` + kubectl delete clusterrolebinding --preflight-rolebinding + ``` +3. Cleanup Cluster Role: + ``` + kubectl delete clusterrole --preflight-role + ``` + +## Manual Installation + +To install the operator on local setup just run the latest helm charts inside this repo + +```shell script +helm repo add trilio-vault-operator https://charts.k8strilio.net/trilio-stable/k8s-triliovault-operator +helm install tvm trilio-vault-operator/k8s-triliovault-operator +``` + +Now, create a TrilioVaultManager CR to install the TrilioVault for Kubernetes. You can provide the custom configurations for the TVK resources as follows: + +``` +apiVersion: triliovault.trilio.io/v1 +kind: TrilioVaultManager +metadata: + labels: + triliovault: k8s + name: tvk +spec: + trilioVaultAppVersion: latest + applicationScope: Cluster + # User can configure tvk instance name + tvkInstanceName: tvk-instance + # User can configure the ingress hosts, annotations and TLS secret through the ingressConfig section + ingressConfig: + host: "trilio.co.in" + tlsSecretName: "secret-name" + # TVK components configuration, currently supports control-plane, web, exporter, web-backend, ingress-controller, admission-webhook. + # User can configure resources for all componentes and can configure service type and host for the ingress-controller + componentConfiguration: + web-backend: + resources: + requests: + memory: "400Mi" + cpu: "200m" + limits: + memory: "2584Mi" + cpu: "1000m" + ingress-controller: + enabled: true + service: + type: LoadBalancer +``` + +### Apply the Custom Resource + +Apply `TVM.yaml`: + +```shell +kubectl create -f TVM.yaml +``` + +### Check TVK Install + +Check that the pods were created: + +``` +kubectl get pods +``` + +``` +NAME READY STATUS RESTARTS AGE +k8s-triliovault-admission-webhook-6ff5f98c8-qwmfc 1/1 Running 0 81s +k8s-triliovault-backend-6f66b6b8d5-gxtmz 1/1 Running 0 81s +k8s-triliovault-control-plane-6c464c5d78-ftk6g 1/1 Running 0 81s +k8s-triliovault-exporter-59566f97dd-gs4xc 1/1 Running 0 81s +k8s-triliovault-ingress-nginx-controller-867c764cd5-qhpx6 1/1 Running 0 18s +k8s-triliovault-web-967c8475-m7pc6 1/1 Running 0 81s +tvm-k8s-triliovault-operator-66bd7d86d5-dvhzb 1/1 Running 0 6m48s +``` + +Check that ingress controller service is of type LoadBalancer: +``` +NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE +k8s-triliovault-admission-webhook ClusterIP 10.7.243.24 443/TCP 129m +k8s-triliovault-ingress-nginx-controller LoadBalancer 10.7.246.193 35.203.155.148 80:30362/TCP,443:32327/TCP 129m +k8s-triliovault-ingress-nginx-controller-admission ClusterIP 10.7.250.31 443/TCP 129m +k8s-triliovault-web ClusterIP 10.7.254.41 80/TCP 129m +k8s-triliovault-web-backend ClusterIP 10.7.252.146 80/TCP 129m +tvm-k8s-triliovault-operator-webhook-service ClusterIP 10.7.248.163 443/TCP 130m 123m +``` + +Check that ingress resources has the host defined by the user: +``` +NAME CLASS HOSTS ADDRESS PORTS AGE +k8s-triliovault k8s-triliovault-default-nginx * 35.203.155.148 80 129m +``` + +You can access the TVK UI by hitting this address in your browser: https://35.203.155.148 + +## Delete + +```shell +kubectl delete -f TVM.yaml +``` + +## Uninstall + +To uninstall/delete the operator helm chart : + +```bash +helm uninstall tvm +``` + +## TrilioVaultManager compatibility + +We maintain the version parity between the TrilioVaultManager(upstream operator) and TrilioVault for Kubernetes. Whenever +user wants to upgrade to the new version, should use the same version for upstream operator and Triliovault for Kubernetes. diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/Chart.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/Chart.yaml new file mode 100644 index 000000000..4df538147 --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/Chart.yaml @@ -0,0 +1,21 @@ +apiVersion: v2 +appVersion: 0.1.0 +dependencies: +- name: visualization + repository: file://charts/visualization + version: ^0.1.0 +- name: logging + repository: file://charts/logging + version: ^0.1.0 +- name: monitoring + repository: file://charts/monitoring + version: ^0.1.0 +description: Observability Stack is designed to manage the K8s-TrilioVault Application's + Logging, Monitoring and Visualization. +icon: https://www.trilio.io/wp-content/uploads/2021/01/Trilio-2020-logo-RGB-gray-green.png +kubeVersion: '>=1.19.0-0' +maintainers: +- email: support@trilio.io + name: Trilio +name: observability +version: 0.1.0 diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/logging/Chart.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/logging/Chart.yaml new file mode 100644 index 000000000..411d5b0fd --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/logging/Chart.yaml @@ -0,0 +1,18 @@ +apiVersion: v2 +appVersion: 0.1.0 +dependencies: +- condition: loki.enabled + name: loki + repository: https://grafana.github.io/helm-charts + version: ^2.15.2 +- condition: promtail.enabled + name: promtail + repository: https://grafana.github.io/helm-charts + version: ^6.7.4 +description: Logging Stack designed to manage the K8s-TrilioVault Application's Logs. +icon: https://www.trilio.io/wp-content/uploads/2021/01/Trilio-2020-logo-RGB-gray-green.png +maintainers: +- email: support@trilio.io + name: Trilio +name: logging +version: 0.1.0 diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/logging/charts/loki/Chart.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/logging/charts/loki/Chart.yaml new file mode 100644 index 000000000..c10bab260 --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/logging/charts/loki/Chart.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +appVersion: v2.6.1 +description: 'Loki: like Prometheus, but for logs.' +home: https://grafana.com/loki +icon: https://raw.githubusercontent.com/grafana/loki/master/docs/sources/logo.png +kubeVersion: ^1.10.0-0 +maintainers: +- email: support@trilio.io + name: Trilio +name: loki +sources: +- https://github.com/grafana/loki +version: 2.16.0 diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/logging/charts/loki/templates/NOTES.txt b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/logging/charts/loki/templates/NOTES.txt new file mode 100644 index 000000000..abe023a70 --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/logging/charts/loki/templates/NOTES.txt @@ -0,0 +1,3 @@ +Verify the application is working by running these commands: + kubectl --namespace {{ .Release.Namespace }} port-forward service/{{ include "loki.fullname" . }} {{ .Values.service.port }} + curl http://127.0.0.1:{{ .Values.service.port }}/api/prom/label diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/logging/charts/loki/templates/_helpers.tpl b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/logging/charts/loki/templates/_helpers.tpl new file mode 100644 index 000000000..1ff9b632a --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/logging/charts/loki/templates/_helpers.tpl @@ -0,0 +1,99 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "loki.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "loki.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "loki.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create the name of the service account +*/}} +{{- define "loki.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} + {{ default (include "loki.fullname" .) .Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Create the app name of loki clients. Defaults to the same logic as "loki.fullname", and default client expects "promtail". +*/}} +{{- define "client.name" -}} +{{- if .Values.client.name -}} +{{- .Values.client.name -}} +{{- else if .Values.client.fullnameOverride -}} +{{- .Values.client.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default "promtail" .Values.client.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Generate a right Ingress apiVersion +*/}} +{{- define "ingress.apiVersion" -}} +{{- if semverCompare ">=1.20-0" .Capabilities.KubeVersion.GitVersion -}} +networking.k8s.io/v1 +{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}} +networking.k8s.io/v1beta1 +{{- else -}} +extensions/v1 +{{- end }} +{{- end -}} + +{{/* +Handle backwards compatible api versions for: + - podDisruptionBudget (policy/v1beta1) + - podSecurityPolicy (policy/v1beta1) +*/}} +{{- define "loki.podDisruptionBudget.apiVersion" -}} +{{ if $.Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudgets" -}} +{{- print "policy/v1" -}} +{{- else -}} +{{- print "policy/v1beta1" -}} +{{- end -}} +{{- end -}} + + +{{/* +Common labels +*/}} +{{- define "loki.labels" -}} +app: {{ template "loki.name" . }} +chart: {{ template "loki.chart" . }} +release: {{ .Release.Name }} +heritage: {{ .Release.Service }} +{{- end }} + diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/logging/charts/loki/templates/configmap-alert.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/logging/charts/loki/templates/configmap-alert.yaml new file mode 100644 index 000000000..45d72d8aa --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/logging/charts/loki/templates/configmap-alert.yaml @@ -0,0 +1,14 @@ +{{- if or (.Values.useExistingAlertingGroup.enabled) (gt (len .Values.alerting_groups) 0) }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "loki.fullname" . }}-alerting-rules + namespace: {{ .Release.Namespace }} + labels: + {{- include "loki.labels" . | nindent 4 }} +data: + {{ template "loki.fullname" . }}-alerting-rules.yaml: |- + groups: + {{- toYaml .Values.alerting_groups | nindent 6 }} +{{- end }} \ No newline at end of file diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/logging/charts/loki/templates/ingress.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/logging/charts/loki/templates/ingress.yaml new file mode 100644 index 000000000..b12551437 --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/logging/charts/loki/templates/ingress.yaml @@ -0,0 +1,52 @@ +{{- if .Values.ingress.enabled -}} +{{- $fullName := include "loki.fullname" . -}} +{{- $svcPort := .Values.service.port -}} +{{- $apiVersion := include "ingress.apiVersion" . -}} +apiVersion: {{ $apiVersion }} +kind: Ingress +metadata: + name: {{ $fullName }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "loki.labels" . | nindent 4 }} + {{- with .Values.ingress.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: +{{- if .Values.ingress.ingressClassName }} + ingressClassName: {{ .Values.ingress.ingressClassName }} +{{- end }} +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + {{- range .Values.ingress.hosts }} + - host: {{ .host | quote }} + http: + paths: + {{- range .paths }} + - path: {{ . }} + {{- if eq $apiVersion "networking.k8s.io/v1" }} + pathType: Prefix + {{- end }} + backend: + {{- if eq $apiVersion "networking.k8s.io/v1" }} + service: + name: {{ $fullName }} + port: + number: {{ $svcPort }} + {{- else }} + serviceName: {{ $fullName }} + servicePort: {{ $svcPort }} + {{- end }} + {{- end }} + {{- end }} +{{- end }} diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/logging/charts/loki/templates/networkpolicy.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/logging/charts/loki/templates/networkpolicy.yaml new file mode 100644 index 000000000..b9349ba9d --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/logging/charts/loki/templates/networkpolicy.yaml @@ -0,0 +1,23 @@ +{{- if .Values.networkPolicy.enabled }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ template "loki.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "loki.labels" . | nindent 4 }} +spec: + podSelector: + matchLabels: + name: {{ template "loki.fullname" . }} + app: {{ template "loki.name" . }} + release: {{ .Release.Name }} + ingress: + - from: + - podSelector: + matchLabels: + app: {{ template "client.name" . }} + release: {{ .Release.Name }} + - ports: + - port: {{ .Values.service.port }} +{{- end }} diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/logging/charts/loki/templates/pdb.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/logging/charts/loki/templates/pdb.yaml new file mode 100644 index 000000000..68dd619b7 --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/logging/charts/loki/templates/pdb.yaml @@ -0,0 +1,14 @@ +{{- if .Values.podDisruptionBudget -}} +apiVersion: {{ include "loki.podDisruptionBudget.apiVersion" . }} +kind: PodDisruptionBudget +metadata: + name: {{ template "loki.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "loki.labels" . | nindent 4 }} +spec: + selector: + matchLabels: + app: {{ template "loki.name" . }} +{{ toYaml .Values.podDisruptionBudget | indent 2 }} +{{- end }} diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/logging/charts/loki/templates/podsecuritypolicy.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/logging/charts/loki/templates/podsecuritypolicy.yaml new file mode 100644 index 000000000..c30ab49c1 --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/logging/charts/loki/templates/podsecuritypolicy.yaml @@ -0,0 +1,40 @@ +{{- if .Values.rbac.pspEnabled }} +{{- if .Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy" }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "loki.fullname" . }} + labels: + {{- include "loki.labels" . | nindent 4 }} +spec: + privileged: false + allowPrivilegeEscalation: false + volumes: + - 'configMap' + - 'emptyDir' + - 'persistentVolumeClaim' + - 'secret' + - 'projected' + - 'downwardAPI' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'MustRunAsNonRoot' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'MustRunAs' + ranges: + - min: 1 + max: 65535 + fsGroup: + rule: 'MustRunAs' + ranges: + - min: 1 + max: 65535 + readOnlyRootFilesystem: true + requiredDropCapabilities: + - ALL +{{- end }} +{{- end }} diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/logging/charts/loki/templates/prometheusrule.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/logging/charts/loki/templates/prometheusrule.yaml new file mode 100644 index 000000000..d1ed09be5 --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/logging/charts/loki/templates/prometheusrule.yaml @@ -0,0 +1,20 @@ +{{- if and .Values.serviceMonitor.enabled .Values.serviceMonitor.prometheusRule.enabled -}} +apiVersion: monitoring.coreos.com/v1 +kind: PrometheusRule +metadata: + name: {{ template "loki.fullname" . }} +{{- if .Values.serviceMonitor.prometheusRule.namespace }} + namespace: {{ .Values.serviceMonitor.prometheusRule.namespace | quote }} +{{- end }} + labels: + {{- include "loki.labels" . | nindent 4 }} + {{- if .Values.serviceMonitor.prometheusRule.additionalLabels }} + {{- toYaml .Values.serviceMonitor.prometheusRule.additionalLabels | nindent 4 }} + {{- end }} +spec: +{{- if .Values.serviceMonitor.prometheusRule.rules }} + groups: + - name: {{ template "loki.fullname" . }} + rules: {{- toYaml .Values.serviceMonitor.prometheusRule.rules | nindent 4 }} +{{- end }} +{{- end }} diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/logging/charts/loki/templates/role.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/logging/charts/loki/templates/role.yaml new file mode 100644 index 000000000..03b9da608 --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/logging/charts/loki/templates/role.yaml @@ -0,0 +1,17 @@ +{{- if .Values.rbac.create }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "loki.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "loki.labels" . | nindent 4 }} +{{- if .Values.rbac.pspEnabled }} +rules: +- apiGroups: ['extensions'] + resources: ['podsecuritypolicies'] + verbs: ['use'] + resourceNames: [{{ template "loki.fullname" . }}] +{{- end }} +{{- end }} + diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/logging/charts/loki/templates/rolebinding.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/logging/charts/loki/templates/rolebinding.yaml new file mode 100644 index 000000000..099111de3 --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/logging/charts/loki/templates/rolebinding.yaml @@ -0,0 +1,17 @@ +{{- if .Values.rbac.create }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "loki.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "loki.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "loki.fullname" . }} +subjects: +- kind: ServiceAccount + name: {{ template "loki.serviceAccountName" . }} +{{- end }} + diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/logging/charts/loki/templates/secret.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/logging/charts/loki/templates/secret.yaml new file mode 100644 index 000000000..b4bee6a68 --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/logging/charts/loki/templates/secret.yaml @@ -0,0 +1,11 @@ +{{- if not .Values.config.existingSecret -}} +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "loki.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "loki.labels" . | nindent 4 }} +data: + loki.yaml: {{ tpl (toYaml .Values.config) . | b64enc}} +{{- end -}} diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/logging/charts/loki/templates/service-headless.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/logging/charts/loki/templates/service-headless.yaml new file mode 100644 index 000000000..d97c36a20 --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/logging/charts/loki/templates/service-headless.yaml @@ -0,0 +1,26 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ template "loki.fullname" . }}-headless + namespace: {{ .Release.Namespace }} + labels: + {{- include "loki.labels" . | nindent 4 }} + app.kubernetes.io/instance: {{ template "loki.name" . }} + {{- include "k8s-triliovault-operator.observability" . | nindent 4 }} + {{- with .Values.service.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + variant: headless +spec: + clusterIP: None + ports: + - port: {{ .Values.service.port }} + protocol: TCP + name: http-metrics + targetPort: {{ .Values.service.targetPort }} +{{- if .Values.extraPorts }} +{{ toYaml .Values.extraPorts | indent 4}} +{{- end }} + selector: + app: {{ template "loki.name" . }} + release: {{ .Release.Name }} diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/logging/charts/loki/templates/service-memberlist.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/logging/charts/loki/templates/service-memberlist.yaml new file mode 100644 index 000000000..27a885785 --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/logging/charts/loki/templates/service-memberlist.yaml @@ -0,0 +1,21 @@ +{{- if .Values.config.memberlist -}} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "loki.fullname" . }}-memberlist + namespace: {{ .Release.Namespace }} + labels: + {{- include "loki.labels" . | nindent 4 }} +spec: + type: ClusterIP + clusterIP: None + publishNotReadyAddresses: true + ports: + - name: http + port: {{ .Values.config.memberlist.bind_port | default 7946 }} + targetPort: memberlist-port + protocol: TCP + selector: + app: {{ template "loki.name" . }} + release: {{ .Release.Name }} +{{- end -}} diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/logging/charts/loki/templates/service.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/logging/charts/loki/templates/service.yaml new file mode 100644 index 000000000..1a8877924 --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/logging/charts/loki/templates/service.yaml @@ -0,0 +1,43 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ template "loki.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "loki.labels" . | nindent 4 }} + {{- with .Values.service.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + annotations: + {{- toYaml .Values.service.annotations | nindent 4 }} +spec: +{{- if .Values.service.loadBalancerSourceRanges }} + externalTrafficPolicy: {{ .Values.service.externalTrafficPolicy }} +{{- end }} + type: {{ .Values.service.type }} +{{- if (and (eq .Values.service.type "ClusterIP") (not (empty .Values.service.clusterIP))) }} + clusterIP: {{ .Values.service.clusterIP }} +{{- end }} +{{- if (and (eq .Values.service.type "LoadBalancer") (not (empty .Values.service.loadBalancerIP))) }} + loadBalancerIP: {{ .Values.service.loadBalancerIP }} +{{- end }} +{{- if .Values.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: + {{- range $cidr := .Values.service.loadBalancerSourceRanges }} + - {{ $cidr }} + {{- end }} +{{- end }} + ports: + - port: {{ .Values.service.port }} + protocol: TCP + name: http-metrics + targetPort: {{ .Values.service.targetPort }} +{{- if (and (eq .Values.service.type "NodePort") (not (empty .Values.service.nodePort))) }} + nodePort: {{ .Values.service.nodePort }} +{{- end }} +{{- if .Values.extraPorts }} +{{ toYaml .Values.extraPorts | indent 4}} +{{- end }} + selector: + app: {{ template "loki.name" . }} + release: {{ .Release.Name }} diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/logging/charts/loki/templates/serviceaccount.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/logging/charts/loki/templates/serviceaccount.yaml new file mode 100644 index 000000000..6db005d14 --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/logging/charts/loki/templates/serviceaccount.yaml @@ -0,0 +1,13 @@ +{{- if .Values.serviceAccount.create }} +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + {{- include "loki.labels" . | nindent 4 }} + annotations: + {{- toYaml .Values.serviceAccount.annotations | nindent 4 }} + name: {{ template "loki.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }} +{{- end }} + diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/logging/charts/loki/templates/servicemonitor.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/logging/charts/loki/templates/servicemonitor.yaml new file mode 100644 index 000000000..dd84a3a45 --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/logging/charts/loki/templates/servicemonitor.yaml @@ -0,0 +1,42 @@ +{{- if .Values.serviceMonitor.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ template "loki.fullname" . }} + labels: + {{- include "loki.labels" . | nindent 4 }} + {{- if .Values.serviceMonitor.additionalLabels }} +{{ toYaml .Values.serviceMonitor.additionalLabels | indent 4 }} + {{- end }} + {{- if .Values.serviceMonitor.annotations }} + annotations: +{{ toYaml .Values.serviceMonitor.annotations | indent 4 }} + {{- end }} +spec: + selector: + matchLabels: + app: {{ template "loki.name" . }} + release: {{ .Release.Name | quote }} + variant: headless + namespaceSelector: + matchNames: + - {{ .Release.Namespace | quote }} + endpoints: + - port: http-metrics + {{- if .Values.serviceMonitor.interval }} + interval: {{ .Values.serviceMonitor.interval }} + {{- end }} + {{- if .Values.serviceMonitor.scrapeTimeout }} + scrapeTimeout: {{ .Values.serviceMonitor.scrapeTimeout }} + {{- end }} + {{- if .Values.serviceMonitor.path }} + path: {{ .Values.serviceMonitor.path }} + {{- end }} + {{- with .Values.serviceMonitor.scheme }} + scheme: {{ . }} + {{- end }} + {{- with .Values.serviceMonitor.tlsConfig }} + tlsConfig: + {{- toYaml . | nindent 6 }} + {{- end }} +{{- end }} diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/logging/charts/loki/templates/statefulset.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/logging/charts/loki/templates/statefulset.yaml new file mode 100644 index 000000000..9e1a49ca1 --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/logging/charts/loki/templates/statefulset.yaml @@ -0,0 +1,180 @@ +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: {{ template "loki.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "loki.labels" . | nindent 4 }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- include "k8s-triliovault-operator.observability" . | nindent 4 }} + annotations: + {{- toYaml .Values.annotations | nindent 4 }} +spec: + podManagementPolicy: {{ .Values.podManagementPolicy }} + replicas: {{ .Values.replicas }} + selector: + matchLabels: + app: {{ template "loki.name" . }} + release: {{ .Release.Name }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- include "k8s-triliovault-operator.observability" . | nindent 6 }} + serviceName: {{ template "loki.fullname" . }}-headless + updateStrategy: + {{- toYaml .Values.updateStrategy | nindent 4 }} + template: + metadata: + labels: + app: {{ template "loki.name" . }} + name: {{ template "loki.fullname" . }} + release: {{ .Release.Name }} + app.kubernetes.io/instance: {{ .Release.Name }} + {{- include "k8s-triliovault-operator.observability" . | nindent 8 }} + {{- with .Values.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + annotations: + {{- if not .Values.config.existingSecret }} + checksum/config: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }} + {{- end }} + {{- with .Values.podAnnotations }} + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + serviceAccountName: {{ template "loki.serviceAccountName" . }} + {{- if .Values.priorityClassName }} + priorityClassName: {{ .Values.priorityClassName }} + {{- end }} + securityContext: + {{- toYaml .Values.securityContext | nindent 8 }} + initContainers: + {{- toYaml .Values.initContainers | nindent 8 }} + {{- if .Values.image.pullSecrets }} + imagePullSecrets: + {{- range .Values.image.pullSecrets }} + - name: {{ . }} + {{- end}} + {{- end }} + containers: + - name: {{ .Chart.Name }} + image: "{{ .Values.image.registry }}/{{ .Values.image.repository }}:{{ .Values.image.tag }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + args: + - "-config.file=/etc/loki/loki.yaml" + {{- range $key, $value := .Values.extraArgs }} + - "-{{ $key }}={{ $value }}" + {{- end }} + volumeMounts: + - name: tmp + mountPath: /tmp + {{- if .Values.extraVolumeMounts }} + {{ toYaml .Values.extraVolumeMounts | nindent 12}} + {{- end }} + - name: config + mountPath: /etc/loki + - name: storage + mountPath: "/data" + subPath: {{ .Values.persistence.subPath }} + {{- if or (.Values.useExistingAlertingGroup.enabled) (gt (len .Values.alerting_groups) 0) }} + - name: rules + mountPath: /rules/fake + {{- end }} + ports: + - name: http-metrics + containerPort: {{ .Values.config.server.http_listen_port | default 3100 }} + protocol: TCP + - name: grpc + containerPort: {{ .Values.config.server.grpc_listen_port | default 9095 }} + protocol: TCP + {{- if .Values.config.memberlist }} + - name: memberlist-port + containerPort: {{ .Values.config.memberlist.bind_port | default 7946 }} + protocol: TCP + {{- end }} + livenessProbe: + {{- toYaml .Values.livenessProbe | nindent 12 }} + readinessProbe: + {{- toYaml .Values.readinessProbe | nindent 12 }} + resources: + {{- toYaml .Values.resources | nindent 12 }} + securityContext: + {{- toYaml .Values.containerSecurityContext | nindent 12 }} + env: + {{- if .Values.env }} + {{- toYaml .Values.env | nindent 12 }} + {{- end }} + {{- if .Values.tracing.jaegerAgentHost }} + - name: JAEGER_AGENT_HOST + value: "{{ .Values.tracing.jaegerAgentHost }}" + {{- end }} + {{- with .Values.extraEnvFrom }} + envFrom: + {{- toYaml . | nindent 12 }} + {{- end }} +{{- if .Values.extraContainers }} +{{ toYaml .Values.extraContainers | indent 8}} +{{- end }} + nodeSelector: + {{- toYaml .Values.nodeSelector | nindent 8 }} + affinity: + {{- toYaml .Values.affinity | nindent 8 }} + tolerations: + {{- toYaml .Values.tolerations | nindent 8 }} + {{- if .Values.topologySpreadConstraints.enabled }} + topologySpreadConstraints: + - maxSkew: {{ .Values.topologySpreadConstraints.maxSkew | default 1 }} + topologyKey: {{ .Values.topologySpreadConstraints.topologyKey | default "topology.kubernetes.io/zone" }} + whenUnsatisfiable: {{ .Values.topologySpreadConstraints.whenUnsatisfiable | default "ScheduleAnyway" }} + matchLabels: + app: {{ template "loki.name" . }} + release: {{ .Release.Name }} + {{- end }} + terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }} + volumes: + - name: tmp + emptyDir: {} + {{- if or (.Values.useExistingAlertingGroup.enabled) (gt (len .Values.alerting_groups) 0) }} + - name: rules + configMap: + {{- if .Values.useExistingAlertingGroup.enabled }} + name: {{ .Values.useExistingAlertingGroup.configmapName }} + {{- else }} + name: {{ template "loki.fullname" . }}-alerting-rules + {{- end }} + {{- end }} + - name: config + secret: + {{- if .Values.config.existingSecret }} + secretName: {{ .Values.config.existingSecret }} + {{- else }} + secretName: {{ template "loki.fullname" . }} + {{- end }} +{{- if .Values.extraVolumes }} +{{ toYaml .Values.extraVolumes | indent 8}} +{{- end }} + {{- if not .Values.persistence.enabled }} + - name: storage + emptyDir: {} + {{- else if .Values.persistence.existingClaim }} + - name: storage + persistentVolumeClaim: + claimName: {{ .Values.persistence.existingClaim }} + {{- else }} + volumeClaimTemplates: + - metadata: + name: storage + labels: + {{- toYaml .Values.persistence.labels | nindent 8 }} + annotations: + {{- toYaml .Values.persistence.annotations | nindent 8 }} + spec: + accessModes: + {{- toYaml .Values.persistence.accessModes | nindent 8 }} + resources: + requests: + storage: {{ .Values.persistence.size | quote }} + storageClassName: {{ .Values.persistence.storageClassName }} + {{- if .Values.persistence.selector }} + selector: + {{- toYaml .Values.persistence.selector | nindent 8 }} + {{- end }} + {{- end }} diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/logging/charts/loki/values.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/logging/charts/loki/values.yaml new file mode 100644 index 000000000..731c4d906 --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/logging/charts/loki/values.yaml @@ -0,0 +1,346 @@ +image: + registry: docker.io + repository: grafana/loki + tag: 2.6.1 + pullPolicy: IfNotPresent + + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## + # pullSecrets: + # - myRegistryKeySecretName + +ingress: + enabled: false + # For Kubernetes >= 1.18 you should specify the ingress-controller via the field ingressClassName + # See https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/#specifying-the-class-of-an-ingress + # ingressClassName: nginx + annotations: {} + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + hosts: + - host: chart-example.local + paths: [] + tls: [] + # - secretName: chart-example-tls + # hosts: + # - chart-example.local + +## Affinity for pod assignment +## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity +affinity: {} +# podAntiAffinity: +# requiredDuringSchedulingIgnoredDuringExecution: +# - labelSelector: +# matchExpressions: +# - key: app +# operator: In +# values: +# - loki +# topologyKey: "kubernetes.io/hostname" + +## StatefulSet annotations +annotations: {} + +# enable tracing for debug, need install jaeger and specify right jaeger_agent_host +tracing: + jaegerAgentHost: + +config: + # existingSecret: + auth_enabled: false + + memberlist: + join_members: + # the value must be defined as string to be evaluated when secret manifest is being generating + - '{{ include "loki.fullname" . }}-memberlist' + + ingester: + chunk_idle_period: 3m + chunk_block_size: 262144 + chunk_retain_period: 1m + max_transfer_retries: 0 + wal: + dir: /data/loki/wal + lifecycler: + ring: + replication_factor: 1 + + ## Different ring configs can be used. E.g. Consul + # ring: + # store: consul + # replication_factor: 1 + # consul: + # host: "consul:8500" + # prefix: "" + # http_client_timeout: "20s" + # consistent_reads: true + limits_config: + enforce_metric_name: false + reject_old_samples: true + reject_old_samples_max_age: 168h + max_entries_limit_per_query: 5000 + max_query_length: 0h + schema_config: + configs: + - from: 2020-10-24 + store: boltdb-shipper + object_store: filesystem + schema: v11 + index: + prefix: index_ + period: 24h + server: + http_listen_port: 3100 + grpc_listen_port: 9095 + storage_config: + boltdb_shipper: + active_index_directory: /data/loki/boltdb-shipper-active + cache_location: /data/loki/boltdb-shipper-cache + cache_ttl: 24h # Can be increased for faster performance over longer query periods, uses more disk space + shared_store: filesystem + filesystem: + directory: /data/loki/chunks + chunk_store_config: + max_look_back_period: 0s + table_manager: + retention_deletes_enabled: true + retention_period: 168h + compactor: + working_directory: /data/loki/boltdb-shipper-compactor + shared_store: filesystem +# Needed for Alerting: https://grafana.com/docs/loki/latest/rules/ +# This is just a simple example, for more details: https://grafana.com/docs/loki/latest/configuration/#ruler_config +# ruler: +# storage: +# type: local +# local: +# directory: /rules +# rule_path: /tmp/scratch +# alertmanager_url: http://alertmanager.svc.namespace:9093 +# ring: +# kvstore: +# store: inmemory +# enable_api: true + +## Additional Loki container arguments, e.g. log level (debug, info, warn, error) +extraArgs: {} + # log.level: debug + +extraEnvFrom: [] + +livenessProbe: + httpGet: + path: /ready + port: http-metrics + initialDelaySeconds: 45 + +## ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/ +networkPolicy: + enabled: false + +## The app name of loki clients +client: {} + # name: + +## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ +nodeSelector: {} + +## ref: https://kubernetes.io/docs/concepts/storage/persistent-volumes/ +## If you set enabled as "True", you need : +## - create a pv which above 10Gi and has same namespace with loki +## - keep storageClassName same with below setting +persistence: + enabled: false + accessModes: + - ReadWriteOnce + size: 10Gi + labels: {} + annotations: {} + # selector: + # matchLabels: + # app.kubernetes.io/name: loki + # subPath: "" + # existingClaim: + # storageClassName: + +## Pod Labels +podLabels: {} + +## Pod Annotations +podAnnotations: + prometheus.io/scrape: "true" + prometheus.io/port: "http-metrics" + +podManagementPolicy: OrderedReady + +## Assign a PriorityClassName to pods if set +# priorityClassName: + +rbac: + create: true + pspEnabled: false + +readinessProbe: + httpGet: + path: /ready + port: http-metrics + initialDelaySeconds: 45 + +replicas: 1 + +resources: + limits: + cpu: 400m + memory: 512Mi + requests: + cpu: 100m + memory: 128Mi + +securityContext: + fsGroup: 10001 + runAsGroup: 10001 + runAsNonRoot: true + runAsUser: 10001 + +containerSecurityContext: + readOnlyRootFilesystem: true + +service: + type: ClusterIP + nodePort: + port: 3100 + annotations: {} + labels: {} + targetPort: http-metrics + +serviceAccount: + create: true + name: + annotations: {} + automountServiceAccountToken: true + +terminationGracePeriodSeconds: 4800 + +## Tolerations for pod assignment +## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ +tolerations: [] + +## Topology spread constraint for multi-zone clusters +## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ +topologySpreadConstraints: + enabled: false + +# The values to set in the PodDisruptionBudget spec +# If not set then a PodDisruptionBudget will not be created +podDisruptionBudget: {} +# minAvailable: 1 +# maxUnavailable: 1 + +updateStrategy: + type: RollingUpdate + +serviceMonitor: + enabled: false + interval: "" + additionalLabels: {} + annotations: {} + # scrapeTimeout: 10s + # path: /metrics + scheme: null + tlsConfig: {} + prometheusRule: + enabled: false + additionalLabels: {} + # namespace: + rules: [] + # Some examples from https://awesome-prometheus-alerts.grep.to/rules.html#loki + # - alert: LokiProcessTooManyRestarts + # expr: changes(process_start_time_seconds{job=~"loki"}[15m]) > 2 + # for: 0m + # labels: + # severity: warning + # annotations: + # summary: Loki process too many restarts (instance {{ $labels.instance }}) + # description: "A loki process had too many restarts (target {{ $labels.instance }})\n VALUE = {{ $value }}\n LABELS = {{ $labels }}" + # - alert: LokiRequestErrors + # expr: 100 * sum(rate(loki_request_duration_seconds_count{status_code=~"5.."}[1m])) by (namespace, job, route) / sum(rate(loki_request_duration_seconds_count[1m])) by (namespace, job, route) > 10 + # for: 15m + # labels: + # severity: critical + # annotations: + # summary: Loki request errors (instance {{ $labels.instance }}) + # description: "The {{ $labels.job }} and {{ $labels.route }} are experiencing errors\n VALUE = {{ $value }}\n LABELS = {{ $labels }}" + # - alert: LokiRequestPanic + # expr: sum(increase(loki_panic_total[10m])) by (namespace, job) > 0 + # for: 5m + # labels: + # severity: critical + # annotations: + # summary: Loki request panic (instance {{ $labels.instance }}) + # description: "The {{ $labels.job }} is experiencing {{ printf \"%.2f\" $value }}% increase of panics\n VALUE = {{ $value }}\n LABELS = {{ $labels }}" + # - alert: LokiRequestLatency + # expr: (histogram_quantile(0.99, sum(rate(loki_request_duration_seconds_bucket{route!~"(?i).*tail.*"}[5m])) by (le))) > 1 + # for: 5m + # labels: + # severity: critical + # annotations: + # summary: Loki request latency (instance {{ $labels.instance }}) + # description: "The {{ $labels.job }} {{ $labels.route }} is experiencing {{ printf \"%.2f\" $value }}s 99th percentile latency\n VALUE = {{ $value }}\n LABELS = {{ $labels }}" + + +initContainers: [] +## Init containers to be added to the loki pod. +# - name: my-init-container +# image: busybox:latest +# command: ['sh', '-c', 'echo hello'] + +extraContainers: [] +## Additional containers to be added to the loki pod. +# - name: reverse-proxy +# image: angelbarrera92/basic-auth-reverse-proxy:dev +# args: +# - "serve" +# - "--upstream=http://localhost:3100" +# - "--auth-config=/etc/reverse-proxy-conf/authn.yaml" +# ports: +# - name: http +# containerPort: 11811 +# protocol: TCP +# volumeMounts: +# - name: reverse-proxy-auth-config +# mountPath: /etc/reverse-proxy-conf + + +extraVolumes: [] +## Additional volumes to the loki pod. +# - name: reverse-proxy-auth-config +# secret: +# secretName: reverse-proxy-auth-config + +## Extra volume mounts that will be added to the loki container +extraVolumeMounts: [] + +extraPorts: [] +## Additional ports to the loki services. Useful to expose extra container ports. +# - port: 11811 +# protocol: TCP +# name: http +# targetPort: http + +# Extra env variables to pass to the loki container +env: [] + +# Specify Loki Alerting rules based on this documentation: https://grafana.com/docs/loki/latest/rules/ +# When specified, you also need to add a ruler config section above. An example is shown in the rules docs. +alerting_groups: [] +# - name: example +# rules: +# - alert: HighThroughputLogStreams +# expr: sum by(container) (rate({job=~"loki-dev/.*"}[1m])) > 1000 +# for: 2m + +useExistingAlertingGroup: + enabled: false + configmapName: "" diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/logging/charts/promtail/Chart.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/logging/charts/promtail/Chart.yaml new file mode 100644 index 000000000..d69c5a044 --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/logging/charts/promtail/Chart.yaml @@ -0,0 +1,16 @@ +apiVersion: v2 +appVersion: 2.7.2 +description: Promtail is an agent which ships the contents of local logs to a Loki + instance +home: https://grafana.com/loki +icon: https://raw.githubusercontent.com/grafana/loki/master/docs/sources/logo.png +maintainers: +- email: support@trilio.io + name: Trilio +name: promtail +sources: +- https://github.com/grafana/loki +- https://grafana.com/oss/loki/ +- https://grafana.com/docs/loki/latest/ +type: application +version: 6.8.2 diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/logging/charts/promtail/templates/NOTES.txt b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/logging/charts/promtail/templates/NOTES.txt new file mode 100644 index 000000000..01bf66b7f --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/logging/charts/promtail/templates/NOTES.txt @@ -0,0 +1,15 @@ +*********************************************************************** + Welcome to Grafana Promtail + Chart version: {{ .Chart.Version }} + Promtail version: {{ .Values.image.tag | default .Chart.AppVersion }} +*********************************************************************** + +Verify the application is working by running these commands: + +{{- if .Values.daemonset.enabled }} +* kubectl --namespace {{ .Release.Namespace }} port-forward daemonset/{{ include "promtail.fullname" . }} {{ .Values.config.serverPort }} +{{- end }} +{{- if .Values.deployment.enabled }} +* kubectl --namespace {{ .Release.Namespace }} port-forward deployment/{{ include "promtail.fullname" . }} {{ .Values.config.serverPort }} +{{- end }} +* curl http://127.0.0.1:{{ .Values.config.serverPort }}/metrics diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/logging/charts/promtail/templates/_helpers.tpl b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/logging/charts/promtail/templates/_helpers.tpl new file mode 100644 index 000000000..59053c253 --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/logging/charts/promtail/templates/_helpers.tpl @@ -0,0 +1,102 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "promtail.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "promtail.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "promtail.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "promtail.labels" -}} +helm.sh/chart: {{ include "promtail.chart" . }} +{{ include "promtail.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "promtail.selectorLabels" -}} +app.kubernetes.io/name: {{ include "promtail.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{ include "k8s-triliovault-operator.observability" .}} +{{- end }} + +{{/* +Create the name of the namespace +*/}} +{{- define "promtail.namespaceName" -}} +{{- default .Release.Namespace .Values.namespace }} +{{- end }} + +{{/* +Create the name of the service account +*/}} +{{- define "promtail.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "promtail.fullname" .) .Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} + +{{/* +The service name to connect to Loki. Defaults to the same logic as "loki.fullname" +*/}} +{{- define "loki.serviceName" -}} +{{- if .Values.loki.serviceName }} +{{- .Values.loki.serviceName }} +{{- else if .Values.loki.fullnameOverride }} +{{- .Values.loki.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default "loki" .Values.loki.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Configure enableServiceLinks in pod +*/}} +{{- define "promtail.enableServiceLinks" -}} +{{- if semverCompare ">=1.13-0" .Capabilities.KubeVersion.GitVersion }} +{{- if or (.Values.enableServiceLinks) (eq (.Values.enableServiceLinks | toString) "") }} +{{- printf "enableServiceLinks: true" }} +{{- else }} +{{- printf "enableServiceLinks: false" }} +{{- end }} +{{- end }} +{{- end }} + diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/logging/charts/promtail/templates/_pod.tpl b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/logging/charts/promtail/templates/_pod.tpl new file mode 100644 index 000000000..d5a14b411 --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/logging/charts/promtail/templates/_pod.tpl @@ -0,0 +1,118 @@ +{{/* +Pod template used in Daemonset and Deployment +*/}} +{{- define "promtail.podTemplate" -}} +metadata: + labels: + {{- include "promtail.selectorLabels" . | nindent 4 }} + {{- with .Values.podLabels }} + {{- toYaml . | nindent 4 }} + {{- end }} + annotations: + checksum/config: {{ include (print .Template.BasePath "/secret.yaml") . | sha256sum }} + {{- with .Values.podAnnotations }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + serviceAccountName: {{ include "promtail.serviceAccountName" . }} + {{- include "promtail.enableServiceLinks" . | nindent 2 }} + {{- with .Values.priorityClassName }} + priorityClassName: {{ . }} + {{- end }} + {{- with .Values.initContainer }} + initContainers: + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 4 }} + {{- end }} + securityContext: + {{- toYaml .Values.podSecurityContext | nindent 4 }} + containers: + - name: promtail + image: "{{ .Values.image.registry }}/{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + args: + - "-config.file=/etc/promtail/promtail.yaml" + {{- with .Values.extraArgs }} + {{- toYaml . | nindent 8 }} + {{- end }} + volumeMounts: + - name: config + mountPath: /etc/promtail + {{- with .Values.defaultVolumeMounts }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.extraVolumeMounts }} + {{- toYaml . | nindent 8 }} + {{- end }} + env: + - name: HOSTNAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + {{- with .Values.extraEnv }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.extraEnvFrom }} + envFrom: + {{- toYaml . | nindent 8 }} + {{- end }} + ports: + - name: http-metrics + containerPort: {{ .Values.config.serverPort }} + protocol: TCP + {{- range $key, $values := .Values.extraPorts }} + - name: {{ .name | default $key }} + containerPort: {{ $values.containerPort }} + protocol: {{ $values.protocol | default "TCP" }} + {{- end }} + securityContext: + {{- toYaml .Values.containerSecurityContext | nindent 8 }} + {{- with .Values.livenessProbe }} + livenessProbe: + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + {{- with .Values.readinessProbe }} + readinessProbe: + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} + {{- with .Values.resources }} + resources: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- if .Values.extraContainers }} + {{- range $name, $values := .Values.extraContainers }} + - name: {{ $name }} + {{ toYaml $values | nindent 6 }} + {{- end }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 4 }} + {{- end }} + volumes: + - name: config + {{- if .Values.configmap.enabled }} + configMap: + name: {{ include "promtail.fullname" . }} + {{- else }} + secret: + secretName: {{ include "promtail.fullname" . }} + {{- end }} + {{- with .Values.defaultVolumes }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.extraVolumes }} + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/logging/charts/promtail/templates/clusterrole.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/logging/charts/promtail/templates/clusterrole.yaml new file mode 100644 index 000000000..4702e60d0 --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/logging/charts/promtail/templates/clusterrole.yaml @@ -0,0 +1,21 @@ +{{- if .Values.rbac.create }} +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ include "promtail.fullname" . }} + labels: + {{- include "promtail.labels" . | nindent 4 }} +rules: + - apiGroups: + - "" + resources: + - nodes + - nodes/proxy + - services + - endpoints + - pods + verbs: + - get + - watch + - list +{{- end }} diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/logging/charts/promtail/templates/clusterrolebinding.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/logging/charts/promtail/templates/clusterrolebinding.yaml new file mode 100644 index 000000000..e92bf9a6d --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/logging/charts/promtail/templates/clusterrolebinding.yaml @@ -0,0 +1,16 @@ +{{- if .Values.rbac.create }} +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ include "promtail.fullname" . }} + labels: + {{- include "promtail.labels" . | nindent 4 }} +subjects: + - kind: ServiceAccount + name: {{ include "promtail.serviceAccountName" . }} + namespace: {{ include "promtail.namespaceName" . }} +roleRef: + kind: ClusterRole + name: {{ include "promtail.fullname" . }} + apiGroup: rbac.authorization.k8s.io +{{- end }} diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/logging/charts/promtail/templates/configmap.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/logging/charts/promtail/templates/configmap.yaml new file mode 100644 index 000000000..0785b1a60 --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/logging/charts/promtail/templates/configmap.yaml @@ -0,0 +1,12 @@ +{{- if .Values.configmap.enabled }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "promtail.fullname" . }} + namespace: {{ include "promtail.namespaceName" . }} + labels: + {{- include "promtail.labels" . | nindent 4 }} +data: + promtail.yaml: | + {{- tpl .Values.config.file . | nindent 4 }} +{{- end }} diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/logging/charts/promtail/templates/daemonset.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/logging/charts/promtail/templates/daemonset.yaml new file mode 100644 index 000000000..85a8aa031 --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/logging/charts/promtail/templates/daemonset.yaml @@ -0,0 +1,21 @@ +{{- if .Values.daemonset.enabled }} +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: {{ include "promtail.fullname" . }} + namespace: {{ include "promtail.namespaceName" . }} + labels: + {{- include "promtail.labels" . | nindent 4 }} + {{- with .Values.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + selector: + matchLabels: + {{- include "promtail.selectorLabels" . | nindent 6 }} + updateStrategy: + {{- toYaml .Values.updateStrategy | nindent 4 }} + template: + {{- include "promtail.podTemplate" . | nindent 4 }} +{{- end }} diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/logging/charts/promtail/templates/deployment.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/logging/charts/promtail/templates/deployment.yaml new file mode 100644 index 000000000..26e7381a3 --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/logging/charts/promtail/templates/deployment.yaml @@ -0,0 +1,22 @@ +{{- if .Values.deployment.enabled }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "promtail.fullname" . }} + namespace: {{ include "promtail.namespaceName" . }} + labels: + {{- include "promtail.labels" . | nindent 4 }} + {{- with .Values.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + {{- if not .Values.deployment.autoscaling.enabled }} + replicas: {{ .Values.deployment.replicaCount }} + {{- end }} + selector: + matchLabels: + {{- include "promtail.selectorLabels" . | nindent 6 }} + template: + {{- include "promtail.podTemplate" . | nindent 4 }} +{{- end }} diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/logging/charts/promtail/templates/extra-manifests.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/logging/charts/promtail/templates/extra-manifests.yaml new file mode 100644 index 000000000..a9bb3b6ba --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/logging/charts/promtail/templates/extra-manifests.yaml @@ -0,0 +1,4 @@ +{{ range .Values.extraObjects }} +--- +{{ tpl (toYaml .) $ }} +{{ end }} diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/logging/charts/promtail/templates/hpa.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/logging/charts/promtail/templates/hpa.yaml new file mode 100644 index 000000000..8a205fde9 --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/logging/charts/promtail/templates/hpa.yaml @@ -0,0 +1,31 @@ +{{- if and .Values.deployment.enabled .Values.deployment.autoscaling.enabled }} +apiVersion: autoscaling/v2beta1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "promtail.fullname" . }} + namespace: {{ include "promtail.namespaceName" . }} + labels: + {{- include "promtail.labels" . | nindent 4 }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "promtail.fullname" . }} + {{- with .Values.deployment.autoscaling }} + minReplicas: {{ .minReplicas }} + maxReplicas: {{ .maxReplicas }} + metrics: + {{- with .targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + targetAverageUtilization: {{ . }} + {{- end }} + {{- with .targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + targetAverageUtilization: {{ . }} + {{- end }} + {{- end }} +{{- end }} diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/logging/charts/promtail/templates/networkpolicy.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/logging/charts/promtail/templates/networkpolicy.yaml new file mode 100644 index 000000000..9467df5de --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/logging/charts/promtail/templates/networkpolicy.yaml @@ -0,0 +1,123 @@ +{{- if .Values.networkPolicy.enabled }} +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ template "promtail.name" . }}-namespace-only + namespace: {{ include "promtail.namespaceName" . }} + labels: + {{- include "promtail.labels" . | nindent 4 }} +spec: + podSelector: {} + policyTypes: + - Ingress + - Egress + egress: + - to: + - podSelector: {} + ingress: + - from: + - podSelector: {} +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ template "promtail.name" . }}-egress-dns + namespace: {{ include "promtail.namespaceName" . }} + labels: + {{- include "promtail.labels" . | nindent 4 }} +spec: + podSelector: + matchLabels: + {{- include "promtail.selectorLabels" . | nindent 6 }} + policyTypes: + - Egress + egress: + - ports: + - port: 53 + protocol: UDP + to: + - namespaceSelector: {} +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ template "promtail.name" . }}-egress-k8s-api + namespace: {{ include "promtail.namespaceName" . }} + labels: + {{- include "promtail.labels" . | nindent 4 }} +spec: + podSelector: + matchLabels: + {{- include "promtail.selectorLabels" . | nindent 6 }} + policyTypes: + - Egress + egress: + - ports: + - port: {{ .Values.networkPolicy.k8sApi.port }} + protocol: TCP + {{- if len .Values.networkPolicy.k8sApi.cidrs }} + to: + {{- range $cidr := .Values.networkPolicy.k8sApi.cidrs }} + - ipBlock: + cidr: {{ $cidr }} + {{- end }} + {{- end }} + +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ template "promtail.name" . }}-ingress-metrics + namespace: {{ include "promtail.namespaceName" . }} + labels: + {{- include "promtail.labels" . | nindent 4 }} +spec: + podSelector: + matchLabels: + {{- include "promtail.selectorLabels" . | nindent 6 }} + policyTypes: + - Ingress + ingress: + - ports: + - port: http-metrics + protocol: TCP + {{- if len .Values.networkPolicy.metrics.cidrs }} + from: + {{- range $cidr := .Values.networkPolicy.metrics.cidrs }} + - ipBlock: + cidr: {{ $cidr }} + {{- end }} + {{- if .Values.networkPolicy.metrics.namespaceSelector }} + - namespaceSelector: + {{- toYaml .Values.networkPolicy.metrics.namespaceSelector | nindent 12 }} + {{- if .Values.networkPolicy.metrics.podSelector }} + podSelector: + {{- toYaml .Values.networkPolicy.metrics.podSelector | nindent 12 }} + {{- end }} + {{- end }} + {{- end }} + +{{- if .Values.extraPorts }} +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ template "promtail.name" . }}-egress-extra-ports + namespace: {{ include "promtail.namespaceName" . }} + labels: + {{- include "promtail.labels" . | nindent 4 }} +spec: + podSelector: + matchLabels: + {{- include "promtail.selectorLabels" . | nindent 6 }} + policyTypes: + - Egress + egress: + - ports: + {{- range $extraPortConfig := .Values.extraPorts }} + - port: {{ $extraPortConfig.containerPort }} + protocol: {{ $extraPortConfig.protocol }} + {{- end }} +{{- end }} +{{- end }} diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/logging/charts/promtail/templates/podsecuritypolicy.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/logging/charts/promtail/templates/podsecuritypolicy.yaml new file mode 100644 index 000000000..a22938826 --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/logging/charts/promtail/templates/podsecuritypolicy.yaml @@ -0,0 +1,10 @@ +{{- if and (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") .Values.rbac.create .Values.rbac.pspEnabled }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ include "promtail.fullname" . }} + labels: + {{- include "promtail.labels" . | nindent 4 }} +spec: + {{- toYaml .Values.podSecurityPolicy | nindent 2 }} +{{- end }} diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/logging/charts/promtail/templates/prometheus-rules.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/logging/charts/promtail/templates/prometheus-rules.yaml new file mode 100644 index 000000000..6ec3f26a9 --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/logging/charts/promtail/templates/prometheus-rules.yaml @@ -0,0 +1,21 @@ +{{- if and .Values.serviceMonitor.enabled .Values.serviceMonitor.prometheusRule.enabled -}} +apiVersion: monitoring.coreos.com/v1 +kind: PrometheusRule +metadata: + name: {{ include "promtail.fullname" . }} + {{- with .Values.serviceMonitor.prometheusRule.namespace }} + namespace: {{ . | quote }} + {{- end }} + labels: + {{- include "promtail.labels" . | nindent 4 }} + {{- with .Values.serviceMonitor.prometheusRule.additionalLabels }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: +{{- if .Values.serviceMonitor.prometheusRule.rules }} + groups: + - name: {{ template "promtail.fullname" . }} + rules: + {{- toYaml .Values.serviceMonitor.prometheusRule.rules | nindent 4 }} +{{- end }} +{{- end }} diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/logging/charts/promtail/templates/role.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/logging/charts/promtail/templates/role.yaml new file mode 100644 index 000000000..a193b3f5b --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/logging/charts/promtail/templates/role.yaml @@ -0,0 +1,18 @@ +{{- if and (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") .Values.rbac.create .Values.rbac.pspEnabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "promtail.fullname" . }}-psp + namespace: {{ include "promtail.namespaceName" . }} + labels: + {{- include "promtail.labels" . | nindent 4 }} +rules: + - apiGroups: + - policy + resources: + - podsecuritypolicies + verbs: + - use + resourceNames: + - {{ include "promtail.fullname" . }} +{{- end }} diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/logging/charts/promtail/templates/rolebinding.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/logging/charts/promtail/templates/rolebinding.yaml new file mode 100644 index 000000000..0527fdc55 --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/logging/charts/promtail/templates/rolebinding.yaml @@ -0,0 +1,16 @@ +{{- if and (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") .Values.rbac.create .Values.rbac.pspEnabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ include "promtail.fullname" . }}-psp + namespace: {{ include "promtail.namespaceName" . }} + labels: + {{- include "promtail.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ include "promtail.fullname" . }}-psp +subjects: + - kind: ServiceAccount + name: {{ include "promtail.serviceAccountName" . }} +{{- end }} diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/logging/charts/promtail/templates/secret.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/logging/charts/promtail/templates/secret.yaml new file mode 100644 index 000000000..f5d61ace3 --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/logging/charts/promtail/templates/secret.yaml @@ -0,0 +1,19 @@ +{{- if not .Values.configmap.enabled }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "promtail.fullname" . }} + namespace: {{ include "promtail.namespaceName" . }} + labels: + {{- include "promtail.labels" . | nindent 4 }} + {{- with .Values.secret.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.secret.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +stringData: + promtail.yaml: | + {{- tpl .Values.config.file . | nindent 4 }} +{{- end }} diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/logging/charts/promtail/templates/service-extra.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/logging/charts/promtail/templates/service-extra.yaml new file mode 100644 index 000000000..7257e6894 --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/logging/charts/promtail/templates/service-extra.yaml @@ -0,0 +1,52 @@ +{{- range $key, $values := .Values.extraPorts }} +--- +apiVersion: v1 +kind: Service +metadata: + name: {{ include "promtail.fullname" $ }}-{{ $key | lower }} + namespace: {{ include "promtail.namespaceName" $ }} + labels: + {{- include "promtail.labels" $ | nindent 4 }} + {{- with .labels }} + {{- toYaml $ | nindent 4 }} + {{- end }} + {{- with .annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + {{- with $values.service }} + type: {{ .type | default "ClusterIP" }} + {{- with .clusterIP }} + clusterIP: {{ . }} + {{- end }} + {{- with .loadBalancerIP }} + loadBalancerIP: {{ . }} + {{- end }} + {{- with .loadBalancerSourceRanges }} + loadBalancerSourceRanges: + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .externalIPs }} + externalIPs: + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .externalTrafficPolicy }} + externalTrafficPolicy: {{ . }} + {{- end }} + {{- end }} + ports: + - name: {{ .name | default $key }} + targetPort: {{ .name | default $key }} + protocol: {{ $values.protocol | default "TCP" }} + {{- if $values.service }} + port: {{ $values.service.port | default $values.containerPort }} + {{- if $values.service.nodePort }} + nodePort: {{ $values.service.nodePort }} + {{- end }} + {{- else }} + port: {{ $values.containerPort }} + {{- end }} + selector: + {{- include "promtail.selectorLabels" $ | nindent 4 }} +{{- end }} diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/logging/charts/promtail/templates/service-metrics.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/logging/charts/promtail/templates/service-metrics.yaml new file mode 100644 index 000000000..4948ceecf --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/logging/charts/promtail/templates/service-metrics.yaml @@ -0,0 +1,18 @@ +{{- if .Values.serviceMonitor.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "promtail.fullname" . }}-metrics + namespace: {{ include "promtail.namespaceName" . }} + labels: + {{- include "promtail.labels" . | nindent 4 }} +spec: + clusterIP: None + ports: + - name: http-metrics + port: {{ .Values.config.serverPort }} + targetPort: http-metrics + protocol: TCP + selector: + {{- include "promtail.selectorLabels" . | nindent 4 }} +{{- end }} diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/logging/charts/promtail/templates/serviceaccount.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/logging/charts/promtail/templates/serviceaccount.yaml new file mode 100644 index 000000000..658c2012f --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/logging/charts/promtail/templates/serviceaccount.yaml @@ -0,0 +1,17 @@ +{{- if .Values.serviceAccount.create }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "promtail.serviceAccountName" . }} + namespace: {{ include "promtail.namespaceName" . }} + labels: + {{- include "promtail.labels" . | nindent 4 }} + {{- with .Values.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- with .Values.serviceAccount.imagePullSecrets }} +imagePullSecrets: + {{- toYaml . | nindent 2 }} +{{- end }} +{{- end }} diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/logging/charts/promtail/templates/servicemonitor.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/logging/charts/promtail/templates/servicemonitor.yaml new file mode 100644 index 000000000..f43964931 --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/logging/charts/promtail/templates/servicemonitor.yaml @@ -0,0 +1,58 @@ +{{- with .Values.serviceMonitor }} +{{- if .enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ include "promtail.fullname" $ }} + {{- with .namespace }} + namespace: {{ . }} + {{- end }} + {{- with .annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} + labels: + {{- include "promtail.labels" $ | nindent 4 }} + {{- with .labels }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + {{- with .namespaceSelector }} + namespaceSelector: + {{- toYaml . | nindent 4 }} + {{- end }} + selector: + matchLabels: + {{- include "promtail.selectorLabels" $ | nindent 6 }} + endpoints: + - port: http-metrics + {{- with $.Values.httpPathPrefix }} + path: {{ printf "%s/metrics" . }} + {{- end }} + {{- with .interval }} + interval: {{ . }} + {{- end }} + {{- with .scrapeTimeout }} + scrapeTimeout: {{ . }} + {{- end }} + {{- with .relabelings }} + relabelings: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .metricRelabelings }} + metricRelabelings: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .scheme }} + scheme: {{ . }} + {{- end }} + {{- with .tlsConfig }} + tlsConfig: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .targetLabels }} + targetLabels: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} +{{- end }} diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/logging/charts/promtail/values.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/logging/charts/promtail/values.yaml new file mode 100644 index 000000000..58d7752ea --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/logging/charts/promtail/values.yaml @@ -0,0 +1,534 @@ +# -- Overrides the chart's name +nameOverride: null + +# -- Overrides the chart's computed fullname +fullnameOverride: null + +daemonset: + # -- Deploys Promtail as a DaemonSet + enabled: true + +deployment: + # -- Deploys Promtail as a Deployment + enabled: false + replicaCount: 1 + autoscaling: + # -- Creates a HorizontalPodAutoscaler for the deployment + enabled: false + minReplicas: 1 + maxReplicas: 10 + targetCPUUtilizationPercentage: 80 + targetMemoryUtilizationPercentage: + +secret: + # -- Labels for the Secret + labels: {} + # -- Annotations for the Secret + annotations: {} + +configmap: + # -- If enabled, promtail config will be created as a ConfigMap instead of a secret + enabled: false + +initContainer: [] + # # -- Specifies whether the init container for setting inotify max user instances is to be enabled + # - name: init + # # -- Docker registry, image and tag for the init container image + # image: docker.io/busybox:1.33 + # # -- Docker image pull policy for the init container image + # imagePullPolicy: IfNotPresent + # # -- The inotify max user instances to configure + # command: + # - sh + # - -c + # - sysctl -w fs.inotify.max_user_instances=128 + # securityContext: + # privileged: true + +image: + # -- The Docker registry + registry: docker.io + # -- Docker image repository + repository: grafana/promtail + # -- Overrides the image tag whose default is the chart's appVersion + tag: null + # -- Docker image pull policy + pullPolicy: IfNotPresent + +# -- Image pull secrets for Docker images +imagePullSecrets: [] + +# -- Annotations for the DaemonSet +annotations: + ignore-check.kube-linter.io/run-as-non-root: "This deployment needs to run as root user to modify log files" + ignore-check.kube-linter.io/writable-host-mount: "This deployment needs writable volume mount on host to capture logs" + +# -- The update strategy for the DaemonSet +updateStrategy: + type: RollingUpdate + +# -- Pod labels +podLabels: {} + +# -- Pod annotations +podAnnotations: {} +# prometheus.io/scrape: "true" +# prometheus.io/port: "http-metrics" + +# -- The name of the PriorityClass +priorityClassName: null + +# -- Liveness probe +livenessProbe: {} + +# -- Readiness probe +# @default -- See `values.yaml` +readinessProbe: + failureThreshold: 5 + httpGet: + path: "{{ printf `%s/ready` .Values.httpPathPrefix }}" + port: http-metrics + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + +# -- Resource requests and limits +resources: + limits: + cpu: 200m + memory: 128Mi + requests: + cpu: 100m + memory: 128Mi + +# -- The security context for pods +podSecurityContext: + runAsUser: 0 + runAsGroup: 0 + +# -- The security context for containers +containerSecurityContext: + readOnlyRootFilesystem: true + capabilities: + drop: + - ALL + allowPrivilegeEscalation: false + +rbac: + # -- Specifies whether RBAC resources are to be created + create: true + # -- Specifies whether a PodSecurityPolicy is to be created + pspEnabled: false + +# -- The name of the Namespace to deploy +# If not set, `.Release.Namespace` is used +namespace: null + +serviceAccount: + # -- Specifies whether a ServiceAccount should be created + create: true + # -- The name of the ServiceAccount to use. + # If not set and `create` is true, a name is generated using the fullname template + name: null + # -- Image pull secrets for the service account + imagePullSecrets: [] + # -- Annotations for the service account + annotations: {} + +# -- Node selector for pods +nodeSelector: {} + +# -- Affinity configuration for pods +affinity: {} + +# -- Tolerations for pods. By default, pods will be scheduled on master/control-plane nodes. +tolerations: + - key: node-role.kubernetes.io/master + operator: Exists + effect: NoSchedule + - key: node-role.kubernetes.io/control-plane + operator: Exists + effect: NoSchedule + +# -- Default volumes that are mounted into pods. In most cases, these should not be changed. +# Use `extraVolumes`/`extraVolumeMounts` for additional custom volumes. +# @default -- See `values.yaml` +defaultVolumes: + - name: run + hostPath: + path: /run/promtail + - name: containers + hostPath: + path: /var/lib/docker/containers + - name: pods + hostPath: + path: /var/log/pods + +# -- Default volume mounts. Corresponds to `volumes`. +# @default -- See `values.yaml` +defaultVolumeMounts: + - name: run + mountPath: /run/promtail + - name: containers + mountPath: /var/lib/docker/containers + readOnly: true + - name: pods + mountPath: /var/log/pods + readOnly: true + +# Extra volumes to be added in addition to those specified under `defaultVolumes`. +extraVolumes: [] + +# Extra volume mounts together. Corresponds to `extraVolumes`. +extraVolumeMounts: [] + +# Extra args for the Promtail container. +extraArgs: [] +# -- Example: +# -- extraArgs: +# -- - -client.external-labels=hostname=$(HOSTNAME) + +# -- Extra environment variables +extraEnv: [] + +# -- Extra environment variables from secrets or configmaps +extraEnvFrom: [] + +# -- Configure enableServiceLinks in pod +enableServiceLinks: true + +# ServiceMonitor configuration +serviceMonitor: + # -- If enabled, ServiceMonitor resources for Prometheus Operator are created + enabled: false + # -- Alternative namespace for ServiceMonitor resources + namespace: null + # -- Namespace selector for ServiceMonitor resources + namespaceSelector: {} + # -- ServiceMonitor annotations + annotations: {} + # -- Additional ServiceMonitor labels + labels: {} + # -- ServiceMonitor scrape interval + interval: null + # -- ServiceMonitor scrape timeout in Go duration format (e.g. 15s) + scrapeTimeout: null + # -- ServiceMonitor relabel configs to apply to samples before scraping + # https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/api.md#relabelconfig + # (defines `relabel_configs`) + relabelings: [] + # -- ServiceMonitor relabel configs to apply to samples as the last + # step before ingestion + # https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/api.md#relabelconfig + # (defines `metric_relabel_configs`) + metricRelabelings: [] + # --ServiceMonitor will add labels from the service to the Prometheus metric + # https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#servicemonitorspec + targetLabels: [] + # -- ServiceMonitor will use http by default, but you can pick https as well + scheme: http + # -- ServiceMonitor will use these tlsConfig settings to make the health check requests + tlsConfig: null + # -- Prometheus rules will be deployed for alerting purposes + prometheusRule: + enabled: false + additionalLabels: {} + # namespace: + rules: [] + # - alert: PromtailRequestErrors + # expr: 100 * sum(rate(promtail_request_duration_seconds_count{status_code=~"5..|failed"}[1m])) by (namespace, job, route, instance) / sum(rate(promtail_request_duration_seconds_count[1m])) by (namespace, job, route, instance) > 10 + # for: 5m + # labels: + # severity: critical + # annotations: + # description: | + # The {{ $labels.job }} {{ $labels.route }} is experiencing + # {{ printf \"%.2f\" $value }} errors. + # VALUE = {{ $value }} + # LABELS = {{ $labels }} + # summary: Promtail request errors (instance {{ $labels.instance }}) + # - alert: PromtailRequestLatency + # expr: histogram_quantile(0.99, sum(rate(promtail_request_duration_seconds_bucket[5m])) by (le)) > 1 + # for: 5m + # labels: + # severity: critical + # annotations: + # summary: Promtail request latency (instance {{ $labels.instance }}) + # description: | + # The {{ $labels.job }} {{ $labels.route }} is experiencing + # {{ printf \"%.2f\" $value }}s 99th percentile latency. + # VALUE = {{ $value }} + # LABELS = {{ $labels }} + +# Extra containers created as part of a Promtail Deployment resource +# - spec for Container: +# https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#container-v1-core +# +# Note that the key is used as the `name` field, i.e. below will create a +# container named `promtail-proxy`. +extraContainers: {} + # promtail-proxy: + # image: nginx + # ... + +# -- Configure additional ports and services. For each configured port, a corresponding service is created. +# See values.yaml for details +extraPorts: {} +# syslog: +# name: tcp-syslog +# containerPort: 1514 +# protocol: TCP +# service: +# type: ClusterIP +# clusterIP: null +# port: 1514 +# externalIPs: [] +# nodePort: null +# annotations: {} +# labels: {} +# loadBalancerIP: null +# loadBalancerSourceRanges: [] +# externalTrafficPolicy: null + +# -- PodSecurityPolicy configuration. +# @default -- See `values.yaml` +podSecurityPolicy: + privileged: true + allowPrivilegeEscalation: true + volumes: + - 'secret' + - 'hostPath' + - 'downwardAPI' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'RunAsAny' + fsGroup: + rule: 'RunAsAny' + readOnlyRootFilesystem: true + requiredDropCapabilities: + - ALL + +# -- Section for crafting Promtails config file. The only directly relevant value is `config.file` +# which is a templated string that references the other values and snippets below this key. +# @default -- See `values.yaml` +config: + # -- The log level of the Promtail server + # Must be reference in `config.file` to configure `server.log_level` + # See default config in `values.yaml` + logLevel: info + # -- The port of the Promtail server + # Must be reference in `config.file` to configure `server.http_listen_port` + # See default config in `values.yaml` + serverPort: 3101 + # -- The config of clients of the Promtail server + # Must be reference in `config.file` to configure `clients` + # @default -- See `values.yaml` + clients: + - url: http://{{ .Release.Name }}-loki:3100/loki/api/v1/push + # -- A section of reusable snippets that can be reference in `config.file`. + # Custom snippets may be added in order to reduce redundancy. + # This is especially helpful when multiple `kubernetes_sd_configs` are use which usually have large parts in common. + # @default -- See `values.yaml` + snippets: + pipelineStages: + - cri: {} + - match: + selector: '{app="k8s-triliovault"}' + stages: + - json: + expressions: + level: level + service_type: service_type + pvc_name: pvc_name + transaction_type: transaction_type + transaction_resource_name: transaction_resource_name + transaction_resource_namespace: transaction_resource_namespace + child_transaction_type: child_transaction_type + child_transaction_resource_name: child_transaction_resource_name + child_transaction_resource_namespace: child_transaction_resource_namespace + tvk_instance_id: tvk_instance_id + - labels: + level: + service_type: + pvc_name: + transaction_type: + transaction_resource_name: + transaction_resource_namespace: + child_transaction_type: + child_transaction_resource_name: + child_transaction_resource_namespace: + tvk_instance_id: + common: + - action: replace + source_labels: + - __meta_kubernetes_pod_node_name + target_label: node_name + - action: replace + source_labels: + - __meta_kubernetes_namespace + target_label: namespace + - action: replace + replacement: $1 + separator: / + source_labels: + - namespace + - app + target_label: job + - action: replace + source_labels: + - __meta_kubernetes_pod_name + target_label: pod + - action: replace + source_labels: + - __meta_kubernetes_pod_container_name + target_label: container + - action: replace + replacement: /var/log/pods/*$1/*.log + separator: / + source_labels: + - __meta_kubernetes_pod_uid + - __meta_kubernetes_pod_container_name + target_label: __path__ + - action: replace + replacement: /var/log/pods/*$1/*.log + regex: true/(.*) + separator: / + source_labels: + - __meta_kubernetes_pod_annotationpresent_kubernetes_io_config_hash + - __meta_kubernetes_pod_annotation_kubernetes_io_config_hash + - __meta_kubernetes_pod_container_name + target_label: __path__ + + # If set to true, adds an additional label for the scrape job. + # This helps debug the Promtail config. + addScrapeJobLabel: false + + # -- You can put here any keys that will be directly added to the config file's 'limits_config' block. + # @default -- empty + extraLimitsConfig: "" + + # -- You can put here any keys that will be directly added to the config file's 'server' block. + # @default -- empty + extraServerConfigs: "" + + # -- You can put here any additional scrape configs you want to add to the config file. + # @default -- empty + extraScrapeConfigs: "" + + # -- You can put here any additional relabel_configs to "kubernetes-pods" job + extraRelabelConfigs: [] + + scrapeConfigs: | + # See also https://github.com/grafana/loki/blob/master/production/ksonnet/promtail/scrape_config.libsonnet for reference + - job_name: kubernetes-pods + pipeline_stages: + {{- toYaml .Values.config.snippets.pipelineStages | nindent 4 }} + kubernetes_sd_configs: + - role: pod + relabel_configs: + - source_labels: + - __meta_kubernetes_pod_controller_name + regex: ([0-9a-z-.]+?)(-[0-9a-f]{8,10})? + action: replace + target_label: __tmp_controller_name + - source_labels: + - __meta_kubernetes_pod_label_app_kubernetes_io_name + - __meta_kubernetes_pod_label_app + - __tmp_controller_name + - __meta_kubernetes_pod_name + regex: ^;*([^;]+)(;.*)?$ + action: replace + target_label: app + - source_labels: + - __meta_kubernetes_pod_label_app_kubernetes_io_instance + - __meta_kubernetes_pod_label_release + regex: ^;*([^;]+)(;.*)?$ + action: replace + target_label: instance + - source_labels: + - __meta_kubernetes_pod_label_app_kubernetes_io_component + - __meta_kubernetes_pod_label_component + regex: ^;*([^;]+)(;.*)?$ + action: replace + target_label: component + - action: keep + source_labels: + - app + - instance + - component + regex: '(k8s-trilio).*' + {{- if .Values.config.snippets.addScrapeJobLabel }} + - replacement: kubernetes-pods + target_label: scrape_job + {{- end }} + {{- toYaml .Values.config.snippets.common | nindent 4 }} + {{- with .Values.config.snippets.extraRelabelConfigs }} + {{- toYaml . | nindent 4 }} + {{- end }} + + # -- Config file contents for Promtail. + # Must be configured as string. + # It is templated so it can be assembled from reusable snippets in order to avoid redundancy. + # @default -- See `values.yaml` + file: | + server: + log_level: {{ .Values.config.logLevel }} + http_listen_port: {{ .Values.config.serverPort }} + {{- with .Values.httpPathPrefix }} + http_path_prefix: {{ . }} + {{- end }} + {{- tpl .Values.config.snippets.extraServerConfigs . | nindent 2 }} + + clients: + {{- tpl (toYaml .Values.config.clients) . | nindent 2 }} + + positions: + filename: /run/promtail/positions.yaml + + scrape_configs: + {{- tpl .Values.config.snippets.scrapeConfigs . | nindent 2 }} + {{- tpl .Values.config.snippets.extraScrapeConfigs . | nindent 2 }} + + limits_config: + {{- tpl .Values.config.snippets.extraLimitsConfig . | nindent 2 }} + +networkPolicy: + # -- Specifies whether Network Policies should be created + enabled: false + metrics: + # -- Specifies the Pods which are allowed to access the metrics port. + # As this is cross-namespace communication, you also neeed the namespaceSelector. + podSelector: {} + # -- Specifies the namespaces which are allowed to access the metrics port + namespaceSelector: {} + # -- Specifies specific network CIDRs which are allowed to access the metrics port. + # In case you use namespaceSelector, you also have to specify your kubelet networks here. + # The metrics ports are also used for probes. + cidrs: [] + k8sApi: + # -- Specify the k8s API endpoint port + port: 8443 + # -- Specifies specific network CIDRs you want to limit access to + cidrs: [] + +# -- Base path to server all API routes fro +httpPathPrefix: "" + +# -- Extra K8s manifests to deploy +extraObjects: [] + # - apiVersion: "kubernetes-client.io/v1" + # kind: ExternalSecret + # metadata: + # name: promtail-secrets + # spec: + # backendType: gcpSecretsManager + # data: + # - key: promtail-oauth2-creds + # name: client_secret diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/logging/templates/_helpers.tpl b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/logging/templates/_helpers.tpl new file mode 100644 index 000000000..9fb468f83 --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/logging/templates/_helpers.tpl @@ -0,0 +1,50 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "logging.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "logging.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "logging.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +The service name to connect to Loki. Defaults to the same logic as "loki.fullname" +*/}} +{{- define "loki.serviceName" -}} +{{- if .Values.loki.serviceName -}} +{{- .Values.loki.serviceName -}} +{{- else if .Values.loki.fullnameOverride -}} +{{- .Values.loki.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default "loki" .Values.loki.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/logging/templates/datasources.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/logging/templates/datasources.yaml new file mode 100644 index 000000000..f5ca78f23 --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/logging/templates/datasources.yaml @@ -0,0 +1,24 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "logging.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "logging.name" . }} + chart: {{ template "logging.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + app.kubernetes.io/instance: {{ template "logging.name" . }} + {{- include "k8s-triliovault-operator.observability" . | nindent 4 }} + grafana_datasource: "1" +data: + logging-datasource.yaml: |- + apiVersion: 1 + datasources: +{{- if .Values.loki.enabled }} + - name: Loki + type: loki + access: proxy + url: http://{{(include "loki.serviceName" .)}}:{{ .Values.loki.service.port }} + version: 1 +{{- end }} diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/Chart.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/Chart.yaml new file mode 100644 index 000000000..13ffa6d15 --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/Chart.yaml @@ -0,0 +1,16 @@ +apiVersion: v2 +appVersion: 0.1.0 +dependencies: +- condition: prometheus.enabled + name: prometheus + repository: https://prometheus-community.github.io/helm-charts + version: ^15.8.7 +description: Monitoring Stack designed to manage the K8s-TrilioVault Application's + Monitoring. +icon: https://www.trilio.io/wp-content/uploads/2021/01/Trilio-2020-logo-RGB-gray-green.png +kubeVersion: '>=1.19.0-0' +maintainers: +- email: support@trilio.io + name: Trilio +name: monitoring +version: 0.1.0 diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/Chart.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/Chart.yaml new file mode 100644 index 000000000..609fb7386 --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/Chart.yaml @@ -0,0 +1,22 @@ +apiVersion: v2 +appVersion: 2.34.0 +dependencies: +- condition: kubeStateMetrics.enabled + name: kube-state-metrics + repository: https://prometheus-community.github.io/helm-charts + version: 4.7.* +description: Prometheus is a monitoring system and time series database. +home: https://prometheus.io/ +icon: https://raw.githubusercontent.com/prometheus/prometheus.github.io/master/assets/prometheus_logo-cb55bb5c346.png +maintainers: +- email: support@trilio.io + name: Trilio +name: prometheus +sources: +- https://github.com/prometheus/alertmanager +- https://github.com/prometheus/prometheus +- https://github.com/prometheus/pushgateway +- https://github.com/prometheus/node_exporter +- https://github.com/kubernetes/kube-state-metrics +type: application +version: 15.8.7 diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/charts/kube-state-metrics/Chart.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/charts/kube-state-metrics/Chart.yaml new file mode 100644 index 000000000..83d0685a1 --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/charts/kube-state-metrics/Chart.yaml @@ -0,0 +1,17 @@ +apiVersion: v2 +appVersion: 2.4.1 +description: Install kube-state-metrics to generate and expose cluster-level metrics +home: https://github.com/kubernetes/kube-state-metrics/ +keywords: +- metric +- monitoring +- prometheus +- kubernetes +maintainers: +- email: support@trilio.io + name: Trilio +name: kube-state-metrics +sources: +- https://github.com/kubernetes/kube-state-metrics/ +type: application +version: 4.7.0 diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/charts/kube-state-metrics/templates/NOTES.txt b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/charts/kube-state-metrics/templates/NOTES.txt new file mode 100644 index 000000000..5a646e0cc --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/charts/kube-state-metrics/templates/NOTES.txt @@ -0,0 +1,10 @@ +kube-state-metrics is a simple service that listens to the Kubernetes API server and generates metrics about the state of the objects. +The exposed metrics can be found here: +https://github.com/kubernetes/kube-state-metrics/blob/master/docs/README.md#exposed-metrics + +The metrics are exported on the HTTP endpoint /metrics on the listening port. +In your case, {{ template "kube-state-metrics.fullname" . }}.{{ template "kube-state-metrics.namespace" . }}.svc.cluster.local:{{ .Values.service.port }}/metrics + +They are served either as plaintext or protobuf depending on the Accept header. +They are designed to be consumed either by Prometheus itself or by a scraper that is compatible with scraping a Prometheus client endpoint. + diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/charts/kube-state-metrics/templates/_helpers.tpl b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/charts/kube-state-metrics/templates/_helpers.tpl new file mode 100644 index 000000000..976b27337 --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/charts/kube-state-metrics/templates/_helpers.tpl @@ -0,0 +1,82 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "kube-state-metrics.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "kube-state-metrics.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create the name of the service account to use +*/}} +{{- define "kube-state-metrics.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} + {{ default (include "kube-state-metrics.fullname" .) .Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Allow the release namespace to be overridden for multi-namespace deployments in combined charts +*/}} +{{- define "kube-state-metrics.namespace" -}} + {{- if .Values.namespaceOverride -}} + {{- .Values.namespaceOverride -}} + {{- else -}} + {{- .Release.Namespace -}} + {{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "kube-state-metrics.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Generate basic labels +*/}} +{{- define "kube-state-metrics.labels" }} +helm.sh/chart: {{ template "kube-state-metrics.chart" . }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +app.kubernetes.io/component: metrics +app.kubernetes.io/part-of: {{ template "kube-state-metrics.name" . }} +{{- include "kube-state-metrics.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +{{- if .Values.customLabels }} +{{ toYaml .Values.customLabels }} +{{- end }} +{{- if .Values.releaseLabel }} +release: {{ .Release.Name }} +{{- end }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "kube-state-metrics.selectorLabels" }} +app.kubernetes.io/name: {{ include "kube-state-metrics.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/charts/kube-state-metrics/templates/clusterrolebinding.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/charts/kube-state-metrics/templates/clusterrolebinding.yaml new file mode 100644 index 000000000..cf9f628d0 --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/charts/kube-state-metrics/templates/clusterrolebinding.yaml @@ -0,0 +1,20 @@ +{{- if and .Values.rbac.create .Values.rbac.useClusterRole -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + {{- include "kube-state-metrics.labels" . | indent 4 }} + name: {{ template "kube-state-metrics.fullname" . }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole +{{- if .Values.rbac.useExistingRole }} + name: {{ .Values.rbac.useExistingRole }} +{{- else }} + name: {{ template "kube-state-metrics.fullname" . }} +{{- end }} +subjects: +- kind: ServiceAccount + name: {{ template "kube-state-metrics.serviceAccountName" . }} + namespace: {{ template "kube-state-metrics.namespace" . }} +{{- end -}} diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/charts/kube-state-metrics/templates/deployment.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/charts/kube-state-metrics/templates/deployment.yaml new file mode 100644 index 000000000..ac5387f10 --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/charts/kube-state-metrics/templates/deployment.yaml @@ -0,0 +1,156 @@ +apiVersion: apps/v1 +{{- if .Values.autosharding.enabled }} +kind: StatefulSet +{{- else }} +kind: Deployment +{{- end }} +metadata: + name: {{ template "kube-state-metrics.fullname" . }} + namespace: {{ template "kube-state-metrics.namespace" . }} + labels: + {{- include "kube-state-metrics.labels" . | indent 4 }} +spec: + selector: + matchLabels: + {{- include "kube-state-metrics.selectorLabels" . | indent 6 }} + replicas: {{ .Values.replicas }} + {{- if .Values.autosharding.enabled }} + serviceName: {{ template "kube-state-metrics.fullname" . }} + updateStrategy: + type: RollingUpdate + volumeClaimTemplates: [] + {{- else }} + strategy: + type: RollingUpdate + {{- end }} + template: + metadata: + labels: + {{- include "kube-state-metrics.labels" . | indent 8 }} + {{- if .Values.podAnnotations }} + annotations: +{{ toYaml .Values.podAnnotations | indent 8 }} + {{- end }} + spec: + hostNetwork: {{ .Values.hostNetwork }} + serviceAccountName: {{ template "kube-state-metrics.serviceAccountName" . }} + {{- if .Values.securityContext.enabled }} + securityContext: + fsGroup: {{ .Values.securityContext.fsGroup }} + runAsGroup: {{ .Values.securityContext.runAsGroup }} + runAsUser: {{ .Values.securityContext.runAsUser }} + {{- end }} + {{- if .Values.priorityClassName }} + priorityClassName: {{ .Values.priorityClassName }} + {{- end }} + containers: + - name: {{ .Chart.Name }} + {{- if .Values.autosharding.enabled }} + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + {{- end }} + args: + {{- if .Values.extraArgs }} + {{- range .Values.extraArgs }} + - {{ . }} + {{- end }} + {{- end }} + {{- if .Values.service.port }} + - --port={{ .Values.service.port | default 8080}} + {{- end }} + {{- if .Values.collectors }} + - --resources={{ .Values.collectors | join "," }} + {{- end }} + {{- if .Values.metricLabelsAllowlist }} + - --metric-labels-allowlist={{ .Values.metricLabelsAllowlist | join "," }} + {{- end }} + {{- if .Values.metricAnnotationsAllowList }} + - --metric-annotations-allowlist={{ .Values.metricAnnotationsAllowList | join "," }} + {{- end }} + {{- if .Values.metricAllowlist }} + - --metric-allowlist={{ .Values.metricAllowlist | join "," }} + {{- end }} + {{- if .Values.metricDenylist }} + - --metric-denylist={{ .Values.metricDenylist | join "," }} + {{- end }} + {{- if .Values.namespaces }} + - --namespaces={{ tpl (.Values.namespaces | join ",") $ }} + {{- end }} + {{- if .Values.namespacesDenylist }} + - --namespaces-denylist={{ tpl (.Values.namespacesDenylist | join ",") $ }} + {{- end }} + {{- if .Values.autosharding.enabled }} + - --pod=$(POD_NAME) + - --pod-namespace=$(POD_NAMESPACE) + {{- end }} + {{- if .Values.kubeconfig.enabled }} + - --kubeconfig=/opt/k8s/.kube/config + {{- end }} + {{- if .Values.selfMonitor.telemetryHost }} + - --telemetry-host={{ .Values.selfMonitor.telemetryHost }} + {{- end }} + - --telemetry-port={{ .Values.selfMonitor.telemetryPort | default 8081 }} + {{- if .Values.kubeconfig.enabled }} + volumeMounts: + - name: kubeconfig + mountPath: /opt/k8s/.kube/ + readOnly: true + {{- end }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + image: "{{ .Values.image.registry }}/{{ .Values.image.repository }}:{{ .Values.image.tag }}" + ports: + - containerPort: {{ .Values.service.port | default 8080}} + name: "http" + {{- if .Values.selfMonitor.enabled }} + - containerPort: {{ .Values.selfMonitor.telemetryPort | default 8081 }} + name: "metrics" + {{- end }} + livenessProbe: + httpGet: + path: /healthz + port: {{ .Values.service.port | default 8080}} + initialDelaySeconds: 5 + timeoutSeconds: 5 + readinessProbe: + httpGet: + path: / + port: {{ .Values.service.port | default 8080}} + initialDelaySeconds: 5 + timeoutSeconds: 5 + {{- if .Values.resources }} + resources: +{{ toYaml .Values.resources | indent 10 }} +{{- end }} +{{- if .Values.containerSecurityContext }} + securityContext: +{{ toYaml .Values.containerSecurityContext | indent 10 }} +{{- end }} +{{- if .Values.imagePullSecrets }} + imagePullSecrets: +{{ toYaml .Values.imagePullSecrets | indent 8 }} + {{- end }} + {{- if .Values.affinity }} + affinity: +{{ toYaml .Values.affinity | indent 8 }} + {{- end }} + {{- if .Values.nodeSelector }} + nodeSelector: +{{ toYaml .Values.nodeSelector | indent 8 }} + {{- end }} + {{- if .Values.tolerations }} + tolerations: +{{ toYaml .Values.tolerations | indent 8 }} + {{- end }} + {{- if .Values.kubeconfig.enabled}} + volumes: + - name: kubeconfig + secret: + secretName: {{ template "kube-state-metrics.fullname" . }}-kubeconfig + {{- end }} diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/charts/kube-state-metrics/templates/kubeconfig-secret.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/charts/kube-state-metrics/templates/kubeconfig-secret.yaml new file mode 100644 index 000000000..6af008450 --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/charts/kube-state-metrics/templates/kubeconfig-secret.yaml @@ -0,0 +1,12 @@ +{{- if .Values.kubeconfig.enabled -}} +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "kube-state-metrics.fullname" . }}-kubeconfig + namespace: {{ template "kube-state-metrics.namespace" . }} + labels: + {{- include "kube-state-metrics.labels" . | indent 4 }} +type: Opaque +data: + config: '{{ .Values.kubeconfig.secret }}' +{{- end -}} diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/charts/kube-state-metrics/templates/pdb.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/charts/kube-state-metrics/templates/pdb.yaml new file mode 100644 index 000000000..cbcf3a37e --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/charts/kube-state-metrics/templates/pdb.yaml @@ -0,0 +1,14 @@ +{{- if .Values.podDisruptionBudget -}} +apiVersion: policy/v1beta1 +kind: PodDisruptionBudget +metadata: + name: {{ template "kube-state-metrics.fullname" . }} + namespace: {{ template "kube-state-metrics.namespace" . }} + labels: + {{- include "kube-state-metrics.labels" . | indent 4 }} +spec: + selector: + matchLabels: + app.kubernetes.io/name: {{ template "kube-state-metrics.name" . }} +{{ toYaml .Values.podDisruptionBudget | indent 2 }} +{{- end -}} diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/charts/kube-state-metrics/templates/podsecuritypolicy.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/charts/kube-state-metrics/templates/podsecuritypolicy.yaml new file mode 100644 index 000000000..3299056ab --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/charts/kube-state-metrics/templates/podsecuritypolicy.yaml @@ -0,0 +1,39 @@ +{{- if .Values.podSecurityPolicy.enabled }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "kube-state-metrics.fullname" . }} + labels: + {{- include "kube-state-metrics.labels" . | indent 4 }} +{{- if .Values.podSecurityPolicy.annotations }} + annotations: +{{ toYaml .Values.podSecurityPolicy.annotations | indent 4 }} +{{- end }} +spec: + privileged: false + volumes: + - 'secret' +{{- if .Values.podSecurityPolicy.additionalVolumes }} +{{ toYaml .Values.podSecurityPolicy.additionalVolumes | indent 4 }} +{{- end }} + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'MustRunAsNonRoot' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'MustRunAs' + ranges: + # Forbid adding the root group. + - min: 1 + max: 65535 + fsGroup: + rule: 'MustRunAs' + ranges: + # Forbid adding the root group. + - min: 1 + max: 65535 + readOnlyRootFilesystem: false +{{- end }} diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/charts/kube-state-metrics/templates/psp-clusterrole.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/charts/kube-state-metrics/templates/psp-clusterrole.yaml new file mode 100644 index 000000000..69047d4ff --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/charts/kube-state-metrics/templates/psp-clusterrole.yaml @@ -0,0 +1,19 @@ +{{- if and .Values.podSecurityPolicy.enabled .Values.rbac.create -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + {{- include "kube-state-metrics.labels" . | indent 4 }} + name: psp-{{ template "kube-state-metrics.fullname" . }} +rules: +{{- $kubeTargetVersion := default .Capabilities.KubeVersion.GitVersion .Values.kubeTargetVersionOverride }} +{{- if semverCompare "> 1.15.0-0" $kubeTargetVersion }} +- apiGroups: ['policy'] +{{- else }} +- apiGroups: ['extensions'] +{{- end }} + resources: ['podsecuritypolicies'] + verbs: ['use'] + resourceNames: + - {{ template "kube-state-metrics.fullname" . }} +{{- end }} diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/charts/kube-state-metrics/templates/psp-clusterrolebinding.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/charts/kube-state-metrics/templates/psp-clusterrolebinding.yaml new file mode 100644 index 000000000..03c56d575 --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/charts/kube-state-metrics/templates/psp-clusterrolebinding.yaml @@ -0,0 +1,16 @@ +{{- if and .Values.podSecurityPolicy.enabled .Values.rbac.create -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + {{- include "kube-state-metrics.labels" . | indent 4 }} + name: psp-{{ template "kube-state-metrics.fullname" . }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: psp-{{ template "kube-state-metrics.fullname" . }} +subjects: + - kind: ServiceAccount + name: {{ template "kube-state-metrics.serviceAccountName" . }} + namespace: {{ template "kube-state-metrics.namespace" . }} +{{- end }} diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/charts/kube-state-metrics/templates/role.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/charts/kube-state-metrics/templates/role.yaml new file mode 100644 index 000000000..e514e3c01 --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/charts/kube-state-metrics/templates/role.yaml @@ -0,0 +1,187 @@ +{{- if and (eq .Values.rbac.create true) (not .Values.rbac.useExistingRole) -}} +{{- range (ternary (split "," .Values.namespaces) (list "") (eq $.Values.rbac.useClusterRole false)) }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +{{- if eq $.Values.rbac.useClusterRole false }} +kind: Role +{{- else }} +kind: ClusterRole +{{- end }} +metadata: + labels: + {{- include "kube-state-metrics.labels" $ | indent 4 }} + name: {{ template "kube-state-metrics.fullname" $ }} +{{- if eq $.Values.rbac.useClusterRole false }} + namespace: {{ . }} +{{- end }} +rules: +{{ if has "certificatesigningrequests" $.Values.collectors }} +- apiGroups: ["certificates.k8s.io"] + resources: + - certificatesigningrequests + verbs: ["list", "watch"] +{{ end -}} +{{ if has "configmaps" $.Values.collectors }} +- apiGroups: [""] + resources: + - configmaps + verbs: ["list", "watch"] +{{ end -}} +{{ if has "cronjobs" $.Values.collectors }} +- apiGroups: ["batch"] + resources: + - cronjobs + verbs: ["list", "watch"] +{{ end -}} +{{ if has "daemonsets" $.Values.collectors }} +- apiGroups: ["extensions", "apps"] + resources: + - daemonsets + verbs: ["list", "watch"] +{{ end -}} +{{ if has "deployments" $.Values.collectors }} +- apiGroups: ["extensions", "apps"] + resources: + - deployments + verbs: ["list", "watch"] +{{ end -}} +{{ if has "endpoints" $.Values.collectors }} +- apiGroups: [""] + resources: + - endpoints + verbs: ["list", "watch"] +{{ end -}} +{{ if has "horizontalpodautoscalers" $.Values.collectors }} +- apiGroups: ["autoscaling"] + resources: + - horizontalpodautoscalers + verbs: ["list", "watch"] +{{ end -}} +{{ if has "ingresses" $.Values.collectors }} +- apiGroups: ["extensions", "networking.k8s.io"] + resources: + - ingresses + verbs: ["list", "watch"] +{{ end -}} +{{ if has "jobs" $.Values.collectors }} +- apiGroups: ["batch"] + resources: + - jobs + verbs: ["list", "watch"] +{{ end -}} +{{ if has "limitranges" $.Values.collectors }} +- apiGroups: [""] + resources: + - limitranges + verbs: ["list", "watch"] +{{ end -}} +{{ if has "mutatingwebhookconfigurations" $.Values.collectors }} +- apiGroups: ["admissionregistration.k8s.io"] + resources: + - mutatingwebhookconfigurations + verbs: ["list", "watch"] +{{ end -}} +{{ if has "namespaces" $.Values.collectors }} +- apiGroups: [""] + resources: + - namespaces + verbs: ["list", "watch"] +{{ end -}} +{{ if has "networkpolicies" $.Values.collectors }} +- apiGroups: ["networking.k8s.io"] + resources: + - networkpolicies + verbs: ["list", "watch"] +{{ end -}} +{{ if has "nodes" $.Values.collectors }} +- apiGroups: [""] + resources: + - nodes + verbs: ["list", "watch"] +{{ end -}} +{{ if has "persistentvolumeclaims" $.Values.collectors }} +- apiGroups: [""] + resources: + - persistentvolumeclaims + verbs: ["list", "watch"] +{{ end -}} +{{ if has "persistentvolumes" $.Values.collectors }} +- apiGroups: [""] + resources: + - persistentvolumes + verbs: ["list", "watch"] +{{ end -}} +{{ if has "poddisruptionbudgets" $.Values.collectors }} +- apiGroups: ["policy"] + resources: + - poddisruptionbudgets + verbs: ["list", "watch"] +{{ end -}} +{{ if has "pods" $.Values.collectors }} +- apiGroups: [""] + resources: + - pods + verbs: ["list", "watch"] +{{ end -}} +{{ if has "replicasets" $.Values.collectors }} +- apiGroups: ["extensions", "apps"] + resources: + - replicasets + verbs: ["list", "watch"] +{{ end -}} +{{ if has "replicationcontrollers" $.Values.collectors }} +- apiGroups: [""] + resources: + - replicationcontrollers + verbs: ["list", "watch"] +{{ end -}} +{{ if has "resourcequotas" $.Values.collectors }} +- apiGroups: [""] + resources: + - resourcequotas + verbs: ["list", "watch"] +{{ end -}} +{{ if has "secrets" $.Values.collectors }} +- apiGroups: [""] + resources: + - secrets + verbs: ["list", "watch"] +{{ end -}} +{{ if has "services" $.Values.collectors }} +- apiGroups: [""] + resources: + - services + verbs: ["list", "watch"] +{{ end -}} +{{ if has "statefulsets" $.Values.collectors }} +- apiGroups: ["apps"] + resources: + - statefulsets + verbs: ["list", "watch"] +{{ end -}} +{{ if has "storageclasses" $.Values.collectors }} +- apiGroups: ["storage.k8s.io"] + resources: + - storageclasses + verbs: ["list", "watch"] +{{ end -}} +{{ if has "validatingwebhookconfigurations" $.Values.collectors }} +- apiGroups: ["admissionregistration.k8s.io"] + resources: + - validatingwebhookconfigurations + verbs: ["list", "watch"] +{{ end -}} +{{ if has "volumeattachments" $.Values.collectors }} +- apiGroups: ["storage.k8s.io"] + resources: + - volumeattachments + verbs: ["list", "watch"] +{{ end -}} +{{ if has "verticalpodautoscalers" $.Values.collectors }} +- apiGroups: ["autoscaling.k8s.io"] + resources: + - verticalpodautoscalers + verbs: ["list", "watch"] +{{ end -}} +{{- end -}} +{{- end -}} diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/charts/kube-state-metrics/templates/rolebinding.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/charts/kube-state-metrics/templates/rolebinding.yaml new file mode 100644 index 000000000..135094f7b --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/charts/kube-state-metrics/templates/rolebinding.yaml @@ -0,0 +1,24 @@ +{{- if and (eq .Values.rbac.create true) (eq .Values.rbac.useClusterRole false) -}} +{{- range (split "," $.Values.namespaces) }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + {{- include "kube-state-metrics.labels" $ | indent 4 }} + name: {{ template "kube-state-metrics.fullname" $ }} + namespace: {{ . }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role +{{- if (not $.Values.rbac.useExistingRole) }} + name: {{ template "kube-state-metrics.fullname" $ }} +{{- else }} + name: {{ $.Values.rbac.useExistingRole }} +{{- end }} +subjects: +- kind: ServiceAccount + name: {{ template "kube-state-metrics.serviceAccountName" $ }} + namespace: {{ template "kube-state-metrics.namespace" $ }} +{{- end -}} +{{- end -}} diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/charts/kube-state-metrics/templates/service.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/charts/kube-state-metrics/templates/service.yaml new file mode 100644 index 000000000..5a2d8eab0 --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/charts/kube-state-metrics/templates/service.yaml @@ -0,0 +1,38 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ template "kube-state-metrics.fullname" . }} + namespace: {{ template "kube-state-metrics.namespace" . }} + labels: + {{- include "kube-state-metrics.labels" . | indent 4 }} + annotations: + {{- if .Values.prometheusScrape }} + prometheus.io/scrape: '{{ .Values.prometheusScrape }}' + {{- end }} + {{- if .Values.service.annotations }} + {{- toYaml .Values.service.annotations | nindent 4 }} + {{- end }} +spec: + type: "{{ .Values.service.type }}" + ports: + - name: "http" + protocol: TCP + port: {{ .Values.service.port | default 8080}} + {{- if .Values.service.nodePort }} + nodePort: {{ .Values.service.nodePort }} + {{- end }} + targetPort: {{ .Values.service.port | default 8080}} + {{ if .Values.selfMonitor.enabled }} + - name: "metrics" + protocol: TCP + port: {{ .Values.selfMonitor.telemetryPort | default 8081 }} + targetPort: {{ .Values.selfMonitor.telemetryPort | default 8081 }} + {{ end }} +{{- if .Values.service.loadBalancerIP }} + loadBalancerIP: "{{ .Values.service.loadBalancerIP }}" +{{- end }} +{{- if .Values.service.clusterIP }} + clusterIP: "{{ .Values.service.clusterIP }}" +{{- end }} + selector: + {{- include "kube-state-metrics.selectorLabels" . | indent 4 }} diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/charts/kube-state-metrics/templates/serviceaccount.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/charts/kube-state-metrics/templates/serviceaccount.yaml new file mode 100644 index 000000000..e1229eb95 --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/charts/kube-state-metrics/templates/serviceaccount.yaml @@ -0,0 +1,15 @@ +{{- if .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + {{- include "kube-state-metrics.labels" . | indent 4 }} + name: {{ template "kube-state-metrics.serviceAccountName" . }} + namespace: {{ template "kube-state-metrics.namespace" . }} +{{- if .Values.serviceAccount.annotations }} + annotations: +{{ toYaml .Values.serviceAccount.annotations | indent 4 }} +{{- end }} +imagePullSecrets: +{{ toYaml .Values.serviceAccount.imagePullSecrets | indent 2 }} +{{- end -}} diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/charts/kube-state-metrics/templates/servicemonitor.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/charts/kube-state-metrics/templates/servicemonitor.yaml new file mode 100644 index 000000000..93a5870f6 --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/charts/kube-state-metrics/templates/servicemonitor.yaml @@ -0,0 +1,66 @@ +{{- if .Values.prometheus.monitor.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ template "kube-state-metrics.fullname" . }} + namespace: {{ template "kube-state-metrics.namespace" . }} + labels: + {{- include "kube-state-metrics.labels" . | indent 4 }} + {{- with .Values.prometheus.monitor.additionalLabels }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + jobLabel: {{ default "app.kubernetes.io/name" .Values.prometheus.monitor.jobLabel }} + selector: + matchLabels: + {{- if .Values.prometheus.monitor.selectorOverride -}} + {{ toYaml .Values.prometheus.monitor.selectorOverride | nindent 6 }} + {{ else }} + {{- include "kube-state-metrics.selectorLabels" . | indent 6 }} + {{- end }} + endpoints: + - port: http + {{- if .Values.prometheus.monitor.interval }} + interval: {{ .Values.prometheus.monitor.interval }} + {{- end }} + {{- if .Values.prometheus.monitor.scrapeTimeout }} + scrapeTimeout: {{ .Values.prometheus.monitor.scrapeTimeout }} + {{- end }} + {{- if .Values.prometheus.monitor.proxyUrl }} + proxyUrl: {{ .Values.prometheus.monitor.proxyUrl}} + {{- end }} + {{- if .Values.prometheus.monitor.honorLabels }} + honorLabels: true + {{- end }} + {{- if .Values.prometheus.monitor.metricRelabelings }} + metricRelabelings: + {{- toYaml .Values.prometheus.monitor.metricRelabelings | nindent 8 }} + {{- end }} + {{- if .Values.prometheus.monitor.relabelings }} + relabelings: + {{- toYaml .Values.prometheus.monitor.relabelings | nindent 8 }} + {{- end }} + {{- if .Values.selfMonitor.enabled }} + - port: metrics + {{- if .Values.prometheus.monitor.interval }} + interval: {{ .Values.prometheus.monitor.interval }} + {{- end }} + {{- if .Values.prometheus.monitor.scrapeTimeout }} + scrapeTimeout: {{ .Values.prometheus.monitor.scrapeTimeout }} + {{- end }} + {{- if .Values.prometheus.monitor.proxyUrl }} + proxyUrl: {{ .Values.prometheus.monitor.proxyUrl}} + {{- end }} + {{- if .Values.prometheus.monitor.honorLabels }} + honorLabels: true + {{- end }} + {{- if .Values.prometheus.monitor.metricRelabelings }} + metricRelabelings: + {{- toYaml .Values.prometheus.monitor.metricRelabelings | nindent 8 }} + {{- end }} + {{- if .Values.prometheus.monitor.relabelings }} + relabelings: + {{- toYaml .Values.prometheus.monitor.relabelings | nindent 8 }} + {{- end }} + {{- end }} +{{- end }} diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/charts/kube-state-metrics/templates/stsdiscovery-role.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/charts/kube-state-metrics/templates/stsdiscovery-role.yaml new file mode 100644 index 000000000..489de147c --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/charts/kube-state-metrics/templates/stsdiscovery-role.yaml @@ -0,0 +1,26 @@ +{{- if and .Values.autosharding.enabled .Values.rbac.create -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: stsdiscovery-{{ template "kube-state-metrics.fullname" . }} + namespace: {{ template "kube-state-metrics.namespace" . }} + labels: + {{- include "kube-state-metrics.labels" . | indent 4 }} +rules: +- apiGroups: + - "" + resources: + - pods + verbs: + - get +- apiGroups: + - apps + resourceNames: + - {{ template "kube-state-metrics.fullname" . }} + resources: + - statefulsets + verbs: + - get + - list + - watch +{{- end }} diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/charts/kube-state-metrics/templates/stsdiscovery-rolebinding.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/charts/kube-state-metrics/templates/stsdiscovery-rolebinding.yaml new file mode 100644 index 000000000..73b37a4f6 --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/charts/kube-state-metrics/templates/stsdiscovery-rolebinding.yaml @@ -0,0 +1,17 @@ +{{- if and .Values.autosharding.enabled .Values.rbac.create -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: stsdiscovery-{{ template "kube-state-metrics.fullname" . }} + namespace: {{ template "kube-state-metrics.namespace" . }} + labels: + {{- include "kube-state-metrics.labels" . | indent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: stsdiscovery-{{ template "kube-state-metrics.fullname" . }} +subjects: + - kind: ServiceAccount + name: {{ template "kube-state-metrics.serviceAccountName" . }} + namespace: {{ template "kube-state-metrics.namespace" . }} +{{- end }} diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/charts/kube-state-metrics/values.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/charts/kube-state-metrics/values.yaml new file mode 100644 index 000000000..3feb6b501 --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/charts/kube-state-metrics/values.yaml @@ -0,0 +1,233 @@ +# Default values for kube-state-metrics. +prometheusScrape: true +image: + registry: k8s.gcr.io + repository: kube-state-metrics/kube-state-metrics + tag: v2.4.1 + pullPolicy: IfNotPresent + +imagePullSecrets: [] +# - name: "image-pull-secret" + +# If set to true, this will deploy kube-state-metrics as a StatefulSet and the data +# will be automatically sharded across <.Values.replicas> pods using the built-in +# autodiscovery feature: https://github.com/kubernetes/kube-state-metrics#automated-sharding +# This is an experimental feature and there are no stability guarantees. +autosharding: + enabled: false + +replicas: 1 + +# List of additional cli arguments to configure kube-state-metrics +# for example: --enable-gzip-encoding, --log-file, etc. +# all the possible args can be found here: https://github.com/kubernetes/kube-state-metrics/blob/master/docs/cli-arguments.md +extraArgs: [] + +service: + port: 8080 + # Default to clusterIP for backward compatibility + type: ClusterIP + nodePort: 0 + loadBalancerIP: "" + clusterIP: "" + annotations: {} + +## Additional labels to add to all resources +customLabels: {} + # app: kube-state-metrics + +## set to true to add the release label so scraping of the servicemonitor with kube-prometheus-stack works out of the box +releaseLabel: false + +hostNetwork: false + +rbac: + # If true, create & use RBAC resources + create: true + + # Set to a rolename to use existing role - skipping role creating - but still doing serviceaccount and rolebinding to it, rolename set here. + # useExistingRole: your-existing-role + + # If set to false - Run without Cluteradmin privs needed - ONLY works if namespace is also set (if useExistingRole is set this name is used as ClusterRole or Role to bind to) + useClusterRole: true + +serviceAccount: + # Specifies whether a ServiceAccount should be created, require rbac true + create: true + # The name of the ServiceAccount to use. + # If not set and create is true, a name is generated using the fullname template + name: + # Reference to one or more secrets to be used when pulling images + # ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + imagePullSecrets: [] + # ServiceAccount annotations. + # Use case: AWS EKS IAM roles for service accounts + # ref: https://docs.aws.amazon.com/eks/latest/userguide/specify-service-account-role.html + annotations: {} + +prometheus: + monitor: + enabled: false + additionalLabels: {} + namespace: "" + jobLabel: "" + interval: "" + scrapeTimeout: "" + proxyUrl: "" + selectorOverride: {} + honorLabels: false + metricRelabelings: [] + relabelings: [] + +## Specify if a Pod Security Policy for kube-state-metrics must be created +## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/ +## +podSecurityPolicy: + enabled: false + annotations: {} + ## Specify pod annotations + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#apparmor + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#sysctl + ## + # seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*' + # seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default' + # apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default' + + additionalVolumes: [] + +securityContext: + enabled: true + runAsGroup: 65534 + runAsUser: 65534 + fsGroup: 65534 + +## Specify security settings for a Container +## Allows overrides and additional options compared to (Pod) securityContext +## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container +containerSecurityContext: {} + +## Node labels for pod assignment +## Ref: https://kubernetes.io/docs/user-guide/node-selection/ +nodeSelector: {} + +## Affinity settings for pod assignment +## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ +affinity: {} + +## Tolerations for pod assignment +## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ +tolerations: [] + +# Annotations to be added to the pod +podAnnotations: {} + +## Assign a PriorityClassName to pods if set +# priorityClassName: "" + +# Ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ +podDisruptionBudget: {} + +updateStrategy: + type: RollingUpdate + +# Comma-separated list of metrics to be exposed. +# This list comprises of exact metric names and/or regex patterns. +# The allowlist and denylist are mutually exclusive. +metricAllowlist: [] + +# Comma-separated list of metrics not to be enabled. +# This list comprises of exact metric names and/or regex patterns. +# The allowlist and denylist are mutually exclusive. +metricDenylist: [] + +# Comma-separated list of additional Kubernetes label keys that will be used in the resource's +# labels metric. By default the metric contains only name and namespace labels. +# To include additional labels, provide a list of resource names in their plural form and Kubernetes +# label keys you would like to allow for them (Example: '=namespaces=[k8s-label-1,k8s-label-n,...],pods=[app],...)'. +# A single '*' can be provided per resource instead to allow any labels, but that has +# severe performance implications (Example: '=pods=[*]'). +metricLabelsAllowlist: [] + # - namespaces=[k8s-label-1,k8s-label-n] + +# Comma-separated list of Kubernetes annotations keys that will be used in the resource' +# labels metric. By default the metric contains only name and namespace labels. +# To include additional annotations provide a list of resource names in their plural form and Kubernetes +# annotation keys you would like to allow for them (Example: '=namespaces=[kubernetes.io/team,...],pods=[kubernetes.io/team],...)'. +# A single '*' can be provided per resource instead to allow any annotations, but that has +# severe performance implications (Example: '=pods=[*]'). +metricAnnotationsAllowList: [] + # - pods=[k8s-annotation-1,k8s-annotation-n] + +# Available collectors for kube-state-metrics. +# By default, all available resources are enabled, comment out to disable. +collectors: + - certificatesigningrequests + - configmaps + - cronjobs + - daemonsets + - deployments + - endpoints + - horizontalpodautoscalers + - ingresses + - jobs + - limitranges + - mutatingwebhookconfigurations + - namespaces + - networkpolicies + - nodes + - persistentvolumeclaims + - persistentvolumes + - poddisruptionbudgets + - pods + - replicasets + - replicationcontrollers + - resourcequotas + - secrets + - services + - statefulsets + - storageclasses + - validatingwebhookconfigurations + - volumeattachments + # - verticalpodautoscalers # not a default resource, see also: https://github.com/kubernetes/kube-state-metrics#enabling-verticalpodautoscalers + +# Enabling kubeconfig will pass the --kubeconfig argument to the container +kubeconfig: + enabled: false + # base64 encoded kube-config file + secret: + +# Comma-separated list of namespaces to be enabled for collecting resources. By default all namespaces are collected. +namespaces: "" + +# Comma-separated list of namespaces not to be enabled. If namespaces and namespaces-denylist are both set, +# only namespaces that are excluded in namespaces-denylist will be used. +namespacesDenylist: "" + +## Override the deployment namespace +## +namespaceOverride: "" + +resources: + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + limits: + cpu: 500m + memory: 128Mi + requests: + cpu: 100m + memory: 64Mi + +## Provide a k8s version to define apiGroups for podSecurityPolicy Cluster Role. +## For example: kubeTargetVersionOverride: 1.14.9 +## +kubeTargetVersionOverride: "" + +# Enable self metrics configuration for service and Service Monitor +# Default values for telemetry configuration can be overridden +selfMonitor: + enabled: false + # telemetryHost: 0.0.0.0 + # telemetryPort: 8081 diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/NOTES.txt b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/NOTES.txt new file mode 100644 index 000000000..0e8868f0b --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/NOTES.txt @@ -0,0 +1,112 @@ +{{- if .Values.server.enabled -}} +The Prometheus server can be accessed via port {{ .Values.server.service.servicePort }} on the following DNS name from within your cluster: +{{ template "prometheus.server.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local + +{{ if .Values.server.ingress.enabled -}} +From outside the cluster, the server URL(s) are: +{{- range .Values.server.ingress.hosts }} +http://{{ . }} +{{- end }} +{{- else }} +Get the Prometheus server URL by running these commands in the same shell: +{{- if contains "NodePort" .Values.server.service.type }} + export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "prometheus.server.fullname" . }}) + export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") + echo http://$NODE_IP:$NODE_PORT +{{- else if contains "LoadBalancer" .Values.server.service.type }} + NOTE: It may take a few minutes for the LoadBalancer IP to be available. + You can watch the status of by running 'kubectl get svc --namespace {{ .Release.Namespace }} -w {{ template "prometheus.server.fullname" . }}' + + export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "prometheus.server.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') + echo http://$SERVICE_IP:{{ .Values.server.service.servicePort }} +{{- else if contains "ClusterIP" .Values.server.service.type }} + export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app={{ template "prometheus.name" . }},component={{ .Values.server.name }}" -o jsonpath="{.items[0].metadata.name}") + kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 9090 +{{- end }} +{{- end }} + +{{- if .Values.server.persistentVolume.enabled }} +{{- else }} +################################################################################# +###### WARNING: Persistence is disabled!!! You will lose your data when ##### +###### the Server pod is terminated. ##### +################################################################################# +{{- end }} +{{- end }} + +{{ if .Values.alertmanager.enabled }} +The Prometheus alertmanager can be accessed via port {{ .Values.alertmanager.service.servicePort }} on the following DNS name from within your cluster: +{{ template "prometheus.alertmanager.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local + +{{ if .Values.alertmanager.ingress.enabled -}} +From outside the cluster, the alertmanager URL(s) are: +{{- range .Values.alertmanager.ingress.hosts }} +http://{{ . }} +{{- end }} +{{- else }} +Get the Alertmanager URL by running these commands in the same shell: +{{- if contains "NodePort" .Values.alertmanager.service.type }} + export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "prometheus.alertmanager.fullname" . }}) + export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") + echo http://$NODE_IP:$NODE_PORT +{{- else if contains "LoadBalancer" .Values.alertmanager.service.type }} + NOTE: It may take a few minutes for the LoadBalancer IP to be available. + You can watch the status of by running 'kubectl get svc --namespace {{ .Release.Namespace }} -w {{ template "prometheus.alertmanager.fullname" . }}' + + export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "prometheus.alertmanager.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') + echo http://$SERVICE_IP:{{ .Values.alertmanager.service.servicePort }} +{{- else if contains "ClusterIP" .Values.alertmanager.service.type }} + export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app={{ template "prometheus.name" . }},component={{ .Values.alertmanager.name }}" -o jsonpath="{.items[0].metadata.name}") + kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 9093 +{{- end }} +{{- end }} + +{{- if .Values.alertmanager.persistentVolume.enabled }} +{{- else }} +################################################################################# +###### WARNING: Persistence is disabled!!! You will lose your data when ##### +###### the AlertManager pod is terminated. ##### +################################################################################# +{{- end }} +{{- end }} + +{{- if .Values.nodeExporter.podSecurityPolicy.enabled }} +{{- else }} +################################################################################# +###### WARNING: Pod Security Policy has been moved to a global property. ##### +###### use .Values.podSecurityPolicy.enabled with pod-based ##### +###### annotations ##### +###### (e.g. .Values.nodeExporter.podSecurityPolicy.annotations) ##### +################################################################################# +{{- end }} + +{{ if .Values.pushgateway.enabled }} +The Prometheus PushGateway can be accessed via port {{ .Values.pushgateway.service.servicePort }} on the following DNS name from within your cluster: +{{ template "prometheus.pushgateway.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local + +{{ if .Values.pushgateway.ingress.enabled -}} +From outside the cluster, the pushgateway URL(s) are: +{{- range .Values.pushgateway.ingress.hosts }} +http://{{ . }} +{{- end }} +{{- else }} +Get the PushGateway URL by running these commands in the same shell: +{{- if contains "NodePort" .Values.pushgateway.service.type }} + export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "prometheus.pushgateway.fullname" . }}) + export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") + echo http://$NODE_IP:$NODE_PORT +{{- else if contains "LoadBalancer" .Values.pushgateway.service.type }} + NOTE: It may take a few minutes for the LoadBalancer IP to be available. + You can watch the status of by running 'kubectl get svc --namespace {{ .Release.Namespace }} -w {{ template "prometheus.pushgateway.fullname" . }}' + + export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "prometheus.pushgateway.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') + echo http://$SERVICE_IP:{{ .Values.pushgateway.service.servicePort }} +{{- else if contains "ClusterIP" .Values.pushgateway.service.type }} + export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app={{ template "prometheus.name" . }},component={{ .Values.pushgateway.name }}" -o jsonpath="{.items[0].metadata.name}") + kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 9091 +{{- end }} +{{- end }} +{{- end }} + +For more information on running Prometheus, visit: +https://prometheus.io/ diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/_helpers.tpl b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/_helpers.tpl new file mode 100644 index 000000000..2d93181bb --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/_helpers.tpl @@ -0,0 +1,288 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "prometheus.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "prometheus.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create unified labels for prometheus components +*/}} +{{- define "prometheus.common.matchLabels" -}} +app: {{ template "prometheus.name" . }} +release: {{ .Release.Name }} +{{ include "k8s-triliovault-operator.observability" . }} +{{- end -}} + +{{- define "prometheus.common.metaLabels" -}} +chart: {{ template "prometheus.chart" . }} +heritage: {{ .Release.Service }} +{{ include "k8s-triliovault-operator.observability" . }} +{{- end -}} + +{{- define "prometheus.alertmanager.labels" -}} +{{ include "prometheus.alertmanager.matchLabels" . }} +{{ include "prometheus.common.metaLabels" . }} +{{- end -}} + +{{- define "prometheus.alertmanager.matchLabels" -}} +component: {{ .Values.alertmanager.name | quote }} +app.kubernetes.io/instance: {{ .Values.alertmanager.name | quote }} +{{ include "prometheus.common.matchLabels" . }} +{{- end -}} + +{{- define "prometheus.nodeExporter.labels" -}} +{{ include "prometheus.nodeExporter.matchLabels" . }} +{{ include "prometheus.common.metaLabels" . }} +{{- end -}} + +{{- define "prometheus.nodeExporter.matchLabels" -}} +component: {{ .Values.nodeExporter.name | quote }} +app.kubernetes.io/instance: {{ .Values.nodeExporter.name | quote }} +{{ include "prometheus.common.matchLabels" . }} +{{- end -}} + +{{- define "prometheus.pushgateway.labels" -}} +{{ include "prometheus.pushgateway.matchLabels" . }} +{{ include "prometheus.common.metaLabels" . }} +{{- end -}} + +{{- define "prometheus.pushgateway.matchLabels" -}} +component: {{ .Values.pushgateway.name | quote }} +app.kubernetes.io/instance: {{ .Values.pushgateway.name | quote }} +{{ include "prometheus.common.matchLabels" . }} +{{- end -}} + +{{- define "prometheus.server.labels" -}} +{{ include "prometheus.server.matchLabels" . }} +{{ include "prometheus.common.metaLabels" . }} +{{- end -}} + +{{- define "prometheus.server.matchLabels" -}} +component: {{ .Values.server.name | quote }} +app.kubernetes.io/instance: {{ .Values.server.name | quote }} +{{ include "prometheus.common.matchLabels" . }} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "prometheus.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create a fully qualified alertmanager name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} + +{{- define "prometheus.alertmanager.fullname" -}} +{{- if .Values.alertmanager.fullnameOverride -}} +{{- .Values.alertmanager.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- printf "%s-%s" .Release.Name .Values.alertmanager.name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s-%s" .Release.Name $name .Values.alertmanager.name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create a fully qualified node-exporter name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "prometheus.nodeExporter.fullname" -}} +{{- if .Values.nodeExporter.fullnameOverride -}} +{{- .Values.nodeExporter.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- printf "%s-%s" .Release.Name .Values.nodeExporter.name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s-%s" .Release.Name $name .Values.nodeExporter.name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create a fully qualified Prometheus server name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "prometheus.server.fullname" -}} +{{- if .Values.server.fullnameOverride -}} +{{- .Values.server.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- printf "%s-%s" .Release.Name .Values.server.name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s-%s" .Release.Name $name .Values.server.name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create a fully qualified pushgateway name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "prometheus.pushgateway.fullname" -}} +{{- if .Values.pushgateway.fullnameOverride -}} +{{- .Values.pushgateway.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- printf "%s-%s" .Release.Name .Values.pushgateway.name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s-%s" .Release.Name $name .Values.pushgateway.name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Get KubeVersion removing pre-release information. +*/}} +{{- define "prometheus.kubeVersion" -}} + {{- default .Capabilities.KubeVersion.Version (regexFind "v[0-9]+\\.[0-9]+\\.[0-9]+" .Capabilities.KubeVersion.Version) -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for deployment. +*/}} +{{- define "prometheus.deployment.apiVersion" -}} +{{- print "apps/v1" -}} +{{- end -}} +{{/* +Return the appropriate apiVersion for daemonset. +*/}} +{{- define "prometheus.daemonset.apiVersion" -}} +{{- print "apps/v1" -}} +{{- end -}} +{{/* +Return the appropriate apiVersion for networkpolicy. +*/}} +{{- define "prometheus.networkPolicy.apiVersion" -}} +{{- print "networking.k8s.io/v1" -}} +{{- end -}} +{{/* +Return the appropriate apiVersion for podsecuritypolicy. +*/}} +{{- define "prometheus.podSecurityPolicy.apiVersion" -}} +{{- print "policy/v1beta1" -}} +{{- end -}} +{{/* +Return the appropriate apiVersion for rbac. +*/}} +{{- define "rbac.apiVersion" -}} +{{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" }} +{{- print "rbac.authorization.k8s.io/v1" -}} +{{- else -}} +{{- print "rbac.authorization.k8s.io/v1beta1" -}} +{{- end -}} +{{- end -}} +{{/* +Return the appropriate apiVersion for ingress. +*/}} +{{- define "ingress.apiVersion" -}} + {{- if and (.Capabilities.APIVersions.Has "networking.k8s.io/v1") (semverCompare ">= 1.19.x" (include "prometheus.kubeVersion" .)) -}} + {{- print "networking.k8s.io/v1" -}} + {{- else if .Capabilities.APIVersions.Has "networking.k8s.io/v1beta1" -}} + {{- print "networking.k8s.io/v1beta1" -}} + {{- else -}} + {{- print "extensions/v1beta1" -}} + {{- end -}} +{{- end -}} + +{{/* +Return if ingress is stable. +*/}} +{{- define "ingress.isStable" -}} + {{- eq (include "ingress.apiVersion" .) "networking.k8s.io/v1" -}} +{{- end -}} + +{{/* +Return if ingress supports ingressClassName. +*/}} +{{- define "ingress.supportsIngressClassName" -}} + {{- or (eq (include "ingress.isStable" .) "true") (and (eq (include "ingress.apiVersion" .) "networking.k8s.io/v1beta1") (semverCompare ">= 1.18.x" (include "prometheus.kubeVersion" .))) -}} +{{- end -}} +{{/* +Return if ingress supports pathType. +*/}} +{{- define "ingress.supportsPathType" -}} + {{- or (eq (include "ingress.isStable" .) "true") (and (eq (include "ingress.apiVersion" .) "networking.k8s.io/v1beta1") (semverCompare ">= 1.18.x" (include "prometheus.kubeVersion" .))) -}} +{{- end -}} + +{{/* +Create the name of the service account to use for the alertmanager component +*/}} +{{- define "prometheus.serviceAccountName.alertmanager" -}} +{{- if .Values.serviceAccounts.alertmanager.create -}} + {{ default (include "prometheus.alertmanager.fullname" .) .Values.serviceAccounts.alertmanager.name }} +{{- else -}} + {{ default "default" .Values.serviceAccounts.alertmanager.name }} +{{- end -}} +{{- end -}} + +{{/* +Create the name of the service account to use for the nodeExporter component +*/}} +{{- define "prometheus.serviceAccountName.nodeExporter" -}} +{{- if .Values.serviceAccounts.nodeExporter.create -}} + {{ default (include "prometheus.nodeExporter.fullname" .) .Values.serviceAccounts.nodeExporter.name }} +{{- else -}} + {{ default "default" .Values.serviceAccounts.nodeExporter.name }} +{{- end -}} +{{- end -}} + +{{/* +Create the name of the service account to use for the pushgateway component +*/}} +{{- define "prometheus.serviceAccountName.pushgateway" -}} +{{- if .Values.serviceAccounts.pushgateway.create -}} + {{ default (include "prometheus.pushgateway.fullname" .) .Values.serviceAccounts.pushgateway.name }} +{{- else -}} + {{ default "default" .Values.serviceAccounts.pushgateway.name }} +{{- end -}} +{{- end -}} + +{{/* +Create the name of the service account to use for the server component +*/}} +{{- define "prometheus.serviceAccountName.server" -}} +{{- if .Values.serviceAccounts.server.create -}} + {{ default (include "prometheus.server.fullname" .) .Values.serviceAccounts.server.name }} +{{- else -}} + {{ default "default" .Values.serviceAccounts.server.name }} +{{- end -}} +{{- end -}} + +{{/* +Define the prometheus.namespace template if set with forceNamespace or .Release.Namespace is set +*/}} +{{- define "prometheus.namespace" -}} +{{- if .Values.forceNamespace -}} +{{ printf "namespace: %s" .Values.forceNamespace }} +{{- else -}} +{{ printf "namespace: %s" .Release.Namespace }} +{{- end -}} +{{- end -}} diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/alertmanager/clusterrole.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/alertmanager/clusterrole.yaml new file mode 100644 index 000000000..c732ff4e5 --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/alertmanager/clusterrole.yaml @@ -0,0 +1,21 @@ +{{- if and .Values.alertmanager.enabled .Values.rbac.create .Values.alertmanager.useClusterRole (not .Values.alertmanager.useExistingRole) -}} +apiVersion: {{ template "rbac.apiVersion" . }} +kind: ClusterRole +metadata: + labels: + {{- include "prometheus.alertmanager.labels" . | nindent 4 }} + name: {{ template "prometheus.alertmanager.fullname" . }} +rules: +{{- if .Values.podSecurityPolicy.enabled }} + - apiGroups: + - extensions + resources: + - podsecuritypolicies + verbs: + - use + resourceNames: + - {{ template "prometheus.alertmanager.fullname" . }} +{{- else }} + [] +{{- end }} +{{- end }} diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/alertmanager/clusterrolebinding.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/alertmanager/clusterrolebinding.yaml new file mode 100644 index 000000000..6f13e98b5 --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/alertmanager/clusterrolebinding.yaml @@ -0,0 +1,20 @@ +{{- if and .Values.alertmanager.enabled .Values.rbac.create .Values.alertmanager.useClusterRole -}} +apiVersion: {{ template "rbac.apiVersion" . }} +kind: ClusterRoleBinding +metadata: + labels: + {{- include "prometheus.alertmanager.labels" . | nindent 4 }} + name: {{ template "prometheus.alertmanager.fullname" . }} +subjects: + - kind: ServiceAccount + name: {{ template "prometheus.serviceAccountName.alertmanager" . }} +{{ include "prometheus.namespace" . | indent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole +{{- if (not .Values.alertmanager.useExistingRole) }} + name: {{ template "prometheus.alertmanager.fullname" . }} +{{- else }} + name: {{ .Values.alertmanager.useExistingRole }} +{{- end }} +{{- end }} diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/alertmanager/cm.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/alertmanager/cm.yaml new file mode 100644 index 000000000..cb09bf067 --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/alertmanager/cm.yaml @@ -0,0 +1,19 @@ +{{- if and .Values.alertmanager.enabled (and (empty .Values.alertmanager.configMapOverrideName) (empty .Values.alertmanager.configFromSecret)) -}} +apiVersion: v1 +kind: ConfigMap +metadata: + labels: + {{- include "prometheus.alertmanager.labels" . | nindent 4 }} + name: {{ template "prometheus.alertmanager.fullname" . }} +{{ include "prometheus.namespace" . | indent 2 }} +data: +{{- $root := . -}} +{{- range $key, $value := .Values.alertmanagerFiles }} + {{- if $key | regexMatch ".*\\.ya?ml$" }} + {{ $key }}: | +{{ toYaml $value | default "{}" | indent 4 }} + {{- else }} + {{ $key }}: {{ toYaml $value | indent 4 }} + {{- end }} +{{- end -}} +{{- end -}} diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/alertmanager/deploy.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/alertmanager/deploy.yaml new file mode 100644 index 000000000..8a51d250a --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/alertmanager/deploy.yaml @@ -0,0 +1,208 @@ +{{- if and .Values.alertmanager.enabled (not .Values.alertmanager.statefulSet.enabled) -}} +apiVersion: {{ template "prometheus.deployment.apiVersion" . }} +kind: Deployment +metadata: +{{- if .Values.alertmanager.deploymentAnnotations }} + annotations: + {{ toYaml .Values.alertmanager.deploymentAnnotations | nindent 4 }} +{{- end }} + labels: + {{- include "prometheus.alertmanager.labels" . | nindent 4 }} + name: {{ template "prometheus.alertmanager.fullname" . }} +{{ include "prometheus.namespace" . | indent 2 }} +spec: + selector: + matchLabels: + {{- include "prometheus.alertmanager.matchLabels" . | nindent 6 }} + replicas: {{ .Values.alertmanager.replicaCount }} + {{- if .Values.alertmanager.strategy }} + strategy: +{{ toYaml .Values.alertmanager.strategy | trim | indent 4 }} + {{ if eq .Values.alertmanager.strategy.type "Recreate" }}rollingUpdate: null{{ end }} +{{- end }} + template: + metadata: + {{- if .Values.alertmanager.podAnnotations }} + annotations: + {{ toYaml .Values.alertmanager.podAnnotations | nindent 8 }} + {{- end }} + labels: + {{- include "prometheus.alertmanager.labels" . | nindent 8 }} + {{- if .Values.alertmanager.podLabels}} + {{ toYaml .Values.alertmanager.podLabels | nindent 8 }} + {{- end}} + spec: +{{- if .Values.alertmanager.schedulerName }} + schedulerName: "{{ .Values.alertmanager.schedulerName }}" +{{- end }} + serviceAccountName: {{ template "prometheus.serviceAccountName.alertmanager" . }} + {{- if .Values.alertmanager.extraInitContainers }} + initContainers: +{{ toYaml .Values.alertmanager.extraInitContainers | indent 8 }} + {{- end }} +{{- if .Values.alertmanager.priorityClassName }} + priorityClassName: "{{ .Values.alertmanager.priorityClassName }}" +{{- end }} + containers: + - name: {{ template "prometheus.name" . }}-{{ .Values.alertmanager.name }} + image: "{{ .Values.alertmanager.image.registry }}/{{ .Values.alertmanager.image.repository }}:{{ .Values.alertmanager.image.tag }}" + imagePullPolicy: "{{ .Values.alertmanager.image.pullPolicy }}" + env: + {{- range $key, $value := .Values.alertmanager.extraEnv }} + - name: {{ $key }} + value: {{ $value }} + {{- end }} + - name: POD_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + args: + - --config.file=/etc/config/{{ .Values.alertmanager.configFileName }} + - --storage.path={{ .Values.alertmanager.persistentVolume.mountPath }} + {{- if .Values.alertmanager.service.enableMeshPeer }} + - --cluster.listen-address=0.0.0.0:6783 + - --cluster.advertise-address=[$(POD_IP)]:6783 + {{- else }} + - --cluster.listen-address= + {{- end }} + {{- range $key, $value := .Values.alertmanager.extraArgs }} + - --{{ $key }}={{ $value }} + {{- end }} + {{- if .Values.alertmanager.baseURL }} + - --web.external-url={{ .Values.alertmanager.baseURL }} + {{- end }} + {{- range .Values.alertmanager.clusterPeers }} + - --cluster.peer={{ . }} + {{- end }} + + ports: + - containerPort: 9093 + readinessProbe: + httpGet: + path: {{ .Values.alertmanager.prefixURL }}/-/ready + port: 9093 + {{- if .Values.alertmanager.probeHeaders }} + httpHeaders: + {{- range .Values.alertmanager.probeHeaders }} + - name: {{ .name }} + value: {{ .value }} + {{- end }} + {{- end }} + initialDelaySeconds: 30 + timeoutSeconds: 30 + resources: +{{ toYaml .Values.alertmanager.resources | indent 12 }} + volumeMounts: + - name: config-volume + mountPath: /etc/config + - name: storage-volume + mountPath: "{{ .Values.alertmanager.persistentVolume.mountPath }}" + subPath: "{{ .Values.alertmanager.persistentVolume.subPath }}" + {{- range .Values.alertmanager.extraSecretMounts }} + - name: {{ .name }} + mountPath: {{ .mountPath }} + subPath: {{ .subPath }} + readOnly: {{ .readOnly }} + {{- end }} + {{- range .Values.alertmanager.extraConfigmapMounts }} + - name: {{ .name }} + mountPath: {{ .mountPath }} + subPath: {{ .subPath }} + readOnly: {{ .readOnly }} + {{- end }} + + {{- if .Values.configmapReload.alertmanager.enabled }} + - name: {{ template "prometheus.name" . }}-{{ .Values.alertmanager.name }}-{{ .Values.configmapReload.alertmanager.name }} + image: "{{ .Values.configmapReload.alertmanager.image.registry }}/{{ .Values.configmapReload.alertmanager.image.repository }}:{{ .Values.configmapReload.alertmanager.image.tag }}" + imagePullPolicy: "{{ .Values.configmapReload.alertmanager.image.pullPolicy }}" + args: + - --volume-dir=/etc/config + - --webhook-url=http://127.0.0.1:9093{{ .Values.alertmanager.prefixURL }}/-/reload + {{- range $key, $value := .Values.configmapReload.alertmanager.extraArgs }} + - --{{ $key }}={{ $value }} + {{- end }} + {{- range .Values.configmapReload.alertmanager.extraVolumeDirs }} + - --volume-dir={{ . }} + {{- end }} + {{- if .Values.configmapReload.alertmanager.containerPort }} + ports: + - containerPort: {{ .Values.configmapReload.alertmanager.containerPort }} + {{- end }} + resources: +{{ toYaml .Values.configmapReload.alertmanager.resources | indent 12 }} + volumeMounts: + - name: config-volume + mountPath: /etc/config + readOnly: true + {{- range .Values.configmapReload.alertmanager.extraConfigmapMounts }} + - name: {{ $.Values.configmapReload.alertmanager.name }}-{{ .name }} + mountPath: {{ .mountPath }} + subPath: {{ .subPath }} + readOnly: {{ .readOnly }} + {{- end }} + {{- end }} + {{- if .Values.imagePullSecrets }} + imagePullSecrets: +{{ toYaml .Values.imagePullSecrets | indent 8 }} + {{- end }} + {{- if .Values.alertmanager.nodeSelector }} + nodeSelector: +{{ toYaml .Values.alertmanager.nodeSelector | indent 8 }} + {{- end }} + {{- with .Values.alertmanager.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.alertmanager.securityContext }} + securityContext: +{{ toYaml .Values.alertmanager.securityContext | indent 8 }} + {{- end }} + {{- if .Values.alertmanager.tolerations }} + tolerations: +{{ toYaml .Values.alertmanager.tolerations | indent 8 }} + {{- end }} + {{- if .Values.alertmanager.affinity }} + affinity: +{{ toYaml .Values.alertmanager.affinity | indent 8 }} + {{- end }} + volumes: + - name: config-volume + {{- if empty .Values.alertmanager.configFromSecret }} + configMap: + name: {{ if .Values.alertmanager.configMapOverrideName }}{{ .Release.Name }}-{{ .Values.alertmanager.configMapOverrideName }}{{- else }}{{ template "prometheus.alertmanager.fullname" . }}{{- end }} + {{- else }} + secret: + secretName: {{ .Values.alertmanager.configFromSecret }} + {{- end }} + {{- range .Values.alertmanager.extraSecretMounts }} + - name: {{ .name }} + secret: + secretName: {{ .secretName }} + {{- with .optional }} + optional: {{ . }} + {{- end }} + {{- end }} + {{- range .Values.alertmanager.extraConfigmapMounts }} + - name: {{ .name }} + configMap: + name: {{ .configMap }} + {{- end }} + {{- range .Values.configmapReload.alertmanager.extraConfigmapMounts }} + - name: {{ $.Values.configmapReload.alertmanager.name }}-{{ .name }} + configMap: + name: {{ .configMap }} + {{- end }} + - name: storage-volume + {{- if .Values.alertmanager.persistentVolume.enabled }} + persistentVolumeClaim: + claimName: {{ if .Values.alertmanager.persistentVolume.existingClaim }}{{ .Values.alertmanager.persistentVolume.existingClaim }}{{- else }}{{ template "prometheus.alertmanager.fullname" . }}{{- end }} + {{- else }} + emptyDir: + {{- if .Values.alertmanager.emptyDir.sizeLimit }} + sizeLimit: {{ .Values.alertmanager.emptyDir.sizeLimit }} + {{- else }} + {} + {{- end -}} + {{- end -}} +{{- end }} diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/alertmanager/headless-svc.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/alertmanager/headless-svc.yaml new file mode 100644 index 000000000..8c402c408 --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/alertmanager/headless-svc.yaml @@ -0,0 +1,31 @@ +{{- if and .Values.alertmanager.enabled .Values.alertmanager.statefulSet.enabled -}} +apiVersion: v1 +kind: Service +metadata: +{{- if .Values.alertmanager.statefulSet.headless.annotations }} + annotations: +{{ toYaml .Values.alertmanager.statefulSet.headless.annotations | indent 4 }} +{{- end }} + labels: + {{- include "prometheus.alertmanager.labels" . | nindent 4 }} +{{- if .Values.alertmanager.statefulSet.headless.labels }} +{{ toYaml .Values.alertmanager.statefulSet.headless.labels | indent 4 }} +{{- end }} + name: {{ template "prometheus.alertmanager.fullname" . }}-headless +{{ include "prometheus.namespace" . | indent 2 }} +spec: + clusterIP: None + ports: + - name: http + port: {{ .Values.alertmanager.statefulSet.headless.servicePort }} + protocol: TCP + targetPort: 9093 +{{- if .Values.alertmanager.statefulSet.headless.enableMeshPeer }} + - name: meshpeer + port: 6783 + protocol: TCP + targetPort: 6783 +{{- end }} + selector: + {{- include "prometheus.alertmanager.matchLabels" . | nindent 4 }} +{{- end }} diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/alertmanager/ingress.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/alertmanager/ingress.yaml new file mode 100644 index 000000000..2a7b67c08 --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/alertmanager/ingress.yaml @@ -0,0 +1,57 @@ +{{- if and .Values.alertmanager.enabled .Values.alertmanager.ingress.enabled -}} +{{- $ingressApiIsStable := eq (include "ingress.isStable" .) "true" -}} +{{- $ingressSupportsIngressClassName := eq (include "ingress.supportsIngressClassName" .) "true" -}} +{{- $ingressSupportsPathType := eq (include "ingress.supportsPathType" .) "true" -}} +{{- $releaseName := .Release.Name -}} +{{- $serviceName := include "prometheus.alertmanager.fullname" . }} +{{- $servicePort := .Values.alertmanager.service.servicePort -}} +{{- $ingressPath := .Values.alertmanager.ingress.path -}} +{{- $ingressPathType := .Values.alertmanager.ingress.pathType -}} +{{- $extraPaths := .Values.alertmanager.ingress.extraPaths -}} +apiVersion: {{ template "ingress.apiVersion" . }} +kind: Ingress +metadata: +{{- if .Values.alertmanager.ingress.annotations }} + annotations: +{{ toYaml .Values.alertmanager.ingress.annotations | indent 4 }} +{{- end }} + labels: + {{- include "prometheus.alertmanager.labels" . | nindent 4 }} +{{- range $key, $value := .Values.alertmanager.ingress.extraLabels }} + {{ $key }}: {{ $value }} +{{- end }} + name: {{ template "prometheus.alertmanager.fullname" . }} +{{ include "prometheus.namespace" . | indent 2 }} +spec: + {{- if and $ingressSupportsIngressClassName .Values.alertmanager.ingress.ingressClassName }} + ingressClassName: {{ .Values.alertmanager.ingress.ingressClassName }} + {{- end }} + rules: + {{- range .Values.alertmanager.ingress.hosts }} + {{- $url := splitList "/" . }} + - host: {{ first $url }} + http: + paths: +{{ if $extraPaths }} +{{ toYaml $extraPaths | indent 10 }} +{{- end }} + - path: {{ $ingressPath }} + {{- if $ingressSupportsPathType }} + pathType: {{ $ingressPathType }} + {{- end }} + backend: + {{- if $ingressApiIsStable }} + service: + name: {{ $serviceName }} + port: + number: {{ $servicePort }} + {{- else }} + serviceName: {{ $serviceName }} + servicePort: {{ $servicePort }} + {{- end }} + {{- end -}} +{{- if .Values.alertmanager.ingress.tls }} + tls: +{{ toYaml .Values.alertmanager.ingress.tls | indent 4 }} + {{- end -}} +{{- end -}} \ No newline at end of file diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/alertmanager/netpol.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/alertmanager/netpol.yaml new file mode 100644 index 000000000..e44ade60e --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/alertmanager/netpol.yaml @@ -0,0 +1,20 @@ +{{- if and .Values.alertmanager.enabled .Values.networkPolicy.enabled -}} +apiVersion: {{ template "prometheus.networkPolicy.apiVersion" . }} +kind: NetworkPolicy +metadata: + name: {{ template "prometheus.alertmanager.fullname" . }} +{{ include "prometheus.namespace" . | indent 2 }} + labels: + {{- include "prometheus.alertmanager.labels" . | nindent 4 }} +spec: + podSelector: + matchLabels: + {{- include "prometheus.alertmanager.matchLabels" . | nindent 6 }} + ingress: + - from: + - podSelector: + matchLabels: + {{- include "prometheus.server.matchLabels" . | nindent 12 }} + - ports: + - port: 9093 +{{- end -}} diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/alertmanager/pdb.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/alertmanager/pdb.yaml new file mode 100644 index 000000000..41a92f364 --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/alertmanager/pdb.yaml @@ -0,0 +1,14 @@ +{{- if .Values.alertmanager.podDisruptionBudget.enabled }} +apiVersion: policy/v1beta1 +kind: PodDisruptionBudget +metadata: + name: {{ template "prometheus.alertmanager.fullname" . }} +{{ include "prometheus.namespace" . | indent 2 }} + labels: + {{- include "prometheus.alertmanager.labels" . | nindent 4 }} +spec: + maxUnavailable: {{ .Values.alertmanager.podDisruptionBudget.maxUnavailable }} + selector: + matchLabels: + {{- include "prometheus.alertmanager.labels" . | nindent 6 }} +{{- end }} diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/alertmanager/psp.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/alertmanager/psp.yaml new file mode 100644 index 000000000..64fb13003 --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/alertmanager/psp.yaml @@ -0,0 +1,46 @@ +{{- if and .Values.alertmanager.enabled .Values.rbac.create .Values.podSecurityPolicy.enabled }} +apiVersion: {{ template "prometheus.podSecurityPolicy.apiVersion" . }} +kind: PodSecurityPolicy +metadata: + name: {{ template "prometheus.alertmanager.fullname" . }} + labels: + {{- include "prometheus.alertmanager.labels" . | nindent 4 }} + annotations: +{{- if .Values.alertmanager.podSecurityPolicy.annotations }} +{{ toYaml .Values.alertmanager.podSecurityPolicy.annotations | indent 4 }} +{{- end }} +spec: + privileged: false + allowPrivilegeEscalation: false + requiredDropCapabilities: + - ALL + volumes: + - 'configMap' + - 'persistentVolumeClaim' + - 'emptyDir' + - 'secret' + allowedHostPaths: + - pathPrefix: /etc + readOnly: true + - pathPrefix: {{ .Values.alertmanager.persistentVolume.mountPath }} + hostNetwork: false + hostPID: false + hostIPC: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'MustRunAs' + ranges: + # Forbid adding the root group. + - min: 1 + max: 65535 + fsGroup: + rule: 'MustRunAs' + ranges: + # Forbid adding the root group. + - min: 1 + max: 65535 + readOnlyRootFilesystem: true +{{- end }} diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/alertmanager/pvc.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/alertmanager/pvc.yaml new file mode 100644 index 000000000..160e296a5 --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/alertmanager/pvc.yaml @@ -0,0 +1,37 @@ +{{- if not .Values.alertmanager.statefulSet.enabled -}} +{{- if and .Values.alertmanager.enabled .Values.alertmanager.persistentVolume.enabled -}} +{{- if not .Values.alertmanager.persistentVolume.existingClaim -}} +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + {{- if .Values.alertmanager.persistentVolume.annotations }} + annotations: +{{ toYaml .Values.alertmanager.persistentVolume.annotations | indent 4 }} + {{- end }} + labels: + {{- include "prometheus.alertmanager.labels" . | nindent 4 }} + name: {{ template "prometheus.alertmanager.fullname" . }} +{{ include "prometheus.namespace" . | indent 2 }} +spec: + accessModes: +{{ toYaml .Values.alertmanager.persistentVolume.accessModes | indent 4 }} +{{- if .Values.alertmanager.persistentVolume.storageClass }} +{{- if (eq "-" .Values.alertmanager.persistentVolume.storageClass) }} + storageClassName: "" +{{- else }} + storageClassName: "{{ .Values.alertmanager.persistentVolume.storageClass }}" +{{- end }} +{{- end }} +{{- if .Values.alertmanager.persistentVolume.volumeBindingMode }} + volumeBindingMode: "{{ .Values.alertmanager.persistentVolume.volumeBindingMode }}" +{{- end }} + resources: + requests: + storage: "{{ .Values.alertmanager.persistentVolume.size }}" +{{- if .Values.alertmanager.persistentVolume.selector }} + selector: + {{- toYaml .Values.alertmanager.persistentVolume.selector | nindent 4 }} +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/alertmanager/role.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/alertmanager/role.yaml new file mode 100644 index 000000000..ce60eaf0a --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/alertmanager/role.yaml @@ -0,0 +1,24 @@ +{{- if and .Values.alertmanager.enabled .Values.rbac.create (eq .Values.alertmanager.useClusterRole false) (not .Values.alertmanager.useExistingRole) -}} +{{- range $.Values.alertmanager.namespaces }} +apiVersion: {{ template "rbac.apiVersion" . }} +kind: Role +metadata: + labels: + {{- include "prometheus.alertmanager.labels" $ | nindent 4 }} + name: {{ template "prometheus.alertmanager.fullname" $ }} + namespace: {{ . }} +rules: +{{- if $.Values.podSecurityPolicy.enabled }} + - apiGroups: + - extensions + resources: + - podsecuritypolicies + verbs: + - use + resourceNames: + - {{ template "prometheus.alertmanager.fullname" $ }} +{{- else }} + [] +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/alertmanager/rolebinding.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/alertmanager/rolebinding.yaml new file mode 100644 index 000000000..906d6522d --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/alertmanager/rolebinding.yaml @@ -0,0 +1,23 @@ +{{- if and .Values.alertmanager.enabled .Values.rbac.create (eq .Values.alertmanager.useClusterRole false) -}} +{{ range $.Values.alertmanager.namespaces }} +apiVersion: {{ template "rbac.apiVersion" . }} +kind: RoleBinding +metadata: + labels: + {{- include "prometheus.alertmanager.labels" $ | nindent 4 }} + name: {{ template "prometheus.alertmanager.fullname" $ }} + namespace: {{ . }} +subjects: + - kind: ServiceAccount + name: {{ template "prometheus.serviceAccountName.alertmanager" $ }} +{{ include "prometheus.namespace" $ | indent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role +{{- if (not $.Values.alertmanager.useExistingRole) }} + name: {{ template "prometheus.alertmanager.fullname" $ }} +{{- else }} + name: {{ $.Values.alertmanager.useExistingRole }} +{{- end }} +{{- end }} +{{ end }} diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/alertmanager/service.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/alertmanager/service.yaml new file mode 100644 index 000000000..9edc9ac65 --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/alertmanager/service.yaml @@ -0,0 +1,53 @@ +{{- if .Values.alertmanager.enabled -}} +apiVersion: v1 +kind: Service +metadata: +{{- if .Values.alertmanager.service.annotations }} + annotations: +{{ toYaml .Values.alertmanager.service.annotations | indent 4 }} +{{- end }} + labels: + {{- include "prometheus.alertmanager.labels" . | nindent 4 }} +{{- if .Values.alertmanager.service.labels }} +{{ toYaml .Values.alertmanager.service.labels | indent 4 }} +{{- end }} + name: {{ template "prometheus.alertmanager.fullname" . }} +{{ include "prometheus.namespace" . | indent 2 }} +spec: +{{- if .Values.alertmanager.service.clusterIP }} + clusterIP: {{ .Values.alertmanager.service.clusterIP }} +{{- end }} +{{- if .Values.alertmanager.service.externalIPs }} + externalIPs: +{{ toYaml .Values.alertmanager.service.externalIPs | indent 4 }} +{{- end }} +{{- if .Values.alertmanager.service.loadBalancerIP }} + loadBalancerIP: {{ .Values.alertmanager.service.loadBalancerIP }} +{{- end }} +{{- if .Values.alertmanager.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: + {{- range $cidr := .Values.alertmanager.service.loadBalancerSourceRanges }} + - {{ $cidr }} + {{- end }} +{{- end }} + ports: + - name: http + port: {{ .Values.alertmanager.service.servicePort }} + protocol: TCP + targetPort: 9093 + {{- if .Values.alertmanager.service.nodePort }} + nodePort: {{ .Values.alertmanager.service.nodePort }} + {{- end }} +{{- if .Values.alertmanager.service.enableMeshPeer }} + - name: meshpeer + port: 6783 + protocol: TCP + targetPort: 6783 +{{- end }} + selector: + {{- include "prometheus.alertmanager.matchLabels" . | nindent 4 }} +{{- if .Values.alertmanager.service.sessionAffinity }} + sessionAffinity: {{ .Values.alertmanager.service.sessionAffinity }} +{{- end }} + type: "{{ .Values.alertmanager.service.type }}" +{{- end }} diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/alertmanager/serviceaccount.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/alertmanager/serviceaccount.yaml new file mode 100644 index 000000000..a5d996a85 --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/alertmanager/serviceaccount.yaml @@ -0,0 +1,11 @@ +{{- if and .Values.alertmanager.enabled .Values.serviceAccounts.alertmanager.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + {{- include "prometheus.alertmanager.labels" . | nindent 4 }} + name: {{ template "prometheus.serviceAccountName.alertmanager" . }} +{{ include "prometheus.namespace" . | indent 2 }} + annotations: +{{ toYaml .Values.serviceAccounts.alertmanager.annotations | indent 4 }} +{{- end -}} diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/alertmanager/sts.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/alertmanager/sts.yaml new file mode 100644 index 000000000..b978108ac --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/alertmanager/sts.yaml @@ -0,0 +1,188 @@ +{{- if and .Values.alertmanager.enabled .Values.alertmanager.statefulSet.enabled -}} +apiVersion: apps/v1 +kind: StatefulSet +metadata: +{{- if .Values.alertmanager.statefulSet.annotations }} + annotations: + {{ toYaml .Values.alertmanager.statefulSet.annotations | nindent 4 }} +{{- end }} + labels: + {{- include "prometheus.alertmanager.labels" . | nindent 4 }} + {{- if .Values.alertmanager.statefulSet.labels}} + {{ toYaml .Values.alertmanager.statefulSet.labels | nindent 4 }} + {{- end}} + name: {{ template "prometheus.alertmanager.fullname" . }} +{{ include "prometheus.namespace" . | indent 2 }} +spec: + serviceName: {{ template "prometheus.alertmanager.fullname" . }}-headless + selector: + matchLabels: + {{- include "prometheus.alertmanager.matchLabels" . | nindent 6 }} + replicas: {{ .Values.alertmanager.replicaCount }} + podManagementPolicy: {{ .Values.alertmanager.statefulSet.podManagementPolicy }} + template: + metadata: + {{- if .Values.alertmanager.podAnnotations }} + annotations: + {{ toYaml .Values.alertmanager.podAnnotations | nindent 8 }} + {{- end }} + labels: + {{- include "prometheus.alertmanager.labels" . | nindent 8 }} + {{- if .Values.alertmanager.podLabels}} + {{ toYaml .Values.alertmanager.podLabels | nindent 8 }} + {{- end}} + spec: +{{- if .Values.alertmanager.affinity }} + affinity: +{{ toYaml .Values.alertmanager.affinity | indent 8 }} +{{- end }} +{{- if .Values.alertmanager.schedulerName }} + schedulerName: "{{ .Values.alertmanager.schedulerName }}" +{{- end }} + serviceAccountName: {{ template "prometheus.serviceAccountName.alertmanager" . }} +{{- if .Values.alertmanager.priorityClassName }} + priorityClassName: "{{ .Values.alertmanager.priorityClassName }}" +{{- end }} + containers: + - name: {{ template "prometheus.name" . }}-{{ .Values.alertmanager.name }} + image: "{{ .Values.alertmanager.image.registry }}/{{ .Values.alertmanager.image.repository }}:{{ .Values.alertmanager.image.tag }}" + imagePullPolicy: "{{ .Values.alertmanager.image.pullPolicy }}" + env: + {{- range $key, $value := .Values.alertmanager.extraEnv }} + - name: {{ $key }} + value: {{ $value }} + {{- end }} + - name: POD_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + args: + - --config.file=/etc/config/alertmanager.yml + - --storage.path={{ .Values.alertmanager.persistentVolume.mountPath }} + {{- if .Values.alertmanager.statefulSet.headless.enableMeshPeer }} + - --cluster.advertise-address=[$(POD_IP)]:6783 + - --cluster.listen-address=0.0.0.0:6783 + {{- range $n := until (.Values.alertmanager.replicaCount | int) }} + - --cluster.peer={{ template "prometheus.alertmanager.fullname" $ }}-{{ $n }}.{{ template "prometheus.alertmanager.fullname" $ }}-headless:6783 + {{- end }} + {{- else }} + - --cluster.listen-address= + {{- end }} + {{- range $key, $value := .Values.alertmanager.extraArgs }} + - --{{ $key }}={{ $value }} + {{- end }} + {{- if .Values.alertmanager.baseURL }} + - --web.external-url={{ .Values.alertmanager.baseURL }} + {{- end }} + + ports: + - containerPort: 9093 + {{- if .Values.alertmanager.statefulSet.headless.enableMeshPeer }} + - containerPort: 6783 + {{- end }} + readinessProbe: + httpGet: + path: {{ .Values.alertmanager.prefixURL }}/#/status + port: 9093 + initialDelaySeconds: 30 + timeoutSeconds: 30 + resources: +{{ toYaml .Values.alertmanager.resources | indent 12 }} + volumeMounts: + - name: config-volume + mountPath: /etc/config + - name: storage-volume + mountPath: "{{ .Values.alertmanager.persistentVolume.mountPath }}" + subPath: "{{ .Values.alertmanager.persistentVolume.subPath }}" + {{- range .Values.alertmanager.extraSecretMounts }} + - name: {{ .name }} + mountPath: {{ .mountPath }} + subPath: {{ .subPath }} + readOnly: {{ .readOnly }} + {{- end }} + {{- if .Values.configmapReload.alertmanager.enabled }} + - name: {{ template "prometheus.name" . }}-{{ .Values.alertmanager.name }}-{{ .Values.configmapReload.alertmanager.name }} + image: "{{ .Values.configmapReload.alertmanager.image.registry }}/{{ .Values.configmapReload.alertmanager.image.repository }}:{{ .Values.configmapReload.alertmanager.image.tag }}" + imagePullPolicy: "{{ .Values.configmapReload.alertmanager.image.pullPolicy }}" + args: + - --volume-dir=/etc/config + - --webhook-url=http://localhost:9093{{ .Values.alertmanager.prefixURL }}/-/reload + {{- range $key, $value := .Values.configmapReload.alertmanager.extraArgs }} + - --{{ $key }}={{ $value }} + {{- end }} + {{- if .Values.configmapReload.alertmanager.port }} + ports: + - containerPort: {{ .Values.configmapReload.alertmanager.port }} + {{- end }} + resources: +{{ toYaml .Values.configmapReload.alertmanager.resources | indent 12 }} + volumeMounts: + - name: config-volume + mountPath: /etc/config + readOnly: true + {{- end }} + {{- if .Values.imagePullSecrets }} + imagePullSecrets: +{{ toYaml .Values.imagePullSecrets | indent 8 }} + {{- end }} + {{- if .Values.alertmanager.nodeSelector }} + nodeSelector: +{{ toYaml .Values.alertmanager.nodeSelector | indent 8 }} + {{- end }} + {{- if .Values.alertmanager.securityContext }} + securityContext: +{{ toYaml .Values.alertmanager.securityContext | indent 8 }} + {{- end }} + {{- if .Values.alertmanager.tolerations }} + tolerations: +{{ toYaml .Values.alertmanager.tolerations | indent 8 }} + {{- end }} + volumes: + - name: config-volume + {{- if empty .Values.alertmanager.configFromSecret }} + configMap: + name: {{ if .Values.alertmanager.configMapOverrideName }}{{ .Release.Name }}-{{ .Values.alertmanager.configMapOverrideName }}{{- else }}{{ template "prometheus.alertmanager.fullname" . }}{{- end }} + {{- else }} + secret: + secretName: {{ .Values.alertmanager.configFromSecret }} + {{- end }} + {{- range .Values.alertmanager.extraSecretMounts }} + - name: {{ .name }} + secret: + secretName: {{ .secretName }} + {{- with .optional }} + optional: {{ . }} + {{- end }} + {{- end }} +{{- if .Values.alertmanager.persistentVolume.enabled }} + volumeClaimTemplates: + - metadata: + name: storage-volume + {{- if .Values.alertmanager.persistentVolume.annotations }} + annotations: +{{ toYaml .Values.alertmanager.persistentVolume.annotations | indent 10 }} + {{- end }} + spec: + accessModes: +{{ toYaml .Values.alertmanager.persistentVolume.accessModes | indent 10 }} + resources: + requests: + storage: "{{ .Values.alertmanager.persistentVolume.size }}" + {{- if .Values.server.persistentVolume.storageClass }} + {{- if (eq "-" .Values.server.persistentVolume.storageClass) }} + storageClassName: "" + {{- else }} + storageClassName: "{{ .Values.alertmanager.persistentVolume.storageClass }}" + {{- end }} + {{- end }} +{{- else }} + - name: storage-volume + emptyDir: + {{- if .Values.alertmanager.emptyDir.sizeLimit }} + sizeLimit: {{ .Values.alertmanager.emptyDir.sizeLimit }} + {{- else }} + {} + {{- end -}} +{{- end }} +{{- end }} diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/node-exporter/daemonset.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/node-exporter/daemonset.yaml new file mode 100644 index 000000000..010f790a9 --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/node-exporter/daemonset.yaml @@ -0,0 +1,150 @@ +{{- if .Values.nodeExporter.enabled -}} +apiVersion: {{ template "prometheus.daemonset.apiVersion" . }} +kind: DaemonSet +metadata: +{{- if .Values.nodeExporter.deploymentAnnotations }} + annotations: +{{ toYaml .Values.nodeExporter.deploymentAnnotations | indent 4 }} +{{- end }} + labels: + {{- include "prometheus.nodeExporter.labels" . | nindent 4 }} + name: {{ template "prometheus.nodeExporter.fullname" . }} +{{ include "prometheus.namespace" . | indent 2 }} +spec: + selector: + matchLabels: + {{- include "prometheus.nodeExporter.matchLabels" . | nindent 6 }} + {{- if .Values.nodeExporter.updateStrategy }} + updateStrategy: +{{ toYaml .Values.nodeExporter.updateStrategy | indent 4 }} + {{- end }} + template: + metadata: + {{- if .Values.nodeExporter.podAnnotations }} + annotations: +{{ toYaml .Values.nodeExporter.podAnnotations | indent 8 }} + {{- end }} + labels: + {{- include "prometheus.nodeExporter.labels" . | nindent 8 }} +{{- if .Values.nodeExporter.pod.labels }} +{{ toYaml .Values.nodeExporter.pod.labels | indent 8 }} +{{- end }} + spec: + serviceAccountName: {{ template "prometheus.serviceAccountName.nodeExporter" . }} + {{- if .Values.nodeExporter.extraInitContainers }} + initContainers: +{{ toYaml .Values.nodeExporter.extraInitContainers | indent 8 }} + {{- end }} +{{- if .Values.nodeExporter.priorityClassName }} + priorityClassName: "{{ .Values.nodeExporter.priorityClassName }}" +{{- end }} + containers: + - name: {{ template "prometheus.name" . }}-{{ .Values.nodeExporter.name }} + image: "{{ .Values.nodeExporter.image.registry }}/{{ .Values.nodeExporter.image.repository }}:{{ .Values.nodeExporter.image.tag }}" + imagePullPolicy: "{{ .Values.nodeExporter.image.pullPolicy }}" + args: + - --path.procfs=/host/proc + - --path.sysfs=/host/sys + {{- if .Values.nodeExporter.hostRootfs }} + - --path.rootfs=/host/root + {{- end }} + {{- if .Values.nodeExporter.hostNetwork }} + - --web.listen-address=:{{ .Values.nodeExporter.service.hostPort }} + {{- end }} + {{- range $key, $value := .Values.nodeExporter.extraArgs }} + {{- if $value }} + - --{{ $key }}={{ $value }} + {{- else }} + - --{{ $key }} + {{- end }} + {{- end }} + ports: + - name: metrics + {{- if .Values.nodeExporter.hostNetwork }} + containerPort: {{ .Values.nodeExporter.service.hostPort }} + {{- else }} + containerPort: 9100 + {{- end }} + hostPort: {{ .Values.nodeExporter.service.hostPort }} + resources: +{{ toYaml .Values.nodeExporter.resources | indent 12 }} + {{- if .Values.nodeExporter.container.securityContext }} + securityContext: +{{ toYaml .Values.nodeExporter.container.securityContext | indent 12 }} + {{- end }} + volumeMounts: + - name: proc + mountPath: /host/proc + readOnly: true + - name: sys + mountPath: /host/sys + readOnly: true + {{- if .Values.nodeExporter.hostRootfs }} + - name: root + mountPath: /host/root + mountPropagation: HostToContainer + readOnly: true + {{- end }} + {{- range .Values.nodeExporter.extraHostPathMounts }} + - name: {{ .name }} + mountPath: {{ .mountPath }} + readOnly: {{ .readOnly }} + {{- if .mountPropagation }} + mountPropagation: {{ .mountPropagation }} + {{- end }} + {{- end }} + {{- range .Values.nodeExporter.extraConfigmapMounts }} + - name: {{ .name }} + mountPath: {{ .mountPath }} + readOnly: {{ .readOnly }} + {{- end }} + {{- if .Values.imagePullSecrets }} + imagePullSecrets: +{{ toYaml .Values.imagePullSecrets | indent 8 }} + {{- end }} + {{- if .Values.nodeExporter.hostNetwork }} + hostNetwork: true + {{- end }} + {{- if .Values.nodeExporter.hostPID }} + hostPID: true + {{- end }} + {{- if .Values.nodeExporter.tolerations }} + tolerations: +{{ toYaml .Values.nodeExporter.tolerations | indent 8 }} + {{- end }} + {{- if .Values.nodeExporter.nodeSelector }} + nodeSelector: +{{ toYaml .Values.nodeExporter.nodeSelector | indent 8 }} + {{- end }} + {{- with .Values.nodeExporter.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.nodeExporter.securityContext }} + securityContext: +{{ toYaml .Values.nodeExporter.securityContext | indent 8 }} + {{- end }} + volumes: + - name: proc + hostPath: + path: /proc + - name: sys + hostPath: + path: /sys + {{- if .Values.nodeExporter.hostRootfs }} + - name: root + hostPath: + path: / + {{- end }} + {{- range .Values.nodeExporter.extraHostPathMounts }} + - name: {{ .name }} + hostPath: + path: {{ .hostPath }} + {{- end }} + {{- range .Values.nodeExporter.extraConfigmapMounts }} + - name: {{ .name }} + configMap: + name: {{ .configMap }} + {{- end }} + +{{- end -}} diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/node-exporter/psp.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/node-exporter/psp.yaml new file mode 100644 index 000000000..bd9c73bee --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/node-exporter/psp.yaml @@ -0,0 +1,55 @@ +{{- if and .Values.nodeExporter.enabled .Values.rbac.create .Values.podSecurityPolicy.enabled }} +apiVersion: {{ template "prometheus.podSecurityPolicy.apiVersion" . }} +kind: PodSecurityPolicy +metadata: + name: {{ template "prometheus.nodeExporter.fullname" . }} + labels: + {{- include "prometheus.nodeExporter.labels" . | nindent 4 }} + annotations: +{{- if .Values.nodeExporter.podSecurityPolicy.annotations }} +{{ toYaml .Values.nodeExporter.podSecurityPolicy.annotations | indent 4 }} +{{- end }} +spec: + privileged: false + allowPrivilegeEscalation: false + requiredDropCapabilities: + - ALL + volumes: + - 'configMap' + - 'hostPath' + - 'secret' + allowedHostPaths: + - pathPrefix: /proc + readOnly: true + - pathPrefix: /sys + readOnly: true + - pathPrefix: / + readOnly: true + {{- range .Values.nodeExporter.extraHostPathMounts }} + - pathPrefix: {{ .hostPath }} + readOnly: {{ .readOnly }} + {{- end }} + hostNetwork: {{ .Values.nodeExporter.hostNetwork }} + hostPID: {{ .Values.nodeExporter.hostPID }} + hostIPC: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'MustRunAs' + ranges: + # Forbid adding the root group. + - min: 1 + max: 65535 + fsGroup: + rule: 'MustRunAs' + ranges: + # Forbid adding the root group. + - min: 1 + max: 65535 + readOnlyRootFilesystem: false + hostPorts: + - min: 1 + max: 65535 +{{- end }} diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/node-exporter/role.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/node-exporter/role.yaml new file mode 100644 index 000000000..d8ef3ed90 --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/node-exporter/role.yaml @@ -0,0 +1,17 @@ +{{- if and .Values.nodeExporter.enabled .Values.rbac.create }} +{{- if or (default .Values.nodeExporter.podSecurityPolicy.enabled false) (.Values.podSecurityPolicy.enabled) }} +apiVersion: {{ template "rbac.apiVersion" . }} +kind: Role +metadata: + name: {{ template "prometheus.nodeExporter.fullname" . }} + labels: + {{- include "prometheus.nodeExporter.labels" . | nindent 4 }} +{{ include "prometheus.namespace" . | indent 2 }} +rules: +- apiGroups: ['extensions'] + resources: ['podsecuritypolicies'] + verbs: ['use'] + resourceNames: + - {{ template "prometheus.nodeExporter.fullname" . }} +{{- end }} +{{- end }} diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/node-exporter/rolebinding.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/node-exporter/rolebinding.yaml new file mode 100644 index 000000000..06914b70a --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/node-exporter/rolebinding.yaml @@ -0,0 +1,19 @@ +{{- if and .Values.nodeExporter.enabled .Values.rbac.create }} +{{- if .Values.podSecurityPolicy.enabled }} +apiVersion: {{ template "rbac.apiVersion" . }} +kind: RoleBinding +metadata: + name: {{ template "prometheus.nodeExporter.fullname" . }} + labels: + {{- include "prometheus.nodeExporter.labels" . | nindent 4 }} +{{ include "prometheus.namespace" . | indent 2 }} +roleRef: + kind: Role + name: {{ template "prometheus.nodeExporter.fullname" . }} + apiGroup: rbac.authorization.k8s.io +subjects: +- kind: ServiceAccount + name: {{ template "prometheus.serviceAccountName.nodeExporter" . }} +{{ include "prometheus.namespace" . | indent 2 }} +{{- end }} +{{- end }} diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/node-exporter/serviceaccount.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/node-exporter/serviceaccount.yaml new file mode 100644 index 000000000..0cf91afba --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/node-exporter/serviceaccount.yaml @@ -0,0 +1,11 @@ +{{- if and .Values.nodeExporter.enabled .Values.serviceAccounts.nodeExporter.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + {{- include "prometheus.nodeExporter.labels" . | nindent 4 }} + name: {{ template "prometheus.serviceAccountName.nodeExporter" . }} +{{ include "prometheus.namespace" . | indent 2 }} + annotations: +{{ toYaml .Values.serviceAccounts.nodeExporter.annotations | indent 4 }} +{{- end -}} diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/node-exporter/svc.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/node-exporter/svc.yaml new file mode 100644 index 000000000..26d1eaa21 --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/node-exporter/svc.yaml @@ -0,0 +1,47 @@ +{{- if .Values.nodeExporter.enabled -}} +apiVersion: v1 +kind: Service +metadata: +{{- if .Values.nodeExporter.service.annotations }} + annotations: +{{ toYaml .Values.nodeExporter.service.annotations | indent 4 }} +{{- end }} + labels: + {{- include "prometheus.nodeExporter.labels" . | nindent 4 }} +{{- if .Values.nodeExporter.service.labels }} +{{ toYaml .Values.nodeExporter.service.labels | indent 4 }} +{{- end }} + name: {{ template "prometheus.nodeExporter.fullname" . }} +{{ include "prometheus.namespace" . | indent 2 }} +spec: +{{- if .Values.nodeExporter.service.clusterIP }} + clusterIP: {{ .Values.nodeExporter.service.clusterIP }} +{{- end }} +{{- if .Values.nodeExporter.service.externalIPs }} + externalIPs: +{{ toYaml .Values.nodeExporter.service.externalIPs | indent 4 }} +{{- end }} +{{- if .Values.nodeExporter.service.loadBalancerIP }} + loadBalancerIP: {{ .Values.nodeExporter.service.loadBalancerIP }} +{{- end }} +{{- if .Values.nodeExporter.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: + {{- range $cidr := .Values.nodeExporter.service.loadBalancerSourceRanges }} + - {{ $cidr }} + {{- end }} +{{- end }} + ports: + - name: metrics + {{- if .Values.nodeExporter.hostNetwork }} + port: {{ .Values.nodeExporter.service.hostPort }} + protocol: TCP + targetPort: {{ .Values.nodeExporter.service.hostPort }} + {{- else }} + port: {{ .Values.nodeExporter.service.servicePort }} + protocol: TCP + targetPort: 9100 + {{- end }} + selector: + {{- include "prometheus.nodeExporter.matchLabels" . | nindent 4 }} + type: "{{ .Values.nodeExporter.service.type }}" +{{- end -}} diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/pushgateway/clusterrole.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/pushgateway/clusterrole.yaml new file mode 100644 index 000000000..76ecf053f --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/pushgateway/clusterrole.yaml @@ -0,0 +1,21 @@ +{{- if and .Values.pushgateway.enabled .Values.rbac.create -}} +apiVersion: {{ template "rbac.apiVersion" . }} +kind: ClusterRole +metadata: + labels: + {{- include "prometheus.pushgateway.labels" . | nindent 4 }} + name: {{ template "prometheus.pushgateway.fullname" . }} +rules: +{{- if .Values.podSecurityPolicy.enabled }} + - apiGroups: + - extensions + resources: + - podsecuritypolicies + verbs: + - use + resourceNames: + - {{ template "prometheus.pushgateway.fullname" . }} +{{- else }} + [] +{{- end }} +{{- end }} diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/pushgateway/clusterrolebinding.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/pushgateway/clusterrolebinding.yaml new file mode 100644 index 000000000..15770ee50 --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/pushgateway/clusterrolebinding.yaml @@ -0,0 +1,16 @@ +{{- if and .Values.pushgateway.enabled .Values.rbac.create -}} +apiVersion: {{ template "rbac.apiVersion" . }} +kind: ClusterRoleBinding +metadata: + labels: + {{- include "prometheus.pushgateway.labels" . | nindent 4 }} + name: {{ template "prometheus.pushgateway.fullname" . }} +subjects: + - kind: ServiceAccount + name: {{ template "prometheus.serviceAccountName.pushgateway" . }} +{{ include "prometheus.namespace" . | indent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "prometheus.pushgateway.fullname" . }} +{{- end }} diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/pushgateway/deploy.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/pushgateway/deploy.yaml new file mode 100644 index 000000000..9314a1f45 --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/pushgateway/deploy.yaml @@ -0,0 +1,119 @@ +{{- if .Values.pushgateway.enabled -}} +apiVersion: {{ template "prometheus.deployment.apiVersion" . }} +kind: Deployment +metadata: +{{- if .Values.pushgateway.deploymentAnnotations }} + annotations: + {{ toYaml .Values.pushgateway.deploymentAnnotations | nindent 4 }} +{{- end }} + labels: + {{- include "prometheus.pushgateway.labels" . | nindent 4 }} + name: {{ template "prometheus.pushgateway.fullname" . }} +{{ include "prometheus.namespace" . | indent 2 }} +spec: + selector: + {{- if .Values.schedulerName }} + schedulerName: "{{ .Values.schedulerName }}" + {{- end }} + matchLabels: + {{- include "prometheus.pushgateway.matchLabels" . | nindent 6 }} + replicas: {{ .Values.pushgateway.replicaCount }} + {{- if .Values.pushgateway.strategy }} + strategy: +{{ toYaml .Values.pushgateway.strategy | trim | indent 4 }} + {{ if eq .Values.pushgateway.strategy.type "Recreate" }}rollingUpdate: null{{ end }} +{{- end }} + template: + metadata: + {{- if .Values.pushgateway.podAnnotations }} + annotations: + {{ toYaml .Values.pushgateway.podAnnotations | nindent 8 }} + {{- end }} + labels: + {{- include "prometheus.pushgateway.labels" . | nindent 8 }} + {{- if .Values.pushgateway.podLabels }} + {{ toYaml .Values.pushgateway.podLabels | nindent 8 }} + {{- end }} + spec: + serviceAccountName: {{ template "prometheus.serviceAccountName.pushgateway" . }} + {{- if .Values.pushgateway.extraInitContainers }} + initContainers: +{{ toYaml .Values.pushgateway.extraInitContainers | indent 8 }} + {{- end }} +{{- if .Values.pushgateway.priorityClassName }} + priorityClassName: "{{ .Values.pushgateway.priorityClassName }}" +{{- end }} + containers: + - name: {{ template "prometheus.name" . }}-{{ .Values.pushgateway.name }} + image: "{{ .Values.pushgateway.image.registry }}/{{ .Values.pushgateway.image.repository }}:{{ .Values.pushgateway.image.tag }}" + imagePullPolicy: "{{ .Values.pushgateway.image.pullPolicy }}" + args: + {{- range $key, $value := .Values.pushgateway.extraArgs }} + {{- $stringvalue := toString $value }} + {{- if eq $stringvalue "true" }} + - --{{ $key }} + {{- else }} + - --{{ $key }}={{ $value }} + {{- end }} + {{- end }} + ports: + - containerPort: 9091 + livenessProbe: + httpGet: + {{- if (index .Values "pushgateway" "extraArgs" "web.route-prefix") }} + path: /{{ index .Values "pushgateway" "extraArgs" "web.route-prefix" }}/-/healthy + {{- else }} + path: /-/healthy + {{- end }} + port: 9091 + initialDelaySeconds: 10 + timeoutSeconds: 10 + readinessProbe: + httpGet: + {{- if (index .Values "pushgateway" "extraArgs" "web.route-prefix") }} + path: /{{ index .Values "pushgateway" "extraArgs" "web.route-prefix" }}/-/ready + {{- else }} + path: /-/ready + {{- end }} + port: 9091 + initialDelaySeconds: 10 + timeoutSeconds: 10 + resources: +{{ toYaml .Values.pushgateway.resources | indent 12 }} + {{- if .Values.pushgateway.persistentVolume.enabled }} + volumeMounts: + - name: storage-volume + mountPath: "{{ .Values.pushgateway.persistentVolume.mountPath }}" + subPath: "{{ .Values.pushgateway.persistentVolume.subPath }}" + {{- end }} + {{- if .Values.imagePullSecrets }} + imagePullSecrets: +{{ toYaml .Values.imagePullSecrets | indent 8 }} + {{- end }} + {{- if .Values.pushgateway.nodeSelector }} + nodeSelector: +{{ toYaml .Values.pushgateway.nodeSelector | indent 8 }} + {{- end }} + {{- with .Values.pushgateway.dnsConfig }} + dnsConfig: +{{ toYaml . | indent 8 }} + {{- end }} + {{- if .Values.pushgateway.securityContext }} + securityContext: +{{ toYaml .Values.pushgateway.securityContext | indent 8 }} + {{- end }} + {{- if .Values.pushgateway.tolerations }} + tolerations: +{{ toYaml .Values.pushgateway.tolerations | indent 8 }} + {{- end }} + {{- if .Values.pushgateway.affinity }} + affinity: +{{ toYaml .Values.pushgateway.affinity | indent 8 }} + {{- end }} + {{- if .Values.pushgateway.persistentVolume.enabled }} + volumes: + - name: storage-volume + persistentVolumeClaim: + claimName: {{ if .Values.pushgateway.persistentVolume.existingClaim }}{{ .Values.pushgateway.persistentVolume.existingClaim }}{{- else }}{{ template "prometheus.pushgateway.fullname" . }}{{- end }} + {{- end -}} +{{- end }} diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/pushgateway/ingress.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/pushgateway/ingress.yaml new file mode 100644 index 000000000..2ff72abd5 --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/pushgateway/ingress.yaml @@ -0,0 +1,54 @@ +{{- if and .Values.pushgateway.enabled .Values.pushgateway.ingress.enabled -}} +{{- $ingressApiIsStable := eq (include "ingress.isStable" .) "true" -}} +{{- $ingressSupportsIngressClassName := eq (include "ingress.supportsIngressClassName" .) "true" -}} +{{- $ingressSupportsPathType := eq (include "ingress.supportsPathType" .) "true" -}} +{{- $releaseName := .Release.Name -}} +{{- $serviceName := include "prometheus.pushgateway.fullname" . }} +{{- $servicePort := .Values.pushgateway.service.servicePort -}} +{{- $ingressPath := .Values.pushgateway.ingress.path -}} +{{- $ingressPathType := .Values.pushgateway.ingress.pathType -}} +{{- $extraPaths := .Values.pushgateway.ingress.extraPaths -}} +apiVersion: {{ template "ingress.apiVersion" . }} +kind: Ingress +metadata: +{{- if .Values.pushgateway.ingress.annotations }} + annotations: +{{ toYaml .Values.pushgateway.ingress.annotations | indent 4}} +{{- end }} + labels: + {{- include "prometheus.pushgateway.labels" . | nindent 4 }} + name: {{ template "prometheus.pushgateway.fullname" . }} +{{ include "prometheus.namespace" . | indent 2 }} +spec: + {{- if and $ingressSupportsIngressClassName .Values.pushgateway.ingress.ingressClassName }} + ingressClassName: {{ .Values.pushgateway.ingress.ingressClassName }} + {{- end }} + rules: + {{- range .Values.pushgateway.ingress.hosts }} + {{- $url := splitList "/" . }} + - host: {{ first $url }} + http: + paths: +{{ if $extraPaths }} +{{ toYaml $extraPaths | indent 10 }} +{{- end }} + - path: {{ $ingressPath }} + {{- if $ingressSupportsPathType }} + pathType: {{ $ingressPathType }} + {{- end }} + backend: + {{- if $ingressApiIsStable }} + service: + name: {{ $serviceName }} + port: + number: {{ $servicePort }} + {{- else }} + serviceName: {{ $serviceName }} + servicePort: {{ $servicePort }} + {{- end }} + {{- end -}} +{{- if .Values.pushgateway.ingress.tls }} + tls: +{{ toYaml .Values.pushgateway.ingress.tls | indent 4 }} + {{- end -}} +{{- end -}} \ No newline at end of file diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/pushgateway/netpol.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/pushgateway/netpol.yaml new file mode 100644 index 000000000..c8d1fb37e --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/pushgateway/netpol.yaml @@ -0,0 +1,20 @@ +{{- if and .Values.pushgateway.enabled .Values.networkPolicy.enabled -}} +apiVersion: {{ template "prometheus.networkPolicy.apiVersion" . }} +kind: NetworkPolicy +metadata: + name: {{ template "prometheus.pushgateway.fullname" . }} +{{ include "prometheus.namespace" . | indent 2 }} + labels: + {{- include "prometheus.pushgateway.labels" . | nindent 4 }} +spec: + podSelector: + matchLabels: + {{- include "prometheus.pushgateway.matchLabels" . | nindent 6 }} + ingress: + - from: + - podSelector: + matchLabels: + {{- include "prometheus.server.matchLabels" . | nindent 12 }} + - ports: + - port: 9091 +{{- end -}} diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/pushgateway/pdb.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/pushgateway/pdb.yaml new file mode 100644 index 000000000..50beb486d --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/pushgateway/pdb.yaml @@ -0,0 +1,14 @@ +{{- if .Values.pushgateway.podDisruptionBudget.enabled }} +apiVersion: policy/v1beta1 +kind: PodDisruptionBudget +metadata: + name: {{ template "prometheus.pushgateway.fullname" . }} +{{ include "prometheus.namespace" . | indent 2 }} + labels: + {{- include "prometheus.pushgateway.labels" . | nindent 4 }} +spec: + maxUnavailable: {{ .Values.pushgateway.podDisruptionBudget.maxUnavailable }} + selector: + matchLabels: + {{- include "prometheus.pushgateway.labels" . | nindent 6 }} +{{- end }} diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/pushgateway/psp.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/pushgateway/psp.yaml new file mode 100644 index 000000000..1ca3267f8 --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/pushgateway/psp.yaml @@ -0,0 +1,42 @@ +{{- if and .Values.pushgateway.enabled .Values.rbac.create .Values.podSecurityPolicy.enabled }} +apiVersion: {{ template "prometheus.podSecurityPolicy.apiVersion" . }} +kind: PodSecurityPolicy +metadata: + name: {{ template "prometheus.pushgateway.fullname" . }} + labels: + {{- include "prometheus.pushgateway.labels" . | nindent 4 }} + annotations: +{{- if .Values.pushgateway.podSecurityPolicy.annotations }} +{{ toYaml .Values.pushgateway.podSecurityPolicy.annotations | indent 4 }} +{{- end }} +spec: + privileged: false + allowPrivilegeEscalation: false + requiredDropCapabilities: + - ALL + volumes: + - 'persistentVolumeClaim' + - 'secret' + allowedHostPaths: + - pathPrefix: {{ .Values.pushgateway.persistentVolume.mountPath }} + hostNetwork: false + hostPID: false + hostIPC: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'MustRunAs' + ranges: + # Forbid adding the root group. + - min: 1 + max: 65535 + fsGroup: + rule: 'MustRunAs' + ranges: + # Forbid adding the root group. + - min: 1 + max: 65535 + readOnlyRootFilesystem: true +{{- end }} diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/pushgateway/pvc.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/pushgateway/pvc.yaml new file mode 100644 index 000000000..d5d64ddcc --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/pushgateway/pvc.yaml @@ -0,0 +1,31 @@ +{{- if .Values.pushgateway.persistentVolume.enabled -}} +{{- if not .Values.pushgateway.persistentVolume.existingClaim -}} +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + {{- if .Values.pushgateway.persistentVolume.annotations }} + annotations: +{{ toYaml .Values.pushgateway.persistentVolume.annotations | indent 4 }} + {{- end }} + labels: + {{- include "prometheus.pushgateway.labels" . | nindent 4 }} + name: {{ template "prometheus.pushgateway.fullname" . }} +{{ include "prometheus.namespace" . | indent 2 }} +spec: + accessModes: +{{ toYaml .Values.pushgateway.persistentVolume.accessModes | indent 4 }} +{{- if .Values.pushgateway.persistentVolume.storageClass }} +{{- if (eq "-" .Values.pushgateway.persistentVolume.storageClass) }} + storageClassName: "" +{{- else }} + storageClassName: "{{ .Values.pushgateway.persistentVolume.storageClass }}" +{{- end }} +{{- end }} +{{- if .Values.pushgateway.persistentVolume.volumeBindingMode }} + volumeBindingMode: "{{ .Values.pushgateway.persistentVolume.volumeBindingMode }}" +{{- end }} + resources: + requests: + storage: "{{ .Values.pushgateway.persistentVolume.size }}" +{{- end -}} +{{- end -}} diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/pushgateway/service.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/pushgateway/service.yaml new file mode 100644 index 000000000..f05f17c42 --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/pushgateway/service.yaml @@ -0,0 +1,41 @@ +{{- if .Values.pushgateway.enabled -}} +apiVersion: v1 +kind: Service +metadata: +{{- if .Values.pushgateway.service.annotations }} + annotations: +{{ toYaml .Values.pushgateway.service.annotations | indent 4}} +{{- end }} + labels: + {{- include "prometheus.pushgateway.labels" . | nindent 4 }} +{{- if .Values.pushgateway.service.labels }} +{{ toYaml .Values.pushgateway.service.labels | indent 4}} +{{- end }} + name: {{ template "prometheus.pushgateway.fullname" . }} +{{ include "prometheus.namespace" . | indent 2 }} +spec: +{{- if .Values.pushgateway.service.clusterIP }} + clusterIP: {{ .Values.pushgateway.service.clusterIP }} +{{- end }} +{{- if .Values.pushgateway.service.externalIPs }} + externalIPs: +{{ toYaml .Values.pushgateway.service.externalIPs | indent 4 }} +{{- end }} +{{- if .Values.pushgateway.service.loadBalancerIP }} + loadBalancerIP: {{ .Values.pushgateway.service.loadBalancerIP }} +{{- end }} +{{- if .Values.pushgateway.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: + {{- range $cidr := .Values.pushgateway.service.loadBalancerSourceRanges }} + - {{ $cidr }} + {{- end }} +{{- end }} + ports: + - name: http + port: {{ .Values.pushgateway.service.servicePort }} + protocol: TCP + targetPort: 9091 + selector: + {{- include "prometheus.pushgateway.matchLabels" . | nindent 4 }} + type: "{{ .Values.pushgateway.service.type }}" +{{- end }} diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/pushgateway/serviceaccount.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/pushgateway/serviceaccount.yaml new file mode 100644 index 000000000..8c0b876f3 --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/pushgateway/serviceaccount.yaml @@ -0,0 +1,11 @@ +{{- if and .Values.pushgateway.enabled .Values.serviceAccounts.pushgateway.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + {{- include "prometheus.pushgateway.labels" . | nindent 4 }} + name: {{ template "prometheus.serviceAccountName.pushgateway" . }} +{{ include "prometheus.namespace" . | indent 2 }} + annotations: +{{ toYaml .Values.serviceAccounts.pushgateway.annotations | indent 4 }} +{{- end -}} diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/pushgateway/vpa.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/pushgateway/vpa.yaml new file mode 100644 index 000000000..0ac54f9fe --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/pushgateway/vpa.yaml @@ -0,0 +1,20 @@ +{{- if .Values.pushgateway.enabled -}} +{{- if .Values.pushgateway.verticalAutoscaler.enabled -}} +apiVersion: autoscaling.k8s.io/v1beta2 +kind: VerticalPodAutoscaler +metadata: + labels: + {{- include "prometheus.pushgateway.labels" . | nindent 4 }} + name: {{ template "prometheus.pushgateway.fullname" . }}-vpa +{{ include "prometheus.namespace" . | indent 2 }} +spec: + targetRef: + apiVersion: "apps/v1" + kind: Deployment + name: {{ template "prometheus.pushgateway.fullname" . }} + updatePolicy: + updateMode: {{ .Values.pushgateway.verticalAutoscaler.updateMode | default "Off" | quote }} + resourcePolicy: + containerPolicies: {{ .Values.pushgateway.verticalAutoscaler.containerPolicies | default list | toYaml | trim | nindent 4 }} +{{- end -}} {{/* if .Values.pushgateway.verticalAutoscaler.enabled */}} +{{- end -}} {{/* .Values.pushgateway.enabled */}} diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/server/clusterrole.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/server/clusterrole.yaml new file mode 100644 index 000000000..2520235ab --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/server/clusterrole.yaml @@ -0,0 +1,48 @@ +{{- if and .Values.server.enabled .Values.rbac.create (empty .Values.server.useExistingClusterRoleName) -}} +apiVersion: {{ template "rbac.apiVersion" . }} +kind: ClusterRole +metadata: + labels: + {{- include "prometheus.server.labels" . | nindent 4 }} + name: {{ template "prometheus.server.fullname" . }} +rules: +{{- if .Values.podSecurityPolicy.enabled }} + - apiGroups: + - extensions + resources: + - podsecuritypolicies + verbs: + - use + resourceNames: + - {{ template "prometheus.server.fullname" . }} +{{- end }} + - apiGroups: + - "" + resources: + - nodes + - nodes/proxy + - nodes/metrics + - services + - endpoints + - pods + - ingresses + - configmaps + verbs: + - get + - list + - watch + - apiGroups: + - "extensions" + - "networking.k8s.io" + resources: + - ingresses/status + - ingresses + verbs: + - get + - list + - watch + - nonResourceURLs: + - "/metrics" + verbs: + - get +{{- end }} diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/server/clusterrolebinding.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/server/clusterrolebinding.yaml new file mode 100644 index 000000000..5a79611ff --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/server/clusterrolebinding.yaml @@ -0,0 +1,16 @@ +{{- if and .Values.server.enabled .Values.rbac.create (empty .Values.server.namespaces) (empty .Values.server.useExistingClusterRoleName) -}} +apiVersion: {{ template "rbac.apiVersion" . }} +kind: ClusterRoleBinding +metadata: + labels: + {{- include "prometheus.server.labels" . | nindent 4 }} + name: {{ template "prometheus.server.fullname" . }} +subjects: + - kind: ServiceAccount + name: {{ template "prometheus.serviceAccountName.server" . }} +{{ include "prometheus.namespace" . | indent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "prometheus.server.fullname" . }} +{{- end }} diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/server/cm.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/server/cm.yaml new file mode 100644 index 000000000..a0a813ae2 --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/server/cm.yaml @@ -0,0 +1,85 @@ +{{- if .Values.server.enabled -}} +{{- if (empty .Values.server.configMapOverrideName) -}} +apiVersion: v1 +kind: ConfigMap +metadata: + labels: + {{- include "prometheus.server.labels" . | nindent 4 }} + name: {{ template "prometheus.server.fullname" . }} +{{ include "prometheus.namespace" . | indent 2 }} +data: +{{- $root := . -}} +{{- range $key, $value := .Values.ruleFiles }} + {{ $key }}: {{- toYaml $value | indent 2 }} +{{- end }} +{{- range $key, $value := .Values.serverFiles }} + {{ $key }}: | +{{- if eq $key "prometheus.yml" }} + global: +{{ $root.Values.server.global | toYaml | trimSuffix "\n" | indent 6 }} +{{- if $root.Values.server.remoteWrite }} + remote_write: +{{ $root.Values.server.remoteWrite | toYaml | indent 4 }} +{{- end }} +{{- if $root.Values.server.remoteRead }} + remote_read: +{{ $root.Values.server.remoteRead | toYaml | indent 4 }} +{{- end }} +{{- end }} +{{- if eq $key "alerts" }} +{{- if and (not (empty $value)) (empty $value.groups) }} + groups: +{{- range $ruleKey, $ruleValue := $value }} + - name: {{ $ruleKey -}}.rules + rules: +{{ $ruleValue | toYaml | trimSuffix "\n" | indent 6 }} +{{- end }} +{{- else }} +{{ toYaml $value | indent 4 }} +{{- end }} +{{- else }} +{{ toYaml $value | default "{}" | indent 4 }} +{{- end }} +{{- if eq $key "prometheus.yml" -}} +{{- if $root.Values.extraScrapeConfigs }} +{{ tpl $root.Values.extraScrapeConfigs $root | indent 4 }} +{{- end -}} +{{- if or ($root.Values.alertmanager.enabled) ($root.Values.server.alertmanagers) }} + alerting: +{{- if $root.Values.alertRelabelConfigs }} +{{ $root.Values.alertRelabelConfigs | toYaml | trimSuffix "\n" | indent 6 }} +{{- end }} + alertmanagers: +{{- if $root.Values.server.alertmanagers }} +{{ toYaml $root.Values.server.alertmanagers | indent 8 }} +{{- else }} + - kubernetes_sd_configs: + - role: pod + tls_config: + ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + {{- if $root.Values.alertmanager.prefixURL }} + path_prefix: {{ $root.Values.alertmanager.prefixURL }} + {{- end }} + relabel_configs: + - source_labels: [__meta_kubernetes_namespace] + regex: {{ $root.Release.Namespace }} + action: keep + - source_labels: [__meta_kubernetes_pod_label_app] + regex: {{ template "prometheus.name" $root }} + action: keep + - source_labels: [__meta_kubernetes_pod_label_component] + regex: alertmanager + action: keep + - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_probe] + regex: {{ index $root.Values.alertmanager.podAnnotations "prometheus.io/probe" | default ".*" }} + action: keep + - source_labels: [__meta_kubernetes_pod_container_port_number] + regex: "9093" + action: keep +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/server/deploy.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/server/deploy.yaml new file mode 100644 index 000000000..22808929e --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/server/deploy.yaml @@ -0,0 +1,324 @@ +{{- if .Values.server.enabled -}} +{{- if not .Values.server.statefulSet.enabled -}} +apiVersion: {{ template "prometheus.deployment.apiVersion" . }} +kind: Deployment +metadata: +{{- if .Values.server.deploymentAnnotations }} + annotations: + {{ toYaml .Values.server.deploymentAnnotations | nindent 4 }} +{{- end }} + labels: + {{- include "prometheus.server.labels" . | nindent 4 }} + name: {{ template "prometheus.server.fullname" . }} +{{ include "prometheus.namespace" . | indent 2 }} +spec: + selector: + matchLabels: + {{- include "prometheus.server.matchLabels" . | nindent 6 }} + replicas: {{ .Values.server.replicaCount }} + {{- if .Values.server.strategy }} + strategy: +{{ toYaml .Values.server.strategy | trim | indent 4 }} + {{ if eq .Values.server.strategy.type "Recreate" }}rollingUpdate: null{{ end }} +{{- end }} + template: + metadata: + {{- if .Values.server.podAnnotations }} + annotations: + {{ toYaml .Values.server.podAnnotations | nindent 8 }} + {{- end }} + labels: + {{- include "prometheus.server.labels" . | nindent 8 }} + {{- if .Values.server.podLabels}} + {{ toYaml .Values.server.podLabels | nindent 8 }} + {{- end}} + spec: +{{- if .Values.server.priorityClassName }} + priorityClassName: "{{ .Values.server.priorityClassName }}" +{{- end }} +{{- if .Values.server.schedulerName }} + schedulerName: "{{ .Values.server.schedulerName }}" +{{- end }} +{{- if semverCompare ">=1.13-0" .Capabilities.KubeVersion.GitVersion }} + {{- if or (.Values.server.enableServiceLinks) (eq (.Values.server.enableServiceLinks | toString) "") }} + enableServiceLinks: true + {{- else }} + enableServiceLinks: false + {{- end }} +{{- end }} + serviceAccountName: {{ template "prometheus.serviceAccountName.server" . }} + {{- if .Values.server.extraInitContainers }} + initContainers: +{{ toYaml .Values.server.extraInitContainers | indent 8 }} + {{- end }} + containers: + {{- if .Values.configmapReload.prometheus.enabled }} + - name: {{ template "prometheus.name" . }}-{{ .Values.server.name }}-{{ .Values.configmapReload.prometheus.name }} + image: "{{ .Values.configmapReload.prometheus.image.registry }}/{{ .Values.configmapReload.prometheus.image.repository }}:{{ .Values.configmapReload.prometheus.image.tag }}" + imagePullPolicy: "{{ .Values.configmapReload.prometheus.image.pullPolicy }}" + args: + - --volume-dir=/etc/config + - --webhook-url=http://127.0.0.1:9090{{ .Values.server.prefixURL }}/-/reload + {{- range $key, $value := .Values.configmapReload.prometheus.extraArgs }} + - --{{ $key }}={{ $value }} + {{- end }} + {{- range .Values.configmapReload.prometheus.extraVolumeDirs }} + - --volume-dir={{ . }} + {{- end }} + {{- if .Values.configmapReload.prometheus.containerPort }} + ports: + - containerPort: {{ .Values.configmapReload.prometheus.containerPort }} + {{- end }} + resources: +{{ toYaml .Values.configmapReload.prometheus.resources | indent 12 }} + volumeMounts: + - name: config-volume + mountPath: /etc/config + readOnly: true + {{- range .Values.configmapReload.prometheus.extraConfigmapMounts }} + - name: {{ $.Values.configmapReload.prometheus.name }}-{{ .name }} + mountPath: {{ .mountPath }} + subPath: {{ .subPath }} + readOnly: {{ .readOnly }} + {{- end }} + {{- end }} + + - name: {{ template "prometheus.name" . }}-{{ .Values.server.name }} + image: "{{ .Values.server.image.registry }}/{{ .Values.server.image.repository }}:{{ .Values.server.image.tag }}" + imagePullPolicy: "{{ .Values.server.image.pullPolicy }}" + {{- if .Values.server.env }} + env: +{{ toYaml .Values.server.env | indent 12}} + {{- end }} + args: + {{- if .Values.server.defaultFlagsOverride }} + {{ toYaml .Values.server.defaultFlagsOverride | nindent 12}} + {{- else }} + {{- if .Values.server.retention }} + - --storage.tsdb.retention.time={{ .Values.server.retention }} + {{- end }} + - --config.file={{ .Values.server.configPath }} + {{- if .Values.server.storagePath }} + - --storage.tsdb.path={{ .Values.server.storagePath }} + {{- else }} + - --storage.tsdb.path={{ .Values.server.persistentVolume.mountPath }} + {{- end }} + - --web.console.libraries=/etc/prometheus/console_libraries + - --web.console.templates=/etc/prometheus/consoles + {{- range .Values.server.extraFlags }} + - --{{ . }} + {{- end }} + {{- range $key, $value := .Values.server.extraArgs }} + - --{{ $key }}={{ $value }} + {{- end }} + {{- if .Values.server.prefixURL }} + - --web.route-prefix={{ .Values.server.prefixURL }} + {{- end }} + {{- if .Values.server.baseURL }} + - --web.external-url={{ .Values.server.baseURL }} + {{- end }} + {{- end }} + ports: + - containerPort: 9090 + {{- if .Values.server.hostPort }} + hostPort: {{ .Values.server.hostPort }} + {{- end }} + readinessProbe: + {{- if not .Values.server.tcpSocketProbeEnabled }} + httpGet: + path: {{ .Values.server.prefixURL }}/-/ready + port: 9090 + scheme: {{ .Values.server.probeScheme }} + {{- if .Values.server.probeHeaders }} + httpHeaders: + {{- range .Values.server.probeHeaders}} + - name: {{ .name }} + value: {{ .value }} + {{- end }} + {{- end }} + {{- else }} + tcpSocket: + port: 9090 + {{- end }} + initialDelaySeconds: {{ .Values.server.readinessProbeInitialDelay }} + periodSeconds: {{ .Values.server.readinessProbePeriodSeconds }} + timeoutSeconds: {{ .Values.server.readinessProbeTimeout }} + failureThreshold: {{ .Values.server.readinessProbeFailureThreshold }} + successThreshold: {{ .Values.server.readinessProbeSuccessThreshold }} + livenessProbe: + {{- if not .Values.server.tcpSocketProbeEnabled }} + httpGet: + path: {{ .Values.server.prefixURL }}/-/healthy + port: 9090 + scheme: {{ .Values.server.probeScheme }} + {{- if .Values.server.probeHeaders }} + httpHeaders: + {{- range .Values.server.probeHeaders}} + - name: {{ .name }} + value: {{ .value }} + {{- end }} + {{- end }} + {{- else }} + tcpSocket: + port: 9090 + {{- end }} + initialDelaySeconds: {{ .Values.server.livenessProbeInitialDelay }} + periodSeconds: {{ .Values.server.livenessProbePeriodSeconds }} + timeoutSeconds: {{ .Values.server.livenessProbeTimeout }} + failureThreshold: {{ .Values.server.livenessProbeFailureThreshold }} + successThreshold: {{ .Values.server.livenessProbeSuccessThreshold }} + {{- if .Values.server.startupProbe.enabled }} + startupProbe: + {{- if not .Values.server.tcpSocketProbeEnabled }} + httpGet: + path: {{ .Values.server.prefixURL }}/-/healthy + port: 9090 + scheme: {{ .Values.server.probeScheme }} + {{- if .Values.server.probeHeaders }} + httpHeaders: + {{- range .Values.server.probeHeaders}} + - name: {{ .name }} + value: {{ .value }} + {{- end }} + {{- end }} + {{- else }} + tcpSocket: + port: 9090 + {{- end }} + failureThreshold: {{ .Values.server.startupProbe.failureThreshold }} + periodSeconds: {{ .Values.server.startupProbe.periodSeconds }} + timeoutSeconds: {{ .Values.server.startupProbe.timeoutSeconds }} + {{- end }} + resources: +{{ toYaml .Values.server.resources | indent 12 }} + volumeMounts: + - name: config-volume + mountPath: /etc/config + - name: storage-volume + mountPath: {{ .Values.server.persistentVolume.mountPath }} + subPath: "{{ .Values.server.persistentVolume.subPath }}" + {{- range .Values.server.extraHostPathMounts }} + - name: {{ .name }} + mountPath: {{ .mountPath }} + subPath: {{ .subPath }} + readOnly: {{ .readOnly }} + {{- end }} + {{- range .Values.server.extraConfigmapMounts }} + - name: {{ $.Values.server.name }}-{{ .name }} + mountPath: {{ .mountPath }} + subPath: {{ .subPath }} + readOnly: {{ .readOnly }} + {{- end }} + {{- range .Values.server.extraSecretMounts }} + - name: {{ .name }} + mountPath: {{ .mountPath }} + subPath: {{ .subPath }} + readOnly: {{ .readOnly }} + {{- end }} + {{- if .Values.server.extraVolumeMounts }} + {{ toYaml .Values.server.extraVolumeMounts | nindent 12 }} + {{- end }} + {{- if .Values.server.containerSecurityContext }} + securityContext: + {{- toYaml .Values.server.containerSecurityContext | nindent 12 }} + {{- end }} + {{- if .Values.server.sidecarContainers }} + {{- range $name, $spec := .Values.server.sidecarContainers }} + - name: {{ $name }} + {{- if kindIs "string" $spec }} + {{- tpl $spec $ | nindent 10 }} + {{- else }} + {{- toYaml $spec | nindent 10 }} + {{- end }} + {{- end }} + {{- end }} + hostNetwork: {{ .Values.server.hostNetwork }} + {{- if .Values.server.dnsPolicy }} + dnsPolicy: {{ .Values.server.dnsPolicy }} + {{- end }} + {{- if .Values.imagePullSecrets }} + imagePullSecrets: +{{ toYaml .Values.imagePullSecrets | indent 8 }} + {{- end }} + {{- if .Values.server.nodeSelector }} + nodeSelector: +{{ toYaml .Values.server.nodeSelector | indent 8 }} + {{- end }} + {{- if .Values.server.hostAliases }} + hostAliases: +{{ toYaml .Values.server.hostAliases | indent 8 }} + {{- end }} + {{- if .Values.server.dnsConfig }} + dnsConfig: +{{ toYaml .Values.server.dnsConfig | indent 8 }} + {{- end }} + {{- if .Values.server.securityContext }} + securityContext: +{{ toYaml .Values.server.securityContext | indent 8 }} + {{- end }} + {{- if .Values.server.tolerations }} + tolerations: +{{ toYaml .Values.server.tolerations | indent 8 }} + {{- end }} + {{- if .Values.server.affinity }} + affinity: +{{ toYaml .Values.server.affinity | indent 8 }} + {{- end }} + terminationGracePeriodSeconds: {{ .Values.server.terminationGracePeriodSeconds }} + volumes: + - name: config-volume + {{- if empty .Values.server.configFromSecret }} + configMap: + name: {{ if .Values.server.configMapOverrideName }}{{ .Release.Name }}-{{ .Values.server.configMapOverrideName }}{{- else }}{{ template "prometheus.server.fullname" . }}{{- end }} + {{- else }} + secret: + secretName: {{ .Values.server.configFromSecret }} + {{- end }} + {{- range .Values.server.extraHostPathMounts }} + - name: {{ .name }} + hostPath: + path: {{ .hostPath }} + {{- end }} + {{- range .Values.configmapReload.prometheus.extraConfigmapMounts }} + - name: {{ $.Values.configmapReload.prometheus.name }}-{{ .name }} + configMap: + name: {{ .configMap }} + {{- end }} + {{- range .Values.server.extraConfigmapMounts }} + - name: {{ $.Values.server.name }}-{{ .name }} + configMap: + name: {{ .configMap }} + {{- end }} + {{- range .Values.server.extraSecretMounts }} + - name: {{ .name }} + secret: + secretName: {{ .secretName }} + {{- with .optional }} + optional: {{ . }} + {{- end }} + {{- end }} + {{- range .Values.configmapReload.prometheus.extraConfigmapMounts }} + - name: {{ .name }} + configMap: + name: {{ .configMap }} + {{- with .optional }} + optional: {{ . }} + {{- end }} + {{- end }} +{{- if .Values.server.extraVolumes }} +{{ toYaml .Values.server.extraVolumes | indent 8}} +{{- end }} + - name: storage-volume + {{- if .Values.server.persistentVolume.enabled }} + persistentVolumeClaim: + claimName: {{ if .Values.server.persistentVolume.existingClaim }}{{ .Values.server.persistentVolume.existingClaim }}{{- else }}{{ template "prometheus.server.fullname" . }}{{- end }} + {{- else }} + emptyDir: + {{- if .Values.server.emptyDir.sizeLimit }} + sizeLimit: {{ .Values.server.emptyDir.sizeLimit }} + {{- else }} + {} + {{- end -}} + {{- end -}} +{{- end -}} +{{- end -}} diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/server/extra-manifests.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/server/extra-manifests.yaml new file mode 100644 index 000000000..e46d4d8b9 --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/server/extra-manifests.yaml @@ -0,0 +1,4 @@ +{{ range .Values.server.extraObjects }} +--- +{{ tpl (toYaml .) $ }} +{{ end }} diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/server/headless-svc.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/server/headless-svc.yaml new file mode 100644 index 000000000..d519f4e0e --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/server/headless-svc.yaml @@ -0,0 +1,37 @@ +{{- if .Values.server.enabled -}} +{{- if .Values.server.statefulSet.enabled -}} +apiVersion: v1 +kind: Service +metadata: +{{- if .Values.server.statefulSet.headless.annotations }} + annotations: +{{ toYaml .Values.server.statefulSet.headless.annotations | indent 4 }} +{{- end }} + labels: + {{- include "prometheus.server.labels" . | nindent 4 }} +{{- if .Values.server.statefulSet.headless.labels }} +{{ toYaml .Values.server.statefulSet.headless.labels | indent 4 }} +{{- end }} + name: {{ template "prometheus.server.fullname" . }}-headless +{{ include "prometheus.namespace" . | indent 2 }} +spec: + clusterIP: None + ports: + - name: http + port: {{ .Values.server.statefulSet.headless.servicePort }} + protocol: TCP + targetPort: 9090 + {{- if .Values.server.statefulSet.headless.gRPC.enabled }} + - name: grpc + port: {{ .Values.server.statefulSet.headless.gRPC.servicePort }} + protocol: TCP + targetPort: 10901 + {{- if .Values.server.statefulSet.headless.gRPC.nodePort }} + nodePort: {{ .Values.server.statefulSet.headless.gRPC.nodePort }} + {{- end }} + {{- end }} + + selector: + {{- include "prometheus.server.matchLabels" . | nindent 4 }} +{{- end -}} +{{- end -}} diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/server/ingress.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/server/ingress.yaml new file mode 100644 index 000000000..000f39cab --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/server/ingress.yaml @@ -0,0 +1,59 @@ +{{- if .Values.server.enabled -}} +{{- if .Values.server.ingress.enabled -}} +{{- $ingressApiIsStable := eq (include "ingress.isStable" .) "true" -}} +{{- $ingressSupportsIngressClassName := eq (include "ingress.supportsIngressClassName" .) "true" -}} +{{- $ingressSupportsPathType := eq (include "ingress.supportsPathType" .) "true" -}} +{{- $releaseName := .Release.Name -}} +{{- $serviceName := include "prometheus.server.fullname" . }} +{{- $servicePort := .Values.server.service.servicePort -}} +{{- $ingressPath := .Values.server.ingress.path -}} +{{- $ingressPathType := .Values.server.ingress.pathType -}} +{{- $extraPaths := .Values.server.ingress.extraPaths -}} +apiVersion: {{ template "ingress.apiVersion" . }} +kind: Ingress +metadata: +{{- if .Values.server.ingress.annotations }} + annotations: +{{ toYaml .Values.server.ingress.annotations | indent 4 }} +{{- end }} + labels: + {{- include "prometheus.server.labels" . | nindent 4 }} +{{- range $key, $value := .Values.server.ingress.extraLabels }} + {{ $key }}: {{ $value }} +{{- end }} + name: {{ template "prometheus.server.fullname" . }} +{{ include "prometheus.namespace" . | indent 2 }} +spec: + {{- if and $ingressSupportsIngressClassName .Values.server.ingress.ingressClassName }} + ingressClassName: {{ .Values.server.ingress.ingressClassName }} + {{- end }} + rules: + {{- range .Values.server.ingress.hosts }} + {{- $url := splitList "/" . }} + - host: {{ first $url }} + http: + paths: +{{ if $extraPaths }} +{{ toYaml $extraPaths | indent 10 }} +{{- end }} + - path: {{ $ingressPath }} + {{- if $ingressSupportsPathType }} + pathType: {{ $ingressPathType }} + {{- end }} + backend: + {{- if $ingressApiIsStable }} + service: + name: {{ $serviceName }} + port: + number: {{ $servicePort }} + {{- else }} + serviceName: {{ $serviceName }} + servicePort: {{ $servicePort }} + {{- end }} + {{- end -}} +{{- if .Values.server.ingress.tls }} + tls: +{{ toYaml .Values.server.ingress.tls | indent 4 }} + {{- end -}} +{{- end -}} +{{- end -}} diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/server/netpol.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/server/netpol.yaml new file mode 100644 index 000000000..c8870e9ff --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/server/netpol.yaml @@ -0,0 +1,18 @@ +{{- if .Values.server.enabled -}} +{{- if .Values.networkPolicy.enabled }} +apiVersion: {{ template "prometheus.networkPolicy.apiVersion" . }} +kind: NetworkPolicy +metadata: + name: {{ template "prometheus.server.fullname" . }} +{{ include "prometheus.namespace" . | indent 2 }} + labels: + {{- include "prometheus.server.labels" . | nindent 4 }} +spec: + podSelector: + matchLabels: + {{- include "prometheus.server.matchLabels" . | nindent 6 }} + ingress: + - ports: + - port: 9090 +{{- end }} +{{- end }} diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/server/pdb.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/server/pdb.yaml new file mode 100644 index 000000000..364cb5b49 --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/server/pdb.yaml @@ -0,0 +1,14 @@ +{{- if .Values.server.podDisruptionBudget.enabled }} +apiVersion: policy/v1beta1 +kind: PodDisruptionBudget +metadata: + name: {{ template "prometheus.server.fullname" . }} +{{ include "prometheus.namespace" . | indent 2 }} + labels: + {{- include "prometheus.server.labels" . | nindent 4 }} +spec: + maxUnavailable: {{ .Values.server.podDisruptionBudget.maxUnavailable }} + selector: + matchLabels: + {{- include "prometheus.server.labels" . | nindent 6 }} +{{- end }} diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/server/psp.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/server/psp.yaml new file mode 100644 index 000000000..e2b885f16 --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/server/psp.yaml @@ -0,0 +1,51 @@ +{{- if and .Values.server.enabled .Values.rbac.create .Values.podSecurityPolicy.enabled }} +apiVersion: {{ template "prometheus.podSecurityPolicy.apiVersion" . }} +kind: PodSecurityPolicy +metadata: + name: {{ template "prometheus.server.fullname" . }} + labels: + {{- include "prometheus.server.labels" . | nindent 4 }} + annotations: +{{- if .Values.server.podSecurityPolicy.annotations }} +{{ toYaml .Values.server.podSecurityPolicy.annotations | indent 4 }} +{{- end }} +spec: + privileged: false + allowPrivilegeEscalation: false + allowedCapabilities: + - 'CHOWN' + volumes: + - 'configMap' + - 'persistentVolumeClaim' + - 'emptyDir' + - 'secret' + - 'hostPath' + allowedHostPaths: + - pathPrefix: /etc + readOnly: true + - pathPrefix: {{ .Values.server.persistentVolume.mountPath }} + {{- range .Values.server.extraHostPathMounts }} + - pathPrefix: {{ .hostPath }} + readOnly: {{ .readOnly }} + {{- end }} + hostNetwork: false + hostPID: false + hostIPC: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'MustRunAs' + ranges: + # Forbid adding the root group. + - min: 1 + max: 65535 + fsGroup: + rule: 'MustRunAs' + ranges: + # Forbid adding the root group. + - min: 1 + max: 65535 + readOnlyRootFilesystem: false +{{- end }} diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/server/pvc.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/server/pvc.yaml new file mode 100644 index 000000000..a7355365c --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/server/pvc.yaml @@ -0,0 +1,39 @@ +{{- if .Values.server.enabled -}} +{{- if not .Values.server.statefulSet.enabled -}} +{{- if .Values.server.persistentVolume.enabled -}} +{{- if not .Values.server.persistentVolume.existingClaim -}} +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + {{- if .Values.server.persistentVolume.annotations }} + annotations: +{{ toYaml .Values.server.persistentVolume.annotations | indent 4 }} + {{- end }} + labels: + {{- include "prometheus.server.labels" . | nindent 4 }} + name: {{ template "prometheus.server.fullname" . }} +{{ include "prometheus.namespace" . | indent 2 }} +spec: + accessModes: +{{ toYaml .Values.server.persistentVolume.accessModes | indent 4 }} +{{- if .Values.server.persistentVolume.storageClass }} +{{- if (eq "-" .Values.server.persistentVolume.storageClass) }} + storageClassName: "" +{{- else }} + storageClassName: "{{ .Values.server.persistentVolume.storageClass }}" +{{- end }} +{{- end }} +{{- if .Values.server.persistentVolume.volumeBindingMode }} + volumeBindingMode: "{{ .Values.server.persistentVolume.volumeBindingMode }}" +{{- end }} + resources: + requests: + storage: "{{ .Values.server.persistentVolume.size }}" +{{- if .Values.server.persistentVolume.selector }} + selector: + {{- toYaml .Values.server.persistentVolume.selector | nindent 4 }} +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/server/rolebinding.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/server/rolebinding.yaml new file mode 100644 index 000000000..93ce3ee13 --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/server/rolebinding.yaml @@ -0,0 +1,20 @@ +{{- if and .Values.server.enabled .Values.rbac.create .Values.server.useExistingClusterRoleName .Values.server.namespaces -}} +{{ range $.Values.server.namespaces -}} +--- +apiVersion: {{ template "rbac.apiVersion" $ }} +kind: RoleBinding +metadata: + labels: + {{- include "prometheus.server.labels" $ | nindent 4 }} + name: {{ template "prometheus.server.fullname" $ }} + namespace: {{ . }} +subjects: + - kind: ServiceAccount + name: {{ template "prometheus.serviceAccountName.server" $ }} +{{ include "prometheus.namespace" $ | indent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ $.Values.server.useExistingClusterRoleName }} +{{ end -}} +{{ end -}} diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/server/service.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/server/service.yaml new file mode 100644 index 000000000..01c5a4a8a --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/server/service.yaml @@ -0,0 +1,60 @@ +{{- if and .Values.server.enabled .Values.server.service.enabled -}} +apiVersion: v1 +kind: Service +metadata: +{{- if .Values.server.service.annotations }} + annotations: +{{ toYaml .Values.server.service.annotations | indent 4 }} +{{- end }} + labels: + {{- include "prometheus.server.labels" . | nindent 4 }} +{{- if .Values.server.service.labels }} +{{ toYaml .Values.server.service.labels | indent 4 }} +{{- end }} + name: {{ template "prometheus.server.fullname" . }} +{{ include "prometheus.namespace" . | indent 2 }} +spec: +{{- if .Values.server.service.clusterIP }} + clusterIP: {{ .Values.server.service.clusterIP }} +{{- end }} +{{- if .Values.server.service.externalIPs }} + externalIPs: +{{ toYaml .Values.server.service.externalIPs | indent 4 }} +{{- end }} +{{- if .Values.server.service.loadBalancerIP }} + loadBalancerIP: {{ .Values.server.service.loadBalancerIP }} +{{- end }} +{{- if .Values.server.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: + {{- range $cidr := .Values.server.service.loadBalancerSourceRanges }} + - {{ $cidr }} + {{- end }} +{{- end }} + ports: + - name: http + port: {{ .Values.server.service.servicePort }} + protocol: TCP + targetPort: 9090 + {{- if .Values.server.service.nodePort }} + nodePort: {{ .Values.server.service.nodePort }} + {{- end }} + {{- if .Values.server.service.gRPC.enabled }} + - name: grpc + port: {{ .Values.server.service.gRPC.servicePort }} + protocol: TCP + targetPort: 10901 + {{- if .Values.server.service.gRPC.nodePort }} + nodePort: {{ .Values.server.service.gRPC.nodePort }} + {{- end }} + {{- end }} + selector: + {{- if and .Values.server.statefulSet.enabled .Values.server.service.statefulsetReplica.enabled }} + statefulset.kubernetes.io/pod-name: {{ template "prometheus.server.fullname" . }}-{{ .Values.server.service.statefulsetReplica.replica }} + {{- else -}} + {{- include "prometheus.server.matchLabels" . | nindent 4 }} +{{- if .Values.server.service.sessionAffinity }} + sessionAffinity: {{ .Values.server.service.sessionAffinity }} +{{- end }} + {{- end }} + type: "{{ .Values.server.service.type }}" +{{- end -}} diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/server/serviceaccount.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/server/serviceaccount.yaml new file mode 100644 index 000000000..9c0502ab7 --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/server/serviceaccount.yaml @@ -0,0 +1,13 @@ +{{- if .Values.server.enabled -}} +{{- if .Values.serviceAccounts.server.create }} +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + {{- include "prometheus.server.labels" . | nindent 4 }} + name: {{ template "prometheus.serviceAccountName.server" . }} +{{ include "prometheus.namespace" . | indent 2 }} + annotations: +{{ toYaml .Values.serviceAccounts.server.annotations | indent 4 }} +{{- end }} +{{- end }} diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/server/sts.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/server/sts.yaml new file mode 100644 index 000000000..3f76fa9ba --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/server/sts.yaml @@ -0,0 +1,302 @@ +{{- if .Values.server.enabled -}} +{{- if .Values.server.statefulSet.enabled -}} +apiVersion: apps/v1 +kind: StatefulSet +metadata: +{{- if .Values.server.statefulSet.annotations }} + annotations: + {{ toYaml .Values.server.statefulSet.annotations | nindent 4 }} +{{- end }} + labels: + {{- include "prometheus.server.labels" . | nindent 4 }} + {{- if .Values.server.statefulSet.labels}} + {{ toYaml .Values.server.statefulSet.labels | nindent 4 }} + {{- end}} + name: {{ template "prometheus.server.fullname" . }} +{{ include "prometheus.namespace" . | indent 2 }} +spec: + serviceName: {{ template "prometheus.server.fullname" . }}-headless + selector: + matchLabels: + {{- include "prometheus.server.matchLabels" . | nindent 6 }} + replicas: {{ .Values.server.replicaCount }} + podManagementPolicy: {{ .Values.server.statefulSet.podManagementPolicy }} + template: + metadata: + {{- if .Values.server.podAnnotations }} + annotations: + {{ toYaml .Values.server.podAnnotations | nindent 8 }} + {{- end }} + labels: + {{- include "prometheus.server.labels" . | nindent 8 }} + {{- if .Values.server.podLabels}} + {{ toYaml .Values.server.podLabels | nindent 8 }} + {{- end}} + spec: +{{- if .Values.server.priorityClassName }} + priorityClassName: "{{ .Values.server.priorityClassName }}" +{{- end }} +{{- if .Values.server.schedulerName }} + schedulerName: "{{ .Values.server.schedulerName }}" +{{- end }} +{{- if semverCompare ">=1.13-0" .Capabilities.KubeVersion.GitVersion }} + {{- if or (.Values.server.enableServiceLinks) (eq (.Values.server.enableServiceLinks | toString) "") }} + enableServiceLinks: true + {{- else }} + enableServiceLinks: false + {{- end }} +{{- end }} + serviceAccountName: {{ template "prometheus.serviceAccountName.server" . }} + {{- if .Values.server.extraInitContainers }} + initContainers: +{{ toYaml .Values.server.extraInitContainers | indent 8 }} + {{- end }} + containers: + {{- if .Values.configmapReload.prometheus.enabled }} + - name: {{ template "prometheus.name" . }}-{{ .Values.server.name }}-{{ .Values.configmapReload.prometheus.name }} + image: "{{ .Values.configmapReload.prometheus.image.registry }}/{{ .Values.configmapReload.prometheus.image.repository }}:{{ .Values.configmapReload.prometheus.image.tag }}" + imagePullPolicy: "{{ .Values.configmapReload.prometheus.image.pullPolicy }}" + args: + - --volume-dir=/etc/config + - --webhook-url=http://127.0.0.1:9090{{ .Values.server.prefixURL }}/-/reload + {{- range $key, $value := .Values.configmapReload.prometheus.extraArgs }} + - --{{ $key }}={{ $value }} + {{- end }} + {{- range .Values.configmapReload.prometheus.extraVolumeDirs }} + - --volume-dir={{ . }} + {{- end }} + {{- if .Values.configmapReload.prometheus.containerPort }} + ports: + - containerPort: {{ .Values.configmapReload.prometheus.containerPort }} + {{- end }} + resources: +{{ toYaml .Values.configmapReload.prometheus.resources | indent 12 }} + volumeMounts: + - name: config-volume + mountPath: /etc/config + readOnly: true + {{- range .Values.configmapReload.prometheus.extraConfigmapMounts }} + - name: {{ $.Values.configmapReload.prometheus.name }}-{{ .name }} + mountPath: {{ .mountPath }} + subPath: {{ .subPath }} + readOnly: {{ .readOnly }} + {{- end }} + {{- end }} + + - name: {{ template "prometheus.name" . }}-{{ .Values.server.name }} + image: "{{ .Values.server.image.registry }}/{{ .Values.server.image.repository }}:{{ .Values.server.image.tag }}" + imagePullPolicy: "{{ .Values.server.image.pullPolicy }}" + {{- if .Values.server.env }} + env: +{{ toYaml .Values.server.env | indent 12}} + {{- end }} + args: + {{- if .Values.server.defaultFlagsOverride }} + {{ toYaml .Values.server.defaultFlagsOverride | nindent 12}} + {{- else }} + {{- if .Values.server.prefixURL }} + - --web.route-prefix={{ .Values.server.prefixURL }} + {{- end }} + {{- if .Values.server.retention }} + - --storage.tsdb.retention.time={{ .Values.server.retention }} + {{- end }} + - --config.file={{ .Values.server.configPath }} + {{- if .Values.server.storagePath }} + - --storage.tsdb.path={{ .Values.server.storagePath }} + {{- else }} + - --storage.tsdb.path={{ .Values.server.persistentVolume.mountPath }} + {{- end }} + - --web.console.libraries=/etc/prometheus/console_libraries + - --web.console.templates=/etc/prometheus/consoles + {{- range .Values.server.extraFlags }} + - --{{ . }} + {{- end }} + {{- range $key, $value := .Values.server.extraArgs }} + - --{{ $key }}={{ $value }} + {{- end }} + {{- if .Values.server.baseURL }} + - --web.external-url={{ .Values.server.baseURL }} + {{- end }} + {{- end }} + ports: + - containerPort: 9090 + {{- if .Values.server.hostPort }} + hostPort: {{ .Values.server.hostPort }} + {{- end }} + readinessProbe: + {{- if not .Values.server.tcpSocketProbeEnabled }} + httpGet: + path: {{ .Values.server.prefixURL }}/-/ready + port: 9090 + scheme: {{ .Values.server.probeScheme }} + {{- else }} + tcpSocket: + port: 9090 + {{- end }} + initialDelaySeconds: {{ .Values.server.readinessProbeInitialDelay }} + periodSeconds: {{ .Values.server.readinessProbePeriodSeconds }} + timeoutSeconds: {{ .Values.server.readinessProbeTimeout }} + failureThreshold: {{ .Values.server.readinessProbeFailureThreshold }} + successThreshold: {{ .Values.server.readinessProbeSuccessThreshold }} + livenessProbe: + {{- if not .Values.server.tcpSocketProbeEnabled }} + httpGet: + path: {{ .Values.server.prefixURL }}/-/healthy + port: 9090 + scheme: {{ .Values.server.probeScheme }} + {{- else }} + tcpSocket: + port: 9090 + {{- end }} + initialDelaySeconds: {{ .Values.server.livenessProbeInitialDelay }} + periodSeconds: {{ .Values.server.livenessProbePeriodSeconds }} + timeoutSeconds: {{ .Values.server.livenessProbeTimeout }} + failureThreshold: {{ .Values.server.livenessProbeFailureThreshold }} + successThreshold: {{ .Values.server.livenessProbeSuccessThreshold }} + resources: +{{ toYaml .Values.server.resources | indent 12 }} + volumeMounts: + - name: config-volume + mountPath: /etc/config + - name: storage-volume + mountPath: {{ .Values.server.persistentVolume.mountPath }} + subPath: "{{ .Values.server.persistentVolume.subPath }}" + {{- range .Values.server.extraHostPathMounts }} + - name: {{ .name }} + mountPath: {{ .mountPath }} + subPath: {{ .subPath }} + readOnly: {{ .readOnly }} + {{- end }} + {{- range .Values.server.extraConfigmapMounts }} + - name: {{ $.Values.server.name }}-{{ .name }} + mountPath: {{ .mountPath }} + subPath: {{ .subPath }} + readOnly: {{ .readOnly }} + {{- end }} + {{- range .Values.server.extraSecretMounts }} + - name: {{ .name }} + mountPath: {{ .mountPath }} + subPath: {{ .subPath }} + readOnly: {{ .readOnly }} + {{- end }} + {{- if .Values.server.extraVolumeMounts }} + {{ toYaml .Values.server.extraVolumeMounts | nindent 12 }} + {{- end }} + {{- if .Values.server.sidecarContainers }} + {{- range $name, $spec := .Values.server.sidecarContainers }} + - name: {{ $name }} + {{- if kindIs "string" $spec }} + {{- tpl $spec $ | nindent 10 }} + {{- else }} + {{- toYaml $spec | nindent 10 }} + {{- end }} + {{- end }} + {{- end }} + hostNetwork: {{ .Values.server.hostNetwork }} + {{- if .Values.server.dnsPolicy }} + dnsPolicy: {{ .Values.server.dnsPolicy }} + {{- end }} + {{- if .Values.imagePullSecrets }} + imagePullSecrets: +{{ toYaml .Values.imagePullSecrets | indent 8 }} + {{- end }} + {{- if .Values.server.nodeSelector }} + nodeSelector: +{{ toYaml .Values.server.nodeSelector | indent 8 }} + {{- end }} + {{- if .Values.server.hostAliases }} + hostAliases: +{{ toYaml .Values.server.hostAliases | indent 8 }} + {{- end }} + {{- if .Values.server.dnsConfig }} + dnsConfig: +{{ toYaml .Values.server.dnsConfig | indent 8 }} + {{- end }} + {{- if .Values.server.securityContext }} + securityContext: +{{ toYaml .Values.server.securityContext | indent 8 }} + {{- end }} + {{- if .Values.server.tolerations }} + tolerations: +{{ toYaml .Values.server.tolerations | indent 8 }} + {{- end }} + {{- if .Values.server.affinity }} + affinity: +{{ toYaml .Values.server.affinity | indent 8 }} + {{- end }} + terminationGracePeriodSeconds: {{ .Values.server.terminationGracePeriodSeconds }} + volumes: + - name: config-volume + {{- if empty .Values.server.configFromSecret }} + configMap: + name: {{ if .Values.server.configMapOverrideName }}{{ .Release.Name }}-{{ .Values.server.configMapOverrideName }}{{- else }}{{ template "prometheus.server.fullname" . }}{{- end }} + {{- else }} + secret: + secretName: {{ .Values.server.configFromSecret }} + {{- end }} + {{- range .Values.server.extraHostPathMounts }} + - name: {{ .name }} + hostPath: + path: {{ .hostPath }} + {{- end }} + {{- range .Values.configmapReload.prometheus.extraConfigmapMounts }} + - name: {{ $.Values.configmapReload.prometheus.name }}-{{ .name }} + configMap: + name: {{ .configMap }} + {{- end }} + {{- range .Values.server.extraConfigmapMounts }} + - name: {{ $.Values.server.name }}-{{ .name }} + configMap: + name: {{ .configMap }} + {{- end }} + {{- range .Values.server.extraSecretMounts }} + - name: {{ .name }} + secret: + secretName: {{ .secretName }} + {{- with .optional }} + optional: {{ . }} + {{- end }} + {{- end }} + {{- range .Values.configmapReload.prometheus.extraConfigmapMounts }} + - name: {{ .name }} + configMap: + name: {{ .configMap }} + {{- with .optional }} + optional: {{ . }} + {{- end }} + {{- end }} +{{- if .Values.server.extraVolumes }} +{{ toYaml .Values.server.extraVolumes | indent 8}} +{{- end }} +{{- if .Values.server.persistentVolume.enabled }} + volumeClaimTemplates: + - metadata: + name: storage-volume + {{- if .Values.server.persistentVolume.annotations }} + annotations: +{{ toYaml .Values.server.persistentVolume.annotations | indent 10 }} + {{- end }} + spec: + accessModes: +{{ toYaml .Values.server.persistentVolume.accessModes | indent 10 }} + resources: + requests: + storage: "{{ .Values.server.persistentVolume.size }}" + {{- if .Values.server.persistentVolume.storageClass }} + {{- if (eq "-" .Values.server.persistentVolume.storageClass) }} + storageClassName: "" + {{- else }} + storageClassName: "{{ .Values.server.persistentVolume.storageClass }}" + {{- end }} + {{- end }} +{{- else }} + - name: storage-volume + emptyDir: + {{- if .Values.server.emptyDir.sizeLimit }} + sizeLimit: {{ .Values.server.emptyDir.sizeLimit }} + {{- else }} + {} + {{- end -}} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/server/vpa.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/server/vpa.yaml new file mode 100644 index 000000000..981a9b485 --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/templates/server/vpa.yaml @@ -0,0 +1,24 @@ +{{- if .Values.server.enabled -}} +{{- if .Values.server.verticalAutoscaler.enabled -}} +apiVersion: autoscaling.k8s.io/v1beta2 +kind: VerticalPodAutoscaler +metadata: + labels: + {{- include "prometheus.server.labels" . | nindent 4 }} + name: {{ template "prometheus.server.fullname" . }}-vpa +{{ include "prometheus.namespace" . | indent 2 }} +spec: + targetRef: + apiVersion: "apps/v1" +{{- if .Values.server.statefulSet.enabled }} + kind: StatefulSet +{{- else }} + kind: Deployment +{{- end }} + name: {{ template "prometheus.server.fullname" . }} + updatePolicy: + updateMode: {{ .Values.server.verticalAutoscaler.updateMode | default "Off" | quote }} + resourcePolicy: + containerPolicies: {{ .Values.server.verticalAutoscaler.containerPolicies | default list | toYaml | trim | nindent 4 }} +{{- end -}} {{/* if .Values.server.verticalAutoscaler.enabled */}} +{{- end -}} {{/* .Values.server.enabled */}} diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/values.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/values.yaml new file mode 100644 index 000000000..680def88e --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/charts/prometheus/values.yaml @@ -0,0 +1,1861 @@ +rbac: + create: true + +podSecurityPolicy: + enabled: false + +imagePullSecrets: +# - name: "image-pull-secret" + +## Define serviceAccount names for components. Defaults to component's fully qualified name. +## +serviceAccounts: + alertmanager: + create: false + name: + annotations: {} + nodeExporter: + create: false + name: + annotations: {} + pushgateway: + create: false + name: + annotations: {} + server: + create: true + name: + annotations: {} + +alertmanager: + ## If false, alertmanager will not be installed + ## + enabled: true + + ## Use a ClusterRole (and ClusterRoleBinding) + ## - If set to false - we define a Role and RoleBinding in the defined namespaces ONLY + ## This makes alertmanager work - for users who do not have ClusterAdmin privs, but wants alertmanager to operate on their own namespaces, instead of clusterwide. + useClusterRole: true + + ## Set to a rolename to use existing role - skipping role creating - but still doing serviceaccount and rolebinding to the rolename set here. + useExistingRole: false + + ## alertmanager container name + ## + name: alertmanager + + ## alertmanager container image + ## + image: + registry: quay.io + repository: prometheus/alertmanager + tag: v0.23.0 + pullPolicy: IfNotPresent + + ## alertmanager priorityClassName + ## + priorityClassName: "" + + ## Custom HTTP headers for Readiness Probe + ## + ## Useful for providing HTTP Basic Auth to healthchecks + probeHeaders: [] + + ## Additional alertmanager container arguments + ## + extraArgs: {} + + ## Additional InitContainers to initialize the pod + ## + extraInitContainers: [] + + ## The URL prefix at which the container can be accessed. Useful in the case the '-web.external-url' includes a slug + ## so that the various internal URLs are still able to access as they are in the default case. + ## (Optional) + prefixURL: "" + + ## External URL which can access alertmanager + baseURL: "http://localhost:9093" + + ## Additional alertmanager container environment variable + ## For instance to add a http_proxy + ## + extraEnv: {} + + ## Additional alertmanager Secret mounts + # Defines additional mounts with secrets. Secrets must be manually created in the namespace. + extraSecretMounts: [] + # - name: secret-files + # mountPath: /etc/secrets + # subPath: "" + # secretName: alertmanager-secret-files + # readOnly: true + + ## Additional alertmanager Configmap mounts + extraConfigmapMounts: [] + # - name: template-files + # mountPath: /etc/config/templates.d + # configMap: alertmanager-template-files + # readOnly: true + + ## ConfigMap override where fullname is {{.Release.Name}}-{{.Values.alertmanager.configMapOverrideName}} + ## Defining configMapOverrideName will cause templates/alertmanager-configmap.yaml + ## to NOT generate a ConfigMap resource + ## + configMapOverrideName: "" + + ## The name of a secret in the same kubernetes namespace which contains the Alertmanager config + ## Defining configFromSecret will cause templates/alertmanager-configmap.yaml + ## to NOT generate a ConfigMap resource + ## + configFromSecret: "" + + ## The configuration file name to be loaded to alertmanager + ## Must match the key within configuration loaded from ConfigMap/Secret + ## + configFileName: alertmanager.yml + + ingress: + ## If true, alertmanager Ingress will be created + ## + enabled: false + + # For Kubernetes >= 1.18 you should specify the ingress-controller via the field ingressClassName + # See https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/#specifying-the-class-of-an-ingress + # ingressClassName: nginx + + ## alertmanager Ingress annotations + ## + annotations: {} + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: 'true' + + ## alertmanager Ingress additional labels + ## + extraLabels: {} + + ## alertmanager Ingress hostnames with optional path + ## Must be provided if Ingress is enabled + ## + hosts: [] + # - alertmanager.domain.com + # - domain.com/alertmanager + + path: / + + # pathType is only for k8s >= 1.18 + pathType: Prefix + + ## Extra paths to prepend to every host configuration. This is useful when working with annotation based services. + extraPaths: [] + # - path: /* + # backend: + # serviceName: ssl-redirect + # servicePort: use-annotation + + ## alertmanager Ingress TLS configuration + ## Secrets must be manually created in the namespace + ## + tls: [] + # - secretName: prometheus-alerts-tls + # hosts: + # - alertmanager.domain.com + + ## Alertmanager Deployment Strategy type + # strategy: + # type: Recreate + + ## Node tolerations for alertmanager scheduling to nodes with taints + ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + ## + tolerations: [] + # - key: "key" + # operator: "Equal|Exists" + # value: "value" + # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" + + ## Node labels for alertmanager pod assignment + ## Ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## + nodeSelector: {} + + ## Pod affinity + ## + affinity: {} + + ## PodDisruptionBudget settings + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ + ## + podDisruptionBudget: + enabled: false + maxUnavailable: 1 + + ## Use an alternate scheduler, e.g. "stork". + ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ + ## + # schedulerName: + + persistentVolume: + ## If true, alertmanager will create/use a Persistent Volume Claim + ## If false, use emptyDir + ## + enabled: true + + ## alertmanager data Persistent Volume access modes + ## Must match those of existing PV or dynamic provisioner + ## Ref: http://kubernetes.io/docs/user-guide/persistent-volumes/ + ## + accessModes: + - ReadWriteOnce + + ## alertmanager data Persistent Volume Claim annotations + ## + annotations: {} + + ## alertmanager data Persistent Volume existing claim name + ## Requires alertmanager.persistentVolume.enabled: true + ## If defined, PVC must be created manually before volume will be bound + existingClaim: "" + + ## alertmanager data Persistent Volume mount root path + ## + mountPath: /data + + ## alertmanager data Persistent Volume size + ## + size: 2Gi + + ## alertmanager data Persistent Volume Storage Class + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. (gp2 on AWS, standard on + ## GKE, AWS & OpenStack) + ## + # storageClass: "-" + + ## alertmanager data Persistent Volume Binding Mode + ## If defined, volumeBindingMode: + ## If undefined (the default) or set to null, no volumeBindingMode spec is + ## set, choosing the default mode. + ## + # volumeBindingMode: "" + + ## Subdirectory of alertmanager data Persistent Volume to mount + ## Useful if the volume's root directory is not empty + ## + subPath: "" + + ## Persistent Volume Claim Selector + ## Useful if Persistent Volumes have been provisioned in advance + ## Ref: https://kubernetes.io/docs/concepts/storage/persistent-volumes/#selector + ## + # selector: + # matchLabels: + # release: "stable" + # matchExpressions: + # - { key: environment, operator: In, values: [ dev ] } + + emptyDir: + ## alertmanager emptyDir volume size limit + ## + sizeLimit: "" + + ## Annotations to be added to alertmanager pods + ## + podAnnotations: {} + ## Tell prometheus to use a specific set of alertmanager pods + ## instead of all alertmanager pods found in the same namespace + ## Useful if you deploy multiple releases within the same namespace + ## + ## prometheus.io/probe: alertmanager-teamA + + ## Labels to be added to Prometheus AlertManager pods + ## + podLabels: {} + + ## Specify if a Pod Security Policy for node-exporter must be created + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/ + ## + podSecurityPolicy: + annotations: {} + ## Specify pod annotations + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#apparmor + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#sysctl + ## + # seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*' + # seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default' + # apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default' + + ## Use a StatefulSet if replicaCount needs to be greater than 1 (see below) + ## + replicaCount: 1 + + ## Annotations to be added to deployment + ## + deploymentAnnotations: {} + + statefulSet: + ## If true, use a statefulset instead of a deployment for pod management. + ## This allows to scale replicas to more than 1 pod + ## + enabled: false + + annotations: {} + labels: {} + podManagementPolicy: OrderedReady + + ## Alertmanager headless service to use for the statefulset + ## + headless: + annotations: {} + labels: {} + + ## Enabling peer mesh service end points for enabling the HA alert manager + ## Ref: https://github.com/prometheus/alertmanager/blob/master/README.md + enableMeshPeer: false + + servicePort: 80 + + ## alertmanager resource requests and limits + ## Ref: http://kubernetes.io/docs/user-guide/compute-resources/ + ## + resources: + limits: + cpu: 100m + memory: 100Mi + requests: + cpu: 50m + memory: 50Mi + + # Custom DNS configuration to be added to alertmanager pods + dnsConfig: {} + # nameservers: + # - 1.2.3.4 + # searches: + # - ns1.svc.cluster-domain.example + # - my.dns.search.suffix + # options: + # - name: ndots + # value: "2" + # - name: edns0 + + ## Security context to be added to alertmanager pods + ## + securityContext: + runAsUser: 65534 + runAsNonRoot: true + runAsGroup: 65534 + fsGroup: 65534 + + service: + annotations: {} + labels: {} + clusterIP: "" + + ## Enabling peer mesh service end points for enabling the HA alert manager + ## Ref: https://github.com/prometheus/alertmanager/blob/master/README.md + # enableMeshPeer : true + + ## List of IP addresses at which the alertmanager service is available + ## Ref: https://kubernetes.io/docs/user-guide/services/#external-ips + ## + externalIPs: [] + + loadBalancerIP: "" + loadBalancerSourceRanges: [] + servicePort: 80 + # nodePort: 30000 + sessionAffinity: None + type: ClusterIP + + ## List of initial peers + ## Ref: https://github.com/prometheus/alertmanager/blob/main/README.md#high-availability + clusterPeers: [] + +## Monitors ConfigMap changes and POSTs to a URL +## Ref: https://github.com/jimmidyson/configmap-reload +## +configmapReload: + prometheus: + ## If false, the configmap-reload container will not be deployed + ## + enabled: true + + ## configmap-reload container name + ## + name: configmap-reload + + ## configmap-reload container image + ## + image: + registry: docker.io + repository: jimmidyson/configmap-reload + tag: v0.5.0 + pullPolicy: IfNotPresent + + # containerPort: 9533 + + ## Additional configmap-reload container arguments + ## + extraArgs: {} + ## Additional configmap-reload volume directories + ## + extraVolumeDirs: [] + + + ## Additional configmap-reload mounts + ## + extraConfigmapMounts: [] + # - name: prometheus-alerts + # mountPath: /etc/alerts.d + # subPath: "" + # configMap: prometheus-alerts + # readOnly: true + + + ## configmap-reload resource requests and limits + ## Ref: http://kubernetes.io/docs/user-guide/compute-resources/ + ## + resources: + limits: + cpu: 100m + memory: 100Mi + requests: + cpu: 50m + memory: 50Mi + alertmanager: + ## If false, the configmap-reload container will not be deployed + ## + enabled: true + + ## configmap-reload container name + ## + name: configmap-reload + + ## configmap-reload container image + ## + image: + registry: docker.io + repository: jimmidyson/configmap-reload + tag: v0.5.0 + pullPolicy: IfNotPresent + + # containerPort: 9533 + + ## Additional configmap-reload container arguments + ## + extraArgs: {} + ## Additional configmap-reload volume directories + ## + extraVolumeDirs: [] + + + ## Additional configmap-reload mounts + ## + extraConfigmapMounts: [] + # - name: prometheus-alerts + # mountPath: /etc/alerts.d + # subPath: "" + # configMap: prometheus-alerts + # readOnly: true + + + ## configmap-reload resource requests and limits + ## Ref: http://kubernetes.io/docs/user-guide/compute-resources/ + ## + resources: + limits: + cpu: 100m + memory: 100Mi + requests: + cpu: 50m + memory: 50Mi + +kubeStateMetrics: + ## If false, kube-state-metrics sub-chart will not be installed + ## + enabled: true + +## kube-state-metrics sub-chart configurable values +## Please see https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-state-metrics +## +# kube-state-metrics: + +nodeExporter: + ## If false, node-exporter will not be installed + ## + enabled: true + + ## If true, node-exporter pods share the host network namespace + ## + hostNetwork: true + + ## If true, node-exporter pods share the host PID namespace + ## + hostPID: true + + ## If true, node-exporter pods mounts host / at /host/root + ## + hostRootfs: true + + ## node-exporter container name + ## + name: node-exporter + + ## node-exporter container image + ## + image: + registry: quay.io + repository: prometheus/node-exporter + tag: v1.3.0 + pullPolicy: IfNotPresent + + ## Specify if a Pod Security Policy for node-exporter must be created + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/ + ## + podSecurityPolicy: + annotations: {} + ## Specify pod annotations + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#apparmor + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#sysctl + ## + # seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*' + # seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default' + # apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default' + + ## node-exporter priorityClassName + ## + priorityClassName: "" + + ## Custom Update Strategy + ## + updateStrategy: + type: RollingUpdate + + ## Additional node-exporter container arguments + ## + extraArgs: {} + + ## Additional InitContainers to initialize the pod + ## + extraInitContainers: [] + + ## Additional node-exporter hostPath mounts + ## + extraHostPathMounts: [] + # - name: textfile-dir + # mountPath: /srv/txt_collector + # hostPath: /var/lib/node-exporter + # readOnly: true + # mountPropagation: HostToContainer + + extraConfigmapMounts: [] + # - name: certs-configmap + # mountPath: /prometheus + # configMap: certs-configmap + # readOnly: true + + ## Node tolerations for node-exporter scheduling to nodes with taints + ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + ## + tolerations: [] + # - key: "key" + # operator: "Equal|Exists" + # value: "value" + # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" + + ## Node labels for node-exporter pod assignment + ## Ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## + nodeSelector: {} + + ## Annotations to be added to node-exporter pods + ## + podAnnotations: {} + + ## Labels to be added to node-exporter pods + ## + pod: + labels: {} + + ## PodDisruptionBudget settings + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ + ## + podDisruptionBudget: + enabled: false + maxUnavailable: 1 + + ## node-exporter resource limits & requests + ## Ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## + resources: + limits: + cpu: 500m + memory: 100Mi + requests: + cpu: 200m + memory: 50Mi + container: + securityContext: + allowPrivilegeEscalation: false + # Custom DNS configuration to be added to node-exporter pods + dnsConfig: {} + # nameservers: + # - 1.2.3.4 + # searches: + # - ns1.svc.cluster-domain.example + # - my.dns.search.suffix + # options: + # - name: ndots + # value: "2" + # - name: edns0 + + ## Security context to be added to node-exporter pods + ## + securityContext: + fsGroup: 65534 + runAsGroup: 65534 + runAsNonRoot: true + runAsUser: 65534 + + service: + annotations: + prometheus.io/scrape: "true" + labels: {} + + # Exposed as a headless service: + # https://kubernetes.io/docs/concepts/services-networking/service/#headless-services + clusterIP: "" + + ## List of IP addresses at which the node-exporter service is available + ## Ref: https://kubernetes.io/docs/user-guide/services/#external-ips + ## + externalIPs: [] + + hostPort: 9100 + loadBalancerIP: "" + loadBalancerSourceRanges: [] + servicePort: 9100 + type: ClusterIP + +server: + ## Prometheus server container name + ## + enabled: true + + ## Use a ClusterRole (and ClusterRoleBinding) + ## - If set to false - we define a RoleBinding in the defined namespaces ONLY + ## + ## NB: because we need a Role with nonResourceURL's ("/metrics") - you must get someone with Cluster-admin privileges to define this role for you, before running with this setting enabled. + ## This makes prometheus work - for users who do not have ClusterAdmin privs, but wants prometheus to operate on their own namespaces, instead of clusterwide. + ## + ## You MUST also set namespaces to the ones you have access to and want monitored by Prometheus. + ## + # useExistingClusterRoleName: nameofclusterrole + + ## namespaces to monitor (instead of monitoring all - clusterwide). Needed if you want to run without Cluster-admin privileges. + # namespaces: + # - yournamespace + + name: server + + # sidecarContainers - add more containers to prometheus server + # Key/Value where Key is the sidecar `- name: ` + # Example: + # sidecarContainers: + # webserver: + # image: nginx + sidecarContainers: {} + + # sidecarTemplateValues - context to be used in template for sidecarContainers + # Example: + # sidecarTemplateValues: *your-custom-globals + # sidecarContainers: + # webserver: |- + # {{ include "webserver-container-template" . }} + # Template for `webserver-container-template` might looks like this: + # image: "{{ .Values.server.sidecarTemplateValues.repository }}:{{ .Values.server.sidecarTemplateValues.tag }}" + # ... + # + sidecarTemplateValues: {} + + ## Prometheus server container image + ## + image: + registry: quay.io + repository: prometheus/prometheus + tag: v2.34.0 + pullPolicy: IfNotPresent + + ## prometheus server priorityClassName + ## + priorityClassName: "" + + ## EnableServiceLinks indicates whether information about services should be injected + ## into pod's environment variables, matching the syntax of Docker links. + ## WARNING: the field is unsupported and will be skipped in K8s prior to v1.13.0. + ## + enableServiceLinks: true + + ## The URL prefix at which the container can be accessed. Useful in the case the '-web.external-url' includes a slug + ## so that the various internal URLs are still able to access as they are in the default case. + ## (Optional) + prefixURL: "" + + ## External URL which can access prometheus + ## Maybe same with Ingress host name + baseURL: "" + + ## Additional server container environment variables + ## + ## You specify this manually like you would a raw deployment manifest. + ## This means you can bind in environment variables from secrets. + ## + ## e.g. static environment variable: + ## - name: DEMO_GREETING + ## value: "Hello from the environment" + ## + ## e.g. secret environment variable: + ## - name: USERNAME + ## valueFrom: + ## secretKeyRef: + ## name: mysecret + ## key: username + env: [] + + # List of flags to override default parameters, e.g: + # - --enable-feature=agent + # - --storage.agent.retention.max-time=30m + defaultFlagsOverride: [] + + extraFlags: + - web.enable-lifecycle + ## web.enable-admin-api flag controls access to the administrative HTTP API which includes functionality such as + ## deleting time series. This is disabled by default. + # - web.enable-admin-api + ## + ## storage.tsdb.no-lockfile flag controls BD locking + # - storage.tsdb.no-lockfile + ## + ## storage.tsdb.wal-compression flag enables compression of the write-ahead log (WAL) + # - storage.tsdb.wal-compression + + ## Path to a configuration file on prometheus server container FS + configPath: /etc/config/prometheus.yml + + ### The data directory used by prometheus to set --storage.tsdb.path + ### When empty server.persistentVolume.mountPath is used instead + storagePath: "" + + global: + ## How frequently to scrape targets by default + ## + scrape_interval: 1m + ## How long until a scrape request times out + ## + scrape_timeout: 10s + ## How frequently to evaluate rules + ## + evaluation_interval: 1m + ## https://prometheus.io/docs/prometheus/latest/configuration/configuration/#remote_write + ## + remoteWrite: [] + ## https://prometheus.io/docs/prometheus/latest/configuration/configuration/#remote_read + ## + remoteRead: [] + + ## Custom HTTP headers for Liveness/Readiness/Startup Probe + ## + ## Useful for providing HTTP Basic Auth to healthchecks + probeHeaders: [] + + ## Additional Prometheus server container arguments + ## + extraArgs: {} + + ## Additional InitContainers to initialize the pod + ## + extraInitContainers: [] + + ## Additional Prometheus server Volume mounts + ## + extraVolumeMounts: [] + + ## Additional Prometheus server Volumes + ## + extraVolumes: [] + + ## Additional Prometheus server hostPath mounts + ## + extraHostPathMounts: [] + # - name: certs-dir + # mountPath: /etc/kubernetes/certs + # subPath: "" + # hostPath: /etc/kubernetes/certs + # readOnly: true + + extraConfigmapMounts: [] + # - name: certs-configmap + # mountPath: /prometheus + # subPath: "" + # configMap: certs-configmap + # readOnly: true + + ## Additional Prometheus server Secret mounts + # Defines additional mounts with secrets. Secrets must be manually created in the namespace. + extraSecretMounts: [] + # - name: secret-files + # mountPath: /etc/secrets + # subPath: "" + # secretName: prom-secret-files + # readOnly: true + + ## ConfigMap override where fullname is {{.Release.Name}}-{{.Values.server.configMapOverrideName}} + ## Defining configMapOverrideName will cause templates/server-configmap.yaml + ## to NOT generate a ConfigMap resource + ## + configMapOverrideName: "" + + ingress: + ## If true, Prometheus server Ingress will be created + ## + enabled: false + + # For Kubernetes >= 1.18 you should specify the ingress-controller via the field ingressClassName + # See https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/#specifying-the-class-of-an-ingress + # ingressClassName: nginx + + ## Prometheus server Ingress annotations + ## + annotations: {} + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: 'true' + + ## Prometheus server Ingress additional labels + ## + extraLabels: {} + + ## Prometheus server Ingress hostnames with optional path + ## Must be provided if Ingress is enabled + ## + hosts: [] + # - prometheus.domain.com + # - domain.com/prometheus + + path: / + + # pathType is only for k8s >= 1.18 + pathType: Prefix + + ## Extra paths to prepend to every host configuration. This is useful when working with annotation based services. + extraPaths: [] + # - path: /* + # backend: + # serviceName: ssl-redirect + # servicePort: use-annotation + + ## Prometheus server Ingress TLS configuration + ## Secrets must be manually created in the namespace + ## + tls: [] + # - secretName: prometheus-server-tls + # hosts: + # - prometheus.domain.com + + ## Server Deployment Strategy type + strategy: + type: RollingUpdate + + ## hostAliases allows adding entries to /etc/hosts inside the containers + hostAliases: [] + # - ip: "127.0.0.1" + # hostnames: + # - "example.com" + + ## Node tolerations for server scheduling to nodes with taints + ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + ## + tolerations: [] + # - key: "key" + # operator: "Equal|Exists" + # value: "value" + # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" + + ## Node labels for Prometheus server pod assignment + ## Ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## + nodeSelector: {} + + ## Pod affinity + ## + affinity: {} + + ## PodDisruptionBudget settings + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ + ## + podDisruptionBudget: + enabled: false + maxUnavailable: 1 + + ## Use an alternate scheduler, e.g. "stork". + ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ + ## + # schedulerName: + + persistentVolume: + ## If true, Prometheus server will create/use a Persistent Volume Claim + ## If false, use emptyDir + ## + enabled: true + + ## Prometheus server data Persistent Volume access modes + ## Must match those of existing PV or dynamic provisioner + ## Ref: http://kubernetes.io/docs/user-guide/persistent-volumes/ + ## + accessModes: + - ReadWriteOnce + + ## Prometheus server data Persistent Volume annotations + ## + annotations: {} + + ## Prometheus server data Persistent Volume existing claim name + ## Requires server.persistentVolume.enabled: true + ## If defined, PVC must be created manually before volume will be bound + existingClaim: "" + + ## Prometheus server data Persistent Volume mount root path + ## + mountPath: /data + + ## Prometheus server data Persistent Volume size + ## + size: 8Gi + + ## Prometheus server data Persistent Volume Storage Class + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. (gp2 on AWS, standard on + ## GKE, AWS & OpenStack) + ## + # storageClass: "-" + + ## Prometheus server data Persistent Volume Binding Mode + ## If defined, volumeBindingMode: + ## If undefined (the default) or set to null, no volumeBindingMode spec is + ## set, choosing the default mode. + ## + # volumeBindingMode: "" + + ## Subdirectory of Prometheus server data Persistent Volume to mount + ## Useful if the volume's root directory is not empty + ## + subPath: "" + + ## Persistent Volume Claim Selector + ## Useful if Persistent Volumes have been provisioned in advance + ## Ref: https://kubernetes.io/docs/concepts/storage/persistent-volumes/#selector + ## + # selector: + # matchLabels: + # release: "stable" + # matchExpressions: + # - { key: environment, operator: In, values: [ dev ] } + + emptyDir: + ## Prometheus server emptyDir volume size limit + ## + sizeLimit: "" + + ## Annotations to be added to Prometheus server pods + ## + podAnnotations: {} + # iam.amazonaws.com/role: prometheus + + ## Labels to be added to Prometheus server pods + ## + podLabels: {} + + ## Prometheus AlertManager configuration + ## + alertmanagers: [] + + ## Specify if a Pod Security Policy for node-exporter must be created + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/ + ## + podSecurityPolicy: + annotations: {} + ## Specify pod annotations + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#apparmor + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#sysctl + ## + # seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*' + # seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default' + # apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default' + + ## Use a StatefulSet if replicaCount needs to be greater than 1 (see below) + ## + replicaCount: 1 + + ## Annotations to be added to deployment + ## + deploymentAnnotations: {} + + statefulSet: + ## If true, use a statefulset instead of a deployment for pod management. + ## This allows to scale replicas to more than 1 pod + ## + enabled: false + + annotations: {} + labels: {} + podManagementPolicy: OrderedReady + + ## Alertmanager headless service to use for the statefulset + ## + headless: + annotations: {} + labels: {} + servicePort: 80 + ## Enable gRPC port on service to allow auto discovery with thanos-querier + gRPC: + enabled: false + servicePort: 10901 + # nodePort: 10901 + + ## Prometheus server readiness and liveness probe initial delay and timeout + ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/ + ## + tcpSocketProbeEnabled: false + probeScheme: HTTP + readinessProbeInitialDelay: 30 + readinessProbePeriodSeconds: 5 + readinessProbeTimeout: 4 + readinessProbeFailureThreshold: 3 + readinessProbeSuccessThreshold: 1 + livenessProbeInitialDelay: 30 + livenessProbePeriodSeconds: 15 + livenessProbeTimeout: 10 + livenessProbeFailureThreshold: 3 + livenessProbeSuccessThreshold: 1 + startupProbe: + enabled: false + periodSeconds: 5 + failureThreshold: 30 + timeoutSeconds: 10 + + ## Prometheus server resource requests and limits + ## Ref: http://kubernetes.io/docs/user-guide/compute-resources/ + ## + resources: + limits: + cpu: 1000m + memory: 512Mi + requests: + cpu: 500m + memory: 512Mi + + # Required for use in managed kubernetes clusters (such as AWS EKS) with custom CNI (such as calico), + # because control-plane managed by AWS cannot communicate with pods' IP CIDR and admission webhooks are not working + ## + hostNetwork: false + + # When hostNetwork is enabled, you probably want to set this to ClusterFirstWithHostNet + dnsPolicy: ClusterFirst + + # Use hostPort + # hostPort: 9090 + + ## Vertical Pod Autoscaler config + ## Ref: https://github.com/kubernetes/autoscaler/tree/master/vertical-pod-autoscaler + verticalAutoscaler: + ## If true a VPA object will be created for the controller (either StatefulSet or Deployemnt, based on above configs) + enabled: false + # updateMode: "Auto" + # containerPolicies: + # - containerName: 'prometheus-server' + + # Custom DNS configuration to be added to prometheus server pods + dnsConfig: {} + # nameservers: + # - 1.2.3.4 + # searches: + # - ns1.svc.cluster-domain.example + # - my.dns.search.suffix + # options: + # - name: ndots + # value: "2" + # - name: edns0 + ## Security context to be added to server pods + ## + securityContext: + runAsUser: 65534 + runAsNonRoot: true + runAsGroup: 65534 + fsGroup: 65534 + + service: + ## If false, no Service will be created for the Prometheus server + ## + enabled: true + + annotations: {} + labels: {} + clusterIP: "" + + ## List of IP addresses at which the Prometheus server service is available + ## Ref: https://kubernetes.io/docs/user-guide/services/#external-ips + ## + externalIPs: [] + + loadBalancerIP: "" + loadBalancerSourceRanges: [] + servicePort: 80 + sessionAffinity: None + type: ClusterIP + + ## Enable gRPC port on service to allow auto discovery with thanos-querier + gRPC: + enabled: false + servicePort: 10901 + # nodePort: 10901 + + ## If using a statefulSet (statefulSet.enabled=true), configure the + ## service to connect to a specific replica to have a consistent view + ## of the data. + statefulsetReplica: + enabled: false + replica: 0 + + ## Prometheus server pod termination grace period + ## + terminationGracePeriodSeconds: 300 + + ## Prometheus data retention period (default if not specified is 15 days) + ## + retention: "15d" + + ## Array of extra Kubernetes manifests, if you want to deploy + extraObjects: [] + +pushgateway: + ## If false, pushgateway will not be installed + ## + enabled: true + + ## Use an alternate scheduler, e.g. "stork". + ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ + ## + # schedulerName: + + ## pushgateway container name + ## + name: pushgateway + + ## pushgateway container image + ## + image: + registry: docker.io + repository: prom/pushgateway + tag: v1.4.2 + pullPolicy: IfNotPresent + + ## pushgateway priorityClassName + ## + priorityClassName: "" + + ## Additional pushgateway container arguments + ## + ## for example: persistence.file: /data/pushgateway.data + extraArgs: {} + + ## Additional InitContainers to initialize the pod + ## + extraInitContainers: [] + + ingress: + ## If true, pushgateway Ingress will be created + ## + enabled: false + + # For Kubernetes >= 1.18 you should specify the ingress-controller via the field ingressClassName + # See https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/#specifying-the-class-of-an-ingress + # ingressClassName: nginx + + ## pushgateway Ingress annotations + ## + annotations: {} + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: 'true' + + ## pushgateway Ingress hostnames with optional path + ## Must be provided if Ingress is enabled + ## + hosts: [] + # - pushgateway.domain.com + # - domain.com/pushgateway + + path: / + + # pathType is only for k8s >= 1.18 + pathType: Prefix + + ## Extra paths to prepend to every host configuration. This is useful when working with annotation based services. + extraPaths: [] + # - path: /* + # backend: + # serviceName: ssl-redirect + # servicePort: use-annotation + + ## pushgateway Ingress TLS configuration + ## Secrets must be manually created in the namespace + ## + tls: [] + # - secretName: prometheus-alerts-tls + # hosts: + # - pushgateway.domain.com + + ## Node tolerations for pushgateway scheduling to nodes with taints + ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ + ## + tolerations: [] + # - key: "key" + # operator: "Equal|Exists" + # value: "value" + # effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)" + + ## Node labels for pushgateway pod assignment + ## Ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## + nodeSelector: {} + + ## Annotations to be added to pushgateway pods + ## + podAnnotations: {} + + ## Labels to be added to pushgateway pods + ## + podLabels: {} + + ## Specify if a Pod Security Policy for node-exporter must be created + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/ + ## + podSecurityPolicy: + annotations: {} + ## Specify pod annotations + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#apparmor + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#seccomp + ## Ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#sysctl + ## + # seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*' + # seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default' + # apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default' + + replicaCount: 1 + + ## Annotations to be added to deployment + ## + deploymentAnnotations: {} + + ## PodDisruptionBudget settings + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ + ## + podDisruptionBudget: + enabled: false + maxUnavailable: 1 + + ## pushgateway resource requests and limits + ## Ref: http://kubernetes.io/docs/user-guide/compute-resources/ + ## + resources: + limits: + cpu: 100m + memory: 100Mi + requests: + cpu: 50m + memory: 50Mi + + ## Vertical Pod Autoscaler config + ## Ref: https://github.com/kubernetes/autoscaler/tree/master/vertical-pod-autoscaler + verticalAutoscaler: + ## If true a VPA object will be created for the controller + enabled: false + # updateMode: "Auto" + # containerPolicies: + # - containerName: 'prometheus-pushgateway' + + # Custom DNS configuration to be added to push-gateway pods + dnsConfig: {} + # nameservers: + # - 1.2.3.4 + # searches: + # - ns1.svc.cluster-domain.example + # - my.dns.search.suffix + # options: + # - name: ndots + # value: "2" + # - name: edns0 + + ## Security context to be added to push-gateway pods + ## + securityContext: + runAsUser: 65534 + runAsNonRoot: true + + service: + annotations: + prometheus.io/probe: pushgateway + labels: {} + clusterIP: "" + + ## List of IP addresses at which the pushgateway service is available + ## Ref: https://kubernetes.io/docs/user-guide/services/#external-ips + ## + externalIPs: [] + + loadBalancerIP: "" + loadBalancerSourceRanges: [] + servicePort: 9091 + type: ClusterIP + + ## pushgateway Deployment Strategy type + # strategy: + # type: Recreate + + persistentVolume: + ## If true, pushgateway will create/use a Persistent Volume Claim + ## + enabled: false + + ## pushgateway data Persistent Volume access modes + ## Must match those of existing PV or dynamic provisioner + ## Ref: http://kubernetes.io/docs/user-guide/persistent-volumes/ + ## + accessModes: + - ReadWriteOnce + + ## pushgateway data Persistent Volume Claim annotations + ## + annotations: {} + + ## pushgateway data Persistent Volume existing claim name + ## Requires pushgateway.persistentVolume.enabled: true + ## If defined, PVC must be created manually before volume will be bound + existingClaim: "" + + ## pushgateway data Persistent Volume mount root path + ## + mountPath: /data + + ## pushgateway data Persistent Volume size + ## + size: 2Gi + + ## pushgateway data Persistent Volume Storage Class + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. (gp2 on AWS, standard on + ## GKE, AWS & OpenStack) + ## + # storageClass: "-" + + ## pushgateway data Persistent Volume Binding Mode + ## If defined, volumeBindingMode: + ## If undefined (the default) or set to null, no volumeBindingMode spec is + ## set, choosing the default mode. + ## + # volumeBindingMode: "" + + ## Subdirectory of pushgateway data Persistent Volume to mount + ## Useful if the volume's root directory is not empty + ## + subPath: "" + + +## alertmanager ConfigMap entries +## +alertmanagerFiles: + alertmanager.yml: + global: {} + # slack_api_url: '' + + receivers: + - name: default-receiver + # slack_configs: + # - channel: '@you' + # send_resolved: true + + route: + group_wait: 10s + group_interval: 5m + receiver: default-receiver + repeat_interval: 3h + +## Prometheus server ConfigMap entries for rule files (allow prometheus labels interpolation) +ruleFiles: {} + +## Prometheus server ConfigMap entries +## +serverFiles: + + ## Alerts configuration + ## Ref: https://prometheus.io/docs/prometheus/latest/configuration/alerting_rules/ + alerting_rules.yml: {} + # groups: + # - name: Instances + # rules: + # - alert: InstanceDown + # expr: up == 0 + # for: 5m + # labels: + # severity: page + # annotations: + # description: '{{ $labels.instance }} of job {{ $labels.job }} has been down for more than 5 minutes.' + # summary: 'Instance {{ $labels.instance }} down' + ## DEPRECATED DEFAULT VALUE, unless explicitly naming your files, please use alerting_rules.yml + alerts: {} + + ## Records configuration + ## Ref: https://prometheus.io/docs/prometheus/latest/configuration/recording_rules/ + recording_rules.yml: {} + ## DEPRECATED DEFAULT VALUE, unless explicitly naming your files, please use recording_rules.yml + rules: {} + + prometheus.yml: + rule_files: + - /etc/config/recording_rules.yml + - /etc/config/alerting_rules.yml + ## Below two files are DEPRECATED will be removed from this default values file + - /etc/config/rules + - /etc/config/alerts + + scrape_configs: + - job_name: prometheus + static_configs: + - targets: + - localhost:9090 + + # A scrape configuration for running Prometheus on a Kubernetes cluster. + # This uses separate scrape configs for cluster components (i.e. API server, node) + # and services to allow each to use different authentication configs. + # + # Kubernetes labels will be added as Prometheus labels on metrics via the + # `labelmap` relabeling action. + + # Scrape config for API servers. + # + # Kubernetes exposes API servers as endpoints to the default/kubernetes + # service so this uses `endpoints` role and uses relabelling to only keep + # the endpoints associated with the default/kubernetes service using the + # default named port `https`. This works for single API server deployments as + # well as HA API server deployments. + - job_name: 'kubernetes-apiservers' + + kubernetes_sd_configs: + - role: endpoints + + # Default to scraping over https. If required, just disable this or change to + # `http`. + scheme: https + + # This TLS & bearer token file config is used to connect to the actual scrape + # endpoints for cluster components. This is separate to discovery auth + # configuration because discovery & scraping are two separate concerns in + # Prometheus. The discovery auth config is automatic if Prometheus runs inside + # the cluster. Otherwise, more config options have to be provided within the + # . + tls_config: + ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + # If your node certificates are self-signed or use a different CA to the + # master CA, then disable certificate verification below. Note that + # certificate verification is an integral part of a secure infrastructure + # so this should only be disabled in a controlled environment. You can + # disable certificate verification by uncommenting the line below. + # + insecure_skip_verify: true + bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + + # Keep only the default/kubernetes service endpoints for the https port. This + # will add targets for each API server which Kubernetes adds an endpoint to + # the default/kubernetes service. + relabel_configs: + - source_labels: [__meta_kubernetes_namespace, __meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name] + action: keep + regex: default;kubernetes;https + + - job_name: 'kubernetes-nodes' + + # Default to scraping over https. If required, just disable this or change to + # `http`. + scheme: https + + # This TLS & bearer token file config is used to connect to the actual scrape + # endpoints for cluster components. This is separate to discovery auth + # configuration because discovery & scraping are two separate concerns in + # Prometheus. The discovery auth config is automatic if Prometheus runs inside + # the cluster. Otherwise, more config options have to be provided within the + # . + tls_config: + ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + # If your node certificates are self-signed or use a different CA to the + # master CA, then disable certificate verification below. Note that + # certificate verification is an integral part of a secure infrastructure + # so this should only be disabled in a controlled environment. You can + # disable certificate verification by uncommenting the line below. + # + insecure_skip_verify: true + bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + + kubernetes_sd_configs: + - role: node + + relabel_configs: + - action: labelmap + regex: __meta_kubernetes_node_label_(.+) + - target_label: __address__ + replacement: kubernetes.default.svc:443 + - source_labels: [__meta_kubernetes_node_name] + regex: (.+) + target_label: __metrics_path__ + replacement: /api/v1/nodes/$1/proxy/metrics + + + - job_name: 'kubernetes-nodes-cadvisor' + + # Default to scraping over https. If required, just disable this or change to + # `http`. + scheme: https + + # This TLS & bearer token file config is used to connect to the actual scrape + # endpoints for cluster components. This is separate to discovery auth + # configuration because discovery & scraping are two separate concerns in + # Prometheus. The discovery auth config is automatic if Prometheus runs inside + # the cluster. Otherwise, more config options have to be provided within the + # . + tls_config: + ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + # If your node certificates are self-signed or use a different CA to the + # master CA, then disable certificate verification below. Note that + # certificate verification is an integral part of a secure infrastructure + # so this should only be disabled in a controlled environment. You can + # disable certificate verification by uncommenting the line below. + # + insecure_skip_verify: true + bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token + + kubernetes_sd_configs: + - role: node + + # This configuration will work only on kubelet 1.7.3+ + # As the scrape endpoints for cAdvisor have changed + # if you are using older version you need to change the replacement to + # replacement: /api/v1/nodes/$1:4194/proxy/metrics + # more info here https://github.com/coreos/prometheus-operator/issues/633 + relabel_configs: + - action: labelmap + regex: __meta_kubernetes_node_label_(.+) + - target_label: __address__ + replacement: kubernetes.default.svc:443 + - source_labels: [__meta_kubernetes_node_name] + regex: (.+) + target_label: __metrics_path__ + replacement: /api/v1/nodes/$1/proxy/metrics/cadvisor + + # Scrape config for service endpoints. + # + # The relabeling allows the actual service scrape endpoint to be configured + # via the following annotations: + # + # * `prometheus.io/scrape`: Only scrape services that have a value of + # `true`, except if `prometheus.io/scrape-slow` is set to `true` as well. + # * `prometheus.io/scheme`: If the metrics endpoint is secured then you will need + # to set this to `https` & most likely set the `tls_config` of the scrape config. + # * `prometheus.io/path`: If the metrics path is not `/metrics` override this. + # * `prometheus.io/port`: If the metrics are exposed on a different port to the + # service then set this appropriately. + # * `prometheus.io/param_`: If the metrics endpoint uses parameters + # then you can set any parameter + - job_name: 'kubernetes-service-endpoints' + honor_labels: true + + kubernetes_sd_configs: + - role: endpoints + + relabel_configs: + - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scrape] + action: keep + regex: true + - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scrape_slow] + action: drop + regex: true + - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scheme] + action: replace + target_label: __scheme__ + regex: (https?) + - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_path] + action: replace + target_label: __metrics_path__ + regex: (.+) + - source_labels: [__address__, __meta_kubernetes_service_annotation_prometheus_io_port] + action: replace + target_label: __address__ + regex: ([^:]+)(?::\d+)?;(\d+) + replacement: $1:$2 + - action: labelmap + regex: __meta_kubernetes_service_annotation_prometheus_io_param_(.+) + replacement: __param_$1 + - action: labelmap + regex: __meta_kubernetes_service_label_(.+) + - source_labels: [__meta_kubernetes_namespace] + action: replace + target_label: namespace + - source_labels: [__meta_kubernetes_service_name] + action: replace + target_label: service + - source_labels: [__meta_kubernetes_pod_node_name] + action: replace + target_label: node + + # Scrape config for slow service endpoints; same as above, but with a larger + # timeout and a larger interval + # + # The relabeling allows the actual service scrape endpoint to be configured + # via the following annotations: + # + # * `prometheus.io/scrape-slow`: Only scrape services that have a value of `true` + # * `prometheus.io/scheme`: If the metrics endpoint is secured then you will need + # to set this to `https` & most likely set the `tls_config` of the scrape config. + # * `prometheus.io/path`: If the metrics path is not `/metrics` override this. + # * `prometheus.io/port`: If the metrics are exposed on a different port to the + # service then set this appropriately. + # * `prometheus.io/param_`: If the metrics endpoint uses parameters + # then you can set any parameter + - job_name: 'kubernetes-service-endpoints-slow' + honor_labels: true + + scrape_interval: 5m + scrape_timeout: 30s + + kubernetes_sd_configs: + - role: endpoints + + relabel_configs: + - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scrape_slow] + action: keep + regex: true + - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scheme] + action: replace + target_label: __scheme__ + regex: (https?) + - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_path] + action: replace + target_label: __metrics_path__ + regex: (.+) + - source_labels: [__address__, __meta_kubernetes_service_annotation_prometheus_io_port] + action: replace + target_label: __address__ + regex: ([^:]+)(?::\d+)?;(\d+) + replacement: $1:$2 + - action: labelmap + regex: __meta_kubernetes_service_annotation_prometheus_io_param_(.+) + replacement: __param_$1 + - action: labelmap + regex: __meta_kubernetes_service_label_(.+) + - source_labels: [__meta_kubernetes_namespace] + action: replace + target_label: namespace + - source_labels: [__meta_kubernetes_service_name] + action: replace + target_label: service + - source_labels: [__meta_kubernetes_pod_node_name] + action: replace + target_label: node + + - job_name: 'prometheus-pushgateway' + honor_labels: true + + kubernetes_sd_configs: + - role: service + + relabel_configs: + - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_probe] + action: keep + regex: pushgateway + + # Example scrape config for probing services via the Blackbox Exporter. + # + # The relabeling allows the actual service scrape endpoint to be configured + # via the following annotations: + # + # * `prometheus.io/probe`: Only probe services that have a value of `true` + - job_name: 'kubernetes-services' + honor_labels: true + + metrics_path: /probe + params: + module: [http_2xx] + + kubernetes_sd_configs: + - role: service + + relabel_configs: + - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_probe] + action: keep + regex: true + - source_labels: [__address__] + target_label: __param_target + - target_label: __address__ + replacement: blackbox + - source_labels: [__param_target] + target_label: instance + - action: labelmap + regex: __meta_kubernetes_service_label_(.+) + - source_labels: [__meta_kubernetes_namespace] + target_label: namespace + - source_labels: [__meta_kubernetes_service_name] + target_label: service + + # Example scrape config for pods + # + # The relabeling allows the actual pod scrape endpoint to be configured via the + # following annotations: + # + # * `prometheus.io/scrape`: Only scrape pods that have a value of `true`, + # except if `prometheus.io/scrape-slow` is set to `true` as well. + # * `prometheus.io/scheme`: If the metrics endpoint is secured then you will need + # to set this to `https` & most likely set the `tls_config` of the scrape config. + # * `prometheus.io/path`: If the metrics path is not `/metrics` override this. + # * `prometheus.io/port`: Scrape the pod on the indicated port instead of the default of `9102`. + - job_name: 'kubernetes-pods' + honor_labels: true + + kubernetes_sd_configs: + - role: pod + + relabel_configs: + - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scrape] + action: keep + regex: true + - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scrape_slow] + action: drop + regex: true + - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scheme] + action: replace + regex: (https?) + target_label: __scheme__ + - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_path] + action: replace + target_label: __metrics_path__ + regex: (.+) + - source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port] + action: replace + regex: ([^:]+)(?::\d+)?;(\d+) + replacement: $1:$2 + target_label: __address__ + - action: labelmap + regex: __meta_kubernetes_pod_annotation_prometheus_io_param_(.+) + replacement: __param_$1 + - action: labelmap + regex: __meta_kubernetes_pod_label_(.+) + - source_labels: [__meta_kubernetes_namespace] + action: replace + target_label: namespace + - source_labels: [__meta_kubernetes_pod_name] + action: replace + target_label: pod + - source_labels: [__meta_kubernetes_pod_phase] + regex: Pending|Succeeded|Failed|Completed + action: drop + + # Example Scrape config for pods which should be scraped slower. An useful example + # would be stackriver-exporter which queries an API on every scrape of the pod + # + # The relabeling allows the actual pod scrape endpoint to be configured via the + # following annotations: + # + # * `prometheus.io/scrape-slow`: Only scrape pods that have a value of `true` + # * `prometheus.io/scheme`: If the metrics endpoint is secured then you will need + # to set this to `https` & most likely set the `tls_config` of the scrape config. + # * `prometheus.io/path`: If the metrics path is not `/metrics` override this. + # * `prometheus.io/port`: Scrape the pod on the indicated port instead of the default of `9102`. + - job_name: 'kubernetes-pods-slow' + honor_labels: true + + scrape_interval: 5m + scrape_timeout: 30s + + kubernetes_sd_configs: + - role: pod + + relabel_configs: + - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scrape_slow] + action: keep + regex: true + - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scheme] + action: replace + regex: (https?) + target_label: __scheme__ + - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_path] + action: replace + target_label: __metrics_path__ + regex: (.+) + - source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port] + action: replace + regex: ([^:]+)(?::\d+)?;(\d+) + replacement: $1:$2 + target_label: __address__ + - action: labelmap + regex: __meta_kubernetes_pod_annotation_prometheus_io_param_(.+) + replacement: __param_$1 + - action: labelmap + regex: __meta_kubernetes_pod_label_(.+) + - source_labels: [__meta_kubernetes_namespace] + action: replace + target_label: namespace + - source_labels: [__meta_kubernetes_pod_name] + action: replace + target_label: pod + - source_labels: [__meta_kubernetes_pod_phase] + regex: Pending|Succeeded|Failed|Completed + action: drop + +# adds additional scrape configs to prometheus.yml +# must be a string so you have to add a | after extraScrapeConfigs: +# example adds prometheus-blackbox-exporter scrape config +extraScrapeConfigs: + # - job_name: 'prometheus-blackbox-exporter' + # metrics_path: /probe + # params: + # module: [http_2xx] + # static_configs: + # - targets: + # - https://example.com + # relabel_configs: + # - source_labels: [__address__] + # target_label: __param_target + # - source_labels: [__param_target] + # target_label: instance + # - target_label: __address__ + # replacement: prometheus-blackbox-exporter:9115 + +# Adds option to add alert_relabel_configs to avoid duplicate alerts in alertmanager +# useful in H/A prometheus with different external labels but the same alerts +alertRelabelConfigs: + # alert_relabel_configs: + # - source_labels: [dc] + # regex: (.+)\d+ + # target_label: dc + +networkPolicy: + ## Enable creation of NetworkPolicy resources. + ## + enabled: false + +# Force namespace of namespaced resources +forceNamespace: null diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/templates/_helpers.tpl b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/templates/_helpers.tpl new file mode 100644 index 000000000..4dae8715b --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/templates/_helpers.tpl @@ -0,0 +1,49 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "monitoring.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "monitoring.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "monitoring.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Override the naming defined by the prometheus chart. +Added as a fix for https://github.com/grafana/loki/issues/1169 +*/}} +{{- define "prometheus.fullname" -}} +{{- if .Values.prometheus.server.fullnameOverride -}} +{{- .Values.prometheus.server.fullnameOverride | trunc 63 -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/templates/datasources.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/templates/datasources.yaml new file mode 100644 index 000000000..3300d7aec --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/monitoring/templates/datasources.yaml @@ -0,0 +1,25 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "monitoring.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "monitoring.name" . }} + chart: {{ template "monitoring.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} + app.kubernetes.io/instance: {{ template "monitoring.name" . }} + {{- include "k8s-triliovault-operator.observability" . | nindent 4 }} + grafana_datasource: "1" +data: + monitoring-datasource.yaml: |- + apiVersion: 1 + datasources: +{{- if .Values.prometheus.enabled }} + - name: Prometheus + type: prometheus + access: proxy + isDefault: true + url: http://{{ include "prometheus.fullname" .}}:{{ .Values.prometheus.server.service.servicePort }}{{ .Values.prometheus.server.prefixURL }} + version: 1 +{{- end }} diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/Chart.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/Chart.yaml new file mode 100644 index 000000000..12fa0fc95 --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/Chart.yaml @@ -0,0 +1,16 @@ +apiVersion: v2 +appVersion: 0.1.0 +dependencies: +- condition: grafana.enabled + name: grafana + repository: https://grafana.github.io/helm-charts + version: ^6.29.2 +description: Visualization Stack designed to manage the K8s-TrilioVault Application's + Visualization. +icon: https://www.trilio.io/wp-content/uploads/2021/01/Trilio-2020-logo-RGB-gray-green.png +kubeVersion: '>=1.19.0-0' +maintainers: +- email: support@trilio.io + name: Trilio +name: visualization +version: 0.1.0 diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/Chart.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/Chart.yaml new file mode 100644 index 000000000..5a3ffe454 --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/Chart.yaml @@ -0,0 +1,14 @@ +apiVersion: v2 +appVersion: 8.5.0 +description: The leading tool for querying and visualizing time series and metrics. +home: https://grafana.net +icon: https://raw.githubusercontent.com/grafana/grafana/master/public/img/logo_transparent_400x.png +kubeVersion: ^1.8.0-0 +maintainers: +- email: support@trilio.io + name: Trilio +name: grafana +sources: +- https://github.com/grafana/grafana +type: application +version: 6.29.2 diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/dashboards/backup-detail.json b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/dashboards/backup-detail.json new file mode 100644 index 000000000..cee756e93 --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/dashboards/backup-detail.json @@ -0,0 +1,926 @@ +{ + "__inputs": [ + { + "name": "DS_PROMETHEUS", + "label": "Prometheus", + "description": "", + "type": "datasource", + "pluginId": "prometheus", + "pluginName": "Prometheus" + }, + { + "name": "DS_LOKI", + "label": "Loki", + "description": "", + "type": "datasource", + "pluginId": "loki", + "pluginName": "Loki" + } + ], + "__elements": [], + "__requires": [ + { + "type": "panel", + "id": "gauge", + "name": "Gauge", + "version": "" + }, + { + "type": "grafana", + "id": "grafana", + "name": "Grafana", + "version": "8.5.0" + }, + { + "type": "panel", + "id": "logs", + "name": "Logs", + "version": "" + }, + { + "type": "datasource", + "id": "loki", + "name": "Loki", + "version": "1.0.0" + }, + { + "type": "datasource", + "id": "prometheus", + "name": "Prometheus", + "version": "1.0.0" + }, + { + "type": "panel", + "id": "stat", + "name": "Stat", + "version": "" + }, + { + "type": "panel", + "id": "table", + "name": "Table", + "version": "" + }, + { + "type": "panel", + "id": "table-old", + "name": "Table (old)", + "version": "" + }, + { + "type": "panel", + "id": "text", + "name": "Text", + "version": "" + } + ], + "annotations": { + "list": [ + { + "$$hashKey": "object:20", + "builtIn": 1, + "datasource": { + "type": "datasource", + "uid": "grafana" + }, + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "limit": 100, + "name": "Annotations & Alerts", + "showIn": 0, + "target": { + "limit": 100, + "matchAny": false, + "tags": [], + "type": "dashboard" + }, + "type": "dashboard" + } + ] + }, + "editable": true, + "fiscalYearStartMonth": 0, + "gnetId": 12601, + "graphTooltip": 0, + "id": null, + "iteration": 1655448146244, + "links": [], + "liveNow": false, + "panels": [ + { + "datasource": { + "uid": "${DS_PROMETHEUS}" + }, + "gridPos": { + "h": 2, + "w": 24, + "x": 0, + "y": 0 + }, + "id": 31, + "options": { + "content": "

Backup Detail

", + "mode": "html" + }, + "pluginVersion": "8.5.0", + "transparent": true, + "type": "text" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "mappings": [], + "max": 100, + "min": 0, + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "dark-red", + "value": null + }, + { + "color": "rgb(255, 255, 255)", + "value": 1 + }, + { + "color": "dark-green", + "value": 100 + } + ] + }, + "unit": "percent" + }, + "overrides": [] + }, + "gridPos": { + "h": 4, + "w": 7, + "x": 0, + "y": 2 + }, + "id": 45, + "options": { + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "last" + ], + "fields": "", + "values": false + }, + "showThresholdLabels": false, + "showThresholdMarkers": false + }, + "pluginVersion": "8.5.0", + "targets": [ + { + "datasource": "${DS_PROMETHEUS}", + "expr": "trilio_backup_status_percentage{backup=~\"$Backup\",install_namespace=~\"$Install_Namespace\",cluster=~\"$Cluster\",kind=\"Backup\"}", + "format": "time_series", + "instant": true, + "interval": "", + "intervalFactor": 1, + "legendFormat": "{{status}}", + "refId": "A" + } + ], + "transparent": true, + "type": "gauge" + }, + { + "datasource": { + "uid": "${DS_PROMETHEUS}" + }, + "gridPos": { + "h": 1, + "w": 4, + "x": 8, + "y": 2 + }, + "id": 50, + "links": [], + "maxDataPoints": 100, + "options": { + "content": "", + "mode": "markdown" + }, + "pluginVersion": "8.5.0", + "targets": [ + { + "datasource": "${DS_PROMETHEUS}", + "expr": "trilio_backup_info{backup=~\"$Backup\",namespace=~\"$Namespace\",cluster=~\"$Cluster\"}", + "format": "time_series", + "instant": true, + "interval": "", + "intervalFactor": 1, + "legendFormat": "{{status}}", + "refId": "A" + } + ], + "transparent": true, + "type": "text" + }, + { + "columns": [], + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "description": "", + "fontSize": "100%", + "gridPos": { + "h": 14, + "w": 12, + "x": 12, + "y": 2 + }, + "id": 42, + "links": [], + "showHeader": true, + "sort": { + "col": 18, + "desc": true + }, + "styles": [ + { + "$$hashKey": "object:10447", + "alias": "Object Type", + "align": "auto", + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "link": true, + "linkTooltip": "Show Metadata Details", + "linkUrl": "/d/Metadata/metadata-detail?var-Backup=${Backup}&var-ObjectType=${__cell}&var-Cluster=${Cluster}&var-Install_Namespace=${Install_Namespace}", + "mappingType": 1, + "pattern": "objecttype", + "type": "string" + }, + { + "$$hashKey": "object:1072", + "alias": "Source", + "align": "auto", + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "mappingType": 1, + "pattern": "applicationtype", + "thresholds": [], + "type": "string", + "unit": "short" + }, + { + "$$hashKey": "object:1249", + "alias": "Count", + "align": "auto", + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "mappingType": 1, + "pattern": "Value", + "thresholds": [], + "type": "number", + "unit": "short" + }, + { + "$$hashKey": "object:10448", + "alias": "", + "align": "right", + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "decimals": 2, + "pattern": "/.*/", + "thresholds": [], + "type": "hidden", + "unit": "short" + } + ], + "targets": [ + { + "datasource": "${DS_PROMETHEUS}", + "expr": "avg(trilio_backup_metadata_info{backup=~\"$Backup\",install_namespace=~\"$Install_Namespace\",cluster=~\"$Cluster\",kind=\"Backup\"}) by (objecttype, applicationtype)", + "format": "table", + "instant": true, + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + "title": "Metadata Info", + "transform": "table", + "type": "table-old" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "mappings": [ + { + "options": { + "0": { + "text": "InProgress" + }, + "1": { + "text": "Available" + }, + "-1": { + "text": "Failed" + }, + "-2": { + "text": "UnKnown" + } + }, + "type": "value" + } + ], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "red", + "value": null + }, + { + "color": "dark-red", + "value": -1 + }, + { + "color": "blue", + "value": 0 + }, + { + "color": "green", + "value": 1 + } + ] + }, + "unit": "short" + }, + "overrides": [] + }, + "gridPos": { + "h": 2, + "w": 5, + "x": 7, + "y": 3 + }, + "id": 46, + "links": [], + "maxDataPoints": 100, + "options": { + "colorMode": "value", + "fieldOptions": { + "calcs": [ + "mean" + ] + }, + "graphMode": "none", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "first" + ], + "fields": "", + "values": false + }, + "textMode": "value" + }, + "pluginVersion": "8.5.0", + "targets": [ + { + "datasource": "${DS_PROMETHEUS}", + "expr": "trilio_backup_info{backup=~\"$Backup\",install_namespace=~\"$Install_Namespace\",cluster=~\"$Cluster\",kind=\"Backup\"}", + "format": "time_series", + "instant": true, + "interval": "", + "intervalFactor": 1, + "legendFormat": "{{status}}", + "refId": "A" + } + ], + "transparent": true, + "type": "stat" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [ + { + "options": { + "match": "null", + "result": { + "text": "N/A" + } + }, + "type": "special" + } + ], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "none" + }, + "overrides": [] + }, + "gridPos": { + "h": 3, + "w": 6, + "x": 0, + "y": 6 + }, + "id": 47, + "links": [], + "maxDataPoints": 100, + "options": { + "colorMode": "none", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "horizontal", + "reduceOptions": { + "calcs": [ + "first" + ], + "fields": "/^backup$/", + "values": false + }, + "text": { + "valueSize": 30 + }, + "textMode": "auto" + }, + "pluginVersion": "8.5.0", + "targets": [ + { + "datasource": "${DS_PROMETHEUS}", + "expr": "trilio_backup_info{ backup=~\"$Backup\",install_namespace=~\"$Install_Namespace\",cluster=~\"$Cluster\",kind=\"Backup\"}", + "format": "table", + "instant": true, + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + "title": "Name", + "type": "stat" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [ + { + "options": { + "match": "null", + "result": { + "text": "N/A" + } + }, + "type": "special" + } + ], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "none" + }, + "overrides": [] + }, + "gridPos": { + "h": 3, + "w": 6, + "x": 6, + "y": 6 + }, + "id": 36, + "links": [], + "maxDataPoints": 100, + "options": { + "colorMode": "none", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "horizontal", + "reduceOptions": { + "calcs": [ + "first" + ], + "fields": "/^backupplan$/", + "values": false + }, + "text": { + "valueSize": 30 + }, + "textMode": "auto" + }, + "pluginVersion": "8.5.0", + "targets": [ + { + "datasource": "${DS_PROMETHEUS}", + "expr": "trilio_backup_info{ backup=~\"$Backup\",install_namespace=~\"$Install_Namespace\",cluster=~\"$Cluster\",kind=\"Backup\"}", + "format": "table", + "instant": true, + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + "title": "Backup Plan", + "type": "stat" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "custom": { + "align": "left", + "displayMode": "auto", + "filterable": false, + "inspect": false + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + } + ] + }, + "unit": "short" + }, + "overrides": [ + { + "matcher": { + "id": "byName", + "options": "First" + }, + "properties": [ + { + "id": "displayName", + "value": "Value" + } + ] + } + ] + }, + "gridPos": { + "h": 7, + "w": 12, + "x": 0, + "y": 9 + }, + "id": 49, + "options": { + "footer": { + "fields": "", + "reducer": [ + "sum" + ], + "show": false + }, + "showHeader": true + }, + "pluginVersion": "8.5.0", + "targets": [ + { + "datasource": "${DS_PROMETHEUS}", + "expr": "trilio_backup_info{ backup=~\"$Backup\",install_namespace=~\"$Install_Namespace\",cluster=~\"$Cluster\",kind=\"Backup\"}", + "format": "table", + "instant": true, + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + "title": "Details", + "transformations": [ + { + "id": "filterFieldsByName", + "options": { + "include": { + "names": [ + "Time", + "applicationtype", + "backup_type", + "completion_ts", + "hook", + "size", + "start_ts", + "target", + "resource_namespace" + ] + } + } + }, + { + "id": "reduce", + "options": { + "reducers": [ + "first" + ] + } + } + ], + "type": "table" + }, + { + "datasource": { + "type": "loki", + "uid": "${DS_LOKI}" + }, + "description": "Backup Logs", + "gridPos": { + "h": 11, + "w": 24, + "x": 0, + "y": 16 + }, + "id": 52, + "options": { + "dedupStrategy": "none", + "enableLogDetails": true, + "prettifyLogMessage": false, + "showCommonLabels": false, + "showLabels": false, + "showTime": true, + "sortOrder": "Descending", + "wrapLogMessage": false + }, + "targets": [ + { + "datasource": { + "type": "loki", + "uid": "${DS_LOKI}" + }, + "expr": "{transaction_type=\"Backup\",transaction_resource_name=~\"$Backup\",service_type=~\"$service_type\",transaction_resource_namespace=~\"$Namespace\"}", + "refId": "A" + } + ], + "title": "Backup Logs", + "type": "logs" + } + ], + "refresh": "30s", + "schemaVersion": 36, + "style": "dark", + "tags": [ + "logging" + ], + "templating": { + "list": [ + { + "current": { + "selected": false, + "text": "Prometheus", + "value": "Prometheus" + }, + "hide": 2, + "includeAll": false, + "label": "datasource", + "multi": false, + "name": "DS_PROMETHEUS", + "options": [], + "query": "prometheus", + "refresh": 1, + "regex": "", + "skipUrlSync": false, + "type": "datasource" + }, + { + "current": { + "selected": false, + "text": "Loki", + "value": "Loki" + }, + "description": "loki datasource", + "hide": 2, + "includeAll": false, + "label": "datasource", + "multi": false, + "name": "DS_LOKI", + "options": [], + "query": "loki", + "refresh": 1, + "regex": "", + "skipUrlSync": false, + "type": "datasource" + }, + { + "current": {}, + "datasource": { + "uid": "${DS_PROMETHEUS}" + }, + "definition": "trilio_system_info", + "hide": 2, + "includeAll": false, + "multi": false, + "name": "Cluster", + "options": [], + "query": { + "query": "trilio_system_info", + "refId": "Prometheus-Cluster-Variable-Query" + }, + "refresh": 1, + "regex": "/.*cluster=\"([^\"]*).*/", + "skipUrlSync": false, + "sort": 0, + "tagValuesQuery": "", + "tagsQuery": "", + "type": "query", + "useTags": false + }, + { + "current": {}, + "datasource": { + "uid": "${DS_PROMETHEUS}" + }, + "definition": "trilio_system_info{cluster=~\"$Cluster\"}", + "hide": 2, + "includeAll": false, + "multi": false, + "name": "Scope", + "options": [], + "query": { + "query": "trilio_system_info{cluster=~\"$Cluster\"}", + "refId": "Prometheus-Scope-Variable-Query" + }, + "refresh": 1, + "regex": "/.*scope=\"([^\"]*).*/", + "skipUrlSync": false, + "sort": 0, + "tagValuesQuery": "", + "tagsQuery": "", + "type": "query", + "useTags": false + }, + { + "current": {}, + "datasource": { + "uid": "${DS_PROMETHEUS}" + }, + "definition": "trilio_system_info{scope=~\"$Scope\",cluster=~\"$Cluster\"}", + "hide": 0, + "includeAll": false, + "label": "Install Namespace", + "multi": false, + "name": "Install_Namespace", + "options": [], + "query": { + "query": "trilio_system_info{scope=~\"$Scope\",cluster=~\"$Cluster\"}", + "refId": "Prometheus-Install_Namespace-Variable-Query" + }, + "refresh": 2, + "regex": "/.*install_namespace=\"([^\"]*).*/", + "skipUrlSync": false, + "sort": 0, + "tagValuesQuery": "", + "tagsQuery": "", + "type": "query", + "useTags": false + }, + { + "current": {}, + "datasource": { + "uid": "${DS_PROMETHEUS}" + }, + "definition": "trilio_backup_info{cluster=~\"$Cluster\",install_namespace=~\"$Install_Namespace\",kind=\"Backup\"}", + "hide": 0, + "includeAll": false, + "label": "Backup", + "multi": false, + "name": "Backup", + "options": [], + "query": { + "query": "trilio_backup_info{cluster=~\"$Cluster\",install_namespace=~\"$Install_Namespace\",kind=\"Backup\"}", + "refId": "StandardVariableQuery" + }, + "refresh": 2, + "regex": "/.*backup=\"([^\"]*).*/", + "skipUrlSync": false, + "sort": 0, + "tagValuesQuery": "", + "tagsQuery": "", + "type": "query", + "useTags": false + }, + { + "current": {}, + "datasource": { + "type": "loki", + "uid": "${DS_LOKI}" + }, + "definition": "label_values({transaction_type=~\"Backup\",transaction_resource_name=~\"$Backup\"}, service_type)", + "description": "Service Type", + "hide": 0, + "includeAll": true, + "label": "Service Type", + "multi": false, + "name": "service_type", + "options": [], + "query": "label_values({transaction_type=~\"Backup\",transaction_resource_name=~\"$Backup\"}, service_type)", + "refresh": 2, + "regex": "", + "skipUrlSync": false, + "sort": 0, + "type": "query" + }, + { + "current": {}, + "datasource": { + "type": "loki", + "uid": "${DS_LOKI}" + }, + "definition": "label_values({transaction_type=~\"Backup\",transaction_resource_name=~\"$Backup\"},transaction_resource_namespace)", + "description": "Backup Namespace", + "hide": 0, + "includeAll": true, + "label": "Backup Namespace", + "multi": false, + "name": "Namespace", + "options": [], + "query": "label_values({transaction_type=~\"Backup\",transaction_resource_name=~\"$Backup\"},transaction_resource_namespace)", + "refresh": 2, + "regex": "", + "skipUrlSync": false, + "sort": 0, + "type": "query" + } + ] + }, + "time": { + "from": "now-15m", + "to": "now" + }, + "timepicker": { + "refresh_intervals": [ + "10s", + "30s", + "1m", + "5m", + "15m", + "30m", + "1h", + "2h", + "1d" + ] + }, + "timezone": "", + "title": "Backup Detail", + "uid": "Backup", + "version": 1, + "weekStart": "" +} diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/dashboards/backup-overview.json b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/dashboards/backup-overview.json new file mode 100644 index 000000000..5d4c209c8 --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/dashboards/backup-overview.json @@ -0,0 +1,883 @@ +{ + "__inputs": [ + { + "name": "DS_PROMETHEUS", + "label": "Prometheus", + "description": "", + "type": "datasource", + "pluginId": "prometheus", + "pluginName": "Prometheus" + } + ], + "__elements": [], + "__requires": [ + { + "type": "grafana", + "id": "grafana", + "name": "Grafana", + "version": "8.5.0" + }, + { + "type": "datasource", + "id": "prometheus", + "name": "Prometheus", + "version": "1.0.0" + }, + { + "type": "panel", + "id": "stat", + "name": "Stat", + "version": "" + }, + { + "type": "panel", + "id": "table", + "name": "Table", + "version": "" + }, + { + "type": "panel", + "id": "text", + "name": "Text", + "version": "" + } + ], + "annotations": { + "list": [ + { + "$$hashKey": "object:14091", + "builtIn": 1, + "datasource": { + "type": "datasource", + "uid": "grafana" + }, + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "limit": 100, + "name": "Annotations & Alerts", + "showIn": 0, + "target": { + "limit": 100, + "matchAny": false, + "tags": [], + "type": "dashboard" + }, + "type": "dashboard" + } + ] + }, + "editable": true, + "fiscalYearStartMonth": 0, + "gnetId": 12600, + "graphTooltip": 0, + "id": null, + "iteration": 1655400242671, + "links": [], + "liveNow": false, + "panels": [ + { + "datasource": { + "uid": "${DS_PROMETHEUS}" + }, + "gridPos": { + "h": 2, + "w": 24, + "x": 0, + "y": 0 + }, + "id": 4, + "options": { + "content": "

Backups Overview

", + "mode": "html" + }, + "pluginVersion": "8.5.0", + "transparent": true, + "type": "text" + }, + { + "datasource": { + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "links": [], + "mappings": [], + "min": 0, + "noValue": "0", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "rgb(115, 181, 181)", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "short" + }, + "overrides": [] + }, + "gridPos": { + "h": 3, + "w": 4, + "x": 2, + "y": 2 + }, + "id": 31, + "options": { + "colorMode": "background", + "graphMode": "none", + "justifyMode": "center", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "last" + ], + "fields": "/^All$/", + "values": false + }, + "textMode": "auto" + }, + "pluginVersion": "8.5.0", + "targets": [ + { + "expr": "count(trilio_backup_info{install_namespace=~\"$Install_Namespace\",cluster=~\"$Cluster\"}) ", + "format": "time_series", + "instant": true, + "interval": "", + "legendFormat": "All", + "refId": "A", + "datasource": "${DS_PROMETHEUS}" + } + ], + "title": "All", + "transparent": true, + "type": "stat" + }, + { + "datasource": { + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "links": [], + "mappings": [], + "min": 0, + "noValue": "0", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "short" + }, + "overrides": [] + }, + "gridPos": { + "h": 3, + "w": 4, + "x": 6, + "y": 2 + }, + "id": 34, + "links": [], + "options": { + "colorMode": "background", + "graphMode": "none", + "justifyMode": "center", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "last" + ], + "fields": "/^Available$/", + "values": false + }, + "textMode": "auto" + }, + "pluginVersion": "8.5.0", + "targets": [ + { + "expr": "count(trilio_backup_info{status=\"Available\",install_namespace=~\"$Install_Namespace\",cluster=~\"$Cluster\"}) by (status)", + "format": "time_series", + "instant": true, + "interval": "", + "legendFormat": "{{status}}", + "refId": "A", + "datasource": "${DS_PROMETHEUS}" + } + ], + "title": "Available", + "transparent": true, + "type": "stat" + }, + { + "datasource": { + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "links": [], + "mappings": [], + "min": 0, + "noValue": "0", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "red", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "short" + }, + "overrides": [] + }, + "gridPos": { + "h": 3, + "w": 4, + "x": 10, + "y": 2 + }, + "id": 33, + "options": { + "colorMode": "background", + "graphMode": "none", + "justifyMode": "center", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "last" + ], + "fields": "/^Failed$/", + "values": false + }, + "textMode": "auto" + }, + "pluginVersion": "8.5.0", + "targets": [ + { + "expr": "count(trilio_backup_info{status=\"Failed\",install_namespace=~\"$Install_Namespace\",cluster=~\"$Cluster\"}) by (status)", + "format": "time_series", + "instant": true, + "interval": "", + "legendFormat": "{{status}}", + "refId": "A", + "datasource": "${DS_PROMETHEUS}" + } + ], + "title": "Failed", + "transparent": true, + "type": "stat" + }, + { + "datasource": { + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "links": [], + "mappings": [], + "min": 0, + "noValue": "0", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "blue", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "short" + }, + "overrides": [] + }, + "gridPos": { + "h": 3, + "w": 4, + "x": 14, + "y": 2 + }, + "id": 32, + "options": { + "colorMode": "background", + "graphMode": "none", + "justifyMode": "center", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "last" + ], + "fields": "/^InProgress$/", + "values": false + }, + "textMode": "auto" + }, + "pluginVersion": "8.5.0", + "targets": [ + { + "expr": "count(trilio_backup_info{status=\"InProgress\",install_namespace=~\"$Install_Namespace\",cluster=~\"$Cluster\"}) by (status)", + "format": "time_series", + "instant": true, + "interval": "", + "legendFormat": "{{status}}", + "refId": "A", + "datasource": "${DS_PROMETHEUS}" + } + ], + "title": "InProgress", + "transparent": true, + "type": "stat" + }, + { + "datasource": { + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "links": [], + "mappings": [], + "min": 0, + "noValue": "0", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "rgb(129, 135, 135)", + "value": null + } + ] + }, + "unit": "short" + }, + "overrides": [] + }, + "gridPos": { + "h": 3, + "w": 4, + "x": 18, + "y": 2 + }, + "id": 37, + "options": { + "colorMode": "background", + "graphMode": "none", + "justifyMode": "center", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "last" + ], + "fields": "/^UnKnown$/", + "values": false + }, + "textMode": "auto" + }, + "pluginVersion": "8.5.0", + "targets": [ + { + "expr": "count(trilio_backup_info{status=\"UnKnown\",install_namespace=~\"$Install_Namespace\",cluster=~\"$Cluster\"}) by (status)", + "format": "time_series", + "instant": true, + "interval": "", + "legendFormat": "{{status}}", + "refId": "A", + "datasource": "${DS_PROMETHEUS}" + } + ], + "title": "UnKnown", + "transparent": true, + "type": "stat" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "custom": { + "align": "auto", + "displayMode": "auto", + "filterable": false, + "inspect": false + }, + "links": [], + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + } + }, + "overrides": [ + { + "matcher": { + "id": "byName", + "options": "backup" + }, + "properties": [ + { + "id": "displayName", + "value": "Backup" + }, + { + "id": "unit", + "value": "short" + }, + { + "id": "decimals", + "value": 2 + }, + { + "id": "links", + "value": [ + { + "targetBlank": false, + "title": "Backup Detail", + "url": "/d/${__data.fields.kind}/?refresh=5s&var-Backup=${__value.text}&var-Cluster=${Cluster}&var-Install_Namespace=${Install_Namespace}" + } + ] + }, + { + "id": "custom.align" + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "backupplan" + }, + "properties": [ + { + "id": "displayName", + "value": "Backup Plan" + }, + { + "id": "unit", + "value": "short" + }, + { + "id": "decimals", + "value": 2 + }, + { + "id": "custom.align" + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "completion_ts" + }, + "properties": [ + { + "id": "displayName", + "value": "Completion" + }, + { + "id": "unit", + "value": "short" + }, + { + "id": "decimals", + "value": 2 + }, + { + "id": "unit", + "value": "time: YYYY-MM-DD HH:mm:ss.SSS" + }, + { + "id": "custom.align" + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "target" + }, + "properties": [ + { + "id": "displayName", + "value": "Target" + }, + { + "id": "unit", + "value": "short" + }, + { + "id": "decimals", + "value": 2 + }, + { + "id": "links", + "value": [ + { + "targetBlank": false, + "title": "Target Detail", + "url": "/d/TargetDetail/target-detail?refresh=5s&var-Target=${__value.text}&var-Cluster=${Cluster}&var-Install_Namespace=${Install_Namespace}" + } + ] + }, + { + "id": "custom.align" + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "size" + }, + "properties": [ + { + "id": "displayName", + "value": "Size" + }, + { + "id": "unit", + "value": "decbytes" + }, + { + "id": "custom.align" + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "Value" + }, + "properties": [ + { + "id": "displayName", + "value": "Percentage" + }, + { + "id": "unit", + "value": "percent" + }, + { + "id": "custom.align" + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "status" + }, + "properties": [ + { + "id": "displayName", + "value": "Status" + }, + { + "id": "unit", + "value": "short" + }, + { + "id": "decimals", + "value": 2 + }, + { + "id": "custom.align" + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "backup_type" + }, + "properties": [ + { + "id": "displayName", + "value": "Backup Type" + }, + { + "id": "unit", + "value": "short" + }, + { + "id": "decimals", + "value": 2 + }, + { + "id": "custom.align" + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "kind" + }, + "properties": [ + { + "id": "displayName", + "value": "Backup Kind" + }, + { + "id": "unit", + "value": "short" + }, + { + "id": "decimals", + "value": 2 + }, + { + "id": "custom.align" + } + ] + } + ] + }, + "gridPos": { + "h": 12, + "w": 24, + "x": 0, + "y": 5 + }, + "id": 29, + "options": { + "footer": { + "enablePagination": false, + "fields": "", + "reducer": [ + "sum" + ], + "show": false + }, + "showHeader": true + }, + "pluginVersion": "8.5.0", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "code", + "expr": "trilio_backup_status_percentage{status=~\"$Status\",install_namespace=~\"$Install_Namespace\",cluster=~\"$Cluster\"}", + "format": "table", + "instant": true, + "interval": "", + "intervalFactor": 1, + "legendFormat": "", + "refId": "A" + } + ], + "transformations": [ + { + "id": "merge", + "options": { + "reducers": [] + } + }, + { + "id": "filterFieldsByName", + "options": { + "include": { + "names": [ + "backup", + "backup_type", + "backupplan", + "completion_ts", + "size", + "status", + "target", + "Value", + "kind" + ] + } + } + } + ], + "type": "table" + } + ], + "refresh": "10s", + "schemaVersion": 36, + "style": "dark", + "tags": [], + "templating": { + "list": [ + { + "current": { + "selected": false, + "text": "Prometheus", + "value": "Prometheus" + }, + "hide": 2, + "includeAll": false, + "label": "datasource", + "multi": false, + "name": "DS_PROMETHEUS", + "options": [], + "query": "prometheus", + "refresh": 1, + "regex": "", + "skipUrlSync": false, + "type": "datasource" + }, + { + "current": {}, + "datasource": { + "uid": "${DS_PROMETHEUS}" + }, + "definition": "trilio_system_info", + "hide": 2, + "includeAll": false, + "multi": false, + "name": "Cluster", + "options": [], + "query": { + "query": "trilio_system_info", + "refId": "Prometheus-Cluster-Variable-Query" + }, + "refresh": 1, + "regex": "/.*cluster=\"([^\"]*).*/", + "skipUrlSync": false, + "sort": 0, + "tagValuesQuery": "", + "tagsQuery": "", + "type": "query", + "useTags": false + }, + { + "current": {}, + "datasource": { + "uid": "${DS_PROMETHEUS}" + }, + "definition": "trilio_system_info{cluster=~\"$Cluster\"}", + "hide": 2, + "includeAll": false, + "multi": false, + "name": "Scope", + "options": [], + "query": { + "query": "trilio_system_info{cluster=~\"$Cluster\"}", + "refId": "Prometheus-Scope-Variable-Query" + }, + "refresh": 1, + "regex": "/.*scope=\"([^\"]*).*/", + "skipUrlSync": false, + "sort": 0, + "tagValuesQuery": "", + "tagsQuery": "", + "type": "query", + "useTags": false + }, + { + "current": {}, + "datasource": { + "uid": "${DS_PROMETHEUS}" + }, + "definition": "trilio_system_info{scope=~\"$Scope\",cluster=~\"$Cluster\"}", + "hide": 0, + "includeAll": false, + "label": "Install Namespace", + "multi": false, + "name": "Install_Namespace", + "options": [], + "query": { + "query": "trilio_system_info{scope=~\"$Scope\",cluster=~\"$Cluster\"}", + "refId": "Prometheus-Install_Namespace-Variable-Query" + }, + "refresh": 1, + "regex": "/.*install_namespace=\"([^\"]*).*/", + "skipUrlSync": false, + "sort": 0, + "tagValuesQuery": "", + "tagsQuery": "", + "type": "query", + "useTags": false + }, + { + "current": {}, + "datasource": { + "uid": "${DS_PROMETHEUS}" + }, + "definition": "trilio_backup_info", + "hide": 0, + "includeAll": true, + "label": "Status", + "multi": false, + "name": "Status", + "options": [], + "query": { + "query": "trilio_backup_info", + "refId": "Prometheus-Status-Variable-Query" + }, + "refresh": 1, + "regex": "/.*status=\"([^\"]*).*/", + "skipUrlSync": false, + "sort": 0, + "tagValuesQuery": "", + "tagsQuery": "", + "type": "query", + "useTags": false + } + ] + }, + "time": { + "from": "now-15m", + "to": "now" + }, + "timepicker": { + "refresh_intervals": [ + "10s", + "30s", + "1m", + "5m", + "15m", + "30m", + "1h", + "2h", + "1d" + ] + }, + "timezone": "", + "title": "Backup Overview", + "uid": "BackupOverview", + "version": 1, + "weekStart": "" +} \ No newline at end of file diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/dashboards/backupplan-detail.json b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/dashboards/backupplan-detail.json new file mode 100644 index 000000000..2295b2b09 --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/dashboards/backupplan-detail.json @@ -0,0 +1,1198 @@ +{ + "__inputs": [ + { + "name": "DS_PROMETHEUS", + "label": "Prometheus", + "description": "", + "type": "datasource", + "pluginId": "prometheus", + "pluginName": "Prometheus" + }, + { + "name": "DS_LOKI", + "label": "Loki", + "description": "", + "type": "datasource", + "pluginId": "loki", + "pluginName": "Loki" + } + ], + "__elements": [], + "__requires": [ + { + "type": "grafana", + "id": "grafana", + "name": "Grafana", + "version": "8.5.0" + }, + { + "type": "panel", + "id": "logs", + "name": "Logs", + "version": "" + }, + { + "type": "datasource", + "id": "loki", + "name": "Loki", + "version": "1.0.0" + }, + { + "type": "datasource", + "id": "prometheus", + "name": "Prometheus", + "version": "1.0.0" + }, + { + "type": "panel", + "id": "stat", + "name": "Stat", + "version": "" + }, + { + "type": "panel", + "id": "table", + "name": "Table", + "version": "" + }, + { + "type": "panel", + "id": "text", + "name": "Text", + "version": "" + } + ], + "annotations": { + "list": [ + { + "$$hashKey": "object:4254", + "builtIn": 1, + "datasource": { + "type": "datasource", + "uid": "grafana" + }, + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "limit": 100, + "name": "Annotations & Alerts", + "showIn": 0, + "target": { + "limit": 100, + "matchAny": false, + "tags": [], + "type": "dashboard" + }, + "type": "dashboard" + } + ] + }, + "editable": true, + "fiscalYearStartMonth": 0, + "gnetId": 12605, + "graphTooltip": 0, + "id": null, + "iteration": 1655401068331, + "links": [], + "liveNow": false, + "panels": [ + { + "datasource": { + "uid": "${DS_PROMETHEUS}" + }, + "gridPos": { + "h": 2, + "w": 23, + "x": 0, + "y": 0 + }, + "id": 4, + "options": { + "content": "

Backup Plan Detail

", + "mode": "html" + }, + "pluginVersion": "8.5.0", + "transparent": true, + "type": "text" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "mappings": [ + { + "options": { + "0": { + "text": "InProgress" + }, + "1": { + "text": "Available" + }, + "-1": { + "text": "Failed" + }, + "-2": { + "text": "UnKnown" + } + }, + "type": "value" + } + ], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "red", + "value": null + }, + { + "color": "dark-red", + "value": -1 + }, + { + "color": "blue", + "value": 0 + }, + { + "color": "green", + "value": 1 + } + ] + }, + "unit": "short" + }, + "overrides": [] + }, + "gridPos": { + "h": 3, + "w": 5, + "x": 0, + "y": 2 + }, + "id": 16, + "links": [], + "maxDataPoints": 100, + "options": { + "colorMode": "value", + "fieldOptions": { + "calcs": [ + "mean" + ] + }, + "graphMode": "none", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "first" + ], + "fields": "", + "values": false + }, + "textMode": "auto" + }, + "pluginVersion": "8.5.0", + "targets": [ + { + "datasource": "${DS_PROMETHEUS}", + "expr": "trilio_backupplan_info{backupplan=~\"$BackupPlan\",install_namespace=~\"$Install_Namespace\",cluster=~\"$Cluster\",kind=\"BackupPlan\"}", + "format": "time_series", + "instant": true, + "interval": "", + "intervalFactor": 1, + "legendFormat": "", + "refId": "A" + } + ], + "title": "Status", + "transparent": true, + "type": "stat" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [ + { + "options": { + "match": "null", + "result": { + "text": "N/A" + } + }, + "type": "special" + } + ], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "none" + }, + "overrides": [] + }, + "gridPos": { + "h": 3, + "w": 4, + "x": 5, + "y": 2 + }, + "id": 9, + "links": [], + "maxDataPoints": 100, + "options": { + "colorMode": "none", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "horizontal", + "reduceOptions": { + "calcs": [ + "first" + ], + "fields": "/^applicationtype$/", + "values": false + }, + "textMode": "auto" + }, + "pluginVersion": "8.5.0", + "targets": [ + { + "datasource": "${DS_PROMETHEUS}", + "expr": "trilio_backupplan_info{ backupplan=~\"$BackupPlan\",install_namespace=~\"$Install_Namespace\",cluster=~\"$Cluster\",kind=\"BackupPlan\"}", + "format": "table", + "instant": true, + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + "title": "Application Type", + "type": "stat" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [ + { + "options": { + "match": "null", + "result": { + "text": "False" + } + }, + "type": "special" + } + ], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "none" + }, + "overrides": [] + }, + "gridPos": { + "h": 3, + "w": 4, + "x": 9, + "y": 2 + }, + "id": 10, + "links": [], + "maxDataPoints": 100, + "options": { + "colorMode": "none", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "horizontal", + "reduceOptions": { + "calcs": [ + "first" + ], + "fields": "/^protected$/", + "values": false + }, + "textMode": "auto" + }, + "pluginVersion": "8.5.0", + "targets": [ + { + "datasource": "${DS_PROMETHEUS}", + "expr": "trilio_backupplan_info{ backupplan=~\"$BackupPlan\",install_namespace=~\"$Install_Namespace\",cluster=~\"$Cluster\",kind=\"BackupPlan\"}", + "format": "table", + "instant": true, + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + "title": "Protected", + "type": "stat" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [ + { + "options": { + "match": "null", + "result": { + "text": "0" + } + }, + "type": "special" + } + ], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "none" + }, + "overrides": [] + }, + "gridPos": { + "h": 3, + "w": 4, + "x": 13, + "y": 2 + }, + "id": 13, + "links": [], + "maxDataPoints": 100, + "options": { + "colorMode": "none", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "horizontal", + "reduceOptions": { + "calcs": [ + "first" + ], + "fields": "/^backup_count$/", + "values": false + }, + "textMode": "auto" + }, + "pluginVersion": "8.5.0", + "targets": [ + { + "datasource": "${DS_PROMETHEUS}", + "expr": "trilio_backupplan_info{ backupplan=~\"$BackupPlan\",install_namespace=~\"$Install_Namespace\",cluster=~\"$Cluster\",kind=\"BackupPlan\"}", + "format": "table", + "instant": true, + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + "title": "Num of Backups", + "type": "stat" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [ + { + "options": { + "match": "null", + "result": { + "text": "N/A" + } + }, + "type": "special" + } + ], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "none" + }, + "overrides": [] + }, + "gridPos": { + "h": 3, + "w": 4, + "x": 17, + "y": 2 + }, + "id": 14, + "links": [], + "maxDataPoints": 100, + "options": { + "colorMode": "none", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "horizontal", + "reduceOptions": { + "calcs": [ + "first" + ], + "fields": "/^target$/", + "values": false + }, + "textMode": "auto" + }, + "pluginVersion": "8.5.0", + "targets": [ + { + "datasource": "${DS_PROMETHEUS}", + "expr": "trilio_backupplan_info{ backupplan=~\"$BackupPlan\",install_namespace=~\"$Install_Namespace\",cluster=~\"$Cluster\",kind=\"BackupPlan\"}", + "format": "table", + "instant": true, + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + "title": "Target", + "type": "stat" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "custom": { + "align": "auto", + "displayMode": "auto", + "inspect": false + }, + "decimals": 2, + "displayName": "", + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "short" + }, + "overrides": [ + { + "matcher": { + "id": "byName", + "options": "backup" + }, + "properties": [ + { + "id": "displayName", + "value": "Backup" + }, + { + "id": "unit", + "value": "short" + }, + { + "id": "decimals", + "value": 2 + }, + { + "id": "links", + "value": [ + { + "targetBlank": false, + "title": "Backup Detail", + "url": "/d/${__data.fields.kind}/?refresh=5s&var-Backup=${__value.text}&var-Cluster=${Cluster}&var-Install_Namespace=${Install_Namespace}" + } + ] + }, + { + "id": "custom.align" + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "completion_ts" + }, + "properties": [ + { + "id": "displayName", + "value": "Completion" + }, + { + "id": "unit", + "value": "short" + }, + { + "id": "decimals", + "value": 2 + }, + { + "id": "custom.align" + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "size" + }, + "properties": [ + { + "id": "displayName", + "value": "Size" + }, + { + "id": "unit", + "value": "decbytes" + }, + { + "id": "custom.align" + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "status" + }, + "properties": [ + { + "id": "displayName", + "value": "Status" + }, + { + "id": "unit", + "value": "short" + }, + { + "id": "decimals", + "value": 2 + }, + { + "id": "custom.align" + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "backup_type" + }, + "properties": [ + { + "id": "displayName", + "value": "Backup Type" + }, + { + "id": "unit", + "value": "short" + }, + { + "id": "decimals", + "value": 2 + }, + { + "id": "custom.align" + } + ] + } + ] + }, + "gridPos": { + "h": 7, + "w": 12, + "x": 0, + "y": 5 + }, + "id": 12, + "options": { + "footer": { + "fields": "", + "reducer": [ + "sum" + ], + "show": false + }, + "showHeader": true + }, + "pluginVersion": "8.5.0", + "targets": [ + { + "datasource": "${DS_PROMETHEUS}", + "expr": "trilio_backup_info{backupplan=~\"$BackupPlan\",install_namespace=~\"$Install_Namespace\",cluster=~\"$Cluster\",kind=\"Backup\"}", + "format": "table", + "instant": true, + "interval": "", + "intervalFactor": 1, + "legendFormat": "", + "refId": "A" + } + ], + "title": "Backups", + "transformations": [ + { + "id": "merge", + "options": { + "reducers": [] + } + }, + { + "id": "filterFieldsByName", + "options": { + "include": { + "names": [ + "backup_type", + "status", + "backup", + "completion_ts", + "size", + "kind" + ] + } + } + } + ], + "type": "table" + }, + { + "datasource": { + "type": "loki", + "uid": "${DS_LOKI}" + }, + "description": "BackupPlan Logs", + "gridPos": { + "h": 14, + "w": 12, + "x": 12, + "y": 5 + }, + "id": 18, + "options": { + "dedupStrategy": "none", + "enableLogDetails": true, + "prettifyLogMessage": false, + "showCommonLabels": false, + "showLabels": false, + "showTime": true, + "sortOrder": "Descending", + "wrapLogMessage": false + }, + "targets": [ + { + "datasource": { + "type": "loki", + "uid": "${DS_LOKI}" + }, + "expr": "{transaction_type=\"BackupPlan\",transaction_resource_name=~\"$BackupPlan\",service_type=~\"$service_type\",transaction_resource_namespace=~\"$Namespace\"}", + "refId": "A" + } + ], + "title": "BackupPlan Logs", + "type": "logs" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "custom": { + "align": "auto", + "displayMode": "auto", + "inspect": false + }, + "decimals": 2, + "displayName": "", + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "short" + }, + "overrides": [ + { + "matcher": { + "id": "byName", + "options": "consistentset_count" + }, + "properties": [ + { + "id": "displayName", + "value": "ConsistentSet Count" + }, + { + "id": "unit", + "value": "short" + }, + { + "id": "decimals", + "value": 0 + }, + { + "id": "links", + "value": [ + { + "targetBlank": false, + "title": "ConsistentSet Detail", + "url": "/d/ConsistentSet/?refresh=5s&var-Cluster=${Cluster}&var-Install_Namespace=${Install_Namespace}" + } + ] + }, + { + "id": "custom.align" + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "continuousrestoreinstance" + }, + "properties": [ + { + "id": "displayName", + "value": "ContinuousRestore Instance" + }, + { + "id": "custom.align", + "value": "left" + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "continuousrestoreplan" + }, + "properties": [ + { + "id": "displayName", + "value": "ContinuousRestorePlan" + }, + { + "id": "custom.align" + }, + { + "id": "links", + "value": [ + { + "title": "ContinuousRestorePlan Detail", + "url": "/d/ContinuousRestorePlan/?refresh=5s&var-ContinuousRestorePlan=${__value.text}&var-Cluster=${Cluster}&var-Install_Namespace=${Install_Namespace}" + } + ] + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "cr_status" + }, + "properties": [ + { + "id": "displayName", + "value": "ContinuousRestore Status" + }, + { + "id": "custom.align", + "value": "left" + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "ContinuousRestore Instance" + }, + "properties": [ + { + "id": "custom.width", + "value": 200 + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "ConsistentSet" + }, + "properties": [ + { + "id": "custom.width", + "value": 112 + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "ContinuousRestorePlan" + }, + "properties": [ + { + "id": "custom.width", + "value": 177 + } + ] + } + ] + }, + "gridPos": { + "h": 7, + "w": 12, + "x": 0, + "y": 12 + }, + "id": 19, + "options": { + "footer": { + "fields": "", + "reducer": [ + "sum" + ], + "show": false + }, + "showHeader": true, + "sortBy": [ + { + "desc": false, + "displayName": "ConsistentSet" + } + ] + }, + "pluginVersion": "8.5.0", + "targets": [ + { + "datasource": "${DS_PROMETHEUS}", + "expr": "trilio_backupplan_crstatus{backupplan=~\"$BackupPlan\",cluster=~\"$Cluster\",kind=\"BackupPlan\"}", + "format": "table", + "instant": true, + "interval": "", + "intervalFactor": 1, + "legendFormat": "", + "refId": "A" + } + ], + "title": "ContinuousRestore Info", + "transformations": [ + { + "id": "merge", + "options": { + "reducers": [] + } + }, + { + "id": "filterFieldsByName", + "options": { + "include": { + "names": [ + "consistentset_count", + "continuousrestoreinstance", + "continuousrestoreplan", + "cr_status" + ] + } + } + } + ], + "type": "table" + } + ], + "refresh": "10s", + "schemaVersion": 36, + "style": "dark", + "tags": [ + "logging" + ], + "templating": { + "list": [ + { + "current": { + "selected": false, + "text": "Prometheus", + "value": "Prometheus" + }, + "hide": 2, + "includeAll": false, + "label": "datasource", + "multi": false, + "name": "DS_PROMETHEUS", + "options": [], + "query": "prometheus", + "refresh": 1, + "regex": "", + "skipUrlSync": false, + "type": "datasource" + }, + { + "current": { + "selected": false, + "text": "Loki", + "value": "Loki" + }, + "hide": 2, + "includeAll": false, + "label": "loki", + "multi": false, + "name": "DS_LOKI", + "options": [], + "query": "loki", + "refresh": 1, + "regex": "", + "skipUrlSync": false, + "type": "datasource" + }, + { + "current": {}, + "datasource": { + "uid": "${DS_PROMETHEUS}" + }, + "definition": "trilio_system_info", + "hide": 2, + "includeAll": false, + "multi": false, + "name": "Cluster", + "options": [], + "query": { + "query": "trilio_system_info", + "refId": "Prometheus-Cluster-Variable-Query" + }, + "refresh": 1, + "regex": "/.*cluster=\"([^\"]*).*/", + "skipUrlSync": false, + "sort": 0, + "tagValuesQuery": "", + "tagsQuery": "", + "type": "query", + "useTags": false + }, + { + "current": {}, + "datasource": { + "uid": "${DS_PROMETHEUS}" + }, + "definition": "trilio_system_info{cluster=~\"$Cluster\"}", + "hide": 2, + "includeAll": false, + "multi": false, + "name": "Scope", + "options": [], + "query": { + "query": "trilio_system_info{cluster=~\"$Cluster\"}", + "refId": "Prometheus-Scope-Variable-Query" + }, + "refresh": 1, + "regex": "/.*scope=\"([^\"]*).*/", + "skipUrlSync": false, + "sort": 0, + "tagValuesQuery": "", + "tagsQuery": "", + "type": "query", + "useTags": false + }, + { + "current": {}, + "datasource": { + "uid": "${DS_PROMETHEUS}" + }, + "definition": "trilio_system_info{scope=~\"$Scope\",cluster=~\"$Cluster\"}", + "hide": 0, + "includeAll": false, + "label": "Install Namespace", + "multi": false, + "name": "Install_Namespace", + "options": [], + "query": { + "query": "trilio_system_info{scope=~\"$Scope\",cluster=~\"$Cluster\"}", + "refId": "Prometheus-Install_Namespace-Variable-Query" + }, + "refresh": 2, + "regex": "/.*install_namespace=\"([^\"]*).*/", + "skipUrlSync": false, + "sort": 0, + "tagValuesQuery": "", + "tagsQuery": "", + "type": "query", + "useTags": false + }, + { + "current": {}, + "datasource": { + "uid": "${DS_PROMETHEUS}" + }, + "definition": "trilio_backupplan_info{cluster=~\"$Cluster\",kind=\"BackupPlan\"}", + "hide": 0, + "includeAll": false, + "label": "BackupPlan", + "multi": false, + "name": "BackupPlan", + "options": [], + "query": { + "query": "trilio_backupplan_info{cluster=~\"$Cluster\",kind=\"BackupPlan\"}", + "refId": "StandardVariableQuery" + }, + "refresh": 2, + "regex": "/.*backupplan=\"([^\"]*).*/", + "skipUrlSync": false, + "sort": 0, + "tagValuesQuery": "", + "tagsQuery": "", + "type": "query", + "useTags": false + }, + { + "current": {}, + "datasource": { + "type": "loki", + "uid": "${DS_LOKI}" + }, + "definition": "label_values({transaction_type=\"BackupPlan\", transaction_resource_name=~\"$BackupPlan\"},transaction_resource_namespace)", + "description": "Backup Namespace", + "hide": 0, + "includeAll": true, + "label": "Backup Namespace", + "multi": false, + "name": "Namespace", + "options": [], + "query": "label_values({transaction_type=\"BackupPlan\", transaction_resource_name=~\"$BackupPlan\"},transaction_resource_namespace)", + "refresh": 2, + "regex": "", + "skipUrlSync": false, + "sort": 0, + "type": "query" + }, + { + "current": {}, + "datasource": { + "type": "loki", + "uid": "${DS_LOKI}" + }, + "definition": "label_values({transaction_type=\"BackupPlan\",transaction_resource_name=~\"$BackupPlan\"}, service_type)", + "description": "Service Type", + "hide": 0, + "includeAll": true, + "label": "Service Type", + "multi": false, + "name": "service_type", + "options": [], + "query": "label_values({transaction_type=\"BackupPlan\",transaction_resource_name=~\"$BackupPlan\"}, service_type)", + "refresh": 2, + "regex": "", + "skipUrlSync": false, + "sort": 0, + "type": "query" + } + ] + }, + "time": { + "from": "now-15m", + "to": "now" + }, + "timepicker": { + "refresh_intervals": [ + "10s", + "30s", + "1m", + "5m", + "15m", + "30m", + "1h", + "2h", + "1d" + ] + }, + "timezone": "", + "title": "BackupPlan Detail", + "uid": "BackupPlan", + "version": 1, + "weekStart": "" +} \ No newline at end of file diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/dashboards/backupplan-overview.json b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/dashboards/backupplan-overview.json new file mode 100644 index 000000000..c780e0e67 --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/dashboards/backupplan-overview.json @@ -0,0 +1,883 @@ +{ + "__inputs": [ + { + "name": "DS_PROMETHEUS", + "label": "Prometheus", + "description": "", + "type": "datasource", + "pluginId": "prometheus", + "pluginName": "Prometheus" + } + ], + "__elements": [], + "__requires": [ + { + "type": "grafana", + "id": "grafana", + "name": "Grafana", + "version": "8.5.0" + }, + { + "type": "panel", + "id": "grafana-piechart-panel", + "name": "Pie Chart (old)", + "version": "1.6.2" + }, + { + "type": "datasource", + "id": "prometheus", + "name": "Prometheus", + "version": "1.0.0" + }, + { + "type": "panel", + "id": "stat", + "name": "Stat", + "version": "" + }, + { + "type": "panel", + "id": "table", + "name": "Table", + "version": "" + }, + { + "type": "panel", + "id": "text", + "name": "Text", + "version": "" + } + ], + "annotations": { + "list": [ + { + "$$hashKey": "object:13226", + "builtIn": 1, + "datasource": { + "type": "datasource", + "uid": "grafana" + }, + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "limit": 100, + "name": "Annotations & Alerts", + "showIn": 0, + "target": { + "limit": 100, + "matchAny": false, + "tags": [], + "type": "dashboard" + }, + "type": "dashboard" + } + ] + }, + "editable": true, + "fiscalYearStartMonth": 0, + "gnetId": 12604, + "graphTooltip": 0, + "id": null, + "iteration": 1655400668324, + "links": [], + "liveNow": false, + "panels": [ + { + "datasource": { + "uid": "${DS_PROMETHEUS}" + }, + "gridPos": { + "h": 2, + "w": 23, + "x": 0, + "y": 0 + }, + "id": 4, + "options": { + "content": "

Backup Plan Overview

", + "mode": "html" + }, + "pluginVersion": "8.5.0", + "transparent": true, + "type": "text" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "links": [], + "mappings": [], + "min": 0, + "noValue": "0", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "rgb(46, 122, 122)", + "value": null + } + ] + }, + "unit": "short" + }, + "overrides": [] + }, + "gridPos": { + "h": 3, + "w": 4, + "x": 2, + "y": 2 + }, + "id": 34, + "links": [], + "options": { + "colorMode": "background", + "graphMode": "none", + "justifyMode": "center", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "last" + ], + "fields": "/^Available$/", + "values": false + }, + "textMode": "auto" + }, + "pluginVersion": "8.5.0", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "expr": "count(trilio_backupplan_info{install_namespace=~\"$Install_Namespace\",cluster=~\"$Cluster\"}) by (status)", + "format": "time_series", + "instant": true, + "interval": "", + "legendFormat": "{{status}}", + "refId": "A" + } + ], + "title": "All", + "transparent": true, + "type": "stat" + }, + { + "datasource": { + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "links": [], + "mappings": [], + "min": 0, + "noValue": "0", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "rgb(105, 191, 145)", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "short" + }, + "overrides": [] + }, + "gridPos": { + "h": 3, + "w": 4, + "x": 6, + "y": 2 + }, + "id": 35, + "links": [], + "options": { + "colorMode": "background", + "graphMode": "none", + "justifyMode": "center", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "last" + ], + "fields": "Helm", + "values": false + }, + "textMode": "auto" + }, + "pluginVersion": "8.5.0", + "targets": [ + { + "expr": "count(trilio_backupplan_info{applicationtype=\"Helm\",install_namespace=~\"$Install_Namespace\",cluster=~\"$Cluster\"}) by (applicationtype)", + "format": "time_series", + "instant": true, + "interval": "", + "legendFormat": "{{applicationtype}}", + "refId": "A", + "datasource": "${DS_PROMETHEUS}" + } + ], + "title": "Helm", + "transparent": true, + "type": "stat" + }, + { + "datasource": { + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "links": [], + "mappings": [], + "min": 0, + "noValue": "0", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "rgb(105, 191, 145)", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "short" + }, + "overrides": [] + }, + "gridPos": { + "h": 3, + "w": 4, + "x": 10, + "y": 2 + }, + "id": 36, + "links": [], + "options": { + "colorMode": "background", + "graphMode": "none", + "justifyMode": "center", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "last" + ], + "fields": "/^Operator$/", + "values": false + }, + "textMode": "auto" + }, + "pluginVersion": "8.5.0", + "targets": [ + { + "expr": "count(trilio_backupplan_info{applicationtype=\"Operator\",install_namespace=~\"$Install_Namespace\",cluster=~\"$Cluster\"}) by (applicationtype)", + "format": "time_series", + "instant": true, + "interval": "", + "legendFormat": "{{applicationtype}}", + "refId": "A", + "datasource": "${DS_PROMETHEUS}" + } + ], + "title": "Operator", + "transparent": true, + "type": "stat" + }, + { + "datasource": { + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "links": [], + "mappings": [], + "min": 0, + "noValue": "0", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "rgb(105, 191, 145)", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "short" + }, + "overrides": [] + }, + "gridPos": { + "h": 3, + "w": 4, + "x": 14, + "y": 2 + }, + "id": 37, + "links": [], + "options": { + "colorMode": "background", + "graphMode": "none", + "justifyMode": "center", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "last" + ], + "fields": "/^Custom$/", + "values": false + }, + "textMode": "auto" + }, + "pluginVersion": "8.5.0", + "targets": [ + { + "expr": "count(trilio_backupplan_info{applicationtype=\"Custom\",install_namespace=~\"$Install_Namespace\",cluster=~\"$Cluster\"}) by (applicationtype)", + "format": "time_series", + "instant": true, + "interval": "", + "legendFormat": "{{applicationtype}}", + "refId": "A", + "datasource": "${DS_PROMETHEUS}" + } + ], + "title": "Custom", + "transparent": true, + "type": "stat" + }, + { + "datasource": { + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "links": [], + "mappings": [], + "min": 0, + "noValue": "0", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "rgb(105, 191, 145)", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "short" + }, + "overrides": [] + }, + "gridPos": { + "h": 3, + "w": 4, + "x": 18, + "y": 2 + }, + "id": 40, + "links": [], + "options": { + "colorMode": "background", + "graphMode": "none", + "justifyMode": "center", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "last" + ], + "fields": "/^Namespace$/", + "values": false + }, + "textMode": "auto" + }, + "pluginVersion": "8.5.0", + "targets": [ + { + "expr": "count(trilio_backupplan_info{applicationtype=\"Namespace\",install_namespace=~\"$Install_Namespace\",cluster=~\"$Cluster\"}) by (applicationtype)", + "format": "time_series", + "instant": true, + "interval": "", + "legendFormat": "{{applicationtype}}", + "refId": "A", + "datasource": "${DS_PROMETHEUS}" + } + ], + "title": "Namespace", + "transparent": true, + "type": "stat" + }, + { + "aliasColors": {}, + "breakPoint": "50%", + "combine": { + "label": "Others", + "threshold": 0 + }, + "datasource": { + "uid": "${DS_PROMETHEUS}" + }, + "fontSize": "80%", + "format": "short", + "gridPos": { + "h": 8, + "w": 7, + "x": 0, + "y": 5 + }, + "id": 39, + "legend": { + "header": "Protected", + "percentage": false, + "show": true, + "values": true + }, + "legendType": "Right side", + "links": [], + "maxDataPoints": 1, + "nullPointMode": "connected", + "pieType": "pie", + "strokeWidth": 1, + "targets": [ + { + "expr": "count(trilio_backupplan_info{applicationtype=~\"$ApplicationType\",install_namespace=~\"$Install_Namespace\",cluster=~\"$Cluster\"}) by (protected)", + "instant": true, + "interval": "", + "legendFormat": "{{protected}}", + "refId": "A", + "datasource": "${DS_PROMETHEUS}" + } + ], + "title": "Protected Backup Plan", + "transparent": true, + "type": "grafana-piechart-panel", + "valueName": "current" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "custom": { + "align": "auto", + "displayMode": "auto", + "inspect": false + }, + "decimals": 2, + "displayName": "", + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "short" + }, + "overrides": [ + { + "matcher": { + "id": "byName", + "options": "backupplan" + }, + "properties": [ + { + "id": "displayName", + "value": "Backup Plan" + }, + { + "id": "unit", + "value": "short" + }, + { + "id": "decimals", + "value": 2 + }, + { + "id": "links", + "value": [ + { + "targetBlank": false, + "title": "Backup Plan Detail", + "url": "/d/${__data.fields.kind}/?refresh=5s&var-BackupPlan=${__value.text}&var-Cluster=${Cluster}&var-Install_Namespace=${Install_Namespace}" + } + ] + }, + { + "id": "custom.align" + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "applicationtype" + }, + "properties": [ + { + "id": "displayName", + "value": "Type" + }, + { + "id": "unit", + "value": "short" + }, + { + "id": "decimals", + "value": 2 + }, + { + "id": "custom.align" + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "backup_count" + }, + "properties": [ + { + "id": "displayName", + "value": "Num of Backups" + }, + { + "id": "unit", + "value": "short" + }, + { + "id": "custom.align" + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "protected" + }, + "properties": [ + { + "id": "displayName", + "value": "Protected" + }, + { + "id": "unit", + "value": "decbytes" + }, + { + "id": "decimals", + "value": 2 + }, + { + "id": "custom.align" + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "lastprotected" + }, + "properties": [ + { + "id": "displayName", + "value": "Last Protected" + }, + { + "id": "unit", + "value": "short" + }, + { + "id": "decimals", + "value": 2 + }, + { + "id": "custom.align" + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "target" + }, + "properties": [ + { + "id": "displayName", + "value": "Target" + }, + { + "id": "unit", + "value": "short" + }, + { + "id": "decimals", + "value": 2 + }, + { + "id": "links", + "value": [ + { + "targetBlank": false, + "title": "Target Detail", + "url": "/d/TargetDetail/target-detail?refresh=5s&var-Target=${__value.text}&var-Cluster=${Cluster}&var-Install_Namespace=${Install_Namespace}" + } + ] + }, + { + "id": "custom.align" + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "kind" + }, + "properties": [ + { + "id": "displayName", + "value": "BackupPlan Kind" + } + ] + } + ] + }, + "gridPos": { + "h": 8, + "w": 17, + "x": 7, + "y": 5 + }, + "id": 32, + "options": { + "footer": { + "fields": "", + "reducer": [ + "sum" + ], + "show": false + }, + "showHeader": true + }, + "pluginVersion": "8.5.0", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "expr": "trilio_backupplan_info{applicationtype=~\"$ApplicationType\",install_namespace=~\"$Install_Namespace\",cluster=~\"$Cluster\"}", + "format": "table", + "instant": true, + "interval": "", + "intervalFactor": 1, + "legendFormat": "", + "refId": "A" + } + ], + "transformations": [ + { + "id": "merge", + "options": { + "reducers": [] + } + }, + { + "id": "filterFieldsByName", + "options": { + "include": { + "names": [ + "applicationtype", + "backup_count", + "backupplan", + "kind", + "target", + "lastprotected", + "protected" + ] + } + } + } + ], + "type": "table" + } + ], + "refresh": "10s", + "schemaVersion": 36, + "style": "dark", + "tags": [], + "templating": { + "list": [ + { + "current": { + "selected": false, + "text": "Prometheus", + "value": "Prometheus" + }, + "hide": 2, + "includeAll": false, + "label": "datasource", + "multi": false, + "name": "DS_PROMETHEUS", + "options": [], + "query": "prometheus", + "refresh": 1, + "regex": "", + "skipUrlSync": false, + "type": "datasource" + }, + { + "current": {}, + "datasource": { + "uid": "${DS_PROMETHEUS}" + }, + "definition": "trilio_system_info", + "hide": 0, + "includeAll": false, + "multi": false, + "name": "Cluster", + "options": [], + "query": { + "query": "trilio_system_info", + "refId": "Prometheus-Cluster-Variable-Query" + }, + "refresh": 1, + "regex": "/.*cluster=\"([^\"]*).*/", + "skipUrlSync": false, + "sort": 0, + "tagValuesQuery": "", + "tagsQuery": "", + "type": "query", + "useTags": false + }, + { + "current": {}, + "datasource": { + "uid": "${DS_PROMETHEUS}" + }, + "definition": "trilio_system_info{cluster=~\"$Cluster\"}", + "hide": 2, + "includeAll": false, + "multi": false, + "name": "Scope", + "options": [], + "query": { + "query": "trilio_system_info{cluster=~\"$Cluster\"}", + "refId": "Prometheus-Scope-Variable-Query" + }, + "refresh": 1, + "regex": "/.*scope=\"([^\"]*).*/", + "skipUrlSync": false, + "sort": 0, + "tagValuesQuery": "", + "tagsQuery": "", + "type": "query", + "useTags": false + }, + { + "current": {}, + "datasource": { + "uid": "${DS_PROMETHEUS}" + }, + "definition": "trilio_system_info{scope=~\"$Scope\",cluster=~\"$Cluster\"}", + "hide": 0, + "includeAll": false, + "label": "Install Namespace", + "multi": false, + "name": "Install_Namespace", + "options": [], + "query": { + "query": "trilio_system_info{scope=~\"$Scope\",cluster=~\"$Cluster\"}", + "refId": "Prometheus-Install_Namespace-Variable-Query" + }, + "refresh": 1, + "regex": "/.*install_namespace=\"([^\"]*).*/", + "skipUrlSync": false, + "sort": 0, + "tagValuesQuery": "", + "tagsQuery": "", + "type": "query", + "useTags": false + }, + { + "current": {}, + "datasource": { + "uid": "${DS_PROMETHEUS}" + }, + "definition": "trilio_backupplan_info", + "hide": 0, + "includeAll": true, + "label": "Application Type", + "multi": false, + "name": "ApplicationType", + "options": [], + "query": { + "query": "trilio_backupplan_info", + "refId": "Prometheus-ApplicationType-Variable-Query" + }, + "refresh": 1, + "regex": "/.*applicationtype=\"([^\"]*).*/", + "skipUrlSync": false, + "sort": 0, + "tagValuesQuery": "", + "tagsQuery": "", + "type": "query", + "useTags": false + } + ] + }, + "time": { + "from": "now-15m", + "to": "now" + }, + "timepicker": { + "refresh_intervals": [ + "10s", + "30s", + "1m", + "5m", + "15m", + "30m", + "1h", + "2h", + "1d" + ] + }, + "timezone": "", + "title": "BackupPlan Overview", + "uid": "BackupPlanOverview", + "version": 1, + "weekStart": "" +} \ No newline at end of file diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/dashboards/clusterbackup-detail.json b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/dashboards/clusterbackup-detail.json new file mode 100644 index 000000000..3603eb6bd --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/dashboards/clusterbackup-detail.json @@ -0,0 +1,820 @@ +{ + "__inputs": [ + { + "name": "DS_PROMETHEUS", + "label": "Prometheus", + "description": "", + "type": "datasource", + "pluginId": "prometheus", + "pluginName": "Prometheus" + }, + { + "name": "DS_LOKI", + "label": "Loki", + "description": "", + "type": "datasource", + "pluginId": "loki", + "pluginName": "Loki" + } + ], + "__elements": [], + "__requires": [ + { + "type": "panel", + "id": "gauge", + "name": "Gauge", + "version": "" + }, + { + "type": "grafana", + "id": "grafana", + "name": "Grafana", + "version": "8.5.0" + }, + { + "type": "panel", + "id": "logs", + "name": "Logs", + "version": "" + }, + { + "type": "datasource", + "id": "loki", + "name": "Loki", + "version": "1.0.0" + }, + { + "type": "datasource", + "id": "prometheus", + "name": "Prometheus", + "version": "1.0.0" + }, + { + "type": "panel", + "id": "stat", + "name": "Stat", + "version": "" + }, + { + "type": "panel", + "id": "table", + "name": "Table", + "version": "" + }, + { + "type": "panel", + "id": "text", + "name": "Text", + "version": "" + } + ], + "annotations": { + "list": [ + { + "$$hashKey": "object:20", + "builtIn": 1, + "datasource": { + "type": "datasource", + "uid": "grafana" + }, + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "limit": 100, + "name": "Annotations & Alerts", + "showIn": 0, + "target": { + "limit": 100, + "matchAny": false, + "tags": [], + "type": "dashboard" + }, + "type": "dashboard" + } + ] + }, + "editable": true, + "fiscalYearStartMonth": 0, + "gnetId": 12601, + "graphTooltip": 0, + "id": null, + "iteration": 1655446898146, + "links": [], + "liveNow": false, + "panels": [ + { + "datasource": { + "uid": "${DS_PROMETHEUS}" + }, + "gridPos": { + "h": 2, + "w": 24, + "x": 0, + "y": 0 + }, + "id": 31, + "options": { + "content": "

Cluster Backup Detail

", + "mode": "html" + }, + "pluginVersion": "8.5.0", + "transparent": true, + "type": "text" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "mappings": [], + "max": 100, + "min": 0, + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "dark-red", + "value": null + }, + { + "color": "rgb(255, 255, 255)", + "value": 1 + }, + { + "color": "dark-green", + "value": 100 + } + ] + }, + "unit": "percent" + }, + "overrides": [] + }, + "gridPos": { + "h": 4, + "w": 7, + "x": 0, + "y": 2 + }, + "id": 45, + "options": { + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "last" + ], + "fields": "", + "values": false + }, + "showThresholdLabels": false, + "showThresholdMarkers": false + }, + "pluginVersion": "8.5.0", + "targets": [ + { + "datasource": "${DS_PROMETHEUS}", + "expr": "trilio_backup_status_percentage{backup=~\"$Backup\",install_namespace=~\"$Install_Namespace\",cluster=~\"$Cluster\",kind=\"ClusterBackup\"}", + "format": "time_series", + "instant": true, + "interval": "", + "intervalFactor": 1, + "legendFormat": "{{status}}", + "refId": "A" + } + ], + "transparent": true, + "type": "gauge" + }, + { + "datasource": { + "uid": "${DS_PROMETHEUS}" + }, + "gridPos": { + "h": 1, + "w": 4, + "x": 8, + "y": 2 + }, + "id": 50, + "links": [], + "maxDataPoints": 100, + "options": { + "content": "", + "mode": "markdown" + }, + "pluginVersion": "8.5.0", + "targets": [ + { + "datasource": "${DS_PROMETHEUS}", + "expr": "trilio_backup_info{backup=~\"$Backup\",namespace=~\"$Namespace\",cluster=~\"$Cluster\"}", + "format": "time_series", + "instant": true, + "interval": "", + "intervalFactor": 1, + "legendFormat": "{{status}}", + "refId": "A" + } + ], + "transparent": true, + "type": "text" + }, + { + "datasource": { + "type": "loki", + "uid": "${DS_LOKI}" + }, + "description": "Cluster Backup Logs", + "gridPos": { + "h": 16, + "w": 12, + "x": 12, + "y": 2 + }, + "id": 52, + "options": { + "dedupStrategy": "none", + "enableLogDetails": true, + "prettifyLogMessage": false, + "showCommonLabels": false, + "showLabels": false, + "showTime": true, + "sortOrder": "Descending", + "wrapLogMessage": false + }, + "targets": [ + { + "datasource": { + "type": "loki", + "uid": "${DS_LOKI}" + }, + "expr": "{transaction_type=\"ClusterBackup\",transaction_resource_name=\"$Backup\",service_type=~\"$service_type\",child_transaction_resource_namespace=\"$Namespace\"}", + "refId": "A" + } + ], + "title": "Cluster Backup Logs", + "type": "logs" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "mappings": [ + { + "options": { + "0": { + "text": "InProgress" + }, + "1": { + "text": "Available" + }, + "-1": { + "text": "Failed" + }, + "-2": { + "text": "UnKnown" + } + }, + "type": "value" + } + ], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "red", + "value": null + }, + { + "color": "dark-red", + "value": -1 + }, + { + "color": "blue", + "value": 0 + }, + { + "color": "green", + "value": 1 + } + ] + }, + "unit": "short" + }, + "overrides": [] + }, + "gridPos": { + "h": 2, + "w": 5, + "x": 7, + "y": 3 + }, + "id": 46, + "links": [], + "maxDataPoints": 100, + "options": { + "colorMode": "value", + "fieldOptions": { + "calcs": [ + "mean" + ] + }, + "graphMode": "none", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "first" + ], + "fields": "", + "values": false + }, + "textMode": "value" + }, + "pluginVersion": "8.5.0", + "targets": [ + { + "datasource": "${DS_PROMETHEUS}", + "expr": "trilio_backup_info{backup=~\"$Backup\",install_namespace=~\"$Install_Namespace\",cluster=~\"$Cluster\",kind=\"ClusterBackup\"}", + "format": "time_series", + "instant": true, + "interval": "", + "intervalFactor": 1, + "legendFormat": "{{status}}", + "refId": "A" + } + ], + "transparent": true, + "type": "stat" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [ + { + "options": { + "match": "null", + "result": { + "text": "N/A" + } + }, + "type": "special" + } + ], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "none" + }, + "overrides": [] + }, + "gridPos": { + "h": 3, + "w": 6, + "x": 0, + "y": 6 + }, + "id": 47, + "links": [], + "maxDataPoints": 100, + "options": { + "colorMode": "none", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "horizontal", + "reduceOptions": { + "calcs": [ + "first" + ], + "fields": "/^backup$/", + "values": false + }, + "text": { + "valueSize": 30 + }, + "textMode": "auto" + }, + "pluginVersion": "8.5.0", + "targets": [ + { + "datasource": "${DS_PROMETHEUS}", + "expr": "trilio_backup_info{ backup=~\"$Backup\",install_namespace=~\"$Install_Namespace\",cluster=~\"$Cluster\",kind=\"ClusterBackup\"}", + "format": "table", + "instant": true, + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + "title": "Name", + "type": "stat" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [ + { + "options": { + "match": "null", + "result": { + "text": "N/A" + } + }, + "type": "special" + } + ], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "none" + }, + "overrides": [] + }, + "gridPos": { + "h": 3, + "w": 6, + "x": 6, + "y": 6 + }, + "id": 36, + "links": [], + "maxDataPoints": 100, + "options": { + "colorMode": "none", + "graphMode": "none", + "justifyMode": "center", + "orientation": "horizontal", + "reduceOptions": { + "calcs": [ + "first" + ], + "fields": "/^backupplan$/", + "values": false + }, + "text": { + "valueSize": 30 + }, + "textMode": "auto" + }, + "pluginVersion": "8.5.0", + "targets": [ + { + "datasource": "${DS_PROMETHEUS}", + "expr": "trilio_backup_info{ backup=~\"$Backup\",install_namespace=~\"$Install_Namespace\",cluster=~\"$Cluster\",kind=\"ClusterBackup\"}", + "format": "table", + "instant": true, + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + "title": "Cluster Backup Plan", + "type": "stat" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "custom": { + "align": "left", + "displayMode": "auto", + "filterable": false, + "inspect": false + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + } + ] + }, + "unit": "short" + }, + "overrides": [ + { + "matcher": { + "id": "byName", + "options": "First" + }, + "properties": [ + { + "id": "displayName", + "value": "Value" + } + ] + } + ] + }, + "gridPos": { + "h": 9, + "w": 12, + "x": 0, + "y": 9 + }, + "id": 49, + "options": { + "footer": { + "fields": "", + "reducer": [ + "sum" + ], + "show": false + }, + "showHeader": true + }, + "pluginVersion": "8.5.0", + "targets": [ + { + "datasource": "${DS_PROMETHEUS}", + "expr": "trilio_backup_info{ backup=~\"$Backup\",install_namespace=~\"$Install_Namespace\",cluster=~\"$Cluster\",kind=\"ClusterBackup\"}", + "format": "table", + "instant": true, + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + "title": "Details", + "transformations": [ + { + "id": "filterFieldsByName", + "options": { + "include": { + "names": [ + "Time", + "applicationtype", + "backup_type", + "completion_ts", + "hook", + "size", + "start_ts", + "target", + "resource_namespace" + ] + } + } + }, + { + "id": "reduce", + "options": { + "reducers": [ + "first" + ] + } + } + ], + "type": "table" + } + ], + "refresh": "10s", + "schemaVersion": 36, + "style": "dark", + "tags": [], + "templating": { + "list": [ + { + "current": { + "selected": false, + "text": "Prometheus", + "value": "Prometheus" + }, + "hide": 2, + "includeAll": false, + "label": "datasource", + "multi": false, + "name": "DS_PROMETHEUS", + "options": [], + "query": "prometheus", + "refresh": 1, + "regex": "", + "skipUrlSync": false, + "type": "datasource" + }, + { + "current": { + "selected": false, + "text": "Loki", + "value": "Loki" + }, + "description": "loki datasource", + "hide": 2, + "includeAll": false, + "label": "datasource", + "multi": false, + "name": "DS_LOKI", + "options": [], + "query": "loki", + "refresh": 1, + "regex": "", + "skipUrlSync": false, + "type": "datasource" + }, + { + "current": {}, + "datasource": { + "uid": "${DS_PROMETHEUS}" + }, + "definition": "trilio_system_info{cluster=~\"$Cluster\"}", + "hide": 2, + "includeAll": false, + "multi": false, + "name": "Scope", + "options": [], + "query": { + "query": "trilio_system_info{cluster=~\"$Cluster\"}", + "refId": "Prometheus-Scope-Variable-Query" + }, + "refresh": 1, + "regex": "/.*scope=\"([^\"]*).*/", + "skipUrlSync": false, + "sort": 0, + "tagValuesQuery": "", + "tagsQuery": "", + "type": "query", + "useTags": false + }, + { + "current": {}, + "datasource": { + "uid": "${DS_PROMETHEUS}" + }, + "definition": "trilio_system_info{scope=~\"$Scope\",cluster=~\"$Cluster\"}", + "hide": 0, + "includeAll": false, + "label": "Install Namespace", + "multi": false, + "name": "Install_Namespace", + "options": [], + "query": { + "query": "trilio_system_info{scope=~\"$Scope\",cluster=~\"$Cluster\"}", + "refId": "Prometheus-Install_Namespace-Variable-Query" + }, + "refresh": 2, + "regex": "/.*install_namespace=\"([^\"]*).*/", + "skipUrlSync": false, + "sort": 0, + "tagValuesQuery": "", + "tagsQuery": "", + "type": "query", + "useTags": false + }, + { + "current": {}, + "datasource": { + "uid": "${DS_PROMETHEUS}" + }, + "definition": "trilio_system_info", + "hide": 2, + "includeAll": false, + "multi": false, + "name": "Cluster", + "options": [], + "query": { + "query": "trilio_system_info", + "refId": "Prometheus-Cluster-Variable-Query" + }, + "refresh": 1, + "regex": "/.*cluster=\"([^\"]*).*/", + "skipUrlSync": false, + "sort": 0, + "tagValuesQuery": "", + "tagsQuery": "", + "type": "query", + "useTags": false + }, + { + "current": {}, + "datasource": { + "uid": "${DS_PROMETHEUS}" + }, + "definition": "trilio_backup_info{cluster=~\"$Cluster\",install_namespace=~\"$Install_Namespace\",kind=\"ClusterBackup\"}", + "hide": 0, + "includeAll": false, + "label": "Cluster Backup", + "multi": false, + "name": "Backup", + "options": [], + "query": { + "query": "trilio_backup_info{cluster=~\"$Cluster\",install_namespace=~\"$Install_Namespace\",kind=\"ClusterBackup\"}", + "refId": "StandardVariableQuery" + }, + "refresh": 2, + "regex": "/.*backup=\"([^\"]*).*/", + "skipUrlSync": false, + "sort": 0, + "tagValuesQuery": "", + "tagsQuery": "", + "type": "query", + "useTags": false + }, + { + "current": {}, + "datasource": { + "type": "loki", + "uid": "${DS_LOKI}" + }, + "definition": "label_values({transaction_type=\"ClusterBackup\",transaction_name=~\"$Backup\"},child_transaction_resource_namespace)", + "description": "Child Transaction Namespace", + "hide": 0, + "includeAll": true, + "label": "Backup Namespace", + "multi": false, + "name": "Namespace", + "options": [], + "query": "label_values({transaction_type=\"ClusterBackup\",transaction_name=~\"$Backup\"},child_transaction_resource_namespace)", + "refresh": 2, + "regex": "", + "skipUrlSync": false, + "sort": 0, + "type": "query" + }, + { + "current": {}, + "datasource": { + "type": "loki", + "uid": "${DS_LOKI}" + }, + "definition": "label_values({transaction_type=\"ClusterBackup\"},service_type)", + "description": "Service Type", + "hide": 0, + "includeAll": true, + "label": "Service Type", + "multi": false, + "name": "service_type", + "options": [], + "query": "label_values({transaction_type=\"ClusterBackup\"},service_type)", + "refresh": 2, + "regex": "", + "skipUrlSync": false, + "sort": 0, + "type": "query" + } + ] + }, + "time": { + "from": "now-15m", + "to": "now" + }, + "timepicker": { + "refresh_intervals": [ + "10s", + "30s", + "1m", + "5m", + "15m", + "30m", + "1h", + "2h", + "1d" + ] + }, + "timezone": "", + "title": "Cluster Backup Detail", + "uid": "ClusterBackup", + "version": 1, + "weekStart": "" +} \ No newline at end of file diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/dashboards/clusterbackupplan-detail.json b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/dashboards/clusterbackupplan-detail.json new file mode 100644 index 000000000..19b96b0a0 --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/dashboards/clusterbackupplan-detail.json @@ -0,0 +1,1234 @@ +{ + "__inputs": [ + { + "name": "DS_PROMETHEUS", + "label": "Prometheus", + "description": "", + "type": "datasource", + "pluginId": "prometheus", + "pluginName": "Prometheus" + }, + { + "name": "DS_LOKI", + "label": "Loki", + "description": "", + "type": "datasource", + "pluginId": "loki", + "pluginName": "Loki" + } + ], + "__elements": [], + "__requires": [ + { + "type": "grafana", + "id": "grafana", + "name": "Grafana", + "version": "8.5.0" + }, + { + "type": "panel", + "id": "logs", + "name": "Logs", + "version": "" + }, + { + "type": "datasource", + "id": "loki", + "name": "Loki", + "version": "1.0.0" + }, + { + "type": "datasource", + "id": "prometheus", + "name": "Prometheus", + "version": "1.0.0" + }, + { + "type": "panel", + "id": "stat", + "name": "Stat", + "version": "" + }, + { + "type": "panel", + "id": "table", + "name": "Table", + "version": "" + }, + { + "type": "panel", + "id": "text", + "name": "Text", + "version": "" + } + ], + "annotations": { + "list": [ + { + "$$hashKey": "object:4254", + "builtIn": 1, + "datasource": { + "type": "datasource", + "uid": "grafana" + }, + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "limit": 100, + "name": "Annotations & Alerts", + "showIn": 0, + "target": { + "limit": 100, + "matchAny": false, + "tags": [], + "type": "dashboard" + }, + "type": "dashboard" + } + ] + }, + "editable": true, + "fiscalYearStartMonth": 0, + "gnetId": 12605, + "graphTooltip": 0, + "id": null, + "iteration": 1655445890261, + "links": [], + "liveNow": false, + "panels": [ + { + "datasource": { + "uid": "${DS_PROMETHEUS}" + }, + "gridPos": { + "h": 2, + "w": 23, + "x": 0, + "y": 0 + }, + "id": 4, + "options": { + "content": "

Backup Plan Detail

", + "mode": "html" + }, + "pluginVersion": "8.5.0", + "transparent": true, + "type": "text" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "mappings": [ + { + "options": { + "0": { + "text": "InProgress" + }, + "1": { + "text": "Available" + }, + "-1": { + "text": "Failed" + }, + "-2": { + "text": "UnKnown" + } + }, + "type": "value" + } + ], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "red", + "value": null + }, + { + "color": "dark-red", + "value": -1 + }, + { + "color": "blue", + "value": 0 + }, + { + "color": "green", + "value": 1 + } + ] + }, + "unit": "short" + }, + "overrides": [] + }, + "gridPos": { + "h": 3, + "w": 5, + "x": 0, + "y": 2 + }, + "id": 16, + "links": [], + "maxDataPoints": 100, + "options": { + "colorMode": "value", + "fieldOptions": { + "calcs": [ + "mean" + ] + }, + "graphMode": "none", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "first" + ], + "fields": "", + "values": false + }, + "textMode": "auto" + }, + "pluginVersion": "8.5.0", + "targets": [ + { + "datasource": "${DS_PROMETHEUS}", + "expr": "trilio_backupplan_info{backupplan=~\"$BackupPlan\",install_namespace=~\"$Install_Namespace\",cluster=~\"$Cluster\",kind=\"ClusterBackupPlan\"}", + "format": "time_series", + "instant": true, + "interval": "", + "intervalFactor": 1, + "legendFormat": "", + "refId": "A" + } + ], + "title": "Status", + "transparent": true, + "type": "stat" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [ + { + "options": { + "match": "null", + "result": { + "text": "N/A" + } + }, + "type": "special" + } + ], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "none" + }, + "overrides": [] + }, + "gridPos": { + "h": 3, + "w": 4, + "x": 5, + "y": 2 + }, + "id": 9, + "links": [], + "maxDataPoints": 100, + "options": { + "colorMode": "none", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "horizontal", + "reduceOptions": { + "calcs": [ + "first" + ], + "fields": "/^applicationtype$/", + "values": false + }, + "textMode": "auto" + }, + "pluginVersion": "8.5.0", + "targets": [ + { + "datasource": "${DS_PROMETHEUS}", + "expr": "trilio_backupplan_info{ backupplan=~\"$BackupPlan\",install_namespace=~\"$Install_Namespace\",cluster=~\"$Cluster\",kind=\"ClusterBackupPlan\"}", + "format": "table", + "instant": true, + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + "title": "Application Type", + "type": "stat" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [ + { + "options": { + "match": "null", + "result": { + "text": "False" + } + }, + "type": "special" + } + ], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "none" + }, + "overrides": [] + }, + "gridPos": { + "h": 3, + "w": 4, + "x": 9, + "y": 2 + }, + "id": 10, + "links": [], + "maxDataPoints": 100, + "options": { + "colorMode": "none", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "horizontal", + "reduceOptions": { + "calcs": [ + "first" + ], + "fields": "/^protected$/", + "values": false + }, + "textMode": "auto" + }, + "pluginVersion": "8.5.0", + "targets": [ + { + "datasource": "${DS_PROMETHEUS}", + "expr": "trilio_backupplan_info{ backupplan=~\"$BackupPlan\",install_namespace=~\"$Install_Namespace\",cluster=~\"$Cluster\",kind=\"ClusterBackupPlan\"}", + "format": "table", + "instant": true, + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + "title": "Protected", + "type": "stat" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [ + { + "options": { + "match": "null", + "result": { + "text": "0" + } + }, + "type": "special" + } + ], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "none" + }, + "overrides": [] + }, + "gridPos": { + "h": 3, + "w": 4, + "x": 13, + "y": 2 + }, + "id": 13, + "links": [], + "maxDataPoints": 100, + "options": { + "colorMode": "none", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "horizontal", + "reduceOptions": { + "calcs": [ + "first" + ], + "fields": "/^backup_count$/", + "values": false + }, + "textMode": "auto" + }, + "pluginVersion": "8.5.0", + "targets": [ + { + "datasource": "${DS_PROMETHEUS}", + "expr": "trilio_backupplan_info{ backupplan=~\"$BackupPlan\",install_namespace=~\"$Install_Namespace\",cluster=~\"$Cluster\",kind=\"ClusterBackupPlan\"}", + "format": "table", + "instant": true, + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + "title": "Num of Backups", + "type": "stat" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [ + { + "options": { + "match": "null", + "result": { + "text": "N/A" + } + }, + "type": "special" + } + ], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "none" + }, + "overrides": [] + }, + "gridPos": { + "h": 3, + "w": 4, + "x": 17, + "y": 2 + }, + "id": 14, + "links": [], + "maxDataPoints": 100, + "options": { + "colorMode": "none", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "horizontal", + "reduceOptions": { + "calcs": [ + "first" + ], + "fields": "/^target$/", + "values": false + }, + "textMode": "auto" + }, + "pluginVersion": "8.5.0", + "targets": [ + { + "datasource": "${DS_PROMETHEUS}", + "expr": "trilio_backupplan_info{ backupplan=~\"$BackupPlan\",install_namespace=~\"$Install_Namespace\",cluster=~\"$Cluster\",kind=\"ClusterBackupPlan\"}", + "format": "table", + "instant": true, + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + "title": "Target", + "type": "stat" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "custom": { + "align": "auto", + "displayMode": "auto", + "inspect": true, + "minWidth": 100 + }, + "decimals": 2, + "displayName": "", + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "short" + }, + "overrides": [ + { + "matcher": { + "id": "byName", + "options": "backup" + }, + "properties": [ + { + "id": "displayName", + "value": "Backup" + }, + { + "id": "unit", + "value": "short" + }, + { + "id": "decimals", + "value": 2 + }, + { + "id": "links", + "value": [ + { + "targetBlank": false, + "title": "Backup Detail", + "url": "/d/${__data.fields.kind}?refresh=5s&var-Backup=${__value.text}&var-Cluster=${Cluster}&var-Install_Namespace=${Install_Namespace}" + } + ] + }, + { + "id": "custom.align" + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "completion_ts" + }, + "properties": [ + { + "id": "displayName", + "value": "Completion" + }, + { + "id": "unit", + "value": "short" + }, + { + "id": "decimals", + "value": 2 + }, + { + "id": "custom.align" + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "applicationtype" + }, + "properties": [ + { + "id": "displayName", + "value": "Type" + }, + { + "id": "unit", + "value": "short" + }, + { + "id": "decimals", + "value": 2 + }, + { + "id": "custom.align" + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "size" + }, + "properties": [ + { + "id": "displayName", + "value": "Size" + }, + { + "id": "unit", + "value": "decbytes" + }, + { + "id": "custom.align" + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "status" + }, + "properties": [ + { + "id": "displayName", + "value": "Status" + }, + { + "id": "unit", + "value": "short" + }, + { + "id": "decimals", + "value": 2 + }, + { + "id": "custom.align" + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "backup_type" + }, + "properties": [ + { + "id": "displayName", + "value": "Backup Type" + }, + { + "id": "unit", + "value": "short" + }, + { + "id": "decimals", + "value": 2 + }, + { + "id": "custom.align" + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "kind" + }, + "properties": [ + { + "id": "displayName", + "value": "Backup Kind" + } + ] + } + ] + }, + "gridPos": { + "h": 7, + "w": 12, + "x": 0, + "y": 5 + }, + "id": 12, + "options": { + "footer": { + "fields": "", + "reducer": [ + "sum" + ], + "show": false + }, + "showHeader": true + }, + "pluginVersion": "8.5.0", + "targets": [ + { + "datasource": "${DS_PROMETHEUS}", + "expr": "trilio_backup_info{backupplan=~\"$BackupPlan\",install_namespace=~\"$Install_Namespace\",cluster=~\"$Cluster\",kind=\"ClusterBackup\"}", + "format": "table", + "instant": true, + "interval": "", + "intervalFactor": 1, + "legendFormat": "", + "refId": "A" + } + ], + "title": "Backups", + "transformations": [ + { + "id": "merge", + "options": { + "reducers": [] + } + }, + { + "id": "filterFieldsByName", + "options": { + "include": { + "names": [ + "backup", + "backup_type", + "completion_ts", + "kind", + "size", + "status", + "target", + "applicationtype" + ] + } + } + } + ], + "type": "table" + }, + { + "datasource": { + "type": "loki", + "uid": "${DS_LOKI}" + }, + "description": "BackupPlan Logs", + "gridPos": { + "h": 14, + "w": 12, + "x": 12, + "y": 5 + }, + "id": 18, + "options": { + "dedupStrategy": "none", + "enableLogDetails": true, + "prettifyLogMessage": false, + "showCommonLabels": false, + "showLabels": false, + "showTime": true, + "sortOrder": "Descending", + "wrapLogMessage": false + }, + "targets": [ + { + "datasource": { + "type": "loki", + "uid": "${DS_LOKI}" + }, + "expr": "{transaction_type=\"ClusterBackupPlan\",transaction_resource_name=~\"$BackupPlan\",service_type=~\"$service_type\"}", + "refId": "A" + } + ], + "title": "BackupPlan Logs", + "type": "logs" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "custom": { + "align": "auto", + "displayMode": "auto", + "inspect": false + }, + "decimals": 2, + "displayName": "", + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "short" + }, + "overrides": [ + { + "matcher": { + "id": "byName", + "options": "consistentset_count" + }, + "properties": [ + { + "id": "displayName", + "value": "ConsistentSet" + }, + { + "id": "unit", + "value": "short" + }, + { + "id": "decimals", + "value": 0 + }, + { + "id": "links", + "value": [ + { + "targetBlank": true, + "title": "ConsistentSet Detail", + "url": "/d/${__data.fields.kind}/?refresh=5s&var-ConsistentSet=${__value.text}&var-Cluster=${Cluster}&var-Install_Namespace=${Install_Namespace}" + } + ] + }, + { + "id": "custom.align" + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "continuousrestoreinstance" + }, + "properties": [ + { + "id": "displayName", + "value": "ContinuousRestore Instance" + }, + { + "id": "custom.align", + "value": "left" + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "continuousrestoreplan" + }, + "properties": [ + { + "id": "displayName", + "value": "ContinuousRestorePlan" + }, + { + "id": "custom.align" + }, + { + "id": "links", + "value": [ + { + "title": "ContinuousRestorePlan Detail", + "url": "/d/${__data.fields.kind}/?refresh=5s&var-ContinuousRestorePlan=${__value.text}&var-Cluster=${Cluster}&var-Install_Namespace=${Install_Namespace}" + } + ] + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "cr_status" + }, + "properties": [ + { + "id": "displayName", + "value": "ContinuousRestore Status" + }, + { + "id": "custom.align", + "value": "left" + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "ContinuousRestore Instance" + }, + "properties": [ + { + "id": "custom.width", + "value": 200 + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "ConsistentSet" + }, + "properties": [ + { + "id": "custom.width", + "value": 112 + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "ContinuousRestorePlan" + }, + "properties": [ + { + "id": "custom.width", + "value": 177 + } + ] + } + ] + }, + "gridPos": { + "h": 7, + "w": 12, + "x": 0, + "y": 12 + }, + "id": 20, + "options": { + "footer": { + "fields": "", + "reducer": [ + "sum" + ], + "show": false + }, + "showHeader": true, + "sortBy": [ + { + "desc": false, + "displayName": "ConsistentSet" + } + ] + }, + "pluginVersion": "8.5.0", + "targets": [ + { + "datasource": "${DS_PROMETHEUS}", + "expr": "trilio_backupplan_crstatus{backupplan=~\"$ClusterBackupPlan\",cluster=~\"$Cluster\",kind=\"ClusterBackupPlan\"}", + "format": "table", + "instant": true, + "interval": "", + "intervalFactor": 1, + "legendFormat": "", + "refId": "A" + } + ], + "title": "ContinuousRestore Info", + "transformations": [ + { + "id": "merge", + "options": { + "reducers": [] + } + }, + { + "id": "filterFieldsByName", + "options": { + "include": { + "names": [ + "consistentset_count", + "continuousrestoreinstance", + "continuousrestoreplan", + "cr_status" + ] + } + } + } + ], + "type": "table" + } + ], + "refresh": "30s", + "schemaVersion": 36, + "style": "dark", + "tags": [], + "templating": { + "list": [ + { + "current": { + "selected": false, + "text": "Prometheus", + "value": "Prometheus" + }, + "hide": 2, + "includeAll": false, + "label": "datasource", + "multi": false, + "name": "DS_PROMETHEUS", + "options": [], + "query": "prometheus", + "refresh": 1, + "regex": "", + "skipUrlSync": false, + "type": "datasource" + }, + { + "current": { + "selected": false, + "text": "Loki", + "value": "Loki" + }, + "hide": 2, + "includeAll": false, + "label": "loki", + "multi": false, + "name": "DS_LOKI", + "options": [], + "query": "loki", + "refresh": 1, + "regex": "", + "skipUrlSync": false, + "type": "datasource" + }, + { + "current": {}, + "datasource": { + "uid": "${DS_PROMETHEUS}" + }, + "definition": "trilio_system_info", + "hide": 2, + "includeAll": false, + "multi": false, + "name": "Cluster", + "options": [], + "query": { + "query": "trilio_system_info", + "refId": "Prometheus-Cluster-Variable-Query" + }, + "refresh": 1, + "regex": "/.*cluster=\"([^\"]*).*/", + "skipUrlSync": false, + "sort": 0, + "tagValuesQuery": "", + "tagsQuery": "", + "type": "query", + "useTags": false + }, + { + "current": {}, + "datasource": { + "uid": "${DS_PROMETHEUS}" + }, + "definition": "trilio_system_info{cluster=~\"$Cluster\"}", + "hide": 2, + "includeAll": false, + "multi": false, + "name": "Scope", + "options": [], + "query": { + "query": "trilio_system_info{cluster=~\"$Cluster\"}", + "refId": "Prometheus-Scope-Variable-Query" + }, + "refresh": 1, + "regex": "/.*scope=\"([^\"]*).*/", + "skipUrlSync": false, + "sort": 0, + "tagValuesQuery": "", + "tagsQuery": "", + "type": "query", + "useTags": false + }, + { + "current": {}, + "datasource": { + "uid": "${DS_PROMETHEUS}" + }, + "definition": "trilio_system_info{scope=~\"$Scope\",cluster=~\"$Cluster\"}", + "hide": 0, + "includeAll": false, + "label": "Install Namespace", + "multi": false, + "name": "Install_Namespace", + "options": [], + "query": { + "query": "trilio_system_info{scope=~\"$Scope\",cluster=~\"$Cluster\"}", + "refId": "Prometheus-Install_Namespace-Variable-Query" + }, + "refresh": 2, + "regex": "/.*install_namespace=\"([^\"]*).*/", + "skipUrlSync": false, + "sort": 0, + "tagValuesQuery": "", + "tagsQuery": "", + "type": "query", + "useTags": false + }, + { + "current": {}, + "datasource": { + "uid": "${DS_PROMETHEUS}" + }, + "definition": "trilio_backupplan_info{cluster=~\"$Cluster\",kind=\"ClusterBackupPlan\"}", + "hide": 0, + "includeAll": false, + "label": "Cluster Backup Plan", + "multi": false, + "name": "BackupPlan", + "options": [], + "query": { + "query": "trilio_backupplan_info{cluster=~\"$Cluster\",kind=\"ClusterBackupPlan\"}", + "refId": "StandardVariableQuery" + }, + "refresh": 2, + "regex": "/.*backupplan=\"([^\"]*).*/", + "skipUrlSync": false, + "sort": 0, + "tagValuesQuery": "", + "tagsQuery": "", + "type": "query", + "useTags": false + }, + { + "current": {}, + "datasource": { + "type": "loki", + "uid": "${DS_LOKI}" + }, + "definition": "label_values({transaction_type=\"ClusterBackupPlan\", transaction_resource_name=~\"$BackupPlan\"},child_transaction_resource_namespace)", + "description": "Backup Namespace", + "hide": 0, + "includeAll": true, + "label": "Backup Namespace", + "multi": false, + "name": "Namespace", + "options": [], + "query": "label_values({transaction_type=\"ClusterBackupPlan\", transaction_resource_name=~\"$BackupPlan\"},child_transaction_resource_namespace)", + "refresh": 2, + "regex": "", + "skipUrlSync": false, + "sort": 0, + "type": "query" + }, + { + "current": {}, + "datasource": { + "type": "loki", + "uid": "${DS_LOKI}" + }, + "definition": "label_values({transaction_type=\"ClusterBackupPlan\",transaction_resource_name=~\"$BackupPlan\"}, service_type)", + "description": "Service Type", + "hide": 0, + "includeAll": true, + "label": "Service Type", + "multi": false, + "name": "service_type", + "options": [], + "query": "label_values({transaction_type=\"ClusterBackupPlan\",transaction_resource_name=~\"$BackupPlan\"}, service_type)", + "refresh": 2, + "regex": "", + "skipUrlSync": false, + "sort": 0, + "type": "query" + } + ] + }, + "time": { + "from": "now-15m", + "to": "now" + }, + "timepicker": { + "refresh_intervals": [ + "10s", + "30s", + "1m", + "5m", + "15m", + "30m", + "1h", + "2h", + "1d" + ] + }, + "timezone": "", + "title": "ClusterBackupPlan Detail", + "uid": "ClusterBackupPlan", + "version": 1, + "weekStart": "" +} \ No newline at end of file diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/dashboards/clusterrestore-detail.json b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/dashboards/clusterrestore-detail.json new file mode 100644 index 000000000..ce6851fd1 --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/dashboards/clusterrestore-detail.json @@ -0,0 +1,802 @@ +{ + "__inputs": [ + { + "name": "DS_PROMETHEUS", + "label": "Prometheus", + "description": "", + "type": "datasource", + "pluginId": "prometheus", + "pluginName": "Prometheus" + }, + { + "name": "DS_LOKI", + "label": "Loki", + "description": "", + "type": "datasource", + "pluginId": "loki", + "pluginName": "Loki" + } + ], + "__elements": [], + "__requires": [ + { + "type": "panel", + "id": "gauge", + "name": "Gauge", + "version": "" + }, + { + "type": "grafana", + "id": "grafana", + "name": "Grafana", + "version": "8.5.0" + }, + { + "type": "panel", + "id": "logs", + "name": "Logs", + "version": "" + }, + { + "type": "datasource", + "id": "loki", + "name": "Loki", + "version": "1.0.0" + }, + { + "type": "datasource", + "id": "prometheus", + "name": "Prometheus", + "version": "1.0.0" + }, + { + "type": "panel", + "id": "stat", + "name": "Stat", + "version": "" + }, + { + "type": "panel", + "id": "table", + "name": "Table", + "version": "" + }, + { + "type": "panel", + "id": "text", + "name": "Text", + "version": "" + } + ], + "annotations": { + "list": [ + { + "$$hashKey": "object:1512", + "builtIn": 1, + "datasource": { + "type": "datasource", + "uid": "grafana" + }, + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "limit": 100, + "name": "Annotations & Alerts", + "showIn": 0, + "target": { + "limit": 100, + "matchAny": false, + "tags": [], + "type": "dashboard" + }, + "type": "dashboard" + } + ] + }, + "editable": true, + "fiscalYearStartMonth": 0, + "gnetId": 12603, + "graphTooltip": 0, + "id": null, + "iteration": 1655447850637, + "links": [], + "liveNow": false, + "panels": [ + { + "datasource": { + "uid": "${DS_PROMETHEUS}" + }, + "gridPos": { + "h": 2, + "w": 23, + "x": 0, + "y": 0 + }, + "id": 4, + "options": { + "content": "

Restore Detail

", + "mode": "html" + }, + "pluginVersion": "8.5.0", + "transparent": true, + "type": "text" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "mappings": [], + "max": 100, + "min": 0, + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "dark-red", + "value": null + }, + { + "color": "rgb(255, 255, 255)", + "value": 1 + }, + { + "color": "dark-green", + "value": 100 + } + ] + }, + "unit": "percent" + }, + "overrides": [] + }, + "gridPos": { + "h": 4, + "w": 7, + "x": 0, + "y": 2 + }, + "id": 13, + "options": { + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "last" + ], + "fields": "", + "values": false + }, + "showThresholdLabels": false, + "showThresholdMarkers": false + }, + "pluginVersion": "8.5.0", + "targets": [ + { + "datasource": "${DS_PROMETHEUS}", + "expr": "trilio_restore_status_percentage{restore=~\"$Restore\",install_namespace=~\"$Install_Namespace\",cluster=~\"$Cluster\",kind=\"ClusterRestore\"}", + "format": "time_series", + "instant": true, + "interval": "", + "intervalFactor": 1, + "legendFormat": "{{status}}", + "refId": "A" + } + ], + "transparent": true, + "type": "gauge" + }, + { + "datasource": { + "uid": "${DS_PROMETHEUS}" + }, + "gridPos": { + "h": 1, + "w": 4, + "x": 7, + "y": 2 + }, + "id": 17, + "options": { + "content": "", + "mode": "markdown" + }, + "pluginVersion": "8.5.0", + "transparent": true, + "type": "text" + }, + { + "datasource": { + "type": "loki", + "uid": "${DS_LOKI}" + }, + "gridPos": { + "h": 15, + "w": 12, + "x": 12, + "y": 2 + }, + "id": 22, + "options": { + "dedupStrategy": "none", + "enableLogDetails": true, + "prettifyLogMessage": false, + "showCommonLabels": false, + "showLabels": false, + "showTime": true, + "sortOrder": "Descending", + "wrapLogMessage": false + }, + "targets": [ + { + "datasource": { + "type": "loki", + "uid": "${DS_LOKI}" + }, + "expr": "{transaction_type=\"ClusterRestore\",transaction_resource_name=~\"$Restore\",service_type=~\"$service_type\",child_transaction_resource_namespace=~\"$Namespace\"}", + "refId": "A" + } + ], + "title": "Restore Logs", + "type": "logs" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "mappings": [ + { + "options": { + "0": { + "text": "InProgress" + }, + "1": { + "text": "Completed" + }, + "-1": { + "text": "Failed" + }, + "-2": { + "text": "UnKnown" + } + }, + "type": "value" + } + ], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "red", + "value": null + }, + { + "color": "dark-red", + "value": -1 + }, + { + "color": "blue", + "value": 0 + }, + { + "color": "green", + "value": 1 + } + ] + }, + "unit": "short" + }, + "overrides": [] + }, + "gridPos": { + "h": 2, + "w": 5, + "x": 7, + "y": 3 + }, + "id": 15, + "links": [], + "maxDataPoints": 100, + "options": { + "colorMode": "value", + "fieldOptions": { + "calcs": [ + "mean" + ] + }, + "graphMode": "none", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "first" + ], + "fields": "", + "values": false + }, + "textMode": "value" + }, + "pluginVersion": "8.5.0", + "targets": [ + { + "datasource": "${DS_PROMETHEUS}", + "expr": "trilio_restore_info{restore=~\"$Restore\",install_namespace=~\"$Install_Namespace\",cluster=~\"$Cluster\",kind=\"ClusterRestore\"}", + "format": "time_series", + "instant": true, + "interval": "", + "intervalFactor": 1, + "legendFormat": "{{status}}", + "refId": "A" + } + ], + "transparent": true, + "type": "stat" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [ + { + "options": { + "match": "null", + "result": { + "text": "N/A" + } + }, + "type": "special" + } + ], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "none" + }, + "overrides": [] + }, + "gridPos": { + "h": 3, + "w": 6, + "x": 0, + "y": 6 + }, + "id": 6, + "links": [], + "maxDataPoints": 100, + "options": { + "colorMode": "none", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "horizontal", + "reduceOptions": { + "calcs": [ + "first" + ], + "fields": "/^restore$/", + "values": false + }, + "text": { + "valueSize": 30 + }, + "textMode": "auto" + }, + "pluginVersion": "8.5.0", + "targets": [ + { + "datasource": "${DS_PROMETHEUS}", + "expr": "trilio_restore_info{ restore=~\"$Restore\",install_namespace=~\"$Install_Namespace\",cluster=~\"$Cluster\",kind=\"ClusterRestore\"}", + "format": "table", + "instant": true, + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + "title": "Restore", + "type": "stat" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [ + { + "options": { + "match": "null", + "result": { + "text": "N/A" + } + }, + "type": "special" + } + ], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "none" + }, + "overrides": [] + }, + "gridPos": { + "h": 3, + "w": 6, + "x": 6, + "y": 6 + }, + "id": 20, + "links": [], + "maxDataPoints": 100, + "options": { + "colorMode": "none", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "horizontal", + "reduceOptions": { + "calcs": [ + "first" + ], + "fields": "/^backup$/", + "values": false + }, + "text": { + "valueSize": 30 + }, + "textMode": "auto" + }, + "pluginVersion": "8.5.0", + "targets": [ + { + "datasource": "${DS_PROMETHEUS}", + "expr": "trilio_restore_info{ restore=~\"$Restore\",install_namespace=~\"$Install_Namespace\",cluster=~\"$Cluster\",kind=\"ClusterRestore\"}", + "format": "table", + "instant": true, + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + "title": "Backup", + "type": "stat" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "custom": { + "align": "left", + "displayMode": "auto", + "filterable": false, + "inspect": false + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + } + ] + }, + "unit": "short" + }, + "overrides": [ + { + "matcher": { + "id": "byName", + "options": "First" + }, + "properties": [ + { + "id": "displayName", + "value": "Value" + } + ] + } + ] + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 0, + "y": 9 + }, + "id": 19, + "options": { + "footer": { + "fields": "", + "reducer": [ + "sum" + ], + "show": false + }, + "showHeader": true + }, + "pluginVersion": "8.5.0", + "targets": [ + { + "datasource": "${DS_PROMETHEUS}", + "expr": "trilio_restore_info{ restore=~\"$Restore\",install_namespace=~\"$Install_Namespace\",cluster=~\"$Cluster\",kind=\"ClusterRestore\"}", + "format": "table", + "instant": true, + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + "title": "Details", + "transformations": [ + { + "id": "filterFieldsByName", + "options": { + "include": { + "names": [ + "Time", + "completion_ts", + "size", + "start_ts", + "target", + "resource_namespace" + ] + } + } + }, + { + "id": "reduce", + "options": { + "reducers": [ + "first" + ] + } + } + ], + "type": "table" + } + ], + "refresh": "30s", + "schemaVersion": 36, + "style": "dark", + "tags": [], + "templating": { + "list": [ + { + "current": { + "selected": false, + "text": "Prometheus", + "value": "Prometheus" + }, + "hide": 2, + "includeAll": false, + "label": "datasource", + "multi": false, + "name": "DS_PROMETHEUS", + "options": [], + "query": "prometheus", + "refresh": 1, + "regex": "", + "skipUrlSync": false, + "type": "datasource" + }, + { + "current": { + "selected": false, + "text": "Loki", + "value": "Loki" + }, + "hide": 2, + "includeAll": false, + "label": "loki", + "multi": false, + "name": "DS_LOKI", + "options": [], + "query": "loki", + "refresh": 1, + "regex": "", + "skipUrlSync": false, + "type": "datasource" + }, + { + "current": {}, + "datasource": { + "uid": "${DS_PROMETHEUS}" + }, + "definition": "trilio_system_info", + "hide": 2, + "includeAll": false, + "multi": false, + "name": "Cluster", + "options": [], + "query": { + "query": "trilio_system_info", + "refId": "Prometheus-Cluster-Variable-Query" + }, + "refresh": 1, + "regex": "/.*cluster=\"([^\"]*).*/", + "skipUrlSync": false, + "sort": 0, + "tagValuesQuery": "", + "tagsQuery": "", + "type": "query", + "useTags": false + }, + { + "current": {}, + "datasource": { + "uid": "${DS_PROMETHEUS}" + }, + "definition": "trilio_system_info{cluster=~\"$Cluster\"}", + "hide": 2, + "includeAll": false, + "multi": false, + "name": "Scope", + "options": [], + "query": { + "query": "trilio_system_info{cluster=~\"$Cluster\"}", + "refId": "Prometheus-Scope-Variable-Query" + }, + "refresh": 1, + "regex": "/.*scope=\"([^\"]*).*/", + "skipUrlSync": false, + "sort": 0, + "tagValuesQuery": "", + "tagsQuery": "", + "type": "query", + "useTags": false + }, + { + "current": {}, + "datasource": { + "uid": "${DS_PROMETHEUS}" + }, + "definition": "trilio_system_info{scope=~\"$Scope\",cluster=~\"$Cluster\"}", + "hide": 0, + "includeAll": false, + "label": "Install Namespace", + "multi": false, + "name": "Install_Namespace", + "options": [], + "query": { + "query": "trilio_system_info{scope=~\"$Scope\",cluster=~\"$Cluster\"}", + "refId": "Prometheus-Install_Namespace-Variable-Query" + }, + "refresh": 2, + "regex": "/.*install_namespace=\"([^\"]*).*/", + "skipUrlSync": false, + "sort": 0, + "tagValuesQuery": "", + "tagsQuery": "", + "type": "query", + "useTags": false + }, + { + "allValue": " ", + "current": {}, + "datasource": { + "uid": "${DS_PROMETHEUS}" + }, + "definition": "trilio_restore_info{cluster=~\"$Cluster\",kind=\"ClusterRestore\"}", + "hide": 0, + "includeAll": false, + "label": "Restore", + "multi": false, + "name": "Restore", + "options": [], + "query": { + "query": "trilio_restore_info{cluster=~\"$Cluster\",kind=\"ClusterRestore\"}", + "refId": "StandardVariableQuery" + }, + "refresh": 2, + "regex": "/.*restore=\"([^\"]*).*/", + "skipUrlSync": false, + "sort": 0, + "tagValuesQuery": "", + "tagsQuery": "", + "type": "query", + "useTags": false + }, + { + "current": {}, + "datasource": { + "type": "loki", + "uid": "${DS_LOKI}" + }, + "definition": "label_values({transaction_type=\"ClusterRestore\",transaction_resource_name=~\"$Restore\"},child_transaction_resource_namespace)", + "description": "Restore Namespace", + "hide": 0, + "includeAll": true, + "label": "Restore Namespace", + "multi": false, + "name": "Namespace", + "options": [], + "query": "label_values({transaction_type=\"ClusterRestore\",transaction_resource_name=~\"$Restore\"},child_transaction_resource_namespace)", + "refresh": 2, + "regex": "", + "skipUrlSync": false, + "sort": 0, + "type": "query" + }, + { + "current": {}, + "datasource": { + "type": "loki", + "uid": "${DS_LOKI}" + }, + "definition": "label_values({transaction_type=\"ClusterRestore\",transaction_resource_name=~\"$Restore\"}, service_type)", + "description": "Service Type", + "hide": 0, + "includeAll": true, + "label": "Service Type", + "multi": false, + "name": "service_type", + "options": [], + "query": "label_values({transaction_type=\"ClusterRestore\",transaction_resource_name=~\"$Restore\"}, service_type)", + "refresh": 2, + "regex": "", + "skipUrlSync": false, + "sort": 0, + "type": "query" + } + ] + }, + "time": { + "from": "now-15m", + "to": "now" + }, + "timepicker": { + "refresh_intervals": [ + "10s", + "30s", + "1m", + "5m", + "15m", + "30m", + "1h", + "2h", + "1d" + ] + }, + "timezone": "", + "title": "Cluster Restore Detail", + "uid": "ClusterRestore", + "version": 1, + "weekStart": "" +} \ No newline at end of file diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/dashboards/consistentset-detail.json b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/dashboards/consistentset-detail.json new file mode 100644 index 000000000..c7bee36c4 --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/dashboards/consistentset-detail.json @@ -0,0 +1,832 @@ +{ + "__inputs": [ + { + "name": "DS_PROMETHEUS", + "label": "Prometheus", + "description": "", + "type": "datasource", + "pluginId": "prometheus", + "pluginName": "Prometheus" + }, + { + "name": "DS_LOKI", + "label": "Loki", + "description": "", + "type": "datasource", + "pluginId": "loki", + "pluginName": "Loki" + } + ], + "__elements": [], + "__requires": [ + { + "type": "panel", + "id": "gauge", + "name": "Gauge", + "version": "" + }, + { + "type": "grafana", + "id": "grafana", + "name": "Grafana", + "version": "8.5.0" + }, + { + "type": "panel", + "id": "logs", + "name": "Logs", + "version": "" + }, + { + "type": "datasource", + "id": "loki", + "name": "Loki", + "version": "1.0.0" + }, + { + "type": "datasource", + "id": "prometheus", + "name": "Prometheus", + "version": "1.0.0" + }, + { + "type": "panel", + "id": "stat", + "name": "Stat", + "version": "" + }, + { + "type": "panel", + "id": "table", + "name": "Table", + "version": "" + }, + { + "type": "panel", + "id": "text", + "name": "Text", + "version": "" + } + ], + "annotations": { + "list": [ + { + "$$hashKey": "object:20", + "builtIn": 1, + "datasource": { + "type": "datasource", + "uid": "grafana" + }, + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "limit": 100, + "name": "Annotations & Alerts", + "showIn": 0, + "target": { + "limit": 100, + "matchAny": false, + "tags": [], + "type": "dashboard" + }, + "type": "dashboard" + } + ] + }, + "editable": true, + "fiscalYearStartMonth": 0, + "gnetId": 12601, + "graphTooltip": 0, + "id": null, + "iteration": 1672672013297, + "links": [], + "liveNow": false, + "panels": [ + { + "datasource": { + "uid": "${DS_PROMETHEUS}" + }, + "gridPos": { + "h": 2, + "w": 24, + "x": 0, + "y": 0 + }, + "id": 31, + "options": { + "content": "

ConsistentSet Detail

", + "mode": "html" + }, + "pluginVersion": "8.5.0", + "transparent": true, + "type": "text" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "mappings": [], + "max": 100, + "min": 0, + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "dark-red", + "value": null + }, + { + "color": "rgb(255, 255, 255)", + "value": 1 + }, + { + "color": "dark-green", + "value": 100 + } + ] + }, + "unit": "percent" + }, + "overrides": [] + }, + "gridPos": { + "h": 4, + "w": 7, + "x": 0, + "y": 2 + }, + "id": 45, + "options": { + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "last" + ], + "fields": "", + "values": false + }, + "showThresholdLabels": false, + "showThresholdMarkers": false + }, + "pluginVersion": "8.5.0", + "targets": [ + { + "datasource": "${DS_PROMETHEUS}", + "expr": "trilio_consistentset_status_percentage{consistentset=~\"$ConsistentSet\",install_namespace=~\"$Install_Namespace\",cluster=~\"$Cluster\",kind=\"ConsistentSet\"}", + "format": "time_series", + "instant": true, + "interval": "", + "intervalFactor": 1, + "legendFormat": "{{status}}", + "refId": "A" + } + ], + "transparent": true, + "type": "gauge" + }, + { + "datasource": { + "uid": "${DS_PROMETHEUS}" + }, + "gridPos": { + "h": 1, + "w": 4, + "x": 8, + "y": 2 + }, + "id": 50, + "links": [], + "maxDataPoints": 100, + "options": { + "content": "", + "mode": "markdown" + }, + "pluginVersion": "8.5.0", + "targets": [ + { + "datasource": "${DS_PROMETHEUS}", + "expr": "trilio_consistentset_info{consistentset=~\"$ConsistentSet\",cluster=~\"$Cluster\"}", + "format": "time_series", + "instant": true, + "interval": "", + "intervalFactor": 1, + "legendFormat": "{{status}}", + "refId": "A" + } + ], + "transparent": true, + "type": "text" + }, + { + "datasource": { + "type": "loki", + "uid": "${DS_LOKI}" + }, + "description": "ConsistentSet Logs", + "gridPos": { + "h": 16, + "w": 12, + "x": 12, + "y": 2 + }, + "id": 52, + "options": { + "dedupStrategy": "none", + "enableLogDetails": true, + "prettifyLogMessage": false, + "showCommonLabels": false, + "showLabels": false, + "showTime": true, + "sortOrder": "Descending", + "wrapLogMessage": false + }, + "targets": [ + { + "datasource": { + "type": "loki", + "uid": "${DS_LOKI}" + }, + "expr": "{child_transaction_resource_name=\"$ConsistentSet\",child_transaction_type=\"ConsistentSet\",transaction_resource_name=\"$ContinuousRestorePlan\",transaction_type=\"ContinuousRestorePlan\"}", + "refId": "A" + } + ], + "title": "ConsistentSet Logs", + "type": "logs" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "mappings": [ + { + "options": { + "0": { + "text": "InProgress" + }, + "1": { + "text": "Available" + }, + "-1": { + "text": "Failed" + }, + "-2": { + "text": "UnKnown" + } + }, + "type": "value" + } + ], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "red", + "value": null + }, + { + "color": "dark-red", + "value": -1 + }, + { + "color": "blue", + "value": 0 + }, + { + "color": "green", + "value": 1 + } + ] + }, + "unit": "short" + }, + "overrides": [] + }, + "gridPos": { + "h": 2, + "w": 5, + "x": 7, + "y": 3 + }, + "id": 46, + "links": [], + "maxDataPoints": 100, + "options": { + "colorMode": "value", + "fieldOptions": { + "calcs": [ + "mean" + ] + }, + "graphMode": "none", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "first" + ], + "fields": "", + "values": false + }, + "textMode": "value" + }, + "pluginVersion": "8.5.0", + "targets": [ + { + "datasource": "${DS_PROMETHEUS}", + "expr": "trilio_consistentset_info{consistentset=~\"$ConsistentSet\",install_namespace=~\"$Install_Namespace\",cluster=~\"$Cluster\",kind=\"ConsistentSet\"}", + "format": "time_series", + "instant": true, + "interval": "", + "intervalFactor": 1, + "legendFormat": "{{status}}", + "refId": "A" + } + ], + "transparent": true, + "type": "stat" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [ + { + "options": { + "match": "null", + "result": { + "text": "N/A" + } + }, + "type": "special" + } + ], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "none" + }, + "overrides": [] + }, + "gridPos": { + "h": 3, + "w": 6, + "x": 0, + "y": 6 + }, + "id": 47, + "links": [], + "maxDataPoints": 100, + "options": { + "colorMode": "none", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "horizontal", + "reduceOptions": { + "calcs": [ + "first" + ], + "fields": "/^consistentset$/", + "values": false + }, + "text": { + "valueSize": 10 + }, + "textMode": "auto" + }, + "pluginVersion": "8.5.0", + "targets": [ + { + "datasource": "${DS_PROMETHEUS}", + "expr": "trilio_consistentset_info{ consistentset=~\"$ConsistentSet\",install_namespace=~\"$Install_Namespace\",cluster=~\"$Cluster\",kind=\"ConsistentSet\"}", + "format": "table", + "instant": true, + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + "title": "Name", + "type": "stat" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [ + { + "options": { + "match": "null", + "result": { + "text": "N/A" + } + }, + "type": "special" + } + ], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "none" + }, + "overrides": [] + }, + "gridPos": { + "h": 3, + "w": 6, + "x": 6, + "y": 6 + }, + "id": 36, + "links": [], + "maxDataPoints": 100, + "options": { + "colorMode": "none", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "horizontal", + "reduceOptions": { + "calcs": [ + "first" + ], + "fields": "/^continuousrestoreplan$/", + "values": false + }, + "text": { + "valueSize": 10 + }, + "textMode": "auto" + }, + "pluginVersion": "8.5.0", + "targets": [ + { + "datasource": "${DS_PROMETHEUS}", + "expr": "trilio_consistentset_info{consistentset=~\"$ConsistentSet\",install_namespace=~\"$Install_Namespace\",cluster=~\"$Cluster\",kind=\"ConsistentSet\"}", + "format": "table", + "instant": true, + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + "title": "ContinuousRestorePlan", + "type": "stat" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "custom": { + "align": "left", + "displayMode": "auto", + "filterable": false, + "inspect": false + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + } + ] + }, + "unit": "short" + }, + "overrides": [ + { + "matcher": { + "id": "byName", + "options": "First" + }, + "properties": [ + { + "id": "displayName", + "value": "Value" + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "Field" + }, + "properties": [ + { + "id": "displayName" + } + ] + } + ] + }, + "gridPos": { + "h": 9, + "w": 12, + "x": 0, + "y": 9 + }, + "id": 49, + "options": { + "footer": { + "fields": "", + "reducer": [ + "sum" + ], + "show": false + }, + "showHeader": true + }, + "pluginVersion": "8.5.0", + "targets": [ + { + "datasource": "${DS_PROMETHEUS}", + "expr": "trilio_consistentset_info{ consistentset=~\"$ConsistentSet\",install_namespace=~\"$Install_Namespace\",cluster=~\"$Cluster\",kind=\"ConsistentSet\"}", + "format": "table", + "instant": true, + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + "title": "Details", + "transformations": [ + { + "id": "filterFieldsByName", + "options": { + "include": { + "names": [ + "Time", + "completion_ts", + "size", + "start_ts", + "sourcebackupplan", + "sourceinstanceinfo", + "backupName", + "backupNamespace", + "backupStatus" + ] + } + } + }, + { + "id": "reduce", + "options": { + "reducers": [ + "first" + ] + } + } + ], + "type": "table" + } + ], + "refresh": "10s", + "schemaVersion": 36, + "style": "dark", + "tags": [], + "templating": { + "list": [ + { + "current": { + "selected": false, + "text": "Prometheus", + "value": "Prometheus" + }, + "hide": 2, + "includeAll": false, + "label": "datasource", + "multi": false, + "name": "DS_PROMETHEUS", + "options": [], + "query": "prometheus", + "refresh": 1, + "regex": "", + "skipUrlSync": false, + "type": "datasource" + }, + { + "current": { + "selected": false, + "text": "Loki", + "value": "Loki" + }, + "description": "loki datasource", + "hide": 2, + "includeAll": false, + "label": "datasource", + "multi": false, + "name": "DS_LOKI", + "options": [], + "query": "loki", + "refresh": 1, + "regex": "", + "skipUrlSync": false, + "type": "datasource" + }, + { + "current": {}, + "datasource": { + "uid": "${DS_PROMETHEUS}" + }, + "definition": "trilio_system_info", + "hide": 0, + "includeAll": false, + "multi": false, + "name": "Cluster", + "options": [], + "query": { + "query": "trilio_system_info", + "refId": "Prometheus-Cluster-Variable-Query" + }, + "refresh": 1, + "regex": "/.*cluster=\"([^\"]*).*/", + "skipUrlSync": false, + "sort": 0, + "tagValuesQuery": "", + "tagsQuery": "", + "type": "query", + "useTags": false + }, + { + "current": {}, + "datasource": { + "uid": "${DS_PROMETHEUS}" + }, + "definition": "trilio_system_info{cluster=~\"$Cluster\"}", + "hide": 2, + "includeAll": false, + "multi": false, + "name": "Scope", + "options": [], + "query": { + "query": "trilio_system_info{cluster=~\"$Cluster\"}", + "refId": "Prometheus-Scope-Variable-Query" + }, + "refresh": 1, + "regex": "/.*scope=\"([^\"]*).*/", + "skipUrlSync": false, + "sort": 0, + "tagValuesQuery": "", + "tagsQuery": "", + "type": "query", + "useTags": false + }, + { + "current": {}, + "datasource": { + "uid": "${DS_PROMETHEUS}" + }, + "definition": "trilio_system_info{scope=~\"$Scope\",cluster=~\"$Cluster\"}", + "hide": 0, + "includeAll": false, + "label": "Install Namespace", + "multi": false, + "name": "Install_Namespace", + "options": [], + "query": { + "query": "trilio_system_info{scope=~\"$Scope\",cluster=~\"$Cluster\"}", + "refId": "Prometheus-Install_Namespace-Variable-Query" + }, + "refresh": 2, + "regex": "/.*install_namespace=\"([^\"]*).*/", + "skipUrlSync": false, + "sort": 0, + "tagValuesQuery": "", + "tagsQuery": "", + "type": "query", + "useTags": false + }, + { + "current": {}, + "datasource": { + "type": "loki", + "uid": "${DS_LOKI}" + }, + "definition": "label_values({child_transaction_resource_name=\"$ConsistentSet\",child_transaction_type=\"ConsistentSet\",transaction_resource_name=\"$ContinuousRestorePlan\",transaction_type=\"ContinuousRestorePlan\"}, service_type)", + "description": "Service Type", + "hide": 0, + "includeAll": true, + "label": "Service Type", + "multi": false, + "name": "service_type", + "options": [], + "query": "label_values({child_transaction_resource_name=\"$ConsistentSet\",child_transaction_type=\"ConsistentSet\",transaction_resource_name=\"$ContinuousRestorePlan\",transaction_type=\"ContinuousRestorePlan\"}, service_type)", + "refresh": 2, + "regex": "", + "skipUrlSync": false, + "sort": 0, + "type": "query" + }, + { + "current": {}, + "datasource": { + "uid": "${DS_PROMETHEUS}" + }, + "definition": "trilio_consistentset_info{cluster=~\"$Cluster\",install_namespace=~\"$Install_Namespace\",kind=\"ConsistentSet\"}", + "hide": 0, + "includeAll": false, + "label": "ConsistentSet", + "multi": false, + "name": "ConsistentSet", + "options": [], + "query": { + "query": "trilio_consistentset_info{cluster=~\"$Cluster\",install_namespace=~\"$Install_Namespace\",kind=\"ConsistentSet\"}", + "refId": "StandardVariableQuery" + }, + "refresh": 2, + "regex": "/.*consistentset=\"([^\"]*).*/", + "skipUrlSync": false, + "sort": 0, + "tagValuesQuery": "", + "tagsQuery": "", + "type": "query", + "useTags": false + }, + { + "current": {}, + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "definition": "trilio_continuousrestoreplan_info{cluster=~\"$Cluster\",kind=\"ContinuousRestorePlan\"}", + "hide": 0, + "includeAll": false, + "label": "ContinuousRestorePlan", + "multi": false, + "name": "ContinuousRestorePlan", + "options": [], + "query": { + "query": "trilio_continuousrestoreplan_info{cluster=~\"$Cluster\",kind=\"ContinuousRestorePlan\"}", + "refId": "StandardVariableQuery" + }, + "refresh": 1, + "regex": "/.*continuousrestoreplan=\"([^\"]*).*/", + "skipUrlSync": false, + "sort": 0, + "type": "query" + } + ] + }, + "time": { + "from": "now-15m", + "to": "now" + }, + "timepicker": { + "refresh_intervals": [ + "10s", + "30s", + "1m", + "5m", + "15m", + "30m", + "1h", + "2h", + "1d" + ] + }, + "timezone": "", + "title": "ConsistentSet Detail", + "uid": "ConsistentSet", + "version": 1 +} \ No newline at end of file diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/dashboards/continuousrestoreplan-detail.json b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/dashboards/continuousrestoreplan-detail.json new file mode 100644 index 000000000..02e201867 --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/dashboards/continuousrestoreplan-detail.json @@ -0,0 +1,1052 @@ +{ + "__inputs": [ + { + "name": "DS_PROMETHEUS", + "label": "Prometheus", + "description": "", + "type": "datasource", + "pluginId": "prometheus", + "pluginName": "Prometheus" + }, + { + "name": "DS_LOKI", + "label": "Loki", + "description": "", + "type": "datasource", + "pluginId": "loki", + "pluginName": "Loki" + } + ], + "__elements": [], + "__requires": [ + { + "type": "grafana", + "id": "grafana", + "name": "Grafana", + "version": "8.5.0" + }, + { + "type": "panel", + "id": "logs", + "name": "Logs", + "version": "" + }, + { + "type": "datasource", + "id": "loki", + "name": "Loki", + "version": "1.0.0" + }, + { + "type": "datasource", + "id": "prometheus", + "name": "Prometheus", + "version": "1.0.0" + }, + { + "type": "panel", + "id": "stat", + "name": "Stat", + "version": "" + }, + { + "type": "panel", + "id": "table", + "name": "Table", + "version": "" + }, + { + "type": "panel", + "id": "text", + "name": "Text", + "version": "" + } + ], + "annotations": { + "list": [ + { + "$$hashKey": "object:4254", + "builtIn": 1, + "datasource": { + "type": "datasource", + "uid": "grafana" + }, + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "limit": 100, + "name": "Annotations & Alerts", + "showIn": 0, + "target": { + "limit": 100, + "matchAny": false, + "tags": [], + "type": "dashboard" + }, + "type": "dashboard" + } + ] + }, + "editable": true, + "fiscalYearStartMonth": 0, + "gnetId": 12605, + "graphTooltip": 0, + "id": null, + "iteration": 1672673323255, + "links": [], + "liveNow": false, + "panels": [ + { + "datasource": { + "uid": "${DS_PROMETHEUS}" + }, + "gridPos": { + "h": 2, + "w": 23, + "x": 0, + "y": 0 + }, + "id": 4, + "options": { + "content": "

ContinuousRestorePlan Detail

", + "mode": "html" + }, + "pluginVersion": "8.5.0", + "transparent": true, + "type": "text" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "mappings": [ + { + "options": { + "0": { + "text": "InProgress" + }, + "1": { + "text": "Available" + }, + "-1": { + "text": "Failed" + }, + "-2": { + "text": "UnKnown" + } + }, + "type": "value" + } + ], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "red", + "value": null + }, + { + "color": "dark-red", + "value": -1 + }, + { + "color": "blue", + "value": 0 + }, + { + "color": "green", + "value": 1 + } + ] + }, + "unit": "short" + }, + "overrides": [] + }, + "gridPos": { + "h": 3, + "w": 3, + "x": 0, + "y": 2 + }, + "id": 16, + "links": [], + "maxDataPoints": 100, + "options": { + "colorMode": "value", + "fieldOptions": { + "calcs": [ + "mean" + ] + }, + "graphMode": "none", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "first" + ], + "fields": "", + "values": false + }, + "text": { + "valueSize": 30 + }, + "textMode": "auto" + }, + "pluginVersion": "8.5.0", + "targets": [ + { + "datasource": "${DS_PROMETHEUS}", + "expr": "trilio_continuousrestoreplan_info{continuousrestoreplan=~\"$ContinuousRestorePlan\",install_namespace=~\"$Install_Namespace\",cluster=~\"$Cluster\",kind=\"ContinuousRestorePlan\"}", + "format": "time_series", + "instant": true, + "interval": "", + "intervalFactor": 1, + "legendFormat": "", + "refId": "A" + } + ], + "title": "Status", + "transparent": true, + "type": "stat" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [ + { + "options": { + "match": "null", + "result": { + "text": "N/A" + } + }, + "type": "special" + } + ], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "none" + }, + "overrides": [] + }, + "gridPos": { + "h": 3, + "w": 4, + "x": 3, + "y": 2 + }, + "id": 19, + "links": [], + "maxDataPoints": 100, + "options": { + "colorMode": "none", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "horizontal", + "reduceOptions": { + "calcs": [ + "first" + ], + "fields": "/^sourcebackupplan$/", + "values": false + }, + "text": { + "valueSize": 30 + }, + "textMode": "auto" + }, + "pluginVersion": "8.5.0", + "targets": [ + { + "datasource": "${DS_PROMETHEUS}", + "expr": "trilio_continuousrestoreplan_info{ continuousrestoreplan=~\"$ContinuousRestorePlan\",install_namespace=~\"$Install_Namespace\",cluster=~\"$Cluster\",kind=\"ContinuousRestorePlan\"}", + "format": "table", + "instant": true, + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + "title": "Source BackupPlan", + "type": "stat" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [ + { + "options": { + "match": "null", + "result": { + "text": "N/A" + } + }, + "type": "special" + } + ], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "none" + }, + "overrides": [] + }, + "gridPos": { + "h": 3, + "w": 4, + "x": 7, + "y": 2 + }, + "id": 21, + "links": [], + "maxDataPoints": 100, + "options": { + "colorMode": "none", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "horizontal", + "reduceOptions": { + "calcs": [ + "first" + ], + "fields": "/^sourceinstanceinfo$/", + "values": false + }, + "text": { + "valueSize": 30 + }, + "textMode": "auto" + }, + "pluginVersion": "8.5.0", + "targets": [ + { + "datasource": "${DS_PROMETHEUS}", + "expr": "trilio_continuousrestoreplan_info{ continuousrestoreplan=~\"$ContinuousRestorePlan\",install_namespace=~\"$Install_Namespace\",cluster=~\"$Cluster\",kind=\"ContinuousRestorePlan\"}", + "format": "table", + "instant": true, + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + "title": "Source Instance", + "type": "stat" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [ + { + "options": { + "match": "null", + "result": { + "text": "0" + } + }, + "type": "special" + } + ], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "none" + }, + "overrides": [] + }, + "gridPos": { + "h": 3, + "w": 3, + "x": 11, + "y": 2 + }, + "id": 13, + "links": [], + "maxDataPoints": 100, + "options": { + "colorMode": "none", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "horizontal", + "reduceOptions": { + "calcs": [ + "first" + ], + "fields": "/^consistentsetcount$/", + "values": false + }, + "textMode": "auto" + }, + "pluginVersion": "8.5.0", + "targets": [ + { + "datasource": "${DS_PROMETHEUS}", + "expr": "trilio_continuousrestoreplan_info{ continuousrestoreplan=~\"$ContinuousRestorePlan\",install_namespace=~\"$Install_Namespace\",cluster=~\"$Cluster\",kind=\"ContinuousRestorePlan\"}", + "format": "table", + "instant": true, + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + "title": "Num of ConsistentSets", + "type": "stat" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [ + { + "options": { + "match": "null", + "result": { + "text": "N/A" + } + }, + "type": "special" + } + ], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "none" + }, + "overrides": [] + }, + "gridPos": { + "h": 3, + "w": 5, + "x": 14, + "y": 2 + }, + "id": 20, + "links": [], + "maxDataPoints": 100, + "options": { + "colorMode": "none", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "horizontal", + "reduceOptions": { + "calcs": [ + "first" + ], + "fields": "/^continuousrestorepolicy$/", + "values": false + }, + "text": { + "valueSize": 10 + }, + "textMode": "auto" + }, + "pluginVersion": "8.5.0", + "targets": [ + { + "datasource": "${DS_PROMETHEUS}", + "expr": "trilio_continuousrestoreplan_info{ continuousrestoreplan=~\"$ContinuousRestorePlan\",install_namespace=~\"$Install_Namespace\",cluster=~\"$Cluster\",kind=\"ContinuousRestorePlan\"}", + "format": "table", + "instant": true, + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + "title": "ContinuousRestorePolicy", + "type": "stat" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [ + { + "options": { + "match": "null", + "result": { + "text": "N/A" + } + }, + "type": "special" + } + ], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "none" + }, + "overrides": [] + }, + "gridPos": { + "h": 3, + "w": 5, + "x": 19, + "y": 2 + }, + "id": 14, + "links": [], + "maxDataPoints": 100, + "options": { + "colorMode": "none", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "horizontal", + "reduceOptions": { + "calcs": [ + "first" + ], + "fields": "/^target$/", + "values": false + }, + "text": { + "valueSize": 10 + }, + "textMode": "auto" + }, + "pluginVersion": "8.5.0", + "targets": [ + { + "datasource": "${DS_PROMETHEUS}", + "expr": "trilio_continuousrestoreplan_info{ continuousrestoreplan=~\"$ContinuousRestorePlan\",install_namespace=~\"$Install_Namespace\",cluster=~\"$Cluster\",kind=\"ContinuousRestorePlan\"}", + "format": "table", + "instant": true, + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + "title": "Target", + "type": "stat" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "custom": { + "align": "auto", + "displayMode": "auto", + "inspect": false + }, + "decimals": 2, + "displayName": "", + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "short" + }, + "overrides": [ + { + "matcher": { + "id": "byName", + "options": "consistentset" + }, + "properties": [ + { + "id": "displayName", + "value": "ConsistentSet" + }, + { + "id": "unit", + "value": "short" + }, + { + "id": "decimals", + "value": 2 + }, + { + "id": "links", + "value": [ + { + "targetBlank": false, + "title": "ConsistentSet Detail", + "url": "/d/${__data.fields.kind}/?refresh=5s&var-ConsistentSet=${__value.text}&var-Cluster=${Cluster}&var-Install_Namespace=${Install_Namespace}" + } + ] + }, + { + "id": "custom.align", + "value": "left" + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "consistentsetscope" + }, + "properties": [ + { + "id": "displayName", + "value": "ConsistentSet Scope" + }, + { + "id": "unit", + "value": "short" + }, + { + "id": "decimals", + "value": 2 + }, + { + "id": "custom.align", + "value": "left" + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "size" + }, + "properties": [ + { + "id": "displayName", + "value": "Size" + }, + { + "id": "unit", + "value": "decbytes" + }, + { + "id": "custom.align", + "value": "left" + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "status" + }, + "properties": [ + { + "id": "displayName", + "value": "Status" + }, + { + "id": "unit", + "value": "short" + }, + { + "id": "decimals", + "value": 2 + }, + { + "id": "custom.align" + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "sourcebackupplan" + }, + "properties": [ + { + "id": "displayName", + "value": "Source BackupPlan" + }, + { + "id": "unit", + "value": "short" + }, + { + "id": "decimals", + "value": 2 + }, + { + "id": "custom.align", + "value": "left" + } + ] + } + ] + }, + "gridPos": { + "h": 12, + "w": 12, + "x": 0, + "y": 5 + }, + "id": 12, + "options": { + "footer": { + "fields": "", + "reducer": [ + "sum" + ], + "show": false + }, + "showHeader": true, + "sortBy": [] + }, + "pluginVersion": "8.5.0", + "targets": [ + { + "datasource": "${DS_PROMETHEUS}", + "expr": "trilio_consistentset_info{continuousrestoreplan=~\"$ContinuousRestorePlan\",install_namespace=~\"$Install_Namespace\",cluster=~\"$Cluster\",kind=\"ConsistentSet\"}", + "format": "table", + "instant": true, + "interval": "", + "intervalFactor": 1, + "legendFormat": "", + "refId": "A" + } + ], + "title": "ConsistentSets", + "transformations": [ + { + "id": "merge", + "options": { + "reducers": [] + } + }, + { + "id": "filterFieldsByName", + "options": { + "include": { + "names": [ + "consistentset", + "consistentsetscope", + "size", + "sourcebackupplan", + "status", + "kind" + ] + } + } + } + ], + "type": "table" + }, + { + "datasource": { + "type": "loki", + "uid": "${DS_LOKI}" + }, + "description": "ContinuousRestorePlan Logs", + "gridPos": { + "h": 12, + "w": 12, + "x": 12, + "y": 5 + }, + "id": 18, + "options": { + "dedupStrategy": "none", + "enableLogDetails": true, + "prettifyLogMessage": false, + "showCommonLabels": false, + "showLabels": false, + "showTime": true, + "sortOrder": "Descending", + "wrapLogMessage": false + }, + "targets": [ + { + "datasource": { + "type": "loki", + "uid": "${DS_LOKI}" + }, + "expr": "{transaction_type=\"ContinuousRestorePlan\",transaction_resource_name=~\"$ContinuousRestorePlan\",service_type=~\"$service_type\"}", + "refId": "A" + } + ], + "title": "ContinuousRestorePlan Logs", + "type": "logs" + } + ], + "refresh": "10s", + "schemaVersion": 36, + "style": "dark", + "tags": [], + "templating": { + "list": [ + { + "current": { + "selected": false, + "text": "Prometheus", + "value": "Prometheus" + }, + "hide": 2, + "includeAll": false, + "label": "datasource", + "multi": false, + "name": "DS_PROMETHEUS", + "options": [], + "query": "prometheus", + "refresh": 1, + "regex": "", + "skipUrlSync": false, + "type": "datasource" + }, + { + "current": { + "selected": false, + "text": "Loki", + "value": "Loki" + }, + "hide": 2, + "includeAll": false, + "label": "loki", + "multi": false, + "name": "DS_LOKI", + "options": [], + "query": "loki", + "refresh": 1, + "regex": "", + "skipUrlSync": false, + "type": "datasource" + }, + { + "current": {}, + "datasource": { + "uid": "${DS_PROMETHEUS}" + }, + "definition": "trilio_system_info", + "hide": 0, + "includeAll": false, + "multi": false, + "name": "Cluster", + "options": [], + "query": { + "query": "trilio_system_info", + "refId": "Prometheus-Cluster-Variable-Query" + }, + "refresh": 1, + "regex": "/.*cluster=\"([^\"]*).*/", + "skipUrlSync": false, + "sort": 0, + "tagValuesQuery": "", + "tagsQuery": "", + "type": "query", + "useTags": false + }, + { + "current": {}, + "datasource": { + "uid": "${DS_PROMETHEUS}" + }, + "definition": "trilio_system_info{cluster=~\"$Cluster\"}", + "hide": 2, + "includeAll": false, + "multi": false, + "name": "Scope", + "options": [], + "query": { + "query": "trilio_system_info{cluster=~\"$Cluster\"}", + "refId": "Prometheus-Scope-Variable-Query" + }, + "refresh": 1, + "regex": "/.*scope=\"([^\"]*).*/", + "skipUrlSync": false, + "sort": 0, + "tagValuesQuery": "", + "tagsQuery": "", + "type": "query", + "useTags": false + }, + { + "current": {}, + "datasource": { + "uid": "${DS_PROMETHEUS}" + }, + "definition": "trilio_system_info{scope=~\"$Scope\",cluster=~\"$Cluster\"}", + "hide": 0, + "includeAll": false, + "label": "Install Namespace", + "multi": false, + "name": "Install_Namespace", + "options": [], + "query": { + "query": "trilio_system_info{scope=~\"$Scope\",cluster=~\"$Cluster\"}", + "refId": "Prometheus-Install_Namespace-Variable-Query" + }, + "refresh": 2, + "regex": "/.*install_namespace=\"([^\"]*).*/", + "skipUrlSync": false, + "sort": 0, + "tagValuesQuery": "", + "tagsQuery": "", + "type": "query", + "useTags": false + }, + { + "current": {}, + "datasource": { + "type": "loki", + "uid": "${DS_LOKI}" + }, + "definition": "label_values({transaction_type=\"ContinuousRestorePlan\",transaction_resource_name=~\"$ContinuousRestorePlan\"}, service_type)", + "description": "Service Type", + "hide": 0, + "includeAll": true, + "label": "Service Type", + "multi": false, + "name": "service_type", + "options": [], + "query": "label_values({transaction_type=\"ContinuousRestorePlan\",transaction_resource_name=~\"$ContinuousRestorePlan\"}, service_type)", + "refresh": 2, + "regex": "", + "skipUrlSync": false, + "sort": 0, + "type": "query" + }, + { + "current": {}, + "datasource": { + "uid": "${DS_PROMETHEUS}" + }, + "definition": "trilio_continuousrestoreplan_info{cluster=~\"$Cluster\",kind=\"ContinuousRestorePlan\"}", + "hide": 0, + "includeAll": false, + "label": "ContinuousRestorePlan", + "multi": false, + "name": "ContinuousRestorePlan", + "options": [], + "query": { + "query": "trilio_continuousrestoreplan_info{cluster=~\"$Cluster\",kind=\"ContinuousRestorePlan\"}", + "refId": "StandardVariableQuery" + }, + "refresh": 2, + "regex": "/.*continuousrestoreplan=\"([^\"]*).*/", + "skipUrlSync": false, + "sort": 0, + "tagValuesQuery": "", + "tagsQuery": "", + "type": "query", + "useTags": false + } + ] + }, + "time": { + "from": "now-15m", + "to": "now" + }, + "timepicker": { + "refresh_intervals": [ + "10s", + "30s", + "1m", + "5m", + "15m", + "30m", + "1h", + "2h", + "1d" + ] + }, + "timezone": "", + "title": "ContinuousRestorePlan Detail", + "uid": "ContinuousRestorePlan", + "version": 1 +} \ No newline at end of file diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/dashboards/logging-dashboard.json b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/dashboards/logging-dashboard.json new file mode 100644 index 000000000..3eaae8683 --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/dashboards/logging-dashboard.json @@ -0,0 +1,212 @@ +{ + "__inputs": [ + { + "name": "DS_LOKI", + "label": "Loki", + "description": "", + "type": "datasource", + "pluginId": "loki", + "pluginName": "Loki" + } + ], + "__elements": [], + "__requires": [ + { + "type": "grafana", + "id": "grafana", + "name": "Grafana", + "version": "8.5.0" + }, + { + "type": "panel", + "id": "logs", + "name": "Logs", + "version": "" + }, + { + "type": "datasource", + "id": "loki", + "name": "Loki", + "version": "1.0.0" + } + ], + "annotations": { + "list": [ + { + "builtIn": 1, + "datasource": { + "type": "datasource", + "uid": "grafana" + }, + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "name": "Annotations & Alerts", + "target": { + "limit": 100, + "matchAny": false, + "tags": [], + "type": "dashboard" + }, + "type": "dashboard" + } + ] + }, + "description": "dashboard for logging", + "editable": true, + "fiscalYearStartMonth": 0, + "gnetId": 12611, + "graphTooltip": 0, + "id": null, + "iteration": 1655397917396, + "links": [], + "liveNow": false, + "panels": [ + { + "datasource": { + "type": "loki", + "uid": "${DS_LOKI}" + }, + "description": "Live logs is a like 'tail -f' in a real time", + "gridPos": { + "h": 19, + "w": 24, + "x": 0, + "y": 0 + }, + "id": 2, + "options": { + "dedupStrategy": "exact", + "enableLogDetails": true, + "prettifyLogMessage": false, + "showCommonLabels": false, + "showLabels": false, + "showTime": true, + "sortOrder": "Descending", + "wrapLogMessage": false + }, + "targets": [ + { + "datasource": { + "type": "loki", + "uid": "${DS_LOKI}" + }, + "expr": "{service_type=~\"$service_type\"}", + "queryType": "range", + "refId": "A" + } + ], + "title": "Live logs", + "type": "logs" + } + ], + "refresh": "", + "schemaVersion": 36, + "style": "dark", + "tags": [ + "logging" + ], + "templating": { + "list": [ + { + "current": { + "selected": true, + "text": "All", + "value": "$__all" + }, + "hide": 0, + "includeAll": true, + "label": "Service Type", + "multi": false, + "name": "service_type", + "options": [ + { + "selected": true, + "text": "All", + "value": "$__all" + }, + { + "selected": false, + "text": "ControlPlane", + "value": "ControlPlane" + }, + { + "selected": false, + "text": "WebhookServer", + "value": "WebhookServer" + }, + { + "selected": false, + "text": "Exporter", + "value": "Exporter" + }, + { + "selected": false, + "text": "ResourceCleaner", + "value": "ResourceCleaner" + }, + { + "selected": false, + "text": "WebBackend", + "value": "WebBackend" + }, + { + "selected": false, + "text": "Analyzer", + "value": "Analyzer" + }, + { + "selected": false, + "text": "DexInit", + "value": "DexInit" + } + ], + "query": "ControlPlane,WebhookServer,Exporter,ResourceCleaner,WebBackend,Analyzer,DexInit", + "queryValue": "", + "skipUrlSync": false, + "type": "custom" + }, + { + "current": { + "selected": false, + "text": "Loki", + "value": "Loki" + }, + "description": "loki datasource", + "hide": 2, + "includeAll": false, + "label": "loki datasource", + "multi": false, + "name": "DS_LOKI", + "options": [], + "query": "loki", + "refresh": 1, + "regex": "", + "skipUrlSync": false, + "type": "datasource" + } + ] + }, + "time": { + "from": "now-30m", + "to": "now" + }, + "timepicker": { + "refresh_intervals": [ + "10s", + "30s", + "1m", + "5m", + "15m", + "30m", + "1h", + "2h", + "1d" + ] + }, + "timezone": "", + "title": "Logging Dashboard", + "uid": "logging", + "version": 1, + "weekStart": "" +} \ No newline at end of file diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/dashboards/metadata-detail.json b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/dashboards/metadata-detail.json new file mode 100644 index 000000000..02a6fb1cc --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/dashboards/metadata-detail.json @@ -0,0 +1,889 @@ +{ + "__inputs": [ + { + "name": "DS_PROMETHEUS", + "label": "Prometheus", + "description": "", + "type": "datasource", + "pluginId": "prometheus", + "pluginName": "Prometheus" + } + ], + "__requires": [ + { + "type": "grafana", + "id": "grafana", + "name": "Grafana", + "version": "7.2.1" + }, + { + "type": "datasource", + "id": "prometheus", + "name": "Prometheus", + "version": "1.0.0" + }, + { + "type": "panel", + "id": "stat", + "name": "Stat", + "version": "" + }, + { + "type": "panel", + "id": "table-old", + "name": "Table (old)", + "version": "" + }, + { + "type": "panel", + "id": "text", + "name": "Text", + "version": "7.1.0" + } + ], + "annotations": { + "list": [ + { + "$$hashKey": "object:20", + "builtIn": 1, + "datasource": "-- Grafana --", + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "limit": 100, + "name": "Annotations & Alerts", + "showIn": 0, + "type": "dashboard" + } + ] + }, + "editable": true, + "gnetId": 12607, + "graphTooltip": 0, + "id": null, + "iteration": 1617300281944, + "links": [], + "panels": [ + { + "content": "

Backup Metatdata

", + "datasource": "${DS_PROMETHEUS}", + "fieldConfig": { + "defaults": { + "custom": {} + }, + "overrides": [] + }, + "gridPos": { + "h": 2, + "w": 12, + "x": 0, + "y": 0 + }, + "id": 58, + "mode": "html", + "options": { + "content": "

Backup Metatdata

", + "mode": "html" + }, + "pluginVersion": "7.1.0", + "timeFrom": null, + "timeShift": null, + "title": "", + "transparent": true, + "type": "text" + }, + { + "content": "

Restore Metatdata

", + "datasource": "${DS_PROMETHEUS}", + "fieldConfig": { + "defaults": { + "custom": {} + }, + "overrides": [] + }, + "gridPos": { + "h": 2, + "w": 12, + "x": 12, + "y": 0 + }, + "id": 59, + "mode": "html", + "options": { + "content": "

Restore Metatdata

", + "mode": "html" + }, + "pluginVersion": "7.1.0", + "timeFrom": null, + "timeShift": null, + "title": "", + "transparent": true, + "type": "text" + }, + { + "datasource": "${DS_PROMETHEUS}", + "fieldConfig": { + "defaults": { + "custom": {}, + "mappings": [], + "noValue": "0", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "rgb(191, 194, 191)", + "value": null + } + ] + }, + "unit": "short" + }, + "overrides": [] + }, + "gridPos": { + "h": 3, + "w": 4, + "x": 2, + "y": 2 + }, + "id": 53, + "options": { + "colorMode": "value", + "graphMode": "area", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "first" + ], + "fields": "", + "values": false + }, + "textMode": "auto" + }, + "pluginVersion": "7.2.1", + "targets": [ + { + "expr": "count(avg(trilio_backup_metadata_info{backup=~\"$Backup\",install_namespace=~\"$Install_Namespace\",cluster=~\"$Cluster\"}) by (objecttype))", + "instant": true, + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + "timeFrom": null, + "timeShift": null, + "title": "Total Component Type", + "type": "stat" + }, + { + "datasource": "${DS_PROMETHEUS}", + "fieldConfig": { + "defaults": { + "custom": {}, + "mappings": [], + "noValue": "0", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "rgb(191, 194, 191)", + "value": null + } + ] + }, + "unit": "short" + }, + "overrides": [] + }, + "gridPos": { + "h": 3, + "w": 4, + "x": 6, + "y": 2 + }, + "id": 54, + "options": { + "colorMode": "value", + "graphMode": "area", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "first" + ], + "fields": "", + "values": false + }, + "textMode": "auto" + }, + "pluginVersion": "7.2.1", + "targets": [ + { + "expr": "count(avg(trilio_backup_metadata_info{backup=~\"$Backup\",install_namespace=~\"$Install_Namespace\",cluster=~\"$Cluster\"}) by (objectname))", + "instant": true, + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + "timeFrom": null, + "timeShift": null, + "title": "Total Components", + "type": "stat" + }, + { + "datasource": "${DS_PROMETHEUS}", + "fieldConfig": { + "defaults": { + "custom": {}, + "mappings": [], + "noValue": "0", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "rgb(191, 194, 191)", + "value": null + } + ] + }, + "unit": "short" + }, + "overrides": [] + }, + "gridPos": { + "h": 3, + "w": 4, + "x": 14, + "y": 2 + }, + "id": 55, + "options": { + "colorMode": "value", + "graphMode": "area", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "first" + ], + "fields": "", + "values": false + }, + "textMode": "auto" + }, + "pluginVersion": "7.2.1", + "targets": [ + { + "expr": "count(avg(trilio_restore_metadata_info{restore=~\"$Restore\",install_namespace=~\"$Install_Namespace\",cluster=~\"$Cluster\"}) by (objecttype))", + "instant": true, + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + "timeFrom": null, + "timeShift": null, + "title": "Total Component Type", + "type": "stat" + }, + { + "datasource": "${DS_PROMETHEUS}", + "fieldConfig": { + "defaults": { + "custom": {}, + "mappings": [], + "noValue": "0", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "rgb(191, 194, 191)", + "value": null + } + ] + }, + "unit": "short" + }, + "overrides": [] + }, + "gridPos": { + "h": 3, + "w": 4, + "x": 18, + "y": 2 + }, + "id": 56, + "options": { + "colorMode": "value", + "graphMode": "area", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "first" + ], + "fields": "", + "values": false + }, + "textMode": "auto" + }, + "pluginVersion": "7.2.1", + "targets": [ + { + "expr": "count(avg(trilio_restore_metadata_info{restore=~\"$Restore\",install_namespace=~\"$Install_Namespace\",cluster=~\"$Cluster\"}) by (objectname))", + "instant": true, + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + "timeFrom": null, + "timeShift": null, + "title": "Total Components", + "type": "stat" + }, + { + "columns": [], + "datasource": "${DS_PROMETHEUS}", + "description": "", + "fieldConfig": { + "defaults": { + "custom": {} + }, + "overrides": [] + }, + "fontSize": "100%", + "gridPos": { + "h": 15, + "w": 12, + "x": 0, + "y": 5 + }, + "id": 42, + "links": [], + "pageSize": null, + "showHeader": true, + "sort": { + "col": 18, + "desc": true + }, + "styles": [ + { + "$$hashKey": "object:10447", + "alias": "Object Type", + "align": "auto", + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "link": false, + "linkTooltip": "Show Metadata Details", + "linkUrl": "/d/0aiPMQMGk/metadata-detail?refresh=5s&var-Backup=${Backup}&var-ObjectType=${__cell}", + "mappingType": 1, + "pattern": "objecttype", + "type": "string" + }, + { + "$$hashKey": "object:1072", + "alias": "Source", + "align": "auto", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "mappingType": 1, + "pattern": "applicationtype", + "thresholds": [], + "type": "string", + "unit": "short" + }, + { + "$$hashKey": "object:1249", + "alias": "API Version", + "align": "auto", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": null, + "mappingType": 1, + "pattern": "apiversion", + "thresholds": [], + "type": "number", + "unit": "short" + }, + { + "$$hashKey": "object:3063", + "alias": "Object Name", + "align": "auto", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "mappingType": 1, + "pattern": "objectname", + "thresholds": [], + "type": "number", + "unit": "short" + }, + { + "$$hashKey": "object:3158", + "alias": "", + "align": "auto", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "mappingType": 1, + "pattern": "", + "thresholds": [], + "type": "number", + "unit": "short" + }, + { + "$$hashKey": "object:10448", + "alias": "", + "align": "right", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "decimals": 2, + "pattern": "/.*/", + "thresholds": [], + "type": "hidden", + "unit": "short" + } + ], + "targets": [ + { + "expr": "avg(trilio_backup_metadata_info{backup=~\"$Backup\",install_namespace=~\"$Install_Namespace\",cluster=~\"$Cluster\"}) by (objectname,objecttype, apiversion)", + "format": "table", + "instant": true, + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + "timeFrom": null, + "timeShift": null, + "title": "Metadata Info", + "transform": "table", + "type": "table-old" + }, + { + "columns": [], + "datasource": "${DS_PROMETHEUS}", + "description": "", + "fieldConfig": { + "defaults": { + "custom": {} + }, + "overrides": [] + }, + "fontSize": "100%", + "gridPos": { + "h": 15, + "w": 12, + "x": 12, + "y": 5 + }, + "id": 60, + "links": [], + "pageSize": null, + "showHeader": true, + "sort": { + "col": 18, + "desc": true + }, + "styles": [ + { + "$$hashKey": "object:10447", + "alias": "Object Type", + "align": "auto", + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "link": false, + "linkTooltip": "Show Metadata Details", + "linkUrl": "/d/0aiPMQMGk/metadata-detail?refresh=5s&var-Backup=${Backup}&var-ObjectType=${__cell}", + "mappingType": 1, + "pattern": "objecttype", + "type": "string" + }, + { + "$$hashKey": "object:1072", + "alias": "Source", + "align": "auto", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "mappingType": 1, + "pattern": "applicationtype", + "thresholds": [], + "type": "string", + "unit": "short" + }, + { + "$$hashKey": "object:1249", + "alias": "API Version", + "align": "auto", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": null, + "mappingType": 1, + "pattern": "apiversion", + "thresholds": [], + "type": "number", + "unit": "short" + }, + { + "$$hashKey": "object:3063", + "alias": "Object Name", + "align": "auto", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "mappingType": 1, + "pattern": "objectname", + "thresholds": [], + "type": "number", + "unit": "short" + }, + { + "$$hashKey": "object:3158", + "alias": "", + "align": "auto", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "mappingType": 1, + "pattern": "", + "thresholds": [], + "type": "number", + "unit": "short" + }, + { + "$$hashKey": "object:10448", + "alias": "", + "align": "right", + "colorMode": null, + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "decimals": 2, + "pattern": "/.*/", + "thresholds": [], + "type": "hidden", + "unit": "short" + } + ], + "targets": [ + { + "expr": "avg(trilio_restore_metadata_info{restore=~\"$Restore\",install_namespace=~\"$Install_Namespace\",cluster=~\"$Cluster\"}) by (objectname,objecttype, apiversion)", + "format": "table", + "instant": true, + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + "timeFrom": null, + "timeShift": null, + "title": "Metadata Info", + "transform": "table", + "type": "table-old" + }, + { + "cacheTimeout": null, + "content": "", + "datasource": "${DS_PROMETHEUS}", + "fieldConfig": { + "defaults": { + "custom": {}, + "mappings": [ + { + "from": "", + "id": 0, + "operator": "", + "text": "Available", + "to": "", + "type": 1, + "value": "1" + }, + { + "from": "", + "id": 1, + "operator": "", + "text": "InProgress", + "to": "", + "type": 1, + "value": "0" + }, + { + "from": "", + "id": 2, + "operator": "", + "text": "Failed", + "to": "", + "type": 1, + "value": "-1" + }, + { + "from": "", + "id": 3, + "operator": "", + "text": "UnKnown", + "to": "", + "type": 1, + "value": "-2" + } + ], + "nullValueMode": "connected", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "red", + "value": null + }, + { + "color": "dark-red", + "value": -1 + }, + { + "color": "blue", + "value": 0 + }, + { + "color": "green", + "value": 1 + } + ] + }, + "unit": "short" + }, + "overrides": [] + }, + "gridPos": { + "h": 1, + "w": 4, + "x": 8, + "y": 20 + }, + "id": 50, + "interval": null, + "links": [], + "maxDataPoints": 100, + "mode": "markdown", + "options": { + "content": "", + "mode": "markdown" + }, + "pluginVersion": "7.1.0", + "targets": [ + { + "expr": "trilio_backup_info{backup=~\"$Backup\",namespace=~\"$Namespace\",cluster=~\"$Cluster\"}", + "format": "time_series", + "instant": true, + "interval": "", + "intervalFactor": 1, + "legendFormat": "{{status}}", + "refId": "A" + } + ], + "timeFrom": null, + "timeShift": null, + "title": "", + "transparent": true, + "type": "text" + } + ], + "refresh": "5s", + "schemaVersion": 26, + "style": "dark", + "tags": [ + "logging" + ], + "templating": { + "list": [ + { + "hide": 2, + "label": "datasource", + "name": "DS_PROMETHEUS", + "options": [], + "query": "prometheus", + "refresh": 1, + "regex": "", + "type": "datasource" + }, + { + "allValue": null, + "current": {}, + "datasource": "${DS_PROMETHEUS}", + "definition": "trilio_system_info", + "hide": 0, + "includeAll": false, + "label": null, + "multi": false, + "name": "Cluster", + "options": [], + "query": "trilio_system_info", + "refresh": 1, + "regex": "/.*cluster=\"([^\"]*).*/", + "skipUrlSync": false, + "sort": 0, + "tagValuesQuery": "", + "tags": [], + "tagsQuery": "", + "type": "query", + "useTags": false + }, + { + "allValue": null, + "current": {}, + "datasource": "${DS_PROMETHEUS}", + "definition": "trilio_system_info{cluster=~\"$Cluster\"}", + "hide": 2, + "includeAll": false, + "label": null, + "multi": false, + "name": "Scope", + "options": [], + "query": "trilio_system_info{cluster=~\"$Cluster\"}", + "refresh": 1, + "regex": "/.*scope=\"([^\"]*).*/", + "skipUrlSync": false, + "sort": 0, + "tagValuesQuery": "", + "tags": [], + "tagsQuery": "", + "type": "query", + "useTags": false + }, + { + "allValue": null, + "current": {}, + "datasource": "${DS_PROMETHEUS}", + "definition": "trilio_system_info{scope=~\"$Scope\",cluster=~\"$Cluster\"}", + "hide": 0, + "includeAll": false, + "label": "Install Namespace", + "multi": false, + "name": "Install_Namespace", + "options": [], + "query": "trilio_system_info{scope=~\"$Scope\",cluster=~\"$Cluster\"}", + "refresh": 1, + "regex": "/.*install_namespace=\"([^\"]*).*/", + "skipUrlSync": false, + "sort": 0, + "tagValuesQuery": "", + "tags": [], + "tagsQuery": "", + "type": "query", + "useTags": false + }, + { + "allValue": null, + "current": {}, + "datasource": "${DS_PROMETHEUS}", + "definition": "trilio_backup_info{cluster=~\"$Cluster\",install_namespace=~\"$Install_Namespace\"}", + "hide": 0, + "includeAll": false, + "label": "Backup", + "multi": false, + "name": "Backup", + "options": [], + "query": "trilio_backup_info{cluster=~\"$Cluster\",install_namespace=~\"$Install_Namespace\"}", + "refresh": 1, + "regex": "/.*backup=\"([^\"]*).*/", + "skipUrlSync": false, + "sort": 0, + "tagValuesQuery": "", + "tags": [], + "tagsQuery": "", + "type": "query", + "useTags": false + }, + { + "allValue": null, + "current": {}, + "datasource": "${DS_PROMETHEUS}", + "definition": "trilio_restore_info{cluster=~\"$Cluster\",install_namespace=~\"$Install_Namespace\"}", + "hide": 0, + "includeAll": false, + "label": "Restore", + "multi": false, + "name": "Restore", + "options": [], + "query": "trilio_restore_info{cluster=~\"$Cluster\",install_namespace=~\"$Install_Namespace\"}", + "refresh": 1, + "regex": "/.*restore=\"([^\"]*).*/", + "skipUrlSync": false, + "sort": 0, + "tagValuesQuery": "", + "tags": [], + "tagsQuery": "", + "type": "query", + "useTags": false + } + ] + }, + "time": { + "from": "now-15m", + "to": "now" + }, + "timepicker": { + "refresh_intervals": [ + "10s", + "30s", + "1m", + "5m", + "15m", + "30m", + "1h", + "2h", + "1d" + ] + }, + "timezone": "", + "title": "Metadata Detail", + "uid": "Metadata", + "version": 1 +} \ No newline at end of file diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/dashboards/overview.json b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/dashboards/overview.json new file mode 100644 index 000000000..785f63bdd --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/dashboards/overview.json @@ -0,0 +1,1429 @@ +{ + "__inputs": [ + { + "name": "DS_PROMETHEUS", + "label": "Prometheus", + "description": "", + "type": "datasource", + "pluginId": "prometheus", + "pluginName": "Prometheus" + } + ], + "__elements": [], + "__requires": [ + { + "type": "grafana", + "id": "grafana", + "name": "Grafana", + "version": "8.5.0" + }, + { + "type": "panel", + "id": "piechart", + "name": "Pie chart", + "version": "" + }, + { + "type": "datasource", + "id": "prometheus", + "name": "Prometheus", + "version": "1.0.0" + }, + { + "type": "panel", + "id": "stat", + "name": "Stat", + "version": "" + }, + { + "type": "panel", + "id": "table", + "name": "Table", + "version": "" + }, + { + "type": "panel", + "id": "text", + "name": "Text", + "version": "" + } + ], + "annotations": { + "list": [ + { + "$$hashKey": "object:4047", + "builtIn": 1, + "datasource": { + "type": "datasource", + "uid": "grafana" + }, + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "name": "Annotations & Alerts", + "target": { + "limit": 100, + "matchAny": false, + "tags": [], + "type": "dashboard" + }, + "type": "dashboard" + } + ] + }, + "editable": true, + "fiscalYearStartMonth": 0, + "gnetId": 12599, + "graphTooltip": 0, + "id": null, + "iteration": 1672675438573, + "links": [], + "liveNow": false, + "panels": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "gridPos": { + "h": 5, + "w": 10, + "x": 0, + "y": 0 + }, + "id": 45, + "options": { + "content": "

", + "mode": "html" + }, + "pluginVersion": "8.5.0", + "transparent": true, + "type": "text" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + } + }, + "mappings": [ + { + "options": { + "0": { + "color": "red", + "index": 1, + "text": "Not Ready" + }, + "1": { + "color": "green", + "index": 0, + "text": "Ready" + } + }, + "type": "value" + } + ] + }, + "overrides": [] + }, + "gridPos": { + "h": 5, + "w": 7, + "x": 11, + "y": 0 + }, + "id": 47, + "options": { + "legend": { + "displayMode": "list", + "placement": "bottom" + }, + "pieType": "donut", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "exemplar": false, + "expr": "trilio_component_status", + "instant": true, + "interval": "", + "legendFormat": "{{deployment}}-{{status}}", + "refId": "A" + } + ], + "transparent": true, + "type": "piechart" + }, + { + "datasource": { + "uid": "${DS_PROMETHEUS}" + }, + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [ + { + "options": { + "match": "null", + "result": { + "text": "N/A" + } + }, + "type": "special" + } + ], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "none" + }, + "overrides": [] + }, + "gridPos": { + "h": 5, + "w": 3, + "x": 18, + "y": 0 + }, + "id": 42, + "links": [], + "maxDataPoints": 100, + "options": { + "colorMode": "none", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "horizontal", + "reduceOptions": { + "calcs": [ + "first" + ], + "fields": "/^tvk_version$/", + "values": false + }, + "textMode": "auto" + }, + "pluginVersion": "8.5.0", + "targets": [ + { + "datasource": "${DS_PROMETHEUS}", + "expr": "trilio_system_info{ install_namespace=~\"$Install_Namespace\",cluster=~\"$Cluster\"}", + "format": "table", + "instant": true, + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + "title": "TVK Version", + "type": "stat" + }, + { + "datasource": { + "uid": "${DS_PROMETHEUS}" + }, + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [ + { + "options": { + "match": "null", + "result": { + "text": "N/A" + } + }, + "type": "special" + } + ], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "none" + }, + "overrides": [] + }, + "gridPos": { + "h": 5, + "w": 3, + "x": 21, + "y": 0 + }, + "id": 43, + "links": [], + "maxDataPoints": 100, + "options": { + "colorMode": "none", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "horizontal", + "reduceOptions": { + "calcs": [ + "first" + ], + "fields": "/^scope$/", + "values": false + }, + "textMode": "auto" + }, + "pluginVersion": "8.5.0", + "targets": [ + { + "datasource": "${DS_PROMETHEUS}", + "expr": "trilio_system_info{ install_namespace=~\"$Install_Namespace\",cluster=~\"$Cluster\"}", + "format": "table", + "instant": true, + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + "title": "TVK Scope", + "type": "stat" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + } + }, + "decimals": 0, + "mappings": [], + "unit": "short" + }, + "overrides": [ + { + "matcher": { + "id": "byName", + "options": "Available" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "#37872D", + "mode": "fixed" + } + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "Failed" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "#C4162A", + "mode": "fixed" + } + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "InProgress" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "#FADE2A", + "mode": "fixed" + } + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "UnKnown" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "rgb(43, 36, 36)", + "mode": "fixed" + } + } + ] + } + ] + }, + "gridPos": { + "h": 8, + "w": 8, + "x": 0, + "y": 5 + }, + "id": 34, + "links": [ + { + "title": "Show Backup Overview", + "url": "/d/BackupOverview/backup-overview?refresh=5s&var-Cluster=${Cluster}&var-Install_Namespace=${Install_Namespace}" + } + ], + "maxDataPoints": 1, + "options": { + "legend": { + "calcs": [], + "displayMode": "table", + "placement": "bottom", + "values": [ + "value" + ] + }, + "pieType": "donut", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "expr": "count(trilio_backup_info{ install_namespace=~\"$Install_Namespace\",cluster=~\"$Cluster\"}) by (status)", + "format": "time_series", + "instant": true, + "interval": "", + "legendFormat": "{{status}}", + "refId": "A" + } + ], + "title": "Backup Summary", + "type": "piechart" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + } + }, + "decimals": 0, + "mappings": [], + "unit": "short" + }, + "overrides": [ + { + "matcher": { + "id": "byName", + "options": "Value" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "#37872D", + "mode": "fixed" + } + } + ] + } + ] + }, + "gridPos": { + "h": 8, + "w": 8, + "x": 8, + "y": 5 + }, + "id": 36, + "links": [ + { + "title": "Show Backup Plan Overview", + "url": "/d/BackupPlanOverview/backupplan-overview?refresh=5s&var-Cluster=${Cluster}&var-Install_Namespace=${Install_Namespace}" + } + ], + "maxDataPoints": 1, + "options": { + "legend": { + "calcs": [], + "displayMode": "table", + "placement": "bottom", + "values": [ + "value" + ] + }, + "pieType": "donut", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "expr": "count(trilio_backupplan_info{install_namespace=~\"$Install_Namespace\",cluster=~\"$Cluster\"}) by (kind) or count(trilio_continuousrestoreplan_info{install_namespace=~\"$Install_Namespace\",cluster=~\"$Cluster\"}) by (kind)", + "format": "time_series", + "instant": true, + "interval": "", + "legendFormat": "__auto", + "refId": "A" + } + ], + "title": " Plan Summary ", + "type": "piechart" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "custom": { + "align": "left", + "displayMode": "auto", + "inspect": false + }, + "decimals": 2, + "displayName": "", + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "short" + }, + "overrides": [ + { + "matcher": { + "id": "byName", + "options": "Value" + }, + "properties": [ + { + "id": "displayName", + "value": "Total Targets" + }, + { + "id": "unit", + "value": "short" + }, + { + "id": "custom.align", + "value": "left" + }, + { + "id": "decimals", + "value": 0 + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "status" + }, + "properties": [ + { + "id": "displayName", + "value": "Health" + }, + { + "id": "unit", + "value": "short" + }, + { + "id": "decimals", + "value": 2 + }, + { + "id": "custom.align" + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "vendorType" + }, + "properties": [ + { + "id": "displayName", + "value": "Vendor Type" + }, + { + "id": "unit", + "value": "short" + }, + { + "id": "decimals", + "value": 2 + }, + { + "id": "custom.align" + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "eventTarget" + }, + "properties": [ + { + "id": "displayName", + "value": "Target Type" + }, + { + "id": "mappings", + "value": [ + { + "options": { + "false": { + "index": 1, + "text": "Data Target" + }, + "true": { + "index": 0, + "text": "Event Target" + } + }, + "type": "value" + } + ] + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "target" + }, + "properties": [ + { + "id": "displayName", + "value": "Target Name" + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "Target Type" + }, + "properties": [ + { + "id": "custom.width", + "value": 100 + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "Health" + }, + "properties": [ + { + "id": "custom.width", + "value": 84 + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "Target Name" + }, + "properties": [ + { + "id": "custom.width", + "value": 106 + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "Vendor Type" + }, + "properties": [ + { + "id": "custom.width", + "value": 96 + } + ] + } + ] + }, + "gridPos": { + "h": 8, + "w": 8, + "x": 16, + "y": 5 + }, + "id": 40, + "links": [ + { + "title": "Show Target Details", + "url": "/d/TargetDetail/target-detail?refresh=5s&var-Cluster=${Cluster}&var-Install_Namespace=${Install_Namespace}" + } + ], + "options": { + "footer": { + "fields": [ + "Value" + ], + "reducer": [ + "sum" + ], + "show": true + }, + "showHeader": true, + "sortBy": [] + }, + "pluginVersion": "8.5.0", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "exemplar": false, + "expr": "trilio_target_info{install_namespace=~\"$Install_Namespace\",cluster=~\"$Cluster\"}", + "format": "table", + "instant": true, + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + "title": "Target Summary", + "transformations": [ + { + "id": "merge", + "options": { + "reducers": [] + } + }, + { + "id": "filterFieldsByName", + "options": { + "include": { + "names": [ + "status", + "vendorType", + "Value", + "target", + "eventTarget" + ] + } + } + } + ], + "type": "table" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + } + }, + "decimals": 0, + "mappings": [], + "unit": "short" + }, + "overrides": [ + { + "matcher": { + "id": "byName", + "options": "Available" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "#37872D", + "mode": "fixed" + } + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "Failed" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "#C4162A", + "mode": "fixed" + } + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "InProgress" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "#FADE2A", + "mode": "fixed" + } + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "UnKnown" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "rgb(43, 36, 36)", + "mode": "fixed" + } + } + ] + } + ] + }, + "gridPos": { + "h": 8, + "w": 8, + "x": 0, + "y": 13 + }, + "id": 48, + "links": [ + { + "title": "Show ConsistentSet Overview", + "url": "/d/ConsistentSet/consistentset-detail?refresh=5s&var-Cluster=${Cluster}&var-Install_Namespace=${Install_Namespace}" + } + ], + "maxDataPoints": 1, + "options": { + "legend": { + "calcs": [], + "displayMode": "table", + "placement": "bottom", + "values": [ + "value" + ] + }, + "pieType": "donut", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "expr": "count(trilio_consistentset_info{ install_namespace=~\"$Install_Namespace\",cluster=~\"$Cluster\"}) by (status)", + "format": "time_series", + "instant": true, + "interval": "", + "legendFormat": "{{status}}", + "refId": "A" + } + ], + "title": "ConsistentSet Summary", + "type": "piechart" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + } + }, + "decimals": 0, + "mappings": [], + "unit": "short" + }, + "overrides": [ + { + "matcher": { + "id": "byName", + "options": "Completed" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "#37872D", + "mode": "fixed" + } + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "Failed" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "#C4162A", + "mode": "fixed" + } + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "Value #C" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "#E0B400", + "mode": "fixed" + } + } + ] + } + ] + }, + "gridPos": { + "h": 8, + "w": 8, + "x": 8, + "y": 13 + }, + "id": 35, + "links": [ + { + "title": "Show Restore Overview", + "url": "/d/RestoreOverview/restore-overview?refresh=5s&var-Cluster=${Cluster}&var-Install_Namespace=${Install_Namespace}" + } + ], + "maxDataPoints": 1, + "options": { + "legend": { + "calcs": [], + "displayMode": "table", + "placement": "bottom", + "values": [ + "value" + ] + }, + "pieType": "donut", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "tooltip": { + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "expr": "count(trilio_restore_info{ install_namespace=~\"$Install_Namespace\",cluster=~\"$Cluster\"}) by (status) ", + "format": "time_series", + "instant": true, + "interval": "", + "legendFormat": "{{status}}", + "refId": "A" + } + ], + "title": "Restore Summary", + "type": "piechart" + }, + { + "datasource": { + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "custom": { + "align": "left", + "displayMode": "auto", + "inspect": false, + "width": 50 + }, + "decimals": 2, + "displayName": "", + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "short" + }, + "overrides": [ + { + "matcher": { + "id": "byName", + "options": "deployment" + }, + "properties": [ + { + "id": "displayName", + "value": "Component" + }, + { + "id": "unit", + "value": "short" + }, + { + "id": "decimals", + "value": 2 + }, + { + "id": "custom.align" + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "Value" + }, + "properties": [ + { + "id": "displayName", + "value": "Health" + }, + { + "id": "unit", + "value": "none" + }, + { + "id": "custom.displayMode", + "value": "color-background" + }, + { + "id": "custom.align", + "value": "left" + }, + { + "id": "thresholds", + "value": { + "mode": "absolute", + "steps": [ + { + "color": "#C4162A", + "value": null + }, + { + "color": "#C4162A", + "value": 0 + }, + { + "color": "rgba(50, 172, 45, 0.97)", + "value": 1 + } + ] + } + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "status" + }, + "properties": [ + { + "id": "displayName", + "value": "Status" + }, + { + "id": "unit", + "value": "short" + }, + { + "id": "decimals", + "value": 2 + }, + { + "id": "custom.align" + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "Component" + }, + "properties": [ + { + "id": "custom.width", + "value": 264 + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "Health" + }, + "properties": [ + { + "id": "custom.width", + "value": 134 + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "Status" + }, + "properties": [ + { + "id": "custom.width", + "value": 75 + } + ] + } + ] + }, + "gridPos": { + "h": 8, + "w": 8, + "x": 16, + "y": 13 + }, + "id": 32, + "links": [ + { + "targetBlank": false, + "title": "Logging Dashboard", + "url": "/d/logging/logging-dashboard?orgId=1" + } + ], + "options": { + "footer": { + "fields": "", + "reducer": [ + "sum" + ], + "show": false + }, + "showHeader": true, + "sortBy": [] + }, + "pluginVersion": "8.5.0", + "targets": [ + { + "datasource": "${DS_PROMETHEUS}", + "expr": "trilio_component_status{install_namespace=~\"$Install_Namespace\",cluster=~\"$Cluster\"}", + "format": "table", + "instant": true, + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + "title": "TVK Health", + "transformations": [ + { + "id": "merge", + "options": { + "reducers": [] + } + }, + { + "id": "filterFieldsByName", + "options": { + "include": { + "names": [ + "deployment", + "status", + "Value" + ] + } + } + } + ], + "type": "table" + } + ], + "refresh": "", + "schemaVersion": 36, + "style": "dark", + "tags": [], + "templating": { + "list": [ + { + "current": { + "selected": false, + "text": "Prometheus", + "value": "Prometheus" + }, + "hide": 2, + "includeAll": false, + "label": "datasource", + "multi": false, + "name": "DS_PROMETHEUS", + "options": [], + "query": "prometheus", + "refresh": 1, + "regex": "", + "skipUrlSync": false, + "type": "datasource" + }, + { + "current": {}, + "datasource": { + "uid": "${DS_PROMETHEUS}" + }, + "definition": "trilio_system_info", + "hide": 0, + "includeAll": false, + "multi": false, + "name": "Cluster", + "options": [], + "query": { + "query": "trilio_system_info", + "refId": "Prometheus-Cluster-Variable-Query" + }, + "refresh": 1, + "regex": "/.*cluster=\"([^\"]*).*/", + "skipUrlSync": false, + "sort": 0, + "tagValuesQuery": "", + "tagsQuery": "", + "type": "query", + "useTags": false + }, + { + "current": {}, + "datasource": { + "uid": "${DS_PROMETHEUS}" + }, + "definition": "trilio_system_info{cluster=~\"$Cluster\"}", + "hide": 2, + "includeAll": false, + "multi": false, + "name": "Scope", + "options": [], + "query": { + "query": "trilio_system_info{cluster=~\"$Cluster\"}", + "refId": "Prometheus-Scope-Variable-Query" + }, + "refresh": 1, + "regex": "/.*scope=\"([^\"]*).*/", + "skipUrlSync": false, + "sort": 0, + "tagValuesQuery": "", + "tagsQuery": "", + "type": "query", + "useTags": false + }, + { + "current": {}, + "datasource": { + "uid": "${DS_PROMETHEUS}" + }, + "definition": "trilio_system_info{scope=~\"$Scope\",cluster=~\"$Cluster\"}", + "hide": 0, + "includeAll": false, + "label": "Install Namespace", + "multi": false, + "name": "Install_Namespace", + "options": [], + "query": { + "query": "trilio_system_info{scope=~\"$Scope\",cluster=~\"$Cluster\"}", + "refId": "Prometheus-Install_Namespace-Variable-Query" + }, + "refresh": 1, + "regex": "/.*install_namespace=\"([^\"]*).*/", + "skipUrlSync": false, + "sort": 0, + "tagValuesQuery": "", + "tagsQuery": "", + "type": "query", + "useTags": false + } + ] + }, + "time": { + "from": "now-5m", + "to": "now" + }, + "timepicker": { + "refresh_intervals": [ + "10s", + "30s", + "1m", + "5m", + "15m", + "30m", + "1h", + "2h", + "1d" + ] + }, + "timezone": "", + "title": "Overview", + "uid": "Overview", + "version": 1, + "weekStart": "" +} \ No newline at end of file diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/dashboards/restore-detail.json b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/dashboards/restore-detail.json new file mode 100644 index 000000000..aa3fcad9a --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/dashboards/restore-detail.json @@ -0,0 +1,901 @@ +{ + "__inputs": [ + { + "name": "DS_PROMETHEUS", + "label": "Prometheus", + "description": "", + "type": "datasource", + "pluginId": "prometheus", + "pluginName": "Prometheus" + }, + { + "name": "DS_LOKI", + "label": "Loki", + "description": "", + "type": "datasource", + "pluginId": "loki", + "pluginName": "Loki" + } + ], + "__elements": [], + "__requires": [ + { + "type": "panel", + "id": "gauge", + "name": "Gauge", + "version": "" + }, + { + "type": "grafana", + "id": "grafana", + "name": "Grafana", + "version": "8.5.0" + }, + { + "type": "panel", + "id": "logs", + "name": "Logs", + "version": "" + }, + { + "type": "datasource", + "id": "loki", + "name": "Loki", + "version": "1.0.0" + }, + { + "type": "datasource", + "id": "prometheus", + "name": "Prometheus", + "version": "1.0.0" + }, + { + "type": "panel", + "id": "stat", + "name": "Stat", + "version": "" + }, + { + "type": "panel", + "id": "table", + "name": "Table", + "version": "" + }, + { + "type": "panel", + "id": "table-old", + "name": "Table (old)", + "version": "" + }, + { + "type": "panel", + "id": "text", + "name": "Text", + "version": "" + } + ], + "annotations": { + "list": [ + { + "$$hashKey": "object:1512", + "builtIn": 1, + "datasource": { + "type": "datasource", + "uid": "grafana" + }, + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "limit": 100, + "name": "Annotations & Alerts", + "showIn": 0, + "target": { + "limit": 100, + "matchAny": false, + "tags": [], + "type": "dashboard" + }, + "type": "dashboard" + } + ] + }, + "editable": true, + "fiscalYearStartMonth": 0, + "gnetId": 12603, + "graphTooltip": 0, + "id": null, + "iteration": 1655448141180, + "links": [], + "liveNow": false, + "panels": [ + { + "datasource": { + "uid": "${DS_PROMETHEUS}" + }, + "gridPos": { + "h": 2, + "w": 23, + "x": 0, + "y": 0 + }, + "id": 4, + "options": { + "content": "

Restore Detail

", + "mode": "html" + }, + "pluginVersion": "8.5.0", + "transparent": true, + "type": "text" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "mappings": [], + "max": 100, + "min": 0, + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "dark-red", + "value": null + }, + { + "color": "rgb(255, 255, 255)", + "value": 1 + }, + { + "color": "dark-green", + "value": 100 + } + ] + }, + "unit": "percent" + }, + "overrides": [] + }, + "gridPos": { + "h": 4, + "w": 7, + "x": 0, + "y": 2 + }, + "id": 13, + "options": { + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "last" + ], + "fields": "", + "values": false + }, + "showThresholdLabels": false, + "showThresholdMarkers": false + }, + "pluginVersion": "8.5.0", + "targets": [ + { + "datasource": "${DS_PROMETHEUS}", + "expr": "trilio_restore_status_percentage{restore=~\"$Restore\",install_namespace=~\"$Install_Namespace\",cluster=~\"$Cluster\",kind=\"Restore\"}", + "format": "time_series", + "instant": true, + "interval": "", + "intervalFactor": 1, + "legendFormat": "{{status}}", + "refId": "A" + } + ], + "transparent": true, + "type": "gauge" + }, + { + "datasource": { + "uid": "${DS_PROMETHEUS}" + }, + "gridPos": { + "h": 1, + "w": 4, + "x": 7, + "y": 2 + }, + "id": 17, + "options": { + "content": "", + "mode": "markdown" + }, + "pluginVersion": "8.5.0", + "transparent": true, + "type": "text" + }, + { + "columns": [], + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "description": "", + "fontSize": "100%", + "gridPos": { + "h": 7, + "w": 12, + "x": 12, + "y": 2 + }, + "id": 11, + "showHeader": true, + "sort": { + "col": 0, + "desc": true + }, + "styles": [ + { + "$$hashKey": "object:2545", + "alias": "Object Type", + "align": "auto", + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "link": true, + "linkTooltip": "${__cell}", + "linkUrl": "/d/Metadata/metadata-detail?var-Restore=${Restore}&var-ObjectType=${__cell}&var-Cluster=${Cluster}&var-Install_Namespace=${Install_Namespace}", + "pattern": "objecttype", + "type": "string" + }, + { + "$$hashKey": "object:1086", + "alias": "Source", + "align": "auto", + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "decimals": 2, + "mappingType": 1, + "pattern": "applicationtype", + "thresholds": [], + "type": "string", + "unit": "short" + }, + { + "$$hashKey": "object:1112", + "alias": "Count", + "align": "auto", + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "dateFormat": "YYYY-MM-DD HH:mm:ss", + "mappingType": 1, + "pattern": "Value", + "thresholds": [], + "type": "number", + "unit": "short" + }, + { + "$$hashKey": "object:2546", + "alias": "", + "align": "right", + "colors": [ + "rgba(245, 54, 54, 0.9)", + "rgba(237, 129, 40, 0.89)", + "rgba(50, 172, 45, 0.97)" + ], + "decimals": 2, + "pattern": "/.*/", + "thresholds": [], + "type": "hidden", + "unit": "short" + } + ], + "targets": [ + { + "datasource": "${DS_PROMETHEUS}", + "expr": "avg(trilio_restore_metadata_info{restore=~\"$Restore\",install_namespace=~\"$Install_Namespace\",cluster=~\"$Cluster\",kind=\"Restore\"}) by (objecttype, applicationtype)", + "format": "table", + "instant": true, + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + "title": "Metadata Info", + "transform": "table", + "type": "table-old" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "mappings": [ + { + "options": { + "0": { + "text": "InProgress" + }, + "1": { + "text": "Completed" + }, + "-1": { + "text": "Failed" + }, + "-2": { + "text": "UnKnown" + } + }, + "type": "value" + } + ], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "red", + "value": null + }, + { + "color": "dark-red", + "value": -1 + }, + { + "color": "blue", + "value": 0 + }, + { + "color": "green", + "value": 1 + } + ] + }, + "unit": "short" + }, + "overrides": [] + }, + "gridPos": { + "h": 2, + "w": 5, + "x": 7, + "y": 3 + }, + "id": 15, + "links": [], + "maxDataPoints": 100, + "options": { + "colorMode": "value", + "fieldOptions": { + "calcs": [ + "mean" + ] + }, + "graphMode": "none", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "first" + ], + "fields": "", + "values": false + }, + "textMode": "value" + }, + "pluginVersion": "8.5.0", + "targets": [ + { + "datasource": "${DS_PROMETHEUS}", + "expr": "trilio_restore_info{restore=~\"$Restore\",install_namespace=~\"$Install_Namespace\",cluster=~\"$Cluster\",kind=\"Restore\"}", + "format": "time_series", + "instant": true, + "interval": "", + "intervalFactor": 1, + "legendFormat": "{{status}}", + "refId": "A" + } + ], + "transparent": true, + "type": "stat" + }, + { + "datasource": { + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [ + { + "options": { + "match": "null", + "result": { + "text": "N/A" + } + }, + "type": "special" + } + ], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "none" + }, + "overrides": [] + }, + "gridPos": { + "h": 3, + "w": 6, + "x": 0, + "y": 6 + }, + "id": 6, + "links": [], + "maxDataPoints": 100, + "options": { + "colorMode": "none", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "horizontal", + "reduceOptions": { + "calcs": [ + "first" + ], + "fields": "/^restore$/", + "values": false + }, + "text": { + "valueSize": 30 + }, + "textMode": "auto" + }, + "pluginVersion": "8.5.0", + "targets": [ + { + "datasource": "${DS_PROMETHEUS}", + "expr": "trilio_restore_info{ restore=~\"$Restore\",install_namespace=~\"$Install_Namespace\",cluster=~\"$Cluster\"}", + "format": "table", + "instant": true, + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + "title": "Restore", + "type": "stat" + }, + { + "datasource": { + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [ + { + "options": { + "match": "null", + "result": { + "text": "N/A" + } + }, + "type": "special" + } + ], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "none" + }, + "overrides": [] + }, + "gridPos": { + "h": 3, + "w": 6, + "x": 6, + "y": 6 + }, + "id": 20, + "links": [], + "maxDataPoints": 100, + "options": { + "colorMode": "none", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "horizontal", + "reduceOptions": { + "calcs": [ + "first" + ], + "fields": "/^backup$/", + "values": false + }, + "text": { + "valueSize": 30 + }, + "textMode": "auto" + }, + "pluginVersion": "8.5.0", + "targets": [ + { + "datasource": "${DS_PROMETHEUS}", + "expr": "trilio_restore_info{ restore=~\"$Restore\",install_namespace=~\"$Install_Namespace\",cluster=~\"$Cluster\"}", + "format": "table", + "instant": true, + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + "title": "Backup", + "type": "stat" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "custom": { + "align": "left", + "displayMode": "auto", + "filterable": false, + "inspect": false + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + } + ] + }, + "unit": "short" + }, + "overrides": [ + { + "matcher": { + "id": "byName", + "options": "First" + }, + "properties": [ + { + "id": "displayName", + "value": "Value" + } + ] + } + ] + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 0, + "y": 9 + }, + "id": 19, + "options": { + "footer": { + "fields": "", + "reducer": [ + "sum" + ], + "show": false + }, + "showHeader": true + }, + "pluginVersion": "8.5.0", + "targets": [ + { + "datasource": "${DS_PROMETHEUS}", + "expr": "trilio_restore_info{ restore=~\"$Restore\",install_namespace=~\"$Install_Namespace\",cluster=~\"$Cluster\",kind=\"Restore\"}", + "format": "table", + "instant": true, + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + "title": "Details", + "transformations": [ + { + "id": "filterFieldsByName", + "options": { + "include": { + "names": [ + "Time", + "completion_ts", + "size", + "start_ts", + "target", + "resource_namespace" + ] + } + } + }, + { + "id": "reduce", + "options": { + "reducers": [ + "first" + ] + } + } + ], + "type": "table" + }, + { + "datasource": { + "type": "loki", + "uid": "${DS_LOKI}" + }, + "gridPos": { + "h": 8, + "w": 12, + "x": 12, + "y": 9 + }, + "id": 22, + "options": { + "dedupStrategy": "none", + "enableLogDetails": true, + "prettifyLogMessage": false, + "showCommonLabels": false, + "showLabels": false, + "showTime": true, + "sortOrder": "Descending", + "wrapLogMessage": false + }, + "targets": [ + { + "datasource": { + "type": "loki", + "uid": "${DS_LOKI}" + }, + "expr": "{transaction_type=\"Restore\",transaction_resource_name=~\"$Restore\",service_type=~\"$service_type\"}", + "refId": "A" + } + ], + "title": "Restore Logs", + "type": "logs" + } + ], + "refresh": "30s", + "schemaVersion": 36, + "style": "dark", + "tags": [], + "templating": { + "list": [ + { + "current": { + "selected": false, + "text": "Prometheus", + "value": "Prometheus" + }, + "hide": 2, + "includeAll": false, + "label": "datasource", + "multi": false, + "name": "DS_PROMETHEUS", + "options": [], + "query": "prometheus", + "refresh": 1, + "regex": "", + "skipUrlSync": false, + "type": "datasource" + }, + { + "current": { + "selected": false, + "text": "Loki", + "value": "Loki" + }, + "hide": 2, + "includeAll": false, + "label": "loki", + "multi": false, + "name": "DS_LOKI", + "options": [], + "query": "loki", + "refresh": 1, + "regex": "", + "skipUrlSync": false, + "type": "datasource" + }, + { + "current": {}, + "datasource": { + "uid": "${DS_PROMETHEUS}" + }, + "definition": "trilio_system_info", + "hide": 2, + "includeAll": false, + "multi": false, + "name": "Cluster", + "options": [], + "query": { + "query": "trilio_system_info", + "refId": "Prometheus-Cluster-Variable-Query" + }, + "refresh": 1, + "regex": "/.*cluster=\"([^\"]*).*/", + "skipUrlSync": false, + "sort": 0, + "tagValuesQuery": "", + "tagsQuery": "", + "type": "query", + "useTags": false + }, + { + "current": {}, + "datasource": { + "uid": "${DS_PROMETHEUS}" + }, + "definition": "trilio_system_info{cluster=~\"$Cluster\"}", + "hide": 2, + "includeAll": false, + "multi": false, + "name": "Scope", + "options": [], + "query": { + "query": "trilio_system_info{cluster=~\"$Cluster\"}", + "refId": "Prometheus-Scope-Variable-Query" + }, + "refresh": 1, + "regex": "/.*scope=\"([^\"]*).*/", + "skipUrlSync": false, + "sort": 0, + "tagValuesQuery": "", + "tagsQuery": "", + "type": "query", + "useTags": false + }, + { + "current": {}, + "datasource": { + "uid": "${DS_PROMETHEUS}" + }, + "definition": "trilio_system_info{scope=~\"$Scope\",cluster=~\"$Cluster\"}", + "hide": 0, + "includeAll": false, + "label": "Install Namespace", + "multi": false, + "name": "Install_Namespace", + "options": [], + "query": { + "query": "trilio_system_info{scope=~\"$Scope\",cluster=~\"$Cluster\"}", + "refId": "Prometheus-Install_Namespace-Variable-Query" + }, + "refresh": 2, + "regex": "/.*install_namespace=\"([^\"]*).*/", + "skipUrlSync": false, + "sort": 0, + "tagValuesQuery": "", + "tagsQuery": "", + "type": "query", + "useTags": false + }, + { + "current": {}, + "datasource": { + "uid": "${DS_PROMETHEUS}" + }, + "definition": "trilio_restore_info{cluster=~\"$Cluster\",kind=\"Restore\"}", + "hide": 0, + "includeAll": false, + "label": "Restore", + "multi": false, + "name": "Restore", + "options": [], + "query": { + "query": "trilio_restore_info{cluster=~\"$Cluster\",kind=\"Restore\"}", + "refId": "StandardVariableQuery" + }, + "refresh": 2, + "regex": "/.*restore=\"([^\"]*).*/", + "skipUrlSync": false, + "sort": 0, + "tagValuesQuery": "", + "tagsQuery": "", + "type": "query", + "useTags": false + }, + { + "current": {}, + "datasource": { + "type": "loki", + "uid": "${DS_LOKI}" + }, + "definition": "label_values({transaction_type=~\"Restore\",transaction_resource_name=~\"$Restore\"},transaction_resource_namespace)", + "description": "Restore Namespace", + "hide": 0, + "includeAll": true, + "label": "Restore Namespace", + "multi": false, + "name": "Namespace", + "options": [], + "query": "label_values({transaction_type=~\"Restore\",transaction_resource_name=~\"$Restore\"},transaction_resource_namespace)", + "refresh": 2, + "regex": "", + "skipUrlSync": false, + "sort": 0, + "type": "query" + }, + { + "current": {}, + "datasource": { + "type": "loki", + "uid": "${DS_LOKI}" + }, + "definition": "label_values({transaction_type=\"Restore\",transaction_resource_name=~\"$Restore\"}, service_type)", + "description": "Service Type", + "hide": 0, + "includeAll": true, + "label": "Service Type", + "multi": false, + "name": "service_type", + "options": [], + "query": "label_values({transaction_type=\"Restore\",transaction_resource_name=~\"$Restore\"}, service_type)", + "refresh": 2, + "regex": "", + "skipUrlSync": false, + "sort": 0, + "type": "query" + } + ] + }, + "time": { + "from": "now-15m", + "to": "now" + }, + "timepicker": { + "refresh_intervals": [ + "10s", + "30s", + "1m", + "5m", + "15m", + "30m", + "1h", + "2h", + "1d" + ] + }, + "timezone": "", + "title": "Restore Detail", + "uid": "Restore", + "version": 1, + "weekStart": "" +} \ No newline at end of file diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/dashboards/restore-overview.json b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/dashboards/restore-overview.json new file mode 100644 index 000000000..2072f9941 --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/dashboards/restore-overview.json @@ -0,0 +1,853 @@ +{ + "__inputs": [ + { + "name": "DS_PROMETHEUS", + "label": "Prometheus", + "description": "", + "type": "datasource", + "pluginId": "prometheus", + "pluginName": "Prometheus" + } + ], + "__elements": [], + "__requires": [ + { + "type": "grafana", + "id": "grafana", + "name": "Grafana", + "version": "8.5.0" + }, + { + "type": "datasource", + "id": "prometheus", + "name": "Prometheus", + "version": "1.0.0" + }, + { + "type": "panel", + "id": "stat", + "name": "Stat", + "version": "" + }, + { + "type": "panel", + "id": "table", + "name": "Table", + "version": "" + }, + { + "type": "panel", + "id": "text", + "name": "Text", + "version": "" + } + ], + "annotations": { + "list": [ + { + "$$hashKey": "object:48276", + "builtIn": 1, + "datasource": { + "type": "datasource", + "uid": "grafana" + }, + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "limit": 100, + "name": "Annotations & Alerts", + "showIn": 0, + "target": { + "limit": 100, + "matchAny": false, + "tags": [], + "type": "dashboard" + }, + "type": "dashboard" + } + ] + }, + "editable": true, + "fiscalYearStartMonth": 0, + "gnetId": 12602, + "graphTooltip": 0, + "id": null, + "iteration": 1655396733765, + "links": [], + "liveNow": false, + "panels": [ + { + "datasource": { + "uid": "${DS_PROMETHEUS}" + }, + "gridPos": { + "h": 2, + "w": 23, + "x": 1, + "y": 0 + }, + "id": 4, + "options": { + "content": "

Restores Overview

", + "mode": "html" + }, + "pluginVersion": "8.5.0", + "transparent": true, + "type": "text" + }, + { + "datasource": { + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "links": [], + "mappings": [], + "min": 0, + "noValue": "0", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "rgb(115, 181, 181)", + "value": null + } + ] + }, + "unit": "short" + }, + "overrides": [] + }, + "gridPos": { + "h": 3, + "w": 4, + "x": 2, + "y": 2 + }, + "id": 35, + "links": [], + "options": { + "colorMode": "background", + "graphMode": "none", + "justifyMode": "center", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "first" + ], + "fields": "", + "values": false + }, + "textMode": "auto" + }, + "pluginVersion": "8.5.0", + "targets": [ + { + "expr": "count(trilio_restore_info{install_namespace=~\"$Install_Namespace\",cluster=~\"$Cluster\"}) ", + "format": "time_series", + "instant": true, + "interval": "", + "legendFormat": "All", + "refId": "A", + "datasource": "${DS_PROMETHEUS}" + } + ], + "title": "All", + "transparent": true, + "type": "stat" + }, + { + "datasource": { + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "links": [], + "mappings": [], + "min": 0, + "noValue": "0", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "short" + }, + "overrides": [] + }, + "gridPos": { + "h": 3, + "w": 4, + "x": 6, + "y": 2 + }, + "id": 36, + "links": [], + "options": { + "colorMode": "background", + "graphMode": "none", + "justifyMode": "center", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "last" + ], + "fields": "/^Completed$/", + "values": false + }, + "textMode": "auto" + }, + "pluginVersion": "8.5.0", + "targets": [ + { + "expr": "count(trilio_restore_info{status=\"Completed\",install_namespace=~\"$Install_Namespace\",cluster=~\"$Cluster\"}) by (status)", + "format": "time_series", + "instant": true, + "interval": "", + "legendFormat": "{{status}}", + "refId": "A", + "datasource": "${DS_PROMETHEUS}" + } + ], + "title": "Completed", + "transparent": true, + "type": "stat" + }, + { + "datasource": { + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "links": [], + "mappings": [], + "min": 0, + "noValue": "0", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "blue", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "short" + }, + "overrides": [] + }, + "gridPos": { + "h": 3, + "w": 4, + "x": 10, + "y": 2 + }, + "id": 39, + "links": [], + "options": { + "colorMode": "background", + "graphMode": "none", + "justifyMode": "center", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "last" + ], + "fields": "/^InProgress$/", + "values": false + }, + "textMode": "auto" + }, + "pluginVersion": "8.5.0", + "targets": [ + { + "expr": "count(trilio_restore_info{status=\"InProgress\",install_namespace=~\"$Install_Namespace\",cluster=~\"$Cluster\"}) by (status)", + "format": "time_series", + "instant": true, + "interval": "", + "legendFormat": "{{status}}", + "refId": "A", + "datasource": "${DS_PROMETHEUS}" + } + ], + "title": "InProgress", + "transparent": true, + "type": "stat" + }, + { + "datasource": { + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "links": [], + "mappings": [], + "min": 0, + "noValue": "0", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "red", + "value": null + } + ] + }, + "unit": "short" + }, + "overrides": [] + }, + "gridPos": { + "h": 3, + "w": 4, + "x": 14, + "y": 2 + }, + "id": 38, + "links": [], + "options": { + "colorMode": "background", + "graphMode": "none", + "justifyMode": "center", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "last" + ], + "fields": "/^Failed$/", + "values": false + }, + "textMode": "auto" + }, + "pluginVersion": "8.5.0", + "targets": [ + { + "expr": "count(trilio_restore_info{status=\"Failed\",install_namespace=~\"$Install_Namespace\",cluster=~\"$Cluster\"}) by (status)", + "format": "time_series", + "instant": true, + "interval": "", + "legendFormat": "{{status}}", + "refId": "A", + "datasource": "${DS_PROMETHEUS}" + } + ], + "title": "Failed", + "transparent": true, + "type": "stat" + }, + { + "datasource": { + "uid": "${DS_PROMETHEUS}" + }, + "description": "", + "fieldConfig": { + "defaults": { + "links": [], + "mappings": [], + "min": 0, + "noValue": "0", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "rgb(79, 145, 145)", + "value": null + } + ] + }, + "unit": "short" + }, + "overrides": [] + }, + "gridPos": { + "h": 3, + "w": 4, + "x": 18, + "y": 2 + }, + "id": 37, + "links": [], + "options": { + "colorMode": "background", + "graphMode": "none", + "justifyMode": "center", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "first" + ], + "fields": "", + "values": false + }, + "textMode": "auto" + }, + "pluginVersion": "8.5.0", + "targets": [ + { + "expr": "count(trilio_restore_info{status=\"UnKnown\",install_namespace=~\"$Install_Namespace\",cluster=~\"$Cluster\"}) by (status)", + "format": "time_series", + "instant": true, + "interval": "", + "legendFormat": "{{status}}", + "refId": "A", + "datasource": "${DS_PROMETHEUS}" + } + ], + "title": "UnKnown", + "transformations": [], + "transparent": true, + "type": "stat" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "custom": { + "align": "auto", + "displayMode": "auto", + "inspect": false + }, + "decimals": 2, + "displayName": "", + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "short" + }, + "overrides": [ + { + "matcher": { + "id": "byName", + "options": "restore" + }, + "properties": [ + { + "id": "displayName", + "value": "Restore" + }, + { + "id": "unit", + "value": "short" + }, + { + "id": "decimals", + "value": 2 + }, + { + "id": "links", + "value": [ + { + "targetBlank": false, + "title": "Show Restore Detail", + "url": "/d/${__data.fields.kind}/?refresh=5s&var-Restore=${__value.text}&var-Cluster=${Cluster}&var-Install_Namespace=${Install_Namespace}" + } + ] + }, + { + "id": "custom.align" + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "completion_ts" + }, + "properties": [ + { + "id": "displayName", + "value": "Completion" + }, + { + "id": "unit", + "value": "short" + }, + { + "id": "decimals", + "value": 2 + }, + { + "id": "unit", + "value": "time: YYYY-MM-DD HH:mm:ss.SSS" + }, + { + "id": "custom.align" + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "Value" + }, + "properties": [ + { + "id": "displayName", + "value": "Percentage" + }, + { + "id": "unit", + "value": "percent" + }, + { + "id": "custom.align" + }, + { + "id": "decimals", + "value": 0 + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "backup" + }, + "properties": [ + { + "id": "displayName", + "value": "Backup" + }, + { + "id": "unit", + "value": "decbytes" + }, + { + "id": "decimals", + "value": 2 + }, + { + "id": "links", + "value": [] + }, + { + "id": "custom.align" + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "target" + }, + "properties": [ + { + "id": "displayName", + "value": "Target" + }, + { + "id": "unit", + "value": "short" + }, + { + "id": "decimals", + "value": 2 + }, + { + "id": "links", + "value": [ + { + "targetBlank": false, + "title": "Show Target Detail", + "url": "/d/TargetDetail/target-detail?refresh=5s&var-Target=${__value.text}&var-Cluster=${Cluster}&var-Install_Namespace=${Install_Namespace}" + } + ] + }, + { + "id": "custom.align" + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "size" + }, + "properties": [ + { + "id": "displayName", + "value": "Size" + }, + { + "id": "unit", + "value": "decbytes" + }, + { + "id": "custom.align" + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "status" + }, + "properties": [ + { + "id": "displayName", + "value": "Status" + }, + { + "id": "unit", + "value": "short" + }, + { + "id": "decimals", + "value": 2 + }, + { + "id": "custom.align" + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "kind" + }, + "properties": [ + { + "id": "displayName", + "value": "Restore Kind" + } + ] + } + ] + }, + "gridPos": { + "h": 10, + "w": 24, + "x": 0, + "y": 5 + }, + "id": 29, + "options": { + "footer": { + "fields": "", + "reducer": [ + "sum" + ], + "show": false + }, + "showHeader": true + }, + "pluginVersion": "8.5.0", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "expr": "trilio_restore_status_percentage{status=~\"$Status\",install_namespace=~\"$Install_Namespace\",cluster=~\"$Cluster\"}", + "format": "table", + "instant": true, + "interval": "", + "intervalFactor": 1, + "legendFormat": "", + "refId": "A" + } + ], + "transformations": [ + { + "id": "merge", + "options": { + "reducers": [] + } + }, + { + "id": "filterFieldsByName", + "options": { + "include": { + "names": [ + "completion_ts", + "kind", + "restore", + "size", + "status", + "target", + "Value", + "backup" + ] + } + } + } + ], + "type": "table" + } + ], + "refresh": "5s", + "schemaVersion": 36, + "style": "dark", + "tags": [], + "templating": { + "list": [ + { + "current": { + "selected": false, + "text": "Prometheus", + "value": "Prometheus" + }, + "hide": 2, + "includeAll": false, + "label": "datasource", + "multi": false, + "name": "DS_PROMETHEUS", + "options": [], + "query": "prometheus", + "refresh": 1, + "regex": "", + "skipUrlSync": false, + "type": "datasource" + }, + { + "current": {}, + "datasource": { + "uid": "${DS_PROMETHEUS}" + }, + "definition": "trilio_system_info", + "hide": 2, + "includeAll": false, + "multi": false, + "name": "Cluster", + "options": [], + "query": { + "query": "trilio_system_info", + "refId": "Prometheus-Cluster-Variable-Query" + }, + "refresh": 1, + "regex": "/.*cluster=\"([^\"]*).*/", + "skipUrlSync": false, + "sort": 0, + "tagValuesQuery": "", + "tagsQuery": "", + "type": "query", + "useTags": false + }, + { + "current": {}, + "datasource": { + "uid": "${DS_PROMETHEUS}" + }, + "definition": "trilio_system_info{cluster=~\"$Cluster\"}", + "hide": 2, + "includeAll": false, + "multi": false, + "name": "Scope", + "options": [], + "query": { + "query": "trilio_system_info{cluster=~\"$Cluster\"}", + "refId": "Prometheus-Scope-Variable-Query" + }, + "refresh": 1, + "regex": "/.*scope=\"([^\"]*).*/", + "skipUrlSync": false, + "sort": 0, + "tagValuesQuery": "", + "tagsQuery": "", + "type": "query", + "useTags": false + }, + { + "current": {}, + "datasource": { + "uid": "${DS_PROMETHEUS}" + }, + "definition": "trilio_system_info{scope=~\"$Scope\",cluster=~\"$Cluster\"}", + "hide": 0, + "includeAll": false, + "label": "Install Namespace", + "multi": false, + "name": "Install_Namespace", + "options": [], + "query": { + "query": "trilio_system_info{scope=~\"$Scope\",cluster=~\"$Cluster\"}", + "refId": "Prometheus-Install_Namespace-Variable-Query" + }, + "refresh": 1, + "regex": "/.*install_namespace=\"([^\"]*).*/", + "skipUrlSync": false, + "sort": 0, + "tagValuesQuery": "", + "tagsQuery": "", + "type": "query", + "useTags": false + }, + { + "current": {}, + "datasource": { + "uid": "${DS_PROMETHEUS}" + }, + "definition": "trilio_restore_info", + "hide": 0, + "includeAll": true, + "label": "status", + "multi": false, + "name": "Status", + "options": [], + "query": { + "query": "trilio_restore_info", + "refId": "Prometheus-Status-Variable-Query" + }, + "refresh": 1, + "regex": "/.*status=\"([^\"]*).*/", + "skipUrlSync": false, + "sort": 0, + "tagValuesQuery": "", + "tagsQuery": "", + "type": "query", + "useTags": false + } + ] + }, + "time": { + "from": "now-15m", + "to": "now" + }, + "timepicker": { + "refresh_intervals": [ + "10s", + "30s", + "1m", + "5m", + "15m", + "30m", + "1h", + "2h", + "1d" + ] + }, + "timezone": "", + "title": "Restore Overview", + "uid": "RestoreOverview", + "version": 1, + "weekStart": "" +} \ No newline at end of file diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/dashboards/target-detail.json b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/dashboards/target-detail.json new file mode 100644 index 000000000..5fa45353d --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/dashboards/target-detail.json @@ -0,0 +1,1327 @@ +{ + "__inputs": [ + { + "name": "DS_PROMETHEUS", + "label": "Prometheus", + "description": "", + "type": "datasource", + "pluginId": "prometheus", + "pluginName": "Prometheus" + }, + { + "name": "DS_LOKI", + "label": "Loki", + "description": "", + "type": "datasource", + "pluginId": "loki", + "pluginName": "Loki" + } + ], + "__elements": [], + "__requires": [ + { + "type": "grafana", + "id": "grafana", + "name": "Grafana", + "version": "8.5.0" + }, + { + "type": "panel", + "id": "logs", + "name": "Logs", + "version": "" + }, + { + "type": "datasource", + "id": "loki", + "name": "Loki", + "version": "1.0.0" + }, + { + "type": "datasource", + "id": "prometheus", + "name": "Prometheus", + "version": "1.0.0" + }, + { + "type": "panel", + "id": "stat", + "name": "Stat", + "version": "" + }, + { + "type": "panel", + "id": "table", + "name": "Table", + "version": "" + }, + { + "type": "panel", + "id": "text", + "name": "Text", + "version": "" + } + ], + "annotations": { + "list": [ + { + "$$hashKey": "object:63480", + "builtIn": 1, + "datasource": { + "type": "datasource", + "uid": "grafana" + }, + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "name": "Annotations & Alerts", + "target": { + "limit": 100, + "matchAny": false, + "tags": [], + "type": "dashboard" + }, + "type": "dashboard" + } + ] + }, + "editable": true, + "fiscalYearStartMonth": 0, + "gnetId": 12606, + "graphTooltip": 0, + "id": 14, + "iteration": 1655445162139, + "links": [], + "liveNow": false, + "panels": [ + { + "datasource": { + "uid": "${DS_PROMETHEUS}" + }, + "gridPos": { + "h": 2, + "w": 24, + "x": 0, + "y": 0 + }, + "id": 4, + "options": { + "content": "

Targets

", + "mode": "html" + }, + "pluginVersion": "8.5.0", + "transparent": true, + "type": "text" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "mappings": [ + { + "options": { + "0": { + "text": "Unavailable" + }, + "1": { + "text": "Available" + } + }, + "type": "value" + } + ], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "#d44a3a", + "value": null + }, + { + "color": "dark-red", + "value": 0 + }, + { + "color": "#299c46", + "value": 1 + } + ] + }, + "unit": "none" + }, + "overrides": [] + }, + "gridPos": { + "h": 3, + "w": 3, + "x": 0, + "y": 2 + }, + "id": 8, + "links": [], + "maxDataPoints": 100, + "options": { + "colorMode": "value", + "fieldOptions": { + "calcs": [ + "mean" + ] + }, + "graphMode": "none", + "justifyMode": "auto", + "orientation": "horizontal", + "reduceOptions": { + "calcs": [ + "first" + ], + "fields": "", + "values": false + }, + "text": { + "valueSize": 30 + }, + "textMode": "auto" + }, + "pluginVersion": "8.5.0", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "exemplar": false, + "expr": "avg(trilio_target_info{target=~\"$Target\",install_namespace=~\"$Install_Namespace\",cluster=~\"$Cluster\"})", + "format": "time_series", + "instant": true, + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + "title": "Health", + "type": "stat" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [ + { + "options": { + "false": { + "index": 1, + "text": "Data Target" + }, + "true": { + "index": 0, + "text": "Event Target" + } + }, + "type": "value" + } + ], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "none" + }, + "overrides": [] + }, + "gridPos": { + "h": 3, + "w": 4, + "x": 3, + "y": 2 + }, + "id": 43, + "links": [], + "maxDataPoints": 100, + "options": { + "colorMode": "none", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "horizontal", + "reduceOptions": { + "calcs": [ + "first" + ], + "fields": "/^eventTarget$/", + "values": false + }, + "text": { + "valueSize": 30 + }, + "textMode": "auto" + }, + "pluginVersion": "8.5.0", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "exemplar": false, + "expr": "trilio_target_info{ target=~\"$Target\",install_namespace=~\"$Install_Namespace\",cluster=~\"$Cluster\"}", + "format": "table", + "instant": true, + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + "title": "Target Type", + "type": "stat" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [ + { + "options": { + "false": { + "text": "False" + }, + "true": { + "text": "True" + } + }, + "type": "value" + } + ], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "none" + }, + "overrides": [] + }, + "gridPos": { + "h": 3, + "w": 2, + "x": 7, + "y": 2 + }, + "id": 35, + "links": [], + "maxDataPoints": 100, + "options": { + "colorMode": "none", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "horizontal", + "reduceOptions": { + "calcs": [ + "first" + ], + "fields": "/^browsing$/", + "values": false + }, + "text": { + "valueSize": 30 + }, + "textMode": "auto" + }, + "pluginVersion": "8.5.0", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "exemplar": false, + "expr": "trilio_target_info{ target=~\"$Target\",install_namespace=~\"$Install_Namespace\",cluster=~\"$Cluster\"}", + "format": "table", + "instant": true, + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + "title": "Browsing", + "type": "stat" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "description": "", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [ + { + "options": { + "0": { + "text": "N/A" + } + }, + "type": "value" + } + ], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "none" + }, + "overrides": [] + }, + "gridPos": { + "h": 3, + "w": 3, + "x": 9, + "y": 2 + }, + "id": 39, + "links": [], + "maxDataPoints": 100, + "options": { + "colorMode": "none", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "horizontal", + "reduceOptions": { + "calcs": [ + "first" + ], + "fields": "/^threshold_capacity$/", + "values": false + }, + "text": { + "valueSize": 30 + }, + "textMode": "auto" + }, + "pluginVersion": "8.5.0", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "exemplar": false, + "expr": "trilio_target_info{ target=~\"$Target\",install_namespace=~\"$Install_Namespace\",cluster=~\"$Cluster\"}", + "format": "table", + "instant": true, + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + "title": "Threshold Capacity", + "type": "stat" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "mappings": [], + "noValue": "0", + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "#c7d0d9", + "value": null + } + ] + }, + "unit": "decbytes" + }, + "overrides": [] + }, + "gridPos": { + "h": 3, + "w": 3, + "x": 12, + "y": 2 + }, + "id": 38, + "links": [], + "maxDataPoints": 100, + "options": { + "colorMode": "value", + "fieldOptions": { + "calcs": [ + "mean" + ] + }, + "graphMode": "none", + "justifyMode": "auto", + "orientation": "horizontal", + "reduceOptions": { + "calcs": [ + "sum" + ], + "fields": "", + "values": false + }, + "text": { + "valueSize": 30 + }, + "textMode": "auto" + }, + "pluginVersion": "8.5.0", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "exemplar": false, + "expr": "sum(trilio_backup_storage{target=~\"$Target\",status=~\"Available\",install_namespace=~\"$Install_Namespace\",cluster=~\"$Cluster\"})", + "instant": true, + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + "title": "Total Capacity", + "type": "stat" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [ + { + "options": { + "match": "null", + "result": { + "text": "N/A" + } + }, + "type": "special" + } + ], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "none" + }, + "overrides": [] + }, + "gridPos": { + "h": 3, + "w": 3, + "x": 15, + "y": 2 + }, + "id": 36, + "links": [], + "maxDataPoints": 100, + "options": { + "colorMode": "none", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "horizontal", + "reduceOptions": { + "calcs": [ + "first" + ], + "fields": "/^vendorType$/", + "values": false + }, + "text": { + "valueSize": 30 + }, + "textMode": "auto" + }, + "pluginVersion": "8.5.0", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "exemplar": false, + "expr": "trilio_target_info{ target=~\"$Target\",install_namespace=~\"$Install_Namespace\",cluster=~\"$Cluster\"}", + "format": "table", + "instant": true, + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + "title": "Vendor Type", + "type": "stat" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [ + { + "options": { + "match": "null", + "result": { + "text": "N/A" + } + }, + "type": "special" + } + ], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "none" + }, + "overrides": [] + }, + "gridPos": { + "h": 3, + "w": 2, + "x": 18, + "y": 2 + }, + "id": 40, + "links": [], + "maxDataPoints": 100, + "options": { + "colorMode": "none", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "horizontal", + "reduceOptions": { + "calcs": [ + "first" + ], + "fields": "/^vendor$/", + "values": false + }, + "text": { + "valueSize": 30 + }, + "textMode": "auto" + }, + "pluginVersion": "8.5.0", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "exemplar": false, + "expr": "trilio_target_info{ target=~\"$Target\",install_namespace=~\"$Install_Namespace\",cluster=~\"$Cluster\"}", + "format": "table", + "instant": true, + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + "title": "Vendor ", + "type": "stat" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [ + { + "options": { + "match": "null", + "result": { + "text": "N/A" + } + }, + "type": "special" + } + ], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "dateTimeAsIso" + }, + "overrides": [] + }, + "gridPos": { + "h": 3, + "w": 4, + "x": 20, + "y": 2 + }, + "id": 37, + "links": [], + "maxDataPoints": 100, + "options": { + "colorMode": "none", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "horizontal", + "reduceOptions": { + "calcs": [ + "first" + ], + "fields": "/^creation_ts$/", + "values": false + }, + "text": {}, + "textMode": "auto" + }, + "pluginVersion": "8.5.0", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "exemplar": false, + "expr": "trilio_target_info{ target=~\"$Target\",install_namespace=~\"$Install_Namespace\",cluster=~\"$Cluster\"}", + "format": "table", + "instant": true, + "interval": "", + "legendFormat": "", + "refId": "A" + } + ], + "title": "Creattion Timestamp", + "type": "stat" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "custom": { + "align": "auto", + "displayMode": "auto", + "inspect": false, + "minWidth": 100 + }, + "decimals": 2, + "displayName": "", + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + }, + { + "color": "red", + "value": 80 + } + ] + }, + "unit": "short" + }, + "overrides": [ + { + "matcher": { + "id": "byName", + "options": "backup" + }, + "properties": [ + { + "id": "displayName", + "value": "Backup" + }, + { + "id": "unit", + "value": "short" + }, + { + "id": "decimals", + "value": 2 + }, + { + "id": "links", + "value": [ + { + "targetBlank": false, + "title": "Show Backup Detail", + "url": "/d/${__data.fields.kind}?refresh=5s&var-Backup=${__value.text}&var-Cluster=${Cluster}&var-Install_Namespace=${Install_Namespace}" + } + ] + }, + { + "id": "custom.align" + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "backupplan" + }, + "properties": [ + { + "id": "displayName", + "value": "Backup Plan" + }, + { + "id": "unit", + "value": "short" + }, + { + "id": "decimals", + "value": 2 + }, + { + "id": "custom.align" + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "completion_ts" + }, + "properties": [ + { + "id": "displayName", + "value": "Completion " + }, + { + "id": "unit", + "value": "short" + }, + { + "id": "decimals", + "value": 2 + }, + { + "id": "custom.align" + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "size" + }, + "properties": [ + { + "id": "displayName", + "value": "Size" + }, + { + "id": "unit", + "value": "decbytes" + }, + { + "id": "custom.align" + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "-" + }, + "properties": [ + { + "id": "displayName", + "value": "Average Data Transfer" + }, + { + "id": "unit", + "value": "short" + }, + { + "id": "decimals", + "value": 2 + }, + { + "id": "custom.align" + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "target" + }, + "properties": [ + { + "id": "displayName", + "value": "Target" + }, + { + "id": "unit", + "value": "short" + }, + { + "id": "decimals", + "value": 2 + }, + { + "id": "custom.align" + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "status" + }, + "properties": [ + { + "id": "displayName", + "value": "Status" + }, + { + "id": "unit", + "value": "short" + }, + { + "id": "decimals", + "value": 2 + }, + { + "id": "custom.align" + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "backup_type" + }, + "properties": [ + { + "id": "displayName", + "value": "Backup Type" + }, + { + "id": "unit", + "value": "short" + }, + { + "id": "decimals", + "value": 2 + }, + { + "id": "custom.align" + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "kind" + }, + "properties": [ + { + "id": "displayName", + "value": "Backup KInd" + } + ] + } + ] + }, + "gridPos": { + "h": 18, + "w": 12, + "x": 0, + "y": 5 + }, + "id": 32, + "options": { + "footer": { + "enablePagination": false, + "fields": "", + "reducer": [ + "sum" + ], + "show": false + }, + "showHeader": true + }, + "pluginVersion": "8.5.0", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "exemplar": false, + "expr": "topk(10,trilio_backup_info{target=~\"$Target\",install_namespace=~\"$Install_Namespace\",cluster=~\"$Cluster\"}) by (size)", + "format": "table", + "instant": true, + "interval": "", + "intervalFactor": 1, + "legendFormat": "{{backup}} {{status}}", + "refId": "A" + } + ], + "title": "Backups", + "transformations": [ + { + "id": "merge", + "options": { + "reducers": [] + } + }, + { + "id": "filterFieldsByName", + "options": { + "include": { + "names": [ + "backup", + "backup_type", + "backupplan", + "completion_ts", + "kind", + "size", + "status", + "target" + ] + } + } + } + ], + "type": "table" + }, + { + "datasource": { + "type": "loki", + "uid": "${DS_LOKI}" + }, + "gridPos": { + "h": 18, + "w": 12, + "x": 12, + "y": 5 + }, + "id": 42, + "options": { + "dedupStrategy": "none", + "enableLogDetails": true, + "prettifyLogMessage": false, + "showCommonLabels": false, + "showLabels": false, + "showTime": true, + "sortOrder": "Descending", + "wrapLogMessage": false + }, + "targets": [ + { + "datasource": { + "type": "loki", + "uid": "${DS_LOKI}" + }, + "expr": "{transaction_type=\"Target\",transaction_resource_name=~\"$Target\",service_type=~\"$service_type\",transaction_resource_namespace=~\"$Namespace\"}", + "refId": "A" + } + ], + "title": "Target Logs ", + "type": "logs" + } + ], + "refresh": "30s", + "schemaVersion": 36, + "style": "dark", + "tags": [], + "templating": { + "list": [ + { + "current": { + "selected": false, + "text": "Prometheus", + "value": "Prometheus" + }, + "description": "prometheus datasource", + "hide": 2, + "includeAll": false, + "label": "datasource", + "multi": false, + "name": "DS_PROMETHEUS", + "options": [], + "query": "prometheus", + "refresh": 1, + "regex": "", + "skipUrlSync": false, + "type": "datasource" + }, + { + "current": { + "selected": false, + "text": "Loki", + "value": "Loki" + }, + "description": "loki datasource", + "hide": 2, + "includeAll": false, + "label": "loki datasource", + "multi": false, + "name": "DS_LOKI", + "options": [], + "query": "loki", + "refresh": 1, + "regex": "", + "skipUrlSync": false, + "type": "datasource" + }, + { + "current": {}, + "datasource": { + "uid": "${DS_PROMETHEUS}" + }, + "definition": "trilio_system_info", + "hide": 2, + "includeAll": false, + "multi": false, + "name": "Cluster", + "options": [], + "query": { + "query": "trilio_system_info", + "refId": "Prometheus-Cluster-Variable-Query" + }, + "refresh": 1, + "regex": "/.*cluster=\"([^\"]*).*/", + "skipUrlSync": false, + "sort": 0, + "tagValuesQuery": "", + "tagsQuery": "", + "type": "query", + "useTags": false + }, + { + "current": {}, + "datasource": { + "uid": "${DS_PROMETHEUS}" + }, + "definition": "trilio_system_info{cluster=~\"$Cluster\"}", + "hide": 2, + "includeAll": false, + "multi": false, + "name": "Scope", + "options": [], + "query": { + "query": "trilio_system_info{cluster=~\"$Cluster\"}", + "refId": "Prometheus-Scope-Variable-Query" + }, + "refresh": 1, + "regex": "/.*scope=\"([^\"]*).*/", + "skipUrlSync": false, + "sort": 0, + "tagValuesQuery": "", + "tagsQuery": "", + "type": "query", + "useTags": false + }, + { + "current": {}, + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "definition": "trilio_system_info{scope=~\"$Scope\",cluster=~\"$Cluster\"}", + "hide": 0, + "includeAll": false, + "label": "Install Namespace", + "multi": false, + "name": "Install_Namespace", + "options": [], + "query": { + "query": "trilio_system_info{scope=~\"$Scope\",cluster=~\"$Cluster\"}", + "refId": "Prometheus-Install_Namespace-Variable-Query" + }, + "refresh": 2, + "regex": "/.*install_namespace=\"([^\"]*).*/", + "skipUrlSync": false, + "sort": 0, + "type": "query" + }, + { + "allValue": ".*", + "current": {}, + "datasource": { + "uid": "${DS_PROMETHEUS}" + }, + "definition": "trilio_target_info{cluster=~\"$Cluster\"}", + "hide": 0, + "includeAll": false, + "label": "Target", + "multi": false, + "name": "Target", + "options": [], + "query": { + "query": "trilio_target_info{cluster=~\"$Cluster\"}", + "refId": "StandardVariableQuery" + }, + "refresh": 2, + "regex": "/.*target=\"([^\"]*).*/", + "skipUrlSync": false, + "sort": 0, + "tagValuesQuery": "", + "tagsQuery": "", + "type": "query", + "useTags": false + }, + { + "current": {}, + "datasource": { + "type": "loki", + "uid": "${DS_LOKI}" + }, + "definition": "label_values({transaction_type=\"Target\",transaction_resource_name=~\"$Target\"},transaction_resource_namespace)", + "description": "Namespace", + "hide": 0, + "includeAll": true, + "label": "Namespace", + "multi": false, + "name": "Namespace", + "options": [], + "query": "label_values({transaction_type=\"Target\",transaction_resource_name=~\"$Target\"},transaction_resource_namespace)", + "refresh": 2, + "regex": "", + "skipUrlSync": false, + "sort": 0, + "type": "query" + }, + { + "current": {}, + "datasource": { + "type": "loki", + "uid": "${DS_LOKI}" + }, + "definition": "label_values({transaction_type=\"Target\"}, service_type)", + "description": "Service Type", + "hide": 0, + "includeAll": true, + "label": "Service Type", + "multi": false, + "name": "service_type", + "options": [], + "query": "label_values({transaction_type=\"Target\"}, service_type)", + "refresh": 2, + "regex": "", + "skipUrlSync": false, + "sort": 0, + "type": "query" + } + ] + }, + "time": { + "from": "now-15m", + "to": "now" + }, + "timepicker": { + "refresh_intervals": [ + "10s", + "30s", + "1m", + "5m", + "15m", + "30m", + "1h", + "2h", + "1d" + ] + }, + "timezone": "", + "title": "Target Detail", + "uid": "TargetDetail", + "version": 1, + "weekStart": "" +} \ No newline at end of file diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/templates/NOTES.txt b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/templates/NOTES.txt new file mode 100644 index 000000000..1fc8436d9 --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/templates/NOTES.txt @@ -0,0 +1,54 @@ +1. Get your '{{ .Values.adminUser }}' user password by running: + + kubectl get secret --namespace {{ template "grafana.namespace" . }} {{ template "grafana.fullname" . }} -o jsonpath="{.data.admin-password}" | base64 --decode ; echo + +2. The Grafana server can be accessed via port {{ .Values.service.port }} on the following DNS name from within your cluster: + + {{ template "grafana.fullname" . }}.{{ template "grafana.namespace" . }}.svc.cluster.local +{{ if .Values.ingress.enabled }} + If you bind grafana to 80, please update values in values.yaml and reinstall: + ``` + securityContext: + runAsUser: 0 + runAsGroup: 0 + fsGroup: 0 + + command: + - "setcap" + - "'cap_net_bind_service=+ep'" + - "/usr/sbin/grafana-server &&" + - "sh" + - "/run.sh" + ``` + Details refer to https://grafana.com/docs/installation/configuration/#http-port. + Or grafana would always crash. + + From outside the cluster, the server URL(s) are: +{{- range .Values.ingress.hosts }} + http://{{ . }} +{{- end }} +{{ else }} + Get the Grafana URL to visit by running these commands in the same shell: +{{ if contains "NodePort" .Values.service.type -}} + export NODE_PORT=$(kubectl get --namespace {{ template "grafana.namespace" . }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "grafana.fullname" . }}) + export NODE_IP=$(kubectl get nodes --namespace {{ template "grafana.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}") + echo http://$NODE_IP:$NODE_PORT +{{ else if contains "LoadBalancer" .Values.service.type -}} + NOTE: It may take a few minutes for the LoadBalancer IP to be available. + You can watch the status of by running 'kubectl get svc --namespace {{ template "grafana.namespace" . }} -w {{ template "grafana.fullname" . }}' + export SERVICE_IP=$(kubectl get svc --namespace {{ template "grafana.namespace" . }} {{ template "grafana.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') + http://$SERVICE_IP:{{ .Values.service.port -}} +{{ else if contains "ClusterIP" .Values.service.type }} + export POD_NAME=$(kubectl get pods --namespace {{ template "grafana.namespace" . }} -l "app.kubernetes.io/name={{ template "grafana.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") + kubectl --namespace {{ template "grafana.namespace" . }} port-forward $POD_NAME 3000 +{{- end }} +{{- end }} + +3. Login with the password from step 1 and the username: {{ .Values.adminUser }} + +{{- if not .Values.persistence.enabled }} +################################################################################# +###### WARNING: Persistence is disabled!!! You will lose your data when ##### +###### the Grafana pod is terminated. ##### +################################################################################# +{{- end }} diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/templates/_helpers.tpl b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/templates/_helpers.tpl new file mode 100644 index 000000000..e3a1fff46 --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/templates/_helpers.tpl @@ -0,0 +1,165 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "grafana.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "grafana.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "grafana.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create the name of the service account +*/}} +{{- define "grafana.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} + {{ default (include "grafana.fullname" .) .Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{- define "grafana.serviceAccountNameTest" -}} +{{- if .Values.serviceAccount.create -}} + {{ default (print (include "grafana.fullname" .) "-test") .Values.serviceAccount.nameTest }} +{{- else -}} + {{ default "default" .Values.serviceAccount.nameTest }} +{{- end -}} +{{- end -}} + +{{/* +Allow the release namespace to be overridden for multi-namespace deployments in combined charts +*/}} +{{- define "grafana.namespace" -}} + {{- if .Values.namespaceOverride -}} + {{- .Values.namespaceOverride -}} + {{- else -}} + {{- .Release.Namespace -}} + {{- end -}} +{{- end -}} + +{{/* +Common labels +*/}} +{{- define "grafana.labels" -}} +helm.sh/chart: {{ include "grafana.chart" . }} +{{ include "grafana.selectorLabels" . }} +{{- if or .Chart.AppVersion .Values.image.tag }} +app.kubernetes.io/version: {{ .Values.image.tag | default .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- if .Values.extraLabels }} +{{ toYaml .Values.extraLabels }} +{{- end }} +{{- end -}} + +{{/* +Selector labels +*/}} +{{- define "grafana.selectorLabels" -}} +app.kubernetes.io/name: {{ include "grafana.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +app.kubernetes.io/managed-by: k8s-triliovault-operator +app.kubernetes.io/part-of: k8s-triliovault-operator +{{- end -}} + +{{/* +Common labels +*/}} +{{- define "grafana.imageRenderer.labels" -}} +helm.sh/chart: {{ include "grafana.chart" . }} +{{ include "grafana.imageRenderer.selectorLabels" . }} +{{- if or .Chart.AppVersion .Values.image.tag }} +app.kubernetes.io/version: {{ .Values.image.tag | default .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Selector labels ImageRenderer +*/}} +{{- define "grafana.imageRenderer.selectorLabels" -}} +app.kubernetes.io/name: {{ include "grafana.name" . }}-image-renderer +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end -}} + +{{/* +Looks if there's an existing secret and reuse its password. If not it generates +new password and use it. +*/}} +{{- define "grafana.password" -}} +{{- $secret := (lookup "v1" "Secret" (include "grafana.namespace" .) (include "grafana.fullname" .) ) -}} + {{- if $secret -}} + {{- index $secret "data" "admin-password" -}} + {{- else -}} + {{- (randAlphaNum 40) | b64enc | quote -}} + {{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for rbac. +*/}} +{{- define "grafana.rbac.apiVersion" -}} + {{- if .Capabilities.APIVersions.Has "rbac.authorization.k8s.io/v1" }} + {{- print "rbac.authorization.k8s.io/v1" -}} + {{- else -}} + {{- print "rbac.authorization.k8s.io/v1beta1" -}} + {{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for ingress. +*/}} +{{- define "grafana.ingress.apiVersion" -}} + {{- if and (.Capabilities.APIVersions.Has "networking.k8s.io/v1") (semverCompare ">= 1.19-0" .Capabilities.KubeVersion.Version) -}} + {{- print "networking.k8s.io/v1" -}} + {{- else if .Capabilities.APIVersions.Has "networking.k8s.io/v1beta1" -}} + {{- print "networking.k8s.io/v1beta1" -}} + {{- else -}} + {{- print "extensions/v1beta1" -}} + {{- end -}} +{{- end -}} + +{{/* +Return if ingress is stable. +*/}} +{{- define "grafana.ingress.isStable" -}} + {{- eq (include "grafana.ingress.apiVersion" .) "networking.k8s.io/v1" -}} +{{- end -}} + +{{/* +Return if ingress supports ingressClassName. +*/}} +{{- define "grafana.ingress.supportsIngressClassName" -}} + {{- or (eq (include "grafana.ingress.isStable" .) "true") (and (eq (include "grafana.ingress.apiVersion" .) "networking.k8s.io/v1beta1") (semverCompare ">= 1.18-0" .Capabilities.KubeVersion.Version)) -}} +{{- end -}} + +{{/* +Return if ingress supports pathType. +*/}} +{{- define "grafana.ingress.supportsPathType" -}} + {{- or (eq (include "grafana.ingress.isStable" .) "true") (and (eq (include "grafana.ingress.apiVersion" .) "networking.k8s.io/v1beta1") (semverCompare ">= 1.18-0" .Capabilities.KubeVersion.Version)) -}} +{{- end -}} diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/templates/_pod.tpl b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/templates/_pod.tpl new file mode 100644 index 000000000..af2c4036e --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/templates/_pod.tpl @@ -0,0 +1,748 @@ + +{{- define "grafana.pod" -}} +{{- if .Values.schedulerName }} +schedulerName: "{{ .Values.schedulerName }}" +{{- end }} +serviceAccountName: {{ template "grafana.serviceAccountName" . }} +automountServiceAccountToken: {{ .Values.serviceAccount.autoMount }} +{{- if .Values.securityContext }} +securityContext: +{{ toYaml .Values.securityContext | indent 2 }} +{{- end }} +{{- if .Values.hostAliases }} +hostAliases: +{{ toYaml .Values.hostAliases | indent 2 }} +{{- end }} +{{- if .Values.priorityClassName }} +priorityClassName: {{ .Values.priorityClassName }} +{{- end }} +{{- if ( or .Values.persistence.enabled .Values.dashboards .Values.sidecar.notifiers.enabled .Values.extraInitContainers (and .Values.sidecar.datasources.enabled .Values.sidecar.datasources.initDatasources)) }} +initContainers: +{{- end }} +{{- if ( and .Values.persistence.enabled .Values.initChownData.enabled ) }} + - name: init-chown-data + {{- if .Values.initChownData.image.sha }} + image: "{{ .Values.initChownData.image.registry }}/{{ .Values.initChownData.image.repository }}:{{ .Values.initChownData.image.tag }}@sha256:{{ .Values.initChownData.image.sha }}" + {{- else }} + image: "{{ .Values.initChownData.image.registry }}/{{ .Values.initChownData.image.repository }}:{{ .Values.initChownData.image.tag }}" + {{- end }} + imagePullPolicy: {{ .Values.initChownData.image.pullPolicy }} + securityContext: + runAsNonRoot: false + runAsUser: 0 + command: ["chown", "-R", "{{ .Values.securityContext.runAsUser }}:{{ .Values.securityContext.runAsGroup }}", "/var/lib/grafana"] + resources: +{{ toYaml .Values.initChownData.resources | indent 6 }} + volumeMounts: + - name: storage + mountPath: "/var/lib/grafana" +{{- if .Values.persistence.subPath }} + subPath: {{ tpl .Values.persistence.subPath . }} +{{- end }} +{{- end }} +{{- if .Values.dashboards }} + - name: download-dashboards + {{- if .Values.downloadDashboardsImage.sha }} + image: "{{ .Values.downloadDashboardsImage.registry }}/{{ .Values.downloadDashboardsImage.repository }}:{{ .Values.downloadDashboardsImage.tag }}@sha256:{{ .Values.downloadDashboardsImage.sha }}" + {{- else }} + image: "{{ .Values.downloadDashboardsImage.registry }}/{{ .Values.downloadDashboardsImage.repository }}:{{ .Values.downloadDashboardsImage.tag }}" + {{- end }} + imagePullPolicy: {{ .Values.downloadDashboardsImage.pullPolicy }} + command: ["/bin/sh"] + args: [ "-c", "mkdir -p /var/lib/grafana/dashboards/default && /bin/sh -x /etc/grafana/download_dashboards.sh" ] + resources: +{{ toYaml .Values.downloadDashboards.resources | indent 6 }} + env: +{{- range $key, $value := .Values.downloadDashboards.env }} + - name: "{{ $key }}" + value: "{{ $value }}" +{{- end }} +{{- if .Values.downloadDashboards.envFromSecret }} + envFrom: + - secretRef: + name: {{ tpl .Values.downloadDashboards.envFromSecret . }} +{{- end }} + volumeMounts: + - name: config + mountPath: "/etc/grafana/download_dashboards.sh" + subPath: download_dashboards.sh + - name: storage + mountPath: "/var/lib/grafana" +{{- if .Values.persistence.subPath }} + subPath: {{ tpl .Values.persistence.subPath . }} +{{- end }} + {{- range .Values.extraSecretMounts }} + - name: {{ .name }} + mountPath: {{ .mountPath }} + readOnly: {{ .readOnly }} + {{- end }} +{{- end }} +{{- if and .Values.sidecar.datasources.enabled .Values.sidecar.datasources.initDatasources }} + - name: {{ template "grafana.name" . }}-init-sc-datasources + {{- if .Values.sidecar.image.sha }} + image: "{{ .Values.sidecar.image.registry }}/{{ .Values.sidecar.image.repository }}:{{ .Values.sidecar.image.tag }}@sha256:{{ .Values.sidecar.image.sha }}" + {{- else }} + image: "{{ .Values.sidecar.image.registry }}/{{ .Values.sidecar.image.repository }}:{{ .Values.sidecar.image.tag }}" + {{- end }} + imagePullPolicy: {{ .Values.sidecar.imagePullPolicy }} + env: + - name: METHOD + value: "LIST" + - name: LABEL + value: "{{ .Values.sidecar.datasources.label }}" + {{- if .Values.sidecar.datasources.labelValue }} + - name: LABEL_VALUE + value: {{ quote .Values.sidecar.datasources.labelValue }} + {{- end }} + - name: FOLDER + value: "/etc/grafana/provisioning/datasources" + - name: RESOURCE + value: {{ quote .Values.sidecar.datasources.resource }} + {{- if .Values.sidecar.enableUniqueFilenames }} + - name: UNIQUE_FILENAMES + value: "{{ .Values.sidecar.enableUniqueFilenames }}" + {{- end }} + {{- if .Values.sidecar.datasources.searchNamespace }} + - name: NAMESPACE + value: "{{ .Values.sidecar.datasources.searchNamespace | join "," }}" + {{- end }} + {{- if .Values.sidecar.skipTlsVerify }} + - name: SKIP_TLS_VERIFY + value: "{{ .Values.sidecar.skipTlsVerify }}" + {{- end }} + resources: +{{ toYaml .Values.sidecar.resources | indent 6 }} +{{- if .Values.sidecar.securityContext }} + securityContext: +{{- toYaml .Values.sidecar.securityContext | nindent 6 }} +{{- end }} + volumeMounts: + - name: sc-datasources-volume + mountPath: "/etc/grafana/provisioning/datasources" +{{- end }} +{{- if .Values.sidecar.notifiers.enabled }} + - name: {{ template "grafana.name" . }}-sc-notifiers + {{- if .Values.sidecar.image.sha }} + image: "{{ .Values.sidecar.image.registry }}/{{ .Values.sidecar.image.repository }}:{{ .Values.sidecar.image.tag }}@sha256:{{ .Values.sidecar.image.sha }}" + {{- else }} + image: "{{ .Values.sidecar.image.registry }}/{{ .Values.sidecar.image.repository }}:{{ .Values.sidecar.image.tag }}" + {{- end }} + imagePullPolicy: {{ .Values.sidecar.imagePullPolicy }} + env: + - name: METHOD + value: LIST + - name: LABEL + value: "{{ .Values.sidecar.notifiers.label }}" + - name: FOLDER + value: "/etc/grafana/provisioning/notifiers" + - name: RESOURCE + value: {{ quote .Values.sidecar.notifiers.resource }} + {{- if .Values.sidecar.enableUniqueFilenames }} + - name: UNIQUE_FILENAMES + value: "{{ .Values.sidecar.enableUniqueFilenames }}" + {{- end }} + {{- if .Values.sidecar.notifiers.searchNamespace }} + - name: NAMESPACE + value: "{{ .Values.sidecar.notifiers.searchNamespace | join "," }}" + {{- end }} + {{- if .Values.sidecar.skipTlsVerify }} + - name: SKIP_TLS_VERIFY + value: "{{ .Values.sidecar.skipTlsVerify }}" + {{- end }} +{{- if .Values.sidecar.livenessProbe }} + livenessProbe: +{{ toYaml .Values.livenessProbe | indent 6 }} +{{- end }} +{{- if .Values.sidecar.readinessProbe }} + readinessProbe: +{{ toYaml .Values.readinessProbe | indent 6 }} +{{- end }} + resources: +{{ toYaml .Values.sidecar.resources | indent 6 }} +{{- if .Values.sidecar.securityContext }} + securityContext: +{{- toYaml .Values.sidecar.securityContext | nindent 6 }} +{{- end }} + volumeMounts: + - name: sc-notifiers-volume + mountPath: "/etc/grafana/provisioning/notifiers" +{{- end}} +{{- if .Values.extraInitContainers }} +{{ tpl (toYaml .Values.extraInitContainers) . | indent 2 }} +{{- end }} +{{- if .Values.image.pullSecrets }} +imagePullSecrets: +{{- $root := . }} +{{- range .Values.image.pullSecrets }} + - name: {{ tpl . $root }} +{{- end}} +{{- end }} +{{- if not .Values.enableKubeBackwardCompatibility }} +enableServiceLinks: {{ .Values.enableServiceLinks }} +{{- end }} +containers: +{{- if .Values.sidecar.dashboards.enabled }} + - name: {{ template "grafana.name" . }}-sc-dashboard + {{- if .Values.sidecar.image.sha }} + image: "{{ .Values.sidecar.image.registry }}{{ .Values.sidecar.image.repository }}:{{ .Values.sidecar.image.tag }}@sha256:{{ .Values.sidecar.image.sha }}" + {{- else }} + image: "{{ .Values.sidecar.image.registry }}/{{ .Values.sidecar.image.repository }}:{{ .Values.sidecar.image.tag }}" + {{- end }} + imagePullPolicy: {{ .Values.sidecar.imagePullPolicy }} + env: + - name: METHOD + value: {{ .Values.sidecar.dashboards.watchMethod }} + - name: LABEL + value: "{{ .Values.sidecar.dashboards.label }}" + {{- if .Values.sidecar.dashboards.labelValue }} + - name: LABEL_VALUE + value: {{ quote .Values.sidecar.dashboards.labelValue }} + {{- end }} + - name: FOLDER + value: "{{ .Values.sidecar.dashboards.folder }}{{- with .Values.sidecar.dashboards.defaultFolderName }}/{{ . }}{{- end }}" + - name: RESOURCE + value: {{ quote .Values.sidecar.dashboards.resource }} + {{- if .Values.sidecar.enableUniqueFilenames }} + - name: UNIQUE_FILENAMES + value: "{{ .Values.sidecar.enableUniqueFilenames }}" + {{- end }} + {{- if .Values.sidecar.dashboards.searchNamespace }} + - name: NAMESPACE + value: "{{ .Values.sidecar.dashboards.searchNamespace | join "," }}" + {{- end }} + {{- if .Values.sidecar.skipTlsVerify }} + - name: SKIP_TLS_VERIFY + value: "{{ .Values.sidecar.skipTlsVerify }}" + {{- end }} + {{- if .Values.sidecar.dashboards.folderAnnotation }} + - name: FOLDER_ANNOTATION + value: "{{ .Values.sidecar.dashboards.folderAnnotation }}" + {{- end }} + {{- if .Values.sidecar.dashboards.script }} + - name: SCRIPT + value: "{{ .Values.sidecar.dashboards.script }}" + {{- end }} + {{- if .Values.sidecar.dashboards.watchServerTimeout }} + - name: WATCH_SERVER_TIMEOUT + value: "{{ .Values.sidecar.dashboards.watchServerTimeout }}" + {{- end }} + {{- if .Values.sidecar.dashboards.watchClientTimeout }} + - name: WATCH_CLIENT_TIMEOUT + value: "{{ .Values.sidecar.dashboards.watchClientTimeout }}" + {{- end }} +{{- if .Values.sidecar.livenessProbe }} + livenessProbe: +{{ toYaml .Values.livenessProbe | indent 6 }} +{{- end }} +{{- if .Values.sidecar.readinessProbe }} + readinessProbe: +{{ toYaml .Values.readinessProbe | indent 6 }} +{{- end }} + resources: +{{ toYaml .Values.sidecar.resources | indent 6 }} +{{- if .Values.sidecar.securityContext }} + securityContext: +{{- toYaml .Values.sidecar.securityContext | nindent 6 }} +{{- end }} + volumeMounts: + - name: sc-dashboard-volume + mountPath: {{ .Values.sidecar.dashboards.folder | quote }} + {{- if .Values.sidecar.dashboards.extraMounts }} + {{- toYaml .Values.sidecar.dashboards.extraMounts | trim | nindent 6}} + {{- end }} +{{- end}} +{{- if .Values.sidecar.datasources.enabled }} + - name: {{ template "grafana.name" . }}-sc-datasources + {{- if .Values.sidecar.image.sha }} + image: "{{ .Values.sidecar.image.registry }}/{{ .Values.sidecar.image.repository }}:{{ .Values.sidecar.image.tag }}@sha256:{{ .Values.sidecar.image.sha }}" + {{- else }} + image: "{{ .Values.sidecar.image.registry }}/{{ .Values.sidecar.image.repository }}:{{ .Values.sidecar.image.tag }}" + {{- end }} + imagePullPolicy: {{ .Values.sidecar.imagePullPolicy }} + env: + - name: METHOD + value: {{ .Values.sidecar.datasources.watchMethod }} + - name: LABEL + value: "{{ .Values.sidecar.datasources.label }}" + {{- if .Values.sidecar.datasources.labelValue }} + - name: LABEL_VALUE + value: {{ quote .Values.sidecar.datasources.labelValue }} + {{- end }} + - name: FOLDER + value: "/etc/grafana/provisioning/datasources" + - name: RESOURCE + value: {{ quote .Values.sidecar.datasources.resource }} + {{- if .Values.sidecar.enableUniqueFilenames }} + - name: UNIQUE_FILENAMES + value: "{{ .Values.sidecar.enableUniqueFilenames }}" + {{- end }} + {{- if .Values.sidecar.datasources.searchNamespace }} + - name: NAMESPACE + value: "{{ .Values.sidecar.datasources.searchNamespace | join "," }}" + {{- end }} + {{- if .Values.sidecar.skipTlsVerify }} + - name: SKIP_TLS_VERIFY + value: "{{ .Values.sidecar.skipTlsVerify }}" + {{- end }} + {{- if and (not .Values.env.GF_SECURITY_ADMIN_USER) (not .Values.env.GF_SECURITY_DISABLE_INITIAL_ADMIN_CREATION) }} + - name: REQ_USERNAME + valueFrom: + secretKeyRef: + name: {{ (tpl .Values.admin.existingSecret .) | default (include "grafana.fullname" .) }} + key: {{ .Values.admin.userKey | default "admin-user" }} + {{- end }} + {{- if and (not .Values.env.GF_SECURITY_ADMIN_PASSWORD) (not .Values.env.GF_SECURITY_ADMIN_PASSWORD__FILE) (not .Values.env.GF_SECURITY_DISABLE_INITIAL_ADMIN_CREATION) }} + - name: REQ_PASSWORD + valueFrom: + secretKeyRef: + name: {{ (tpl .Values.admin.existingSecret .) | default (include "grafana.fullname" .) }} + key: {{ .Values.admin.passwordKey | default "admin-password" }} + {{- end }} + {{- if not .Values.sidecar.datasources.skipReload }} + - name: REQ_URL + value: {{ .Values.sidecar.datasources.reloadURL }} + - name: REQ_METHOD + value: POST + {{- end }} +{{- if .Values.sidecar.livenessProbe }} + livenessProbe: +{{ toYaml .Values.livenessProbe | indent 6 }} +{{- end }} +{{- if .Values.sidecar.readinessProbe }} + readinessProbe: +{{ toYaml .Values.readinessProbe | indent 6 }} +{{- end }} + resources: +{{ toYaml .Values.sidecar.resources | indent 6 }} +{{- if .Values.sidecar.securityContext }} + securityContext: +{{- toYaml .Values.sidecar.securityContext | nindent 6 }} +{{- end }} + volumeMounts: + - name: sc-datasources-volume + mountPath: "/etc/grafana/provisioning/datasources" +{{- end}} +{{- if .Values.sidecar.plugins.enabled }} + - name: {{ template "grafana.name" . }}-sc-plugins + {{- if .Values.sidecar.image.sha }} + image: "{{ .Values.sidecar.image.registry }}/{{ .Values.sidecar.image.repository }}:{{ .Values.sidecar.image.tag }}@sha256:{{ .Values.sidecar.image.sha }}" + {{- else }} + image: "{{ .Values.sidecar.image.registry }}/{{ .Values.sidecar.image.repository }}:{{ .Values.sidecar.image.tag }}" + {{- end }} + imagePullPolicy: {{ .Values.sidecar.imagePullPolicy }} + env: + - name: METHOD + value: {{ .Values.sidecar.plugins.watchMethod }} + - name: LABEL + value: "{{ .Values.sidecar.plugins.label }}" + {{- if .Values.sidecar.plugins.labelValue }} + - name: LABEL_VALUE + value: {{ quote .Values.sidecar.plugins.labelValue }} + {{- end }} + - name: FOLDER + value: "/etc/grafana/provisioning/plugins" + - name: RESOURCE + value: {{ quote .Values.sidecar.plugins.resource }} + {{- if .Values.sidecar.enableUniqueFilenames }} + - name: UNIQUE_FILENAMES + value: "{{ .Values.sidecar.enableUniqueFilenames }}" + {{- end }} + {{- if .Values.sidecar.plugins.searchNamespace }} + - name: NAMESPACE + value: "{{ .Values.sidecar.plugins.searchNamespace | join "," }}" + {{- end }} + {{- if .Values.sidecar.skipTlsVerify }} + - name: SKIP_TLS_VERIFY + value: "{{ .Values.sidecar.skipTlsVerify }}" + {{- end }} + {{- if and (not .Values.env.GF_SECURITY_ADMIN_USER) (not .Values.env.GF_SECURITY_DISABLE_INITIAL_ADMIN_CREATION) }} + - name: REQ_USERNAME + valueFrom: + secretKeyRef: + name: {{ (tpl .Values.admin.existingSecret .) | default (include "grafana.fullname" .) }} + key: {{ .Values.admin.userKey | default "admin-user" }} + {{- end }} + {{- if and (not .Values.env.GF_SECURITY_ADMIN_PASSWORD) (not .Values.env.GF_SECURITY_ADMIN_PASSWORD__FILE) (not .Values.env.GF_SECURITY_DISABLE_INITIAL_ADMIN_CREATION) }} + - name: REQ_PASSWORD + valueFrom: + secretKeyRef: + name: {{ (tpl .Values.admin.existingSecret .) | default (include "grafana.fullname" .) }} + key: {{ .Values.admin.passwordKey | default "admin-password" }} + {{- end }} + {{- if not .Values.sidecar.plugins.skipReload }} + - name: REQ_URL + value: {{ .Values.sidecar.plugins.reloadURL }} + - name: REQ_METHOD + value: POST + {{- end }} +{{- if .Values.sidecar.livenessProbe }} + livenessProbe: +{{ toYaml .Values.livenessProbe | indent 6 }} +{{- end }} +{{- if .Values.sidecar.readinessProbe }} + readinessProbe: +{{ toYaml .Values.readinessProbe | indent 6 }} +{{- end }} + resources: +{{ toYaml .Values.sidecar.resources | indent 6 }} +{{- if .Values.sidecar.securityContext }} + securityContext: +{{- toYaml .Values.sidecar.securityContext | nindent 6 }} +{{- end }} + volumeMounts: + - name: sc-plugins-volume + mountPath: "/etc/grafana/provisioning/plugins" +{{- end}} + - name: {{ .Chart.Name }} + {{- if .Values.image.sha }} + image: "{{ .Values.image.registry }}/{{ .Values.image.repository }}:{{ .Values.image.tag }}@sha256:{{ .Values.image.sha }}" + {{- else }} + image: "{{ .Values.image.registry }}/{{ .Values.image.repository }}:{{ .Values.image.tag }}" + {{- end }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + {{- if .Values.command }} + command: + {{- range .Values.command }} + - {{ . }} + {{- end }} + {{- end}} +{{- if .Values.containerSecurityContext }} + securityContext: +{{- toYaml .Values.containerSecurityContext | nindent 6 }} +{{- end }} + volumeMounts: + - name: config + mountPath: "/etc/grafana/grafana.ini" + subPath: grafana.ini + {{- if .Values.ldap.enabled }} + - name: ldap + mountPath: "/etc/grafana/ldap.toml" + subPath: ldap.toml + {{- end }} + {{- $root := . }} + {{- range .Values.extraConfigmapMounts }} + - name: {{ tpl .name $root }} + mountPath: {{ tpl .mountPath $root }} + subPath: {{ (tpl .subPath $root) | default "" }} + readOnly: {{ .readOnly }} + {{- end }} + - name: storage + mountPath: "/var/lib/grafana" +{{- if .Values.persistence.subPath }} + subPath: {{ tpl .Values.persistence.subPath . }} +{{- end }} +{{- if .Values.dashboards }} +{{- range $provider, $dashboards := .Values.dashboards }} +{{- range $key, $value := $dashboards }} +{{- if (or (hasKey $value "json") (hasKey $value "file")) }} + - name: dashboards-{{ $provider }} + mountPath: "/var/lib/grafana/dashboards/{{ $provider }}/{{ $key }}.json" + subPath: "{{ $key }}.json" +{{- end }} +{{- end }} +{{- end }} +{{- end -}} +{{- if .Values.dashboardsConfigMaps }} +{{- range (keys .Values.dashboardsConfigMaps | sortAlpha) }} + - name: dashboards-{{ . }} + mountPath: "/var/lib/grafana/dashboards/{{ . }}" +{{- end }} +{{- end }} +{{- if .Values.datasources }} +{{- range (keys .Values.datasources | sortAlpha) }} + - name: config + mountPath: "/etc/grafana/provisioning/datasources/{{ . }}" + subPath: {{ . | quote }} +{{- end }} +{{- end }} +{{- if .Values.notifiers }} +{{- range (keys .Values.notifiers | sortAlpha) }} + - name: config + mountPath: "/etc/grafana/provisioning/notifiers/{{ . }}" + subPath: {{ . | quote }} +{{- end }} +{{- end }} +{{- if .Values.dashboardProviders }} +{{- range (keys .Values.dashboardProviders | sortAlpha) }} + - name: config + mountPath: "/etc/grafana/provisioning/dashboards/{{ . }}" + subPath: {{ . | quote }} +{{- end }} +{{- end }} +{{- if .Values.sidecar.dashboards.enabled }} + - name: sc-dashboard-volume + mountPath: {{ .Values.sidecar.dashboards.folder | quote }} +{{ if .Values.sidecar.dashboards.SCProvider }} + - name: sc-dashboard-provider + mountPath: "/etc/grafana/provisioning/dashboards/sc-dashboardproviders.yaml" + subPath: provider.yaml +{{- end}} +{{- end}} +{{- if .Values.sidecar.datasources.enabled }} + - name: sc-datasources-volume + mountPath: "/etc/grafana/provisioning/datasources" +{{- end}} +{{- if .Values.sidecar.plugins.enabled }} + - name: sc-plugins-volume + mountPath: "/etc/grafana/provisioning/plugins" +{{- end}} +{{- if .Values.sidecar.notifiers.enabled }} + - name: sc-notifiers-volume + mountPath: "/etc/grafana/provisioning/notifiers" +{{- end}} + {{- range .Values.extraSecretMounts }} + - name: {{ .name }} + mountPath: {{ .mountPath }} + readOnly: {{ .readOnly }} + subPath: {{ .subPath | default "" }} + {{- end }} + {{- range .Values.extraVolumeMounts }} + - name: {{ .name }} + mountPath: {{ .mountPath }} + subPath: {{ .subPath | default "" }} + readOnly: {{ .readOnly }} + {{- end }} + {{- range .Values.extraEmptyDirMounts }} + - name: {{ .name }} + mountPath: {{ .mountPath }} + {{- end }} + ports: + - name: {{ .Values.service.portName }} + containerPort: {{ .Values.service.port }} + protocol: TCP + - name: {{ .Values.podPortName }} + containerPort: 3000 + protocol: TCP + env: + {{- if and (not .Values.env.GF_SECURITY_ADMIN_USER) (not .Values.env.GF_SECURITY_DISABLE_INITIAL_ADMIN_CREATION) }} + - name: GF_SECURITY_ADMIN_USER + valueFrom: + secretKeyRef: + name: {{ (tpl .Values.admin.existingSecret .) | default (include "grafana.fullname" .) }} + key: {{ .Values.admin.userKey | default "admin-user" }} + {{- end }} + {{- if and (not .Values.env.GF_SECURITY_ADMIN_PASSWORD) (not .Values.env.GF_SECURITY_ADMIN_PASSWORD__FILE) (not .Values.env.GF_SECURITY_DISABLE_INITIAL_ADMIN_CREATION) }} + - name: GF_SECURITY_ADMIN_PASSWORD + valueFrom: + secretKeyRef: + name: {{ (tpl .Values.admin.existingSecret .) | default (include "grafana.fullname" .) }} + key: {{ .Values.admin.passwordKey | default "admin-password" }} + {{- end }} + {{- if .Values.plugins }} + - name: GF_INSTALL_PLUGINS + valueFrom: + configMapKeyRef: + name: {{ template "grafana.fullname" . }} + key: plugins + {{- end }} + {{- if .Values.smtp.existingSecret }} + - name: GF_SMTP_USER + valueFrom: + secretKeyRef: + name: {{ .Values.smtp.existingSecret }} + key: {{ .Values.smtp.userKey | default "user" }} + - name: GF_SMTP_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.smtp.existingSecret }} + key: {{ .Values.smtp.passwordKey | default "password" }} + {{- end }} + {{- if .Values.imageRenderer.enabled }} + - name: GF_RENDERING_SERVER_URL + value: http://{{ template "grafana.fullname" . }}-image-renderer.{{ template "grafana.namespace" . }}:{{ .Values.imageRenderer.service.port }}/render + - name: GF_RENDERING_CALLBACK_URL + value: {{ .Values.imageRenderer.grafanaProtocol }}://{{ template "grafana.fullname" . }}.{{ template "grafana.namespace" . }}:{{ .Values.service.port }}/{{ .Values.imageRenderer.grafanaSubPath }} + {{- end }} + - name: GF_PATHS_DATA + value: {{ (get .Values "grafana.ini").paths.data }} + - name: GF_PATHS_LOGS + value: {{ (get .Values "grafana.ini").paths.logs }} + - name: GF_PATHS_PLUGINS + value: {{ (get .Values "grafana.ini").paths.plugins }} + - name: GF_PATHS_PROVISIONING + value: {{ (get .Values "grafana.ini").paths.provisioning }} + {{- range $key, $value := .Values.envValueFrom }} + - name: {{ $key | quote }} + valueFrom: +{{ tpl (toYaml $value) $ | indent 10 }} + {{- end }} +{{- range $key, $value := .Values.env }} + - name: "{{ tpl $key $ }}" + value: "{{ tpl (print $value) $ }}" +{{- end }} + {{- if or .Values.envFromSecret (or .Values.envRenderSecret .Values.envFromSecrets) .Values.envFromConfigMaps }} + envFrom: + {{- if .Values.envFromSecret }} + - secretRef: + name: {{ tpl .Values.envFromSecret . }} + {{- end }} + {{- if .Values.envRenderSecret }} + - secretRef: + name: {{ template "grafana.fullname" . }}-env + {{- end }} + {{- range .Values.envFromSecrets }} + - secretRef: + name: {{ tpl .name $ }} + optional: {{ .optional | default false }} + {{- end }} + {{- range .Values.envFromConfigMaps }} + - configMapRef: + name: {{ tpl .name $ }} + optional: {{ .optional | default false }} + {{- end }} + {{- end }} + livenessProbe: +{{ toYaml .Values.livenessProbe | indent 6 }} + readinessProbe: +{{ toYaml .Values.readinessProbe | indent 6 }} +{{- if .Values.lifecycleHooks }} + lifecycle: {{ tpl (.Values.lifecycleHooks | toYaml) . | nindent 6 }} +{{- end }} + resources: +{{ toYaml .Values.resources | indent 6 }} +{{- with .Values.extraContainers }} +{{ tpl . $ | indent 2 }} +{{- end }} +{{- with .Values.nodeSelector }} +nodeSelector: +{{ toYaml . | indent 2 }} +{{- end }} +{{- $root := . }} +{{- with .Values.affinity }} +affinity: +{{ tpl (toYaml .) $root | indent 2 }} +{{- end }} +{{- with .Values.tolerations }} +tolerations: +{{ toYaml . | indent 2 }} +{{- end }} +volumes: + - name: config + configMap: + name: {{ template "grafana.fullname" . }} +{{- $root := . }} +{{- range .Values.extraConfigmapMounts }} + - name: {{ tpl .name $root }} + configMap: + name: {{ tpl .configMap $root }} +{{- end }} + {{- if .Values.dashboards }} + {{- range (keys .Values.dashboards | sortAlpha) }} + - name: dashboards-{{ . }} + configMap: + name: {{ template "grafana.fullname" $ }}-dashboards-{{ . }} + {{- end }} + {{- end }} + {{- if .Values.dashboardsConfigMaps }} + {{ $root := . }} + {{- range $provider, $name := .Values.dashboardsConfigMaps }} + - name: dashboards-{{ $provider }} + configMap: + name: {{ tpl $name $root }} + {{- end }} + {{- end }} + {{- if .Values.ldap.enabled }} + - name: ldap + secret: + {{- if .Values.ldap.existingSecret }} + secretName: {{ .Values.ldap.existingSecret }} + {{- else }} + secretName: {{ template "grafana.fullname" . }} + {{- end }} + items: + - key: ldap-toml + path: ldap.toml + {{- end }} +{{- if and .Values.persistence.enabled (eq .Values.persistence.type "pvc") }} + - name: storage + persistentVolumeClaim: + claimName: {{ tpl (.Values.persistence.existingClaim | default (include "grafana.fullname" .)) . }} +{{- else if and .Values.persistence.enabled (eq .Values.persistence.type "statefulset") }} +# nothing +{{- else }} + - name: storage +{{- if .Values.persistence.inMemory.enabled }} + emptyDir: + medium: Memory +{{- if .Values.persistence.inMemory.sizeLimit }} + sizeLimit: {{ .Values.persistence.inMemory.sizeLimit }} +{{- end -}} +{{- else }} + emptyDir: {} +{{- end -}} +{{- end -}} +{{- if .Values.sidecar.dashboards.enabled }} + - name: sc-dashboard-volume +{{- if .Values.sidecar.dashboards.sizeLimit }} + emptyDir: + sizeLimit: {{ .Values.sidecar.dashboards.sizeLimit }} +{{- else }} + emptyDir: {} +{{- end -}} +{{- if .Values.sidecar.dashboards.SCProvider }} + - name: sc-dashboard-provider + configMap: + name: {{ template "grafana.fullname" . }}-config-dashboards +{{- end }} +{{- end }} +{{- if .Values.sidecar.datasources.enabled }} + - name: sc-datasources-volume +{{- if .Values.sidecar.datasources.sizeLimit }} + emptyDir: + sizeLimit: {{ .Values.sidecar.datasources.sizeLimit }} +{{- else }} + emptyDir: {} +{{- end -}} +{{- end -}} +{{- if .Values.sidecar.plugins.enabled }} + - name: sc-plugins-volume +{{- if .Values.sidecar.plugins.sizeLimit }} + emptyDir: + sizeLimit: {{ .Values.sidecar.plugins.sizeLimit }} +{{- else }} + emptyDir: {} +{{- end -}} +{{- end -}} +{{- if .Values.sidecar.notifiers.enabled }} + - name: sc-notifiers-volume +{{- if .Values.sidecar.notifiers.sizeLimit }} + emptyDir: + sizeLimit: {{ .Values.sidecar.notifiers.sizeLimit }} +{{- else }} + emptyDir: {} +{{- end -}} +{{- end -}} +{{- range .Values.extraSecretMounts }} +{{- if .secretName }} + - name: {{ .name }} + secret: + secretName: {{ .secretName }} + defaultMode: {{ .defaultMode }} +{{- else if .projected }} + - name: {{ .name }} + projected: {{- toYaml .projected | nindent 6 }} +{{- else if .csi }} + - name: {{ .name }} + csi: {{- toYaml .csi | nindent 6 }} +{{- end }} +{{- end }} +{{- range .Values.extraVolumeMounts }} + - name: {{ .name }} + {{- if .existingClaim }} + persistentVolumeClaim: + claimName: {{ .existingClaim }} + {{- else if .hostPath }} + hostPath: + path: {{ .hostPath }} + {{- else }} + emptyDir: {} + {{- end }} +{{- end }} +{{- range .Values.extraEmptyDirMounts }} + - name: {{ .name }} + emptyDir: {} +{{- end -}} +{{- if .Values.extraContainerVolumes }} +{{ toYaml .Values.extraContainerVolumes | indent 2 }} +{{- end }} +{{- end }} diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/templates/clusterrole.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/templates/clusterrole.yaml new file mode 100644 index 000000000..f09e06563 --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/templates/clusterrole.yaml @@ -0,0 +1,25 @@ +{{- if and .Values.rbac.create (not .Values.rbac.namespaced) (not .Values.rbac.useExistingRole) }} +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + labels: + {{- include "grafana.labels" . | nindent 4 }} +{{- with .Values.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} + name: {{ template "grafana.fullname" . }}-clusterrole +{{- if or .Values.sidecar.dashboards.enabled (or .Values.sidecar.datasources.enabled .Values.rbac.extraClusterRoleRules) }} +rules: +{{- if or .Values.sidecar.dashboards.enabled .Values.sidecar.datasources.enabled }} +- apiGroups: [""] # "" indicates the core API group + resources: ["configmaps", "secrets"] + verbs: ["get", "watch", "list"] +{{- end}} +{{- with .Values.rbac.extraClusterRoleRules }} +{{ toYaml . | indent 0 }} +{{- end}} +{{- else }} +rules: [] +{{- end}} +{{- end}} diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/templates/clusterrolebinding.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/templates/clusterrolebinding.yaml new file mode 100644 index 000000000..4accbfac0 --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/templates/clusterrolebinding.yaml @@ -0,0 +1,24 @@ +{{- if and .Values.rbac.create (not .Values.rbac.namespaced) }} +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ template "grafana.fullname" . }}-clusterrolebinding + labels: + {{- include "grafana.labels" . | nindent 4 }} +{{- with .Values.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} +subjects: + - kind: ServiceAccount + name: {{ template "grafana.serviceAccountName" . }} + namespace: {{ template "grafana.namespace" . }} +roleRef: + kind: ClusterRole +{{- if (not .Values.rbac.useExistingRole) }} + name: {{ template "grafana.fullname" . }}-clusterrole +{{- else }} + name: {{ .Values.rbac.useExistingRole }} +{{- end }} + apiGroup: rbac.authorization.k8s.io +{{- end -}} diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/templates/configmap-dashboard-provider.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/templates/configmap-dashboard-provider.yaml new file mode 100644 index 000000000..65d73858e --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/templates/configmap-dashboard-provider.yaml @@ -0,0 +1,29 @@ +{{- if .Values.sidecar.dashboards.enabled }} +apiVersion: v1 +kind: ConfigMap +metadata: + labels: + {{- include "grafana.labels" . | nindent 4 }} +{{- with .Values.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} + name: {{ template "grafana.fullname" . }}-config-dashboards + namespace: {{ template "grafana.namespace" . }} +data: + provider.yaml: |- + apiVersion: 1 + providers: + - name: '{{ .Values.sidecar.dashboards.provider.name }}' + orgId: {{ .Values.sidecar.dashboards.provider.orgid }} + {{- if not .Values.sidecar.dashboards.provider.foldersFromFilesStructure }} + folder: '{{ .Values.sidecar.dashboards.provider.folder }}' + {{- end}} + type: {{ .Values.sidecar.dashboards.provider.type }} + disableDeletion: {{ .Values.sidecar.dashboards.provider.disableDelete }} + allowUiUpdates: {{ .Values.sidecar.dashboards.provider.allowUiUpdates }} + updateIntervalSeconds: {{ .Values.sidecar.dashboards.provider.updateIntervalSeconds | default 30 }} + options: + foldersFromFilesStructure: {{ .Values.sidecar.dashboards.provider.foldersFromFilesStructure }} + path: {{ .Values.sidecar.dashboards.folder }}{{- with .Values.sidecar.dashboards.defaultFolderName }}/{{ . }}{{- end }} +{{- end}} diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/templates/configmap.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/templates/configmap.yaml new file mode 100644 index 000000000..401e2aaa6 --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/templates/configmap.yaml @@ -0,0 +1,88 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "grafana.fullname" . }} + namespace: {{ template "grafana.namespace" . }} + labels: + {{- include "grafana.labels" . | nindent 4 }} +{{- with .Values.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} +data: +{{- if .Values.plugins }} + plugins: {{ join "," .Values.plugins }} +{{- end }} + grafana.ini: | +{{- range $key, $value := index .Values "grafana.ini" }} + [{{ $key }}] + {{- range $elem, $elemVal := $value }} + {{- if kindIs "invalid" $elemVal }} + {{ $elem }} = + {{- else if kindIs "string" $elemVal }} + {{ $elem }} = {{ tpl $elemVal $ }} + {{- else }} + {{ $elem }} = {{ $elemVal }} + {{- end }} + {{- end }} +{{- end }} + +{{- if .Values.datasources }} +{{ $root := . }} + {{- range $key, $value := .Values.datasources }} + {{ $key }}: | +{{ tpl (toYaml $value | indent 4) $root }} + {{- end -}} +{{- end -}} + +{{- if .Values.notifiers }} + {{- range $key, $value := .Values.notifiers }} + {{ $key }}: | +{{ toYaml $value | indent 4 }} + {{- end -}} +{{- end -}} + +{{- if .Values.dashboardProviders }} + {{- range $key, $value := .Values.dashboardProviders }} + {{ $key }}: | +{{ toYaml $value | indent 4 }} + {{- end -}} +{{- end -}} + +{{- if .Values.dashboards }} + download_dashboards.sh: | + #!/usr/bin/env sh + set -euf + {{- if .Values.dashboardProviders }} + {{- range $key, $value := .Values.dashboardProviders }} + {{- range $value.providers }} + mkdir -p {{ .options.path }} + {{- end }} + {{- end }} + {{- end }} + {{ $dashboardProviders := .Values.dashboardProviders }} + {{- range $provider, $dashboards := .Values.dashboards }} + {{- range $key, $value := $dashboards }} + {{- if (or (hasKey $value "gnetId") (hasKey $value "url")) }} + curl -skf \ + --connect-timeout 60 \ + --max-time 60 \ + {{- if not $value.b64content }} + -H "Accept: application/json" \ + {{- if $value.token }} + -H "Authorization: token {{ $value.token }}" \ + {{- end }} + -H "Content-Type: application/json;charset=UTF-8" \ + {{ end }} + {{- $dpPath := "" -}} + {{- range $kd := (index $dashboardProviders "dashboardproviders.yaml").providers -}} + {{- if eq $kd.name $provider -}} + {{- $dpPath = $kd.options.path -}} + {{- end -}} + {{- end -}} + {{- if $value.url -}}"{{ $value.url }}"{{- else -}}"https://grafana.com/api/dashboards/{{ $value.gnetId }}/revisions/{{- if $value.revision -}}{{ $value.revision }}{{- else -}}1{{- end -}}/download"{{- end -}}{{ if $value.datasource }} | sed '/-- .* --/! s/"datasource":.*,/"datasource": "{{ $value.datasource }}",/g'{{ end }}{{- if $value.b64content -}} | base64 -d {{- end -}} \ + > "{{- if $dpPath -}}{{ $dpPath }}{{- else -}}/var/lib/grafana/dashboards/{{ $provider }}{{- end -}}/{{ $key }}.json" + {{- end }} + {{- end -}} + {{- end }} +{{- end }} diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/templates/dashboards-json-configmap.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/templates/dashboards-json-configmap.yaml new file mode 100644 index 000000000..24212b736 --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/templates/dashboards-json-configmap.yaml @@ -0,0 +1,36 @@ +{{- if .Values.dashboards }} +{{ $files := .Files }} +{{- range $provider, $dashboards := .Values.dashboards }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "grafana.fullname" $ }}-dashboards-{{ $provider }} + namespace: {{ template "grafana.namespace" $ }} + labels: + {{- include "grafana.labels" $ | nindent 4 }} + dashboard-provider: {{ $provider }} + grafana_dashboard: tvm +{{- if $dashboards }} +data: +{{- $dashboardFound := false }} +{{- range $key, $value := $dashboards }} +{{- if (or (hasKey $value "json") (hasKey $value "file")) }} +{{- $dashboardFound = true }} +{{ print $key | indent 2 }}.json: +{{- if hasKey $value "json" }} + |- +{{ $value.json | indent 6 }} +{{- end }} +{{- if hasKey $value "file" }} +{{ toYaml ( $files.Get $value.file ) | indent 4}} +{{- end }} +{{- end }} +{{- end }} +{{- if not $dashboardFound }} + {} +{{- end }} +{{- end }} +--- +{{- end }} + +{{- end }} diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/templates/deployment.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/templates/deployment.yaml new file mode 100644 index 000000000..8dbe5e107 --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/templates/deployment.yaml @@ -0,0 +1,50 @@ +{{ if (or (not .Values.persistence.enabled) (eq .Values.persistence.type "pvc")) }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "grafana.fullname" . }} + namespace: {{ template "grafana.namespace" . }} + labels: + {{- include "grafana.labels" . | nindent 4 }} +{{- if .Values.labels }} +{{ toYaml .Values.labels | indent 4 }} +{{- end }} +{{- with .Values.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} +spec: + {{- if and (not .Values.autoscaling.enabled) (.Values.replicas) }} + replicas: {{ .Values.replicas }} + {{- end }} + revisionHistoryLimit: {{ .Values.revisionHistoryLimit }} + selector: + matchLabels: + {{- include "grafana.selectorLabels" . | nindent 6 }} +{{- with .Values.deploymentStrategy }} + strategy: +{{ toYaml . | trim | indent 4 }} +{{- end }} + template: + metadata: + labels: + {{- include "grafana.selectorLabels" . | nindent 8 }} +{{- with .Values.podLabels }} +{{ toYaml . | indent 8 }} +{{- end }} + annotations: + checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + checksum/dashboards-json-config: {{ include (print $.Template.BasePath "/dashboards-json-configmap.yaml") . | sha256sum }} + checksum/sc-dashboard-provider-config: {{ include (print $.Template.BasePath "/configmap-dashboard-provider.yaml") . | sha256sum }} +{{- if and (or (and (not .Values.admin.existingSecret) (not .Values.env.GF_SECURITY_ADMIN_PASSWORD__FILE) (not .Values.env.GF_SECURITY_ADMIN_PASSWORD)) (and .Values.ldap.enabled (not .Values.ldap.existingSecret))) (not .Values.env.GF_SECURITY_DISABLE_INITIAL_ADMIN_CREATION) }} + checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }} +{{- end }} +{{- if .Values.envRenderSecret }} + checksum/secret-env: {{ include (print $.Template.BasePath "/secret-env.yaml") . | sha256sum }} +{{- end }} +{{- with .Values.podAnnotations }} +{{ toYaml . | indent 8 }} +{{- end }} + spec: + {{- include "grafana.pod" . | nindent 6 }} +{{- end }} diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/templates/extra-manifests.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/templates/extra-manifests.yaml new file mode 100644 index 000000000..a9bb3b6ba --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/templates/extra-manifests.yaml @@ -0,0 +1,4 @@ +{{ range .Values.extraObjects }} +--- +{{ tpl (toYaml .) $ }} +{{ end }} diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/templates/headless-service.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/templates/headless-service.yaml new file mode 100644 index 000000000..1df42e967 --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/templates/headless-service.yaml @@ -0,0 +1,22 @@ +{{- if or .Values.headlessService (and .Values.persistence.enabled (not .Values.persistence.existingClaim) (eq .Values.persistence.type "statefulset"))}} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "grafana.fullname" . }}-headless + namespace: {{ template "grafana.namespace" . }} + labels: + {{- include "grafana.labels" . | nindent 4 }} +{{- with .Values.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} +spec: + clusterIP: None + selector: + {{- include "grafana.selectorLabels" . | nindent 4 }} + type: ClusterIP + ports: + - protocol: TCP + port: 3000 + targetPort: 3000 +{{- end }} diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/templates/hpa.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/templates/hpa.yaml new file mode 100644 index 000000000..9c186d74a --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/templates/hpa.yaml @@ -0,0 +1,20 @@ +{{- if .Values.autoscaling.enabled }} +apiVersion: autoscaling/v2beta1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ template "grafana.fullname" . }} + labels: + app.kubernetes.io/name: {{ template "grafana.name" . }} + helm.sh/chart: {{ template "grafana.chart" . }} + app.kubernetes.io/managed-by: {{ .Release.Service }} + app.kubernetes.io/instance: {{ .Release.Name }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ template "grafana.fullname" . }} + minReplicas: {{ .Values.autoscaling.minReplicas }} + maxReplicas: {{ .Values.autoscaling.maxReplicas }} + metrics: +{{ toYaml .Values.autoscaling.metrics | indent 4 }} +{{- end }} diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/templates/image-renderer-deployment.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/templates/image-renderer-deployment.yaml new file mode 100644 index 000000000..acf262e9d --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/templates/image-renderer-deployment.yaml @@ -0,0 +1,121 @@ +{{ if .Values.imageRenderer.enabled }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "grafana.fullname" . }}-image-renderer + namespace: {{ template "grafana.namespace" . }} + labels: + {{- include "grafana.imageRenderer.labels" . | nindent 4 }} +{{- if .Values.imageRenderer.labels }} +{{ toYaml .Values.imageRenderer.labels | indent 4 }} +{{- end }} +{{- with .Values.imageRenderer.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} +spec: + replicas: {{ .Values.imageRenderer.replicas }} + revisionHistoryLimit: {{ .Values.imageRenderer.revisionHistoryLimit }} + selector: + matchLabels: + {{- include "grafana.imageRenderer.selectorLabels" . | nindent 6 }} +{{- with .Values.imageRenderer.deploymentStrategy }} + strategy: +{{ toYaml . | trim | indent 4 }} +{{- end }} + template: + metadata: + labels: + {{- include "grafana.imageRenderer.selectorLabels" . | nindent 8 }} +{{- with .Values.imageRenderer.podLabels }} +{{ toYaml . | indent 8 }} +{{- end }} + annotations: + checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} +{{- with .Values.imageRenderer.podAnnotations }} +{{ toYaml . | indent 8 }} +{{- end }} + spec: + + {{- if .Values.imageRenderer.schedulerName }} + schedulerName: "{{ .Values.imageRenderer.schedulerName }}" + {{- end }} + {{- if .Values.imageRenderer.serviceAccountName }} + serviceAccountName: "{{ .Values.imageRenderer.serviceAccountName }}" + {{- end }} + {{- if .Values.imageRenderer.securityContext }} + securityContext: + {{- toYaml .Values.imageRenderer.securityContext | nindent 8 }} + {{- end }} + {{- if .Values.imageRenderer.hostAliases }} + hostAliases: + {{- toYaml .Values.imageRenderer.hostAliases | nindent 8 }} + {{- end }} + {{- if .Values.imageRenderer.priorityClassName }} + priorityClassName: {{ .Values.imageRenderer.priorityClassName }} + {{- end }} + {{- if .Values.imageRenderer.image.pullSecrets }} + imagePullSecrets: + {{- $root := . }} + {{- range .Values.imageRenderer.image.pullSecrets }} + - name: {{ tpl . $root }} + {{- end}} + {{- end }} + containers: + - name: {{ .Chart.Name }}-image-renderer + {{- if .Values.imageRenderer.image.sha }} + image: "{{ .Values.imageRenderer.image.registry }}/{{ .Values.imageRenderer.image.repository }}:{{ .Values.imageRenderer.image.tag }}@sha256:{{ .Values.imageRenderer.image.sha }}" + {{- else }} + image: "{{ .Values.imageRenderer.image.registry }}/{{ .Values.imageRenderer.image.repository }}:{{ .Values.imageRenderer.image.tag }}" + {{- end }} + imagePullPolicy: {{ .Values.imageRenderer.image.pullPolicy }} + {{- if .Values.imageRenderer.command }} + command: + {{- range .Values.imageRenderer.command }} + - {{ . }} + {{- end }} + {{- end}} + ports: + - name: {{ .Values.imageRenderer.service.portName }} + containerPort: {{ .Values.imageRenderer.service.port }} + protocol: TCP + livenessProbe: + httpGet: + path: / + port: {{ .Values.imageRenderer.service.portName }} + env: + - name: HTTP_PORT + value: {{ .Values.imageRenderer.service.port | quote }} + {{- range $key, $value := .Values.imageRenderer.env }} + - name: {{ $key | quote }} + value: {{ $value | quote }} + {{- end }} + securityContext: + capabilities: + drop: ['all'] + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + volumeMounts: + - mountPath: /tmp + name: image-renderer-tmpfs + {{- with .Values.imageRenderer.resources }} + resources: +{{ toYaml . | indent 12 }} + {{- end }} + {{- with .Values.imageRenderer.nodeSelector }} + nodeSelector: +{{ toYaml . | indent 8 }} + {{- end }} + {{- $root := . }} + {{- with .Values.imageRenderer.affinity }} + affinity: +{{ tpl (toYaml .) $root | indent 8 }} + {{- end }} + {{- with .Values.imageRenderer.tolerations }} + tolerations: +{{ toYaml . | indent 8 }} + {{- end }} + volumes: + - name: image-renderer-tmpfs + emptyDir: {} +{{- end }} diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/templates/image-renderer-network-policy.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/templates/image-renderer-network-policy.yaml new file mode 100644 index 000000000..f8ca73aab --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/templates/image-renderer-network-policy.yaml @@ -0,0 +1,76 @@ +{{- if and (.Values.imageRenderer.enabled) (.Values.imageRenderer.networkPolicy.limitIngress) }} +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ template "grafana.fullname" . }}-image-renderer-ingress + namespace: {{ template "grafana.namespace" . }} + annotations: + comment: Limit image-renderer ingress traffic from grafana +spec: + podSelector: + matchLabels: + {{- include "grafana.imageRenderer.selectorLabels" . | nindent 6 }} + {{- if .Values.imageRenderer.podLabels }} + {{ toYaml .Values.imageRenderer.podLabels | nindent 6 }} + {{- end }} + + policyTypes: + - Ingress + ingress: + - ports: + - port: {{ .Values.imageRenderer.service.port }} + protocol: TCP + from: + - namespaceSelector: + matchLabels: + name: {{ template "grafana.namespace" . }} + podSelector: + matchLabels: + {{- include "grafana.selectorLabels" . | nindent 14 }} + {{- if .Values.podLabels }} + {{ toYaml .Values.podLabels | nindent 14 }} + {{- end }} +{{ end }} + +{{- if and (.Values.imageRenderer.enabled) (.Values.imageRenderer.networkPolicy.limitEgress) }} +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ template "grafana.fullname" . }}-image-renderer-egress + namespace: {{ template "grafana.namespace" . }} + annotations: + comment: Limit image-renderer egress traffic to grafana +spec: + podSelector: + matchLabels: + {{- include "grafana.imageRenderer.selectorLabels" . | nindent 6 }} + {{- if .Values.imageRenderer.podLabels }} + {{ toYaml .Values.imageRenderer.podLabels | nindent 6 }} + {{- end }} + + policyTypes: + - Egress + egress: + # allow dns resolution + - ports: + - port: 53 + protocol: UDP + - port: 53 + protocol: TCP + # talk only to grafana + - ports: + - port: {{ .Values.service.port }} + protocol: TCP + to: + - namespaceSelector: + matchLabels: + name: {{ template "grafana.namespace" . }} + podSelector: + matchLabels: + {{- include "grafana.selectorLabels" . | nindent 14 }} + {{- if .Values.podLabels }} + {{ toYaml .Values.podLabels | nindent 14 }} + {{- end }} +{{ end }} diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/templates/image-renderer-service.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/templates/image-renderer-service.yaml new file mode 100644 index 000000000..f29586c3a --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/templates/image-renderer-service.yaml @@ -0,0 +1,30 @@ +{{ if .Values.imageRenderer.enabled }} +{{ if .Values.imageRenderer.service.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "grafana.fullname" . }}-image-renderer + namespace: {{ template "grafana.namespace" . }} + labels: + {{- include "grafana.imageRenderer.labels" . | nindent 4 }} +{{- if .Values.imageRenderer.service.labels }} +{{ toYaml .Values.imageRenderer.service.labels | indent 4 }} +{{- end }} +{{- with .Values.imageRenderer.service.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} +spec: + type: ClusterIP + {{- if .Values.imageRenderer.service.clusterIP }} + clusterIP: {{ .Values.imageRenderer.service.clusterIP }} + {{end}} + ports: + - name: {{ .Values.imageRenderer.service.portName }} + port: {{ .Values.imageRenderer.service.port }} + protocol: TCP + targetPort: {{ .Values.imageRenderer.service.targetPort }} + selector: + {{- include "grafana.imageRenderer.selectorLabels" . | nindent 4 }} +{{ end }} +{{ end }} diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/templates/ingress.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/templates/ingress.yaml new file mode 100644 index 000000000..7699cecaa --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/templates/ingress.yaml @@ -0,0 +1,78 @@ +{{- if .Values.ingress.enabled -}} +{{- $ingressApiIsStable := eq (include "grafana.ingress.isStable" .) "true" -}} +{{- $ingressSupportsIngressClassName := eq (include "grafana.ingress.supportsIngressClassName" .) "true" -}} +{{- $ingressSupportsPathType := eq (include "grafana.ingress.supportsPathType" .) "true" -}} +{{- $fullName := include "grafana.fullname" . -}} +{{- $servicePort := .Values.service.port -}} +{{- $ingressPath := .Values.ingress.path -}} +{{- $ingressPathType := .Values.ingress.pathType -}} +{{- $extraPaths := .Values.ingress.extraPaths -}} +apiVersion: {{ include "grafana.ingress.apiVersion" . }} +kind: Ingress +metadata: + name: {{ $fullName }} + namespace: {{ template "grafana.namespace" . }} + labels: + {{- include "grafana.labels" . | nindent 4 }} +{{- if .Values.ingress.labels }} +{{ toYaml .Values.ingress.labels | indent 4 }} +{{- end }} + {{- if .Values.ingress.annotations }} + annotations: + {{- range $key, $value := .Values.ingress.annotations }} + {{ $key }}: {{ tpl $value $ | quote }} + {{- end }} + {{- end }} +spec: + {{- if and $ingressSupportsIngressClassName .Values.ingress.ingressClassName }} + ingressClassName: {{ .Values.ingress.ingressClassName }} + {{- end -}} +{{- if .Values.ingress.tls }} + tls: +{{ tpl (toYaml .Values.ingress.tls) $ | indent 4 }} +{{- end }} + rules: + {{- if .Values.ingress.hosts }} + {{- range .Values.ingress.hosts }} + - host: {{ tpl . $}} + http: + paths: +{{- if $extraPaths }} +{{ toYaml $extraPaths | indent 10 }} +{{- end }} + - path: {{ $ingressPath }} + {{- if $ingressSupportsPathType }} + pathType: {{ $ingressPathType }} + {{- end }} + backend: + {{- if $ingressApiIsStable }} + service: + name: {{ $fullName }} + port: + number: {{ $servicePort }} + {{- else }} + serviceName: {{ $fullName }} + servicePort: {{ $servicePort }} + {{- end }} + {{- end }} + {{- else }} + - http: + paths: + - backend: + {{- if $ingressApiIsStable }} + service: + name: {{ $fullName }} + port: + number: {{ $servicePort }} + {{- else }} + serviceName: {{ $fullName }} + servicePort: {{ $servicePort }} + {{- end }} + {{- if $ingressPath }} + path: {{ $ingressPath }} + {{- end }} + {{- if $ingressSupportsPathType }} + pathType: {{ $ingressPathType }} + {{- end }} + {{- end -}} +{{- end }} diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/templates/networkpolicy.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/templates/networkpolicy.yaml new file mode 100644 index 000000000..fc243828e --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/templates/networkpolicy.yaml @@ -0,0 +1,37 @@ +{{- if .Values.networkPolicy.enabled }} +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ template "grafana.fullname" . }} + namespace: {{ template "grafana.namespace" . }} + labels: + {{- include "grafana.labels" . | nindent 4 }} +{{- if .Values.labels }} +{{ toYaml .Values.labels | indent 4 }} +{{- end }} +{{- with .Values.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} +spec: + podSelector: + matchLabels: + {{- include "grafana.selectorLabels" . | nindent 6 }} + ingress: + - ports: + - port: {{ .Values.service.targetPort }} + {{- if not .Values.networkPolicy.allowExternal }} + from: + - podSelector: + matchLabels: + {{ template "grafana.fullname" . }}-client: "true" + {{- if .Values.networkPolicy.explicitNamespacesSelector }} + namespaceSelector: + {{ toYaml .Values.networkPolicy.explicitNamespacesSelector | indent 12 }} + {{- end }} + - podSelector: + matchLabels: + {{- include "grafana.labels" . | nindent 14 }} + role: read + {{- end }} +{{- end }} diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/templates/poddisruptionbudget.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/templates/poddisruptionbudget.yaml new file mode 100644 index 000000000..61813a436 --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/templates/poddisruptionbudget.yaml @@ -0,0 +1,22 @@ +{{- if .Values.podDisruptionBudget }} +apiVersion: policy/v1beta1 +kind: PodDisruptionBudget +metadata: + name: {{ template "grafana.fullname" . }} + namespace: {{ template "grafana.namespace" . }} + labels: + {{- include "grafana.labels" . | nindent 4 }} +{{- if .Values.labels }} +{{ toYaml .Values.labels | indent 4 }} +{{- end }} +spec: +{{- if .Values.podDisruptionBudget.minAvailable }} + minAvailable: {{ .Values.podDisruptionBudget.minAvailable }} +{{- end }} +{{- if .Values.podDisruptionBudget.maxUnavailable }} + maxUnavailable: {{ .Values.podDisruptionBudget.maxUnavailable }} +{{- end }} + selector: + matchLabels: + {{- include "grafana.selectorLabels" . | nindent 6 }} +{{- end }} diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/templates/podsecuritypolicy.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/templates/podsecuritypolicy.yaml new file mode 100644 index 000000000..7de6c021d --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/templates/podsecuritypolicy.yaml @@ -0,0 +1,49 @@ +{{- if .Values.rbac.pspEnabled }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "grafana.fullname" . }} + labels: + {{- include "grafana.labels" . | nindent 4 }} + annotations: + seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default,runtime/default' + seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default' + {{- if .Values.rbac.pspUseAppArmor }} + apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default' + apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default' + {{- end }} +spec: + privileged: false + allowPrivilegeEscalation: false + requiredDropCapabilities: + # Default set from Docker, with DAC_OVERRIDE and CHOWN + - ALL + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'csi' + - 'secret' + - 'downwardAPI' + - 'persistentVolumeClaim' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'MustRunAs' + ranges: + # Forbid adding the root group. + - min: 1 + max: 65535 + fsGroup: + rule: 'MustRunAs' + ranges: + # Forbid adding the root group. + - min: 1 + max: 65535 + readOnlyRootFilesystem: false +{{- end }} diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/templates/pvc.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/templates/pvc.yaml new file mode 100644 index 000000000..8d93f5c23 --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/templates/pvc.yaml @@ -0,0 +1,33 @@ +{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) (eq .Values.persistence.type "pvc")}} +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: {{ template "grafana.fullname" . }} + namespace: {{ template "grafana.namespace" . }} + labels: + {{- include "grafana.labels" . | nindent 4 }} + {{- with .Values.persistence.annotations }} + annotations: +{{ toYaml . | indent 4 }} + {{- end }} + {{- with .Values.persistence.finalizers }} + finalizers: +{{ toYaml . | indent 4 }} + {{- end }} +spec: + accessModes: + {{- range .Values.persistence.accessModes }} + - {{ . | quote }} + {{- end }} + resources: + requests: + storage: {{ .Values.persistence.size | quote }} + {{- if .Values.persistence.storageClassName }} + storageClassName: {{ .Values.persistence.storageClassName }} + {{- end -}} + {{- with .Values.persistence.selectorLabels }} + selector: + matchLabels: +{{ toYaml . | indent 6 }} + {{- end }} +{{- end -}} diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/templates/role.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/templates/role.yaml new file mode 100644 index 000000000..6a1890fb9 --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/templates/role.yaml @@ -0,0 +1,32 @@ +{{- if and .Values.rbac.create (not .Values.rbac.useExistingRole) -}} +apiVersion: {{ template "grafana.rbac.apiVersion" . }} +kind: Role +metadata: + name: {{ template "grafana.fullname" . }} + namespace: {{ template "grafana.namespace" . }} + labels: + {{- include "grafana.labels" . | nindent 4 }} +{{- with .Values.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} +{{- if or .Values.rbac.pspEnabled (and .Values.rbac.namespaced (or .Values.sidecar.dashboards.enabled (or .Values.sidecar.datasources.enabled .Values.rbac.extraRoleRules))) }} +rules: +{{- if .Values.rbac.pspEnabled }} +- apiGroups: ['extensions'] + resources: ['podsecuritypolicies'] + verbs: ['use'] + resourceNames: [{{ template "grafana.fullname" . }}] +{{- end }} +{{- if and .Values.rbac.namespaced (or .Values.sidecar.dashboards.enabled .Values.sidecar.datasources.enabled) }} +- apiGroups: [""] # "" indicates the core API group + resources: ["configmaps", "secrets"] + verbs: ["get", "watch", "list"] +{{- end }} +{{- with .Values.rbac.extraRoleRules }} +{{ toYaml . | indent 0 }} +{{- end}} +{{- else }} +rules: [] +{{- end }} +{{- end }} diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/templates/rolebinding.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/templates/rolebinding.yaml new file mode 100644 index 000000000..e0107255e --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/templates/rolebinding.yaml @@ -0,0 +1,25 @@ +{{- if .Values.rbac.create -}} +apiVersion: {{ template "grafana.rbac.apiVersion" . }} +kind: RoleBinding +metadata: + name: {{ template "grafana.fullname" . }} + namespace: {{ template "grafana.namespace" . }} + labels: + {{- include "grafana.labels" . | nindent 4 }} +{{- with .Values.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role +{{- if (not .Values.rbac.useExistingRole) }} + name: {{ template "grafana.fullname" . }} +{{- else }} + name: {{ .Values.rbac.useExistingRole }} +{{- end }} +subjects: +- kind: ServiceAccount + name: {{ template "grafana.serviceAccountName" . }} + namespace: {{ template "grafana.namespace" . }} +{{- end -}} diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/templates/secret-env.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/templates/secret-env.yaml new file mode 100644 index 000000000..5c09313e6 --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/templates/secret-env.yaml @@ -0,0 +1,14 @@ +{{- if .Values.envRenderSecret }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "grafana.fullname" . }}-env + namespace: {{ template "grafana.namespace" . }} + labels: + {{- include "grafana.labels" . | nindent 4 }} +type: Opaque +data: +{{- range $key, $val := .Values.envRenderSecret }} + {{ $key }}: {{ $val | b64enc | quote }} +{{- end -}} +{{- end }} diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/templates/secret.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/templates/secret.yaml new file mode 100644 index 000000000..c8aa750ac --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/templates/secret.yaml @@ -0,0 +1,26 @@ +{{- if or (and (not .Values.admin.existingSecret) (not .Values.env.GF_SECURITY_ADMIN_PASSWORD__FILE) (not .Values.env.GF_SECURITY_ADMIN_PASSWORD) (not .Values.env.GF_SECURITY_DISABLE_INITIAL_ADMIN_CREATION)) (and .Values.ldap.enabled (not .Values.ldap.existingSecret)) }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "grafana.fullname" . }} + namespace: {{ template "grafana.namespace" . }} + labels: + {{- include "grafana.labels" . | nindent 4 }} +{{- with .Values.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} +type: Opaque +data: + {{- if and (not .Values.env.GF_SECURITY_DISABLE_INITIAL_ADMIN_CREATION) (not .Values.admin.existingSecret) (not .Values.env.GF_SECURITY_ADMIN_PASSWORD__FILE) (not .Values.env.GF_SECURITY_ADMIN_PASSWORD) }} + admin-user: {{ .Values.adminUser | b64enc | quote }} + {{- if .Values.adminPassword }} + admin-password: {{ .Values.adminPassword | b64enc | quote }} + {{- else }} + admin-password: {{ template "grafana.password" . }} + {{- end }} + {{- end }} + {{- if not .Values.ldap.existingSecret }} + ldap-toml: {{ tpl .Values.ldap.config $ | b64enc | quote }} + {{- end }} +{{- end }} diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/templates/service.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/templates/service.yaml new file mode 100644 index 000000000..ba84ef970 --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/templates/service.yaml @@ -0,0 +1,51 @@ +{{ if .Values.service.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "grafana.fullname" . }} + namespace: {{ template "grafana.namespace" . }} + labels: + {{- include "grafana.labels" . | nindent 4 }} +{{- if .Values.service.labels }} +{{ toYaml .Values.service.labels | indent 4 }} +{{- end }} +{{- with .Values.service.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} +spec: +{{- if (or (eq .Values.service.type "ClusterIP") (empty .Values.service.type)) }} + type: ClusterIP + {{- if .Values.service.clusterIP }} + clusterIP: {{ .Values.service.clusterIP }} + {{end}} +{{- else if eq .Values.service.type "LoadBalancer" }} + type: {{ .Values.service.type }} + {{- if .Values.service.loadBalancerIP }} + loadBalancerIP: {{ .Values.service.loadBalancerIP }} + {{- end }} + {{- if .Values.service.loadBalancerSourceRanges }} + loadBalancerSourceRanges: +{{ toYaml .Values.service.loadBalancerSourceRanges | indent 4 }} + {{- end -}} +{{- else }} + type: {{ .Values.service.type }} +{{- end }} +{{- if .Values.service.externalIPs }} + externalIPs: +{{ toYaml .Values.service.externalIPs | indent 4 }} +{{- end }} + ports: + - name: {{ .Values.service.portName }} + port: {{ .Values.service.port }} + protocol: TCP + targetPort: {{ .Values.service.targetPort }} +{{ if (and (eq .Values.service.type "NodePort") (not (empty .Values.service.nodePort))) }} + nodePort: {{.Values.service.nodePort}} +{{ end }} + {{- if .Values.extraExposePorts }} + {{- tpl (toYaml .Values.extraExposePorts) . | indent 4 }} + {{- end }} + selector: + {{- include "grafana.selectorLabels" . | nindent 4 }} +{{ end }} diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/templates/serviceaccount.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/templates/serviceaccount.yaml new file mode 100644 index 000000000..4ccee15ed --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/templates/serviceaccount.yaml @@ -0,0 +1,14 @@ +{{- if .Values.serviceAccount.create }} +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + {{- include "grafana.labels" . | nindent 4 }} +{{- $root := . }} +{{- with .Values.serviceAccount.annotations }} + annotations: +{{ tpl (toYaml . | indent 4) $root }} +{{- end }} + name: {{ template "grafana.serviceAccountName" . }} + namespace: {{ template "grafana.namespace" . }} +{{- end }} diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/templates/servicemonitor.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/templates/servicemonitor.yaml new file mode 100644 index 000000000..a18c6d336 --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/templates/servicemonitor.yaml @@ -0,0 +1,44 @@ +{{- if .Values.serviceMonitor.enabled }} +--- +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ template "grafana.fullname" . }} + {{- if .Values.serviceMonitor.namespace }} + namespace: {{ .Values.serviceMonitor.namespace }} + {{- else }} + namespace: {{ template "grafana.namespace" . }} + {{- end }} + labels: + {{- include "grafana.labels" . | nindent 4 }} + {{- if .Values.serviceMonitor.labels }} + {{- toYaml .Values.serviceMonitor.labels | nindent 4 }} + {{- end }} +spec: + endpoints: + - port: {{ .Values.service.portName }} + {{- with .Values.serviceMonitor.interval }} + interval: {{ . }} + {{- end }} + {{- with .Values.serviceMonitor.scrapeTimeout }} + scrapeTimeout: {{ . }} + {{- end }} + honorLabels: true + path: {{ .Values.serviceMonitor.path }} + scheme: {{ .Values.serviceMonitor.scheme }} + {{- if .Values.serviceMonitor.tlsConfig }} + tlsConfig: + {{- toYaml .Values.serviceMonitor.tlsConfig | nindent 6 }} + {{- end }} + {{- if .Values.serviceMonitor.relabelings }} + relabelings: + {{- toYaml .Values.serviceMonitor.relabelings | nindent 4 }} + {{- end }} + jobLabel: "{{ .Release.Name }}" + selector: + matchLabels: + {{- include "grafana.selectorLabels" . | nindent 8 }} + namespaceSelector: + matchNames: + - {{ .Release.Namespace }} +{{- end }} diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/templates/statefulset.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/templates/statefulset.yaml new file mode 100644 index 000000000..ad3dd0696 --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/templates/statefulset.yaml @@ -0,0 +1,52 @@ +{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) (eq .Values.persistence.type "statefulset")}} +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: {{ template "grafana.fullname" . }} + namespace: {{ template "grafana.namespace" . }} + labels: + {{- include "grafana.labels" . | nindent 4 }} +{{- with .Values.annotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} +spec: + replicas: {{ .Values.replicas }} + selector: + matchLabels: + {{- include "grafana.selectorLabels" . | nindent 6 }} + serviceName: {{ template "grafana.fullname" . }}-headless + template: + metadata: + labels: + {{- include "grafana.selectorLabels" . | nindent 8 }} +{{- with .Values.podLabels }} +{{ toYaml . | indent 8 }} +{{- end }} + annotations: + checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + checksum/dashboards-json-config: {{ include (print $.Template.BasePath "/dashboards-json-configmap.yaml") . | sha256sum }} + checksum/sc-dashboard-provider-config: {{ include (print $.Template.BasePath "/configmap-dashboard-provider.yaml") . | sha256sum }} + {{- if and (or (and (not .Values.admin.existingSecret) (not .Values.env.GF_SECURITY_ADMIN_PASSWORD__FILE) (not .Values.env.GF_SECURITY_ADMIN_PASSWORD)) (and .Values.ldap.enabled (not .Values.ldap.existingSecret))) (not .Values.env.GF_SECURITY_DISABLE_INITIAL_ADMIN_CREATION) }} + checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }} +{{- end }} +{{- with .Values.podAnnotations }} +{{ toYaml . | indent 8 }} +{{- end }} + spec: + {{- include "grafana.pod" . | nindent 6 }} + volumeClaimTemplates: + - metadata: + name: storage + spec: + accessModes: {{ .Values.persistence.accessModes }} + storageClassName: {{ .Values.persistence.storageClassName }} + resources: + requests: + storage: {{ .Values.persistence.size }} + {{- with .Values.persistence.selectorLabels }} + selector: + matchLabels: +{{ toYaml . | indent 10 }} + {{- end }} +{{- end }} diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/templates/user-secret.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/templates/user-secret.yaml new file mode 100644 index 000000000..3e9703fff --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/templates/user-secret.yaml @@ -0,0 +1,9 @@ +apiVersion: v1 +kind: Secret +metadata: + name: k8s-triliovault-operator-grafana + namespace: {{ template "grafana.namespace" . }} +type: Opaque +data: + admin-user: YWRtaW4= + admin-password: YWRtaW4xMjM= diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/values.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/values.yaml new file mode 100644 index 000000000..5d50d4443 --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/charts/observability/charts/visualization/charts/grafana/values.yaml @@ -0,0 +1,938 @@ +rbac: + create: true + ## Use an existing ClusterRole/Role (depending on rbac.namespaced false/true) + # useExistingRole: name-of-some-(cluster)role + pspEnabled: false + pspUseAppArmor: false + namespaced: false + extraRoleRules: [] + # - apiGroups: [] + # resources: [] + # verbs: [] + extraClusterRoleRules: [] + # - apiGroups: [] + # resources: [] + # verbs: [] +serviceAccount: + create: true + name: + nameTest: +## Service account annotations. Can be templated. +# annotations: +# eks.amazonaws.com/role-arn: arn:aws:iam::123456789000:role/iam-role-name-here + autoMount: true + +replicas: 1 + +## Create a headless service for the deployment +headlessService: false + +## Create HorizontalPodAutoscaler object for deployment type +# +autoscaling: + enabled: false +# minReplicas: 1 +# maxReplicas: 10 +# metrics: +# - type: Resource +# resource: +# name: cpu +# targetAverageUtilization: 60 +# - type: Resource +# resource: +# name: memory +# targetAverageUtilization: 60 + +## See `kubectl explain poddisruptionbudget.spec` for more +## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ +podDisruptionBudget: {} +# minAvailable: 1 +# maxUnavailable: 1 + +## See `kubectl explain deployment.spec.strategy` for more +## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy +deploymentStrategy: + type: RollingUpdate + +readinessProbe: + httpGet: + path: /api/health + port: 3000 + +livenessProbe: + httpGet: + path: /api/health + port: 3000 + initialDelaySeconds: 60 + timeoutSeconds: 30 + failureThreshold: 10 + +## Use an alternate scheduler, e.g. "stork". +## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ +## +# schedulerName: "default-scheduler" + +image: + registry: docker.io + repository: grafana/grafana + tag: 8.5.0 + sha: "" + pullPolicy: IfNotPresent + + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## Can be templated. + ## + # pullSecrets: + # - myRegistrKeySecretName + +testFramework: + enabled: true + registry: docker.io + image: "bats/bats" + tag: "v1.4.1" + imagePullPolicy: IfNotPresent + securityContext: {} + +securityContext: + runAsUser: 472 + runAsGroup: 472 + fsGroup: 472 + +containerSecurityContext: + {} + +# Extra configmaps to mount in grafana pods +# Values are templated. +extraConfigmapMounts: [] + # - name: certs-configmap + # mountPath: /etc/grafana/ssl/ + # subPath: certificates.crt # (optional) + # configMap: certs-configmap + # readOnly: true + + +extraEmptyDirMounts: [] + # - name: provisioning-notifiers + # mountPath: /etc/grafana/provisioning/notifiers + + +# Apply extra labels to common labels. +extraLabels: {} + +## Assign a PriorityClassName to pods if set +# priorityClassName: + +downloadDashboardsImage: + registry: docker.io + repository: curlimages/curl + tag: 7.73.0 + sha: "" + pullPolicy: IfNotPresent + +downloadDashboards: + env: {} + envFromSecret: "" + resources: {} + +## Pod Annotations +# podAnnotations: {} + +## Pod Labels +# podLabels: {} + +podPortName: grafana + +## Deployment annotations +annotations: + ignore-check.kube-linter.io/privileged-ports : "This deployment needs to run on privileged ports 80" + ignore-check.kube-linter.io/read-secret-from-env-var : "This deployment needs to read secret from env variable for grafana admin user and password" + +## Expose the grafana service to be accessed from outside the cluster (LoadBalancer service). +## or access it from within the cluster (ClusterIP service). Set the service type and the port to serve it. +## ref: http://kubernetes.io/docs/user-guide/services/ +## +service: + enabled: true + type: ClusterIP + port: 80 + targetPort: 3000 + # targetPort: 4181 To be used with a proxy extraContainer + annotations: {} + labels: {} + portName: service + +serviceMonitor: + ## If true, a ServiceMonitor CRD is created for a prometheus operator + ## https://github.com/coreos/prometheus-operator + ## + enabled: false + path: /metrics + # namespace: monitoring (defaults to use the namespace this chart is deployed to) + labels: {} + interval: 1m + scheme: http + tlsConfig: {} + scrapeTimeout: 30s + relabelings: [] + +extraExposePorts: [] + # - name: keycloak + # port: 8080 + # targetPort: 8080 + # type: ClusterIP + +# overrides pod.spec.hostAliases in the grafana deployment's pods +hostAliases: [] + # - ip: "1.2.3.4" + # hostnames: + # - "my.host.com" + +ingress: + enabled: false + # For Kubernetes >= 1.18 you should specify the ingress-controller via the field ingressClassName + # See https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/#specifying-the-class-of-an-ingress + # ingressClassName: nginx + # Values can be templated + annotations: {} + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + labels: {} + path: / + + # pathType is only for k8s >= 1.1= + pathType: Prefix + + hosts: + - chart-example.local + ## Extra paths to prepend to every host configuration. This is useful when working with annotation based services. + extraPaths: [] + # - path: /* + # backend: + # serviceName: ssl-redirect + # servicePort: use-annotation + ## Or for k8s > 1.19 + # - path: /* + # pathType: Prefix + # backend: + # service: + # name: ssl-redirect + # port: + # name: use-annotation + + + tls: [] + # - secretName: chart-example-tls + # hosts: + # - chart-example.local + +resources: + limits: + cpu: 1000m + memory: 500Mi + requests: + cpu: 200m + memory: 256Mi + +## Node labels for pod assignment +## ref: https://kubernetes.io/docs/user-guide/node-selection/ +# +nodeSelector: {} + +## Tolerations for pod assignment +## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ +## +tolerations: [] + +## Affinity for pod assignment (evaluated as template) +## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity +## +affinity: {} + +## Additional init containers (evaluated as template) +## ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/ +## +extraInitContainers: [] + +## Enable an Specify container in extraContainers. This is meant to allow adding an authentication proxy to a grafana pod +extraContainers: "" +# extraContainers: | +# - name: proxy +# image: quay.io/gambol99/keycloak-proxy:latest +# args: +# - -provider=github +# - -client-id= +# - -client-secret= +# - -github-org= +# - -email-domain=* +# - -cookie-secret= +# - -http-address=http://0.0.0.0:4181 +# - -upstream-url=http://127.0.0.1:3000 +# ports: +# - name: proxy-web +# containerPort: 4181 + +## Volumes that can be used in init containers that will not be mounted to deployment pods +extraContainerVolumes: [] +# - name: volume-from-secret +# secret: +# secretName: secret-to-mount +# - name: empty-dir-volume +# emptyDir: {} + +## Enable persistence using Persistent Volume Claims +## ref: http://kubernetes.io/docs/user-guide/persistent-volumes/ +## +persistence: + type: pvc + enabled: false + # storageClassName: default + accessModes: + - ReadWriteOnce + size: 10Gi + # annotations: {} + finalizers: + - kubernetes.io/pvc-protection + # selectorLabels: {} + ## Sub-directory of the PV to mount. Can be templated. + # subPath: "" + ## Name of an existing PVC. Can be templated. + # existingClaim: + + ## If persistence is not enabled, this allows to mount the + ## local storage in-memory to improve performance + ## + inMemory: + enabled: false + ## The maximum usage on memory medium EmptyDir would be + ## the minimum value between the SizeLimit specified + ## here and the sum of memory limits of all containers in a pod + ## + # sizeLimit: 300Mi + +initChownData: + ## If false, data ownership will not be reset at startup + ## This allows the prometheus-server to be run with an arbitrary user + ## + enabled: true + + ## initChownData container image + ## + image: + registry: docker.io + repository: busybox + tag: "1.31.1" + sha: "" + pullPolicy: IfNotPresent + + ## initChownData resource requests and limits + ## Ref: http://kubernetes.io/docs/user-guide/compute-resources/ + ## + resources: + limits: + cpu: 200m + memory: 2568Mi + requests: + cpu: 100m + memory: 128Mi + + +# Administrator credentials when not using an existing secret (see below) +adminUser: admin +# adminPassword + +# Use an existing secret for the admin user. +admin: + ## Name of the secret. Can be templated. + existingSecret: "" + userKey: admin-user + passwordKey: admin-password + +## Define command to be executed at startup by grafana container +## Needed if using `vault-env` to manage secrets (ref: https://banzaicloud.com/blog/inject-secrets-into-pods-vault/) +## Default is "run.sh" as defined in grafana's Dockerfile +# command: +# - "sh" +# - "/run.sh" + +## Use an alternate scheduler, e.g. "stork". +## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ +## +# schedulerName: + +## Extra environment variables that will be pass onto deployment pods +## +## to provide grafana with access to CloudWatch on AWS EKS: +## 1. create an iam role of type "Web identity" with provider oidc.eks.* (note the provider for later) +## 2. edit the "Trust relationships" of the role, add a line inside the StringEquals clause using the +## same oidc eks provider as noted before (same as the existing line) +## also, replace NAMESPACE and prometheus-operator-grafana with the service account namespace and name +## +## "oidc.eks.us-east-1.amazonaws.com/id/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:sub": "system:serviceaccount:NAMESPACE:prometheus-operator-grafana", +## +## 3. attach a policy to the role, you can use a built in policy called CloudWatchReadOnlyAccess +## 4. use the following env: (replace 123456789000 and iam-role-name-here with your aws account number and role name) +## +## env: +## AWS_ROLE_ARN: arn:aws:iam::123456789000:role/iam-role-name-here +## AWS_WEB_IDENTITY_TOKEN_FILE: /var/run/secrets/eks.amazonaws.com/serviceaccount/token +## AWS_REGION: us-east-1 +## +## 5. uncomment the EKS section in extraSecretMounts: below +## 6. uncomment the annotation section in the serviceAccount: above +## make sure to replace arn:aws:iam::123456789000:role/iam-role-name-here with your role arn + +env: {} + +## "valueFrom" environment variable references that will be added to deployment pods. Name is templated. +## ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.19/#envvarsource-v1-core +## Renders in container spec as: +## env: +## ... +## - name: +## valueFrom: +## +envValueFrom: {} + # ENV_NAME: + # configMapKeyRef: + # name: configmap-name + # key: value_key + +## The name of a secret in the same kubernetes namespace which contain values to be added to the environment +## This can be useful for auth tokens, etc. Value is templated. +envFromSecret: "" + +## Sensible environment variables that will be rendered as new secret object +## This can be useful for auth tokens, etc +envRenderSecret: {} + +## The names of secrets in the same kubernetes namespace which contain values to be added to the environment +## Each entry should contain a name key, and can optionally specify whether the secret must be defined with an optional key. +## Name is templated. +envFromSecrets: [] +## - name: secret-name +## optional: true + +## The names of conifgmaps in the same kubernetes namespace which contain values to be added to the environment +## Each entry should contain a name key, and can optionally specify whether the configmap must be defined with an optional key. +## Name is templated. +## ref: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#configmapenvsource-v1-core +envFromConfigMaps: [] +## - name: configmap-name +## optional: true + +# Inject Kubernetes services as environment variables. +# See https://kubernetes.io/docs/concepts/services-networking/connect-applications-service/#environment-variables +enableServiceLinks: true + +## Additional grafana server secret mounts +# Defines additional mounts with secrets. Secrets must be manually created in the namespace. +extraSecretMounts: [] + # - name: secret-files + # mountPath: /etc/secrets + # secretName: grafana-secret-files + # readOnly: true + # subPath: "" + # + # for AWS EKS (cloudwatch) use the following (see also instruction in env: above) + # - name: aws-iam-token + # mountPath: /var/run/secrets/eks.amazonaws.com/serviceaccount + # readOnly: true + # projected: + # defaultMode: 420 + # sources: + # - serviceAccountToken: + # audience: sts.amazonaws.com + # expirationSeconds: 86400 + # path: token + # + # for CSI e.g. Azure Key Vault use the following + # - name: secrets-store-inline + # mountPath: /run/secrets + # readOnly: true + # csi: + # driver: secrets-store.csi.k8s.io + # readOnly: true + # volumeAttributes: + # secretProviderClass: "akv-grafana-spc" + # nodePublishSecretRef: # Only required when using service principal mode + # name: grafana-akv-creds # Only required when using service principal mode + +## Additional grafana server volume mounts +# Defines additional volume mounts. +extraVolumeMounts: [] + # - name: extra-volume-0 + # mountPath: /mnt/volume0 + # readOnly: true + # existingClaim: volume-claim + # - name: extra-volume-1 + # mountPath: /mnt/volume1 + # readOnly: true + # hostPath: /usr/shared/ + +## Container Lifecycle Hooks. Execute a specific bash command or make an HTTP request +lifecycleHooks: {} + # postStart: + # exec: + # command: [] + +## Pass the plugins you want installed as a list. +## +plugins: + - grafana-piechart-panel + # - digrich-bubblechart-panel + # - grafana-clock-panel + +## Configure grafana datasources +## ref: http://docs.grafana.org/administration/provisioning/#datasources +## +datasources: {} +# datasources.yaml: +# apiVersion: 1 +# datasources: +# - name: Prometheus +# type: prometheus +# url: http://prometheus-prometheus-server +# access: proxy +# isDefault: true +# - name: CloudWatch +# type: cloudwatch +# access: proxy +# uid: cloudwatch +# editable: false +# jsonData: +# authType: default +# defaultRegion: us-east-1 + +## Configure notifiers +## ref: http://docs.grafana.org/administration/provisioning/#alert-notification-channels +## +notifiers: {} +# notifiers.yaml: +# notifiers: +# - name: email-notifier +# type: email +# uid: email1 +# # either: +# org_id: 1 +# # or +# org_name: Main Org. +# is_default: true +# settings: +# addresses: an_email_address@example.com +# delete_notifiers: + +## Configure grafana dashboard providers +## ref: http://docs.grafana.org/administration/provisioning/#dashboards +## +## `path` must be /var/lib/grafana/dashboards/ +## +dashboardProviders: {} +# dashboardproviders.yaml: +# apiVersion: 1 +# providers: +# - name: 'default' +# orgId: 1 +# folder: '' +# type: file +# disableDeletion: false +# editable: true +# options: +# path: /var/lib/grafana/dashboards/default + +## Configure grafana dashboard to import +## NOTE: To use dashboards you must also enable/configure dashboardProviders +## ref: https://grafana.com/dashboards +## +## dashboards per provider, use provider name as key. +## +dashboards: + default: + logging-dashboard: + file: dashboards/logging-dashboard.json + backup-detail: + file: dashboards/backup-detail.json + clusterbackup-detail: + file: dashboards/clusterbackup-detail.json + backup-overview: + file: dashboards/backup-overview.json + backupplan-detail: + file: dashboards/backupplan-detail.json + clusterbackupplan-detail: + file: dashboards/clusterbackupplan-detail.json + backupplan-overview: + file: dashboards/backupplan-overview.json + metadata-detail: + file: dashboards/metadata-detail.json + overview: + file: dashboards/overview.json + restore-detail: + file: dashboards/restore-detail.json + clusterrestore-detail: + file: dashboards/clusterrestore-detail.json + restore-overview: + file: dashboards/restore-overview.json + target-detail: + file: dashboards/target-detail.json + continuousrestoreplan-detail: + file: dashboards/continuousrestoreplan-detail.json + consistentset-detail: + file: dashboards/consistentset-detail.json + # default: + # some-dashboard: + # json: | + # $RAW_JSON + # custom-dashboard: + # file: dashboards/custom-dashboard.json + # prometheus-stats: + # gnetId: 2 + # revision: 2 + # datasource: Prometheus + # local-dashboard: + # url: https://example.com/repository/test.json + # token: '' + # local-dashboard-base64: + # url: https://example.com/repository/test-b64.json + # token: '' + # b64content: true + +## Reference to external ConfigMap per provider. Use provider name as key and ConfigMap name as value. +## A provider dashboards must be defined either by external ConfigMaps or in values.yaml, not in both. +## ConfigMap data example: +## +## data: +## example-dashboard.json: | +## RAW_JSON +## +dashboardsConfigMaps: {} +# default: "" + +## Grafana's primary configuration +## NOTE: values in map will be converted to ini format +## ref: http://docs.grafana.org/installation/configuration/ +## +grafana.ini: + dashboards: + default_home_dashboard_path: /var/lib/grafana/dashboards/default/overview.json + paths: + data: /var/lib/grafana/ + logs: /var/log/grafana + plugins: /var/lib/grafana/plugins + provisioning: /etc/grafana/provisioning + analytics: + check_for_updates: false + log: + mode: console + server: + root_url: "%(protocol)s://%(domain)s:%(http_port)s/grafana/" + serve_from_sub_path: true +## grafana Authentication can be enabled with the following values on grafana.ini +# server: + # The full public facing url you use in browser, used for redirects and emails + # root_url: + # https://grafana.com/docs/grafana/latest/auth/github/#enable-github-in-grafana + # auth.github: + # enabled: false + # allow_sign_up: false + # scopes: user:email,read:org + # auth_url: https://github.com/login/oauth/authorize + # token_url: https://github.com/login/oauth/access_token + # api_url: https://api.github.com/user + # team_ids: + # allowed_organizations: + # client_id: + # client_secret: +## LDAP Authentication can be enabled with the following values on grafana.ini +## NOTE: Grafana will fail to start if the value for ldap.toml is invalid + # auth.ldap: + # enabled: true + # allow_sign_up: true + # config_file: /etc/grafana/ldap.toml + +## Grafana's LDAP configuration +## Templated by the template in _helpers.tpl +## NOTE: To enable the grafana.ini must be configured with auth.ldap.enabled +## ref: http://docs.grafana.org/installation/configuration/#auth-ldap +## ref: http://docs.grafana.org/installation/ldap/#configuration +ldap: + enabled: false + # `existingSecret` is a reference to an existing secret containing the ldap configuration + # for Grafana in a key `ldap-toml`. + existingSecret: "" + # `config` is the content of `ldap.toml` that will be stored in the created secret + config: "" + # config: |- + # verbose_logging = true + + # [[servers]] + # host = "my-ldap-server" + # port = 636 + # use_ssl = true + # start_tls = false + # ssl_skip_verify = false + # bind_dn = "uid=%s,ou=users,dc=myorg,dc=com" + +## Grafana's SMTP configuration +## NOTE: To enable, grafana.ini must be configured with smtp.enabled +## ref: http://docs.grafana.org/installation/configuration/#smtp +smtp: + # `existingSecret` is a reference to an existing secret containing the smtp configuration + # for Grafana. + existingSecret: "" + userKey: "user" + passwordKey: "password" + +## Sidecars that collect the configmaps with specified label and stores the included files them into the respective folders +## Requires at least Grafana 5 to work and can't be used together with parameters dashboardProviders, datasources and dashboards +sidecar: + image: + registry: quay.io + repository: kiwigrid/k8s-sidecar + tag: 1.15.6 + sha: "" + imagePullPolicy: IfNotPresent + resources: + limits: + cpu: 200m + memory: 200Mi + requests: + cpu: 100m + memory: 100Mi + securityContext: {} + # skipTlsVerify Set to true to skip tls verification for kube api calls + # skipTlsVerify: true + enableUniqueFilenames: false + readinessProbe: {} + livenessProbe: {} + dashboards: + enabled: true + SCProvider: true + # label that the configmaps with dashboards are marked with + label: grafana_dashboard + # value of label that the configmaps with dashboards are set to + labelValue: null + # folder in the pod that should hold the collected dashboards (unless `defaultFolderName` is set) + folder: /tmp/dashboards + # The default folder name, it will create a subfolder under the `folder` and put dashboards in there instead + defaultFolderName: null + # Namespaces list. If specified, the sidecar will search for config-maps/secrets inside these namespaces. + # Otherwise the namespace in which the sidecar is running will be used. + # It's also possible to specify ALL to search in all namespaces. + searchNamespace: null + # Method to use to detect ConfigMap changes. With WATCH the sidecar will do a WATCH requests, with SLEEP it will list all ConfigMaps, then sleep for 60 seconds. + watchMethod: WATCH + # search in configmap, secret or both + resource: both + # If specified, the sidecar will look for annotation with this name to create folder and put graph here. + # You can use this parameter together with `provider.foldersFromFilesStructure`to annotate configmaps and create folder structure. + folderAnnotation: null + # Absolute path to shell script to execute after a configmap got reloaded + script: null + # watchServerTimeout: request to the server, asking it to cleanly close the connection after that. + # defaults to 60sec; much higher values like 3600 seconds (1h) are feasible for non-Azure K8S + # watchServerTimeout: 3600 + # + # watchClientTimeout: is a client-side timeout, configuring your local socket. + # If you have a network outage dropping all packets with no RST/FIN, + # this is how long your client waits before realizing & dropping the connection. + # defaults to 66sec (sic!) + # watchClientTimeout: 60 + # + # provider configuration that lets grafana manage the dashboards + provider: + # name of the provider, should be unique + name: sidecarProvider + # orgid as configured in grafana + orgid: 1 + # folder in which the dashboards should be imported in grafana + folder: '' + # type of the provider + type: file + # disableDelete to activate a import-only behaviour + disableDelete: false + # allow updating provisioned dashboards from the UI + allowUiUpdates: false + # allow Grafana to replicate dashboard structure from filesystem + foldersFromFilesStructure: false + # Additional dashboard sidecar volume mounts + extraMounts: [] + # Sets the size limit of the dashboard sidecar emptyDir volume + sizeLimit: {} + datasources: + enabled: true + # label that the configmaps with datasources are marked with + label: grafana_datasource + # value of label that the configmaps with datasources are set to + labelValue: null + # If specified, the sidecar will search for datasource config-maps inside this namespace. + # Otherwise the namespace in which the sidecar is running will be used. + # It's also possible to specify ALL to search in all namespaces + searchNamespace: null + # Method to use to detect ConfigMap changes. With WATCH the sidecar will do a WATCH requests, with SLEEP it will list all ConfigMaps, then sleep for 60 seconds. + watchMethod: WATCH + # search in configmap, secret or both + resource: both + # Endpoint to send request to reload datasources + reloadURL: "http://localhost:3000/api/admin/provisioning/datasources/reload" + skipReload: false + # Deploy the datasource sidecar as an initContainer in addition to a container. + # This is needed if skipReload is true, to load any datasources defined at startup time. + initDatasources: false + # Sets the size limit of the datasource sidecar emptyDir volume + sizeLimit: {} + plugins: + enabled: false + # label that the configmaps with plugins are marked with + label: grafana_plugin + # value of label that the configmaps with plugins are set to + labelValue: null + # If specified, the sidecar will search for plugin config-maps inside this namespace. + # Otherwise the namespace in which the sidecar is running will be used. + # It's also possible to specify ALL to search in all namespaces + searchNamespace: null + # Method to use to detect ConfigMap changes. With WATCH the sidecar will do a WATCH requests, with SLEEP it will list all ConfigMaps, then sleep for 60 seconds. + watchMethod: WATCH + # search in configmap, secret or both + resource: both + # Endpoint to send request to reload plugins + reloadURL: "http://localhost:3000/api/admin/provisioning/plugins/reload" + skipReload: false + # Deploy the datasource sidecar as an initContainer in addition to a container. + # This is needed if skipReload is true, to load any plugins defined at startup time. + initPlugins: false + # Sets the size limit of the plugin sidecar emptyDir volume + sizeLimit: {} + notifiers: + enabled: false + # label that the configmaps with notifiers are marked with + label: grafana_notifier + # If specified, the sidecar will search for notifier config-maps inside this namespace. + # Otherwise the namespace in which the sidecar is running will be used. + # It's also possible to specify ALL to search in all namespaces + searchNamespace: null + # search in configmap, secret or both + resource: both + # Sets the size limit of the notifier sidecar emptyDir volume + sizeLimit: {} + +## Override the deployment namespace +## +namespaceOverride: "" + +## Number of old ReplicaSets to retain +## +revisionHistoryLimit: 10 + +## Add a seperate remote image renderer deployment/service +imageRenderer: + # Enable the image-renderer deployment & service + enabled: false + replicas: 1 + image: + registry: docker.io + # image-renderer Image repository + repository: grafana/grafana-image-renderer + # image-renderer Image tag + tag: latest + # image-renderer Image sha (optional) + sha: "" + # image-renderer ImagePullPolicy + pullPolicy: Always + # extra environment variables + env: + HTTP_HOST: "0.0.0.0" + # RENDERING_ARGS: --no-sandbox,--disable-gpu,--window-size=1280x758 + # RENDERING_MODE: clustered + # IGNORE_HTTPS_ERRORS: true + # image-renderer deployment serviceAccount + serviceAccountName: "" + # image-renderer deployment securityContext + securityContext: {} + # image-renderer deployment Host Aliases + hostAliases: [] + # image-renderer deployment priority class + priorityClassName: '' + service: + # Enable the image-renderer service + enabled: true + # image-renderer service port name + portName: 'http' + # image-renderer service port used by both service and deployment + port: 8081 + targetPort: 8081 + # If https is enabled in Grafana, this needs to be set as 'https' to correctly configure the callback used in Grafana + grafanaProtocol: http + # In case a sub_path is used this needs to be added to the image renderer callback + grafanaSubPath: "" + # name of the image-renderer port on the pod + podPortName: http + # number of image-renderer replica sets to keep + revisionHistoryLimit: 10 + networkPolicy: + # Enable a NetworkPolicy to limit inbound traffic to only the created grafana pods + limitIngress: true + # Enable a NetworkPolicy to limit outbound traffic to only the created grafana pods + limitEgress: false + resources: + limits: + cpu: 200m + memory: 200Mi + requests: + cpu: 100m + memory: 100Mi + ## Node labels for pod assignment + ## ref: https://kubernetes.io/docs/user-guide/node-selection/ + # + nodeSelector: {} + + ## Tolerations for pod assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + ## + tolerations: [] + + ## Affinity for pod assignment (evaluated as template) + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + ## + affinity: {} + +networkPolicy: + ## @param networkPolicy.enabled Enable creation of NetworkPolicy resources. Only Ingress traffic is filtered for now. + ## + enabled: false + ## @param networkPolicy.allowExternal Don't require client label for connections + ## The Policy model to apply. When set to false, only pods with the correct + ## client label will have network access to grafana port defined. + ## When true, grafana will accept connections from any source + ## (with the correct destination port). + ## + allowExternal: true + ## @param networkPolicy.explicitNamespacesSelector A Kubernetes LabelSelector to explicitly select namespaces from which traffic could be allowed + ## If explicitNamespacesSelector is missing or set to {}, only client Pods that are in the networkPolicy's namespace + ## and that match other criteria, the ones that have the good label, can reach the grafana. + ## But sometimes, we want the grafana to be accessible to clients from other namespaces, in this case, we can use this + ## LabelSelector to select these namespaces, note that the networkPolicy's namespace should also be explicitly added. + ## + ## Example: + ## explicitNamespacesSelector: + ## matchLabels: + ## role: frontend + ## matchExpressions: + ## - {key: role, operator: In, values: [frontend]} + ## + explicitNamespacesSelector: {} + +# Enable backward compatibility of kubernetes where version below 1.13 doesn't have the enableServiceLinks option +enableKubeBackwardCompatibility: false + +# Create a dynamic manifests via values: +extraObjects: [] + # - apiVersion: "kubernetes-client.io/v1" + # kind: ExternalSecret + # metadata: + # name: grafana-secrets + # spec: + # backendType: gcpSecretsManager + # data: + # - key: grafana-admin-password + # name: adminPassword diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/crds/triliovault.trilio.io_triliovaultmanagers.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/crds/triliovault.trilio.io_triliovaultmanagers.yaml new file mode 100644 index 000000000..26ebc28eb --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/crds/triliovault.trilio.io_triliovaultmanagers.yaml @@ -0,0 +1,1231 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.10.0 + creationTimestamp: null + name: triliovaultmanagers.triliovault.trilio.io +spec: + group: triliovault.trilio.io + names: + kind: TrilioVaultManager + listKind: TrilioVaultManagerList + plural: triliovaultmanagers + shortNames: + - tvm + singular: triliovaultmanager + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .status.releaseVersion + name: TrilioVault-Version + type: string + - jsonPath: .spec.applicationScope + name: Scope + type: string + - jsonPath: .status.status + name: Status + type: string + name: v1 + schema: + openAPIV3Schema: + description: TrilioVaultManager is the Schema for the triliovaultmanagers + API + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: TrilioVaultManagerSpec defines the desired state of TrilioVaultManager + properties: + affinity: + description: The scheduling constraints on application pods. + properties: + nodeAffinity: + description: Describes node affinity scheduling rules for the + pod. + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule pods to + nodes that satisfy the affinity expressions specified by + this field, but it may choose a node that violates one or + more of the expressions. The node that is most preferred + is the one with the greatest sum of weights, i.e. for each + node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, + etc.), compute a sum by iterating through the elements of + this field and adding "weight" to the sum if the node matches + the corresponding matchExpressions; the node(s) with the + highest sum are the most preferred. + items: + description: An empty preferred scheduling term matches + all objects with implicit weight 0 (i.e. it's a no-op). + A null preferred scheduling term matches no objects (i.e. + is also a no-op). + properties: + preference: + description: A node selector term, associated with the + corresponding weight. + properties: + matchExpressions: + description: A list of node selector requirements + by node's labels. + items: + description: A node selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: Represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists, DoesNotExist. Gt, and + Lt. + type: string + values: + description: An array of string values. If + the operator is In or NotIn, the values + array must be non-empty. If the operator + is Exists or DoesNotExist, the values array + must be empty. If the operator is Gt or + Lt, the values array must have a single + element, which will be interpreted as an + integer. This array is replaced during a + strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node selector requirements + by node's fields. + items: + description: A node selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: Represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists, DoesNotExist. Gt, and + Lt. + type: string + values: + description: An array of string values. If + the operator is In or NotIn, the values + array must be non-empty. If the operator + is Exists or DoesNotExist, the values array + must be empty. If the operator is Gt or + Lt, the values array must have a single + element, which will be interpreted as an + integer. This array is replaced during a + strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + x-kubernetes-map-type: atomic + weight: + description: Weight associated with matching the corresponding + nodeSelectorTerm, in the range 1-100. + format: int32 + type: integer + required: + - preference + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements specified by this + field are not met at scheduling time, the pod will not be + scheduled onto the node. If the affinity requirements specified + by this field cease to be met at some point during pod execution + (e.g. due to an update), the system may or may not try to + eventually evict the pod from its node. + properties: + nodeSelectorTerms: + description: Required. A list of node selector terms. + The terms are ORed. + items: + description: A null or empty node selector term matches + no objects. The requirements of them are ANDed. The + TopologySelectorTerm type implements a subset of the + NodeSelectorTerm. + properties: + matchExpressions: + description: A list of node selector requirements + by node's labels. + items: + description: A node selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: Represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists, DoesNotExist. Gt, and + Lt. + type: string + values: + description: An array of string values. If + the operator is In or NotIn, the values + array must be non-empty. If the operator + is Exists or DoesNotExist, the values array + must be empty. If the operator is Gt or + Lt, the values array must have a single + element, which will be interpreted as an + integer. This array is replaced during a + strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchFields: + description: A list of node selector requirements + by node's fields. + items: + description: A node selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: The label key that the selector + applies to. + type: string + operator: + description: Represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists, DoesNotExist. Gt, and + Lt. + type: string + values: + description: An array of string values. If + the operator is In or NotIn, the values + array must be non-empty. If the operator + is Exists or DoesNotExist, the values array + must be empty. If the operator is Gt or + Lt, the values array must have a single + element, which will be interpreted as an + integer. This array is replaced during a + strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + type: object + x-kubernetes-map-type: atomic + type: array + required: + - nodeSelectorTerms + type: object + x-kubernetes-map-type: atomic + type: object + podAffinity: + description: Describes pod affinity scheduling rules (e.g. co-locate + this pod in the same node, zone, etc. as some other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule pods to + nodes that satisfy the affinity expressions specified by + this field, but it may choose a node that violates one or + more of the expressions. The node that is most preferred + is the one with the greatest sum of weights, i.e. for each + node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling affinity expressions, + etc.), compute a sum by iterating through the elements of + this field and adding "weight" to the sum if the node has + pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. + items: + description: The weights of all of the matched WeightedPodAffinityTerm + fields are added per-node to find the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, associated + with the corresponding weight. + properties: + labelSelector: + description: A label query over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the set of namespaces + that the term applies to. The term is applied + to the union of the namespaces selected by this + field and the ones listed in the namespaces field. + null selector and null or empty namespaces list + means "this pod's namespace". An empty selector + ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies a static list + of namespace names that the term applies to. The + term is applied to the union of the namespaces + listed in this field and the ones selected by + namespaceSelector. null or empty namespaces list + and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + topologyKey: + description: This pod should be co-located (affinity) + or not co-located (anti-affinity) with the pods + matching the labelSelector in the specified namespaces, + where co-located is defined as running on a node + whose value of the label with key topologyKey + matches that of any node on which any of the selected + pods is running. Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated with matching the corresponding + podAffinityTerm, in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the affinity requirements specified by this + field are not met at scheduling time, the pod will not be + scheduled onto the node. If the affinity requirements specified + by this field cease to be met at some point during pod execution + (e.g. due to a pod label update), the system may or may + not try to eventually evict the pod from its node. When + there are multiple elements, the lists of nodes corresponding + to each podAffinityTerm are intersected, i.e. all terms + must be satisfied. + items: + description: Defines a set of pods (namely those matching + the labelSelector relative to the given namespace(s)) + that this pod should be co-located (affinity) or not co-located + (anti-affinity) with, where co-located is defined as running + on a node whose value of the label with key + matches that of any node on which a pod of the set of + pods is running + properties: + labelSelector: + description: A label query over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the set of namespaces + that the term applies to. The term is applied to the + union of the namespaces selected by this field and + the ones listed in the namespaces field. null selector + and null or empty namespaces list means "this pod's + namespace". An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies a static list of namespace + names that the term applies to. The term is applied + to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. null or + empty namespaces list and null namespaceSelector means + "this pod's namespace". + items: + type: string + type: array + topologyKey: + description: This pod should be co-located (affinity) + or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where + co-located is defined as running on a node whose value + of the label with key topologyKey matches that of + any node on which any of the selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + podAntiAffinity: + description: Describes pod anti-affinity scheduling rules (e.g. + avoid putting this pod in the same node, zone, etc. as some + other pod(s)). + properties: + preferredDuringSchedulingIgnoredDuringExecution: + description: The scheduler will prefer to schedule pods to + nodes that satisfy the anti-affinity expressions specified + by this field, but it may choose a node that violates one + or more of the expressions. The node that is most preferred + is the one with the greatest sum of weights, i.e. for each + node that meets all of the scheduling requirements (resource + request, requiredDuringScheduling anti-affinity expressions, + etc.), compute a sum by iterating through the elements of + this field and adding "weight" to the sum if the node has + pods which matches the corresponding podAffinityTerm; the + node(s) with the highest sum are the most preferred. + items: + description: The weights of all of the matched WeightedPodAffinityTerm + fields are added per-node to find the most preferred node(s) + properties: + podAffinityTerm: + description: Required. A pod affinity term, associated + with the corresponding weight. + properties: + labelSelector: + description: A label query over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the set of namespaces + that the term applies to. The term is applied + to the union of the namespaces selected by this + field and the ones listed in the namespaces field. + null selector and null or empty namespaces list + means "this pod's namespace". An empty selector + ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies a static list + of namespace names that the term applies to. The + term is applied to the union of the namespaces + listed in this field and the ones selected by + namespaceSelector. null or empty namespaces list + and null namespaceSelector means "this pod's namespace". + items: + type: string + type: array + topologyKey: + description: This pod should be co-located (affinity) + or not co-located (anti-affinity) with the pods + matching the labelSelector in the specified namespaces, + where co-located is defined as running on a node + whose value of the label with key topologyKey + matches that of any node on which any of the selected + pods is running. Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + weight: + description: weight associated with matching the corresponding + podAffinityTerm, in the range 1-100. + format: int32 + type: integer + required: + - podAffinityTerm + - weight + type: object + type: array + requiredDuringSchedulingIgnoredDuringExecution: + description: If the anti-affinity requirements specified by + this field are not met at scheduling time, the pod will + not be scheduled onto the node. If the anti-affinity requirements + specified by this field cease to be met at some point during + pod execution (e.g. due to a pod label update), the system + may or may not try to eventually evict the pod from its + node. When there are multiple elements, the lists of nodes + corresponding to each podAffinityTerm are intersected, i.e. + all terms must be satisfied. + items: + description: Defines a set of pods (namely those matching + the labelSelector relative to the given namespace(s)) + that this pod should be co-located (affinity) or not co-located + (anti-affinity) with, where co-located is defined as running + on a node whose value of the label with key + matches that of any node on which a pod of the set of + pods is running + properties: + labelSelector: + description: A label query over a set of resources, + in this case pods. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaceSelector: + description: A label query over the set of namespaces + that the term applies to. The term is applied to the + union of the namespaces selected by this field and + the ones listed in the namespaces field. null selector + and null or empty namespaces list means "this pod's + namespace". An empty selector ({}) matches all namespaces. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a + selector that contains values, a key, and an + operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are + In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If the + operator is Exists or DoesNotExist, the + values array must be empty. This array is + replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". The + requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: namespaces specifies a static list of namespace + names that the term applies to. The term is applied + to the union of the namespaces listed in this field + and the ones selected by namespaceSelector. null or + empty namespaces list and null namespaceSelector means + "this pod's namespace". + items: + type: string + type: array + topologyKey: + description: This pod should be co-located (affinity) + or not co-located (anti-affinity) with the pods matching + the labelSelector in the specified namespaces, where + co-located is defined as running on a node whose value + of the label with key topologyKey matches that of + any node on which any of the selected pods is running. + Empty topologyKey is not allowed. + type: string + required: + - topologyKey + type: object + type: array + type: object + type: object + applicationScope: + description: Scope for the application which will be installed in + the cluster NamespaceScope or ClusterScope + enum: + - Cluster + - Namespaced + type: string + componentConfiguration: + description: ComponentConfiguration holds all the field related to + the TVK deployments. + properties: + admission-webhook: + description: AdmissionWebhook holds all configuration for the + admission-webhook deployment + type: object + x-kubernetes-preserve-unknown-fields: true + control-plane: + description: ControlPlane holds all configuration for the control-plane + deployment + type: object + x-kubernetes-preserve-unknown-fields: true + exporter: + description: Exporter holds all configuration for the exporter + deployment. + type: object + x-kubernetes-preserve-unknown-fields: true + ingress-controller: + description: IngressController holds all configuration for the + ingress-controller deployment + type: object + x-kubernetes-preserve-unknown-fields: true + web: + description: Web holds all configuration for the web deployment + type: object + x-kubernetes-preserve-unknown-fields: true + web-backend: + description: WebBackend holds all configuration for the web-backend + deployment + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + csiConfig: + description: CSIConfig is the configuration for the CSI drivers which + doesn't support snapshot functionality + properties: + exclude: + description: Exclude denotes the list of CSI drivers to be excluded + from the non-snapshot functionality category + items: + type: string + type: array + include: + description: Include denotes the list of CSI drivers to be included + in the non-snapshot functionality category + items: + type: string + type: array + type: object + dataJobLimits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Deprecated: DataJobLimits are the resource limits for + all the data processing jobs.' + type: object + dataJobResources: + description: DataJobResources is the resource limits & requests for + all the data processing jobs. + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum amount of compute resources + allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum amount of compute + resources required. If Requests is omitted for a container, + it defaults to Limits if that is explicitly specified, otherwise + to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + datamoverLogLevel: + description: DatamoverLogLevel is a log level used in datamover i.e. + data upload/restore part of the TVK. + enum: + - Panic + - Fatal + - Error + - Warn + - Info + - Debug + - Trace + type: string + deploymentLimits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Deprecated: DeploymentLimits are the resource limits + for all the deployments.' + type: object + helmValues: + description: HelmValues holds all the additional fields in the values.yaml + of TVK helm chart. + type: object + x-kubernetes-preserve-unknown-fields: true + helmVersion: + description: 'Deprecated: Helm Version' + properties: + tillerNamespace: + type: string + version: + enum: + - v3 + type: string + required: + - version + type: object + ingressConfig: + description: IngressConfig holds field related to ingress resource + to access the TVK UI. + properties: + annotations: + additionalProperties: + type: string + type: object + host: + type: string + ingressClass: + type: string + tlsSecretName: + type: string + type: object + logLevel: + description: LogLevel is a level used in TVK logging. + enum: + - Panic + - Fatal + - Error + - Warn + - Info + - Debug + - Trace + type: string + metadataJobLimits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Deprecated: MetadataJobLimits are the resource limits + for all the meta processing jobs.' + type: object + metadataJobResources: + description: MetadataJobResources is the resource limits & requests + for all the meta processing jobs. + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum amount of compute resources + allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum amount of compute + resources required. If Requests is omitted for a container, + it defaults to Limits if that is explicitly specified, otherwise + to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + nodeSelector: + additionalProperties: + type: string + description: NodeSelector specifies a map of key-value pairs. For + the pod to be eligible to run on a node, the node must have each + of the indicated key-value pairs as labels. + type: object + pauseSchedule: + description: PauseSchedule is flag to pause schedule backups or snapshot + for all the backupplan/clusterbackupplan. + type: boolean + resources: + description: 'Deprecated: Resources are the resource requirements + for the containers.' + properties: + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Limits describes the maximum amount of compute resources + allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: 'Requests describes the minimum amount of compute + resources required. If Requests is omitted for a container, + it defaults to Limits if that is explicitly specified, otherwise + to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + type: object + type: object + restoreNamespaces: + description: 'Deprecated: RestoreNamespaces are the namespace where + you want to restore your applications. Restore Namespaces depends + on your k8s RBAC' + items: + type: string + type: array + tolerations: + description: The toleration of application against the specific taints + on the nodes + items: + description: The pod this Toleration is attached to tolerates any + taint that matches the triple using the matching + operator . + properties: + effect: + description: Effect indicates the taint effect to match. Empty + means match all taint effects. When specified, allowed values + are NoSchedule, PreferNoSchedule and NoExecute. + type: string + key: + description: Key is the taint key that the toleration applies + to. Empty means match all taint keys. If the key is empty, + operator must be Exists; this combination means to match all + values and all keys. + type: string + operator: + description: Operator represents a key's relationship to the + value. Valid operators are Exists and Equal. Defaults to Equal. + Exists is equivalent to wildcard for value, so that a pod + can tolerate all taints of a particular category. + type: string + tolerationSeconds: + description: TolerationSeconds represents the period of time + the toleration (which must be of effect NoExecute, otherwise + this field is ignored) tolerates the taint. By default, it + is not set, which means tolerate the taint forever (do not + evict). Zero and negative values will be treated as 0 (evict + immediately) by the system. + format: int64 + type: integer + value: + description: Value is the taint value the toleration matches + to. If the operator is Exists, the value should be empty, + otherwise just a regular string. + type: string + type: object + type: array + trilioVaultAppVersion: + description: 'Deprecated: TrilioVaultAppVersion Helm Chart version' + type: string + tvkInstanceName: + description: TVKInstanceName is a TVK installation name to be displayed + on UI. + type: string + required: + - applicationScope + type: object + status: + description: TrilioVaultManagerStatus defines the observed state of TrilioVaultManager + properties: + conditions: + items: + properties: + lastTransitionTime: + format: date-time + nullable: true + type: string + message: + minLength: 0 + type: string + reason: + enum: + - InstallSuccessful + - UpdateSuccessful + - UninstallSuccessful + - InstallError + - UpdateError + - ReconcileError + - UninstallError + type: string + status: + enum: + - "True" + - "False" + - Unknown + type: string + type: + enum: + - Initialized + - Deployed + - Updated + - ReleaseFailed + - Irreconcilable + type: string + type: object + type: array + dashboard: + type: string + deployedRelease: + properties: + manifest: + type: string + name: + type: string + type: object + helmRevision: + type: integer + releaseVersion: + type: string + status: + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/questions.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/questions.yaml new file mode 100644 index 000000000..c5064a13f --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/questions.yaml @@ -0,0 +1,158 @@ +questions: +- variable: installTVK.enabled + default: true + description: "TriloVault Manager is an instance of TrilioVault for Kubernetes. Selecting this checkbox automatically creates a TrilioVault Manager instance" + required: true + type: boolean + label: "Install TrilioVault Manager Automatically" + group: "TrilioVault Manager Install Configuration" + +- variable: installTVK.tvkInstanceName + show_if: "installTVK.enabled=true" + default: "triliovault-manager" + description: "TrilioVault Manager Instance Name. This will be used to manage the Kubernetes cluster in TVK Management Console and backups performed by the TrilioVault for Kubernetes" + required: true + type: string + label: "TrilioVault Manager Instance Name" + group: "TrilioVault Manager Install Configuration" + +- variable: installTVK.applicationScope + default: Cluster + description: "TrilioVault Manager installation scope: Cluster or Namespaced" + required: true + type: enum + label: "TrilioVault Manager Installation Scope" + group: "TrilioVault Manager Install Configuration" + options: + - "Cluster" + - "Namespaced" + +- variable: installTVK.ingressConfig.host + default: "rancher.k8s-tvk.com" + description: "Hostname URL to access the TVK Management Console - For example: rancher.k8s-tvk.com" + required: true + type: hostname + label: "TVK Management Console Hostname URL" + group: "Ingress Configuration" + +- variable: installTVK.ingressConfig.tlsSecretName + default: "" + description: "TLS Secret containing an appropriate certificate to access the TVK Management Console over HTTPS protocol. Secret should of type kubernetes.io/tls" + required: false + type: secret + label: "TLS Secret of type kubernetes.io/tls (Optional)" + group: "Ingress Configuration" + + +- variable: installTVK.ComponentConfiguration.ingressController.service.type + default: "NodePort" + description: "Ingress Controller Service Type to access the TVK Management Console" + required: true + type: enum + label: "Ingress Controller Service Type" + group: "Ingress Configuration" + options: + - "NodePort" + - "LoadBalancer" + +- variable: installTVK.ingressConfig.annotations + default: "" + description: "Annotations to add for the TrilioVault Manager ingress resource - For example: {'foo':'bar'}" + required: false + type: string + label: "Annotations for Ingress Resource (Optional)" + group: "Ingress Configuration" + +- variable: proxySettings.PROXY_ENABLED + default: false + description: "Select this checkbox to deploy the TrilioVault Manager via a proxy server" + required: false + type: boolean + label: "Proxy Settings (Optional)" + group: "Proxy Settings" + show_subquestion_if: true + subquestions: + - variable: proxySettings.NO_PROXY + default: "" + description: "Provide the user defined IPs/hosts and subnets to exempt from proxy. User can provide comma separated values. For example: 'localhost,127.0.0.1,10.239.112.0/20,10.240.0.0/14'" + required: false + type: string + label: "No Proxy (Optional)" + group: "Proxy Settings" + - variable: proxySettings.HTTP_PROXY + default: "" + description: "Provide HTTP proxy information. For example: http://:@:" + required: true + type: string + label: "HTTP Proxy" + group: "Proxy Settings" + - variable: proxySettings.HTTPS_PROXY + default: "" + description: "Provide HTTPS proxy information. For example: https://:@:" + required: true + type: string + label: "HTTPS Proxy" + group: "Proxy Settings" + - variable: proxySettings.CA_BUNDLE_CONFIGMAP + default: "" + description: "Provide a CA Certificate bundle configmap present on the Kubernetes cluster to communicate with the proxy server" + required: false + type: string + label: "CA Certificate Bundle Configmap Name (Optional)" + group: "Proxy Settings" + +- variable: observability.enabled + default: false + description: "Select this checkbox to deploy the Observability Stack with Triliovault operator" + required: false + type: boolean + label: "Observability Stack (Optional)" + group: "Observability" + show_subquestion_if: true + subquestions: + - variable: observability.logging.loki.enabled + default: true + description: "Select this checkbox to deploy the Logging Stack with Loki" + required: true + type: boolean + label: "Logging with Loki" + group: "Logging" + - variable: observability.logging.promtail.enabled + default: true + description: "Select this checkbox to deploy the Logging Stack with Promtail" + required: true + type: boolean + label: "Logging with Promtail" + group: "Logging" + - variable: observability.monitoring.prometheus.enabled + default: true + description: "Select this checkbox to deploy the Monitoring Stack with Prometheus" + required: true + type: boolean + label: "Monitoring with Prometheus" + group: "Monitoring" + - variable: observability.monitoring.prometheus.server.enabled + default: true + description: "Select this checkbox to deploy the Monitoring Stack with Prometheus Server" + required: true + type: boolean + label: "Monitoring with Prometheus Server" + group: "Monitoring" + - variable: observability.visualization.grafana.enabled + default: true + description: "Select this checkbox to deploy the Visualization Stack with Grafana" + required: true + type: boolean + label: "Visualization with Grafana" + group: "Visualization" + - variable: observability.visualization.grafana.service.type + show_if: "observability.visualization.grafana.enabled=true" + default: "ClusterIP" + description: "Grafana Service Type to access the Grafana Dashboards" + required: true + type: enum + label: "Grafana Service Type" + group: "Visualization" + options: + - "NodePort" + - "LoadBalancer" diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/templates/NOTES.txt b/charts/trilio/k8s-triliovault-operator/5.0.0/templates/NOTES.txt new file mode 100644 index 000000000..587919034 --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/templates/NOTES.txt @@ -0,0 +1,59 @@ +TrilioVault Operator is a helm based operator which install/upgrade/delete the helm Chart of the TrilioVault For Kubernetes. +This operator watches over the entire helm application of TrilioVault for Kubernetes and has self-healing capabilities. + +To verify that TrilioVault Operator has started, run: + + kubectl --namespace={{ .Release.Namespace }} wait --for=condition=ready pod -l "release={{ .Release.Name }}" + +{{ if .Values.installTVK.enabled }} +In one click install, a cluster scope TVM custom resource triliovault-manager is created, you can check its +configuration by running following command: + + kubectl --namespace {{ .Release.Namespace }} get triliovaultmanagers.triliovault.trilio.io triliovault-manager -o yaml + +{{- else }} + +Once the Triliovault operator is in running state, you can create the TrilioVault for Kubernetes(TVK) with the +following custom resource: + + apiVersion: triliovault.trilio.io/v1 + kind: TrilioVaultManager + metadata: + labels: + app: triliovault + name: triliovault-manager + namespace: {{ .Release.Namespace }} + spec: + trilioVaultAppVersion: latest + applicationScope: Cluster + ingressConfig: + host: "" + componentConfiguration: + ingress-controller: + enabled: true + service: + type: LoadBalancer + +Once the above CR has been created, you have to wait for the TVK pods to come up. +{{- end }} + +To check all the TVK pods come into running state, run: + + kubectl --namespace {{ .Release.Namespace }} wait --for=condition=ready pod -l "release=triliovault-manager-{{ .Release.Namespace }}" + +Once all the pods are in running state, you can access the TVK UI from your browser using following steps: + +{{- if .Values.installTVK.enabled }} +{{- if eq .Values.installTVK.ComponentConfiguration.ingressController.service.type "LoadBalancer" }} + 1. Find the external IP of the service `k8s-triliovault-ingress-nginx-controller` + 2. Hit the URL in browser: https:///t4k/ +{{- else }} + 1. Find the NodePort from the service `k8s-triliovault-ingress-nginx-controller` + 2. Hit the URL in browser with NodePort: https://:/t4k/ +{{- end }} +{{- end }} + +For more details on how to access the TVK UI, follow this guide: https://docs.trilio.io/kubernetes/management-console-ui/accessing-the-ui + +You can start backup and restore of your application using TVK. For more details on how to do that, please follow our +getting started guide: https://docs.trilio.io/kubernetes/advanced-configuration/management-console diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/templates/TVMCustomResource.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/templates/TVMCustomResource.yaml new file mode 100644 index 000000000..e3a188388 --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/templates/TVMCustomResource.yaml @@ -0,0 +1,65 @@ +{{- if .Values.installTVK.enabled }} +{{- if not (lookup "triliovault.trilio.io/v1" "TrilioVaultManager" "" "").items }} + {{template "k8s-triliovault-operator.tlsSecretValidation" .}} +apiVersion: triliovault.trilio.io/v1 +kind: TrilioVaultManager +metadata: + name: "triliovault-manager" + namespace: {{ .Release.Namespace }} + annotations: + "helm.sh/hook": pre-install +spec: + applicationScope: {{ .Values.installTVK.applicationScope }} + {{- if .Values.installTVK.tvkInstanceName }} + tvkInstanceName: {{ .Values.installTVK.tvkInstanceName }} + {{- end }} + {{- if or .Values.imagePullSecret .Values.svcAccountName .Values.observability.enabled .Values.global.urlPath }} + helmValues: + urlPath: {{ .Values.global.urlPath | quote }} + {{- if .Values.observability.enabled }} + observability: + name: {{ .Values.observability.name }} + namespace: {{ default .Release.Namespace }} + {{- end }} + {{- if include "k8s-triliovault-operator.imagePullSecret" . }} + imagePullSecret: {{ template "k8s-triliovault-operator.imagePullSecret" . }} + {{- end }} + {{- if .Values.svcAccountName }} + svcAccountName: {{ .Values.svcAccountName }} + {{- end }} + {{- end }} + {{- if .Values.nodeSelector }} + nodeSelector: {{- .Values.nodeSelector | toYaml | nindent 4 }} + {{- end }} + {{- if .Values.affinity }} + affinity: + {{- toYaml .Values.affinity | nindent 4 }} + {{- end }} + {{- if .Values.tolerations }} + tolerations: + {{- toYaml .Values.tolerations | nindent 4 }} + {{- end }} + # User can configure the ingress hosts, annotations and TLS secret through the ingressConfig section + ingressConfig: + {{- if and (gt (len .Values.installTVK.ingressConfig.annotations) 0) (not .Values.installTVK.ComponentConfiguration.ingressController.enabled) }} + annotations: + {{- range $key, $value := .Values.installTVK.ingressConfig.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end -}} + {{- end }} + host: {{ .Values.installTVK.ingressConfig.host | quote }} + {{- if not .Values.installTVK.ComponentConfiguration.ingressController.enabled }} + ingressClass: {{ .Values.installTVK.ingressConfig.ingressClass | quote }} + {{- end }} + {{- if .Values.installTVK.ingressConfig.tlsSecretName }} + tlsSecretName: {{ .Values.installTVK.ingressConfig.tlsSecretName | quote }} + {{- end }} + # TVK components configuration, currently supports control-plane, web, exporter, web-backend, ingress-controller, admission-webhook. + # User can configure resources for all componentes and can configure service type and host for the ingress-controller + componentConfiguration: + ingress-controller: + enabled: {{ .Values.installTVK.ComponentConfiguration.ingressController.enabled }} + service: + type: {{ .Values.installTVK.ComponentConfiguration.ingressController.service.type }} +{{- end -}} +{{- end -}} diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/templates/TVMSecret.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/templates/TVMSecret.yaml new file mode 100644 index 000000000..0d9d8a9df --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/templates/TVMSecret.yaml @@ -0,0 +1,25 @@ +{{- if .Values.observability.enabled }} +apiVersion: v1 +kind: Secret +metadata: + name: tvk-integration + namespace: {{ .Release.Namespace }} + annotations: + meta.helm.sh/release-namespace: {{ .Release.Namespace }} + labels: + {{- include "k8s-triliovault-operator.labels" . | nindent 4 }} + triliovault.trilio.io/owner: {{ template "k8s-triliovault-operator.appName" . }} + app.kubernetes.io/instance: {{ template "k8s-triliovault-operator.appName" . }}-validation-webhook-configuration + triliovault.trilio.io/observability: "true" +type: Opaque +stringData: + integration: |- + type: Loki + protocol: "" + host: "" + port: "" + path: "/api/v1/datasource" + username: "admin" + password: {{ .Values.observability.visualization.grafana.adminPassword | quote }} +{{- end }} + diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/templates/_helpers.tpl b/charts/trilio/k8s-triliovault-operator/5.0.0/templates/_helpers.tpl new file mode 100644 index 000000000..120ef9c7d --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/templates/_helpers.tpl @@ -0,0 +1,134 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "k8s-triliovault-operator.name" -}} +{{- default .Release.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{- define "k8s-triliovault-operator.appName" -}} +{{- printf "%s" .Chart.Name -}} +{{- end -}} + + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "k8s-triliovault-operator.fullname" -}} +{{- printf "%s" .Chart.Name -}} +{{- end -}} + +{{/* +Return the proper TrilioVault Operator image name +*/}} +{{- define "k8s-triliovault-operator.image" -}} +{{- $registryName := .Values.image.registry -}} +{{- $repositoryName := .Values.image.repository -}} +{{- $tag := .Values.image.tag | toString -}} +{{- printf "%s/%s:%s" $registryName $repositoryName $tag -}} +{{- end -}} + +{{/* +Validation of the secret of CA bundle if provided +*/}} +{{- define "k8s-triliovault-operator.caBundleValidation" -}} +{{- if .Values.proxySettings.CA_BUNDLE_CONFIGMAP }} +{{- if not (lookup "v1" "ConfigMap" .Release.Namespace .Values.proxySettings.CA_BUNDLE_CONFIGMAP) }} + {{ fail "Proxy CA bundle proxy is not present in the release namespace" }} +{{- else }} + {{- $caMap := (lookup "v1" "ConfigMap" .Release.Namespace .Values.proxySettings.CA_BUNDLE_CONFIGMAP).data }} + {{- if not (get $caMap "ca-bundle.crt") }} + {{ fail "Proxy CA certificate file key should be ca-bundle.crt" }} + {{- end }} +{{- end }} +{{- end }} +{{- end -}} + +{{/* +Validation for the ingress tlsSecret, should exists if provided +*/}} + +{{- define "k8s-triliovault-operator.tlsSecretValidation" }} +{{- if .Values.installTVK.ingressConfig.tlsSecretName -}} +{{- if not (lookup "v1" "Secret" .Release.Namespace .Values.installTVK.ingressConfig.tlsSecretName ) -}} + {{ fail "Ingress tls secret is not present in the release namespace" }} +{{- end -}} +{{- end -}} +{{- end -}} + + +{{- define "k8s-triliovault-operator.preFlightValidation" }} +{{- if not .Values.preflight.storageClass }} + {{ fail "Provide the name of storage class as you have enabled the preflight" }} +{{- else }} + {{- if not (lookup "storage.k8s.io/v1" "StorageClass" "" .Values.preflight.storageClass) }} + {{ fail "Storage class provided is not present in the cluster" }} + {{- end }} +{{- end }} +{{- end }} + +{{- define "k8s-triliovault-operator.priorityClassValidator" }} +{{- if .Values.priorityClassName -}} +{{- if not (lookup "scheduling.k8s.io/v1" "PriorityClass" "" .Values.priorityClassName) }} + {{ fail "Priority class provided is not present in the cluster" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create unified labels for k8s-triliovault-operator components +*/}} +{{- define "k8s-triliovault-operator.labels" -}} +app.kubernetes.io/part-of: {{ template "k8s-triliovault-operator.appName" . }} +app.kubernetes.io/name: {{ template "k8s-triliovault-operator.appName" . }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{- define "k8s-triliovault-operator.serviceAccountName" -}} + {{- if eq .Values.svcAccountName "" -}} + {{- printf "%s" "k8s-triliovault-operator-service-account" -}} + {{- else -}} + {{- printf "%s" .Values.svcAccountName -}} + {{- end -}} +{{- end -}} + +{{- define "k8s-triliovault-operator.preflightServiceAccountName" -}} + {{- if eq .Values.svcAccountName "" -}} + {{- printf "%s" "k8s-triliovault-operator-preflight-service-account" -}} + {{- else -}} + {{- printf "%s" .Values.svcAccountName -}} + {{- end -}} +{{- end -}} + +{{/* +Return the imagePullSecret name in below priority order +1. Returns imagePullSecret name if imagePullSecret is supplied via helm value during installation time +2. If the helm value is not provided and a service account name is provided via svcAccountName parameter, this extracts and returns imagePullSecret from service account if available. + (In case of multiple imagePullSecrets are attached to a service account, only the first one is taken into the consideration) +3. Returns empty string not imagePullSecret is not found in any of the above two +*/}} +{{- define "k8s-triliovault-operator.imagePullSecret" -}} + {{- if eq .Values.imagePullSecret "" -}} + {{- if eq .Values.svcAccountName "" -}} + {{- printf "" -}} + {{- else -}} + {{- if (lookup "v1" "ServiceAccount" .Release.Namespace .Values.svcAccountName).imagePullSecrets -}} + {{- if (index (lookup "v1" "ServiceAccount" .Release.Namespace .Values.svcAccountName).imagePullSecrets 0).name -}} + {{- printf "%s" (index (lookup "v1" "ServiceAccount" .Release.Namespace .Values.svcAccountName).imagePullSecrets 0).name -}} + {{- else -}} + {{- printf "" -}} + {{- end -}} + {{- else -}} + {{- printf "" -}} + {{- end -}} + {{- end -}} + {{- else -}} + {{- printf "%s" .Values.imagePullSecret -}} + {{- end -}} +{{- end -}} + +{{- define "k8s-triliovault-operator.observability" -}} +app.kubernetes.io/part-of: k8s-triliovault-operator +app.kubernetes.io/managed-by: k8s-triliovault-operator +app.kubernetes.io/name: k8s-triliovault-operator +{{- end -}} diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/templates/clusterrole.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/templates/clusterrole.yaml new file mode 100644 index 000000000..443e499d4 --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/templates/clusterrole.yaml @@ -0,0 +1,148 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{template "k8s-triliovault-operator.name" .}}-{{.Release.Namespace}}-manager-role + labels: + {{- include "k8s-triliovault-operator.labels" . | nindent 4 }} + app.kubernetes.io/instance: {{template "k8s-triliovault-operator.appName" .}}-manager-role +rules: + - apiGroups: + - '*' + resources: + - '*' + verbs: + - get + - list + - watch + - apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + - customresourcedefinitions/finalizers + verbs: + - create + - update + - delete + - patch + - apiGroups: + - "" + resources: + - serviceaccounts + - services + - secrets + - events + - pods + - endpoints + - configmaps + - secrets/finalizers + - events/finalizers + - pods/finalizers + - endpoints/finalizers + - configmaps/finalizers + - services/finalizers + - serviceaccounts/finalizers + verbs: + - create + - update + - delete + - patch + - apiGroups: + - admissionregistration.k8s.io + resources: + - validatingwebhookconfigurations + - mutatingwebhookconfigurations + - validatingwebhookconfigurations/finalizers + - mutatingwebhookconfigurations/finalizers + verbs: + - create + - update + - delete + - patch + - apiGroups: + - apps + resources: + - deployments + - deployments/finalizers + verbs: + - create + - update + - delete + - patch + - apiGroups: + - rbac.authorization.k8s.io + resources: + - clusterroles + - clusterrolebindings + - roles + - rolebindings + - clusterroles/finalizers + - clusterrolebindings/finalizers + - roles/finalizers + - rolebindings/finalizers + verbs: + - create + - update + - delete + - patch + - bind + - escalate + - apiGroups: + - triliovault.trilio.io + resources: + - '*' + verbs: + - '*' + - apiGroups: + - "" + resources: + - namespaces + - namespaces/finalizers + verbs: + - update + - apiGroups: + - batch + resources: + - cronjobs + - cronjobs/finalizers + verbs: + - create + - delete + - update + - patch + - apiGroups: + - batch + resources: + - jobs + - jobs/finalizers + verbs: + - create + - delete + - apiGroups: + - policy + resources: + - poddisruptionbudgets + - poddisruptionbudgets/finalizers + verbs: + - create + - update + - patch + - delete + - apiGroups: + - networking.k8s.io + resources: + - ingresses + - ingressclasses + - ingresses/finalizers + - ingressclasses/finalizers + verbs: + - create + - patch + - update + - delete + - apiGroups: + - networking.k8s.io + resources: + - ingresses/status + verbs: + - update diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/templates/clusterrole_binding.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/templates/clusterrole_binding.yaml new file mode 100644 index 000000000..e0f0bdb5f --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/templates/clusterrole_binding.yaml @@ -0,0 +1,15 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "k8s-triliovault-operator.name" . }}-{{ .Release.Namespace }}-manager-rolebinding + labels: + {{- include "k8s-triliovault-operator.labels" . | nindent 4 }} + app.kubernetes.io/instance: {{ template "k8s-triliovault-operator.appName" . }}-manager-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "k8s-triliovault-operator.name" . }}-{{ .Release.Namespace }}-manager-role +subjects: +- kind: ServiceAccount + name: {{ template "k8s-triliovault-operator.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/templates/deployment.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/templates/deployment.yaml new file mode 100644 index 000000000..85069b320 --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/templates/deployment.yaml @@ -0,0 +1,390 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "k8s-triliovault-operator.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "k8s-triliovault-operator.fullname" . }} + release: "{{ .Release.Name }}" + {{- include "k8s-triliovault-operator.labels" . | nindent 4 }} + app.kubernetes.io/instance: {{ template "k8s-triliovault-operator.appName" . }} + {{- if .Values.global.azure }} + azure-extensions-usage-release-identifier: {{ .Release.Name }} + {{- end }} +spec: + strategy: + type: RollingUpdate + rollingUpdate: + maxSurge: 25% + maxUnavailable: 25% + selector: + matchLabels: + app: {{ template "k8s-triliovault-operator.fullname" . }} + release: "{{ .Release.Name }}" + replicas: {{ .Values.replicaCount }} + template: + metadata: + {{- if .Values.podAnnotations }} + annotations: + {{- range $key, $value := .Values.podAnnotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} + {{- end }} + labels: + app: {{ template "k8s-triliovault-operator.fullname" . }} + release: "{{ .Release.Name }}" + {{- if .Values.global.azure }} + azure-extensions-usage-release-identifier: {{ .Release.Name }} + {{- end }} + {{- include "k8s-triliovault-operator.labels" . | nindent 8 }} + app.kubernetes.io/instance: {{ template "k8s-triliovault-operator.appName" . }} + {{- range $key, $value := .Values.podLabels }} + {{ $key }}: {{ $value | quote }} + {{- end }} + spec: + hostNetwork: {{ .Values.podSpec.hostNetwork }} + hostIPC: {{ .Values.podSpec.hostIPC }} + hostPID: {{ .Values.podSpec.hostPID }} + {{- if .Values.priorityClassName }} + {{ template "k8s-triliovault-operator.priorityClassValidator" .}} + priorityClassName: {{ .Values.priorityClassName }} + {{- end }} + {{- if .Values.securityContext }} + securityContext: + {{- toYaml .Values.podSpec.securityContext | nindent 8 }} + {{- end }} + {{- if include "k8s-triliovault-operator.imagePullSecret" . }} + imagePullSecrets: + - name: {{ template "k8s-triliovault-operator.imagePullSecret" . }} + {{- end }} + containers: + - name: k8s-triliovault-operator + {{- if .Values.global.azure }} + image: {{index .Values "global" "azure" "images" "k8s-triliovault-operator" "registry" }}/{{index .Values "global" "azure" "images" "k8s-triliovault-operator" "image" }}@{{index .Values "global" "azure" "images" "k8s-triliovault-operator" "digest" }} + {{- else }} + image: {{ .Values.registry }}/{{ index .Values "k8s-triliovault-operator" "repository" }}:{{ .Values.tag }} + {{- end }} + imagePullPolicy: {{ .Values.image.pullPolicy | quote }} + env: + {{- if .Values.proxySettings.PROXY_ENABLED }} + - name: HTTP_PROXY + value: {{ .Values.proxySettings.HTTP_PROXY }} + - name: HTTPS_PROXY + value: {{ .Values.proxySettings.HTTPS_PROXY }} + - name: NO_PROXY + value: {{ .Values.proxySettings.NO_PROXY }} + {{- if .Values.proxySettings.CA_BUNDLE_CONFIGMAP }} + - name: PROXY_CA_CONFIGMAP + value: {{ .Values.proxySettings.CA_BUNDLE_CONFIGMAP }} + {{- end }} + {{- end }} + - name: MASTER_ENCRYPTION_KEY_NAMESPACE + value: {{ .Values.masterEncryptionKeyConfig.namespace | default .Release.Namespace }} + - name: MASTER_ENCRYPTION_KEY_NAME + value: {{ .Values.masterEncryptionKeyConfig.name }} + {{- if .Values.observability.enabled }} + - name: OBSERVABILITY_SECRET_NAME + value: {{ .Values.observability.name }} + - name: OBSERVABILITY_SECRET_NAMESPACE + value: {{ .Values.observability.namespace | default .Release.Namespace }} + {{- end}} + - name: INSTALL_NAMESPACE + value: {{ .Release.Namespace }} + - name: REGISTRY + value: {{ .Values.registry }} + - name: RELATED_IMAGE_INGRESS_CONTROLLER + {{- if .Values.global.azure }} + value: {{ .Values.registry }}/{{ index .Values "relatedImages" "ingress-controller" "image"}}@{{index .Values "global" "azure" "images" "ingress-controller" "digest" }} + {{- else }} + value: {{ .Values.registry }}/{{ index .Values "relatedImages" "ingress-controller" "image"}}:{{ index .Values "relatedImages" "ingress-controller" "tag" }} + {{- end }} + - name: RELATED_IMAGE_KUBE_CERTGEN + {{- if .Values.global.azure }} + value: {{ .Values.registry }}/{{ index .Values "relatedImages" "kube-certgen" "image"}}@{{index .Values "global" "azure" "images" "kube-certgen" "digest" }} + {{- else }} + value: {{ .Values.registry }}/{{ index .Values "relatedImages" "kube-certgen" "image"}}:{{ index .Values "relatedImages" "kube-certgen" "tag" }} + {{- end }} + - name: RELATED_IMAGE_METAMOVER + {{- if .Values.global.azure }} + value: {{ .Values.registry }}/{{ .Values.relatedImages.metamover.image }}@{{index .Values "global" "azure" "images" "datamover" "digest" }} + {{- else }} + value: {{ .Values.registry }}/{{ .Values.relatedImages.metamover.image }}:{{ .Values.relatedImages.tags.tvk }} + {{- end }} + - name: RELATED_IMAGE_CONTROL_PLANE + {{- if .Values.global.azure }} + value: {{ .Values.registry }}/{{index .Values "relatedImages" "control-plane" "image" }}@{{index .Values "global" "azure" "images" "control-plane" "digest" }} + {{- else }} + value: {{ .Values.registry }}/{{index .Values "relatedImages" "control-plane" "image" }}:{{ .Values.relatedImages.tags.tvk }} + {{- end }} + - name: RELATED_IMAGE_WEB + {{- if .Values.global.azure }} + value: {{ .Values.registry }}/{{ .Values.relatedImages.web.image }}@{{index .Values "global" "azure" "images" "web" "digest" }} + {{- else }} + value: {{ .Values.registry }}/{{ .Values.relatedImages.web.image }}:{{ .Values.relatedImages.tags.tvk }} + {{- end }} + - name: RELATED_IMAGE_WEB_BACKEND + {{- if .Values.global.azure }} + value: {{ .Values.registry }}/{{ index .Values "relatedImages" "web-backend" "image" }}@{{index .Values "global" "azure" "images" "control-plane" "digest" }} + {{- else }} + value: {{ .Values.registry }}/{{ index .Values "relatedImages" "web-backend" "image" }}:{{ .Values.relatedImages.tags.tvk }} + {{- end }} + - name: RELATED_IMAGE_EXPORTER + {{- if .Values.global.azure }} + value: {{ .Values.registry }}/{{ .Values.relatedImages.exporter.image }}@{{index .Values "global" "azure" "images" "control-plane" "digest" }} + {{- else }} + value: {{ .Values.registry }}/{{ .Values.relatedImages.exporter.image }}:{{ .Values.relatedImages.tags.tvk }} + {{- end }} + - name: RELATED_IMAGE_ADMISSION_WEBHOOK + {{- if .Values.global.azure }} + value: {{ .Values.registry }}/{{ index .Values "relatedImages" "admission-webhook" "image" }}@{{index .Values "global" "azure" "images" "control-plane" "digest" }} + {{- else }} + value: {{ .Values.registry }}/{{ index .Values "relatedImages" "admission-webhook" "image" }}:{{ .Values.relatedImages.tags.tvk }} + {{- end }} + - name: RELATED_IMAGE_ANALYZER + {{- if .Values.global.azure }} + value: {{ .Values.registry }}/{{ .Values.relatedImages.analyzer.image }}@{{index .Values "global" "azure" "images" "control-plane" "digest" }} + {{- else }} + value: {{ .Values.registry }}/{{ .Values.relatedImages.analyzer.image }}:{{ .Values.relatedImages.tags.tvk }} + {{- end }} + - name: RELATED_IMAGE_DATAMOVER + {{- if .Values.global.azure }} + value: {{ .Values.registry }}/{{ .Values.relatedImages.datamover.image }}@{{index .Values "global" "azure" "images" "datamover" "digest" }} + {{- else }} + value: {{ .Values.registry }}/{{ .Values.relatedImages.datamover.image }}:{{ .Values.relatedImages.tags.tvk }} + {{- end }} + - name: RELATED_IMAGE_DATASTORE_ATTACHER + {{- if .Values.global.azure }} + value: {{ .Values.registry }}/{{ index .Values "relatedImages" "datastore-attacher" "image" }}@{{index .Values "global" "azure" "images" "datamover" "digest" }} + {{- else }} + value: {{ .Values.registry }}/{{ index .Values "relatedImages" "datastore-attacher" "image" }}:{{ .Values.relatedImages.tags.tvk }} + {{- end }} + - name: RELATED_IMAGE_SCHEDULER + {{- if .Values.global.azure }} + value: {{ .Values.registry }}/{{ index .Values "relatedImages" "backup-scheduler" "image" }}@{{index .Values "global" "azure" "images" "control-plane" "digest" }} + {{- else }} + value: {{ .Values.registry }}/{{ index .Values "relatedImages" "backup-scheduler" "image" }}:{{ .Values.relatedImages.tags.tvk }} + {{- end }} + - name: RELATED_IMAGE_CLEANER + {{- if .Values.global.azure }} + value: {{ .Values.registry }}/{{ index .Values "relatedImages" "backup-cleaner" "image" }}@{{index .Values "global" "azure" "images" "datamover" "digest" }} + {{- else }} + value: {{ .Values.registry }}/{{ index .Values "relatedImages" "backup-cleaner" "image" }}:{{ .Values.relatedImages.tags.tvk }} + {{- end }} + - name: RELATED_IMAGE_TARGET_BROWSER + {{- if .Values.global.azure }} + value: {{ .Values.registry }}/{{ index .Values "relatedImages" "target-browser" "image" }}@{{index .Values "global" "azure" "images" "datamover" "digest" }} + {{- else }} + value: {{ .Values.registry }}/{{ index .Values "relatedImages" "target-browser" "image" }}:{{ .Values.relatedImages.tags.tvk }} + {{- end }} + - name: RELATED_IMAGE_RETENTION + {{- if .Values.global.azure }} + value: {{ .Values.registry }}/{{ index .Values "relatedImages" "backup-retention" "image" }}@{{index .Values "global" "azure" "images" "datamover" "digest" }} + {{- else }} + value: {{ .Values.registry }}/{{ index .Values "relatedImages" "backup-retention" "image" }}:{{ .Values.relatedImages.tags.tvk }} + {{- end }} + - name: RELATED_IMAGE_HOOK + {{- if .Values.global.azure }} + value: {{ .Values.registry }}/{{ .Values.relatedImages.hook.image }}@{{index .Values "global" "azure" "images" "control-plane" "digest" }} + {{- else }} + value: {{ .Values.registry }}/{{ .Values.relatedImages.hook.image }}:{{ .Values.relatedImages.tags.tvk }} + {{- end }} + - name: RELATED_IMAGE_RESOURCE_CLEANER + {{- if .Values.global.azure }} + value: {{ .Values.registry }}/{{ index .Values "relatedImages" "resource-cleaner" "image" }}@{{index .Values "global" "azure" "images" "datamover" "digest" }} + {{- else }} + value: {{ .Values.registry }}/{{ index .Values "relatedImages" "resource-cleaner" "image" }}:{{ .Values.relatedImages.tags.tvk }} + {{- end }} + - name: RELATED_IMAGE_TVK_INIT + {{- if .Values.global.azure }} + value: {{ .Values.registry }}/{{ index .Values "relatedImages" "tvk-init" "image" }}@{{index .Values "global" "azure" "images" "control-plane" "digest" }} + {{- else }} + value: {{ .Values.registry }}/{{ index .Values "relatedImages" "tvk-init" "image" }}:{{ .Values.relatedImages.tags.tvk }} + {{- end }} + - name: RELATED_IMAGE_DEX + {{- if .Values.global.azure }} + value: {{ .Values.registry }}/{{ .Values.relatedImages.dex.image }}@{{index .Values "global" "azure" "images" "dex" "digest" }} + {{- else }} + value: {{ .Values.registry }}/{{ .Values.relatedImages.dex.image }}:{{ .Values.relatedImages.dex.tag }} + {{- end }} + - name: RELATED_IMAGE_MINIO + {{- if .Values.global.azure }} + value: {{ .Values.registry }}/{{ .Values.relatedImages.minio.image }}@{{index .Values "global" "azure" "images" "control-plane" "digest" }} + {{- else }} + value: {{ .Values.registry }}/{{ .Values.relatedImages.minio.image }}:{{ .Values.relatedImages.tags.tvk }} + {{- end }} + - name: RELATED_IMAGE_NATS + {{- if .Values.global.azure }} + value: {{ .Values.registry }}/{{ .Values.relatedImages.nats.image }}@{{index .Values "global" "azure" "images" "nats" "digest" }} + {{- else }} + value: {{ .Values.registry }}/{{ .Values.relatedImages.nats.image }}:{{ .Values.relatedImages.nats.tag }} + {{- end }} + - name: RELATED_IMAGE_SERVICE_MANAGER + {{- if .Values.global.azure }} + value: {{ .Values.registry }}/{{index .Values "relatedImages" "service-manager" "image" }}@{{index .Values "global" "azure" "images" "event-stack" "digest" }} + {{- else }} + value: {{ .Values.registry }}/{{index .Values "relatedImages" "service-manager" "image" }}:{{ .Values.relatedImages.tags.event }} + {{- end }} + - name: RELATED_IMAGE_SYNCER + {{- if .Values.global.azure }} + value: {{ .Values.registry }}/{{ .Values.relatedImages.syncer.image }}@{{index .Values "global" "azure" "images" "event-stack" "digest" }} + {{- else }} + value: {{ .Values.registry }}/{{ .Values.relatedImages.syncer.image }}:{{ .Values.relatedImages.tags.event }} + {{- end }} + - name: RELATED_IMAGE_WATCHER + {{- if .Values.global.azure }} + value: {{ .Values.registry }}/{{ .Values.relatedImages.watcher.image }}@{{index .Values "global" "azure" "images" "event-stack" "digest" }} + {{- else }} + value: {{ .Values.registry }}/{{ .Values.relatedImages.watcher.image }}:{{ .Values.relatedImages.tags.event }} + {{- end }} + - name: RELATED_IMAGE_CONTINUOUS_RESTORE + {{- if .Values.global.azure }} + value: {{ .Values.registry }}/{{ index .Values "relatedImages" "continuous-restore" "image" }}@{{index .Values "global" "azure" "images" "datamover" "digest" }} + {{- else }} + value: {{ .Values.registry }}/{{ index .Values "relatedImages" "continuous-restore" "image" }}:{{ .Values.relatedImages.tags.tvk }} + {{- end }} + - name: ADMISSION_MUTATION_CONFIG + value: {{ template "k8s-triliovault-operator.name" . }}-mutating-webhook-configuration + - name: ADMISSION_VALIDATION_CONFIG + value: {{ template "k8s-triliovault-operator.name" . }}-validating-webhook-configuration + - name: RELEASE_VERSION + value: !!str {{ .Chart.AppVersion }} + - name: OPERATOR_INSTANCE_NAME + value: {{ template "k8s-triliovault-operator.appName" . }} + {{- if .Values.podAnnotations }} + - name: POD_ANNOTATIONS + value: {{ .Values.podAnnotations | toPrettyJson | quote }} + {{- end }} + {{- if .Values.podLabels }} + - name: POD_LABELS + value: {{ .Values.podLabels | toPrettyJson | quote }} + {{- end }} + - name: PRIORITY_CLASS_NAME + value: {{ .Values.priorityClassName }} + livenessProbe: + httpGet: + path: /healthz + port: 8081 + scheme: HTTP + initialDelaySeconds: 60 + periodSeconds: 30 + timeoutSeconds: 2 + successThreshold: 1 + failureThreshold: 3 + readinessProbe: + httpGet: + path: /readyz + port: 8081 + scheme: HTTP + initialDelaySeconds: 5 + periodSeconds: 5 + timeoutSeconds: 1 + successThreshold: 1 + failureThreshold: 3 + volumeMounts: + {{- if and .Values.proxySettings.PROXY_ENABLED .Values.proxySettings.CA_BUNDLE_CONFIGMAP }} + - name: proxy-ca-cert + mountPath: /proxy-certs + readOnly: true + {{- end }} + {{- if .Values.tls.enable }} + - name: helm-tls-certs + mountPath: /root/.helm + readOnly: true + {{- if .Values.tls.verify }} + - name: helm-tls-ca + mountPath: /root/.helm/ca.crt + readOnly: true + {{- end }} + {{- end }} + - mountPath: /tmp/k8s-webhook-server/serving-certs + name: webhook-certs + readOnly: true + {{- if .Values.securityContext }} + securityContext: + {{- toYaml .Values.securityContext | nindent 12 }} + {{- end }} + resources: + limits: + cpu: 200m + memory: 512Mi + requests: + cpu: 10m + memory: 256Mi + initContainers: + - name: webhook-init + {{- if .Values.global.azure }} + image: {{index .Values "global" "azure" "images" "operator-webhook-init" "registry" }}/{{index .Values "global" "azure" "images" "operator-webhook-init" "image" }}@{{index .Values.global.azure "images" "operator-webhook-init" "digest" }} + {{- else }} + image: {{ .Values.registry }}/{{ index .Values "operator-webhook-init" "repository" }}:{{ .Values.tag }} + {{- end }} + imagePullPolicy: {{ .Values.image.pullPolicy | quote }} + {{- if .Values.securityContext }} + securityContext: + {{- toYaml .Values.securityContext | nindent 12 }} + {{- end }} + env: + {{- if .Values.proxySettings.PROXY_ENABLED }} + - name: HTTP_PROXY + value: {{ .Values.proxySettings.HTTP_PROXY }} + - name: HTTPS_PROXY + value: {{ .Values.proxySettings.HTTPS_PROXY }} + - name: NO_PROXY + value: {{ .Values.proxySettings.NO_PROXY }} + {{- if .Values.proxySettings.CA_BUNDLE_CONFIGMAP }} + - name: PROXY_CA_CONFIGMAP + value: {{ .Values.proxySettings.CA_BUNDLE_CONFIGMAP }} + {{- end }} + {{- end }} + - name: MASTER_ENCRYPTION_KEY_NAMESPACE + value: {{ .Values.masterEncryptionKeyConfig.namespace | default .Release.Namespace }} + - name: MASTER_ENCRYPTION_KEY_NAME + value: {{ .Values.masterEncryptionKeyConfig.name }} + - name: RELEASE_VERSION + value: !!str {{ .Chart.AppVersion }} + - name: ADMISSION_MUTATION_CONFIG + value: {{ template "k8s-triliovault-operator.name" . }}-mutating-webhook-configuration + - name: ADMISSION_VALIDATION_CONFIG + value: {{ template "k8s-triliovault-operator.name" . }}-validating-webhook-configuration + - name: NAMESPACE_VALIDATION_CONFIG + value: {{ template "k8s-triliovault-operator.name" . }}-ns-validating-webhook-configuration + - name: WEBHOOK_SERVICE + value: {{ template "k8s-triliovault-operator.fullname" . }}-webhook-service + - name: WEBHOOK_NAMESPACE + value: {{ .Release.Namespace }} + - name: SECRET_NAME + value: {{ template "k8s-triliovault-operator.fullname" . }}-webhook-certs + {{- if and .Values.proxySettings.PROXY_ENABLED .Values.proxySettings.CA_BUNDLE_CONFIGMAP }} + volumeMounts: + - name: proxy-ca-cert + mountPath: /proxy-certs + readOnly: true + {{- end }} + serviceAccountName: {{ template "k8s-triliovault-operator.serviceAccountName" . }} + {{- if .Values.nodeSelector }} + nodeSelector: {{- .Values.nodeSelector | toYaml | nindent 8 }} + {{- end }} + {{- if .Values.affinity }} + affinity: + {{- toYaml .Values.affinity | nindent 8 }} + {{- end }} + {{- if .Values.tolerations }} + tolerations: + {{- toYaml .Values.tolerations | nindent 8 }} + {{- end }} + volumes: + {{- if .Values.tls.enable }} + - name: helm-tls-certs + secret: + secretName: {{ .Values.tls.secretName }} + defaultMode: 0400 + {{- if .Values.tls.verify }} + - name: helm-tls-ca + configMap: + name: {{ template "k8s-triliovault-operator.fullname" . }}-helm-tls-ca-config + defaultMode: 0600 + {{- end }} + {{- end }} + - name: webhook-certs + secret: + defaultMode: 420 + secretName: {{ template "k8s-triliovault-operator.fullname" . }}-webhook-certs diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/templates/mutating-webhook.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/templates/mutating-webhook.yaml new file mode 100644 index 000000000..dc7902c62 --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/templates/mutating-webhook.yaml @@ -0,0 +1,28 @@ +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + name: {{ template "k8s-triliovault-operator.name" . }}-mutating-webhook-configuration + labels: + {{- include "k8s-triliovault-operator.labels" . | nindent 4 }} + app.kubernetes.io/instance: {{ template "k8s-triliovault-operator.appName" . }}-mutating-webhook-configuration +webhooks: +- clientConfig: + service: + name: {{ template "k8s-triliovault-operator.fullname" . }}-webhook-service + namespace: {{ .Release.Namespace }} + path: /mutate-triliovault-trilio-io-v1-triliovaultmanager + failurePolicy: Fail + name: v1-tvm-mutation.trilio.io + rules: + - apiGroups: + - triliovault.trilio.io + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - triliovaultmanagers + sideEffects: None + admissionReviewVersions: + - v1 diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/templates/preflight_job_preinstall_hook.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/templates/preflight_job_preinstall_hook.yaml new file mode 100644 index 000000000..7f2b367c4 --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/templates/preflight_job_preinstall_hook.yaml @@ -0,0 +1,203 @@ +{{- if .Values.preflight.enabled -}} +{{- template "k8s-triliovault-operator.preFlightValidation" . }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{template "k8s-triliovault-operator.name" .}}-{{.Release.Namespace}}-preflight-role + labels: + {{- include "k8s-triliovault-operator.labels" . | nindent 4 }} + app.kubernetes.io/instance: {{template "k8s-triliovault-operator.appName" .}}-preflight-role + annotations: + "helm.sh/hook": "pre-install" + "helm.sh/hook-delete-policy": hook-failed, hook-succeeded + "helm.sh/hook-weight": "1" +rules: + - apiGroups: + - '*' + resources: + - '*' + verbs: + - get + - list + - apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - create + - update + - delete + - patch + - apiGroups: + - "" + resources: + - serviceaccounts + - pods + - persistentvolumeclaims + - pods/exec + verbs: + - create + - update + - delete + - patch + - apiGroups: + - rbac.authorization.k8s.io + resources: + - clusterroles + - clusterrolebindings + verbs: + - create + - update + - delete + - patch + - apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - list + - apiGroups: + - batch + resources: + - jobs + verbs: + - create + - delete + - apiGroups: + - storage.k8s.io + resources: + - storageclasses + verbs: + - get + - list + - apiGroups: + - snapshot.storage.k8s.io + resources: + - volumesnapshots + - volumesnapshotclasses + verbs: + - get + - list + - create + - update + - delete + - patch + +--- +{{- if eq .Values.svcAccountName "" }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "k8s-triliovault-operator.preflightServiceAccountName" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "k8s-triliovault-operator.labels" . | nindent 4 }} + app.kubernetes.io/instance: {{ template "k8s-triliovault-operator.appName" . }}-preflight-service-account + annotations: + "helm.sh/hook": "pre-install" + "helm.sh/hook-delete-policy": hook-failed, hook-succeeded + "helm.sh/hook-weight": "2" +{{- end }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "k8s-triliovault-operator.name" . }}-{{ .Release.Namespace }}-preflight-rolebinding + labels: + {{- include "k8s-triliovault-operator.labels" . | nindent 4 }} + app.kubernetes.io/instance: {{ template "k8s-triliovault-operator.appName" . }}-preflight-rolebinding + annotations: + "helm.sh/hook": "pre-install" + "helm.sh/hook-delete-policy": hook-failed, hook-succeeded + "helm.sh/hook-weight": "3" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "k8s-triliovault-operator.name" . }}-{{ .Release.Namespace }}-preflight-role +subjects: + - kind: ServiceAccount + name: {{ template "k8s-triliovault-operator.preflightServiceAccountName" . }} + namespace: {{ .Release.Namespace }} + +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "k8s-triliovault-operator.name" . }}-preflight-job-preinstall-hook-{{ randAlphaNum 4 | lower }} + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "k8s-triliovault-operator.fullname" . }} + release: "{{ .Release.Name }}" + {{- include "k8s-triliovault-operator.labels" . | nindent 4 }} + app.kubernetes.io/instance: {{ template "k8s-triliovault-operator.appName" . }}-preflight-job-preinstall-hook + {{- if .Values.global.azure }} + azure-extensions-usage-release-identifier: {{ .Release.Name }} + {{- end }} + annotations: + "helm.sh/hook": "pre-install" + "helm.sh/hook-delete-policy": hook-succeeded + "helm.sh/hook-weight": "4" +spec: + backoffLimit: 0 + ttlSecondsAfterFinished: 3600 + template: + spec: + containers: + - name: preflight + {{- if .Values.global.azure }} + image: {{ index .Values "registry" }}/{{ index .Values "preflight" "repository" }}@{{index .Values "global" "azure" "images" "preflight" "digest" }} + {{- else }} + image: {{ index .Values "registry" }}/{{ index .Values "preflight" "repository" }}:{{ index .Values "preflight" "imageTag" }} + {{- end }} + imagePullPolicy: {{ .Values.image.pullPolicy | quote }} + command: + - /bin/sh + - -c + - >- + /opt/tvk-plugins/preflight run --in-cluster + --log-level={{ .Values.preflight.logLevel }} + --namespace={{ .Release.Namespace }} + {{- if .Values.preflight.cleanupOnFailure }} + --cleanup-on-failure + {{- end }} + {{- if .Values.preflight.imagePullSecret }} + --image-pull-secret={{ .Values.preflight.imagePullSecret }} + {{- end }} + {{- if .Values.preflight.limits }} + --limits={{ .Values.preflight.limits }} + {{- end }} + {{- if .Values.preflight.localRegistry }} + --local-registry={{ .Values.preflight.localRegistry }} + {{- end }} + {{- if .Values.preflight.nodeSelector }} + --node-selector={{ .Values.preflight.nodeSelector }} + {{- end }} + {{- if .Values.preflight.pvcStorageRequest }} + --pvc-storage-request={{ .Values.preflight.pvcStorageRequest }} + {{- end }} + {{- if .Values.preflight.requests }} + --requests={{ .Values.preflight.requests }} + {{- end }} + {{- if .Values.preflight.storageClass }} + --storage-class={{ .Values.preflight.storageClass }} + {{- end }} + {{- if .Values.preflight.volumeSnapshotClass }} + --volume-snapshot-class={{ .Values.preflight.volumeSnapshotClass }} + {{- end }} + {{- if .Values.nodeSelector }} + nodeSelector: {{- .Values.nodeSelector | toYaml | nindent 8 }} + {{- end }} + {{- if .Values.affinity }} + affinity: + {{- toYaml .Values.affinity | nindent 8 }} + {{- end }} + {{- if .Values.tolerations }} + tolerations: + {{- toYaml .Values.tolerations | nindent 8 }} + {{- end }} + restartPolicy: Never + terminationGracePeriodSeconds: 0 + serviceAccountName: {{ template "k8s-triliovault-operator.preflightServiceAccountName" . }} +{{- end }} diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/templates/secret.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/templates/secret.yaml new file mode 100644 index 000000000..22f56e848 --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/templates/secret.yaml @@ -0,0 +1,9 @@ +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "k8s-triliovault-operator.fullname" . }}-webhook-certs + namespace: {{ .Release.Namespace }} + labels: + {{- include "k8s-triliovault-operator.labels" . | nindent 4 }} + app.kubernetes.io/instance: {{ template "k8s-triliovault-operator.appName" . }}-webhook-certs +type: Opaque diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/templates/serviceAccount.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/templates/serviceAccount.yaml new file mode 100644 index 000000000..c36e39bd0 --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/templates/serviceAccount.yaml @@ -0,0 +1,14 @@ +{{- if eq .Values.svcAccountName "" }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "k8s-triliovault-operator.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "k8s-triliovault-operator.labels" . | nindent 4 }} + app.kubernetes.io/instance: {{ template "k8s-triliovault-operator.appName" . }}-service-account +{{- if .Values.imagePullSecret }} +imagePullSecrets: +- name: {{ .Values.imagePullSecret }} +{{- end}} +{{- end }} \ No newline at end of file diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/templates/validating-webhook.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/templates/validating-webhook.yaml new file mode 100644 index 000000000..66d1044d6 --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/templates/validating-webhook.yaml @@ -0,0 +1,104 @@ +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: {{ template "k8s-triliovault-operator.name" . }}-validating-webhook-configuration + labels: + {{- include "k8s-triliovault-operator.labels" . | nindent 4 }} + app.kubernetes.io/instance: {{ template "k8s-triliovault-operator.appName" . }}-validating-webhook-configuration +webhooks: +- clientConfig: + service: + name: {{ template "k8s-triliovault-operator.fullname" . }}-webhook-service + namespace: {{ .Release.Namespace }} + path: /validate-triliovault-trilio-io-v1-triliovaultmanager + failurePolicy: Fail + name: v1-tvm-validation.trilio.io + rules: + - apiGroups: + - triliovault.trilio.io + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - triliovaultmanagers + sideEffects: None + admissionReviewVersions: + - v1 +- clientConfig: + service: + name: {{ template "k8s-triliovault-operator.fullname" . }}-webhook-service + namespace: {{ .Release.Namespace }} + path: /validate-core-v1-secret + failurePolicy: Fail + name: v1-encryption-secret-validation.trilio.io + objectSelector: + matchExpressions: + - key: triliovault.trilio.io/master-secret + operator: Exists + rules: + - apiGroups: + - "*" + apiVersions: + - v1 + operations: + - DELETE + - UPDATE + resources: + - secrets + sideEffects: None + admissionReviewVersions: + - v1 +- clientConfig: + service: + name: {{ template "k8s-triliovault-operator.fullname" . }}-webhook-service + namespace: {{ .Release.Namespace }} + path: /validate-core-v1-namespace + failurePolicy: Fail + name: v1-tvm-ns-validation.trilio.io + namespaceSelector: + matchExpressions: + - key: trilio-operator-label + operator: In + values: + - {{ .Release.Namespace }} + rules: + - apiGroups: + - "" + apiVersions: + - v1 + operations: + - DELETE + resources: + - namespaces + scope: '*' + sideEffects: None + admissionReviewVersions: + - v1 +{{- if .Values.observability.enabled }} +- clientConfig: + service: + name: {{ template "k8s-triliovault-operator.fullname" . }}-webhook-service + namespace: {{ .Release.Namespace }} + path: /validate-core-v1-secret + failurePolicy: Ignore + name: v1-observability-secret-validation.trilio.io + objectSelector: + matchExpressions: + - key: triliovault.trilio.io/observability + operator: Exists + rules: + - apiGroups: + - "*" + apiVersions: + - v1 + operations: + - DELETE + - UPDATE + resources: + - secrets + sideEffects: None + admissionReviewVersions: + - v1 +{{- end }} \ No newline at end of file diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/templates/webhook-service.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/templates/webhook-service.yaml new file mode 100644 index 000000000..8717867d7 --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/templates/webhook-service.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ template "k8s-triliovault-operator.fullname" . }}-webhook-service + namespace: {{ .Release.Namespace }} + labels: + app: {{ template "k8s-triliovault-operator.fullname" . }} + release: "{{ .Release.Name }}" + {{- include "k8s-triliovault-operator.labels" . | nindent 4 }} + app.kubernetes.io/instance: {{ template "k8s-triliovault-operator.appName" . }}-webhook-service +spec: + ports: + - port: 443 + targetPort: 9443 + selector: + app: {{ template "k8s-triliovault-operator.fullname" . }} + release: "{{ .Release.Name }}" diff --git a/charts/trilio/k8s-triliovault-operator/5.0.0/values.yaml b/charts/trilio/k8s-triliovault-operator/5.0.0/values.yaml new file mode 100644 index 000000000..836f0d06a --- /dev/null +++ b/charts/trilio/k8s-triliovault-operator/5.0.0/values.yaml @@ -0,0 +1,247 @@ +## TrilioVault Operator +global: + urlPath: "/" +registry: "quay.io/triliodata" +operator-webhook-init: + repository: operator-webhook-init +k8s-triliovault-operator: + repository: k8s-triliovault-operator +tag: "5.0.0" +# create image pull secrets and specify the name here. +imagePullSecret: "" +priorityClassName: "" +preflight: + enabled: false + repository: preflight + imageTag: "1.3.1" + logLevel: "INFO" + cleanupOnFailure: false + imagePullSecret: "" + limits: "" + localRegistry: "" + nodeSelector: "" + pvcStorageRequest: "" + requests: "" + storageClass: "" + volumeSnapshotClass: "" +# Affinity rules for scheduling the Pod of this application. +# https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#node-affinity +affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: kubernetes.io/arch + operator: In + values: + - amd64 + - ppc64le +# Node selection constraints for scheduling Pods of this application. +# https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector +nodeSelector: {} +# Taints to be tolerated by Pods of this application. +# https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ +tolerations: [] +masterEncryptionKeyConfig: + name: "triliovault-master-encryption-key" + namespace: "" +image: + pullPolicy: Always +tls: + secretName: "helm-client-certs" + verify: false + enable: false + keyFile: "tls.key" + certFile: "tls.crt" + caContent: "" + hostname: "" +nameOverride: "" +replicaCount: 1 +proxySettings: + PROXY_ENABLED: false + NO_PROXY: "" + HTTP_PROXY: "" + HTTPS_PROXY: "" + CA_BUNDLE_CONFIGMAP: "" +podSpec: + hostIPC: false + hostNetwork: false + hostPID: false + securityContext: + runAsNonRoot: true + runAsUser: 1001 +securityContext: + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: false + runAsNonRoot: true + runAsUser: 1001 + capabilities: + drop: + - ALL +installTVK: + enabled: true + applicationScope: Cluster + tvkInstanceName: "" + ingressConfig: + host: "" + tlsSecretName: "" + annotations: {} + ingressClass: "" + ComponentConfiguration: + ingressController: + enabled: true + service: + type: NodePort +observability: + enabled: false + name: "tvk-integration" + logging: + loki: + enabled: true + fullnameOverride: "loki" + persistence: + enabled: true + accessModes: + - ReadWriteOnce + size: 10Gi + config: + limits_config: + reject_old_samples_max_age: 168h + table_manager: + retention_period: 168h + image: + registry: docker.io + promtail: + enabled: true + fullnameOverride: "promtail" + config: + clients: + - url: http://loki:3100/loki/api/v1/push + image: + registry: docker.io + monitoring: + prometheus: + enabled: true + fullnameOverride: "prom" + server: + enabled: true + fullnameOverride: "prom-server" + persistentVolume: + enabled: false + image: + registry: quay.io + kubeStateMetrics: + enabled: false + image: + registry: k8s.gcr.io + nodeExporter: + enabled: false + image: + registry: quay.io + pushgateway: + enabled: false + image: + registry: docker.io + alertmanager: + enabled: false + image: + registry: quay.io + configmapReload: + prometheus: + image: + registry: docker.io + alertmanager: + image: + registry: docker.io + visualization: + grafana: + grafana.ini: + server: + root_url: "%(protocol)s://%(domain)s:%(http_port)s{{- if ne .Values.global.urlPath \"/\" }}{{.Values.global.urlPath}}{{- end }}/grafana/" + enabled: true + adminPassword: "admin123" + fullnameOverride: "grafana" + service: + type: ClusterIP + image: + registry: docker.io + testFramework: + registry: docker.io + imageRenderer: + image: + registry: docker.io + sidecar: + image: + registry: quay.io + initChownData: + image: + registry: docker.io + downloadDashboardsImage: + registry: docker.io +# these annotations will be added to all tvk pods +podAnnotations: + sidecar.istio.io/inject: false +# these labels will be added to all tvk pods +podLabels: + sidecar.portshift.io/inject: false + linkerd.io/inject: disabled +relatedImages: + tags: + tvk: "5.0.0" + event: "5.0.0" + control-plane: + image: "control-plane" + metamover: + image: "datamover" + datamover: + image: "datamover" + datastore-attacher: + image: "datamover" + admission-webhook: + image: "control-plane" + analyzer: + image: "control-plane" + ingress-controller: + image: "ingress-controller" + tag: "v1.10.1" + kube-certgen: + image: "kube-certgen" + tag: "v1.4.1" + exporter: + image: "control-plane" + web: + image: "web" + web-backend: + image: "control-plane" + backup-scheduler: + image: "control-plane" + backup-cleaner: + image: "datamover" + target-browser: + image: "datamover" + backup-retention: + image: "datamover" + hook: + image: "control-plane" + resource-cleaner: + image: "datamover" + tvk-init: + image: "control-plane" + dex: + image: "dex" + tag: "2.30.7" + minio: + image: "control-plane" + nats: + image: "nats" + tag: "2.8.5" + service-manager: + image: "event-stack" + syncer: + image: "event-stack" + watcher: + image: "event-stack" + continuous-restore: + image: "datamover" +svcAccountName: "" diff --git a/index.yaml b/index.yaml index 11a27801c..86b113605 100644 --- a/index.yaml +++ b/index.yaml @@ -21625,6 +21625,34 @@ entries: - assets/jenkins/jenkins-4.3.27.tgz version: 4.3.27 k8s-triliovault-operator: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: TrilioVault for Kubernetes Operator + catalog.cattle.io/kube-version: '>=1.19.0-0' + catalog.cattle.io/release-name: k8s-triliovault-operator + apiVersion: v2 + appVersion: 5.0.0 + created: "2024-11-16T00:01:59.315332335Z" + dependencies: + - condition: observability.enabled + name: observability + repository: file://charts/observability + version: ^0.1.0 + description: K8s-TrilioVault-Operator is an operator designed to manage the K8s-TrilioVault + Application Lifecycle. + digest: 837a3a2119ee5c8b27200b39a0fa1f0f5060da0fd2f722b841ab07b7d6d0543e + home: https://github.com/trilioData/k8s-triliovault-operator + icon: file://assets/icons/k8s-triliovault-operator.png + kubeVersion: '>=1.19.0-0' + maintainers: + - email: prafull.ladha@trilio.io + name: prafull11 + name: k8s-triliovault-operator + sources: + - https://github.com/trilioData/k8s-triliovault-operator + urls: + - assets/trilio/k8s-triliovault-operator-5.0.0.tgz + version: 5.0.0 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: TrilioVault for Kubernetes Operator @@ -21878,6 +21906,35 @@ entries: - assets/trilio/k8s-triliovault-operator-3.1.1.tgz version: 3.1.1 k10: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: K10 + catalog.cattle.io/kube-version: '>= 1.17.0-0' + catalog.cattle.io/release-name: k10 + apiVersion: v2 + appVersion: 7.0.14 + created: "2024-11-16T00:01:56.510575719Z" + dependencies: + - condition: grafana.enabled + name: grafana + repository: "" + version: 8.5.8 + - condition: prometheus.server.enabled + name: prometheus + repository: "" + version: 25.28.0 + description: Kasten’s K10 Data Management Platform + digest: ef53b6554e34aa4050ef132f6785147d7f954c227561080c8763fb24cd6c40b4 + home: https://kasten.io/ + icon: file://assets/icons/k10.png + kubeVersion: '>= 1.17.0-0' + maintainers: + - email: contact@kasten.io + name: kastenIO + name: k10 + urls: + - assets/kasten/k10-7.0.1401.tgz + version: 7.0.1401 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: K10 @@ -24730,6 +24787,36 @@ entries: - assets/avesha/kubeslice-worker-1.1.1.tgz version: 1.1.1 kuma: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Kuma + catalog.cattle.io/namespace: kuma-system + catalog.cattle.io/release-name: kuma + apiVersion: v2 + appVersion: 2.9.1 + created: "2024-11-16T00:01:57.181919052Z" + description: A Helm chart for the Kuma Control Plane + digest: 08d9aaa9449221b3b8e5acb715f2e9c171923f2dff1a5bd0d58980228e70332b + home: https://github.com/kumahq/kuma + icon: file://assets/icons/kuma.svg + keywords: + - service mesh + - control plane + maintainers: + - email: jakub.dyszkiewicz@konghq.com + name: Jakub Dyszkiewicz + url: https://github.com/jakubdyszkiewicz + - email: charly.molter@konghq.com + name: Charly Molter + url: https://github.com/lahabana + - email: michael.beaumont@konghq.com + name: Mike Beaumont + url: https://github.com/michaelbeaumont + name: kuma + type: application + urls: + - assets/kuma/kuma-2.9.1.tgz + version: 2.9.1 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Kuma @@ -28752,6 +28839,54 @@ entries: - assets/loft/loft-3.2.0.tgz version: 3.2.0 microgateway: + - annotations: + artifacthub.io/category: security + artifacthub.io/license: MIT + artifacthub.io/links: | + - name: Airlock Microgateway Documentation + url: https://docs.airlock.com/microgateway/4.4/ + - name: Airlock Microgateway Labs + url: https://play.instruqt.com/airlock/invite/hyi9fy4b4jzc?icp_referrer=artifacthub.io + - name: Airlock Microgateway Forum + url: https://forum.airlock.com/ + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Airlock Microgateway + catalog.cattle.io/kube-version: '>=1.25.0-0' + catalog.cattle.io/release-name: "" + charts.openshift.io/name: Airlock Microgateway + apiVersion: v2 + appVersion: 4.4.1 + created: "2024-11-16T00:01:53.700514743Z" + description: A Helm chart for deploying the Airlock Microgateway + digest: 2867a07cdff0938923432197b2a9c87201ff82b0d83ccbb88b738b577a6a954f + home: https://www.airlock.com/en/microgateway + icon: file://assets/icons/microgateway.svg + keywords: + - WAF + - Web Application Firewall + - WAAP + - Web Application and API protection + - OWASP + - Airlock + - Microgateway + - Security + - Filtering + - DevSecOps + - shift left + - control plane + - Operator + kubeVersion: '>=1.25.0-0' + maintainers: + - email: support@airlock.com + name: Airlock + url: https://www.airlock.com/ + name: microgateway + sources: + - https://github.com/airlock/microgateway + type: application + urls: + - assets/airlock/microgateway-4.4.1.tgz + version: 4.4.1 - annotations: artifacthub.io/category: security artifacthub.io/license: MIT @@ -29089,6 +29224,53 @@ entries: - assets/airlock/microgateway-4.2.3.tgz version: 4.2.3 microgateway-cni: + - annotations: + artifacthub.io/category: security + artifacthub.io/license: MIT + artifacthub.io/links: | + - name: Airlock Microgateway Documentation + url: https://docs.airlock.com/microgateway/4.4/ + - name: Airlock Microgateway Labs + url: https://play.instruqt.com/airlock/invite/hyi9fy4b4jzc?icp_referrer=artifacthub.io + - name: Airlock Microgateway Forum + url: https://forum.airlock.com/ + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Airlock Microgateway CNI + catalog.cattle.io/kube-version: '>=1.25.0-0' + catalog.cattle.io/release-name: "" + charts.openshift.io/name: Airlock Microgateway CNI + apiVersion: v2 + appVersion: 4.4.1 + created: "2024-11-16T00:01:53.705500386Z" + description: A Helm chart for deploying the Airlock Microgateway CNI plugin + digest: e1113ae0e35e1c9fd857e19a5ca65e6d9dc3100ac3c569113dd7da9eaf0a7dd5 + home: https://www.airlock.com/en/microgateway + icon: file://assets/icons/microgateway-cni.svg + keywords: + - WAF + - Web Application Firewall + - WAAP + - Web Application and API protection + - OWASP + - Airlock + - Microgateway + - Security + - Filtering + - DevSecOps + - shift left + - CNI + kubeVersion: '>=1.25.0-0' + maintainers: + - email: support@airlock.com + name: Airlock + url: https://www.airlock.com/ + name: microgateway-cni + sources: + - https://github.com/airlock/microgateway + type: application + urls: + - assets/airlock/microgateway-cni-4.4.1.tgz + version: 4.4.1 - annotations: artifacthub.io/category: security artifacthub.io/license: MIT @@ -30497,6 +30679,31 @@ entries: - assets/nats/nats-0.19.15.tgz version: 0.19.15 netscaler-cpx-with-ingress-controller: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: NetScaler CPX with Ingress Controller + catalog.cattle.io/kube-version: '>=v1.16.0-0' + catalog.cattle.io/release-name: netscaler-cpx-with-ingress-controller + apiVersion: v2 + appVersion: 2.2.10 + created: "2024-11-16T00:01:57.315471785Z" + description: A Helm chart for NetScaler CPX with NetScaler ingress Controller + running as sidecar. + digest: 1e0ea2a4d05c1d1819568bbc78becabd6d4d4feab6fbf1938e295367c2ea9cdd + home: https://www.netscaler.com + icon: file://assets/icons/netscaler-cpx-with-ingress-controller.png + kubeVersion: '>=v1.16.0-0' + maintainers: + - email: priyanka.sharma@cloud.com + name: priyankash-citrix + - email: subash.dangol@cloud.com + name: subashd + name: netscaler-cpx-with-ingress-controller + sources: + - https://github.com/netscaler/netscaler-k8s-ingress-controller + urls: + - assets/netscaler/netscaler-cpx-with-ingress-controller-2.2.10.tgz + version: 2.2.10 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: NetScaler CPX with Ingress Controller @@ -30523,6 +30730,30 @@ entries: - assets/netscaler/netscaler-cpx-with-ingress-controller-2.1.4.tgz version: 2.1.4 netscaler-ingress-controller: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: NetScaler Ingress Controller + catalog.cattle.io/kube-version: '>=v1.16.0-0' + catalog.cattle.io/release-name: netscaler-ingress-controller + apiVersion: v2 + appVersion: 2.2.10 + created: "2024-11-16T00:01:57.318087902Z" + description: A Helm chart for NetScaler Ingress Controller configuring MPX/VPX. + digest: e5ec26bc4e26e780bcfa0ac3c58862c4b71d6e096cced9514c8e68b83587053b + home: https://www.netscaler.com + icon: file://assets/icons/netscaler-ingress-controller.png + kubeVersion: '>=v1.16.0-0' + maintainers: + - email: priyanka.sharma@cloud.com + name: priyankash-citrix + - email: subash.dangol@cloud.com + name: subashd + name: netscaler-ingress-controller + sources: + - https://github.com/netscaler/netscaler-k8s-ingress-controller + urls: + - assets/netscaler/netscaler-ingress-controller-2.2.10.tgz + version: 2.2.10 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: NetScaler Ingress Controller @@ -48342,4 +48573,4 @@ entries: urls: - assets/netfoundry/ziti-host-1.5.1.tgz version: 1.5.1 -generated: "2024-11-15T00:01:45.043320849Z" +generated: "2024-11-16T00:01:53.678822476Z"